Take the new bogo from rustls for TLS 1.3 draft 23

mesalock-linux · Apr 9, 2018 · ebc27c7 · ebc27c7
1 parent dda088a
commit ebc27c7
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 92 deletions.
diff --git a/bogo/bogo_shim.rs b/bogo/bogo_shim.rs
@@ -37,13 +37,13 @@ extern crate env_logger;
 extern crate libc;
 extern crate mesalink_internals;
 
+use mesalink_internals::ssl::err::ErrorCode;
+use mesalink_internals::ssl::{err, ssl};
 use std::env;
-use std::process;
-use std::net;
-use std::io::Write;
 use std::ffi::CString;
-use mesalink_internals::ssl::{err, ssl};
-use mesalink_internals::ssl::err::ErrorCode;
+use std::io::Write;
+use std::net;
+use std::process;
 
 static BOGO_NACK: i32 = 89;
 
@@ -99,7 +99,9 @@ impl Options {
     }
 
     fn tls13_supported(&self) -> bool {
-        self.support_tls13 && (self.version_allowed(0x0304) || self.version_allowed(0x7f12))
+        self.support_tls13
+            && (self.version_allowed(0x0304) || self.version_allowed(0x7f16)
+                || self.version_allowed(0x7f17))
     }
 
     fn tls12_supported(&self) -> bool {
@@ -445,6 +447,7 @@ fn main() {
             "-no-tls11" |
             "-no-tls1" |
             "-no-ssl3" |
+            "-handoff" |
             "-decline-alpn" |
             "-expect-no-session" |
             "-expect-session-miss" |

diff --git a/bogo/config.json b/bogo/config.json
@@ -9,12 +9,15 @@
     "*-TLS11": "",
     "ConflictingVersionNegotiation": "",
     "SendFallbackSCSV": "fallback scsv not implemented",
-    "VersionNegotiation-*-TLS13Draft22-TLS13Experiment2": "no old drafts",
+    "VersionNegotiation-*-TLS13Draft23-TLS13Experiment2": "no old drafts",
     "PointFormat-Server-Missing": "we require ecc",
     "ECDSAKeyUsage-*": "TODO: we don't do anything with key usages",
     "CheckRecordVersion-*": "we don't look at record version",
     "TLS13-WrongOuterRecord": "we're lax on this",
     "*DTLS*": "not supported",
+    "TokenBinding-*": "not supported",
+    "QUICTransportParams-*": "not supported",
+    "DummyPQPadding-*": "not supported",
     "MTU*": "dtls only",
     "DisableEverything": "not useful",
     "SendEmptyRecords": "non-standard openssl/boringssl behaviour",
@@ -23,10 +26,13 @@
     "SendWarningAlerts-*": "",
     "LargeMessage-Reject": "",
     "Peek-*": "",
-    "SendHelloRetryRequest-2-TLS13Draft22": "we accept any supported keyshare",
+    "SendHelloRetryRequest-2-TLS13Draft23": "we accept any supported keyshare",
     "OmitExtensions-ServerHello-TLS12": "bug in bogo if sct offered",
     "EmptyExtensions-ServerHello-TLS12": "",
     "CBCRecordSplitting*": "insane ciphersuites",
+    "*-Split": "",
+    "EchoTLS13CompatibilitySessionID": "",
+    "SendHelloRetryRequest-2-TLS13Draft23": "we accept any supported keyshare",
     "*CBCPadding*": "",
     "RSAEphemeralKey": "",
     "BadRSAClientKeyExchange-*": "",
@@ -37,12 +43,15 @@
     "*-AES256-SHA*": "",
     "*-ECDSA-SHA1-*": "no ecdsa-sha1",
     "*-Sign-RSA-PKCS1-SHA1-*": "no sha1",
+    "*-P-224-*": "no p224",
     "*-P521-*": "no p521",
-    "*-P-521": "",
-    "*-P-224": "no p224",
-    "*-P-224-*": "",
-    "CurveTest-Client-P-521-TLS13": "",
-    "CurveTest-Server-P-521-TLS13": "",
+    "CurveTest-Client-P-521-TLS12": "",
+    "CurveTest-Server-P-521-TLS12": "",
+    "CurveTest-Client-Compressed-P-521-TLS12": "",
+    "CurveTest-Server-Compressed-P-521-TLS12": "",
+    "CurveTest-Client-P-521-TLS13Draft23": "",
+    "CurveTest-Server-P-521-TLS13Draft23": "",
+    "CurveTest-*-Compressed-*": "",
     "*-Ed25519": "no ed25519 yet",
     "*-Ed25519-*": "",
     "GREASE-*": "not implemented",
@@ -124,9 +133,9 @@
