From a130ce0b718d878a804b8f8660e9fc6d400fb1cc Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Tue, 14 Aug 2018 22:26:39 -0500
Subject: [PATCH] Update TLS 1.3 citations for the final RFC.
Change-Id: I2d1671a4f21a602191fd0c9b932244a376ac5713
Reviewed-on: https://boringssl-review.googlesource.com/31104
Reviewed-by: David Benjamin
Reviewed-by: Steven Valdez
Commit-Queue: David Benjamin
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 crypto/fipsmodule/cipher/e_aes.c | 4 ++--
 include/openssl/ssl.h | 14 ++++++------
 include/openssl/tls1.h | 6 ++---
 ssl/handshake_client.cc | 2 +-
 ssl/internal.h | 5 ++---
 ssl/t1_lib.cc | 26 +++++++++++-----------
 ssl/test/runner/common.go | 32 +++++++++++++--------------
 ssl/test/runner/handshake_client.go | 3 +--
 ssl/test/runner/handshake_messages.go | 12 +++++-----
 ssl/test/runner/handshake_server.go | 3 +--
 ssl/test/runner/prf.go | 5 ++---
 ssl/tls13_both.cc | 3 +-
 ssl/tls13_server.cc | 2 +-
 13 files changed, 56 insertions(+), 61 deletions(-)
diff --git a/crypto/fipsmodule/cipher/e_aes.c b/crypto/fipsmodule/cipher/e_aes.c
index 639995dc..de2f10f0 100644
--- a/crypto/fipsmodule/cipher/e_aes.c
+++ b/crypto/fipsmodule/cipher/e_aes.c
@@ -1201,8 +1201,8 @@ static int aead_aes_gcm_tls13_seal_scatter(
 }
 // The given nonces must be strictly monotonically increasing. See
- // https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-5.3 for details
- // of the TLS 1.3 nonce construction.
+ // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3
+ // nonce construction.
 uint64_t given_counter;
 OPENSSL_memcpy(&given_counter, nonce + nonce_len - sizeof(given_counter),
 sizeof(given_counter));
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 047101ea..c2afa151 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
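Review bot: The comparison that enforces the strictly-increasing nonce rule described by the rewritten comment is outside this hunk, and the visible `OPENSSL_memcpy` loads the trailing 8 nonce bytes into `given_counter` in host byte order; RFC 8446 section 5.3 forms the nonce from a big-endian 64-bit record sequence number, so the monotonicity check needs a byte swap on little-endian hosts before the values are compared. If that swap already happens in the unseen lines, a one-line comment here would spare the next reader the trip, e.g. `// The trailing 8 bytes are the big-endian record sequence number (RFC 8446, 5.3).` aead_aes_gcm_tls13_seal_scatter begins before the hunk and continues after it.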
@@ -1696,8 +1696,8 @@ OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
 //
 // If this function returns one, clients retain multiple sessions and use each
 // only once. This prevents passive observers from correlating connections with
-// tickets. See draft-ietf-tls-tls13-18, appendix B.5. If it returns zero,
-// |session| cannot be used without leaking a correlator.
+// tickets. See RFC 8446, appendix C.4. If it returns zero, |session| cannot be
+// used without leaking a correlator.
 OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);
 // SSL_SESSION_is_resumable returns one if |session| is resumable and zero
@@ -3048,8 +3048,8 @@ OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(const SSL *ssl,
 // WARNING: A 0-RTT handshake has different security properties from normal
 // handshake, so it is off by default unless opted in. In particular, early data
 // is replayable by a network attacker. Callers must account for this when
-// sending or processing data before the handshake is confirmed. See
-// draft-ietf-tls-tls13-18 for more information.
+// sending or processing data before the handshake is confirmed. See RFC 8446
+// for more information.
 //
 // As a server, if early data is accepted, |SSL_do_handshake| will complete as
 // soon as the ClientHello is processed and server flight sent. |SSL_write| may
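Review bot: `See RFC 8446 for more information.` in the 0-RTT warning is too broad a pointer for the one security property it warns about; the replay discussion that callers need lives in RFC 8446 section 8 (0-RTT and Anti-Replay) and appendix E.5 (Replay Attacks on 0-RTT). Suggest `// sending or processing data before the handshake is confirmed. See RFC 8446,` followed by `// section 8 and appendix E.5, for more information.` The single-use-session comment rewritten in the hunk above already cites a specific appendix, so this keeps the header's citations at the same precision.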
@@ -3084,9 +3084,9 @@ OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(const SSL *ssl,
 // properties. The caller must disregard any values from before the reset and
 // query again.
 //
-// Finally, to implement the fallback described in draft-ietf-tls-tls13-18
-// appendix C.3, retry on a fresh connection without 0-RTT if the handshake
-// fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.
+// Finally, to implement the fallback described in RFC 8446 appendix D.3, retry
+// on a fresh connection without 0-RTT if the handshake fails with
+// |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.
 // SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used
 // with resumptions using |ctx|.
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 0a3e9e4a..937be6b3 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -217,7 +217,7 @@ extern "C" {
 // ExtensionType value from RFC4507
 #define TLSEXT_TYPE_session_ticket 35
-// ExtensionType values from draft-ietf-tls-tls13-18
+// ExtensionType values from RFC8446
 #define TLSEXT_TYPE_supported_groups 10
 #define TLSEXT_TYPE_pre_shared_key 41
 #define TLSEXT_TYPE_early_data 42
@@ -431,7 +431,7 @@ extern "C" {
 #define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA9
 #define TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0x0300CCAC
-// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
+// TLS 1.3 ciphersuites from RFC 8446.
 #define TLS1_CK_AES_128_GCM_SHA256 0x03001301
 #define TLS1_CK_AES_256_GCM_SHA384 0x03001302
 #define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303
@@ -603,7 +603,7 @@ extern "C" {
 #define TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
 "ECDHE-PSK-CHACHA20-POLY1305"
-// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
+// TLS 1.3 ciphersuites from RFC 8446.
 #define TLS1_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256"
 #define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384"
 #define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
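Review bot: The three rewritten citations in tls1.h are not spelled the same way: the ExtensionType comment says `RFC8446` with no space and no period, while the two ciphersuite comments say `RFC 8446.` and every other file in this commit writes `RFC 8446`. Suggest `// ExtensionType values from RFC8446` become `// ExtensionType values from RFC 8446` so a grep for the RFC number finds all of them. `TLSEXT_TYPE_supported_groups 10` is also older than TLS 1.3 (RFC 4492 assigned it as elliptic_curves, RFC 7919 renamed it), which the comment could acknowledge in a few words if the list is meant to be read as provenance rather than just the registry section.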
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index ebf86a9b..9f9e4833 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -577,7 +577,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
 // A TLS 1.2 server would not know to skip the early data we offered. Report
 // an error code sooner. The caller may use this error code to implement the
- // fallback described in draft-ietf-tls-tls13-18 appendix C.3.
+ // fallback described in RFC 8446 appendix D.3.
 if (hs->early_data_offered) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
diff --git a/ssl/internal.h b/ssl/internal.h
index e612f6d7..14c871a6 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2462,11 +2462,10 @@ struct SSL_CONFIG {
 bool shed_handshake_config : 1;
 };
-// From draft-ietf-tls-tls13-18, used in determining PSK modes.
+// From RFC 8446, used in determining PSK modes.
 #define SSL_PSK_DHE_KE 0x1
-// From draft-ietf-tls-tls13-16, used in determining whether to respond with a
-// KeyUpdate.
+// From RFC 8446, used in determining whether to respond with a KeyUpdate.
 #define SSL_KEY_UPDATE_NOT_REQUESTED 0
 #define SSL_KEY_UPDATE_REQUESTED 1
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index e129ab9e..371ec532 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -1049,7 +1049,7 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 // Signature Algorithms for Certificates.
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-23#section-4.2.3
+// https://tools.ietf.org/html/rfc8446#section-4.2.3
 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 SSL *const ssl = hs->ssl;
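Review bot: The two rewritten comments in ssl/internal.h drop the section numbers that the matching Go constants in ssl/test/runner/common.go carry in this same commit (`section 4.2.9` for the PSK key exchange modes, `section 4.6.3` for KeyUpdateRequest), leaving `From RFC 8446` pointing at the whole document. Suggest `// From RFC 8446, section 4.2.9, used in determining PSK modes.` and `// From RFC 8446, section 4.6.3, used in determining whether to respond with a` / `// KeyUpdate.` `SSL_PSK_DHE_KE 0x1` is the psk_dhe_ke(1) value of that enum, which the fuller citation makes checkable at a glance.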
@@ -1846,7 +1846,7 @@ static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 // Pre Shared Key
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
+// https://tools.ietf.org/html/rfc8446#section-4.2.11
 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
 SSL *const ssl = hs->ssl;
@@ -1867,9 +1867,9 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 return true;
 }
- // Per draft-ietf-tls-tls13-21 section 4.1.4, skip offering the session if the
- // selected cipher in HelloRetryRequest does not match. This avoids performing
- // the transcript hash transformation for multiple hashes.
+ // Per RFC 8446 section 4.1.4, skip offering the session if the selected
+ // cipher in HelloRetryRequest does not match. This avoids performing the
+ // transcript hash transformation for multiple hashes.
 if (hs->received_hello_retry_request &&
 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
 return true;
@@ -2000,7 +2000,7 @@ bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 // Pre-Shared Key Exchange Modes
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
+// https://tools.ietf.org/html/rfc8446#section-4.2.9
 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
 CBB *out) {
@@ -2044,7 +2044,7 @@ static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
 // Early Data Indication
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
+// https://tools.ietf.org/html/rfc8446#section-4.2.10
 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 SSL *const ssl = hs->ssl;
@@ -2129,7 +2129,7 @@ static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 // Key Share
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
+// https://tools.ietf.org/html/rfc8446#section-4.2.8
 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 SSL *const ssl = hs->ssl;
@@ -2314,7 +2314,7 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
 // Supported Versions
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.1
 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 SSL *const ssl = hs->ssl;
@@ -2346,7 +2346,7 @@ static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out)
 // Cookie
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
+// https://tools.ietf.org/html/rfc8446#section-4.2.2
 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 if (hs->cookie.empty()) {
@@ -2368,10 +2368,10 @@ static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 }
-// Negotiated Groups
+// Supported Groups
 //
-// https://tools.ietf.org/html/rfc4492#section-5.1.2
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
+// https://tools.ietf.org/html/rfc4492#section-5.1.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.7
 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 SSL *const ssl = hs->ssl;
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index a627df94..cb77a73a 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
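Review bot: The renamed `Supported Groups` heading cites RFC 4492 section 5.1.1 and RFC 8446 section 4.2.7 but not RFC 7919, the document that renamed elliptic_curves to supported_groups and added the FFDHE codepoints the extension also carries, so a reader checking the new name against RFC 4492 will only find the old one. Suggest adding `// https://tools.ietf.org/html/rfc7919#section-2` between the two existing links. The body of ext_supported_groups_add_clienthello continues outside the hunk.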
@@ -89,9 +89,9 @@ const (
 typeServerHello uint8 = 2
 typeHelloVerifyRequest uint8 = 3
 typeNewSessionTicket uint8 = 4
- typeEndOfEarlyData uint8 = 5 // draft-ietf-tls-tls13-21
- typeHelloRetryRequest uint8 = 6 // draft-ietf-tls-tls13-16
- typeEncryptedExtensions uint8 = 8 // draft-ietf-tls-tls13-16
+ typeEndOfEarlyData uint8 = 5
+ typeHelloRetryRequest uint8 = 6
+ typeEncryptedExtensions uint8 = 8
 typeCertificate uint8 = 11
 typeServerKeyExchange uint8 = 12
 typeCertificateRequest uint8 = 13
@@ -100,11 +100,11 @@ const (
 typeClientKeyExchange uint8 = 16
 typeFinished uint8 = 20
 typeCertificateStatus uint8 = 22
- typeKeyUpdate uint8 = 24 // draft-ietf-tls-tls13-16
+ typeKeyUpdate uint8 = 24
 typeCompressedCertificate uint8 = 25 // Not IANA assigned
 typeNextProtocol uint8 = 67 // Not IANA assigned
 typeChannelID uint8 = 203 // Not IANA assigned
- typeMessageHash uint8 = 254 // draft-ietf-tls-tls13-21
+ typeMessageHash uint8 = 254
 )
 // TLS compression types.
@@ -127,14 +127,14 @@ const (
 extensionTokenBinding uint16 = 24
 extensionCompressedCertAlgs uint16 = 27
 extensionSessionTicket uint16 = 35
- extensionPreSharedKey uint16 = 41 // draft-ietf-tls-tls13-23
- extensionEarlyData uint16 = 42 // draft-ietf-tls-tls13-23
- extensionSupportedVersions uint16 = 43 // draft-ietf-tls-tls13-23
- extensionCookie uint16 = 44 // draft-ietf-tls-tls13-23
- extensionPSKKeyExchangeModes uint16 = 45 // draft-ietf-tls-tls13-23
- extensionCertificateAuthorities uint16 = 47 // draft-ietf-tls-tls13-23
- extensionSignatureAlgorithmsCert uint16 = 50 // draft-ietf-tls-tls13-23
- extensionKeyShare uint16 = 51 // draft-ietf-tls-tls13-23
+ extensionPreSharedKey uint16 = 41
+ extensionEarlyData uint16 = 42
+ extensionSupportedVersions uint16 = 43
+ extensionCookie uint16 = 44
+ extensionPSKKeyExchangeModes uint16 = 45
+ extensionCertificateAuthorities uint16 = 47
+ extensionSignatureAlgorithmsCert uint16 = 50
+ extensionKeyShare uint16 = 51
 extensionCustom uint16 = 1234 // not IANA assigned
 extensionNextProtoNeg uint16 = 13172 // not IANA assigned
 extensionRenegotiationInfo uint16 = 0xff01
@@ -239,13 +239,13 @@ const (
 SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002
 )
-// PskKeyExchangeMode values (see draft-ietf-tls-tls13-16)
+// PskKeyExchangeMode values (see RFC 8446, section 4.2.9)
 const (
 pskKEMode = 0
 pskDHEKEMode = 1
 )
-// KeyUpdateRequest values (see draft-ietf-tls-tls13-16, section 4.5.3)
+// KeyUpdateRequest values (see RFC 8446, section 4.6.3)
 const (
 keyUpdateNotRequested = 0
 keyUpdateRequested = 1
@@ -2064,7 +2064,7 @@ func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatur
 }
 var (
- // See draft-ietf-tls-tls13-16, section 6.3.1.2.
+ // See RFC 8446, section 4.1.3.
 downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
 downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
 )
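Review bot: The new `// See RFC 8446, section 4.1.3.` comment above the sentinels does not say which value is which, and the names invite the wrong reading: `downgradeTLS13` (last byte 0x01) is what a TLS 1.3-capable server writes when it negotiates TLS 1.2, and `downgradeTLS12` (last byte 0x00) is the value for TLS 1.1 or below. Suggest `// Downgrade sentinels for the last 8 bytes of the server random (RFC 8446,` / `// section 4.1.3): downgradeTLS13 is sent when a TLS 1.3-capable server` / `// negotiates TLS 1.2, downgradeTLS12 when it negotiates TLS 1.1 or below.` The leading seven bytes spell "DOWNGRD", which is also worth a word so nobody re-derives it from the hex.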
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 847c61ae..49e947d4 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -603,8 +603,7 @@ NextCipherSuite:
 }
 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
- // Check for downgrade signals in the server random, per
- // draft-ietf-tls-tls13-16, section 4.1.3.
+ // Check for downgrade signals in the server random, per RFC 8446, section 4.1.3.
 if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom {
 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 43eb6fef..edc5a925 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -589,7 +589,7 @@ func (m *clientHelloMsg) marshal() []byte {
 algIDs.addU16(v)
 }
 }
- // The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
+ // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11
 if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
 extensions.addU16(extensionPreSharedKey)
 pskExtension := extensions.addU16LengthPrefixed()
@@ -762,7 +762,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 m.ticketSupported = true
 m.sessionTicket = []byte(body)
 case extensionKeyShare:
- // draft-ietf-tls-tls13 section 6.3.2.3
+ // https://tools.ietf.org/html/rfc8446#section-4.2.8
 var keyShares byteReader
 if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 {
 return false
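Review bot: The visible check compares the server random only against `downgradeTLS13` under `c.vers <= VersionTLS12`, while RFC 8446 section 4.1.3, which the rewritten comment now cites, says a TLS 1.3 client that receives a ServerHello for TLS 1.2 or below must reject both sentinel values, so `downgradeTLS12` has to be tested too. The remainder of the if-body is outside the hunk; if the second comparison lives there this is only worth mentioning in the comment, and if it does not, a TLS 1.1 negotiation carrying the 0x00 sentinel would pass, e.g. `if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) || bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {`. The enclosing function starts before and ends after the hunk.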
@@ -779,7 +779,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 m.keyShares = append(m.keyShares, entry)
 }
 case extensionPreSharedKey:
- // draft-ietf-tls-tls13-18 section 4.2.6
+ // https://tools.ietf.org/html/rfc8446#section-4.2.11
 var psks, binders byteReader
 if !body.readU16LengthPrefixed(&psks) ||
 !body.readU16LengthPrefixed(&binders) ||
@@ -807,12 +807,12 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 return false
 }
 case extensionPSKKeyExchangeModes:
- // draft-ietf-tls-tls13-18 section 4.2.7
+ // https://tools.ietf.org/html/rfc8446#section-4.2.9
 if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 {
 return false
 }
 case extensionEarlyData:
- // draft-ietf-tls-tls13 section 6.3.2.5
+ // https://tools.ietf.org/html/rfc8446#section-4.2.10
 if len(body) != 0 {
 return false
 }
@@ -1299,7 +1299,7 @@ func (m *serverExtensions) marshal(extensions *byteBuilder) {
 supportedPoints.addBytes(m.supportedPoints)
 }
 if len(m.supportedCurves) > 0 {
- // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
+ // https://tools.ietf.org/html/rfc8446#section-4.2.7
 extensions.addU16(extensionSupportedCurves)
 supportedCurvesList := extensions.addU16LengthPrefixed()
 supportedCurves := supportedCurvesList.addU16LengthPrefixed()
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index bdf72ae9..ca7a7d37 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -1173,8 +1173,7 @@ func (hs *serverHandshakeState) processClientHello() (isResume bool, err error)
 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
- // Signal downgrades in the server random, per draft-ietf-tls-tls13-16,
- // section 4.1.3.
+ // Signal downgrades in the server random, per RFC 8446, section 4.1.3.
 if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom {
 if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 {
 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13)
diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go
index 8c2da0dd..96e7f247 100644
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@@ -384,8 +384,7 @@ func (h *finishedHash) discardHandshakeBuffer() {
 }
 // zeroSecretTLS13 returns the default all zeros secret for TLS 1.3, used when a
-// given secret is not available in the handshake. See draft-ietf-tls-tls13-16,
-// section 7.1.
+// given secret is not available in the handshake. See RFC 8446, section 7.1.
 func (h *finishedHash) zeroSecret() []byte {
 return make([]byte, h.hash.Size())
 }
@@ -400,7 +399,7 @@ func (h *finishedHash) nextSecret() {
 }
 // hkdfExpandLabel implements TLS 1.3's HKDF-Expand-Label function, as defined
-// in section 7.1 of draft-ietf-tls-tls13-16.
+// in section 7.1 of RFC 8446.
 func hkdfExpandLabel(hash crypto.Hash, secret, label, hashValue []byte, length int) []byte {
 if len(label) > 255 || len(hashValue) > 255 {
 panic("hkdfExpandLabel: label or hashValue too long")
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index ce9dd3ca..a1793da0 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
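Review bot: The visible branch writes `downgradeTLS13` (the 0x01 sentinel) for every negotiated version at or below TLS 1.2 whenever the server supports TLS 1.3, but RFC 8446 section 4.1.3, which the rewritten comment now cites, assigns that value to TLS 1.2 only and the 0x00 value (`downgradeTLS12`) to TLS 1.1 or below. Unless a later branch outside the hunk overwrites the sentinel for `c.vers <= VersionTLS11`, a TLS 1.3-capable server here negotiating TLS 1.1 sends the TLS 1.2 marker; narrowing the condition to `if c.vers == VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 {` and adding an else-branch for `c.vers <= VersionTLS11` that copies `downgradeTLS12` would match the RFC. processClientHello continues outside the hunk, so this may already be handled there.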
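Review bot: The rewritten doc comment still names the function `zeroSecretTLS13`, but the declaration directly below it is `func (h *finishedHash) zeroSecret() []byte`, so the citation update carries a stale identifier forward. Suggest `// zeroSecret returns the default all zeros secret for TLS 1.3, used when a` as the first line, keeping the new `See RFC 8446, section 7.1.` sentence as written.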
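Review bot: The `len(label) > 255` guard bounds the caller-supplied label, but RFC 8446 section 7.1, now cited by the comment, defines HkdfLabel.label as `opaque label<7..255>` whose content is "tls13 " followed by the label; if the `tls13 ` prefix is prepended after this check in the lines outside the hunk, labels of 250 to 255 bytes pass the guard and overflow the one-byte length field. Suggest `if len(label) > 255-len("tls13 ") || len(hashValue) > 255 {`, or moving the check onto the assembled label. hkdfExpandLabel's body continues past the hunk, so the prefix handling is not visible here.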
@@ -635,8 +635,7 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
 // Suppress KeyUpdate acknowledgments until this change is written to the
 // wire. This prevents us from accumulating write obligations when read and
- // write progress at different rates. See draft-ietf-tls-tls13-18, section
- // 4.5.3.
+ // write progress at different rates. See RFC 8446, section 4.6.3.
 ssl->s3->key_update_pending = true;
 }
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index a3940b64..aba7fc0b 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -706,7 +706,7 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
 // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
 // the wire sooner and also avoids triggering a write on |SSL_read| when
 // processing the client Finished. This requires computing the client
- // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
+ // Finished early. See RFC 8446, section 4.6.1.
 static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0, 0};
 if (!hs->transcript.Update(kEndOfEarlyData)) {
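Review bot: The rewritten comment says the client Finished must be computed early but not why the next statement feeds a synthetic `EndOfEarlyData` header into the transcript; RFC 8446 section 4.5 places EndOfEarlyData in the handshake transcript after the server Finished, so the client Finished the server precomputes has to cover it even though the client has not sent it yet. Suggest appending `// The client's Finished covers EndOfEarlyData (RFC 8446, section 4.5), so` / `// hash its header now, before the client sends it.` after the new citation line. do_send_server_finished continues outside the hunk.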