Allow enabling all TLS 1.3 variants by setting |tls13_default|.
Update-Note: Enabling TLS 1.3 now enables both draft-23 and draft-28
by default, in preparation for cycling all to draft-28.
Change-Id: I9405f39081f2e5f7049aaae8a9c85399f21df047
Reviewed-on: https://boringssl-review.googlesource.com/28304
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index a09efa1..9588dd3 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -299,17 +299,20 @@
return false;
}
- // This logic is part of the TLS 1.3 variants mechanism used in TLS 1.3
- // experimentation. TLS 1.3 variants must match the enabled |tls13_variant|.
- if (protocol_version != TLS1_3_VERSION ||
- (ssl->tls13_variant == tls13_draft28 &&
- version == TLS1_3_DRAFT28_VERSION) ||
- (ssl->tls13_variant == tls13_default &&
- version == TLS1_3_DRAFT23_VERSION)) {
- return true;
+ // If the TLS 1.3 variant is set to |tls13_default|, all variants are enabled,
+ // otherwise only the matching version is enabled.
+ if (protocol_version == TLS1_3_VERSION) {
+ switch (ssl->tls13_variant) {
+ case tls13_draft23:
+ return version == TLS1_3_DRAFT23_VERSION;
+ case tls13_draft28:
+ return version == TLS1_3_DRAFT28_VERSION;
+ case tls13_default:
+ return true;
+ }
}
- return false;
+ return true;
}
bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
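Review bot: The trailing `return true;` is now reached not only for non-TLS-1.3 protocol versions but also for any `tls13_variant` value the switch does not list, so an unhandled variant fails open and accepts every TLS 1.3 draft version, whereas the removed code fell through to `return false`. A switch-enumeration warning would flag a missing case if the build treats it as an error, but making the policy explicit with a `return false;` after the switch inside the `if` (unreachable today, since every listed case returns) fails closed regardless of compiler flags. The Go runner's isSupportedVersion hunk in ssl/test/runner/common.go has the same shape: any TLS13Variant other than the two draft constants accepts both draft wire versions. The enclosing function's signature lies above this hunk.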
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index f5ddaed..dcc1b01 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -39,8 +39,9 @@
)
const (
- TLS13Draft23 = 0
- TLS13Draft28 = 1
+ TLS13Default = 0
+ TLS13Draft23 = 1
+ TLS13Draft28 = 2
)
var allTLSWireVersions = []uint16{
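Review bot: Renumbering makes `TLS13Default` the zero value of `Config.TLS13Variant`, so a test Config that never sets the field now accepts either draft instead of draft-23 only; that looks intended given the commit message, but nothing in the constant block says so. A comment would pin it: `// TLS13Default is the zero value of Config.TLS13Variant and enables all supported TLS 1.3 variants; the other constants restrict the runner to a single draft.`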
@@ -1714,8 +1715,8 @@
// it returns true and the corresponding protocol version. Otherwise, it returns
// false.
func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
- if (c.TLS13Variant != TLS13Draft23 && wireVers == tls13Draft23Version) ||
- (c.TLS13Variant != TLS13Draft28 && wireVers == tls13Draft28Version) {
+ if (c.TLS13Variant == TLS13Draft23 && wireVers == tls13Draft28Version) ||
+ (c.TLS13Variant == TLS13Draft28 && wireVers == tls13Draft23Version) {
return 0, false
}
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 0ad00c2..53eeb8b 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1405,6 +1405,23 @@
return ret
}
+func allShimVersions(protocol protocol) []tlsVersion {
+ if protocol == dtls {
+ return allVersions(protocol)
+ }
+ tls13Default := tlsVersion{
+ name: "TLS13Default",
+ version: VersionTLS13,
+ excludeFlag: "-no-tls13",
+ versionWire: 0,
+ tls13Variant: TLS13Default,
+ }
+
+ var shimVersions []tlsVersion
+ shimVersions = append(shimVersions, allVersions(protocol)...)
+ return append(shimVersions, tls13Default)
+}
+
type testCipherSuite struct {
name string
id uint16
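Review bot: `allShimVersions` is a new helper with no doc comment, and why the extra entry is added only for TLS is not obvious from the body. Suggest `// allShimVersions returns the versions the shim can be configured with: the result of allVersions plus, for TLS only, a TLS13Default entry that leaves every TLS 1.3 variant enabled.` The copy-then-append also deserves a one-line why-comment, since a reader may "simplify" it to `append(allVersions(protocol), tls13Default)` and silently alias whatever backing array allVersions returns, presumably the reason for the explicit copy.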
@@ -5371,7 +5388,7 @@
func addVersionNegotiationTests() {
for _, protocol := range []protocol{tls, dtls} {
- for _, shimVers := range allVersions(protocol) {
+ for _, shimVers := range allShimVersions(protocol) {
// Assemble flags to disable all newer versions on the shim.
var flags []string
for _, vers := range allVersions(protocol) {
@@ -5393,13 +5410,12 @@
if runnerVers.version < shimVers.version {
expectedVersion = runnerVers.version
}
- // When running and shim have different TLS 1.3 variants enabled,
- // shim peers are expected to fall back to TLS 1.2.
+
if expectedVersion == VersionTLS13 && runnerVers.tls13Variant != shimVers.tls13Variant {
- expectedVersion = VersionTLS12
+ if shimVers.tls13Variant != TLS13Default {
+ expectedVersion = VersionTLS12
+ }
}
- expectedClientVersion := expectedVersion
- expectedServerVersion := expectedVersion
suffix := shimVers.name + "-" + runnerVers.name
if protocol == dtls {
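Review bot: The explanatory comment above the variant-mismatch check was deleted and replaced by a blank line, so the nested `if` now carries no rationale for the TLS 1.2 fallback or for the new TLS13Default exception. Restore it with the exception spelled out, e.g. `// When the runner and shim have different TLS 1.3 variants enabled, the shim is expected to fall back to TLS 1.2, unless the shim is configured with TLS13Default, which accepts every variant.` The two nested conditions could also be folded into one guard: `if expectedVersion == VersionTLS13 && shimVers.tls13Variant != TLS13Default && runnerVers.tls13Variant != shimVers.tls13Variant {`. The enclosing loop in addVersionNegotiationTests starts and ends outside this hunk.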
@@ -5412,8 +5428,8 @@
clientVers = VersionTLS10
}
clientVers = recordVersionToWire(clientVers, protocol)
- serverVers := expectedServerVersion
- if expectedServerVersion >= VersionTLS13 {
+ serverVers := expectedVersion
+ if expectedVersion >= VersionTLS13 {
serverVers = VersionTLS12
}
serverVers = recordVersionToWire(serverVers, protocol)
@@ -5430,7 +5446,7 @@
},
},
flags: flags,
- expectedVersion: expectedClientVersion,
+ expectedVersion: expectedVersion,
})
testCases = append(testCases, testCase{
protocol: protocol,
@@ -5444,7 +5460,7 @@
},
},
flags: flags2,
- expectedVersion: expectedClientVersion,
+ expectedVersion: expectedVersion,
})
testCases = append(testCases, testCase{
@@ -5459,7 +5475,7 @@
},
},
flags: flags,
- expectedVersion: expectedServerVersion,
+ expectedVersion: expectedVersion,
})
testCases = append(testCases, testCase{
protocol: protocol,
@@ -5473,7 +5489,7 @@
},
},
flags: flags2,
- expectedVersion: expectedServerVersion,
+ expectedVersion: expectedVersion,
})
}
}