     "TrailingMessageData-TLS13-ServerFinished": ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
     "TrailingMessageData-TLS13-ClientCertificate": ":BAD_HANDSHAKE_MSG:",
     "TrailingMessageData-TLS13-ClientCertificateVerify": ":BAD_HANDSHAKE_MSG:",
-    "MissingKeyShare-Client-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "MissingKeyShare-Server-TLS13Draft22": ":INCOMPATIBLE:",
-    "EmptyEncryptedExtensions-TLS13Draft22": ":BAD_HANDSHAKE_MSG:",
+    "MissingKeyShare-Client-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "MissingKeyShare-Server-TLS13Draft23": ":INCOMPATIBLE:",
+    "EmptyEncryptedExtensions-TLS13Draft23": ":BAD_HANDSHAKE_MSG:",
     "NoSupportedCurves": ":INCOMPATIBLE:",
     "BadECDHECurve": ":PEER_MISBEHAVIOUR:",
     "VersionTooLow": ":INCOMPATIBLE:",
@@ -146,51 +155,51 @@
     "NoNullCompression-TLS12": ":INCOMPATIBLE:",
     "NoNullCompression-TLS13": ":INCOMPATIBLE:",
     "InvalidCompressionMethod": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-InvalidCompressionMethod": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-AES128-GCM-server": ":INCOMPATIBLE:",
-    "TLS13Draft22-AES128-GCM-client": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-AES256-GCM-server": ":INCOMPATIBLE:",
-    "TLS13Draft22-AES256-GCM-client": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-ECDHE-ECDSA-AES128-GCM-client": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-ECDHE-ECDSA-AES256-GCM-client": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-ECDHE-ECDSA-CHACHA20-POLY1305-client": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-ECDHE-RSA-AES128-GCM-server": ":INCOMPATIBLE:",
-    "TLS13Draft22-ECDHE-RSA-AES128-GCM-client": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-ECDHE-RSA-AES256-GCM-server": ":INCOMPATIBLE:",
-    "TLS13Draft22-ECDHE-RSA-AES256-GCM-client": ":PEER_MISBEHAVIOUR:",
-    "TLS13Draft22-ECDHE-RSA-CHACHA20-POLY1305-server": ":INCOMPATIBLE:",
-    "TLS13Draft22-ECDHE-RSA-CHACHA20-POLY1305-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-InvalidCompressionMethod": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-AES128-GCM-server": ":INCOMPATIBLE:",
+    "TLS13Draft23-AES128-GCM-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-AES256-GCM-server": ":INCOMPATIBLE:",
+    "TLS13Draft23-AES256-GCM-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-ECDHE-ECDSA-AES128-GCM-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-ECDHE-ECDSA-AES256-GCM-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-ECDHE-ECDSA-CHACHA20-POLY1305-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-ECDHE-RSA-AES128-GCM-server": ":INCOMPATIBLE:",
+    "TLS13Draft23-ECDHE-RSA-AES128-GCM-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-ECDHE-RSA-AES256-GCM-server": ":INCOMPATIBLE:",
+    "TLS13Draft23-ECDHE-RSA-AES256-GCM-client": ":PEER_MISBEHAVIOUR:",
+    "TLS13Draft23-ECDHE-RSA-CHACHA20-POLY1305-server": ":INCOMPATIBLE:",
+    "TLS13Draft23-ECDHE-RSA-CHACHA20-POLY1305-client": ":PEER_MISBEHAVIOUR:",
     "TLS12-AEAD-CHACHA20-POLY1305-server": ":INCOMPATIBLE:",
     "TLS12-AEAD-CHACHA20-POLY1305-client": ":PEER_MISBEHAVIOUR:",
     "TLS12-AEAD-AES128-GCM-SHA256-server": ":INCOMPATIBLE:",
     "TLS12-AEAD-AES128-GCM-SHA256-client": ":PEER_MISBEHAVIOUR:",
     "TLS12-AEAD-AES256-GCM-SHA384-server": ":INCOMPATIBLE:",
     "TLS12-AEAD-AES256-GCM-SHA384-client": ":PEER_MISBEHAVIOUR:",
-    "SkipHelloRetryRequest-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "SkipHelloRetryRequest-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "NoSupportedVersions": ":INCOMPATIBLE:",
