Update boringssl to afd52e91dfed27ab7193be040f067900947b14ac

Note that the block of 'LooseErrorTests' was previously handled by a patch in the BoGo test code. For consistency, I marked them as "loose errors" (aka. ignore reported TLS alert).
randombit · Oct 17, 2024 · c23a012 · c23a012
1 parent 6eb245d
commit c23a012
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -189,7 +189,7 @@ jobs:
  uses: actions/checkout@v4
  with:
  repository: randombit/boringssl
- ref: rene/runner-20240524
+ ref: rene/runner-20241016
  path: ./boringssl
  if: matrix.target == 'coverage' || matrix.target == 'sanitizer'
 

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -48,7 +48,7 @@ jobs:
  uses: actions/checkout@v4
  with:
  repository: randombit/boringssl
- ref: rene/runner-20240524
+ ref: rene/runner-20241016
  path: ./boringssl
 
  - name: Setup Build Agent

diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
@@ -133,8 +133,10 @@ std::string map_to_bogo_error(const std::string& e) {
  {"Client sent plaintext HTTP request instead of TLS handshake", ":HTTP_REQUEST:"},
  {"Client signalled fallback SCSV, possible attack", ":INAPPROPRIATE_FALLBACK:"},
  {"Client version TLS v1.1 is unacceptable by policy", ":UNSUPPORTED_PROTOCOL:"},
+ {"Concatenated public values have an unexpected length", ":BAD_ECPOINT:"},
  {"No shared TLS version based on supported versions extension", ":UNSUPPORTED_PROTOCOL:"},
  {"Client: No certificates sent by server", ":DECODE_ERROR:"},
+ {"Decoded polynomial coefficients out of range", ":BAD_ECPOINT:"},
  {"Non-PSK Client Hello did not contain supported_groups and signature_algorithms extensions",
  ":NO_SHARED_GROUP:"},
  {"No certificates sent by server", ":PEER_DID_NOT_RETURN_A_CERTIFICATE:"},
@@ -173,6 +175,10 @@ std::string map_to_bogo_error(const std::string& e) {
  {"Invalid SessionTicket: Extra bytes at end of message", ":DECODE_ERROR:"},
  {"Invalid authentication tag: ChaCha20Poly1305 tag check failed", ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"},
  {"Invalid authentication tag: GCM tag check failed", ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"},
+ {"Invalid encapsulated key length", ":BAD_ECPOINT:"},
+ {"Invalid hybrid KEM ciphertext", ":BAD_ECPOINT:"},
+ {"Invalid size 31 for X25519 public key", ":BAD_ECPOINT:"},
+ {"Invalid size 33 for X25519 public key", ":BAD_ECPOINT:"},
  {"Message authentication failure", ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"},
  {"No content type found in encrypted record", ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"},
  {"No shared DTLS version", ":UNSUPPORTED_PROTOCOL:"},
@@ -236,6 +242,7 @@ std::string map_to_bogo_error(const std::string& e) {
  {"Unexpected extension received", ":UNEXPECTED_EXTENSION:"},
  {"server hello must contain key exchange information", ":MISSING_KEY_SHARE:"},
  {"Peer sent duplicated extensions", ":DUPLICATE_EXTENSION:"},
+ {"Policy does not accept any hash function supported by client", ":NO_SHARED_CIPHER:"},
  {"Server sent bad values for secure renegotiation", ":RENEGOTIATION_MISMATCH:"},
  {"Server version DTLS v1.0 is unacceptable by policy", ":UNSUPPORTED_PROTOCOL:"},
  {"Server version TLS v1.0 is unacceptable by policy", ":UNSUPPORTED_PROTOCOL:"},
@@ -323,6 +330,7 @@ std::string map_to_bogo_error(const std::string& e) {
  {"Error alert not marked fatal", ":BAD_ALERT:"},
  {"Peer sent unknown signature scheme", ":WRONG_SIGNATURE_TYPE:"},
  {"We did not offer the usage of RSA_PSS_SHA256 as a signature scheme", ":WRONG_SIGNATURE_TYPE:"},
+ {"X25519 public point appears to be of low order", ":BAD_ECPOINT:"},
  };
 
  auto err_map_i = err_map.find(e);

diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
@@ -21,7 +21,32 @@
  "TLS-TLS13-PSK_WITH_AES_256_CBC_SHA-server": "expects a different error for better coverage of Boring SSL's code base",
  "TLS-TLS13-ECDHE_PSK_WITH_AES_128_CBC_SHA-server": "expects a different error for better coverage of Boring SSL's code base",
  "TLS-TLS13-ECDHE_PSK_WITH_AES_256_CBC_SHA-server": "expects a different error for better coverage of Boring SSL's code base",
- "TLS-TLS13-ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256-server": "expects a different error for better coverage of Boring SSL's code base"
+ "TLS-TLS13-ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256-server": "expects a different error for better coverage of Boring SSL's code base",
+
+ "CertificateVerificationFail-Server-TLS12-TLS-Sync": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-TLS-Sync": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-TLS-Sync-ImplicitHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-TLS-Sync-ImplicitHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-TLS-Sync-SplitHandshakeRecords": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-TLS-Sync-SplitHandshakeRecords": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-TLS-Sync-PackHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-TLS-Sync-PackHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-DTLS-Sync": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-DTLS-Sync": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-DTLS-Sync": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-CustomCallback-DTLS-Sync": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-DTLS-Sync-ImplicitHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-DTLS-Sync-ImplicitHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-CustomCallback-DTLS-Sync-ImplicitHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-DTLS-Sync-ImplicitHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-DTLS-Sync-SplitHandshakeRecords": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-DTLS-Sync-SplitHandshakeRecords": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-DTLS-Sync-SplitHandshakeRecords": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-CustomCallback-DTLS-Sync-SplitHandshakeRecords": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-CustomCallback-DTLS-Sync-PackHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS12-DTLS-Sync-PackHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-DTLS-Sync-PackHandshake": "too picky TLS alert",
+ "CertificateVerificationFail-Server-TLS13-CustomCallback-DTLS-Sync-PackHandshake": "too picky TLS alert"
  },
 
  "DisabledTests": {
@@ -36,10 +61,22 @@
  "*-TLS11-*": "No TLS 1.1",
  "TLS11-*": "No TLS 1.1",
 
+ "*DTLS13*": "No DTLS 1.3",
+ "DTLS-TLS13*": "No DTLS 1.3",
+ "*TLS13-DTLS": "No DTLS 1.3",
+ "*DTLS-TLS13": "No DTLS 1.3",
+ "TLS13*-DTLS-*": "No DTLS 1.3",
+ "MinimumVersion-*-TLS13-*DTLS": "No DTLS 1.3",
+
  "*RSA_PKCS1_MD5_SHA1": "We do not implement MD5/SHA1 concatenation anyway",
+ "*RSA_PKCS1_SHA1*": "We do not implement PKCS1 SHA-1",
+ "*-ECDSA_SHA1-*": "We do not implement ECDSA SHA-1",
+ "*RSA_PKCS1_SHA256_LEGACY-TLS13": "We do allow for PKCS1 in TLS 1.3",
+
  "Compliance-fips202205-*": "We do not have explicit support for a FIPS TLS policy",
  "Compliance-fips-202205-*": "We do not have explicit support for a FIPS TLS policy",
  "Compliance-wpa-202304-*": "We do not have explicit support for the WPA Enterprise mode",
+ "Compliance-cnsa202407-*": "We do not have explicit support for CNSA",
 
  "CBCRecordSplitting*": "No need to split CBC records in TLS 1.2",
  "DelegatedCredentials*": "No support of -delegated-cerdential",
@@ -142,6 +179,8 @@
  "Renegotiate-Client-UnfinishedWrite": "BoringSSL specific API test",
  "FailEarlyCallback": "BoringSSL specific API test",
 
+ "*MLKEM*": "No support for hybrid key exchange with ML-KEM, yet",
+
  "NotJustKyberKeyShare": "BoringSSL specific policy test (we may offer solo PQ/T groups)",
  "KyberKeyShareIncludedSecond": "BoringSSL specific policy test (we may offer solo PQ/T groups)",
  "KyberKeyShareIncludedThird": "BoringSSL specific policy test (we may offer solo PQ/T groups)",

diff --git a/src/editors/vscode/scripts/bogo.py b/src/editors/vscode/scripts/bogo.py
@@ -6,7 +6,7 @@
 
 
 BORING_REPO = "https://github.com/randombit/boringssl.git"
-BORING_BRANCH = "rene/runner-20240524"
+BORING_BRANCH = "rene/runner-20241016"
 
 BORING_PATH = "build_deps/boringssl"
 BOGO_PATH = os.path.join(BORING_PATH, "ssl", "test", "runner")