Update TLS 1.3 citations for the final RFC.

Change-Id: I2d1671a4f21a602191fd0c9b932244a376ac5713
Reviewed-on: https://boringssl-review.googlesource.com/31104
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/fipsmodule/cipher/e_aes.c b/crypto/fipsmodule/cipher/e_aes.c
index 639995d..de2f10f 100644
--- a/crypto/fipsmodule/cipher/e_aes.c
+++ b/crypto/fipsmodule/cipher/e_aes.c
@@ -1201,8 +1201,8 @@
   }
 
   // The given nonces must be strictly monotonically increasing. See
-  // https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-5.3 for details
-  // of the TLS 1.3 nonce construction.
+  // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3
+  // nonce construction.
   uint64_t given_counter;
   OPENSSL_memcpy(&given_counter, nonce + nonce_len - sizeof(given_counter),
                  sizeof(given_counter));
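Review bot: The comment above `uint64_t given_counter;` states the monotonicity requirement but not what it protects, so a reader must follow the RFC link to learn why a repeated nonce matters. Consider appending a line such as `// Reusing a nonce under the same key breaks AES-GCM's confidentiality and integrity.` The enclosing function starts and ends outside this hunk, so how the extracted counter is compared is not visible here.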
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 047101e..c2afa15 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1696,8 +1696,8 @@
 //
 // If this function returns one, clients retain multiple sessions and use each
 // only once. This prevents passive observers from correlating connections with
-// tickets. See draft-ietf-tls-tls13-18, appendix B.5. If it returns zero,
-// |session| cannot be used without leaking a correlator.
+// tickets. See RFC 8446, appendix C.4. If it returns zero, |session| cannot be
+// used without leaking a correlator.
 OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);
 
 // SSL_SESSION_is_resumable returns one if |session| is resumable and zero
@@ -3048,8 +3048,8 @@
 // WARNING: A 0-RTT handshake has different security properties from normal
 // handshake, so it is off by default unless opted in. In particular, early data
 // is replayable by a network attacker. Callers must account for this when
-// sending or processing data before the handshake is confirmed. See
-// draft-ietf-tls-tls13-18 for more information.
+// sending or processing data before the handshake is confirmed. See RFC 8446
+// for more information.
 //
 // As a server, if early data is accepted, |SSL_do_handshake| will complete as
 // soon as the ClientHello is processed and server flight sent. |SSL_write| may
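Review bot: The replay warning now ends in a bare `See RFC 8446 for more information.`, while the other citations updated in this header name a section or appendix. The final RFC covers this in section 8 (0-RTT and anti-replay) and appendix E.5 (replay attacks on 0-RTT). Citing them, as in `See RFC 8446, section 8 and appendix E.5.`, would point callers at the relevant text before they opt in. The comment block continues past the end of this hunk.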
@@ -3084,9 +3084,9 @@
 // properties. The caller must disregard any values from before the reset and
 // query again.
 //
-// Finally, to implement the fallback described in draft-ietf-tls-tls13-18
-// appendix C.3, retry on a fresh connection without 0-RTT if the handshake
-// fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.
+// Finally, to implement the fallback described in RFC 8446 appendix D.3, retry
+// on a fresh connection without 0-RTT if the handshake fails with
+// |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.
 
 // SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used
 // with resumptions using |ctx|.
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 0a3e9e4..937be6b 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -217,7 +217,7 @@
 // ExtensionType value from RFC4507
 #define TLSEXT_TYPE_session_ticket 35
 
-// ExtensionType values from draft-ietf-tls-tls13-18
+// ExtensionType values from RFC8446
 #define TLSEXT_TYPE_supported_groups 10
 #define TLSEXT_TYPE_pre_shared_key 41
 #define TLSEXT_TYPE_early_data 42
@@ -431,7 +431,7 @@
 #define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA9
 #define TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0x0300CCAC
 
-// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
+// TLS 1.3 ciphersuites from RFC 8446.
 #define TLS1_CK_AES_128_GCM_SHA256 0x03001301
 #define TLS1_CK_AES_256_GCM_SHA384 0x03001302
 #define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303
@@ -603,7 +603,7 @@
 #define TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
   "ECDHE-PSK-CHACHA20-POLY1305"
 
-// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
+// TLS 1.3 ciphersuites from RFC 8446.
 #define TLS1_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256"
 #define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384"
 #define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index ebf86a9..9f9e483 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -577,7 +577,7 @@
 
   // A TLS 1.2 server would not know to skip the early data we offered. Report
   // an error code sooner. The caller may use this error code to implement the
-  // fallback described in draft-ietf-tls-tls13-18 appendix C.3.
+  // fallback described in RFC 8446 appendix D.3.
   if (hs->early_data_offered) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
diff --git a/ssl/internal.h b/ssl/internal.h
index e612f6d..14c871a 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2462,11 +2462,10 @@
   bool shed_handshake_config : 1;
 };
 
-// From draft-ietf-tls-tls13-18, used in determining PSK modes.
+// From RFC 8446, used in determining PSK modes.
 #define SSL_PSK_DHE_KE 0x1
 
-// From draft-ietf-tls-tls13-16, used in determining whether to respond with a
-// KeyUpdate.
+// From RFC 8446, used in determining whether to respond with a KeyUpdate.
 #define SSL_KEY_UPDATE_NOT_REQUESTED 0
 #define SSL_KEY_UPDATE_REQUESTED 1
 
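Review bot: Both comments now say only `From RFC 8446`, whereas the matching constants in ssl/test/runner/common.go are updated in this same commit to cite section 4.2.9 (PskKeyExchangeMode) and section 4.6.3 (KeyUpdateRequest). Carrying the sections over keeps the two definitions checkable against the same text. For example, `// From RFC 8446, section 4.2.9, used in determining PSK modes.` and `// From RFC 8446, section 4.6.3, used in determining whether to respond with a KeyUpdate.`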
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index e129ab9..371ec53 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -1049,7 +1049,7 @@
 
 // Signature Algorithms for Certificates.
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-23#section-4.2.3
+// https://tools.ietf.org/html/rfc8446#section-4.2.3
 
 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
@@ -1846,7 +1846,7 @@
 
 // Pre Shared Key
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
+// https://tools.ietf.org/html/rfc8446#section-4.2.11
 
 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
@@ -1867,9 +1867,9 @@
     return true;
   }
 
-  // Per draft-ietf-tls-tls13-21 section 4.1.4, skip offering the session if the
-  // selected cipher in HelloRetryRequest does not match. This avoids performing
-  // the transcript hash transformation for multiple hashes.
+  // Per RFC 8446 section 4.1.4, skip offering the session if the selected
+  // cipher in HelloRetryRequest does not match. This avoids performing the
+  // transcript hash transformation for multiple hashes.
   if (hs->received_hello_retry_request &&
       ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
     return true;
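Review bot: The reworded comment still says the session is skipped when the selected cipher does not match, but the condition below compares only `algorithm_prf`, which by its name is the PRF hash of the two ciphers rather than the ciphers themselves. Wording such as `skip offering the session if the hash of the cipher selected in HelloRetryRequest does not match` would agree with the code and with the transcript-hash rationale in the next sentence. Separately, the allowance to drop incompatible PSKs after a HelloRetryRequest reads to me as section 4.1.2 of the final RFC rather than 4.1.4, so the section number is worth confirming. The enclosing function begins before this hunk and continues after it.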
@@ -2000,7 +2000,7 @@
 
 // Pre-Shared Key Exchange Modes
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
+// https://tools.ietf.org/html/rfc8446#section-4.2.9
 
 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
                                                        CBB *out) {
@@ -2044,7 +2044,7 @@
 
 // Early Data Indication
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
+// https://tools.ietf.org/html/rfc8446#section-4.2.10
 
 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
@@ -2129,7 +2129,7 @@
 
 // Key Share
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
+// https://tools.ietf.org/html/rfc8446#section-4.2.8
 
 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
@@ -2314,7 +2314,7 @@
 
 // Supported Versions
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.1
 
 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
@@ -2346,7 +2346,7 @@
 
 // Cookie
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
+// https://tools.ietf.org/html/rfc8446#section-4.2.2
 
 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   if (hs->cookie.empty()) {
@@ -2368,10 +2368,10 @@
 }
 
 
-// Negotiated Groups
+// Supported Groups
 //
-// https://tools.ietf.org/html/rfc4492#section-5.1.2
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
+// https://tools.ietf.org/html/rfc4492#section-5.1.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.7
 
 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index a627df9..cb77a73 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -89,9 +89,9 @@
 	typeServerHello           uint8 = 2
 	typeHelloVerifyRequest    uint8 = 3
 	typeNewSessionTicket      uint8 = 4
-	typeEndOfEarlyData        uint8 = 5 // draft-ietf-tls-tls13-21
-	typeHelloRetryRequest     uint8 = 6 // draft-ietf-tls-tls13-16
-	typeEncryptedExtensions   uint8 = 8 // draft-ietf-tls-tls13-16
+	typeEndOfEarlyData        uint8 = 5
+	typeHelloRetryRequest     uint8 = 6
+	typeEncryptedExtensions   uint8 = 8
 	typeCertificate           uint8 = 11
 	typeServerKeyExchange     uint8 = 12
 	typeCertificateRequest    uint8 = 13
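Review bot: Dropping the draft citation from `typeHelloRetryRequest uint8 = 6` leaves the value looking like a current code point. In the final RFC, HelloRetryRequest is encoded as a ServerHello and handshake type 6 is only reserved. If the runner still needs the constant for draft-era or negative tests (not visible from this hunk), a trailing comment such as `// Reserved in RFC 8446; used by earlier TLS 1.3 drafts` keeps that distinction. The const block starts before the hunk and continues into the next one.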
@@ -100,11 +100,11 @@
 	typeClientKeyExchange     uint8 = 16
 	typeFinished              uint8 = 20
 	typeCertificateStatus     uint8 = 22
-	typeKeyUpdate             uint8 = 24  // draft-ietf-tls-tls13-16
+	typeKeyUpdate             uint8 = 24
 	typeCompressedCertificate uint8 = 25  // Not IANA assigned
 	typeNextProtocol          uint8 = 67  // Not IANA assigned
 	typeChannelID             uint8 = 203 // Not IANA assigned
-	typeMessageHash           uint8 = 254 // draft-ietf-tls-tls13-21
+	typeMessageHash           uint8 = 254
 )
 
 // TLS compression types.
@@ -127,14 +127,14 @@
 	extensionTokenBinding               uint16 = 24
 	extensionCompressedCertAlgs         uint16 = 27
 	extensionSessionTicket              uint16 = 35
-	extensionPreSharedKey               uint16 = 41    // draft-ietf-tls-tls13-23
-	extensionEarlyData                  uint16 = 42    // draft-ietf-tls-tls13-23
-	extensionSupportedVersions          uint16 = 43    // draft-ietf-tls-tls13-23
-	extensionCookie                     uint16 = 44    // draft-ietf-tls-tls13-23
-	extensionPSKKeyExchangeModes        uint16 = 45    // draft-ietf-tls-tls13-23
-	extensionCertificateAuthorities     uint16 = 47    // draft-ietf-tls-tls13-23
-	extensionSignatureAlgorithmsCert    uint16 = 50    // draft-ietf-tls-tls13-23
-	extensionKeyShare                   uint16 = 51    // draft-ietf-tls-tls13-23
+	extensionPreSharedKey               uint16 = 41
+	extensionEarlyData                  uint16 = 42
+	extensionSupportedVersions          uint16 = 43
+	extensionCookie                     uint16 = 44
+	extensionPSKKeyExchangeModes        uint16 = 45
+	extensionCertificateAuthorities     uint16 = 47
+	extensionSignatureAlgorithmsCert    uint16 = 50
+	extensionKeyShare                   uint16 = 51
 	extensionCustom                     uint16 = 1234  // not IANA assigned
 	extensionNextProtoNeg               uint16 = 13172 // not IANA assigned
 	extensionRenegotiationInfo          uint16 = 0xff01
@@ -239,13 +239,13 @@
 	SRTP_AES128_CM_HMAC_SHA1_32        = 0x0002
 )
 
-// PskKeyExchangeMode values (see draft-ietf-tls-tls13-16)
+// PskKeyExchangeMode values (see RFC 8446, section 4.2.9)
 const (
 	pskKEMode    = 0
 	pskDHEKEMode = 1
 )
 
-// KeyUpdateRequest values (see draft-ietf-tls-tls13-16, section 4.5.3)
+// KeyUpdateRequest values (see RFC 8446, section 4.6.3)
 const (
 	keyUpdateNotRequested = 0
 	keyUpdateRequested    = 1
@@ -2064,7 +2064,7 @@
 }
 
 var (
-	// See draft-ietf-tls-tls13-16, section 6.3.1.2.
+	// See RFC 8446, section 4.1.3.
 	downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
 	downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
 )
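Review bot: The two sentinels carry only the section reference, and the names `downgradeTLS13` and `downgradeTLS12` do not say when each value is sent. The first seven bytes spell ASCII `DOWNGRD`. Per section 4.1.3, per-line comments such as `// "DOWNGRD\x01": TLS 1.3-capable server negotiating TLS 1.2` and `// "DOWNGRD\x00": server negotiating TLS 1.1 or below` would let a reader check the client and server hunks in this commit without decoding the hex.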
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 847c61a..49e947d 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -603,8 +603,7 @@
 	}
 
 	_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
-	// Check for downgrade signals in the server random, per
-	// draft-ietf-tls-tls13-16, section 4.1.3.
+	// Check for downgrade signals in the server random, per RFC 8446, section 4.1.3.
 	if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom {
 		if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
 			if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 43eb6fe..edc5a92 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -589,7 +589,7 @@
 			algIDs.addU16(v)
 		}
 	}
-	// The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
+	// The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11
 	if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
 		extensions.addU16(extensionPreSharedKey)
 		pskExtension := extensions.addU16LengthPrefixed()
@@ -762,7 +762,7 @@
 			m.ticketSupported = true
 			m.sessionTicket = []byte(body)
 		case extensionKeyShare:
-			// draft-ietf-tls-tls13 section 6.3.2.3
+			// https://tools.ietf.org/html/rfc8446#section-4.2.8
 			var keyShares byteReader
 			if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 {
 				return false
@@ -779,7 +779,7 @@
 				m.keyShares = append(m.keyShares, entry)
 			}
 		case extensionPreSharedKey:
-			// draft-ietf-tls-tls13-18 section 4.2.6
+			// https://tools.ietf.org/html/rfc8446#section-4.2.11
 			var psks, binders byteReader
 			if !body.readU16LengthPrefixed(&psks) ||
 				!body.readU16LengthPrefixed(&binders) ||
@@ -807,12 +807,12 @@
 				return false
 			}
 		case extensionPSKKeyExchangeModes:
-			// draft-ietf-tls-tls13-18 section 4.2.7
+			// https://tools.ietf.org/html/rfc8446#section-4.2.9
 			if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 {
 				return false
 			}
 		case extensionEarlyData:
-			// draft-ietf-tls-tls13 section 6.3.2.5
+			// https://tools.ietf.org/html/rfc8446#section-4.2.10
 			if len(body) != 0 {
 				return false
 			}
@@ -1299,7 +1299,7 @@
 		supportedPoints.addBytes(m.supportedPoints)
 	}
 	if len(m.supportedCurves) > 0 {
-		// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
+		// https://tools.ietf.org/html/rfc8446#section-4.2.7
 		extensions.addU16(extensionSupportedCurves)
 		supportedCurvesList := extensions.addU16LengthPrefixed()
 		supportedCurves := supportedCurvesList.addU16LengthPrefixed()
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index bdf72ae..ca7a7d3 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -1173,8 +1173,7 @@
 
 	_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
 
-	// Signal downgrades in the server random, per draft-ietf-tls-tls13-16,
-	// section 4.1.3.
+	// Signal downgrades in the server random, per RFC 8446, section 4.1.3.
 	if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom {
 		if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 {
 			copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13)
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go
index 8c2da0d..96e7f24 100644
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@@ -384,8 +384,7 @@
 }
 
 // zeroSecretTLS13 returns the default all zeros secret for TLS 1.3, used when a
-// given secret is not available in the handshake. See draft-ietf-tls-tls13-16,
-// section 7.1.
+// given secret is not available in the handshake. See RFC 8446, section 7.1.
 func (h *finishedHash) zeroSecret() []byte {
 	return make([]byte, h.hash.Size())
 }
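Review bot: The doc comment still opens with `zeroSecretTLS13` although the method it documents is `zeroSecret`, so godoc and linters that expect the comment to start with the declared name will not match it. Since this commit already rewrites the comment, it could begin `// zeroSecret returns the default all zeros secret for TLS 1.3, used when a`.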
@@ -400,7 +399,7 @@
 }
 
 // hkdfExpandLabel implements TLS 1.3's HKDF-Expand-Label function, as defined
-// in section 7.1 of draft-ietf-tls-tls13-16.
+// in section 7.1 of RFC 8446.
 func hkdfExpandLabel(hash crypto.Hash, secret, label, hashValue []byte, length int) []byte {
 	if len(label) > 255 || len(hashValue) > 255 {
 		panic("hkdfExpandLabel: label or hashValue too long")
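Review bot: The guard `len(label) > 255` bounds the caller's label, but section 7.1 of the RFC defines the encoded label as the caller's label with a `tls13 ` prefix, inside a field of 7 to 255 bytes. The rest of the body is outside this hunk. If the prefix is prepended after the check, a label of 250 to 255 bytes would pass the guard yet no longer fit the one-byte length prefix. Assuming the prefix is that literal, `if len(label) > 255-len("tls13 ") || len(hashValue) > 255 {` would cover it.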
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index ce9dd3c..a1793da 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -635,8 +635,7 @@
 
     // Suppress KeyUpdate acknowledgments until this change is written to the
     // wire. This prevents us from accumulating write obligations when read and
-    // write progress at different rates. See draft-ietf-tls-tls13-18, section
-    // 4.5.3.
+    // write progress at different rates. See RFC 8446, section 4.6.3.
     ssl->s3->key_update_pending = true;
   }
 
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index a3940b6..aba7fc0 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -706,7 +706,7 @@
     // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
     // the wire sooner and also avoids triggering a write on |SSL_read| when
     // processing the client Finished. This requires computing the client
-    // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
+    // Finished early. See RFC 8446, section 4.6.1.
     static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
                                                0, 0};
     if (!hs->transcript.Update(kEndOfEarlyData)) {