-    "ClientAuth-Verify-RSA-PKCS1-SHA1-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ServerAuth-Verify-RSA-PKCS1-SHA1-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ClientAuth-Verify-RSA-PKCS1-SHA256-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ServerAuth-Verify-RSA-PKCS1-SHA256-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ClientAuth-Verify-RSA-PKCS1-SHA384-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ServerAuth-Verify-RSA-PKCS1-SHA384-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ClientAuth-Verify-RSA-PKCS1-SHA512-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ServerAuth-Verify-RSA-PKCS1-SHA512-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ServerAuth-Sign-RSA-PKCS1-SHA256-TLS13Draft22": ":INCOMPATIBLE:",
-    "ServerAuth-Sign-RSA-PKCS1-SHA384-TLS13Draft22": ":INCOMPATIBLE:",
-    "ServerAuth-Sign-RSA-PKCS1-SHA512-TLS13Draft22": ":INCOMPATIBLE:",
-    "ClientAuth-Sign-RSA-PKCS1-SHA256-TLS13Draft22": ":INCOMPATIBLE:",
-    "ClientAuth-Sign-RSA-PKCS1-SHA384-TLS13Draft22": ":INCOMPATIBLE:",
-    "ClientAuth-Sign-RSA-PKCS1-SHA512-TLS13Draft22": ":INCOMPATIBLE:",
-    "ALPNClient-EmptyProtocolName-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ALPNServer-EmptyProtocolName-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "ALPNClient-RejectUnknown-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "ClientAuth-Verify-RSA-PKCS1-SHA1-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ServerAuth-Verify-RSA-PKCS1-SHA1-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ClientAuth-Verify-RSA-PKCS1-SHA256-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ServerAuth-Verify-RSA-PKCS1-SHA256-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ClientAuth-Verify-RSA-PKCS1-SHA384-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ServerAuth-Verify-RSA-PKCS1-SHA384-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ClientAuth-Verify-RSA-PKCS1-SHA512-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ServerAuth-Verify-RSA-PKCS1-SHA512-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ServerAuth-Sign-RSA-PKCS1-SHA256-TLS13Draft23": ":INCOMPATIBLE:",
+    "ServerAuth-Sign-RSA-PKCS1-SHA384-TLS13Draft23": ":INCOMPATIBLE:",
+    "ServerAuth-Sign-RSA-PKCS1-SHA512-TLS13Draft23": ":INCOMPATIBLE:",
+    "ClientAuth-Sign-RSA-PKCS1-SHA256-TLS13Draft23": ":INCOMPATIBLE:",
+    "ClientAuth-Sign-RSA-PKCS1-SHA384-TLS13Draft23": ":INCOMPATIBLE:",
+    "ClientAuth-Sign-RSA-PKCS1-SHA512-TLS13Draft23": ":INCOMPATIBLE:",
+    "ALPNClient-EmptyProtocolName-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ALPNServer-EmptyProtocolName-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "ALPNClient-RejectUnknown-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "ClientAuth-NoFallback-TLS13": ":INCOMPATIBLE:",
     "ServerAuth-NoFallback-TLS13": ":INCOMPATIBLE:",
     "ClientAuth-Enforced-TLS13": ":PEER_MISBEHAVIOUR:",
     "ServerAuth-Enforced-TLS13": ":PEER_MISBEHAVIOUR:",
-    "SecondClientHelloWrongCurve-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "SecondClientHelloMissingKeyShare-TLS13Draft22": ":INCOMPATIBLE:",
+    "SecondClientHelloWrongCurve-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "SecondClientHelloMissingKeyShare-TLS13Draft23": ":INCOMPATIBLE:",
     "Resume-Server-BinderWrongLength": ":PEER_MISBEHAVIOUR:",
     "Resume-Server-NoPSKBinder": ":PEER_MISBEHAVIOUR:",
     "Resume-Server-ExtraPSKBinder": ":PEER_MISBEHAVIOUR:",
@@ -201,77 +210,77 @@
     "Resume-Server-UnofferedCipher-TLS13": ":PEER_MISBEHAVIOUR:",
     "Resume-Client-CipherMismatch-TLS13": ":PEER_MISBEHAVIOUR:",
