Update TLS 1.3 citations for the final RFC.

Change-Id: I2d1671a4f21a602191fd0c9b932244a376ac5713 Reviewed-on: https://boringssl-review.googlesource.com/31104 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-14 22:26:39 -05:00 · 2018-08-14 22:26:39 -05:00 · a130ce0b71
commit a130ce0b71
parent c4131a4a23
13 changed files with 56 additions and 61 deletions
--- a/crypto/fipsmodule/cipher/e_aes.c
+++ b/crypto/fipsmodule/cipher/e_aes.c
@ -1201,8 +1201,8 @@ static int aead_aes_gcm_tls13_seal_scatter(
  }

  // The given nonces must be strictly monotonically increasing. See
-  // https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-5.3 for details
-  // of the TLS 1.3 nonce construction.
+  // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3
+  // nonce construction.
  uint64_t given_counter;
  OPENSSL_memcpy(&given_counter, nonce + nonce_len - sizeof(given_counter),
                 sizeof(given_counter));
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -1696,8 +1696,8 @@ OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
 //
 // If this function returns one, clients retain multiple sessions and use each
 // only once. This prevents passive observers from correlating connections with
-// tickets. See draft-ietf-tls-tls13-18, appendix B.5. If it returns zero,
-// |session| cannot be used without leaking a correlator.
+// tickets. See RFC 8446, appendix C.4. If it returns zero, |session| cannot be
+// used without leaking a correlator.
 OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);

 // SSL_SESSION_is_resumable returns one if |session| is resumable and zero
@ -3048,8 +3048,8 @@ OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(const SSL *ssl,
 // WARNING: A 0-RTT handshake has different security properties from normal
 // handshake, so it is off by default unless opted in. In particular, early data
 // is replayable by a network attacker. Callers must account for this when
-// sending or processing data before the handshake is confirmed. See
-// draft-ietf-tls-tls13-18 for more information.
+// sending or processing data before the handshake is confirmed. See RFC 8446
+// for more information.
 //
 // As a server, if early data is accepted, |SSL_do_handshake| will complete as
 // soon as the ClientHello is processed and server flight sent. |SSL_write| may
@ -3084,9 +3084,9 @@ OPENSSL_EXPORT void SSL_get_peer_quic_transport_params(const SSL *ssl,
 // properties. The caller must disregard any values from before the reset and
 // query again.
 //
-// Finally, to implement the fallback described in draft-ietf-tls-tls13-18
-// appendix C.3, retry on a fresh connection without 0-RTT if the handshake
-// fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.
+// Finally, to implement the fallback described in RFC 8446 appendix D.3, retry
+// on a fresh connection without 0-RTT if the handshake fails with
+// |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.

 // SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used
 // with resumptions using |ctx|.
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@ -217,7 +217,7 @@ extern "C" {
 // ExtensionType value from RFC4507
 #define TLSEXT_TYPE_session_ticket 35

-// ExtensionType values from draft-ietf-tls-tls13-18
+// ExtensionType values from RFC8446
 #define TLSEXT_TYPE_supported_groups 10
 #define TLSEXT_TYPE_pre_shared_key 41
 #define TLSEXT_TYPE_early_data 42
@ -431,7 +431,7 @@ extern "C" {
 #define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA9
 #define TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0x0300CCAC

-// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
+// TLS 1.3 ciphersuites from RFC 8446.
 #define TLS1_CK_AES_128_GCM_SHA256 0x03001301
 #define TLS1_CK_AES_256_GCM_SHA384 0x03001302
 #define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303
@ -603,7 +603,7 @@ extern "C" {
 #define TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
  "ECDHE-PSK-CHACHA20-POLY1305"

-// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
+// TLS 1.3 ciphersuites from RFC 8446.
 #define TLS1_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256"
 #define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384"
 #define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@ -577,7 +577,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {

  // A TLS 1.2 server would not know to skip the early data we offered. Report
  // an error code sooner. The caller may use this error code to implement the
-  // fallback described in draft-ietf-tls-tls13-18 appendix C.3.
+  // fallback described in RFC 8446 appendix D.3.
  if (hs->early_data_offered) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
--- a/ssl/internal.h
+++ b/ssl/internal.h
@ -2462,11 +2462,10 @@ struct SSL_CONFIG {
  bool shed_handshake_config : 1;
 };

-// From draft-ietf-tls-tls13-18, used in determining PSK modes.
+// From RFC 8446, used in determining PSK modes.
 #define SSL_PSK_DHE_KE 0x1

-// From draft-ietf-tls-tls13-16, used in determining whether to respond with a
-// KeyUpdate.
+// From RFC 8446, used in determining whether to respond with a KeyUpdate.
 #define SSL_KEY_UPDATE_NOT_REQUESTED 0
 #define SSL_KEY_UPDATE_REQUESTED 1

--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@ -1049,7 +1049,7 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,

 // Signature Algorithms for Certificates.
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-23#section-4.2.3
+// https://tools.ietf.org/html/rfc8446#section-4.2.3

 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
@ -1846,7 +1846,7 @@ static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {

 // Pre Shared Key
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
+// https://tools.ietf.org/html/rfc8446#section-4.2.11

 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
@ -1867,9 +1867,9 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
    return true;
  }

-  // Per draft-ietf-tls-tls13-21 section 4.1.4, skip offering the session if the
-  // selected cipher in HelloRetryRequest does not match. This avoids performing
-  // the transcript hash transformation for multiple hashes.
+  // Per RFC 8446 section 4.1.4, skip offering the session if the selected
+  // cipher in HelloRetryRequest does not match. This avoids performing the
+  // transcript hash transformation for multiple hashes.
  if (hs->received_hello_retry_request &&
      ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
    return true;
@ -2000,7 +2000,7 @@ bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {

 // Pre-Shared Key Exchange Modes
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
+// https://tools.ietf.org/html/rfc8446#section-4.2.9

 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
                                                       CBB *out) {
@ -2044,7 +2044,7 @@ static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,

 // Early Data Indication
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
+// https://tools.ietf.org/html/rfc8446#section-4.2.10

 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
@ -2129,7 +2129,7 @@ static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {

 // Key Share
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
+// https://tools.ietf.org/html/rfc8446#section-4.2.8

 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
@ -2314,7 +2314,7 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {

 // Supported Versions
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.1

 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
@ -2346,7 +2346,7 @@ static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out)

 // Cookie
 //
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
+// https://tools.ietf.org/html/rfc8446#section-4.2.2

 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  if (hs->cookie.empty()) {
@ -2368,10 +2368,10 @@ static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 }


-// Negotiated Groups
+// Supported Groups
 //
-// https://tools.ietf.org/html/rfc4492#section-5.1.2
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
+// https://tools.ietf.org/html/rfc4492#section-5.1.1
+// https://tools.ietf.org/html/rfc8446#section-4.2.7

 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@ -89,9 +89,9 @@ const (
 	typeServerHello           uint8 = 2
 	typeHelloVerifyRequest    uint8 = 3
 	typeNewSessionTicket      uint8 = 4
-	typeEndOfEarlyData        uint8 = 5 // draft-ietf-tls-tls13-21
-	typeHelloRetryRequest     uint8 = 6 // draft-ietf-tls-tls13-16
-	typeEncryptedExtensions   uint8 = 8 // draft-ietf-tls-tls13-16
+	typeEndOfEarlyData        uint8 = 5
+	typeHelloRetryRequest     uint8 = 6
+	typeEncryptedExtensions   uint8 = 8
 	typeCertificate           uint8 = 11
 	typeServerKeyExchange     uint8 = 12
 	typeCertificateRequest    uint8 = 13
@ -100,11 +100,11 @@ const (
 	typeClientKeyExchange     uint8 = 16
 	typeFinished              uint8 = 20
 	typeCertificateStatus     uint8 = 22
-	typeKeyUpdate             uint8 = 24  // draft-ietf-tls-tls13-16
+	typeKeyUpdate             uint8 = 24
 	typeCompressedCertificate uint8 = 25  // Not IANA assigned
 	typeNextProtocol          uint8 = 67  // Not IANA assigned
 	typeChannelID             uint8 = 203 // Not IANA assigned
-	typeMessageHash           uint8 = 254 // draft-ietf-tls-tls13-21
+	typeMessageHash           uint8 = 254
 )

