Update TLS 1.3 citations for the final RFC. Change-Id: I2d1671a4f21a602191fd0c9b932244a376ac5713 Reviewed-on: https://boringssl-review.googlesource.com/31104 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/fipsmodule/cipher/e_aes.c b/crypto/fipsmodule/cipher/e_aes.c index 639995d..de2f10f 100644 --- a/crypto/fipsmodule/cipher/e_aes.c +++ b/crypto/fipsmodule/cipher/e_aes.c
@@ -1201,8 +1201,8 @@ } // The given nonces must be strictly monotonically increasing. See - // https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-5.3 for details - // of the TLS 1.3 nonce construction. + // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3 + // nonce construction. uint64_t given_counter; OPENSSL_memcpy(&given_counter, nonce + nonce_len - sizeof(given_counter), sizeof(given_counter));
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 047101e..c2afa15 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -1696,8 +1696,8 @@ // // If this function returns one, clients retain multiple sessions and use each // only once. This prevents passive observers from correlating connections with -// tickets. See draft-ietf-tls-tls13-18, appendix B.5. If it returns zero, -// |session| cannot be used without leaking a correlator. +// tickets. See RFC 8446, appendix C.4. If it returns zero, |session| cannot be +// used without leaking a correlator. OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session); // SSL_SESSION_is_resumable returns one if |session| is resumable and zero @@ -3048,8 +3048,8 @@ // WARNING: A 0-RTT handshake has different security properties from normal // handshake, so it is off by default unless opted in. In particular, early data // is replayable by a network attacker. Callers must account for this when -// sending or processing data before the handshake is confirmed. See -// draft-ietf-tls-tls13-18 for more information. +// sending or processing data before the handshake is confirmed. See RFC 8446 +// for more information. // // As a server, if early data is accepted, |SSL_do_handshake| will complete as // soon as the ClientHello is processed and server flight sent. |SSL_write| may @@ -3084,9 +3084,9 @@ // properties. The caller must disregard any values from before the reset and // query again. // -// Finally, to implement the fallback described in draft-ietf-tls-tls13-18 -// appendix C.3, retry on a fresh connection without 0-RTT if the handshake -// fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. +// Finally, to implement the fallback described in RFC 8446 appendix D.3, retry +// on a fresh connection without 0-RTT if the handshake fails with +// |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. // SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used // with resumptions using |ctx|.
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 0a3e9e4..937be6b 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h
@@ -217,7 +217,7 @@ // ExtensionType value from RFC4507 #define TLSEXT_TYPE_session_ticket 35 -// ExtensionType values from draft-ietf-tls-tls13-18 +// ExtensionType values from RFC8446 #define TLSEXT_TYPE_supported_groups 10 #define TLSEXT_TYPE_pre_shared_key 41 #define TLSEXT_TYPE_early_data 42 @@ -431,7 +431,7 @@ #define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA9 #define TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0x0300CCAC -// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16 +// TLS 1.3 ciphersuites from RFC 8446. #define TLS1_CK_AES_128_GCM_SHA256 0x03001301 #define TLS1_CK_AES_256_GCM_SHA384 0x03001302 #define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303 @@ -603,7 +603,7 @@ #define TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \ "ECDHE-PSK-CHACHA20-POLY1305" -// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16 +// TLS 1.3 ciphersuites from RFC 8446. #define TLS1_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256" #define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384" #define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc index ebf86a9..9f9e483 100644 --- a/ssl/handshake_client.cc +++ b/ssl/handshake_client.cc
@@ -577,7 +577,7 @@ // A TLS 1.2 server would not know to skip the early data we offered. Report // an error code sooner. The caller may use this error code to implement the - // fallback described in draft-ietf-tls-tls13-18 appendix C.3. + // fallback described in RFC 8446 appendix D.3. if (hs->early_data_offered) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
diff --git a/ssl/internal.h b/ssl/internal.h index e612f6d..14c871a 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -2462,11 +2462,10 @@ bool shed_handshake_config : 1; }; -// From draft-ietf-tls-tls13-18, used in determining PSK modes. +// From RFC 8446, used in determining PSK modes. #define SSL_PSK_DHE_KE 0x1 -// From draft-ietf-tls-tls13-16, used in determining whether to respond with a -// KeyUpdate. +// From RFC 8446, used in determining whether to respond with a KeyUpdate. #define SSL_KEY_UPDATE_NOT_REQUESTED 0 #define SSL_KEY_UPDATE_REQUESTED 1
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc index e129ab9..371ec53 100644 --- a/ssl/t1_lib.cc +++ b/ssl/t1_lib.cc