     "Resume-Client-PRFMismatch-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Resume-Client-Mismatch-TLS12-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "Resume-Client-Mismatch-TLS13Draft22-TLS12": ":PEER_MISBEHAVIOUR:",
+    "Resume-Client-Mismatch-TLS12-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "Resume-Client-Mismatch-TLS13Draft23-TLS12": ":PEER_MISBEHAVIOUR:",
     "NoSupportedCurves-TLS13": ":INCOMPATIBLE:",
     "BadECDHECurve-TLS13": ":PEER_MISBEHAVIOUR:",
     "InvalidECDHPoint-Client-TLS13": ":PEER_MISBEHAVIOUR:",
     "InvalidECDHPoint-Server-TLS13": ":PEER_MISBEHAVIOUR:",
-    "InvalidPSKIdentity-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "AlwaysSelectPSKIdentity-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "TrailingKeyShareData-TLS13Draft22": ":BAD_HANDSHAKE_MSG:",
-    "HelloRetryRequestCurveMismatch-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "HelloRetryRequestVersionMismatch-TLS13Draft22": ":BAD_HANDSHAKE_MSG:",
-    "HelloRetryRequest-DuplicateCookie-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "HelloRetryRequest-DuplicateCurve-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "InvalidPSKIdentity-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "AlwaysSelectPSKIdentity-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "TrailingKeyShareData-TLS13Draft23": ":BAD_HANDSHAKE_MSG:",
+    "HelloRetryRequestCurveMismatch-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "HelloRetryRequestVersionMismatch-TLS13Draft23": ":BAD_HANDSHAKE_MSG:",
+    "HelloRetryRequest-DuplicateCookie-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "HelloRetryRequest-DuplicateCurve-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "UnknownUnencryptedExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
     "UnexpectedUnencryptedExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
     "UnofferedExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
     "RenegotiationInfo-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
     "UnknownExtension-Client-TLS13": ":PEER_MISBEHAVIOUR:",
-    "RequestContextInHandshake-TLS13Draft22": ":BAD_HANDSHAKE_MSG:",
-    "UnnecessaryHelloRetryRequest-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "UnknownCurve-HelloRetryRequest-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "DisabledCurve-HelloRetryRequest-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "HelloRetryRequest-Empty-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "HelloRetryRequest-EmptyCookie-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
-    "HelloRetryRequest-Unknown-TLS13Draft22": ":INCOMPATIBLE:",
-    "MinimumVersion-Client-TLS13Draft22-TLS12": ":INCOMPATIBLE:",
-    "MinimumVersion-Client2-TLS13Draft22-TLS12": ":INCOMPATIBLE:",
-    "MinimumVersion-Server-TLS13Draft22-TLS12": ":INCOMPATIBLE:",
-    "MinimumVersion-Server2-TLS13Draft22-TLS12": ":INCOMPATIBLE:",
-    "DuplicateKeyShares-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "RequestContextInHandshake-TLS13Draft23": ":BAD_HANDSHAKE_MSG:",
+    "UnnecessaryHelloRetryRequest-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "UnknownCurve-HelloRetryRequest-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "DisabledCurve-HelloRetryRequest-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "HelloRetryRequest-Empty-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "HelloRetryRequest-EmptyCookie-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
+    "HelloRetryRequest-Unknown-TLS13Draft23": ":INCOMPATIBLE:",
+    "MinimumVersion-Client-TLS13Draft23-TLS12": ":INCOMPATIBLE:",
+    "MinimumVersion-Client2-TLS13Draft23-TLS12": ":INCOMPATIBLE:",
+    "MinimumVersion-Server-TLS13Draft23-TLS12": ":INCOMPATIBLE:",
