1. onResumeShimWritesFirst is unused, replace the binding with an
   underscore.
2. in the bogoShim() function when looping through resumeCount+1 the
   tlsConn read for loop only breaks for non-nil err, so there's no need
   to check that again after the loop body.

Updates #72006

Change-Id: Ieff45d26df33d71003a2509ea5b2b06c5fa0e1d6
Reviewed-on: https://go-review.googlesource.com/c/go/+/650715
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>

While not clearly motivated by normative language in RFC 8446 it seems
clear that an empty opaque ticket value is non-operable, and so we
should reject it with an appropriate alert/error.

This allows removing the SendEmptySessionTicket-TLS13 BoGo test from the
bogo excluded tests configuration.

Fixes #70513
Updates #72006

Change-Id: I589b34e86fb1eb27a349a230e920c22284597cde
Reviewed-on: https://go-review.googlesource.com/c/go/+/650735
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>

This commit removes SkipNewSessionTicket from the bogo_config.json
excluded tests list.

Previously this test was being skipped with a TODO that there might be
a bug here. In practice it seems like there's no bug and the test is
handled correctly by crypto/tls.

When activated, a TLS 1.2 client connecting to the bogo dispatcher goes
through the normal handshake process with the exception that the server
skips sending the NewSessionTicket msg expected by the client in
response to the client's final flight of handshake msgs.

The crypto/tls TLS 1.2 client_handshake.go logic correctly rejects the
unexpected message that follows (ChangeCipherSpec) when trying to read
the bytes necessary to unmarshal the expected NewSessionTicket message
that was omitted.

Updates #72006

Change-Id: I9faea4d18589d10b163211aa17b2d0da8af1187e
Reviewed-on: https://go-review.googlesource.com/c/go/+/650736
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

When encountering alertUserCanceled in a TLS 1.3 handshake, ignore the
alert and retry reading a record. This matches existing logic for how
TLS 1.2 alertLevelWarning alerts are handled.

For broader context, TLS 1.3 removed warning-level alerts except for
alertUserCanceled (RFC 8446, § 6.1). Since at least one major
implementation (https://bugs.openjdk.org/browse/JDK-8323517)
misuses this alert, many TLS stacks now ignore it outright when seen in
a TLS 1.3 handshake (e.g. BoringSSL, NSS, Rustls).

With the crypto/tls behaviour changed to match peer implementations we
can now enable the "SendUserCanceledAlerts-TLS13" BoGo test.

"SendUserCanceledAlerts-TooMany-TLS13" remains ignored, because like
"SendWarningAlerts*" fixing the test requires some general spam
protocol message enhancements be done first.

Updates #72006

Change-Id: I570c1fa674b5a4760836c514d35ee17f746fe28d
Reviewed-on: https://go-review.googlesource.com/c/go/+/650716
Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

When this command line flag is provided to the BoGo runner it will:

* Disable some timeouts
* Limit concurrency to 1 worker at a time
* Pass the -wait-for-debugger flag to the shim process
* Print the PID of the shim process to status output

On the shim-side, we need to react to -wait-for-debugger by sending
ourselves a SIGSTOP signal. When a debugger attaches to the shim the
process will be resumed.

This makes it possible to debug both the runner side and the shim side
of a BoGo interaction without resorting to print style debugging.

Since SIGSTOP is not a signal we can use on Windows this functionality
is limited to unix builds.

Updates #72006

Change-Id: Iafa08cf71830cdfde3e6ee4826914236e3cd7e57
Reviewed-on: https://go-review.googlesource.com/c/go/+/650737
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Previously this test was skipped without a comment clarifying why. In
practice it's because crypto/tls doesn't generate GREASE extensions at
this time, and the test expects to find one in the NewSessionTicket
message extensions produced by a server.

We're already skipping some other GREASE related test as
not-yet-implemented without explicit bogo_config.json exclusion by way
of the -enable-grease flag not being implemented, however for TLS
1.3 servers the BoGo expectation is that they _always_ send GREASE, and
so the -enable-grease flag isn't provided and an explicit skip must be
used.

We should revisit this alongside implementing GREASE ext production in
general for both clients and servers.

Updates #72006

Change-Id: I8af4b555ac8c32cad42215fbf26aa0feae90fa21
Reviewed-on: https://go-review.googlesource.com/c/go/+/650717
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>

For malformed client/server certificates in a TLS handshake send
a decode_error alert, matching BoringSSL behaviour.

Previously crypto/tls used a bad_certificate alert for this purpose.
The TLS specification is imprecise enough to allow this to be considered
a spec. justified choice, but since all other places in the protocol
encourage using decode_error for structurally malformed messages we may
as well do the same here and get some extra cross-impl consistency for
free.

This also allows un-ignoring the BoGo
GarbageCertificate-[Client|Server]-[TLS12|TLS13] tests.

Updates #72006

Change-Id: Ide45ba1602816e71c3289a60e77587266c3b9036
Reviewed-on: https://go-review.googlesource.com/c/go/+/652995
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

If we weren't resuming an existing session, and we constructed a TLS 1.3
compatible client hello, ensure the server doesn't echo back the
made up compatibility session ID if we end up handshaking for TLS 1.2.

As part of an effort to make the initial stages of a TLS 1.3 handshake
compatible with TLS 1.2 middleboxes, TLS 1.3 requires that the client
hello contain a non-empty legacy_session_id value. For anti-ossification
purposes it's recommended this ID be randomly generated. This is the
strategy the crypto/tls package takes.

When we follow this approach, but then end up negotiating TLS 1.2, the
server should not have echoed back that random ID to us. It's impossible
for the server to have had a session with a matching ID and so it is
misbehaving and it's prudent for our side to abort the handshake.

See RFC 8446 Section 4.1.2 for more detail:
  https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2

Adopting this behaviour allows un-ignoring the BoGo
EchoTLS13CompatibilitySessionID testcase.

Updates #72006

Change-Id: I1e52075177a13a7aa103b45498eae38d8a4c34b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/652997
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>