@@ -1049,7 +1049,7 @@ // Signature Algorithms for Certificates. // -// https://tools.ietf.org/html/draft-ietf-tls-tls13-23#section-4.2.3 +// https://tools.ietf.org/html/rfc8446#section-4.2.3 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -1846,7 +1846,7 @@ // Pre Shared Key // -// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6 +// https://tools.ietf.org/html/rfc8446#section-4.2.11 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; @@ -1867,9 +1867,9 @@ return true; } - // Per draft-ietf-tls-tls13-21 section 4.1.4, skip offering the session if the - // selected cipher in HelloRetryRequest does not match. This avoids performing - // the transcript hash transformation for multiple hashes. + // Per RFC 8446 section 4.1.4, skip offering the session if the selected + // cipher in HelloRetryRequest does not match. This avoids performing the + // transcript hash transformation for multiple hashes. if (hs->received_hello_retry_request && ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) { return true; @@ -2000,7 +2000,7 @@ // Pre-Shared Key Exchange Modes // -// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7 +// https://tools.ietf.org/html/rfc8446#section-4.2.9 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { @@ -2044,7 +2044,7 @@ // Early Data Indication // -// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8 +// https://tools.ietf.org/html/rfc8446#section-4.2.10 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -2129,7 +2129,7 @@ // Key Share // -// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 +// https://tools.ietf.org/html/rfc8446#section-4.2.8 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -2314,7 +2314,7 @@ // Supported Versions // -// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1 +// https://tools.ietf.org/html/rfc8446#section-4.2.1 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -2346,7 +2346,7 @@ // Cookie // -// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2 +// https://tools.ietf.org/html/rfc8446#section-4.2.2 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { if (hs->cookie.empty()) { @@ -2368,10 +2368,10 @@ } -// Negotiated Groups +// Supported Groups // -// https://tools.ietf.org/html/rfc4492#section-5.1.2 -// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 +// https://tools.ietf.org/html/rfc4492#section-5.1.1 +// https://tools.ietf.org/html/rfc8446#section-4.2.7 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl;
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index a627df9..cb77a73 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go
@@ -89,9 +89,9 @@ typeServerHello uint8 = 2 typeHelloVerifyRequest uint8 = 3 typeNewSessionTicket uint8 = 4 - typeEndOfEarlyData uint8 = 5 // draft-ietf-tls-tls13-21 - typeHelloRetryRequest uint8 = 6 // draft-ietf-tls-tls13-16 - typeEncryptedExtensions uint8 = 8 // draft-ietf-tls-tls13-16 + typeEndOfEarlyData uint8 = 5 + typeHelloRetryRequest uint8 = 6 + typeEncryptedExtensions uint8 = 8 typeCertificate uint8 = 11 typeServerKeyExchange uint8 = 12 typeCertificateRequest uint8 = 13 @@ -100,11 +100,11 @@ typeClientKeyExchange uint8 = 16 typeFinished uint8 = 20 typeCertificateStatus uint8 = 22 - typeKeyUpdate uint8 = 24 // draft-ietf-tls-tls13-16 + typeKeyUpdate uint8 = 24 typeCompressedCertificate uint8 = 25 // Not IANA assigned typeNextProtocol uint8 = 67 // Not IANA assigned typeChannelID uint8 = 203 // Not IANA assigned - typeMessageHash uint8 = 254 // draft-ietf-tls-tls13-21 + typeMessageHash uint8 = 254 ) // TLS compression types. @@ -127,14 +127,14 @@ extensionTokenBinding uint16 = 24 extensionCompressedCertAlgs uint16 = 27 extensionSessionTicket uint16 = 35 - extensionPreSharedKey uint16 = 41 // draft-ietf-tls-tls13-23 - extensionEarlyData uint16 = 42 // draft-ietf-tls-tls13-23 - extensionSupportedVersions uint16 = 43 // draft-ietf-tls-tls13-23 - extensionCookie uint16 = 44 // draft-ietf-tls-tls13-23 - extensionPSKKeyExchangeModes uint16 = 45 // draft-ietf-tls-tls13-23 - extensionCertificateAuthorities uint16 = 47 // draft-ietf-tls-tls13-23 - extensionSignatureAlgorithmsCert uint16 = 50 // draft-ietf-tls-tls13-23 - extensionKeyShare uint16 = 51 // draft-ietf-tls-tls13-23 + extensionPreSharedKey uint16 = 41 + extensionEarlyData uint16 = 42 + extensionSupportedVersions uint16 = 43 + extensionCookie uint16 = 44 + extensionPSKKeyExchangeModes uint16 = 45 + extensionCertificateAuthorities uint16 = 47 + extensionSignatureAlgorithmsCert uint16 = 50 + extensionKeyShare uint16 = 51 extensionCustom uint16 = 1234 // not IANA assigned extensionNextProtoNeg uint16 = 13172 // not IANA assigned extensionRenegotiationInfo uint16 = 0xff01 @@ -239,13 +239,13 @@ SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002 ) -// PskKeyExchangeMode values (see draft-ietf-tls-tls13-16) +// PskKeyExchangeMode values (see RFC 8446, section 4.2.9) const ( pskKEMode = 0 pskDHEKEMode = 1 ) -// KeyUpdateRequest values (see draft-ietf-tls-tls13-16, section 4.5.3) +// KeyUpdateRequest values (see RFC 8446, section 4.6.3) const ( keyUpdateNotRequested = 0 keyUpdateRequested = 1 @@ -2064,7 +2064,7 @@ } var ( - // See draft-ietf-tls-tls13-16, section 6.3.1.2. + // See RFC 8446, section 4.1.3. downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01} downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00} )