+    "MinimumVersion-Server2-TLS13Draft23-TLS12": ":INCOMPATIBLE:",
+    "DuplicateKeyShares-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "PartialEncryptedExtensionsWithServerHello": ":PEER_MISBEHAVIOUR:",
     "PartialClientFinishedWithClientHello": ":PEER_MISBEHAVIOUR:",
     "PointFormat-EncryptedExtensions-TLS13": ":PEER_MISBEHAVIOUR:",
     "Ticket-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
     "PointFormat-Server-MissingUncompressed": ":INCOMPATIBLE:",
-    "MissingSignatureAlgorithmsInCertificateRequest-TLS13Draft22": ":INCOMPATIBLE:",
-    "NegotiatePSKResumption-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "MissingSignatureAlgorithmsInCertificateRequest-TLS13Draft23": ":INCOMPATIBLE:",
+    "NegotiatePSKResumption-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "PointFormat-Client-MissingUncompressed": ":PEER_MISBEHAVIOUR:",
     "SendUnsolicitedOCSPOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
     "SendUnsolicitedSCTOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
     "UnsolicitedServerNameAck-TLS12": ":PEER_MISBEHAVIOUR:",
-    "UnsolicitedServerNameAck-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "UnsolicitedServerNameAck-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "TicketSessionIDLength-33-TLS12": ":BAD_HANDSHAKE_MSG:",
     "Ed25519DefaultDisable-NoAccept": ":PEER_MISBEHAVIOUR:",
     "SendUnknownExtensionOnCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
     "SendDuplicateExtensionsOnCerts-TLS13": ":PEER_MISBEHAVIOUR:",
     "SignedCertificateTimestampListEmpty-Client-TLS12": ":PEER_MISBEHAVIOUR:",
-    "SignedCertificateTimestampListEmpty-Client-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "SignedCertificateTimestampListEmpty-Client-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "SignedCertificateTimestampListEmptySCT-Client-TLS12": ":PEER_MISBEHAVIOUR:",
-    "SignedCertificateTimestampListEmptySCT-Client-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "SignedCertificateTimestampListEmptySCT-Client-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "EMS-Forbidden-TLS13": ":PEER_MISBEHAVIOUR:",
     "Unclean-Shutdown": ":CLOSE_WITHOUT_CLOSE_NOTIFY:",
     "SendExtensionOnClientCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
     "SendBogusAlertType": ":BAD_ALERT:",
-    "TLS13Draft22-HRR-InvalidCompressionMethod": ":BAD_HANDSHAKE_MSG:",
+    "TLS13Draft23-HRR-InvalidCompressionMethod": ":BAD_HANDSHAKE_MSG:",
     "CertificateCipherMismatch-RSA": ":PEER_MISBEHAVIOUR:",
     "CertificateCipherMismatch-ECDSA": ":PEER_MISBEHAVIOUR:",
     "ServerCipherFilter-RSA": ":INCOMPATIBLE:",
     "SendServerHelloAsHelloRetryRequest": ":BAD_HANDSHAKE_MSG:",
     "TLS13-OnlyPadding": ":PEER_MISBEHAVIOUR:",
     "TLS13-EmptyRecords": ":PEER_MISBEHAVIOUR:",
     "SupportedVersionSelection-TLS12": ":PEER_MISBEHAVIOUR:",
-    "HelloRetryRequestVersionMismatch-TLS13Draft22": ":INCOMPATIBLE:",
-    "HelloRetryRequest-CipherChange-TLS13Draft22": ":PEER_MISBEHAVIOUR:",
+    "HelloRetryRequestVersionMismatch-TLS13Draft23": ":INCOMPATIBLE:",
+    "HelloRetryRequest-CipherChange-TLS13Draft23": ":PEER_MISBEHAVIOUR:",
     "ExtendedMasterSecret-NoToYes-Client": ":PEER_MISBEHAVIOUR:",
     "ExtendedMasterSecret-YesToNo-Server": ":PEER_MISBEHAVIOUR:",
     "ExtendedMasterSecret-YesToNo-Client": ":PEER_MISBEHAVIOUR:"
   },
   "TestLocalErrorMap": {
     "SendServerHelloAsHelloRetryRequest": "remote error: error decoding message",
     "GarbageCertificate-Server-TLS12": "remote error: access denied",
-    "GarbageCertificate-Server-TLS13Draft22": "remote error: access denied"
+    "GarbageCertificate-Server-TLS13Draft23": "remote error: access denied"
