TLSv1.3 draft-23: align tests

* Changes tests so that they pass with draft-23 * BoringSSL interoperability: uses code at most recent commit. It uses "-tls13-variant draft23" flag to indicate compatibility with draft23 * NSS interoperability: Uses release 3.35 * PicoTLS interoperability: blocked. Doesn't seem to implement draft23 * Uses updated bogo from https://github.com/henrydcase/crypto-tls-bogo-shim
2018-06-25 18:22:15 +01:00 · 2018-06-25 18:22:15 +01:00 · 6e4abe2d07
Commit 6e4abe2d07
--- a/_dev/Makefile
+++ b/_dev/Makefile
@ -23,7 +23,7 @@ INSTALL_RACE:= $(words $(filter $(ARCH)_$(shell go env CGO_ENABLED), amd64_1))
 TARGET_TEST_COMPAT=boring picotls tstclnt

 # Some target-specific constants
-BORINGSSL_REVISION=1530ef3e
+BORINGSSL_REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a
 BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris

 ###############
--- a/_dev/bogo/Dockerfile
+++ b/_dev/bogo/Dockerfile
@ -10,8 +10,8 @@ RUN apk add --update \

 ENV CGO_ENABLED=0

-RUN git clone https://github.com/FiloSottile/crypto-tls-bogo-shim \
-    /go/src/github.com/FiloSottile/crypto-tls-bogo-shim
+RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \
+    /go/src/github.com/henrydcase/crypto-tls-bogo-shim

 # Draft 18 with client-tests branch
 #ARG REVISION=3f5e87d6a1931b6f6930e4eadb7b2d0b2aa7c588
@ -20,10 +20,13 @@ RUN git clone https://github.com/FiloSottile/crypto-tls-bogo-shim \
 #ARG REVISION=81cc32b846c9fe2ea32613287e57a6a0db7bbb9a

 # Draft 22 with draft22-client branch (client-tests + draft22)
-ARG REVISION=f9729b5e4eafb1f1d313949388c3c2b167e84734
+# ARG REVISION=f9729b5e4eafb1f1d313949388c3c2b167e84734

-RUN cd /go/src/github.com/FiloSottile/crypto-tls-bogo-shim && \
+# Draft 23
+ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5
+
+RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \
    git checkout $REVISION

-WORKDIR /go/src/github.com/FiloSottile/crypto-tls-bogo-shim
+WORKDIR /go/src/github.com/henrydcase/crypto-tls-bogo-shim
 CMD ["make", "run"]
--- a/_dev/boring/Dockerfile
+++ b/_dev/boring/Dockerfile
@ -34,15 +34,24 @@ RUN mkdir boringssl/build
 # ARG REVISION=89917a5

 # Draft 18
-#ARG REVISION=9b885c5
+# ARG REVISION=9b885c5
 # Draft 18, but with "bssl server -loop -www" support and build fix
-ARG REVISION=40b24c8154
+# ARG REVISION=40b24c8154

 # Draft 21
-#ARG REVISION=cd8470f
+# ARG REVISION=cd8470f

 # Draft 22
-ARG REVISION=1530ef3e
+# ARG REVISION=1530ef3e
+
+# Draft 23
+# ARG REVISION=cb15cfda29c0c60d8d74145b17c93b43a7667837
+
+# Draft 28
+# ARG REVISION=861f384d7bc59241a9df1634ae938d8e75be2d30
+
+# Latest
+ARG REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a

 RUN cd boringssl && git fetch
 RUN cd boringssl && git checkout $REVISION
--- a/_dev/boring/run.sh
+++ b/_dev/boring/run.sh
@ -2,7 +2,7 @@
 set -e

 /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-	-tls13-variant draft22 -session-out /session -connect "$@" < /httpreq.txt
+	-tls13-variant draft23 -session-out /session -connect "$@" < /httpreq.txt
 exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-	-tls13-variant draft22 -session-in /session -connect "$@" < /httpreq.txt
+	-tls13-variant draft23 -session-in /session -connect "$@" < /httpreq.txt

--- a/_dev/boring/server.sh
+++ b/_dev/boring/server.sh
@ -6,21 +6,21 @@ set -x
 bssl server \
    -key rsa.pem \
    -min-version tls1.2 -max-version tls1.3 \
-    -tls13-draft22-variant \
+    -tls13-variant draft23 \
    -accept 1443 -loop -www 2>&1 &

