Update TLS 1.3 citations for the final RFC.
Change-Id: I2d1671a4f21a602191fd0c9b932244a376ac5713
Reviewed-on: https://boringssl-review.googlesource.com/31104
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index ebf86a9..9f9e483 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -577,7 +577,7 @@
// A TLS 1.2 server would not know to skip the early data we offered. Report
// an error code sooner. The caller may use this error code to implement the
- // fallback described in draft-ietf-tls-tls13-18 appendix C.3.
+ // fallback described in RFC 8446 appendix D.3.
if (hs->early_data_offered) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
diff --git a/ssl/internal.h b/ssl/internal.h
index e612f6d..14c871a 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2462,11 +2462,10 @@
bool shed_handshake_config : 1;
};
-// From draft-ietf-tls-tls13-18, used in determining PSK modes.
+// From RFC 8446, used in determining PSK modes.
#define SSL_PSK_DHE_KE 0x1
-// From draft-ietf-tls-tls13-16, used in determining whether to respond with a
-// KeyUpdate.
+// From RFC 8446, used in determining whether to respond with a KeyUpdate.
#define SSL_KEY_UPDATE_NOT_REQUESTED 0
#define SSL_KEY_UPDATE_REQUESTED 1
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index e129ab9..371ec53 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -1049,7 +1049,7 @@
// Signature Algorithms for Certificates.
//
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-23#section-4.2.3
+// https://tools.ietf.org/html/rfc8446#section-4.2.3
static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1846,7 +1846,7 @@
// Pre Shared Key
//
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
+// https://tools.ietf.org/html/rfc8446#section-4.2.11
static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
@@ -1867,9 +1867,9 @@
return true;
}
- // Per draft-ietf-tls-tls13-21 section 4.1.4, skip offering the session if the
- // selected cipher in HelloRetryRequest does not match. This avoids performing
- // the transcript hash transformation for multiple hashes.
+ // Per RFC 8446 section 4.1.4, skip offering the session if the selected
+ // cipher in HelloRetryRequest does not match. This avoids performing the
+ // transcript hash transformation for multiple hashes.
if (hs->received_hello_retry_request &&
ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
return true;
@@ -2000,7 +2000,7 @@
// Pre-Shared Key Exchange Modes
//
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
+// https://tools.ietf.org/html/rfc8446#section-4.2.9
static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
CBB *out) {
@@ -2044,7 +2044,7 @@
// Early Data Indication
//
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
+// https://tools.ietf.org/html/rfc8446#section-4.2.10
static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2129,7 +2129,7 @@
// Key Share
//
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
+// https://tools.ietf.org/html/rfc8446#section-4.2.8
static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2314,7 +2314,7 @@
// Supported Versions
//
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.1
static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2346,7 +2346,7 @@
// Cookie
//
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
+// https://tools.ietf.org/html/rfc8446#section-4.2.2
static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
if (hs->cookie.empty()) {
@@ -2368,10 +2368,10 @@
}
-// Negotiated Groups
+// Supported Groups
//
-// https://tools.ietf.org/html/rfc4492#section-5.1.2
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
+// https://tools.ietf.org/html/rfc4492#section-5.1.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.7
static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index a627df9..cb77a73 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -89,9 +89,9 @@
typeServerHello uint8 = 2
typeHelloVerifyRequest uint8 = 3
typeNewSessionTicket uint8 = 4
- typeEndOfEarlyData uint8 = 5 // draft-ietf-tls-tls13-21
- typeHelloRetryRequest uint8 = 6 // draft-ietf-tls-tls13-16
- typeEncryptedExtensions uint8 = 8 // draft-ietf-tls-tls13-16
+ typeEndOfEarlyData uint8 = 5
+ typeHelloRetryRequest uint8 = 6
+ typeEncryptedExtensions uint8 = 8
typeCertificate uint8 = 11
typeServerKeyExchange uint8 = 12
typeCertificateRequest uint8 = 13
@@ -100,11 +100,11 @@
typeClientKeyExchange uint8 = 16
typeFinished uint8 = 20
typeCertificateStatus uint8 = 22
- typeKeyUpdate uint8 = 24 // draft-ietf-tls-tls13-16
+ typeKeyUpdate uint8 = 24
typeCompressedCertificate uint8 = 25 // Not IANA assigned
typeNextProtocol uint8 = 67 // Not IANA assigned
typeChannelID uint8 = 203 // Not IANA assigned
- typeMessageHash uint8 = 254 // draft-ietf-tls-tls13-21
+ typeMessageHash uint8 = 254
)
// TLS compression types.
