diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/crypto/tls/bogo_config.json | 14 | ||||
| -rw-r--r-- | src/crypto/tls/bogo_shim_test.go | 33 |
2 files changed, 44 insertions, 3 deletions
diff --git a/src/crypto/tls/bogo_config.json b/src/crypto/tls/bogo_config.json index 9e3990ecb5..b269d4b670 100644 --- a/src/crypto/tls/bogo_config.json +++ b/src/crypto/tls/bogo_config.json @@ -74,6 +74,9 @@ "BadRSAClientKeyExchange-5": "crypto/tls doesn't check the version number in the premaster secret - see processClientKeyExchange comment", "SupportTicketsWithSessionID": "We don't support session ID resumption", "ResumeTLS12SessionID-TLS13": "We don't support session ID resumption", + "TrustAnchors-*": "We don't support draft-beck-tls-trust-anchor-ids", + "PAKE-Extension-*": "We don't support PAKE", + "*TicketFlags": "We don't support draft-ietf-tls-tlsflags", "CheckLeafCurve": "TODO: first pass, this should be fixed", "KeyUpdate-RequestACK": "TODO: first pass, this should be fixed", @@ -206,7 +209,14 @@ "EarlyData-Server-BadFinished-TLS13": "TODO: first pass, this should be fixed", "EarlyData-UnexpectedHandshake-Server-TLS13": "TODO: first pass, this should be fixed", "EarlyData-CipherMismatch-Client-TLS13": "TODO: first pass, this should be fixed", - "Resume-Server-UnofferedCipher-TLS13": "TODO: first pass, this should be fixed" + + "ServerNameExtensionServer-TLS-*": "https://github.com/golang/go/issues/74282", + + "Resume-Server-UnofferedCipher-TLS13": "TODO: first pass, this should be fixed", + "GarbageCertificate-Server-TLS13": "TODO: 2025/06 BoGo update, should be fixed", + "WrongMessageType-TLS13-ClientCertificate-TLS": "TODO: 2025/06 BoGo update, should be fixed", + "KeyUpdate-Requested": "TODO: 2025/06 BoGo update, should be fixed", + "AppDataBeforeTLS13KeyChange-*": "TODO: 2025/06 BoGo update, should be fixed" }, "AllCurves": [ 23, @@ -216,6 +226,6 @@ 4588 ], "ErrorMap": { - ":ECH_REJECTED:": "tls: server rejected ECH" + ":ECH_REJECTED:": ["tls: server rejected ECH"] } } diff --git a/src/crypto/tls/bogo_shim_test.go b/src/crypto/tls/bogo_shim_test.go index 2e88d539c4..7cab568db8 100644 --- a/src/crypto/tls/bogo_shim_test.go +++ b/src/crypto/tls/bogo_shim_test.go @@ -420,6 +420,12 @@ func bogoShim() { } } if err != io.EOF { + // Flush the TLS conn and then perform a graceful shutdown of the + // TCP connection to avoid the runner side hitting an unexpected + // write error before it has processed the alert we may have + // generated for the error condition. + orderlyShutdown(tlsConn) + retryErr, ok := err.(*ECHRejectionError) if !ok { log.Fatal(err) @@ -505,6 +511,31 @@ func bogoShim() { } } +// If the test case produces an error, we don't want to immediately close the +// TCP connection after generating an alert. The runner side may try to write +// additional data to the connection before it reads the alert. If the conn +// has already been torn down, then these writes will produce an unexpected +// broken pipe err and fail the test. +func orderlyShutdown(tlsConn *Conn) { + // Flush any pending alert data + tlsConn.flush() + + netConn := tlsConn.NetConn() + tcpConn := netConn.(*net.TCPConn) + tcpConn.CloseWrite() + + // Read and discard any data that was sent by the peer. + buf := make([]byte, maxPlaintext) + for { + n, err := tcpConn.Read(buf) + if n == 0 || err != nil { + break + } + } + + tcpConn.CloseRead() +} + func TestBogoSuite(t *testing.T) { if testing.Short() { t.Skip("skipping in short mode") @@ -526,7 +557,7 @@ func TestBogoSuite(t *testing.T) { if *bogoLocalDir != "" { bogoDir = *bogoLocalDir } else { - const boringsslModVer = "v0.0.0-20241120195446-5cce3fbd23e1" + const boringsslModVer = "v0.0.0-20250620172916-f51d8b099832" bogoDir = cryptotest.FetchModule(t, "boringssl.googlesource.com/boringssl.git", boringsslModVer) } |