Update the TLS 1.3 draft version to draft 16.
This should land in the same group of revisions as the two parent
commits.
Change-Id: Id9d769b890b3308ea70b705e7241c73cb1930ede
Reviewed-on: https://boringssl-review.googlesource.com/11581
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 52ed52c..0fed81d 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -562,7 +562,7 @@
#define DTLS1_VERSION 0xfeff
#define DTLS1_2_VERSION 0xfefd
-#define TLS1_3_DRAFT_VERSION 0x7f0f
+#define TLS1_3_DRAFT_VERSION 0x7f10
/* SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to
* |version|. If |version| is zero, the default minimum version is used. It
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 1c55ab3..35d3145 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -205,7 +205,7 @@
/* ExtensionType value from RFC4507 */
#define TLSEXT_TYPE_session_ticket 35
-/* ExtensionType values from draft-ietf-tls-tls13-13 */
+/* ExtensionType values from draft-ietf-tls-tls13-16 */
#define TLSEXT_TYPE_supported_groups 10
#define TLSEXT_TYPE_key_share 40
#define TLSEXT_TYPE_pre_shared_key 41
@@ -419,7 +419,7 @@
#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 \
TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-/* TLS 1.3 ciphersuites from draft-ietf-tls-tls13-15 */
+/* TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16 */
#define TLS1_CK_AES_128_GCM_SHA256 0x03001301
#define TLS1_CK_AES_256_GCM_SHA384 0x03001302
#define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303
@@ -610,7 +610,7 @@
#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 \
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-/* TLS 1.3 ciphersuites from draft-ietf-tls-tls13-15 */
+/* TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16 */
#define TLS1_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256"
#define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384"
#define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
diff --git a/ssl/internal.h b/ssl/internal.h
index 815831e..36f0442 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1347,7 +1347,7 @@
extern const SSL3_ENC_METHOD TLSv1_enc_data;
extern const SSL3_ENC_METHOD SSLv3_enc_data;
-/* From draft-ietf-tls-tls13-15, used in determining PSK modes. */
+/* From draft-ietf-tls-tls13-16, used in determining PSK modes. */
#define SSL_PSK_KE 0x0
#define SSL_PSK_DHE_KE 0x1
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c9f5bbf..3c9f5ba 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1908,7 +1908,7 @@
/* Pre Shared Key
*
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-15 */
+ * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.6 */
static int ext_pre_shared_key_add_clienthello(SSL *ssl, CBB *out) {
uint16_t min_version, max_version;
@@ -2010,7 +2010,7 @@
/* Key Share
*
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-12 */
+ * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 */
static int ext_key_share_add_clienthello(SSL *ssl, CBB *out) {
uint16_t min_version, max_version;
@@ -2293,7 +2293,7 @@
/* Negotiated Groups
*
* https://tools.ietf.org/html/rfc4492#section-5.1.2
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-12#section-6.3.2.2 */
+ * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 */
static int ext_supported_groups_add_clienthello(SSL *ssl, CBB *out) {
if (!ssl_any_ec_cipher_suites_enabled(ssl)) {
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 7878fc7..62c8dd3 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -27,7 +27,7 @@
)
// A draft version of TLS 1.3 that is sent over the wire for the current draft.
-const tls13DraftVersion = 0x7f0f
+const tls13DraftVersion = 0x7f10
const (
maxPlaintext = 16384 // maximum plaintext payload length
@@ -57,8 +57,8 @@
typeServerHello uint8 = 2
typeHelloVerifyRequest uint8 = 3
typeNewSessionTicket uint8 = 4
- typeHelloRetryRequest uint8 = 6 // draft-ietf-tls-tls13-13
- typeEncryptedExtensions uint8 = 8 // draft-ietf-tls-tls13-13
+ typeHelloRetryRequest uint8 = 6 // draft-ietf-tls-tls13-16
+ typeEncryptedExtensions uint8 = 8 // draft-ietf-tls-tls13-16
typeCertificate uint8 = 11
typeServerKeyExchange uint8 = 12
typeCertificateRequest uint8 = 13
@@ -67,7 +67,7 @@
typeClientKeyExchange uint8 = 16
typeFinished uint8 = 20
typeCertificateStatus uint8 = 22
- typeKeyUpdate uint8 = 24 // draft-ietf-tls-tls13-13
+ typeKeyUpdate uint8 = 24 // draft-ietf-tls-tls13-16
typeNextProtocol uint8 = 67 // Not IANA assigned
typeChannelID uint8 = 203 // Not IANA assigned
)
@@ -89,11 +89,11 @@
extensionSignedCertificateTimestamp uint16 = 18
extensionExtendedMasterSecret uint16 = 23
extensionSessionTicket uint16 = 35
- extensionKeyShare uint16 = 40 // draft-ietf-tls-tls13-13
- extensionPreSharedKey uint16 = 41 // draft-ietf-tls-tls13-13
- extensionEarlyData uint16 = 42 // draft-ietf-tls-tls13-13
+ extensionKeyShare uint16 = 40 // draft-ietf-tls-tls13-16
+ extensionPreSharedKey uint16 = 41 // draft-ietf-tls-tls13-16
+ extensionEarlyData uint16 = 42 // draft-ietf-tls-tls13-16
extensionSupportedVersions uint16 = 43 // draft-ietf-tls-tls13-16
- extensionCookie uint16 = 44 // draft-ietf-tls-tls13-13
+ extensionCookie uint16 = 44 // draft-ietf-tls-tls13-16
extensionCustom uint16 = 1234 // not IANA assigned
extensionNextProtoNeg uint16 = 13172 // not IANA assigned
extensionRenegotiationInfo uint16 = 0xff01
@@ -194,13 +194,13 @@
SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002
)
-// PskKeyExchangeMode values (see draft-ietf-tls-tls13-15)
+// PskKeyExchangeMode values (see draft-ietf-tls-tls13-16)
const (
pskKEMode = 0
pskDHEKEMode = 1
)
-// PskAuthenticationMode values (see draft-ietf-tls-tls13-15)
+// PskAuthenticationMode values (see draft-ietf-tls-tls13-16)
const (
pskAuthMode = 0
pskSignAuthMode = 1
@@ -1535,7 +1535,7 @@
}
var (
- // See draft-ietf-tls-tls13-13, section 6.3.1.2.
+ // See draft-ietf-tls-tls13-16, section 6.3.1.2.
downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
)
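Review bot: The updated comment above `downgradeTLS13`/`downgradeTLS12` still cites section 6.3.1.2, while the handshake_client.go and handshake_server.go hunks in this same commit cite section 4.1.3 of draft-ietf-tls-tls13-16 for the same downgrade sentinel. Only the draft number was bumped here, so the section reference has probably gone stale against draft 16. Suggest `// See draft-ietf-tls-tls13-16, section 4.1.3.` so that all three references to the downgrade-protection values agree.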
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 4b16f28..ae3228a 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -455,7 +455,7 @@
}
// Check for downgrade signals in the server random, per
- // draft-ietf-tls-tls13-14, section 6.3.1.2.
+ // draft-ietf-tls-tls13-16, section 4.1.3.
if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
c.sendAlert(alertProtocolVersion)
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index eea6bf5..9147134 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -956,8 +956,8 @@
c.sendAlert(alertInternalError)
return false, err
}
- // Signal downgrades in the server random, per draft-ietf-tls-tls13-14,
- // section 6.3.1.2.
+ // Signal downgrades in the server random, per draft-ietf-tls-tls13-16,
+ // section 4.1.3.
if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 {
copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13)
}
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go
index 99ef64f..ffa68e9 100644
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@@ -368,7 +368,7 @@
}
// zeroSecretTLS13 returns the default all zeros secret for TLS 1.3, used when a
-// given secret is not available in the handshake. See draft-ietf-tls-tls13-13,
+// given secret is not available in the handshake. See draft-ietf-tls-tls13-16,
// section 7.1.
func (h *finishedHash) zeroSecret() []byte {
return make([]byte, h.hash.Size())
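Review bot: The doc comment opens with `zeroSecretTLS13`, but the method it documents is `zeroSecret` on `*finishedHash`, so godoc output and a search for the name will not line up. Since the comment is being edited anyway, start it with the real identifier: `// zeroSecret returns the default all zeros secret for TLS 1.3, used when a`. The method's closing brace lies outside the hunk.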
@@ -388,7 +388,7 @@
}
// hkdfExpandLabel implements TLS 1.3's HKDF-Expand-Label function, as defined
-// in section 7.1 of draft-ietf-tls-tls13-13.
+// in section 7.1 of draft-ietf-tls-tls13-16.
func hkdfExpandLabel(hash crypto.Hash, secret, label, hashValue []byte, length int) []byte {
if len(label) > 255 || len(hashValue) > 255 {
panic("hkdfExpandLabel: label or hashValue too long")
@@ -429,7 +429,7 @@
)
// deriveSecret implements TLS 1.3's Derive-Secret function, as defined in
-// section 7.1 of draft ietf-tls-tls13-13.
+// section 7.1 of draft ietf-tls-tls13-16.
func (h *finishedHash) deriveSecret(secret, label []byte) []byte {
if h.resumptionContextHash == nil {
panic("Resumption context not set.")
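Review bot: The reference in the `deriveSecret` comment reads `draft ietf-tls-tls13-16`, with a space where every other reference in this commit has `draft-ietf-tls-tls13-16`. A search for the hyphenated draft name at the next draft bump would skip this line, leaving the key-schedule reference stale. Suggest `// section 7.1 of draft-ietf-tls-tls13-16.`. The function body continues past the end of the hunk.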