Merge f73fd68 into 0e946f6

README.md

@@ -78,7 +78,7 @@ obsolete cryptography.
 
 ## Current features
 
-* TLS1.2 and TLS1.3 (draft 18) only.
+* TLS1.2 and TLS1.3 (draft 22) only.
 * ECDSA or RSA server authentication by clients.
 * RSA server authentication by servers.
 * Forward secrecy using ECDHE; with curve25519, nistp256 or nistp384 curves.
@@ -93,6 +93,7 @@ obsolete cryptography.
 * Client authentication by clients.
 * Client authentication by servers.
 * Extended master secret support (RFC7627).
+* Exporters (RFC5705).
 * OCSP stapling by servers.
 * SCT stapling by servers.
 * SCT verification by clients.

bogo/check.py

@@ -0,0 +1,46 @@
+import re
+import json
+import fnmatch
+
+config = json.load(open('config.json'))
+test_error_set = set(config['TestErrorMap'].keys())
+obsolete_disabled_tests = set()
+
+all_tests = set()
+failing_tests = set()
+unimpl_tests = set()
+disabled_tests = set()
+passed_tests = set()
+
+for line in open('out'):
+    m = re.match('^(PASSED|UNIMPLEMENTED|FAILED|DISABLED) \((.*)\)$', line.strip())
+    if m:
+        status, name = m.groups()
+        if name in test_error_set:
+            test_error_set.remove(name)
+        all_tests.add(name)
+        if status == 'FAILED':
+            failing_tests.add(name)
+        elif status == 'UNIMPLEMENTED':
+            unimpl_tests.add(name)
+        elif status == 'DISABLED':
+            disabled_tests.add(name)
+        elif status == 'PASSED':
+            passed_tests.add(name)
+
+if disabled_tests:
+    for disabled_glob in sorted(config['DisabledTests'].keys()):
+        tests_matching_glob = fnmatch.filter(disabled_tests, disabled_glob)
+        if not tests_matching_glob:
+            print 'DisabledTests glob', disabled_glob, 'matches no tests'
+else:
+    print '(DisabledTests unchecked)'
+
+print len(all_tests), 'total tests'
+print len(passed_tests), 'passed'
+print len(failing_tests), 'tests failing'
+print len(unimpl_tests), 'tests not supported'
+
+if test_error_set:
+    print 'unknown TestErrorMap keys', test_error_set
+

bogo/fetch-and-build

@@ -3,7 +3,7 @@
 set -e
 
 # a known-good commit
-COMMIT=9c33ae85621ef8e00a42309b5101e0bedd02b816
+COMMIT=0a54e998481b0b5a8abd9717c5f7301a3b18b628
 
 rm -f runner.tar.gz
 wget https://boringssl.googlesource.com/boringssl/+archive/$COMMIT/ssl/test/runner.tar.gz

bogo/patches/testerrormap.diff

@@ -1,20 +1,22 @@
-Support a map of test names to expected errors.
-
-diff -ru vanilla/runner.go bogo/runner.go
---- vanilla/runner.go	2016-08-17 23:45:12.000000000 +0100
-+++ bogo/runner.go	2016-08-22 23:25:37.911319366 +0100
-@@ -78,6 +78,10 @@
- 	// “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
+diff -ru original/runner.go bogo/runner.go
+--- original/runner.go	2017-12-28 16:24:49.000000000 +0000
++++ bogo/runner.go	2017-12-29 13:53:29.061166983 +0000
+@@ -83,6 +83,14 @@
  	// like “SSL_ERROR_NO_CYPHER_OVERLAP”.
  	ErrorMap map[string]string
-+
+ 
 +	// TestErrorMap maps from full test names to the correct error
 +	// string for the shim in question.
 +	TestErrorMap map[string]string
- }
-
- var shimConfig ShimConfiguration
-@@ -766,7 +770,11 @@
++
++	// TestLocalErrorMap maps from full test names to the correct local
++	// error string for the shim in question.
++	TestLocalErrorMap map[string]string
++
+ 	// HalfRTTTickets is the number of half-RTT tickets the client should
+ 	// expect before half-RTT data when testing 0-RTT.
+ 	HalfRTTTickets int
+@@ -939,7 +947,11 @@
  	}
  }
 
@@ -27,12 +29,38 @@ diff -ru vanilla/runner.go bogo/runner.go
  	if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
  		return translated
  	}
-@@ -936,7 +944,7 @@
+@@ -951,6 +963,14 @@
+ 	return errorStr
+ }
+
++func translateExpectedLocalError(testName string, localError string) string {
++	if translated, ok := shimConfig.TestLocalErrorMap[testName]; ok {
++		return translated
++	}
++
++	return localError
++}
++
+ func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
+ 	// Help debugging panics on the Go side.
+ 	defer func() {
+@@ -1215,15 +1235,16 @@
  	}
 
  	failed := err != nil || childErr != nil
 -	expectedError := translateExpectedError(test.expectedError)
 +	expectedError := translateExpectedError(test.name, test.expectedError)
  	correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
 
++	var expectedLocalError = translateExpectedLocalError(test.name, test.expectedLocalError)
  	localError := "none"
+ 	if err != nil {
+ 		localError = err.Error()
+ 	}
+-	if len(test.expectedLocalError) != 0 {
+-		correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
++	if len(expectedLocalError) != 0 {
++		correctFailure = correctFailure && strings.Contains(localError, expectedLocalError)
+ 	}
+
+ 	if failed != test.shouldFail || failed && !correctFailure || mustFail {

bogo/runme

@@ -14,6 +14,9 @@ if [ ! -e bogo/ ] ; then
   cp -v keys/* bogo/
 fi
 
+# Best effort on OS-X
+case $OSTYPE in darwin*) set +e ;; esac
+
 ( cd bogo && ./bogo.test -shim-path ../../target/debug/examples/bogo_shim \
      -shim-config ../config.json \
      -test.parallel 1 -num-workers 1 \