Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001).
Also now that it's finalized, flip the default for
SSL_set_quic_use_legacy_codepoint.
Update-Note: QUIC APIs now default to the standard code point rather
than the draft one. QUICHE has already been calling
SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once
callers implementing the draft versions cycle out, we can then drop
SSL_set_quic_use_legacy_codepoint altogether. I've also bumped
BORINGSSL_API_VERSION in case we end up needing an ifdef.
Change-Id: Id2cab66215f4ad4c1e31503d329c0febfdb4603e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47864
Reviewed-by: David Schinazi <dschinazi@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/base.h b/include/openssl/base.h
index e52fd09..66d0493 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -195,7 +195,7 @@
// A consumer may use this symbol in the preprocessor to temporarily build
// against multiple revisions of BoringSSL at the same time. It is not
// recommended to do so for longer than is necessary.
-#define BORINGSSL_API_VERSION 14
+#define BORINGSSL_API_VERSION 15
#if defined(BORINGSSL_SHARED_LIBRARY)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 998dbbb..0981f15 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3186,7 +3186,7 @@
//
// QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
// functions allow a QUIC implementation to serve as the underlying transport as
-// described in draft-ietf-quic-tls.
+// described in RFC 9001.
//
// When configured for QUIC, |SSL_do_handshake| will drive the handshake as
// before, but it will not use the configured |BIO|. It will call functions on
@@ -3206,8 +3206,7 @@
// confirm the handshake. As a client, |SSL_ERROR_EARLY_DATA_REJECTED| and
// |SSL_reset_early_data_reject| behave as usual.
//
-// See https://tools.ietf.org/html/draft-ietf-quic-tls-15#section-4.1 for more
-// details.
+// See https://www.rfc-editor.org/rfc/rfc9001.html#section-4.1 for more details.
//
// To avoid DoS attacks, the QUIC implementation must limit the amount of data
// being queued up. The implementation can call
@@ -3218,7 +3217,8 @@
// |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be
// used to query the value received from the peer. BoringSSL handles this
// extension as an opaque byte string. The caller is responsible for serializing
-// and parsing them. See draft-ietf-quic-transport (section 7.3) for details.
+// and parsing them. See https://www.rfc-editor.org/rfc/rfc9000#section-7.4 for
+// details.
//
// QUIC additionally imposes restrictions on 0-RTT. In particular, the QUIC
// transport layer requires that if a server accepts 0-RTT data, then the
@@ -3330,7 +3330,7 @@
// that may be received at the given encryption level. This function should be
// used to limit buffering in the QUIC implementation.
//
-// See https://tools.ietf.org/html/draft-ietf-quic-transport-16#section-4.4.
+// See https://www.rfc-editor.org/rfc/rfc9000#section-7.5
OPENSSL_EXPORT size_t SSL_quic_max_handshake_flight_len(
const SSL *ssl, enum ssl_encryption_level_t level);
@@ -3393,8 +3393,8 @@
// SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC
// extension codepoint 0xffa5 as opposed to the official value 57. Call with
-// |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57. The default
-// value for this is currently 1 but it will change to 0 at a later date.
+// |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57. By default,
+// the standard code point is used.
OPENSSL_EXPORT void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
// SSL_set_quic_early_data_context configures a context string in QUIC servers
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 75dea96..c41eba2 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -209,19 +209,15 @@
// hasn't been a problem in practice since it's QUIC-only). Drafts 33 onward
// use the value 57 which was officially registered with IANA.
#define TLSEXT_TYPE_quic_transport_parameters_legacy 0xffa5
-#define TLSEXT_TYPE_quic_transport_parameters_standard 57
-// TLSEXT_TYPE_quic_transport_parameters is an alias for
-// |TLSEXT_TYPE_quic_transport_parameters_legacy|. It will switch to
-// |TLSEXT_TYPE_quic_transport_parameters_standard| at a later date.
-//
-// Callers using |SSL_set_quic_use_legacy_codepoint| should use
-// |TLSEXT_TYPE_quic_transport_parameters_legacy| or
-// |TLSEXT_TYPE_quic_transport_parameters_standard| rather than this constant.