@@ -127,14 +127,14 @@
extensionTokenBinding uint16 = 24
extensionCompressedCertAlgs uint16 = 27
extensionSessionTicket uint16 = 35
- extensionPreSharedKey uint16 = 41 // draft-ietf-tls-tls13-23
- extensionEarlyData uint16 = 42 // draft-ietf-tls-tls13-23
- extensionSupportedVersions uint16 = 43 // draft-ietf-tls-tls13-23
- extensionCookie uint16 = 44 // draft-ietf-tls-tls13-23
- extensionPSKKeyExchangeModes uint16 = 45 // draft-ietf-tls-tls13-23
- extensionCertificateAuthorities uint16 = 47 // draft-ietf-tls-tls13-23
- extensionSignatureAlgorithmsCert uint16 = 50 // draft-ietf-tls-tls13-23
- extensionKeyShare uint16 = 51 // draft-ietf-tls-tls13-23
+ extensionPreSharedKey uint16 = 41
+ extensionEarlyData uint16 = 42
+ extensionSupportedVersions uint16 = 43
+ extensionCookie uint16 = 44
+ extensionPSKKeyExchangeModes uint16 = 45
+ extensionCertificateAuthorities uint16 = 47
+ extensionSignatureAlgorithmsCert uint16 = 50
+ extensionKeyShare uint16 = 51
extensionCustom uint16 = 1234 // not IANA assigned
extensionNextProtoNeg uint16 = 13172 // not IANA assigned
extensionRenegotiationInfo uint16 = 0xff01
@@ -239,13 +239,13 @@
SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002
)
-// PskKeyExchangeMode values (see draft-ietf-tls-tls13-16)
+// PskKeyExchangeMode values (see RFC 8446, section 4.2.9)
const (
pskKEMode = 0
pskDHEKEMode = 1
)
-// KeyUpdateRequest values (see draft-ietf-tls-tls13-16, section 4.5.3)
+// KeyUpdateRequest values (see RFC 8446, section 4.6.3)
const (
keyUpdateNotRequested = 0
keyUpdateRequested = 1
@@ -2064,7 +2064,7 @@
}
var (
- // See draft-ietf-tls-tls13-16, section 6.3.1.2.
+ // See RFC 8446, section 4.1.3.
downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
)
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 847c61a..49e947d 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -603,8 +603,7 @@
}
_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
- // Check for downgrade signals in the server random, per
- // draft-ietf-tls-tls13-16, section 4.1.3.
+ // Check for downgrade signals in the server random, per RFC 8446, section 4.1.3.
if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom {
if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 43eb6fe..edc5a92 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -589,7 +589,7 @@
algIDs.addU16(v)
}
}
- // The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
+ // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11
if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
extensions.addU16(extensionPreSharedKey)
pskExtension := extensions.addU16LengthPrefixed()
@@ -762,7 +762,7 @@
m.ticketSupported = true
m.sessionTicket = []byte(body)
case extensionKeyShare:
- // draft-ietf-tls-tls13 section 6.3.2.3
+ // https://tools.ietf.org/html/rfc8446#section-4.2.8
var keyShares byteReader
if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 {
return false
@@ -779,7 +779,7 @@
m.keyShares = append(m.keyShares, entry)
}
case extensionPreSharedKey:
- // draft-ietf-tls-tls13-18 section 4.2.6
+ // https://tools.ietf.org/html/rfc8446#section-4.2.11
var psks, binders byteReader
if !body.readU16LengthPrefixed(&psks) ||
!body.readU16LengthPrefixed(&binders) ||
@@ -807,12 +807,12 @@
return false
}
case extensionPSKKeyExchangeModes:
- // draft-ietf-tls-tls13-18 section 4.2.7
+ // https://tools.ietf.org/html/rfc8446#section-4.2.9
if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 {
return false
}
case extensionEarlyData:
- // draft-ietf-tls-tls13 section 6.3.2.5
+ // https://tools.ietf.org/html/rfc8446#section-4.2.10
if len(body) != 0 {
return false
}
@@ -1299,7 +1299,7 @@
supportedPoints.addBytes(m.supportedPoints)
}
if len(m.supportedCurves) > 0 {
- // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
+ // https://tools.ietf.org/html/rfc8446#section-4.2.7
extensions.addU16(extensionSupportedCurves)
supportedCurvesList := extensions.addU16LengthPrefixed()
supportedCurves := supportedCurvesList.addU16LengthPrefixed()
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index bdf72ae..ca7a7d3 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -1173,8 +1173,7 @@
_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
- // Signal downgrades in the server random, per draft-ietf-tls-tls13-16,
- // section 4.1.3.
+ // Signal downgrades in the server random, per RFC 8446, section 4.1.3.
if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom {
if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 {
copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13)
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go
index 8c2da0d..96e7f24 100644
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@@ -384,8 +384,7 @@
}
// zeroSecretTLS13 returns the default all zeros secret for TLS 1.3, used when a
-// given secret is not available in the handshake. See draft-ietf-tls-tls13-16,
-// section 7.1.
+// given secret is not available in the handshake. See RFC 8446, section 7.1.
func (h *finishedHash) zeroSecret() []byte {
return make([]byte, h.hash.Size())
}
@@ -400,7 +399,7 @@
}
// hkdfExpandLabel implements TLS 1.3's HKDF-Expand-Label function, as defined
-// in section 7.1 of draft-ietf-tls-tls13-16.
+// in section 7.1 of RFC 8446.
func hkdfExpandLabel(hash crypto.Hash, secret, label, hashValue []byte, length int) []byte {
if len(label) > 255 || len(hashValue) > 255 {
panic("hkdfExpandLabel: label or hashValue too long")
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index ce9dd3c..a1793da 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -635,8 +635,7 @@
// Suppress KeyUpdate acknowledgments until this change is written to the
// wire. This prevents us from accumulating write obligations when read and
- // write progress at different rates. See draft-ietf-tls-tls13-18, section
- // 4.5.3.
+ // write progress at different rates. See RFC 8446, section 4.6.3.
ssl->s3->key_update_pending = true;
}
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index a3940b6..aba7fc0 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -706,7 +706,7 @@
// If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
// the wire sooner and also avoids triggering a write on |SSL_read| when
// processing the client Finished. This requires computing the client
- // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
+ // Finished early. See RFC 8446, section 4.6.1.
static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
0, 0};
if (!hs->transcript.Update(kEndOfEarlyData)) {