   }
 }
diff --git a/bogo/fetch-and-build b/bogo/fetch-and-build
@@ -1,10 +1,10 @@
 # ISC License (ISC)
 # Copyright (c) 2016, Joseph Birr-Pixton <[email protected]>
-# 
+#
 # Permission to use, copy, modify, and/or distribute this software for
 # any purpose with or without fee is hereby granted, provided that the
 # above copyright notice and this permission notice appear in all copies.
-# 
+#
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
 # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
@@ -19,7 +19,7 @@
 set -e
 
 # a known-good commit
-COMMIT=0a54e998481b0b5a8abd9717c5f7301a3b18b628
+COMMIT=8a1a5daa490ee95be6ba1a5e076c2589977d057a
 
 rm -f runner.tar.gz
 wget https://boringssl.googlesource.com/boringssl/+archive/$COMMIT/ssl/test/runner.tar.gz

diff --git a/bogo/patches/testerrormap.diff b/bogo/patches/testerrormap.diff
@@ -1,10 +1,10 @@
 # ISC License (ISC)
 # Copyright (c) 2016, Joseph Birr-Pixton <[email protected]>
-# 
+#
 # Permission to use, copy, modify, and/or distribute this software for
 # any purpose with or without fee is hereby granted, provided that the
 # above copyright notice and this permission notice appear in all copies.
-# 
+#
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
 # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
@@ -20,7 +20,7 @@ diff -ru original/runner.go bogo/runner.go
 @@ -83,6 +83,14 @@
  	// like “SSL_ERROR_NO_CYPHER_OVERLAP”.
  	ErrorMap map[string]string
- 
+
 +	// TestErrorMap maps from full test names to the correct error
 +	// string for the shim in question.
 +	TestErrorMap map[string]string
@@ -35,7 +35,7 @@ diff -ru original/runner.go bogo/runner.go
 @@ -939,7 +947,11 @@
  	}
  }
- 
+
 -func translateExpectedError(errorStr string) string {
 +func translateExpectedError(testName string, errorStr string) string {
 +	if translated, ok := shimConfig.TestErrorMap[testName]; ok {
@@ -48,7 +48,7 @@ diff -ru original/runner.go bogo/runner.go
 @@ -951,6 +963,14 @@
  	return errorStr
  }
- 
+
 +func translateExpectedLocalError(testName string, localError string) string {
 +	if translated, ok := shimConfig.TestLocalErrorMap[testName]; ok {
 +		return translated
@@ -62,12 +62,12 @@ diff -ru original/runner.go bogo/runner.go
  	defer func() {
 @@ -1215,15 +1235,16 @@
  	}
- 
+
  	failed := err != nil || childErr != nil
 -	expectedError := translateExpectedError(test.expectedError)
 +	expectedError := translateExpectedError(test.name, test.expectedError)
  	correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
- 
+
 +	var expectedLocalError = translateExpectedLocalError(test.name, test.expectedLocalError)
  	localError := "none"
  	if err != nil {
@@ -78,5 +78,5 @@ diff -ru original/runner.go bogo/runner.go
 +	if len(expectedLocalError) != 0 {
 +		correctFailure = correctFailure && strings.Contains(localError, expectedLocalError)
  	}
- 
- 	if failed != test.shouldFail || failed && !correctFailure || mustFail {
+
+ 	if failed != test.shouldFail || failed && !correctFailure || mustFail {