crypto/tls: enable more large record bogo tests
authorDaniel McCarney <daniel@binaryparadox.net>
Tue, 29 Apr 2025 21:41:53 +0000 (17:41 -0400)
committerDaniel McCarney <daniel@binaryparadox.net>
Fri, 9 May 2025 20:38:59 +0000 (13:38 -0700)
Previously a handful of large record tests were in the bogo config
ignore list. The ignored tests were failing because they used
insecure ciphersuites that aren't enabled by default.

This commit adds the non-default insecure ciphersuites to the bogo
TLS configuration and re-enables the tests. Doing this uncovered
a handful of unrelated tests that needed to be fixed, each handled
before this commit.

Updates #72006

Change-Id: I27a2cd231e4b8762b0d9e2dbd3d8ddd5b87fd5c7
Reviewed-on: https://go-review.googlesource.com/c/go/+/669158
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

src/crypto/tls/bogo_config.json
src/crypto/tls/bogo_shim_test.go

index 6e82ba80233b56a9f51a360287a70abc108025ba..5c1fd5a4638528d45f63ab6f54e568683b93b967 100644 (file)
         "SupportTicketsWithSessionID": "TODO: first pass, this should be fixed",
         "NoNullCompression-TLS12": "TODO: first pass, this should be fixed",
         "KeyUpdate-RequestACK": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_128_GCM_SHA256-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS1-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS11-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_256_GCM_SHA384-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS1-RSA_WITH_AES_256_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS11-RSA_WITH_AES_256_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-RSA_WITH_AES_256_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed",
-        "TLS-TLS12-ECDHE_RSA_WITH_AES_128_CBC_SHA256-LargeRecord": "TODO: first pass, this should be fixed",
         "RequireAnyClientCertificate-TLS1": "TODO: first pass, this should be fixed",
         "RequireAnyClientCertificate-TLS11": "TODO: first pass, this should be fixed",
         "RequireAnyClientCertificate-TLS12": "TODO: first pass, this should be fixed",
index 25367eef615bec98804ebb382e4ba87523dec365..fff276979e574693823d0d9c82d4975acf9c8077 100644 (file)
@@ -125,6 +125,12 @@ func bogoShim() {
                return
        }
 
+       // Test with both the default and insecure cipher suites.
+       var ciphersuites []uint16
+       for _, s := range append(CipherSuites(), InsecureCipherSuites()...) {
+               ciphersuites = append(ciphersuites, s.ID)
+       }
+
        cfg := &Config{
                ServerName: "test",
 
@@ -133,6 +139,8 @@ func bogoShim() {
 
                ClientSessionCache: NewLRUClientSessionCache(0),
 
+               CipherSuites: ciphersuites,
+
                GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
 
                        if *expectAdvertisedALPN != "" {
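Review bot: `CipherSuites: ciphersuites` enables every entry of `InsecureCipherSuites()` for all shim runs, so from the visible lines no bogo test seems to exercise the package's default TLS 1.0–1.2 suite list any more. A regression that only appears under the defaults could then go unnoticed. The comment in the previous hunk should say this is deliberate and test-only, for example `// Enable every implemented suite, including InsecureCipherSuites, so bogo tests that` / `// require non-default suites can negotiate. Test shim only; Config.CipherSuites` / `// has no effect on TLS 1.3 suites.` As a style point, `cipherSuites` fits Go's MixedCaps naming better than `ciphersuites`. Both bogoShim and the Config literal continue outside these hunks, so a later override of the field cannot be ruled out from here.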