 # ECDSA
 bssl server \
    -key ecdsa.pem \
    -min-version tls1.2 -max-version tls1.3 \
-    -tls13-draft22-variant \
+    -tls13-variant draft23 \
    -accept 2443 -loop -www 2>&1 &

 # Require client authentication (with ECDSA)
 bssl server \
    -key ecdsa.pem \
    -min-version tls1.2 -max-version tls1.3 \
-    -tls13-draft22-variant \
+    -tls13-variant draft23 \
    -accept 6443 -loop -www \
    -require-any-client-cert -debug 2>&1 &

--- a/_dev/interop_test_runner
+++ b/_dev/interop_test_runner
@ -46,13 +46,13 @@ class RegexSelfTest(unittest.TestCase):
    ''' Ensures that those regexe's actually work '''

    LINE_HELLO_TLS      ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff"
-    LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 22) _o/\nsomestuff"
+    LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff"

-    LINE_HELLO_RESUMED  ="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] _o/\nsomestuff"
-    LINE_HELLO_MIXED    ="\nsomestuff\nHello TLS 1.3 (draft 22) _o/\nHello TLS 1.3 (draft 22) [resumed] _o/\nsomestuff"
-    LINE_HELLO_TLS_12   ="\nsomestuff\nHello TLS 1.2 (draft 22) [resumed] _o/\nsomestuff"
-    LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] [0-RTT] _o/\nsomestuff"
-    LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] [0-RTT confirmed] _o/\nsomestuff"
+    LINE_HELLO_RESUMED  ="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff"
+    LINE_HELLO_MIXED    ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff"
+    LINE_HELLO_TLS_12   ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff"
+    LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff"
+    LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff"

    def test_regexes(self):
        self.assertIsNotNone(
@ -212,12 +212,14 @@ class InteropServer_BoringSSL(
        unittest.TestCase
    ): CLIENT_NAME = "tls-tris:boring"

-class InteropServer_PicoTLS(
-        InteropServer,
-        ServerNominalMixin,
-        ServerZeroRttMixin,
-        unittest.TestCase
-    ): CLIENT_NAME = "tls-tris:picotls"
+# PicoTLS doesn't seem to implement draft-23 correctly. It will
+# be enabled when draft-28 is implemented.
+# class InteropServer_PicoTLS(
+#         InteropServer,
+#         ServerNominalMixin,
+#         ServerZeroRttMixin,
+#         unittest.TestCase
+#     ): CLIENT_NAME = "tls-tris:picotls"

 class InteropServer_NSS(
        InteropServer,
--- a/_dev/tris-localserver/server.go
+++ b/_dev/tris-localserver/server.go
@ -43,6 +43,7 @@ var tlsVersionToName = map[uint16]string{
 	tls.VersionTLS13Draft18: "1.3 (draft 18)",
 	tls.VersionTLS13Draft21: "1.3 (draft 21)",
 	tls.VersionTLS13Draft22: "1.3 (draft 22)",
+	tls.VersionTLS13Draft23: "1.3 (draft 23)",
 }

 func NewServer() *server {
--- a/_dev/tris-testclient/client.go
+++ b/_dev/tris-testclient/client.go
@ -17,6 +17,7 @@ var tlsVersionToName = map[uint16]string{
 	tls.VersionTLS12:        "1.2",
 	tls.VersionTLS13:        "1.3",
 	tls.VersionTLS13Draft18: "1.3 (draft 18)",
+	tls.VersionTLS13Draft23: "1.3 (draft 23)",
 }

 var cipherSuiteIdToName = map[uint16]string{
--- a/_dev/tstclnt/Dockerfile
+++ b/_dev/tstclnt/Dockerfile
@ -21,7 +21,10 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
 # ARG REVISION=e61c0f657100

 # Draft 22
-ARG REVISION=88c3f3fa581b
+#ARG REVISION=88c3f3fa581b
+
+# Draft 23
+ARG REVISION=16c622c9e1cc

 RUN cd nss && hg pull
 RUN cd nss && hg checkout -C $REVISION