 // TLS compression types.
@ -127,14 +127,14 @@ const (
 	extensionTokenBinding               uint16 = 24
 	extensionCompressedCertAlgs         uint16 = 27
 	extensionSessionTicket              uint16 = 35
-	extensionPreSharedKey               uint16 = 41    // draft-ietf-tls-tls13-23
-	extensionEarlyData                  uint16 = 42    // draft-ietf-tls-tls13-23
-	extensionSupportedVersions          uint16 = 43    // draft-ietf-tls-tls13-23
-	extensionCookie                     uint16 = 44    // draft-ietf-tls-tls13-23
-	extensionPSKKeyExchangeModes        uint16 = 45    // draft-ietf-tls-tls13-23
-	extensionCertificateAuthorities     uint16 = 47    // draft-ietf-tls-tls13-23
-	extensionSignatureAlgorithmsCert    uint16 = 50    // draft-ietf-tls-tls13-23
-	extensionKeyShare                   uint16 = 51    // draft-ietf-tls-tls13-23
+	extensionPreSharedKey               uint16 = 41
+	extensionEarlyData                  uint16 = 42
+	extensionSupportedVersions          uint16 = 43
+	extensionCookie                     uint16 = 44
+	extensionPSKKeyExchangeModes        uint16 = 45
+	extensionCertificateAuthorities     uint16 = 47
+	extensionSignatureAlgorithmsCert    uint16 = 50
+	extensionKeyShare                   uint16 = 51
 	extensionCustom                     uint16 = 1234  // not IANA assigned
 	extensionNextProtoNeg               uint16 = 13172 // not IANA assigned
 	extensionRenegotiationInfo          uint16 = 0xff01
@ -239,13 +239,13 @@ const (
 	SRTP_AES128_CM_HMAC_SHA1_32        = 0x0002
 )

-// PskKeyExchangeMode values (see draft-ietf-tls-tls13-16)
+// PskKeyExchangeMode values (see RFC 8446, section 4.2.9)
 const (
 	pskKEMode    = 0
 	pskDHEKEMode = 1
 )

-// KeyUpdateRequest values (see draft-ietf-tls-tls13-16, section 4.5.3)
+// KeyUpdateRequest values (see RFC 8446, section 4.6.3)
 const (
 	keyUpdateNotRequested = 0
 	keyUpdateRequested    = 1
@ -2064,7 +2064,7 @@ func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatur
 }

 var (
-	// See draft-ietf-tls-tls13-16, section 6.3.1.2.
+	// See RFC 8446, section 4.1.3.
 	downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
 	downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
 )
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@ -603,8 +603,7 @@ NextCipherSuite:
 	}