-// When the default code point is switched to the standard one, this value will
-// be updated and we will transition callers back to the unsuffixed constant.
-#define TLSEXT_TYPE_quic_transport_parameters \
- TLSEXT_TYPE_quic_transport_parameters_legacy
+// ExtensionType value from RFC9000
+#define TLSEXT_TYPE_quic_transport_parameters 57
+
+// TLSEXT_TYPE_quic_transport_parameters_standard is an alias for
+// |TLSEXT_TYPE_quic_transport_parameters|. Use
+// |TLSEXT_TYPE_quic_transport_parameters| instead.
+#define TLSEXT_TYPE_quic_transport_parameters_standard \
+ TLSEXT_TYPE_quic_transport_parameters
// ExtensionType value from RFC8879
#define TLSEXT_TYPE_cert_compression 27
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 5b06005..a05b9b1 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -730,7 +730,7 @@
handoff(false),
shed_handshake_config(false),
jdk11_workaround(false),
- quic_use_legacy_codepoint(true) {
+ quic_use_legacy_codepoint(false) {
assert(ssl);
}
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 67f18fd..420b6ee 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -2646,7 +2646,7 @@
return true;
}
- uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
+ uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;
if (hs->config->quic_use_legacy_codepoint) {
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
}
@@ -2782,7 +2782,7 @@
return true;
}
- uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters_standard;
+ uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;
if (hs->config->quic_use_legacy_codepoint) {
extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;
}
@@ -3251,7 +3251,7 @@
dont_add_serverhello,
},
{
- TLSEXT_TYPE_quic_transport_parameters_standard,
+ TLSEXT_TYPE_quic_transport_parameters,
NULL,
ext_quic_transport_params_add_clienthello,
ext_quic_transport_params_parse_serverhello,
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index fa2ba6c..4e84a0e 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -119,7 +119,7 @@
extensionCertificateAuthorities uint16 = 47
extensionSignatureAlgorithmsCert uint16 = 50
extensionKeyShare uint16 = 51
- extensionQUICTransportParams uint16 = 57 // draft-ietf-quic-tls-33 and later
+ extensionQUICTransportParams uint16 = 57
extensionCustom uint16 = 1234 // not IANA assigned
extensionNextProtoNeg uint16 = 13172 // not IANA assigned
extensionApplicationSettings uint16 = 17513 // not IANA assigned
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index d23cf6c..8ba6b4d 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -713,8 +713,7 @@
SSL *const ssl = hs->ssl;
if (ssl->s3->early_data_accepted) {
- // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
- // section 8.3.
+ // QUIC omits the EndOfEarlyData message. See RFC 9001, section 8.3.
if (ssl->quic_method == nullptr) {
ScopedCBB cbb;
CBB body;
@@ -1044,7 +1043,7 @@
}
// QUIC does not use the max_early_data_size parameter and always sets it to
- // a fixed value. See draft-ietf-quic-tls-22, section 4.5.
+ // a fixed value. See RFC 9001, section 4.6.1.
if (ssl->quic_method != nullptr &&
session->ticket_max_early_data != 0xffffffff) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index cb14e7e..c2a66a8 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -155,7 +155,7 @@
(!ssl->quic_method || !ssl->config->quic_early_data_context.empty());
if (enable_early_data) {
// QUIC does not use the max_early_data_size parameter and always sets it
- // to a fixed value. See draft-ietf-quic-tls-22, section 4.5.
+ // to a fixed value. See RFC 9001, section 4.6.1.
session->ticket_max_early_data =
ssl->quic_method != nullptr ? 0xffffffff : kMaxEarlyDataAccepted;
}
@@ -979,9 +979,8 @@
hs->in_early_data = true;
}
- // QUIC doesn't use an EndOfEarlyData message (draft-ietf-quic-tls-22,
- // section 8.3), so we switch to client_handshake_secret before the early
- // return.
+ // QUIC doesn't use an EndOfEarlyData message (RFC 9001, section 8.3), so we
+ // switch to client_handshake_secret before the early return.
if (ssl->quic_method != nullptr) {
if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
hs->new_session.get(),