authorLeander Schwarz <lschwarz@mozilla.com>2022-08-26 14:35:35 +0000
committerLeander Schwarz <lschwarz@mozilla.com>2022-08-26 14:35:35 +0000
commit8c01aa55bfaad3326219cd622038a33bcb3b599f (patch)
treed64f86e0b882ba33491460734c0910996a8de7e6 /gtests
parentce6c79df2740d17abfab0fa870056876b56e93f5 (diff)
Bug 1771100 - Update BoGo tests to recent BoringSSL version. r=djackson
It was required to update the docker-interop image to Ubuntu 20.04 since a newer Go release was required for the BoGo tests to run. See nss/gtests/nss_bogo_shim/config.json for a list of disabled BoGo tests, including short descriptions/bug links. A -loose-local-errors flag was added to Bogo (runner.go) to allow usage of more tests by ignoring differences in local errors on the Go side of test connections, similar to the remote error 'suppression' already used. The code is patched into the BoGo runner after cloning in nss/tests/bogo/bogo.sh and can be found in nss/gtests/nss_bogo_shim/nss_loose_local_errors.patch. Differential Revision: https://phabricator.services.mozilla.com/D147675
Diffstat (limited to 'gtests')
-rw-r--r--gtests/nss_bogo_shim/config.json138
-rw-r--r--gtests/nss_bogo_shim/nss_loose_local_errors.patch21
2 files changed, 90 insertions, 69 deletions
diff --git a/gtests/nss_bogo_shim/config.json b/gtests/nss_bogo_shim/config.json
index 5c7a2e348..8d5955166 100644
--- a/gtests/nss_bogo_shim/config.json
+++ b/gtests/nss_bogo_shim/config.json
@@ -1,77 +1,77 @@
{
"DisabledTests": {
- "### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
- "*TLS13Draft*":"NSS supports RFC 8446 only.",
- "IgnoreClientVersionOrder":"Uses draft23",
+ "####################":"####################",
+ "### Failures due to Bogo/NSS specifics":"",
+ "####################":"####################",
+
+ "SendEmptyRecords":"Bogo allows only 32 empty records to be sent before other TLS messages.",
+ "SendUserCanceledAlerts-TooMany-TLS13":"Bogo allows only 5 user canceled alerts to be sent.",
+ "SendWarningAlerts-TooMany":"Bogo allows only 5 warning alerts to be sent.",
+ "TooManyKeyUpdates":"Bogo allows only 32 KeyUpdate messages to be sent.",
+ "UnsolicitedServerNameAck-TLS*":"Boring wants us to fail with an unexpected_extension alert, we simply ignore ssl_server_name_xtn.",
"DuplicateCertCompressionExt*":"BoGo expects that an alert is sent if more than one compression algorithm is sent.",
- "ServerBogusVersion":"Check that SH.legacy_version=TLS12 when the server picks TLS 1.3 (Bug 1443761)",
- "DummyPQPadding-Server*":"Boring is testing a dummy PQ padding extension",
- "VerifyPreferences-Enforced":"NSS sends alerts in response to errors in protected handshake messages in the clear",
- "Draft-Downgrade-Server":"Boring implements a draft downgrade sentinel used for measurements.",
- "FilterExtraAlgorithms":"NSS doesn't allow sending unsupported signature algorithms",
- "SendBogusAlertType":"Unexpected TLS alerts should abort connections (Bug 1438263)",
- "VerifyPreferences-Ed25519":"Add Ed25519 support (Bug 1325335)",
- "Ed25519DefaultDisable*":"Add Ed25519 support (Bug 1325335)",
- "ServerCipherFilter*":"Add Ed25519 support (Bug 1325335)",
- "GarbageCertificate*":"Send bad_certificate alert when certificate parsing fails (Bug 1441565)",
- "SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
- "Resume-Server-BinderWrongLength":"Alert disagreement (Bug 1317633)",
- "Resume-Server-NoPSKBinder":"Alert disagreement (Bug 1317633)",
- "CheckRecordVersion-TLS*":"Bug 1317634",
- "GarbageInitialRecordVersion-TLS*":"NSS doesn't strictly check the ClientHello record version",
- "GREASE-Server-TLS13":"BoringSSL GREASEs without a flag, but we ignore it",
- "TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"Bug in NSS. Don't send ticket when not permitted by KE modes (Bug 1317635)",
- "*KeyUpdate*":"KeyUpdate Unimplemented",
- "ClientAuth-NoFallback-TLS13":"Disagreement about alerts. Bug 1294975",
- "SendWarningAlerts-TLS13":"NSS needs to trigger on warning alerts",
- "NoSupportedCurves":"This tests a non-spec behavior for TLS 1.2 and expects the wrong alert for TLS 1.3",
- "SendEmptyRecords":"Tests a non-spec behavior in BoGo where it chokes on too many empty records",
- "LargePlaintext":"NSS needs to check for over-long records. Bug 1294978",
- "TLS13-RC4-MD5-server":"This fails properly but returns an unexpected error. Not a bug but needs cleanup",
- "*SSL3*":"NSS disables SSLv3",
- "*SSLv3*":"NSS disables SSLv3",
- "*AES256*":"Inconsistent support for AES256",
- "*AES128-SHA256*":"No support for Suite B ciphers",
- "DuplicateExtension*":"NSS sends unexpected_extension alert",
- "WeakDH":"NSS supports 768-bit DH",
- "SillyDH":"NSS supports 4097-bit DH",
- "SendWarningAlerts":"This appears to be Boring-specific",
- "TLS12-AES128-GCM-client":"Bug 1292895",
- "*TLS12-AES128-GCM-LargeRecord*":"Bug 1292895",
- "Renegotiate-Client-Forbidden-1":"Bug 1292898",
- "Renegotiate-Server-Forbidden":"NSS doesn't disable renegotiation by default",
- "Renegotiate-Client-NoIgnore":"NSS doesn't disable renegotiation by default",
- "StrayHelloRequest*":"NSS doesn't disable renegotiation by default",
- "NoSupportedCurves-TLS13":"wanted SSL_ERROR_NO_CYPHER_OVERLAP, got missing extension error",
- "FragmentedClientVersion":"received a malformed Client Hello handshake message",
- "WrongMessageType-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
- "TrailingMessageData-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
- "UnofferedExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
- "UnknownExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
- "WrongMessageType-TLS13-CertificateRequest":"Boring expects CCS (Bugs 1481209, 1304603)",
- "WrongMessageType-TLS13-ServerCertificateVerify":"Boring expects CCS (Bugs 1481209, 1304603)",
- "WrongMessageType-TLS13-ServerCertificate":"Boring expects CCS (Bugs 1481209, 1304603)",
- "WrongMessageType-TLS13-ServerFinished":"Boring expects CCS (Bugs 1481209, 1304603)",
- "TrailingMessageData-*": "Bug 1304575",
- "DuplicateKeyShares":"Bug 1304578",
- "Resume-Server-TLS13-TLS13":"Bug 1314351",
- "SkipEarlyData-Interleaved":"Bug 1336916",
- "ECDSAKeyUsage-TLS1*":"Bug 1338194",
- "PointFormat-Client-MissingUncompressed":"We ignore ec_point_formats extensions sent by servers.",
- "SkipEarlyData-SecondClientHelloEarlyData":"Boring doesn't reject early_data in the 2nd CH but fails later with bad_record_mac.",
- "SkipEarlyData-*TooMuchData":"Bug 1339373",
- "UnsolicitedServerNameAck-TLS1*":"Boring wants us to fail with an unexpected_extension alert, we simply ignore ssl_server_name_xtn.",
- "RequireAnyClientCertificate-TLS1*":"Bug 1339387",
+ "*Auth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty.",
+ "NoSupportedCurves":"This tests a non-spec behavior for TLS 1.2",
+ "SkipEarlyData-*TooMuchData*":"Test of internal BoGo features (see Bug 1339373).",
+ "Client-RejectJDK11DowngradeRandom":"This random is not specified in RFC8446.",
+ "Renegotiate-Server-Forbidden":"TLS 1.2 test, renegotiation is allowed in NSS.",
+ "EmptySessionID-TLS13":"This test also asserts BoringSSL always sending CCS messages for compatibility mode.",
+ "Http*":"Test sends http string to socket before handshake. his data is interpreted as a record header and leads to different IO errors in NSS.",
+ "V2ClientHello*":"Prefix data before V2 ClientHello leads to IO errors in NSS.",
+ "Server-JDK11-NoWorkaround-3":"Unexpected Bogo crash.",
+
+ "*Ed25519*":"Add Ed25519 support (Bug 1325335)",
+ "*NoSSL3*":"Test passes but only because of handshake failure, NSS only rejects SSL3 immediately in TLS1.3 clients/servers.",
+ "GREASE-Server-TLS13":"NSS only supports ECH grease.",
"SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
- "ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",
- "P224-Server":"NSS doesn't support P-224",
- "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."
+ "CheckRecordVersion-TLS1":"NSS doesn't check record version field. Bug 1317634",
+ "CheckRecordVersion-TLS11":"NSS doesn't check record version field. Bug 1317634",
+ "CheckRecordVersion-TLS12":"NSS doesn't check record version field. Bug 1317634",
+ "GarbageInitialRecordVersion-TLS*":"NSS doesn't strictly check the ClientHello record version.",
+ "DuplicateKeyShares*":"NSS doesn't check for duplicates. Bug 1304578",
+ "PointFormat-Client-MissingUncompressed":"NSS ignores ec_point_formats extensions sent by servers.",
+ "SkipEarlyData-Interleaved-TLS13":"NSS ignores invalid early data records by default since ssl_0rtt_ignore_trial is default. Bug 1336916",
+ "ECDSAKeyUsage*":"NSS only checks KeyUsage on server setup and with delegated credential verification. Bug 1338194",
+ "RSAKeyUsage-*-WantSignature-GotEncipherment-*":"NSS only checks KeyUsage on server setup and with delegated credential verification. See Bug 1338194",
+ "TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"NSS Server side bug. Don't send ticket when not permitted by KE modes (Bug 1317635)",
+ "Resume-Server-OmitPSKsOnSecondClientHello":"NSS Server side bug. It does not detect ClientHello dropping of PSK extension (after HRR).",
+ "Renegotiate-Client-Forbidden-1":"By default NSS allows renegotiation with extension contrary to bogo.",
+ "TLS-ECH*":"NSS ECH is not enabled by default.",
+ "Server-TooLongSessionID*":"NSS does not check the length of the ClientHello sessionID.",
+ "TrailingData*":"NSS does only check for trailing data on possible key change handshake messages in TLS 1.3",
+ "Partial*":"See TrailingData* description.",
+
+ "####################":"####################",
+ "### TLS1/11 failures due to unsupported signature algorithms":"",
+ "####################":"####################",
+
+ "FallbackSCSV":"",
+ "TicketSessionIDLength*":"",
+ "NoExtendedMasterSecret-TLS1-Server":"",
+ "NoExtendedMasterSecret-TLS11-Server":"",
+ "TLS1-Server-ClientAuth*":"",
+ "TLS11-Server-ClientAuth*":"",
+ "Resume-Server-TLS1-TLS1-TLS":"",
+ "Resume-Server-TLS11-TLS11-TLS":"",
+ "Resume-Server-NoTickets-TLS1-TLS1-TLS":"",
+ "Resume-Server-NoTickets-TLS11-TLS11-TLS":"",
+ "VersionNegotiation-Server*-TLS1-TLS":"",
+ "VersionNegotiation-Server*-TLS11-TLS":"",
+ "MinimumVersion-Server*-TLS1-TLS1-TLS":"",
+ "MinimumVersion-Server*-TLS1-TLS11-TLS":"",
+ "MinimumVersion-Server*-TLS11-TLS11-TLS":"",
+ "GarbageCertificate-Server-TLS1":"",
+ "GarbageCertificate-Server-TLS11":"",
+ "LooseInitialRecordVersion-TLS1":"",
+ "LooseInitialRecordVersion-TLS11":"",
+ "*Certificate-TLS1":"",
+ "*Certificate-TLS11":"",
+ "BadRSAClientKeyExchange-*":"This is a TLS11 only test.",
+ "RSAKeyUsage-Server-WantSignature-GotSignature-TLS1":"Only Server side of TLS 1 fails",
+ "RSAKeyUsage-Server-WantSignature-GotSignature-TLS11":"Only Server side of TLS 11 fails",
+
+ "":""
},
"ErrorMap" : {
- ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
- ":UNKNOWN_CIPHER_RETURNED:":"SSL_ERROR_NO_CYPHER_OVERLAP",
- ":OLD_SESSION_CIPHER_NOT_RETURNED:":"SSL_ERROR_RX_MALFORMED_SERVER_HELLO",
- ":NO_SHARED_CIPHER:":"SSL_ERROR_NO_CYPHER_OVERLAP",
- ":DIGEST_CHECK_FAILED:":"SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE"
}
}
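Review bot: Several newly disabled entries that describe a missing NSS-side check carry no tracking bug, unlike their neighbours: `"Server-TooLongSessionID*"`, `"Resume-Server-OmitPSKsOnSecondClientHello"` and `"TrailingData*"`/`"Partial*"` describe unchecked ClientHello/handshake input, and the whole "TLS1/11 failures due to unsupported signature algorithms" section uses empty strings as descriptions, so nothing ties these disabled tests to work that would re-enable them. Suggest giving each a reference in the same form the file already uses, e.g. `"Server-TooLongSessionID*":"NSS does not check the length of the ClientHello sessionID. Bug <TRACKING-BUG>"`, and a one-line reason on the empty entries. The separator keys `"####################"` and the trailing `"":""` are duplicate keys within one JSON object; this presumably relies on the shim's JSON parser applying last-wins rather than rejecting duplicates, which is worth confirming or noting at the top of the file. The `"Http*"` description also has a typo, `his data` for `This data`.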
diff --git a/gtests/nss_bogo_shim/nss_loose_local_errors.patch b/gtests/nss_bogo_shim/nss_loose_local_errors.patch
new file mode 100644
index 000000000..7d816c676
--- /dev/null
+++ b/gtests/nss_bogo_shim/nss_loose_local_errors.patch
@@ -0,0 +1,21 @@
+diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
+index 4c1c95551..3e4eb3530 100644
+--- a/ssl/test/runner/runner.go
++++ b/ssl/test/runner/runner.go
+@@ -74,6 +74,7 @@ var (
+ deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
+ allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
+ looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
++ looseLocalErrors = flag.Bool("loose-local-errors", false, "If true, allow shims to report an untranslated local error code.")
+ shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
+ includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
+ repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
+@@ -1696,7 +1697,7 @@ func runTest(statusChan chan statusMsg, test *testCase, shimPath string, mallocN
+ if localErr != nil {
+ localErrString = localErr.Error()
+ }
+- if len(test.expectedLocalError) != 0 {
++ if !*looseLocalErrors && len(test.expectedLocalError) != 0 {
+ correctFailure = correctFailure && strings.Contains(localErrString, test.expectedLocalError)
+ }
+
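Review bot: The description on the added `looseLocalErrors` flag is copied from `looseErrors` and misdescribes what the flag does: the local error is produced by the Go runner's side of the connection, not reported by the shim, so suggest `looseLocalErrors = flag.Bool("loose-local-errors", false, "If true, ignore mismatches between the runner's local error and the test's expected local error.")`. In the runTest hunk the flag drops the `expectedLocalError` comparison silently, so a test whose only failure assertion is a specific local error can pass without checking anything; consider logging the ignored mismatch (the test name, `localErrString` and `test.expectedLocalError`) so the weakened assertion is visible in the run output. The patch is pinned to the line numbers and blob ids of one BoringSSL revision, so it will need refreshing whenever the checkout in bogo.sh moves. runTest begins and ends outside this hunk.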