 	_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
-	// Check for downgrade signals in the server random, per
-	// draft-ietf-tls-tls13-16, section 4.1.3.
+	// Check for downgrade signals in the server random, per RFC 8446, section 4.1.3.
 	if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom {
 		if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
 			if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@ -589,7 +589,7 @@ func (m *clientHelloMsg) marshal() []byte {
 			algIDs.addU16(v)
 		}
 	}
-	// The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
+	// The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11
 	if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
 		extensions.addU16(extensionPreSharedKey)
 		pskExtension := extensions.addU16LengthPrefixed()
@ -762,7 +762,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 			m.ticketSupported = true
 			m.sessionTicket = []byte(body)
 		case extensionKeyShare:
-			// draft-ietf-tls-tls13 section 6.3.2.3
+			// https://tools.ietf.org/html/rfc8446#section-4.2.8
 			var keyShares byteReader
 			if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 {
 				return false
@ -779,7 +779,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 				m.keyShares = append(m.keyShares, entry)
 			}
 		case extensionPreSharedKey:
-			// draft-ietf-tls-tls13-18 section 4.2.6
+			// https://tools.ietf.org/html/rfc8446#section-4.2.11
 			var psks, binders byteReader
 			if !body.readU16LengthPrefixed(&psks) ||
 				!body.readU16LengthPrefixed(&binders) ||
@ -807,12 +807,12 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 				return false
 			}
 		case extensionPSKKeyExchangeModes:
-			// draft-ietf-tls-tls13-18 section 4.2.7
+			// https://tools.ietf.org/html/rfc8446#section-4.2.9
 			if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 {
 				return false
 			}
 		case extensionEarlyData:
-			// draft-ietf-tls-tls13 section 6.3.2.5
+			// https://tools.ietf.org/html/rfc8446#section-4.2.10
 			if len(body) != 0 {
 				return false
 			}
@ -1299,7 +1299,7 @@ func (m *serverExtensions) marshal(extensions *byteBuilder) {
 		supportedPoints.addBytes(m.supportedPoints)
 	}
 	if len(m.supportedCurves) > 0 {
-		// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
+		// https://tools.ietf.org/html/rfc8446#section-4.2.7
 		extensions.addU16(extensionSupportedCurves)
 		supportedCurvesList := extensions.addU16LengthPrefixed()
 		supportedCurves := supportedCurvesList.addU16LengthPrefixed()
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@ -1173,8 +1173,7 @@ func (hs *serverHandshakeState) processClientHello() (isResume bool, err error)

 	_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)

-	// Signal downgrades in the server random, per draft-ietf-tls-tls13-16,
-	// section 4.1.3.
+	// Signal downgrades in the server random, per RFC 8446, section 4.1.3.
 	if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom {
 		if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 {
 			copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13)
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@ -384,8 +384,7 @@ func (h *finishedHash) discardHandshakeBuffer() {
 }

 // zeroSecretTLS13 returns the default all zeros secret for TLS 1.3, used when a
-// given secret is not available in the handshake. See draft-ietf-tls-tls13-16,
-// section 7.1.
+// given secret is not available in the handshake. See RFC 8446, section 7.1.
 func (h *finishedHash) zeroSecret() []byte {
 	return make([]byte, h.hash.Size())
 }
@ -400,7 +399,7 @@ func (h *finishedHash) nextSecret() {
 }

 // hkdfExpandLabel implements TLS 1.3's HKDF-Expand-Label function, as defined
-// in section 7.1 of draft-ietf-tls-tls13-16.
+// in section 7.1 of RFC 8446.
 func hkdfExpandLabel(hash crypto.Hash, secret, label, hashValue []byte, length int) []byte {
 	if len(label) > 255 || len(hashValue) > 255 {
 		panic("hkdfExpandLabel: label or hashValue too long")
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@ -635,8 +635,7 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {

    // Suppress KeyUpdate acknowledgments until this change is written to the
    // wire. This prevents us from accumulating write obligations when read and
-    // write progress at different rates. See draft-ietf-tls-tls13-18, section
-    // 4.5.3.
+    // write progress at different rates. See RFC 8446, section 4.6.3.
    ssl->s3->key_update_pending = true;
  }

--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@ -706,7 +706,7 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
    // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
    // the wire sooner and also avoids triggering a write on |SSL_read| when
    // processing the client Finished. This requires computing the client
-    // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
+    // Finished early. See RFC 8446, section 4.6.1.
    static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
                                               0, 0};
    if (!hs->transcript.Update(kEndOfEarlyData)) {