Fix TLS 1.3 fuzzer mode in Go.
Runner needs to implement fuzzer mode as well so we can record
transcripts from it. A bunch of tests were failing:
- C and Go disagreed on what fuzzer mode did to TLS 1.3 padding. So we
fuzz more code, align Go with C. Fuzzer mode TLS 1.3 still pads but
just skips the final AEAD.
- The deterministic RNG should be applied per test, not per exchange. It
turns out that, if the RNG is deterministic, one tends to pick the same
session ID over and over, which confuses clients. (Resumption is
signaled by echoing the session ID.)
Now the only failing tests are the ones one would expect to fail.
BUG=79
Change-Id: Ica23881a6e726adae71e6767730519214ebcd62a
Reviewed-on: https://boringssl-review.googlesource.com/11126
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 9969f8b..f532237 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -200,7 +200,7 @@
hc.incEpoch()
if config.Bugs.NullAllCiphers {
- hc.cipher = nil
+ hc.cipher = nullCipher{}
hc.mac = nil
}
return nil
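Review bot: Replacing nil with `nullCipher{}` means the decrypt path's `switch c := hc.cipher.(type)` (visible in a later hunk, ending in `panic("unknown cipher type")`) now sees a concrete value where it previously saw nil, so `nullCipher` must satisfy one of that switch's cases (`cipher.Stream`, `*tlsAead` or `cbcMode`) or every NullAllCiphers record read panics; its definition is not in this diff, so I cannot confirm which case it hits. The reason for the non-nil value is also not obvious here and deserves a comment: `// Use a no-op cipher rather than nil so the record framing (TLS 1.3 padding and content-type byte) is still applied in fuzzer mode.` The enclosing function starts before this hunk.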
@@ -210,6 +210,9 @@
func (hc *halfConn) useTrafficSecret(version uint16, suite *cipherSuite, secret, phase []byte, side trafficDirection) {
hc.version = version
hc.cipher = deriveTrafficAEAD(version, suite, secret, phase, side)
+ if hc.config.Bugs.NullAllCiphers {
+ hc.cipher = nullCipher{}
+ }
hc.trafficSecret = secret
hc.incEpoch()
}
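Review bot: The new override silently discards the AEAD that `deriveTrafficAEAD` just built on the previous line, and a reader could reasonably take fuzzer mode to be keyless, so the intent should be stated: `// Fuzzer mode: keep the derived traffic secret and TLS 1.3 framing but replace the AEAD with a no-op, matching the C side.` Note that the analogous change in the earlier hunk also clears `hc.mac` while this one leaves it untouched; for a TLS 1.3 traffic secret that is presumably fine since no separate MAC is in play, but it is worth confirming that `hc.mac` cannot still hold a value from an earlier epoch.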
@@ -423,18 +426,6 @@
if err != nil {
return false, 0, 0, alertBadRecordMAC
}
- if hc.version >= VersionTLS13 {
- i := len(payload)
- for i > 0 && payload[i-1] == 0 {
- i--
- }
- payload = payload[:i]
- if len(payload) == 0 {
- return false, 0, 0, alertUnexpectedMessage
- }
- contentType = recordType(payload[len(payload)-1])
- payload = payload[:len(payload)-1]
- }
b.resize(recordHeaderLen + explicitIVLen + len(payload))
case cbcMode:
blockSize := c.BlockSize()
@@ -473,6 +464,20 @@
default:
panic("unknown cipher type")
}
+
+ if hc.version >= VersionTLS13 {
+ i := len(payload)
+ for i > 0 && payload[i-1] == 0 {
+ i--
+ }
+ payload = payload[:i]
+ if len(payload) == 0 {
+ return false, 0, 0, alertUnexpectedMessage
+ }
+ contentType = recordType(payload[len(payload)-1])
+ payload = payload[:len(payload)-1]
+ b.resize(recordHeaderLen + len(payload))
+ }
}
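Review bot: The resize on the last added line, `b.resize(recordHeaderLen + len(payload))`, drops the `explicitIVLen` term that the removed AEAD-case resize carried (`recordHeaderLen + explicitIVLen + len(payload)`), so the moved code now relies on `explicitIVLen` being zero for every cipher that reaches this TLS 1.3 branch, including `nullCipher`. That is true for the TLS 1.3 AEADs as specified, but the invariant is now implicit; I would either keep the term, `b.resize(recordHeaderLen + explicitIVLen + len(payload))`, or add a comment stating that TLS 1.3 records never carry an explicit IV. Also, because the strip now runs after the whole switch rather than only in the AEAD case, it depends on each case (including `cbcMode`, whose handling of `payload` is not fully visible here) leaving `payload` aliased to the plaintext in `b.data`. The enclosing function starts before and ends after this hunk.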
// check, strip mac
@@ -545,29 +550,26 @@
// encrypt
if hc.cipher != nil {
+ // Add TLS 1.3 padding.
+ if hc.version >= VersionTLS13 {
+ paddingLen := hc.config.Bugs.RecordPadding
+ if hc.config.Bugs.OmitRecordContents {
+ b.resize(recordHeaderLen + paddingLen)
+ } else {
+ b.resize(len(b.data) + 1 + paddingLen)
+ b.data[len(b.data)-paddingLen-1] = byte(typ)
+ }
+ for i := 0; i < paddingLen; i++ {
+ b.data[len(b.data)-paddingLen+i] = 0
+ }
+ }
+
switch c := hc.cipher.(type) {
case cipher.Stream:
c.XORKeyStream(payload, payload)
case *tlsAead:
payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
- paddingLen := 0
- if hc.version >= VersionTLS13 {
- payloadLen++
- paddingLen = hc.config.Bugs.RecordPadding
- }
- if hc.config.Bugs.OmitRecordContents {
- payloadLen = 0
- }
- b.resize(recordHeaderLen + explicitIVLen + payloadLen + paddingLen + c.Overhead())
- if hc.version >= VersionTLS13 {
- if !hc.config.Bugs.OmitRecordContents {
- b.data[payloadLen+recordHeaderLen-1] = byte(typ)
- }
- for i := 0; i < hc.config.Bugs.RecordPadding; i++ {
- b.data[payloadLen+recordHeaderLen+i] = 0
- }
- payloadLen += paddingLen
- }
+ b.resize(len(b.data) + c.Overhead())
nonce := hc.outSeq[:]
if c.explicitNonce {
nonce = b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]