crypto/tls: streamline BoGo testing w/ -bogo-local-dir

cpu · cpu · commit e74b224b7c7b · 2025-10-06T10:42:22.000-07:00
If -bogo-local-dir is provided but doesn't exist, populate it with a git checkout of the BoringSSL repo at the correct SHA. Without any -bogo-local-dir argument the BoGo TLS handshake test will fetch the BoringSSL source at a specific SHA as a Go module in a r/o module directory. When debugging, or extending BoGo coverage, it's preferable to have a mutable local copy of BoGo that the test will use. The pre-existing -bogo-local-dir flag offered a way to use a checkout of BoGo but it relied on the user fetching the correct repo & revision manually ahead of time. This commit extends the test to automatically invoke `git` to clone the repo into the provided local dir at the correct SHA based on the boringsslModVer const if the local dir doesn't exist. This leaves the user ready to make changes in local BoGo dir to aid debugging, or to upstream as CRs to BoringSSL, and prevents using an incorrect SHA by mistake. Updates golang#72006 Change-Id: I0451a3d35203878cdf02a7587e138c3cd60d15a9 Reviewed-on: https://go-review.googlesource.com/c/go/+/687475 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Bypass: Daniel McCarney <daniel@binaryparadox.net>
diff --git a/src/crypto/tls/bogo_shim_test.go b/src/crypto/tls/bogo_shim_test.go
@@ -11,6 +11,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"flag"
 	"fmt"
 	"html/template"
@@ -541,6 +542,7 @@ func orderlyShutdown(tlsConn *Conn) {
 }
 
 func TestBogoSuite(t *testing.T) {
+	testenv.MustHaveGoBuild(t)
 	if testing.Short() {
 		t.Skip("skipping in short mode")
 	}
@@ -559,6 +561,7 @@ func TestBogoSuite(t *testing.T) {
 
 	var bogoDir string
 	if *bogoLocalDir != "" {
+		ensureLocalBogo(t, *bogoLocalDir)
 		bogoDir = *bogoLocalDir
 	} else {
 		bogoDir = cryptotest.FetchModule(t, "boringssl.googlesource.com/boringssl.git", boringsslModVer)
@@ -664,6 +667,49 @@ func TestBogoSuite(t *testing.T) {
 	}
 }
 
+// ensureLocalBogo fetches BoringSSL to localBogoDir at the correct revision
+// (from boringsslModVer) if localBogoDir doesn't already exist.
+//
+// If localBogoDir does exist, ensureLocalBogo fails the test if it isn't
+// a directory.
+func ensureLocalBogo(t *testing.T, localBogoDir string) {
+	t.Helper()
+
+	if stat, err := os.Stat(localBogoDir); err == nil {
+		if !stat.IsDir() {
+			t.Fatalf("local bogo dir (%q) exists but is not a directory", localBogoDir)
+		}
+
+		t.Logf("using local bogo checkout from %q", localBogoDir)
+		return
+	} else if !errors.Is(err, os.ErrNotExist) {
+		t.Fatalf("failed to stat local bogo dir (%q): %v", localBogoDir, err)
+	}
+
+	testenv.MustHaveExecPath(t, "git")
+
+	idx := strings.LastIndex(boringsslModVer, "-")
+	if idx == -1 || idx == len(boringsslModVer)-1 {
+		t.Fatalf("invalid boringsslModVer format: %q", boringsslModVer)
+	}
+	commitSHA := boringsslModVer[idx+1:]
+
+	t.Logf("cloning boringssl@%s to %q", commitSHA, localBogoDir)
+	cloneCmd := testenv.Command(t, "git", "clone", "--no-checkout", "https://boringssl.googlesource.com/boringssl", localBogoDir)
+	if err := cloneCmd.Run(); err != nil {
+		t.Fatalf("git clone failed: %v", err)
+	}
+
+	checkoutCmd := testenv.Command(t, "git", "checkout", commitSHA)
+	checkoutCmd.Dir = localBogoDir
+	if err := checkoutCmd.Run(); err != nil {
+		t.Fatalf("git checkout failed: %v", err)
+	}
+
+	t.Logf("using fresh local bogo checkout from %q", localBogoDir)
+	return
+}
+
 func generateReport(results bogoResults, outPath string) error {
 	data := reportData{
 		Results:   results,
diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go
@@ -46,8 +46,9 @@ var (
 	keyFile      = flag.String("keylog", "", "destination file for KeyLogWriter")
 	bogoMode     = flag.Bool("bogo-mode", false, "Enabled bogo shim mode, ignore everything else")
 	bogoFilter   = flag.String("bogo-filter", "", "BoGo test filter")
-	bogoLocalDir = flag.String("bogo-local-dir", "", "Local BoGo to use, instead of fetching from source")
-	bogoReport   = flag.String("bogo-html-report", "", "File path to render an HTML report with BoGo results")
+	bogoLocalDir = flag.String("bogo-local-dir", "",
+		"If not-present, checkout BoGo into this dir, or otherwise use it as a pre-existing checkout")
+	bogoReport = flag.String("bogo-html-report", "", "File path to render an HTML report with BoGo results")
 )
 
 func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool), wait bool) {
