Remove deprecated TLS 1.3 variants.
Upgrade-Note: SSL_CTX_set_tls13_variant(tls13_experiment) on the server
should switch to SSL_CTX_set_tls13_variant(tls13_experiment2).
(Configuring any TLS 1.3 variants on the server enables all variants,
so this is a no-op. We're just retiring some old experiments.)
Change-Id: I60f0ca3f96ff84bdf59e1a282a46e51d99047462
Reviewed-on: https://boringssl-review.googlesource.com/23784
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 066390b..14aab12 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -591,12 +591,8 @@
#define DTLS1_VERSION 0xfeff
#define DTLS1_2_VERSION 0xfefd
-#define TLS1_3_DRAFT_VERSION 0x7f12
-#define TLS1_3_DRAFT21_VERSION 0x7f15
#define TLS1_3_DRAFT22_VERSION 0x7f16
-#define TLS1_3_EXPERIMENT_VERSION 0x7e01
#define TLS1_3_EXPERIMENT2_VERSION 0x7e02
-#define TLS1_3_EXPERIMENT3_VERSION 0x7e03
// SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to
// |version|. If |version| is zero, the default minimum version is used. It
@@ -3226,11 +3222,7 @@
enum tls13_variant_t {
tls13_default = 0,
- tls13_experiment = 1,
- tls13_experiment2 = 2,
- tls13_experiment3 = 3,
- tls13_draft21 = 4,
- tls13_draft22 = 5,
+ tls13_experiment2 = 1,
};
// SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
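Review bot: Renumbering `tls13_experiment2` from 2 to 1 in `enum tls13_variant_t` silently changes the meaning of any caller that carries the variant as a number rather than by name (a binary built against the old header, a language binding, a stored configuration value). The old value 1 (formerly `tls13_experiment`) now selects experiment2, and the old value 2 matches no enumerator. Judging from the `ssl_supports_version` hunk in ssl/ssl_versions.cc, an unmatched value would make a server accept every variant, while a client would presumably match none and stop offering TLS 1.3 without reporting an error. Keeping the surviving enumerator at its old value, `tls13_experiment2 = 2,`, or validating the argument in `SSL_CTX_set_tls13_variant`, would avoid this. The Upgrade-Note covers only the source-level rename.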
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index cdda459..ce9d278 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -464,7 +464,7 @@
hs->session_id_len = ssl->session->session_id_length;
OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
hs->session_id_len);
- } else if (ssl_is_resumption_variant(hs->max_version, ssl->tls13_variant)) {
+ } else if (hs->max_version >= TLS1_3_VERSION) {
hs->session_id_len = sizeof(hs->session_id);
if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
return ssl_hs_error;
diff --git a/ssl/s3_pkt.cc b/ssl/s3_pkt.cc
index e6518ba..e14d551 100644
--- a/ssl/s3_pkt.cc
+++ b/ssl/s3_pkt.cc
@@ -306,7 +306,7 @@
if (type == SSL3_RT_HANDSHAKE) {
// If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
// by an alert.
- if (!ssl_is_draft21(ssl->version) && is_early_data_read) {
+ if (!ssl_is_draft22(ssl->version) && is_early_data_read) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
return ssl_open_record_error;
@@ -335,7 +335,7 @@
// Handle the end_of_early_data alert.
static const uint8_t kEndOfEarlyData[2] = {SSL3_AL_WARNING,
TLS1_AD_END_OF_EARLY_DATA};
- if (!ssl_is_draft21(ssl->version) && is_early_data_read &&
+ if (!ssl_is_draft22(ssl->version) && is_early_data_read &&
type == SSL3_RT_ALERT && body == kEndOfEarlyData) {
// Stop accepting early data.
ssl->s3->hs->can_early_read = false;
diff --git a/ssl/ssl_aead_ctx.cc b/ssl/ssl_aead_ctx.cc
index 775827c..247e889 100644
--- a/ssl/ssl_aead_ctx.cc
+++ b/ssl/ssl_aead_ctx.cc
@@ -173,10 +173,7 @@
return version_;
}
- if (ssl_is_resumption_record_version_experiment(version_)) {
- return TLS1_2_VERSION;
- }
- return TLS1_VERSION;
+ return TLS1_2_VERSION;
}
size_t SSLAEADContext::ExplicitNonceLen() const {
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 8288878..5d37448 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -2617,7 +2617,8 @@
EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
// TLS1_3_DRAFT_VERSION is not an API-level version.
- EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION));
+ EXPECT_FALSE(
+ SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT22_VERSION));
ERR_clear_error();
ctx.reset(SSL_CTX_new(DTLS_method()));
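Review bot: The comment above the changed assertion still names `TLS1_3_DRAFT_VERSION`, a constant this commit removes from ssl.h, while the call now passes `TLS1_3_DRAFT22_VERSION`. Updating it to `// TLS1_3_DRAFT22_VERSION is not an API-level version.` keeps the comment in step with the code and with a search for the old name. The enclosing test starts and ends outside the hunk.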
@@ -2960,9 +2961,7 @@
uint16_t record_version, length;
ASSERT_TRUE(CBS_get_u8(&cbs, &type));
ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
- EXPECT_TRUE(record_version == version() ||
- record_version == (is_dtls() ? DTLS1_VERSION : TLS1_VERSION))
- << "Invalid record version: " << record_version;
+ EXPECT_EQ(record_version & 0xff00, version() & 0xff00);
if (is_dtls()) {
uint16_t epoch;
ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
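Review bot: `EXPECT_EQ(record_version & 0xff00, version() & 0xff00)` compares only the major byte, so any minor version now passes where the old assertion accepted exactly two values. A regression in the record-layer version written on the wire would go unnoticed by this test. The diagnostic `<< "Invalid record version: " << record_version` is also dropped, which makes a failure harder to read. If the loosening exists only because TLS 1.3 records now carry `TLS1_2_VERSION`, listing the accepted values explicitly (the old two plus `TLS1_2_VERSION` when `version()` is TLS 1.3) and keeping the message would be tighter. The enclosing function starts and ends outside the hunk.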
@@ -3862,7 +3861,7 @@
!TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
// Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
// will be a PSK binder after the padding extension.
- !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION)) {
+ !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT22_VERSION)) {
ADD_FAILURE() << "Tests failed";
}
}
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index 2406bd8..4ef54da 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -34,12 +34,8 @@
*out = version;
return true;
- case TLS1_3_DRAFT_VERSION:
- case TLS1_3_DRAFT21_VERSION:
case TLS1_3_DRAFT22_VERSION:
- case TLS1_3_EXPERIMENT_VERSION:
case TLS1_3_EXPERIMENT2_VERSION:
- case TLS1_3_EXPERIMENT3_VERSION:
*out = TLS1_3_VERSION;
return true;
@@ -62,11 +58,7 @@
static const uint16_t kTLSVersions[] = {
TLS1_3_DRAFT22_VERSION,
- TLS1_3_EXPERIMENT3_VERSION,
TLS1_3_EXPERIMENT2_VERSION,
- TLS1_3_EXPERIMENT_VERSION,
- TLS1_3_DRAFT_VERSION,
- TLS1_3_DRAFT21_VERSION,
TLS1_2_VERSION,
TLS1_1_VERSION,
TLS1_VERSION,
@@ -109,12 +101,8 @@
static const char *ssl_version_to_string(uint16_t version) {
switch (version) {
- case TLS1_3_DRAFT_VERSION:
- case TLS1_3_DRAFT21_VERSION:
case TLS1_3_DRAFT22_VERSION:
- case TLS1_3_EXPERIMENT_VERSION:
case TLS1_3_EXPERIMENT2_VERSION:
- case TLS1_3_EXPERIMENT3_VERSION:
return "TLSv1.3";
case TLS1_2_VERSION:
@@ -143,12 +131,8 @@
static uint16_t wire_version_to_api(uint16_t version) {
switch (version) {
// Report TLS 1.3 draft versions as TLS 1.3 in the public API.
- case TLS1_3_DRAFT_VERSION:
- case TLS1_3_DRAFT21_VERSION:
case TLS1_3_DRAFT22_VERSION:
- case TLS1_3_EXPERIMENT_VERSION:
case TLS1_3_EXPERIMENT2_VERSION:
- case TLS1_3_EXPERIMENT3_VERSION:
return TLS1_3_VERSION;
default:
return version;
@@ -159,16 +143,12 @@
// particular, it picks an arbitrary TLS 1.3 representative. This should only be
// used in context where that does not matter.
static bool api_version_to_wire(uint16_t *out, uint16_t version) {
- if (version == TLS1_3_DRAFT_VERSION ||
- version == TLS1_3_DRAFT21_VERSION ||
- version == TLS1_3_DRAFT22_VERSION ||
- version == TLS1_3_EXPERIMENT_VERSION ||
- version == TLS1_3_EXPERIMENT2_VERSION ||
- version == TLS1_3_EXPERIMENT3_VERSION) {
+ if (version == TLS1_3_DRAFT22_VERSION ||
+ version == TLS1_3_EXPERIMENT2_VERSION) {
return false;
}
if (version == TLS1_3_VERSION) {
- version = TLS1_3_DRAFT_VERSION;
+ version = TLS1_3_DRAFT22_VERSION;
}
// Check it is a real protocol version.
@@ -321,32 +301,16 @@
// TLS 1.3 variants must additionally match |tls13_variant|.
if (protocol_version != TLS1_3_VERSION ||
- (ssl->tls13_variant == tls13_experiment &&
- version == TLS1_3_EXPERIMENT_VERSION) ||
(ssl->tls13_variant == tls13_experiment2 &&
version == TLS1_3_EXPERIMENT2_VERSION) ||
- (ssl->tls13_variant == tls13_experiment3 &&
- version == TLS1_3_EXPERIMENT3_VERSION) ||
- (ssl->tls13_variant == tls13_draft21 &&
- version == TLS1_3_DRAFT21_VERSION) ||
- (ssl->tls13_variant == tls13_draft22 &&
- version == TLS1_3_DRAFT22_VERSION) ||
(ssl->tls13_variant == tls13_default &&
- version == TLS1_3_DRAFT_VERSION)) {
+ version == TLS1_3_DRAFT22_VERSION)) {
return true;
}
// The server, when not configured at |tls13_default|, should additionally
- // enable all variants, except draft-21 which is implemented solely for QUIC
- // interop testing and will not be deployed, and draft-22 which will be
- // enabled once the draft is finalized and ready to be deployed in Chrome.
- // Currently, this is to implement the draft-18 vs. experiments field trials.
- // In the future, this will be to transition cleanly to a final draft-22
- // which hopefully includes the deployability fixes.
- if (ssl->server &&
- ssl->tls13_variant != tls13_default &&
- version != TLS1_3_DRAFT21_VERSION &&
- version != TLS1_3_DRAFT22_VERSION) {
+ // enable all variants.
+ if (ssl->server && ssl->tls13_variant != tls13_default) {
return true;
}
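Review bot: With the draft-22 exclusion gone, `if (ssl->server && ssl->tls13_variant != tls13_default)` makes a server configured for `tls13_experiment2` also negotiate `TLS1_3_DRAFT22_VERSION`, which the removed comment said was being held back. The commit message describes the server-side change as a no-op, so this widening deserves a sentence in the new comment. If that is the intent, something like `// The server, when not configured at |tls13_default|, additionally enables all variants, including draft-22.` would record it. The test is `!= tls13_default` rather than `== tls13_experiment2`, so any unrecognised non-zero variant value takes this path too. The enclosing function starts and ends outside the hunk.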
@@ -397,42 +361,10 @@
return false;
}
-bool ssl_is_draft21(uint16_t version) {
- return version == TLS1_3_DRAFT21_VERSION || version == TLS1_3_DRAFT22_VERSION;
-}
-
bool ssl_is_draft22(uint16_t version) {
return version == TLS1_3_DRAFT22_VERSION;
}
-bool ssl_is_resumption_experiment(uint16_t version) {
- return version == TLS1_3_EXPERIMENT_VERSION ||
- version == TLS1_3_EXPERIMENT2_VERSION ||
- version == TLS1_3_EXPERIMENT3_VERSION ||
- version == TLS1_3_DRAFT22_VERSION;
-}
-
-bool ssl_is_resumption_variant(uint16_t max_version,
- enum tls13_variant_t variant) {
- if (max_version < TLS1_3_VERSION) {
- return false;
- }
- return variant == tls13_experiment || variant == tls13_experiment2 ||
- variant == tls13_experiment3 || variant == tls13_draft22;
-}
-
-bool ssl_is_resumption_client_ccs_experiment(uint16_t version) {
- return version == TLS1_3_EXPERIMENT_VERSION ||
- version == TLS1_3_EXPERIMENT2_VERSION ||
- version == TLS1_3_DRAFT22_VERSION;
-}
-
-bool ssl_is_resumption_record_version_experiment(uint16_t version) {
- return version == TLS1_3_EXPERIMENT2_VERSION ||
- version == TLS1_3_EXPERIMENT3_VERSION ||
- version == TLS1_3_DRAFT22_VERSION;
-}
-
} // namespace bssl
using namespace bssl;
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 8d03623..5a91b7a 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -1810,7 +1810,7 @@
// selected cipher in HelloRetryRequest does not match. This avoids performing
// the transcript hash transformation for multiple hashes.
if (hs->received_hello_retry_request &&
- ssl_is_draft21(ssl->version) &&
+ ssl_is_draft22(ssl->version) &&
ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
return true;
}
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index c6d5c65..de1e313 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -33,30 +33,18 @@
// A draft version of TLS 1.3 that is sent over the wire for the current draft.
const (
- tls13DraftVersion = 0x7f12
- tls13Draft21Version = 0x7f15
- tls13ExperimentVersion = 0x7e01
tls13Experiment2Version = 0x7e02
- tls13Experiment3Version = 0x7e03
tls13Draft22Version = 0x7f16
)
const (
- TLS13Default = 0
- TLS13Experiment = 1
- TLS13Experiment2 = 2
- TLS13Experiment3 = 3
- TLS13Draft21 = 4
- TLS13Draft22 = 5
+ TLS13Draft22 = 0
+ TLS13Experiment2 = 1
)
var allTLSWireVersions = []uint16{
- tls13DraftVersion,
tls13Draft22Version,
- tls13Draft21Version,
- tls13Experiment3Version,
tls13Experiment2Version,
- tls13ExperimentVersion,
VersionTLS12,
VersionTLS11,
VersionTLS10,
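Review bot: The variant constants are renumbered here (`TLS13Draft22 = 0`, `TLS13Experiment2 = 1`) with nothing tying them to `enum tls13_variant_t` in include/openssl/ssl.h, which this commit renumbers in parallel. If the runner hands these values to the shim as numbers, which the hunk does not show, the two lists must stay in lockstep. A comment such as `// These values must match enum tls13_variant_t in include/openssl/ssl.h.` would make that explicit. Dropping `TLS13Default` also leaves `TLS13Draft22` doubling as the default, so the later check `shimVers.tls13Variant == TLS13Draft22` in runner.go reads as a draft-22 test when it appears to mean the default configuration.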
@@ -1637,7 +1625,7 @@
switch vers {
case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
return vers, true
- case tls13DraftVersion, tls13Draft22Version, tls13Draft21Version, tls13ExperimentVersion, tls13Experiment2Version, tls13Experiment3Version:
+ case tls13Draft22Version, tls13Experiment2Version:
return VersionTLS13, true
}
}
@@ -1645,40 +1633,16 @@
return 0, false
}
-func isDraft21(vers uint16) bool {
- return vers == tls13Draft21Version || vers == tls13Draft22Version
-}
-
func isDraft22(vers uint16) bool {
return vers == tls13Draft22Version
}
-func isResumptionExperiment(vers uint16) bool {
- return vers == tls13ExperimentVersion || vers == tls13Experiment2Version || vers == tls13Experiment3Version || vers == tls13Draft22Version
-}
-
-func isResumptionClientCCSExperiment(vers uint16) bool {
- return vers == tls13ExperimentVersion || vers == tls13Experiment2Version || vers == tls13Draft22Version
-}
-
-func isResumptionRecordVersionExperiment(vers uint16) bool {
- return vers == tls13Experiment2Version || vers == tls13Experiment3Version || vers == tls13Draft22Version
-}
-
-func isResumptionRecordVersionVariant(variant int) bool {
- return variant == TLS13Experiment2 || variant == TLS13Experiment3 || variant == TLS13Draft22
-}
-
// isSupportedVersion checks if the specified wire version is acceptable. If so,
// it returns true and the corresponding protocol version. Otherwise, it returns
// false.
func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
- if (c.TLS13Variant != TLS13Experiment && wireVers == tls13ExperimentVersion) ||
- (c.TLS13Variant != TLS13Experiment2 && wireVers == tls13Experiment2Version) ||
- (c.TLS13Variant != TLS13Experiment3 && wireVers == tls13Experiment3Version) ||
- (c.TLS13Variant != TLS13Draft22 && wireVers == tls13Draft22Version) ||
- (c.TLS13Variant != TLS13Draft21 && wireVers == tls13Draft21Version) ||
- (c.TLS13Variant != TLS13Default && wireVers == tls13DraftVersion) {
+ if (c.TLS13Variant != TLS13Experiment2 && wireVers == tls13Experiment2Version) ||
+ (c.TLS13Variant != TLS13Draft22 && wireVers == tls13Draft22Version) {
return 0, false
}
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index c6ee443..6493aa7 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -802,9 +802,6 @@
if c.haveVers {
expect = c.vers
if c.vers >= VersionTLS13 {
- expect = VersionTLS10
- }
- if isResumptionRecordVersionExperiment(c.wireVersion) {
expect = VersionTLS12
}
} else {
@@ -907,7 +904,7 @@
// Check they match that we expect.
expected := [6]byte{byte(recordTypeChangeCipherSpec), 3, 1, 0, 1, 1}
- if isResumptionRecordVersionExperiment(c.wireVersion) {
+ if c.vers >= VersionTLS13 {
expected[2] = 3
}
if !bytes.Equal(b.data[:6], expected[:]) {
@@ -1197,7 +1194,7 @@
}
}
vers := c.vers
- if vers == 0 || vers >= VersionTLS13 {
+ if vers == 0 {
// Some TLS servers fail if the record version is
// greater than TLS 1.0 for the initial ClientHello.
//
@@ -1205,7 +1202,7 @@
// layer to {3, 1}.
vers = VersionTLS10
}
- if isResumptionRecordVersionExperiment(c.wireVersion) || isResumptionRecordVersionExperiment(c.out.wireVersion) {
+ if c.vers >= VersionTLS13 || c.out.version >= VersionTLS13 {
vers = VersionTLS12
}
@@ -1240,7 +1237,7 @@
}
c.out.freeBlock(b)
- if typ == recordTypeChangeCipherSpec && !isResumptionExperiment(c.wireVersion) {
+ if typ == recordTypeChangeCipherSpec && c.vers < VersionTLS13 {
err = c.out.changeCipherSpec(c.config)
if err != nil {
return n, c.sendAlertLocked(alertLevelError, err.(alert))
@@ -1563,7 +1560,7 @@
earlyALPN: c.clientProtocol,
}
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
session.masterSecret = deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce)
}
@@ -1854,7 +1851,7 @@
if cipherSuite == nil {
cipherSuite = c.earlyCipherSuite
}
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
hash := cipherSuite.hash()
exporterKeyingLabel := []byte("exporter")
contextHash := hash.New()
@@ -1951,7 +1948,7 @@
maxEarlyDataSize: c.config.MaxEarlyDataSize,
}
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
m.ticketNonce = nonce
}
@@ -1970,7 +1967,7 @@
earlyALPN: []byte(c.clientProtocol),
}
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
state.masterSecret = deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce)
}
@@ -2017,11 +2014,7 @@
payload := make([]byte, 5+len)
payload[0] = byte(recordTypeApplicationData)
payload[1] = 3
- payload[2] = 1
- if isResumptionRecordVersionVariant(c.config.TLS13Variant) {
- payload[1] = 3
- payload[2] = 3
- }
+ payload[2] = 3
payload[3] = byte(len >> 8)
payload[4] = byte(len)
_, err := c.conn.Write(payload)
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 55d21c9..cb24211 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -377,7 +377,7 @@
// set. Fill in an arbitrary TLS 1.3 version to compute
// the binder.
if session.vers < VersionTLS13 {
- version = tls13DraftVersion
+ version = tls13Draft22Version
}
generatePSKBinders(version, hello, pskCipherSuite, session.masterSecret, []byte{}, []byte{}, c.config)
}
@@ -416,14 +416,16 @@
if !c.config.Bugs.SkipChangeCipherSpec && isDraft22(session.wireVersion) {
c.wireVersion = session.wireVersion
+ c.vers = VersionTLS13
c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
c.wireVersion = 0
+ c.vers = 0
}
var earlyTrafficSecret []byte
- if isDraft21(session.wireVersion) {
- earlyTrafficSecret = finishedHash.deriveSecret(earlyTrafficLabelDraft21)
- c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabelDraft21)
+ if isDraft22(session.wireVersion) {
+ earlyTrafficSecret = finishedHash.deriveSecret(earlyTrafficLabelDraft22)
+ c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabelDraft22)
} else {
earlyTrafficSecret = finishedHash.deriveSecret(earlyTrafficLabel)
c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabel)
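Review bot: The added `c.vers = VersionTLS13` / `c.vers = 0` pair around `c.writeRecord(recordTypeChangeCipherSpec, []byte{1})` temporarily fakes connection state, and nothing in the hunk says why. Judging from the conn.go hunks in this commit, `writeRecord` now keys the record version and the `changeCipherSpec` call on `c.vers` instead of `c.wireVersion`, so without the override an early ChangeCipherSpec sent at `c.vers == 0` would presumably switch the write cipher state. A comment such as `// Pretend TLS 1.3 is negotiated so writeRecord uses the TLS 1.2 record version and leaves the cipher state alone.` would keep a later edit from removing the override. The return value of `c.writeRecord` is ignored here, so a failed write goes unreported at this point. The enclosing function starts and ends outside the hunk.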
@@ -626,7 +628,7 @@
hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
if haveHelloRetryRequest {
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
err = hs.finishedHash.UpdateForHelloRetryRequest()
if err != nil {
return err
@@ -727,13 +729,13 @@
func (hs *clientHandshakeState) doTLS13Handshake() error {
c := hs.c
- if isResumptionExperiment(c.wireVersion) && !isDraft22(c.wireVersion) {
+ if !isDraft22(c.wireVersion) {
// Early versions of the middlebox hacks inserted
// ChangeCipherSpec differently on 0-RTT and 2-RTT handshakes.
c.expectTLS13ChangeCipherSpec = true
}
- if isResumptionExperiment(c.wireVersion) && !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
+ if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
return errors.New("tls: session IDs did not match.")
}
@@ -791,9 +793,9 @@
clientLabel := clientHandshakeTrafficLabel
serverLabel := serverHandshakeTrafficLabel
- if isDraft21(c.wireVersion) {
- clientLabel = clientHandshakeTrafficLabelDraft21
- serverLabel = serverHandshakeTrafficLabelDraft21
+ if isDraft22(c.wireVersion) {
+ clientLabel = clientHandshakeTrafficLabelDraft22
+ serverLabel = serverHandshakeTrafficLabelDraft22
}
// Derive handshake traffic keys and switch read key to handshake
@@ -939,10 +941,10 @@
clientLabel = clientApplicationTrafficLabel
serverLabel = serverApplicationTrafficLabel
exportLabel := exporterLabel
- if isDraft21(c.wireVersion) {
- clientLabel = clientApplicationTrafficLabelDraft21
- serverLabel = serverApplicationTrafficLabelDraft21
- exportLabel = exporterLabelDraft21
+ if isDraft22(c.wireVersion) {
+ clientLabel = clientApplicationTrafficLabelDraft22
+ serverLabel = serverApplicationTrafficLabelDraft22
+ exportLabel = exporterLabelDraft22
}
clientTrafficSecret := hs.finishedHash.deriveSecret(clientLabel)
@@ -991,7 +993,7 @@
helloRequest := new(helloRequestMsg)
c.writeRecord(recordTypeHandshake, helloRequest.marshal())
}
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
endOfEarlyData := new(endOfEarlyDataMsg)
endOfEarlyData.nonEmpty = c.config.Bugs.NonEmptyEndOfEarlyData
c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal())
@@ -1001,7 +1003,7 @@
}
}
- if !c.config.Bugs.SkipChangeCipherSpec && isResumptionClientCCSExperiment(c.wireVersion) && !hs.hello.hasEarlyData {
+ if !c.config.Bugs.SkipChangeCipherSpec && !hs.hello.hasEarlyData {
c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
}
@@ -1098,8 +1100,8 @@
c.useOutTrafficSecret(c.wireVersion, hs.suite, clientTrafficSecret)
resumeLabel := resumptionLabel
- if isDraft21(c.wireVersion) {
- resumeLabel = resumptionLabelDraft21
+ if isDraft22(c.wireVersion) {
+ resumeLabel = resumptionLabelDraft22
}
c.resumptionSecret = hs.finishedHash.deriveSecret(resumeLabel)
@@ -1845,8 +1847,8 @@
binderSize := len(hello.pskBinders)*(binderLen+1) + 2
truncatedHello := helloBytes[:len(helloBytes)-binderSize]
binderLabel := resumptionPSKBinderLabel
- if isDraft21(version) {
- binderLabel = resumptionPSKBinderLabelDraft21
+ if isDraft22(version) {
+ binderLabel = resumptionPSKBinderLabelDraft22
}
binder := computePSKBinder(psk, version, binderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello)
if config.Bugs.SendShortPSKBinder {
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 93d02e1..c4a6e16 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -896,21 +896,17 @@
}
if m.versOverride != 0 {
hello.addU16(m.versOverride)
- } else if isResumptionExperiment(m.vers) {
+ } else if vers >= VersionTLS13 {
hello.addU16(VersionTLS12)
} else {
hello.addU16(m.vers)
}
hello.addBytes(m.random)
- if vers < VersionTLS13 || isResumptionExperiment(m.vers) {
- sessionId := hello.addU8LengthPrefixed()
- sessionId.addBytes(m.sessionId)
- }
+ sessionId := hello.addU8LengthPrefixed()
+ sessionId.addBytes(m.sessionId)
hello.addU16(m.cipherSuite)
- if vers < VersionTLS13 || isResumptionExperiment(m.vers) {
- hello.addU8(m.compressionMethod)
- }
+ hello.addU8(m.compressionMethod)
extensions := hello.addU16LengthPrefixed()
@@ -927,14 +923,12 @@
extensions.addU16(2) // Length
extensions.addU16(m.pskIdentity)
}
- if isResumptionExperiment(m.vers) || m.supportedVersOverride != 0 {
- extensions.addU16(extensionSupportedVersions)
- extensions.addU16(2) // Length
- if m.supportedVersOverride != 0 {
- extensions.addU16(m.supportedVersOverride)
- } else {
- extensions.addU16(m.vers)
- }
+ extensions.addU16(extensionSupportedVersions)
+ extensions.addU16(2) // Length
+ if m.supportedVersOverride != 0 {
+ extensions.addU16(m.supportedVersOverride)
+ } else {
+ extensions.addU16(m.vers)
}
if len(m.customExtension) > 0 {
extensions.addU16(extensionCustom)
@@ -980,19 +974,11 @@
if !ok {
return false
}
- if vers < VersionTLS13 || isResumptionExperiment(m.vers) {
- if !reader.readU8LengthPrefixedBytes(&m.sessionId) {
- return false
- }
- }
- if !reader.readU16(&m.cipherSuite) {
+ if !reader.readU8LengthPrefixedBytes(&m.sessionId) ||
+ !reader.readU16(&m.cipherSuite) ||
+ !reader.readU8(&m.compressionMethod) {
return false
}
- if vers < VersionTLS13 || isResumptionExperiment(m.vers) {
- if !reader.readU8(&m.compressionMethod) {
- return false
- }
- }
if len(reader) == 0 && m.vers < VersionTLS13 {
// Extension data is optional before TLS 1.3.
@@ -1052,9 +1038,7 @@
}
m.hasPSKIdentity = true
case extensionSupportedVersions:
- if !isResumptionExperiment(m.vers) {
- return false
- }
+ // Parsed above.
default:
// Only allow the 3 extensions that are sent in
// the clear in TLS 1.3.
@@ -1386,7 +1370,7 @@
retryRequest.addU8(m.compressionMethod)
} else {
retryRequest.addU16(m.vers)
- if isDraft21(m.vers) {
+ if isDraft22(m.vers) {
retryRequest.addU16(m.cipherSuite)
}
}
@@ -1440,7 +1424,7 @@
compressionMethod != 0 {
return false
}
- } else if isDraft21(m.vers) && !reader.readU16(&m.cipherSuite) {
+ } else if isDraft22(m.vers) && !reader.readU16(&m.cipherSuite) {
return false
}
var extensions byteReader
@@ -1806,7 +1790,7 @@
requestContext := body.addU8LengthPrefixed()
requestContext.addBytes(m.requestContext)
extensions := newByteBuilder()
- if isDraft21(m.vers) {
+ if isDraft22(m.vers) {
extensions = body.addU16LengthPrefixed()
if m.hasSignatureAlgorithm {
extensions.addU16(extensionSignatureAlgorithms)
@@ -1884,7 +1868,7 @@
m.raw = data
reader := byteReader(data[4:])
- if isDraft21(m.vers) {
+ if isDraft22(m.vers) {
var extensions byteReader
if !reader.readU8LengthPrefixedBytes(&m.requestContext) ||
!reader.readU16LengthPrefixed(&extensions) ||
@@ -2037,7 +2021,7 @@
body.addU32(m.ticketLifetime)
if version >= VersionTLS13 {
body.addU32(m.ticketAgeAdd)
- if isDraft21(m.vers) {
+ if isDraft22(m.vers) {
body.addU8LengthPrefixed().addBytes(m.ticketNonce)
}
}
@@ -2049,7 +2033,7 @@
extensions := body.addU16LengthPrefixed()
if m.maxEarlyDataSize > 0 {
extID := extensionTicketEarlyDataInfo
- if isDraft21(m.vers) {
+ if isDraft22(m.vers) {
extID = extensionEarlyData
}
extensions.addU16(extID)
@@ -2089,7 +2073,7 @@
}
m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
data = data[4:]
- if isDraft21(m.vers) {
+ if isDraft22(m.vers) {
nonceLen := int(data[0])
data = data[1:]
if len(data) < nonceLen {
@@ -2128,7 +2112,7 @@
}
extID := extensionTicketEarlyDataInfo
- if isDraft21(m.vers) {
+ if isDraft22(m.vers) {
extID = extensionEarlyData
}
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 9ba6c2c..0357889 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -281,7 +281,7 @@
}
if config.Bugs.ExpectNoTLS12Session {
- if len(hs.clientHello.sessionId) > 0 && !isResumptionExperiment(c.wireVersion) {
+ if len(hs.clientHello.sessionId) > 0 && c.vers >= VersionTLS13 {
return fmt.Errorf("tls: client offered an unexpected session ID")
}
if len(hs.clientHello.sessionTicket) > 0 {
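Review bot: The new condition `c.vers >= VersionTLS13` looks inverted relative to the predicate it replaces. `isResumptionExperiment`, removed in common.go, was true for every TLS 1.3 wire version that survives this commit, so `!isResumptionExperiment(c.wireVersion)` reduces to `c.vers < VersionTLS13`; that is how the same expression is rewritten in conn.go (`typ == recordTypeChangeCipherSpec && c.vers < VersionTLS13`). As written, `ExpectNoTLS12Session` no longer rejects a session ID on a TLS 1.2 connection and instead rejects one on TLS 1.3, where the handshake_client.cc hunk makes the client always fill in a random session ID. Unless the flip is deliberate, the line should read `if len(hs.clientHello.sessionId) > 0 && c.vers < VersionTLS13 {`; if it is deliberate, it needs a comment saying so. The enclosing function starts and ends outside the hunk.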
@@ -585,7 +585,7 @@
}
if sendHelloRetryRequest {
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
if err := hs.finishedHash.UpdateForHelloRetryRequest(); err != nil {
return err
}
@@ -654,7 +654,7 @@
// PSK binders and obfuscated ticket age are both updated in the
// second ClientHello.
- if isDraft21(c.wireVersion) && len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) {
+ if isDraft22(c.wireVersion) && len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) {
newClientHelloCopy.pskIdentities = oldClientHelloCopy.pskIdentities
} else {
if len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) {
@@ -695,9 +695,9 @@
}
if encryptedExtensions.extensions.hasEarlyData {
var earlyTrafficSecret []byte
- if isDraft21(c.wireVersion) {
- earlyTrafficSecret = hs.finishedHash.deriveSecret(earlyTrafficLabelDraft21)
- c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabelDraft21)
+ if isDraft22(c.wireVersion) {
+ earlyTrafficSecret = hs.finishedHash.deriveSecret(earlyTrafficLabelDraft22)
+ c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabelDraft22)
} else {
earlyTrafficSecret = hs.finishedHash.deriveSecret(earlyTrafficLabel)
c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabel)
@@ -809,7 +809,7 @@
}
c.flushHandshake()
- if !c.config.Bugs.SkipChangeCipherSpec && isResumptionExperiment(c.wireVersion) && !sendHelloRetryRequest {
+ if !c.config.Bugs.SkipChangeCipherSpec && !sendHelloRetryRequest {
c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
}
@@ -819,9 +819,9 @@
clientLabel := clientHandshakeTrafficLabel
serverLabel := serverHandshakeTrafficLabel
- if isDraft21(c.wireVersion) {
- clientLabel = clientHandshakeTrafficLabelDraft21
- serverLabel = serverHandshakeTrafficLabelDraft21
+ if isDraft22(c.wireVersion) {
+ clientLabel = clientHandshakeTrafficLabelDraft22
+ serverLabel = serverHandshakeTrafficLabelDraft22
}
// Switch to handshake traffic keys.
@@ -968,10 +968,10 @@
clientLabel = clientApplicationTrafficLabel
serverLabel = serverApplicationTrafficLabel
exportLabel := exporterLabel
- if isDraft21(c.wireVersion) {
- clientLabel = clientApplicationTrafficLabelDraft21
- serverLabel = serverApplicationTrafficLabelDraft21
- exportLabel = exporterLabelDraft21
+ if isDraft22(c.wireVersion) {
+ clientLabel = clientApplicationTrafficLabelDraft22
+ serverLabel = serverApplicationTrafficLabelDraft22
+ exportLabel = exporterLabelDraft22
}
clientTrafficSecret := hs.finishedHash.deriveSecret(clientLabel)
@@ -991,7 +991,7 @@
// Read end_of_early_data.
if encryptedExtensions.extensions.hasEarlyData {
- if isDraft21(c.wireVersion) {
+ if isDraft22(c.wireVersion) {
msg, err := c.readHandshake()
if err != nil {
return err
@@ -1012,7 +1012,7 @@
}
}
}
- if isResumptionClientCCSExperiment(c.wireVersion) && !isDraft22(c.wireVersion) && !hs.clientHello.hasEarlyData {
+ if !isDraft22(c.wireVersion) && !hs.clientHello.hasEarlyData {
// Early versions of the middlebox hacks inserted
// ChangeCipherSpec differently on 0-RTT and 2-RTT handshakes.
c.expectTLS13ChangeCipherSpec = true
@@ -1132,8 +1132,8 @@
c.cipherSuite = hs.suite
resumeLabel := resumptionLabel
- if isDraft21(c.wireVersion) {
- resumeLabel = resumptionLabelDraft21
+ if isDraft22(c.wireVersion) {
+ resumeLabel = resumptionLabelDraft22
}
c.resumptionSecret = hs.finishedHash.deriveSecret(resumeLabel)
@@ -2135,8 +2135,8 @@
}
binderLabel := resumptionPSKBinderLabel
- if isDraft21(version) {
- binderLabel = resumptionPSKBinderLabelDraft21
+ if isDraft22(version) {
+ binderLabel = resumptionPSKBinderLabelDraft22
}
binder := computePSKBinder(sessionState.masterSecret, version, binderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello)
if !bytes.Equal(binder, binderToVerify) {
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go
index 54e18cb..62c98b7 100644
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@@ -396,7 +396,7 @@
}
func (h *finishedHash) nextSecret() {
- if isDraft21(h.wireVersion) {
+ if isDraft22(h.wireVersion) {
derivedLabel := []byte("derived")
h.secret = hkdfExpandLabel(h.hash, h.wireVersion, h.secret, derivedLabel, h.hash.New().Sum(nil), h.hash.Size())
}
@@ -410,7 +410,7 @@
}
versionLabel := []byte("TLS 1.3, ")
- if isDraft21(version) {
+ if isDraft22(version) {
versionLabel = []byte("tls13 ")
}
@@ -450,17 +450,17 @@
exporterLabel = []byte("exporter master secret")
resumptionLabel = []byte("resumption master secret")
- externalPSKBinderLabelDraft21 = []byte("ext binder")
- resumptionPSKBinderLabelDraft21 = []byte("res binder")
- earlyTrafficLabelDraft21 = []byte("c e traffic")
- clientHandshakeTrafficLabelDraft21 = []byte("c hs traffic")
- serverHandshakeTrafficLabelDraft21 = []byte("s hs traffic")
- clientApplicationTrafficLabelDraft21 = []byte("c ap traffic")
- serverApplicationTrafficLabelDraft21 = []byte("s ap traffic")
- applicationTrafficLabelDraft21 = []byte("traffic upd")
- earlyExporterLabelDraft21 = []byte("e exp master")
- exporterLabelDraft21 = []byte("exp master")
- resumptionLabelDraft21 = []byte("res master")
+ externalPSKBinderLabelDraft22 = []byte("ext binder")
+ resumptionPSKBinderLabelDraft22 = []byte("res binder")
+ earlyTrafficLabelDraft22 = []byte("c e traffic")
+ clientHandshakeTrafficLabelDraft22 = []byte("c hs traffic")
+ serverHandshakeTrafficLabelDraft22 = []byte("s hs traffic")
+ clientApplicationTrafficLabelDraft22 = []byte("c ap traffic")
+ serverApplicationTrafficLabelDraft22 = []byte("s ap traffic")
+ applicationTrafficLabelDraft22 = []byte("traffic upd")
+ earlyExporterLabelDraft22 = []byte("e exp master")
+ exporterLabelDraft22 = []byte("exp master")
+ resumptionLabelDraft22 = []byte("res master")
resumptionPSKLabel = []byte("resumption")
)
@@ -515,8 +515,8 @@
func updateTrafficSecret(hash crypto.Hash, version uint16, secret []byte) []byte {
trafficLabel := applicationTrafficLabel
- if isDraft21(version) {
- trafficLabel = applicationTrafficLabelDraft21
+ if isDraft22(version) {
+ trafficLabel = applicationTrafficLabelDraft22
}
return hkdfExpandLabel(hash, version, secret, trafficLabel, nil, hash.Size())
}
@@ -526,7 +526,7 @@
finishedHash.addEntropy(psk)
binderKey := finishedHash.deriveSecret(label)
finishedHash.Write(clientHello)
- if isDraft21(version) && len(helloRetryRequest) != 0 {
+ if isDraft22(version) && len(helloRetryRequest) != 0 {
finishedHash.UpdateForHelloRetryRequest()
}
finishedHash.Write(helloRetryRequest)
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 4cfce26..545faf7 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1321,20 +1321,6 @@
versionDTLS: VersionDTLS12,
},
{
- name: "TLS13",
- version: VersionTLS13,
- excludeFlag: "-no-tls13",
- versionWire: tls13DraftVersion,
- tls13Variant: TLS13Default,
- },
- {
- name: "TLS13Draft21",
- version: VersionTLS13,
- excludeFlag: "-no-tls13",
- versionWire: tls13Draft21Version,
- tls13Variant: TLS13Draft21,
- },
- {
name: "TLS13Draft22",
version: VersionTLS13,
excludeFlag: "-no-tls13",
@@ -1342,26 +1328,12 @@
tls13Variant: TLS13Draft22,
},
{
- name: "TLS13Experiment",
- version: VersionTLS13,
- excludeFlag: "-no-tls13",
- versionWire: tls13ExperimentVersion,
- tls13Variant: TLS13Experiment,
- },
- {
name: "TLS13Experiment2",
version: VersionTLS13,
excludeFlag: "-no-tls13",
versionWire: tls13Experiment2Version,
tls13Variant: TLS13Experiment2,
},
- {
- name: "TLS13Experiment3",
- version: VersionTLS13,
- excludeFlag: "-no-tls13",
- versionWire: tls13Experiment3Version,
- tls13Variant: TLS13Experiment3,
- },
}
func allVersions(protocol protocol) []tlsVersion {
@@ -3923,7 +3895,7 @@
// Test that an empty client CA list doesn't send a CA extension.
testCases = append(testCases, testCase{
testType: serverTest,
- name: "TLS13Draft21-Empty-Client-CA-List",
+ name: "TLS13Draft22-Empty-Client-CA-List",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaCertificate},
@@ -3931,7 +3903,7 @@
ExpectNoCertificateAuthoritiesExtension: true,
},
},
- tls13Variant: TLS13Draft21,
+ tls13Variant: TLS13Draft22,
flags: []string{
"-require-any-client-certificate",
"-use-client-ca-list", "<EMPTY>",
@@ -5334,9 +5306,8 @@
expectedClientVersion := expectedVersion
if expectedVersion == VersionTLS13 && runnerVers.tls13Variant != shimVers.tls13Variant {
expectedClientVersion = VersionTLS12
- expectedServerVersion = VersionTLS12
- if shimVers.tls13Variant != TLS13Default && runnerVers.tls13Variant != TLS13Draft21 && runnerVers.tls13Variant != TLS13Draft22 {
- expectedServerVersion = VersionTLS13
+ if shimVers.tls13Variant == TLS13Draft22 {
+ expectedServerVersion = VersionTLS12
}
}
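Review bot: The nested condition `shimVers.tls13Variant == TLS13Draft22` has no comment explaining why only that shim variant pulls the expected server version down to TLS 1.2 on a variant mismatch. The commit message says a server configured with any TLS 1.3 variant accepts all of them, so presumably the draft-22 shim is the one configuration that accepts a single variant. A comment such as `// A shim server on the default (draft-22) variant rejects other variants and falls back to TLS 1.2.` would make that explicit, which matters because these expectations pin the fallback behaviour. The wording should be confirmed against the shim's flag handling, which is not in this hunk, and the enclosing function starts and ends outside it.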
@@ -5353,10 +5324,7 @@
clientVers = recordVersionToWire(clientVers, protocol)
serverVers := expectedServerVersion
if expectedServerVersion >= VersionTLS13 {
- serverVers = VersionTLS10
- if runnerVers.tls13Variant == TLS13Experiment2 || runnerVers.tls13Variant == TLS13Experiment3 || runnerVers.tls13Variant == TLS13Draft22 {
- serverVers = VersionTLS12
- }
+ serverVers = VersionTLS12
}
serverVers = recordVersionToWire(serverVers, protocol)
@@ -5541,21 +5509,6 @@
expectedError: ":UNEXPECTED_EXTENSION:",
})
- // Test that the non-experimental TLS 1.3 isn't negotiated by the
- // supported_versions extension in the ServerHello.
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "SupportedVersionSelection-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- SendServerSupportedExtensionVersion: tls13DraftVersion,
- },
- },
- shouldFail: true,
- expectedError: ":UNEXPECTED_EXTENSION:",
- })
-
// Test that the maximum version is selected regardless of the
// client-sent order.
testCases = append(testCases, testCase{
@@ -5563,7 +5516,7 @@
name: "IgnoreClientVersionOrder",
config: Config{
Bugs: ProtocolBugs{
- SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
+ SendSupportedVersions: []uint16{VersionTLS12, tls13Draft22Version},
},
},
expectedVersion: VersionTLS13,
@@ -6814,8 +6767,7 @@
MaxVersion: sessionVers.version,
TLS13Variant: sessionVers.tls13Variant,
Bugs: ProtocolBugs{
- ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
- ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
+ ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
},
},
expectedVersion: sessionVers.version,
@@ -11380,19 +11332,14 @@
tls13Variant: variant,
})
- hasSessionID := false
- if variant != TLS13Default {
- hasSessionID = true
- }
-
- // Test that the client sends a fake session ID in the correct experiments.
+ // Test that the client sends a fake session ID in TLS 1.3.
testCases = append(testCases, testCase{
testType: clientTest,
name: "TLS13SessionID-" + name,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
- ExpectClientHelloSessionID: hasSessionID,
+ ExpectClientHelloSessionID: true,
},
},
tls13Variant: variant,
@@ -11709,7 +11656,7 @@
expectedError: ":WRONG_CURVE:",
})
- if isDraft21(version.versionWire) {
+ if isDraft22(version.versionWire) {
testCases = append(testCases, testCase{
name: "HelloRetryRequest-CipherChange-" + name,
config: Config{
@@ -11996,7 +11943,7 @@
expectedError: ":DECODE_ERROR:",
})
- if isDraft21(version.versionWire) {
+ if isDraft22(version.versionWire) {
testCases = append(testCases, testCase{
name: "UnknownExtensionInCertificateRequest-" + name,
config: Config{
@@ -12678,7 +12625,7 @@
})
expectedError := ":UNEXPECTED_RECORD:"
- if isDraft21(version.versionWire) {
+ if isDraft22(version.versionWire) {
// In draft-21 and up, early data is expected to be
// terminated by a handshake message, though we test
// with the wrong one.
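Review bot: The comment under the renamed guard still says `In draft-21 and up`, while the condition is now `isDraft22(version.versionWire)` and this commit removes the draft-21 variant from the runner. Rewording it to `// In draft-22, early data is expected to be` keeps the comment in step with the only draft this branch can now select. The rest of the if-block lies outside the hunk.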
@@ -12780,7 +12727,7 @@
expectedLocalError: "remote error: error decrypting message",
})
- if isDraft21(version.versionWire) {
+ if isDraft22(version.versionWire) {
testCases = append(testCases, testCase{
testType: serverTest,
name: "Server-NonEmptyEndOfEarlyData-" + name,
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index f471a4e..c230afa 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -104,7 +104,7 @@
CBS body = msg.body;
uint16_t server_version;
if (!CBS_get_u16(&body, &server_version) ||
- (ssl_is_draft21(ssl->version) &&
+ (ssl_is_draft22(ssl->version) &&
!CBS_get_u16(&body, &cipher_suite)) ||
!CBS_get_u16_length_prefixed(&body, &extensions) ||
CBS_len(&body) != 0) {
@@ -114,7 +114,7 @@
}
}
- if (ssl_is_draft21(ssl->version)) {
+ if (ssl_is_draft22(ssl->version)) {
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
// Check if the cipher is a TLS 1.3 cipher.
if (cipher == NULL ||
@@ -253,12 +253,11 @@
uint8_t compression_method;
if (!CBS_get_u16(&body, &server_version) ||
!CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
- (ssl_is_resumption_experiment(ssl->version) &&
- (!CBS_get_u8_length_prefixed(&body, &session_id) ||
- !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len))) ||
+ !CBS_get_u8_length_prefixed(&body, &session_id) ||
+ !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
!CBS_get_u16(&body, &cipher_suite) ||
- (ssl_is_resumption_experiment(ssl->version) &&
- (!CBS_get_u8(&body, &compression_method) || compression_method != 0)) ||
+ !CBS_get_u8(&body, &compression_method) ||
+ compression_method != 0 ||
!CBS_get_u16_length_prefixed(&body, &extensions) ||
CBS_len(&body) != 0) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
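Review bot: With the session-ID echo and compression byte now checked for every TLS 1.3 ServerHello, a mismatched echo or a non-zero `compression_method` lands in the same branch as a truncated message and is answered with `SSL_AD_DECODE_ERROR`. Those are well-formed but wrong values, and the TLS 1.3 specification asks for an illegal_parameter alert on a session-ID echo mismatch (worth checking against the draft this code targets). Consider keeping only the `CBS_get_*` calls in this condition and moving `!CBS_mem_equal(...)` and `compression_method != 0` into a following check that sends `SSL_AD_ILLEGAL_PARAMETER`, so peers and logs can tell a parse failure from a bad echo. The error-queue line of this branch and the rest of the function are outside the hunk.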
@@ -266,10 +265,7 @@
return ssl_hs_error;
}
- uint16_t expected_version = ssl_is_resumption_experiment(ssl->version)
- ? TLS1_2_VERSION
- : ssl->version;
- if (server_version != expected_version) {
+ if (server_version != TLS1_2_VERSION) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
return ssl_hs_error;
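Review bot: The new comparison `server_version != TLS1_2_VERSION` reads like a bug to anyone who does not know that the ServerHello version field is fixed and the real version travels in supported_versions. A one-line comment such as `// The legacy version field is always TLS 1.2; the negotiated version comes from supported_versions.` would document that. The same applies to `do_send_server_hello` in ssl/tls13_server.cc, where `CBB_add_u16(&body, TLS1_2_VERSION)` and the bare `CBB_add_u8(&body, 0)` for the compression method are written without explanation. The enclosing function extends beyond this hunk.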
@@ -297,7 +293,7 @@
}
// Check that the cipher matches the one in the HelloRetryRequest.
- if (ssl_is_draft21(ssl->version) &&
+ if (ssl_is_draft22(ssl->version) &&
hs->received_hello_retry_request &&
hs->new_cipher != cipher) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
@@ -324,14 +320,6 @@
return ssl_hs_error;
}
- // supported_versions is parsed in handshake_client to select the experimental
- // TLS 1.3 version.
- if (have_supported_versions && !ssl_is_resumption_experiment(ssl->version)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
- return ssl_hs_error;
- }
-
alert = SSL_AD_DECODE_ERROR;
if (have_pre_shared_key) {
if (ssl->session == NULL) {
@@ -426,8 +414,7 @@
if (!hs->early_data_offered) {
// Earlier versions of the resumption experiment added ChangeCipherSpec just
// before the Finished flight.
- if (ssl_is_resumption_client_ccs_experiment(ssl->version) &&
- !ssl_is_draft22(ssl->version) &&
+ if (!ssl_is_draft22(ssl->version) &&
!ssl->method->add_change_cipher_spec(ssl)) {
return ssl_hs_error;
}
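Review bot: The comment `Earlier versions of the resumption experiment added ChangeCipherSpec just before the Finished flight` no longer matches the condition, which after dropping `ssl_is_resumption_client_ccs_experiment` means any version that is not draft-22. Going by the variants this commit keeps, that presumably leaves experiment2 only. Naming it, for example `// Versions other than draft-22 (experiment2) send ChangeCipherSpec just before the Finished flight.`, would let a reader check the branch against the protocol. The surrounding function is only partly visible in the hunk.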
@@ -523,7 +510,7 @@
}
- if (ssl_is_draft21(ssl->version)) {
+ if (ssl_is_draft22(ssl->version)) {
bool have_sigalgs = false, have_ca = false;
CBS sigalgs, ca;
const SSL_EXTENSION_TYPE ext_types[] = {
@@ -678,7 +665,7 @@
if (ssl->early_data_accepted) {
hs->can_early_write = false;
- if (ssl_is_draft21(ssl->version)) {
+ if (ssl_is_draft22(ssl->version)) {
ScopedCBB cbb;
CBB body;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
@@ -917,7 +904,7 @@
CBS body = msg.body, ticket_nonce, ticket, extensions;
if (!CBS_get_u32(&body, &server_timeout) ||
!CBS_get_u32(&body, &session->ticket_age_add) ||
- (ssl_is_draft21(ssl->version) &&
+ (ssl_is_draft22(ssl->version) &&
!CBS_get_u8_length_prefixed(&body, &ticket_nonce)) ||
!CBS_get_u16_length_prefixed(&body, &ticket) ||
!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
@@ -941,7 +928,7 @@
// Parse out the extensions.
bool have_early_data_info = false;
CBS early_data_info;
- uint16_t ext_id = ssl_is_draft21(ssl->version)
+ uint16_t ext_id = ssl_is_draft22(ssl->version)
? TLSEXT_TYPE_early_data
: TLSEXT_TYPE_ticket_early_data_info;
const SSL_EXTENSION_TYPE ext_types[] = {
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index 9dcd071..1bf820e 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc
@@ -72,7 +72,7 @@
size_t label_len, const uint8_t *hash,
size_t hash_len, size_t len) {
const char *kTLS13LabelVersion =
- ssl_is_draft21(version) ? "tls13 " : "TLS 1.3, ";
+ ssl_is_draft22(version) ? "tls13 " : "TLS 1.3, ";
ScopedCBB cbb;
CBB child;
@@ -104,7 +104,7 @@
SSL *const ssl = hs->ssl;
// Draft 18 does not include the extra Derive-Secret step.
- if (ssl_is_draft21(ssl->version)) {
+ if (ssl_is_draft22(ssl->version)) {
uint8_t derive_context[EVP_MAX_MD_SIZE];
unsigned derive_context_len;
if (!EVP_Digest(nullptr, 0, derive_context, &derive_context_len,
@@ -224,24 +224,24 @@
static const char kTLS13LabelServerApplicationTraffic[] =
"server application traffic secret";
-static const char kTLS13Draft21LabelExporter[] = "exp master";
-static const char kTLS13Draft21LabelEarlyExporter[] = "e exp master";
+static const char kTLS13Draft22LabelExporter[] = "exp master";
+static const char kTLS13Draft22LabelEarlyExporter[] = "e exp master";
-static const char kTLS13Draft21LabelClientEarlyTraffic[] = "c e traffic";
-static const char kTLS13Draft21LabelClientHandshakeTraffic[] = "c hs traffic";
-static const char kTLS13Draft21LabelServerHandshakeTraffic[] = "s hs traffic";
-static const char kTLS13Draft21LabelClientApplicationTraffic[] = "c ap traffic";
-static const char kTLS13Draft21LabelServerApplicationTraffic[] = "s ap traffic";
+static const char kTLS13Draft22LabelClientEarlyTraffic[] = "c e traffic";
+static const char kTLS13Draft22LabelClientHandshakeTraffic[] = "c hs traffic";
+static const char kTLS13Draft22LabelServerHandshakeTraffic[] = "s hs traffic";
+static const char kTLS13Draft22LabelClientApplicationTraffic[] = "c ap traffic";
+static const char kTLS13Draft22LabelServerApplicationTraffic[] = "s ap traffic";
int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
uint16_t version = SSL_get_session(ssl)->ssl_version;
- const char *early_traffic_label = ssl_is_draft21(version)
- ? kTLS13Draft21LabelClientEarlyTraffic
+ const char *early_traffic_label = ssl_is_draft22(version)
+ ? kTLS13Draft22LabelClientEarlyTraffic
: kTLS13LabelClientEarlyTraffic;
- const char *early_exporter_label = ssl_is_draft21(version)
- ? kTLS13Draft21LabelEarlyExporter
+ const char *early_exporter_label = ssl_is_draft22(version)
+ ? kTLS13Draft22LabelEarlyExporter
: kTLS13LabelEarlyExporter;
if (!derive_secret(hs, hs->early_traffic_secret, hs->hash_len,
early_traffic_label, strlen(early_traffic_label)) ||
@@ -257,11 +257,11 @@
int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- const char *client_label = ssl_is_draft21(ssl->version)
- ? kTLS13Draft21LabelClientHandshakeTraffic
+ const char *client_label = ssl_is_draft22(ssl->version)
+ ? kTLS13Draft22LabelClientHandshakeTraffic
: kTLS13LabelClientHandshakeTraffic;
- const char *server_label = ssl_is_draft21(ssl->version)
- ? kTLS13Draft21LabelServerHandshakeTraffic
+ const char *server_label = ssl_is_draft22(ssl->version)
+ ? kTLS13Draft22LabelServerHandshakeTraffic
: kTLS13LabelServerHandshakeTraffic;
return derive_secret(hs, hs->client_handshake_secret, hs->hash_len,
client_label, strlen(client_label)) &&
@@ -276,14 +276,14 @@
int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
ssl->s3->exporter_secret_len = hs->hash_len;
- const char *client_label = ssl_is_draft21(ssl->version)
- ? kTLS13Draft21LabelClientApplicationTraffic
+ const char *client_label = ssl_is_draft22(ssl->version)
+ ? kTLS13Draft22LabelClientApplicationTraffic
: kTLS13LabelClientApplicationTraffic;
- const char *server_label = ssl_is_draft21(ssl->version)
- ? kTLS13Draft21LabelServerApplicationTraffic
+ const char *server_label = ssl_is_draft22(ssl->version)
+ ? kTLS13Draft22LabelServerApplicationTraffic
: kTLS13LabelServerApplicationTraffic;
- const char *exporter_label = ssl_is_draft21(ssl->version)
- ? kTLS13Draft21LabelExporter
+ const char *exporter_label = ssl_is_draft22(ssl->version)
+ ? kTLS13Draft22LabelExporter
: kTLS13LabelExporter;
return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,
client_label, strlen(client_label)) &&
@@ -301,7 +301,7 @@
static const char kTLS13LabelApplicationTraffic[] =
"application traffic secret";
-static const char kTLS13Draft21LabelApplicationTraffic[] = "traffic upd";
+static const char kTLS13Draft22LabelApplicationTraffic[] = "traffic upd";
int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
uint8_t *secret;
@@ -314,8 +314,8 @@
secret_len = ssl->s3->write_traffic_secret_len;
}
- const char *traffic_label = ssl_is_draft21(ssl->version)
- ? kTLS13Draft21LabelApplicationTraffic
+ const char *traffic_label = ssl_is_draft22(ssl->version)
+ ? kTLS13Draft22LabelApplicationTraffic
: kTLS13LabelApplicationTraffic;
const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));
@@ -329,15 +329,15 @@
}
static const char kTLS13LabelResumption[] = "resumption master secret";
-static const char kTLS13Draft21LabelResumption[] = "res master";
+static const char kTLS13Draft22LabelResumption[] = "res master";
int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {
if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
- const char *resumption_label = ssl_is_draft21(hs->ssl->version)
- ? kTLS13Draft21LabelResumption
+ const char *resumption_label = ssl_is_draft22(hs->ssl->version)
+ ? kTLS13Draft22LabelResumption
: kTLS13LabelResumption;
hs->new_session->master_key_length = hs->hash_len;
return derive_secret(hs, hs->new_session->master_key,
@@ -388,7 +388,7 @@
static const char kTLS13LabelResumptionPSK[] = "resumption";
bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce) {
- if (!ssl_is_draft21(session->ssl_version)) {
+ if (!ssl_is_draft22(session->ssl_version)) {
return true;
}
@@ -413,7 +413,7 @@
}
uint16_t version = SSL_get_session(ssl)->ssl_version;
- if (!ssl_is_draft21(version)) {
+ if (!ssl_is_draft22(version)) {
const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));
return hkdf_expand_label(out.data(), version, digest, secret.data(),
secret.size(), label.data(), label.size(),
@@ -443,7 +443,7 @@
}
static const char kTLS13LabelPSKBinder[] = "resumption psk binder key";
-static const char kTLS13Draft21LabelPSKBinder[] = "res binder";
+static const char kTLS13Draft22LabelPSKBinder[] = "res binder";
static int tls13_psk_binder(uint8_t *out, uint16_t version,
const EVP_MD *digest, uint8_t *psk, size_t psk_len,
@@ -461,8 +461,8 @@
NULL, 0)) {
return 0;
}
- const char *binder_label = ssl_is_draft21(version)
- ? kTLS13Draft21LabelPSKBinder
+ const char *binder_label = ssl_is_draft22(version)
+ ? kTLS13Draft22LabelPSKBinder
: kTLS13LabelPSKBinder;
uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 1040ace..af9167c 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -182,7 +182,7 @@
SSL3_MT_NEW_SESSION_TICKET) ||
!CBB_add_u32(&body, session->timeout) ||
!CBB_add_u32(&body, session->ticket_age_add) ||
- (ssl_is_draft21(ssl->version) &&
+ (ssl_is_draft22(ssl->version) &&
(!CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||
!CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)))) ||
!CBB_add_u16_length_prefixed(&body, &ticket) ||
@@ -194,7 +194,7 @@
if (ssl->cert->enable_early_data) {
CBB early_data_info;
- if (!CBB_add_u16(&extensions, ssl_is_draft21(ssl->version)
+ if (!CBB_add_u16(&extensions, ssl_is_draft22(ssl->version)
? TLSEXT_TYPE_early_data
: TLSEXT_TYPE_ticket_early_data_info) ||
!CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||
@@ -472,7 +472,7 @@
ssl->early_data_accepted = false;
ssl->s3->skip_early_data = true;
ssl->method->next_message(ssl);
- if (ssl_is_draft21(ssl->version) &&
+ if (ssl_is_draft22(ssl->version) &&
!hs->transcript.UpdateForHelloRetryRequest()) {
return ssl_hs_error;
}
@@ -525,7 +525,7 @@
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_HELLO_RETRY_REQUEST) ||
!CBB_add_u16(&body, ssl->version) ||
- (ssl_is_draft21(ssl->version) &&
+ (ssl_is_draft22(ssl->version) &&
!CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher))) ||
!tls1_get_shared_group(hs, &group_id) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
@@ -580,34 +580,26 @@
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- uint16_t version = ssl->version;
- if (ssl_is_resumption_experiment(ssl->version)) {
- version = TLS1_2_VERSION;
- }
-
// Send a ServerHello.
ScopedCBB cbb;
CBB body, extensions, session_id;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
- !CBB_add_u16(&body, version) ||
+ !CBB_add_u16(&body, TLS1_2_VERSION) ||
!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
- (ssl_is_resumption_experiment(ssl->version) &&
- (!CBB_add_u8_length_prefixed(&body, &session_id) ||
- !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len))) ||
+ !CBB_add_u8_length_prefixed(&body, &session_id) ||
+ !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
!CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
- (ssl_is_resumption_experiment(ssl->version) && !CBB_add_u8(&body, 0)) ||
+ !CBB_add_u8(&body, 0) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
!ssl_ext_key_share_add_serverhello(hs, &extensions) ||
- (ssl_is_resumption_experiment(ssl->version) &&
- !ssl_ext_supported_versions_add_serverhello(hs, &extensions)) ||
+ !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
return ssl_hs_error;
}
- if (ssl_is_resumption_experiment(ssl->version) &&
- (!ssl_is_draft22(ssl->version) || !hs->sent_hello_retry_request) &&
+ if ((!ssl_is_draft22(ssl->version) || !hs->sent_hello_retry_request) &&
!ssl->method->add_change_cipher_spec(ssl)) {
return ssl_hs_error;
}
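Review bot: In the ChangeCipherSpec condition, `(!ssl_is_draft22(ssl->version) || !hs->sent_hello_retry_request)` has no comment saying why draft-22 skips the record after a HelloRetryRequest. Presumably the record was already sent alongside the HelloRetryRequest, but that code is not in this hunk. Once confirmed, a comment such as `// In draft-22 the ChangeCipherSpec follows the first server message, which is the HelloRetryRequest if one was sent.` would record the reason. `do_send_server_hello` continues past the end of the hunk.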
@@ -639,7 +631,7 @@
// Send a CertificateRequest, if necessary.
if (hs->cert_request) {
- if (ssl_is_draft21(ssl->version)) {
+ if (ssl_is_draft22(ssl->version)) {
CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_CERTIFICATE_REQUEST) ||
@@ -737,7 +729,7 @@
// the wire sooner and also avoids triggering a write on |SSL_read| when
// processing the client Finished. This requires computing the client
// Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
- if (ssl_is_draft21(ssl->version)) {
+ if (ssl_is_draft22(ssl->version)) {
static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
0, 0};
if (!hs->transcript.Update(kEndOfEarlyData)) {
@@ -799,7 +791,7 @@
// If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec
// message will be in the discarded early data.
if (hs->ssl->early_data_accepted) {
- if (ssl_is_draft21(ssl->version)) {
+ if (ssl_is_draft22(ssl->version)) {
SSLMessage msg;
if (!ssl->method->get_message(ssl, &msg)) {
return ssl_hs_read_message;
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc
index a1363fa..3d34951 100644
--- a/ssl/tls_record.cc
+++ b/ssl/tls_record.cc
@@ -264,7 +264,7 @@
*out_consumed = in.size() - CBS_len(&cbs);
if (ssl->s3->have_version &&
- ssl_is_resumption_experiment(ssl->version) &&
+ ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
SSL_in_init(ssl) &&
type == SSL3_RT_CHANGE_CIPHER_SPEC &&
ciphertext_len == 1 &&
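Review bot: Replacing `ssl_is_resumption_experiment(ssl->version)` with `ssl_protocol_version(ssl) >= TLS1_3_VERSION` makes this branch apply to every TLS 1.3 handshake, yet nothing here says what the branch is for. A comment such as `// TLS 1.3 peers may send a dummy ChangeCipherSpec record during the handshake; presumably it is skipped here.` would help, adjusted to what the body actually does. The condition's last clause and the branch body are outside the hunk, so it is not visible whether such records count against a limit. That is worth confirming, because these are unauthenticated plaintext records that a peer could otherwise send without bound while `SSL_in_init` holds.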
@@ -357,7 +357,7 @@
if (type == SSL3_RT_ALERT) {
// Return end_of_early_data alerts as-is for the caller to process.
- if (!ssl_is_draft21(ssl->version) &&
+ if (!ssl_is_draft22(ssl->version) &&
out->size() == 2 &&
(*out)[0] == SSL3_AL_WARNING &&
(*out)[1] == TLS1_AD_END_OF_EARLY_DATA) {
diff --git a/tool/client.cc b/tool/client.cc
index fa279ae..fc8f5e0 100644
--- a/tool/client.cc
+++ b/tool/client.cc
@@ -332,30 +332,14 @@
}
static bool GetTLS13Variant(tls13_variant_t *out, const std::string &in) {
- if (in == "draft") {
+ if (in == "draft22") {
*out = tls13_default;
return true;
}
- if (in == "draft21") {
- *out = tls13_draft21;
- return true;
- }
- if (in == "experiment") {
- *out = tls13_experiment;
- return true;
- }
if (in == "experiment2") {
*out = tls13_experiment2;
return true;
}
- if (in == "experiment3") {
- *out = tls13_experiment3;
- return true;
- }
- if (in == "draft22") {
- *out = tls13_draft22;
- return true;
- }
return false;
}
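Review bot: `draft22` now maps to `tls13_default`, which is not obvious from the name and differs from the `tls13_draft22` value the same string selected before this commit. A comment such as `// Draft 22 is the default variant; older drafts and experiments were removed.` above the first branch would record that. The strings `draft`, `draft21`, `experiment` and `experiment3` now fall through to `return false`. The caller's error message and the flag's help text are not in this hunk, so check that they list only the two accepted values.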
diff --git a/tool/server.cc b/tool/server.cc
index 9963885..37235a7 100644
--- a/tool/server.cc
+++ b/tool/server.cc
@@ -68,10 +68,7 @@
"-early-data", kBooleanArgument, "Allow early data",
},
{
- "-tls13-variant", kBooleanArgument, "Enable TLS 1.3 variants",
- },
- {
- "-tls13-draft22-variant", kBooleanArgument, "Enable TLS 1.3 Draft 22.",
+ "-tls13-variant", kBooleanArgument, "Enables all TLS 1.3 variants",
},
{
"-www", kBooleanArgument,
@@ -310,11 +307,8 @@
SSL_CTX_set_early_data_enabled(ctx.get(), 1);
}
- // Draft 22 variants need to be explicitly enabled.
- if (args_map.count("-tls13-draft22-variant") != 0) {
- SSL_CTX_set_tls13_variant(ctx.get(), tls13_draft22);
- } else if (args_map.count("-tls13-variant") != 0) {
- SSL_CTX_set_tls13_variant(ctx.get(), tls13_experiment);
+ if (args_map.count("-tls13-variant") != 0) {
+ SSL_CTX_set_tls13_variant(ctx.get(), tls13_experiment2);
}
if (args_map.count("-debug") != 0) {
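Review bot: The call `SSL_CTX_set_tls13_variant(ctx.get(), tls13_experiment2)` does not obviously match the flag's new help text, "Enables all TLS 1.3 variants". According to the commit message, configuring any variant on a server enables all of them, so the specific enum value is incidental; a comment such as `// Any variant enables every TLS 1.3 variant on a server.` would say so. Scripts that still pass `-tls13-draft22-variant` will presumably be rejected as an unknown argument, since the previous hunk removes that flag from the argument table.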