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go index 847c61a..49e947d 100644 --- a/ssl/test/runner/handshake_client.go +++ b/ssl/test/runner/handshake_client.go
@@ -603,8 +603,7 @@ } _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) - // Check for downgrade signals in the server random, per - // draft-ietf-tls-tls13-16, section 4.1.3. + // Check for downgrade signals in the server random, per RFC 8446, section 4.1.3. if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom { if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 { if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go index 43eb6fe..edc5a92 100644 --- a/ssl/test/runner/handshake_messages.go +++ b/ssl/test/runner/handshake_messages.go
@@ -589,7 +589,7 @@ algIDs.addU16(v) } } - // The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6). + // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11 if len(m.pskIdentities) > 0 && !m.pskBinderFirst { extensions.addU16(extensionPreSharedKey) pskExtension := extensions.addU16LengthPrefixed() @@ -762,7 +762,7 @@ m.ticketSupported = true m.sessionTicket = []byte(body) case extensionKeyShare: - // draft-ietf-tls-tls13 section 6.3.2.3 + // https://tools.ietf.org/html/rfc8446#section-4.2.8 var keyShares byteReader if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 { return false @@ -779,7 +779,7 @@ m.keyShares = append(m.keyShares, entry) } case extensionPreSharedKey: - // draft-ietf-tls-tls13-18 section 4.2.6 + // https://tools.ietf.org/html/rfc8446#section-4.2.11 var psks, binders byteReader if !body.readU16LengthPrefixed(&psks) || !body.readU16LengthPrefixed(&binders) || @@ -807,12 +807,12 @@ return false } case extensionPSKKeyExchangeModes: - // draft-ietf-tls-tls13-18 section 4.2.7 + // https://tools.ietf.org/html/rfc8446#section-4.2.9 if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 { return false } case extensionEarlyData: - // draft-ietf-tls-tls13 section 6.3.2.5 + // https://tools.ietf.org/html/rfc8446#section-4.2.10 if len(body) != 0 { return false } @@ -1299,7 +1299,7 @@ supportedPoints.addBytes(m.supportedPoints) } if len(m.supportedCurves) > 0 { - // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4 + // https://tools.ietf.org/html/rfc8446#section-4.2.7 extensions.addU16(extensionSupportedCurves) supportedCurvesList := extensions.addU16LengthPrefixed() supportedCurves := supportedCurvesList.addU16LengthPrefixed()
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index bdf72ae..ca7a7d3 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go
@@ -1173,8 +1173,7 @@ _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) - // Signal downgrades in the server random, per draft-ietf-tls-tls13-16, - // section 4.1.3. + // Signal downgrades in the server random, per RFC 8446, section 4.1.3. if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom { if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 { copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13)
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go index 8c2da0d..96e7f24 100644 --- a/ssl/test/runner/prf.go +++ b/ssl/test/runner/prf.go
@@ -384,8 +384,7 @@ } // zeroSecretTLS13 returns the default all zeros secret for TLS 1.3, used when a -// given secret is not available in the handshake. See draft-ietf-tls-tls13-16, -// section 7.1. +// given secret is not available in the handshake. See RFC 8446, section 7.1. func (h *finishedHash) zeroSecret() []byte { return make([]byte, h.hash.Size()) } @@ -400,7 +399,7 @@ } // hkdfExpandLabel implements TLS 1.3's HKDF-Expand-Label function, as defined -// in section 7.1 of draft-ietf-tls-tls13-16. +// in section 7.1 of RFC 8446. func hkdfExpandLabel(hash crypto.Hash, secret, label, hashValue []byte, length int) []byte { if len(label) > 255 || len(hashValue) > 255 { panic("hkdfExpandLabel: label or hashValue too long")
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc index ce9dd3c..a1793da 100644 --- a/ssl/tls13_both.cc +++ b/ssl/tls13_both.cc
@@ -635,8 +635,7 @@ // Suppress KeyUpdate acknowledgments until this change is written to the // wire. This prevents us from accumulating write obligations when read and - // write progress at different rates. See draft-ietf-tls-tls13-18, section - // 4.5.3. + // write progress at different rates. See RFC 8446, section 4.6.3. ssl->s3->key_update_pending = true; }
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc index a3940b6..aba7fc0 100644 --- a/ssl/tls13_server.cc +++ b/ssl/tls13_server.cc
@@ -706,7 +706,7 @@ // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on // the wire sooner and also avoids triggering a write on |SSL_read| when // processing the client Finished. This requires computing the client - // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. + // Finished early. See RFC 8446, section 4.6.1. static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0, 0}; if (!hs->transcript.Update(kEndOfEarlyData)) {