From: Daniel McCarney Date: Wed, 30 Apr 2025 14:07:10 +0000 (-0400) Subject: crypto/tls: skip BadRSAClientKeyExchange-[4,5] X-Git-Tag: go1.25rc1~312 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=45f27826178981400f6d083fd087d20d0abb02d2;p=gostls13.git crypto/tls: skip BadRSAClientKeyExchange-[4,5] These two bogo tests mutate the version number used for the premaster secret calculation for a client RSA key exchange, with the expectation the server rejects the handshake. Per the comment in the end of rsaKeyAgreement.processClientKeyExchange we explicitly choose *not* to verify the version number. This commit adds the two version number tests to the ignore list. They coincidentally happen to produced the expected failure because they use a non-default ciphersuite. When we add this ciphersuite to the client config for the bogo test they will start to fail unless ignored. Updates #72006 Change-Id: I27a2cd231e4b8762b0d9e2dbd3d8ddd5b87fd5c6 Reviewed-on: https://go-review.googlesource.com/c/go/+/669175 LUCI-TryBot-Result: Go LUCI Reviewed-by: Cherry Mui Reviewed-by: Roland Shoemaker --- diff --git a/src/crypto/tls/bogo_config.json b/src/crypto/tls/bogo_config.json index 66f29998ff..6e82ba8023 100644 --- a/src/crypto/tls/bogo_config.json +++ b/src/crypto/tls/bogo_config.json @@ -58,6 +58,9 @@ "*Client-P-224*": "no P-224 support", "*Server-P-224*": "no P-224 support", "CurveID-Resume*": "unexposed curveID is not stored in the ticket yet", + "BadRSAClientKeyExchange-4": "crypto/tls doesn't check the version number in the premaster secret - see processClientKeyExchange comment", + "BadRSAClientKeyExchange-5": "crypto/tls doesn't check the version number in the premaster secret - see processClientKeyExchange comment", + "CheckLeafCurve": "TODO: first pass, this should be fixed", "DisabledCurve-HelloRetryRequest-TLS13": "TODO: first pass, this should be fixed", "UnsupportedCurve": "TODO: first pass, this should be fixed",