crypto/tls: clarify group selection logic

I initially thought the logic was broken, but writing the test I realized it was actually very clever (derogative). It was relying on the outer loop continuing after a supported match without a key share, allowing a later key share to override it (but not a later supported match because of the "if selectedGroup != 0 { continue }"). Replaced the clever loop with two hopefully more understandable loops, and added a test (which was already passing). We were however not checking that the selected group is in the supported list if we found it in key shares first. (This was only a MAY.) Fixed. Fixes #65686 Change-Id: I09ea44f90167ffa36809deb78255ed039a217b6d Reviewed-on: https://go-review.googlesource.com/c/go/+/586655 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org>
2025-04-04 20:47:36 +03:00 · 2024-05-18 19:35:39 +02:00 · 2024-05-18 19:35:39 +02:00 · 245de0a13b
commit 245de0a13b
parent 2a85364a09
9 changed files with 248 additions and 60 deletions
--- a/boring_test.go
+++ b/boring_test.go
@ -26,33 +26,42 @@ import (
 )

 func TestBoringServerProtocolVersion(t *testing.T) {
-	test := func(name string, v uint16, msg string) {
+	test := func(t *testing.T, name string, v uint16, msg string) {
 		t.Run(name, func(t *testing.T) {
 			serverConfig := testConfig.Clone()
 			serverConfig.MinVersion = VersionSSL30
-			clientHello := &clientHelloMsg{
-				vers:               v,
-				random:             make([]byte, 32),
-				cipherSuites:       allCipherSuites(),
-				compressionMethods: []uint8{compressionNone},
-				supportedVersions:  []uint16{v},
+			clientConfig := testConfig.Clone()
+			clientConfig.MinVersion = v
+			clientConfig.MaxVersion = v
+			_, _, err := testHandshake(t, clientConfig, serverConfig)
+			if msg == "" {
+				if err != nil {
+					t.Fatalf("got error: %v, expected success", err)
+				}
+			} else {
+				if err == nil {
+					t.Fatalf("got success, expected error")
+				}
+				if !strings.Contains(err.Error(), msg) {
+					t.Fatalf("got error %v, expected %q", err, msg)
+				}
 			}
-			testClientHelloFailure(t, serverConfig, clientHello, msg)
 		})
 	}

-	test("VersionTLS10", VersionTLS10, "")
-	test("VersionTLS11", VersionTLS11, "")
-	test("VersionTLS12", VersionTLS12, "")
-	test("VersionTLS13", VersionTLS13, "")
+	test(t, "VersionTLS10", VersionTLS10, "")
+	test(t, "VersionTLS11", VersionTLS11, "")
+	test(t, "VersionTLS12", VersionTLS12, "")
+	test(t, "VersionTLS13", VersionTLS13, "")

-	fipstls.Force()
-	defer fipstls.Abandon()
-	test("VersionSSL30", VersionSSL30, "client offered only unsupported versions")
-	test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
-	test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
-	test("VersionTLS12", VersionTLS12, "")
-	test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
+	t.Run("fipstls", func(t *testing.T) {
+		fipstls.Force()
+		defer fipstls.Abandon()
+		test(t, "VersionTLS10", VersionTLS10, "supported versions")
+		test(t, "VersionTLS11", VersionTLS11, "supported versions")
+		test(t, "VersionTLS12", VersionTLS12, "")
+		test(t, "VersionTLS13", VersionTLS13, "supported versions")
+	})
 }

 func isBoringVersion(v uint16) bool {
@ -154,26 +163,22 @@ func TestBoringServerCurves(t *testing.T) {

 	for _, curveid := range defaultCurvePreferences {
 		t.Run(fmt.Sprintf("curve=%d", curveid), func(t *testing.T) {
-			clientHello := &clientHelloMsg{
-				vers:               VersionTLS12,
-				random:             make([]byte, 32),
-				cipherSuites:       []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
-				compressionMethods: []uint8{compressionNone},
-				supportedCurves:    []CurveID{curveid},
-				supportedPoints:    []uint8{pointFormatUncompressed},
+			clientConfig := testConfig.Clone()
+			clientConfig.CurvePreferences = []CurveID{curveid}
+			if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
+				t.Fatalf("got error: %v, expected success", err)
 			}

-			testClientHello(t, serverConfig, clientHello)
-
 			// With fipstls forced, bad curves should be rejected.
 			t.Run("fipstls", func(t *testing.T) {
 				fipstls.Force()
 				defer fipstls.Abandon()
-				msg := ""
-				if !isBoringCurve(curveid) {
-					msg = "no cipher suite supported by both client and server"
+				_, _, err := testHandshake(t, clientConfig, serverConfig)
+				if err != nil && isBoringCurve(curveid) {
+					t.Fatalf("got error: %v, expected success", err)
+				} else if err == nil && !isBoringCurve(curveid) {
+					t.Fatalf("got success, expected error")
 				}
-				testClientHelloFailure(t, serverConfig, clientHello, msg)
 			})
 		})
 	}