From 64cc121f419e137db6620a6955dd197edcc292e8 Mon Sep 17 00:00:00 2001 From: Steven Valdez Date: Mon, 4 Dec 2017 11:15:37 -0500 Subject: [PATCH] Remove deprecated TLS 1.3 variants. Upgrade-Note: SSL_CTX_set_tls13_variant(tls13_experiment) on the server should switch to SSL_CTX_set_tls13_variant(tls13_experiment2). (Configuring any TLS 1.3 variants on the server enables all variants, so this is a no-op. We're just retiring some old experiments.) Change-Id: I60f0ca3f96ff84bdf59e1a282a46e51d99047462 Reviewed-on: https://boringssl-review.googlesource.com/23784 Commit-Queue: Steven Valdez CQ-Verified: CQ bot account: commit-bot@chromium.org Reviewed-by: David Benjamin --- include/openssl/ssl.h | 10 +--- ssl/handshake_client.cc | 2 +- ssl/s3_pkt.cc | 4 +- ssl/ssl_aead_ctx.cc | 5 +- ssl/ssl_test.cc | 9 ++- ssl/ssl_versions.cc | 80 ++------------------------- ssl/t1_lib.cc | 2 +- ssl/test/runner/common.go | 46 ++------------- ssl/test/runner/conn.go | 25 +++------ ssl/test/runner/handshake_client.go | 42 +++++++------- ssl/test/runner/handshake_messages.go | 60 ++++++++------------ ssl/test/runner/handshake_server.go | 40 +++++++------- ssl/test/runner/prf.go | 32 +++++------ ssl/test/runner/runner.go | 79 +++++--------------------- ssl/tls13_client.cc | 39 +++++-------- ssl/tls13_enc.cc | 68 +++++++++++------------ ssl/tls13_server.cc | 34 +++++------- ssl/tls_record.cc | 4 +- tool/client.cc | 18 +----- tool/server.cc | 12 +--- 20 files changed, 189 insertions(+), 422 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 066390b640..14aab123e3 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h 
@@ -591,12 +591,8 @@ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl); #define DTLS1_VERSION 0xfeff #define DTLS1_2_VERSION 0xfefd -#define TLS1_3_DRAFT_VERSION 0x7f12 -#define TLS1_3_DRAFT21_VERSION 0x7f15 #define TLS1_3_DRAFT22_VERSION 0x7f16 -#define TLS1_3_EXPERIMENT_VERSION 0x7e01 #define TLS1_3_EXPERIMENT2_VERSION 0x7e02 -#define TLS1_3_EXPERIMENT3_VERSION 0x7e03 // SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to // |version|. If |version| is zero, the default minimum version is used. It @@ -3226,11 +3222,7 @@ OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl); enum tls13_variant_t { tls13_default = 0, - tls13_experiment = 1, - tls13_experiment2 = 2, - tls13_experiment3 = 3, - tls13_draft21 = 4, - tls13_draft22 = 5, + tls13_experiment2 = 1, }; // SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc index cdda4593cc..ce9d278639 100644 --- a/ssl/handshake_client.cc +++ b/ssl/handshake_client.cc @@ -464,7 +464,7 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { hs->session_id_len = ssl->session->session_id_length; OPENSSL_memcpy(hs->session_id, ssl->session->session_id, hs->session_id_len); - } else if (ssl_is_resumption_variant(hs->max_version, ssl->tls13_variant)) { + } else if (hs->max_version >= TLS1_3_VERSION) { hs->session_id_len = sizeof(hs->session_id); if (!RAND_bytes(hs->session_id, hs->session_id_len)) { return ssl_hs_error; diff --git a/ssl/s3_pkt.cc b/ssl/s3_pkt.cc index e6518ba8f3..e14d551a18 100644 --- a/ssl/s3_pkt.cc +++ b/ssl/s3_pkt.cc 
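Review bot: In the `tls13_variant_t` hunk, `tls13_experiment2` is renumbered from 2 to 1, the value that used to mean `tls13_experiment`. Any caller that supplies the variant as a raw integer (a command-line flag, a stored setting, a binding built against the old header) therefore changes meaning silently instead of failing. Keeping the old number, `tls13_experiment2 = 2,`, would leave the retired values unassigned so that stale configurations stay detectable. If the renumbering is intended, a comment on the enum such as `// Numeric values are not stable across revisions; do not persist them.` would state that contract.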
@@ -306,7 +306,7 @@ ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span *out, if (type == SSL3_RT_HANDSHAKE) { // If reading 0-RTT data, reject handshake data. 0-RTT data is terminated // by an alert. - if (!ssl_is_draft21(ssl->version) && is_early_data_read) { + if (!ssl_is_draft22(ssl->version) && is_early_data_read) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); *out_alert = SSL_AD_UNEXPECTED_MESSAGE; return ssl_open_record_error; @@ -335,7 +335,7 @@ ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span *out, // Handle the end_of_early_data alert. static const uint8_t kEndOfEarlyData[2] = {SSL3_AL_WARNING, TLS1_AD_END_OF_EARLY_DATA}; - if (!ssl_is_draft21(ssl->version) && is_early_data_read && + if (!ssl_is_draft22(ssl->version) && is_early_data_read && type == SSL3_RT_ALERT && body == kEndOfEarlyData) { // Stop accepting early data. ssl->s3->hs->can_early_read = false; diff --git a/ssl/ssl_aead_ctx.cc b/ssl/ssl_aead_ctx.cc index 775827c7ae..247e889e59 100644 --- a/ssl/ssl_aead_ctx.cc +++ b/ssl/ssl_aead_ctx.cc @@ -173,10 +173,7 @@ uint16_t SSLAEADContext::RecordVersion() const { return version_; } - if (ssl_is_resumption_record_version_experiment(version_)) { - return TLS1_2_VERSION; - } - return TLS1_VERSION; + return TLS1_2_VERSION; } size_t SSLAEADContext::ExplicitNonceLen() const { diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 82888780ee..5d37448a01 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc @@ -2617,7 +2617,8 @@ TEST(SSLTest, SetVersion) { EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version); // TLS1_3_DRAFT_VERSION is not an API-level version. - EXPECT_FALSE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT_VERSION)); + EXPECT_FALSE( + SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT22_VERSION)); ERR_clear_error(); ctx.reset(SSL_CTX_new(DTLS_method())); 
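Review bot: In the `SetVersion` hunk of ssl_test.cc, the comment above the changed `EXPECT_FALSE` still reads `// TLS1_3_DRAFT_VERSION is not an API-level version.`, but this commit deletes that macro and the call now passes `TLS1_3_DRAFT22_VERSION`. The comment should follow the code, for example `// TLS1_3_DRAFT22_VERSION is a wire version, not an API-level version.`. The test body starts and ends outside the hunk.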
@@ -2960,9 +2961,7 @@ TEST_P(SSLVersionTest, RecordCallback) { uint16_t record_version, length; ASSERT_TRUE(CBS_get_u8(&cbs, &type)); ASSERT_TRUE(CBS_get_u16(&cbs, &record_version)); - EXPECT_TRUE(record_version == version() || - record_version == (is_dtls() ? DTLS1_VERSION : TLS1_VERSION)) - << "Invalid record version: " << record_version; + EXPECT_EQ(record_version & 0xff00, version() & 0xff00); if (is_dtls()) { uint16_t epoch; ASSERT_TRUE(CBS_get_u16(&cbs, &epoch)); @@ -3862,7 +3861,7 @@ TEST(SSLTest, AllTests) { !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) || // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there // will be a PSK binder after the padding extension. - !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION)) { + !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT22_VERSION)) { ADD_FAILURE() << "Tests failed"; } } diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc index 2406bd81ca..4ef54da1c8 100644 --- a/ssl/ssl_versions.cc +++ b/ssl/ssl_versions.cc @@ -34,12 +34,8 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { *out = version; return true; - case TLS1_3_DRAFT_VERSION: - case TLS1_3_DRAFT21_VERSION: case TLS1_3_DRAFT22_VERSION: - case TLS1_3_EXPERIMENT_VERSION: case TLS1_3_EXPERIMENT2_VERSION: - case TLS1_3_EXPERIMENT3_VERSION: *out = TLS1_3_VERSION; return true; @@ -62,11 +58,7 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { static const uint16_t kTLSVersions[] = { TLS1_3_DRAFT22_VERSION, - TLS1_3_EXPERIMENT3_VERSION, TLS1_3_EXPERIMENT2_VERSION, - TLS1_3_EXPERIMENT_VERSION, - TLS1_3_DRAFT_VERSION, - TLS1_3_DRAFT21_VERSION, TLS1_2_VERSION, TLS1_1_VERSION, TLS1_VERSION, 
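Review bot: The new `EXPECT_EQ(record_version & 0xff00, version() & 0xff00);` in `RecordCallback` compares only the major byte, so every minor version now passes, including ones the record layer should never emit. The streamed "Invalid record version" diagnostic is dropped as well. The record version is visible in the clear to peers and middleboxes, so this test is most useful when it pins the exact values allowed for each protocol (the negotiated version, the legacy value used on initial records, and `TLS1_2_VERSION` for TLS 1.3) and keeps the diagnostic text. The callback body continues outside the hunk.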
@@ -109,12 +101,8 @@ static bool method_supports_version(const SSL_PROTOCOL_METHOD *method, static const char *ssl_version_to_string(uint16_t version) { switch (version) { - case TLS1_3_DRAFT_VERSION: - case TLS1_3_DRAFT21_VERSION: case TLS1_3_DRAFT22_VERSION: - case TLS1_3_EXPERIMENT_VERSION: case TLS1_3_EXPERIMENT2_VERSION: - case TLS1_3_EXPERIMENT3_VERSION: return "TLSv1.3"; case TLS1_2_VERSION: @@ -143,12 +131,8 @@ static const char *ssl_version_to_string(uint16_t version) { static uint16_t wire_version_to_api(uint16_t version) { switch (version) { // Report TLS 1.3 draft versions as TLS 1.3 in the public API. - case TLS1_3_DRAFT_VERSION: - case TLS1_3_DRAFT21_VERSION: case TLS1_3_DRAFT22_VERSION: - case TLS1_3_EXPERIMENT_VERSION: case TLS1_3_EXPERIMENT2_VERSION: - case TLS1_3_EXPERIMENT3_VERSION: return TLS1_3_VERSION; default: return version; @@ -159,16 +143,12 @@ static uint16_t wire_version_to_api(uint16_t version) { // particular, it picks an arbitrary TLS 1.3 representative. This should only be // used in context where that does not matter. static bool api_version_to_wire(uint16_t *out, uint16_t version) { - if (version == TLS1_3_DRAFT_VERSION || - version == TLS1_3_DRAFT21_VERSION || - version == TLS1_3_DRAFT22_VERSION || - version == TLS1_3_EXPERIMENT_VERSION || - version == TLS1_3_EXPERIMENT2_VERSION || - version == TLS1_3_EXPERIMENT3_VERSION) { + if (version == TLS1_3_DRAFT22_VERSION || + version == TLS1_3_EXPERIMENT2_VERSION) { return false; } if (version == TLS1_3_VERSION) { - version = TLS1_3_DRAFT_VERSION; + version = TLS1_3_DRAFT22_VERSION; } // Check it is a real protocol version. 
@@ -321,32 +301,16 @@ bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) { // TLS 1.3 variants must additionally match |tls13_variant|. if (protocol_version != TLS1_3_VERSION || - (ssl->tls13_variant == tls13_experiment && - version == TLS1_3_EXPERIMENT_VERSION) || (ssl->tls13_variant == tls13_experiment2 && version == TLS1_3_EXPERIMENT2_VERSION) || - (ssl->tls13_variant == tls13_experiment3 && - version == TLS1_3_EXPERIMENT3_VERSION) || - (ssl->tls13_variant == tls13_draft21 && - version == TLS1_3_DRAFT21_VERSION) || - (ssl->tls13_variant == tls13_draft22 && - version == TLS1_3_DRAFT22_VERSION) || (ssl->tls13_variant == tls13_default && - version == TLS1_3_DRAFT_VERSION)) { + version == TLS1_3_DRAFT22_VERSION)) { return true; } // The server, when not configured at |tls13_default|, should additionally - // enable all variants, except draft-21 which is implemented solely for QUIC - // interop testing and will not be deployed, and draft-22 which will be - // enabled once the draft is finalized and ready to be deployed in Chrome. - // Currently, this is to implement the draft-18 vs. experiments field trials. - // In the future, this will be to transition cleanly to a final draft-22 - // which hopefully includes the deployability fixes. - if (ssl->server && - ssl->tls13_variant != tls13_default && - version != TLS1_3_DRAFT21_VERSION && - version != TLS1_3_DRAFT22_VERSION) { + // enable all variants. + if (ssl->server && ssl->tls13_variant != tls13_default) { return true; } 
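Review bot: The rewritten condition in `ssl_supports_version` changes what is negotiated, and the shortened comment no longer says so. `tls13_default` now matches `TLS1_3_DRAFT22_VERSION` rather than the removed draft-18 code point, and a server with a non-default variant now also accepts draft-22, which the deleted `version != TLS1_3_DRAFT22_VERSION` clause excluded. The comment should name the resulting set, for example `// A server not configured at |tls13_default| accepts every remaining variant, i.e. both draft-22 and experiment2.`, so the behaviour is documented as deliberate. The function begins and ends outside the hunk.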
@@ -397,42 +361,10 @@ bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, return false; } -bool ssl_is_draft21(uint16_t version) { - return version == TLS1_3_DRAFT21_VERSION || version == TLS1_3_DRAFT22_VERSION; -} - bool ssl_is_draft22(uint16_t version) { return version == TLS1_3_DRAFT22_VERSION; } -bool ssl_is_resumption_experiment(uint16_t version) { - return version == TLS1_3_EXPERIMENT_VERSION || - version == TLS1_3_EXPERIMENT2_VERSION || - version == TLS1_3_EXPERIMENT3_VERSION || - version == TLS1_3_DRAFT22_VERSION; -} - -bool ssl_is_resumption_variant(uint16_t max_version, - enum tls13_variant_t variant) { - if (max_version < TLS1_3_VERSION) { - return false; - } - return variant == tls13_experiment || variant == tls13_experiment2 || - variant == tls13_experiment3 || variant == tls13_draft22; -} - -bool ssl_is_resumption_client_ccs_experiment(uint16_t version) { - return version == TLS1_3_EXPERIMENT_VERSION || - version == TLS1_3_EXPERIMENT2_VERSION || - version == TLS1_3_DRAFT22_VERSION; -} - -bool ssl_is_resumption_record_version_experiment(uint16_t version) { - return version == TLS1_3_EXPERIMENT2_VERSION || - version == TLS1_3_EXPERIMENT3_VERSION || - version == TLS1_3_DRAFT22_VERSION; -} - } // namespace bssl using namespace bssl; diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc index 8d03623838..5a91b7ac50 100644 --- a/ssl/t1_lib.cc +++ b/ssl/t1_lib.cc @@ -1810,7 +1810,7 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { // selected cipher in HelloRetryRequest does not match. This avoids performing // the transcript hash transformation for multiple hashes. if (hs->received_hello_retry_request && - ssl_is_draft21(ssl->version) && + ssl_is_draft22(ssl->version) && ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) { return true; } diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index c6d5c65015..de1e313454 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go 
@@ -33,30 +33,18 @@ const ( // A draft version of TLS 1.3 that is sent over the wire for the current draft. const ( - tls13DraftVersion = 0x7f12 - tls13Draft21Version = 0x7f15 - tls13ExperimentVersion = 0x7e01 tls13Experiment2Version = 0x7e02 - tls13Experiment3Version = 0x7e03 tls13Draft22Version = 0x7f16 ) const ( - TLS13Default = 0 - TLS13Experiment = 1 - TLS13Experiment2 = 2 - TLS13Experiment3 = 3 - TLS13Draft21 = 4 - TLS13Draft22 = 5 + TLS13Draft22 = 0 + TLS13Experiment2 = 1 ) var allTLSWireVersions = []uint16{ - tls13DraftVersion, tls13Draft22Version, - tls13Draft21Version, - tls13Experiment3Version, tls13Experiment2Version, - tls13ExperimentVersion, VersionTLS12, VersionTLS11, VersionTLS10, @@ -1637,7 +1625,7 @@ func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) { switch vers { case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12: return vers, true - case tls13DraftVersion, tls13Draft22Version, tls13Draft21Version, tls13ExperimentVersion, tls13Experiment2Version, tls13Experiment3Version: + case tls13Draft22Version, tls13Experiment2Version: return VersionTLS13, true } } 
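Review bot: In the variant constants of common.go, the zero value changes from `TLS13Default` to `TLS13Draft22`, so a `Config` that never sets `TLS13Variant` now selects draft-22. The new values 0 and 1 line up with `tls13_default` and `tls13_experiment2` in the ssl.h hunk of this patch, but nothing in the block says they have to (presumably they are handed to the C side as integers; that code is not visible here). A comment such as `// These values must match tls13_variant_t in include/openssl/ssl.h.` would keep the two definitions from drifting apart.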
@@ -1645,40 +1633,16 @@ func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) { return 0, false } -func isDraft21(vers uint16) bool { - return vers == tls13Draft21Version || vers == tls13Draft22Version -} - func isDraft22(vers uint16) bool { return vers == tls13Draft22Version } -func isResumptionExperiment(vers uint16) bool { - return vers == tls13ExperimentVersion || vers == tls13Experiment2Version || vers == tls13Experiment3Version || vers == tls13Draft22Version -} - -func isResumptionClientCCSExperiment(vers uint16) bool { - return vers == tls13ExperimentVersion || vers == tls13Experiment2Version || vers == tls13Draft22Version -} - -func isResumptionRecordVersionExperiment(vers uint16) bool { - return vers == tls13Experiment2Version || vers == tls13Experiment3Version || vers == tls13Draft22Version -} - -func isResumptionRecordVersionVariant(variant int) bool { - return variant == TLS13Experiment2 || variant == TLS13Experiment3 || variant == TLS13Draft22 -} - // isSupportedVersion checks if the specified wire version is acceptable. If so, // it returns true and the corresponding protocol version. Otherwise, it returns // false. func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) { - if (c.TLS13Variant != TLS13Experiment && wireVers == tls13ExperimentVersion) || - (c.TLS13Variant != TLS13Experiment2 && wireVers == tls13Experiment2Version) || - (c.TLS13Variant != TLS13Experiment3 && wireVers == tls13Experiment3Version) || - (c.TLS13Variant != TLS13Draft22 && wireVers == tls13Draft22Version) || - (c.TLS13Variant != TLS13Draft21 && wireVers == tls13Draft21Version) || - (c.TLS13Variant != TLS13Default && wireVers == tls13DraftVersion) { + if (c.TLS13Variant != TLS13Experiment2 && wireVers == tls13Experiment2Version) || + (c.TLS13Variant != TLS13Draft22 && wireVers == tls13Draft22Version) { return 0, false } diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go index c6ee443c6d..6493aa7544 100644 --- a/ssl/test/runner/conn.go 
+++ b/ssl/test/runner/conn.go @@ -802,9 +802,6 @@ RestartReadRecord: if c.haveVers { expect = c.vers if c.vers >= VersionTLS13 { - expect = VersionTLS10 - } - if isResumptionRecordVersionExperiment(c.wireVersion) { expect = VersionTLS12 } } else { @@ -907,7 +904,7 @@ func (c *Conn) readTLS13ChangeCipherSpec() error { // Check they match that we expect. expected := [6]byte{byte(recordTypeChangeCipherSpec), 3, 1, 0, 1, 1} - if isResumptionRecordVersionExperiment(c.wireVersion) { + if c.vers >= VersionTLS13 { expected[2] = 3 } if !bytes.Equal(b.data[:6], expected[:]) { @@ -1197,7 +1194,7 @@ func (c *Conn) doWriteRecord(typ recordType, data []byte) (n int, err error) { } } vers := c.vers - if vers == 0 || vers >= VersionTLS13 { + if vers == 0 { // Some TLS servers fail if the record version is // greater than TLS 1.0 for the initial ClientHello. // @@ -1205,7 +1202,7 @@ func (c *Conn) doWriteRecord(typ recordType, data []byte) (n int, err error) { // layer to {3, 1}. vers = VersionTLS10 } - if isResumptionRecordVersionExperiment(c.wireVersion) || isResumptionRecordVersionExperiment(c.out.wireVersion) { + if c.vers >= VersionTLS13 || c.out.version >= VersionTLS13 { vers = VersionTLS12 } @@ -1240,7 +1237,7 @@ func (c *Conn) doWriteRecord(typ recordType, data []byte) (n int, err error) { } c.out.freeBlock(b) - if typ == recordTypeChangeCipherSpec && !isResumptionExperiment(c.wireVersion) { + if typ == recordTypeChangeCipherSpec && c.vers < VersionTLS13 { err = c.out.changeCipherSpec(c.config) if err != nil { return n, c.sendAlertLocked(alertLevelError, err.(alert)) @@ -1563,7 +1560,7 @@ func (c *Conn) processTLS13NewSessionTicket(newSessionTicket *newSessionTicketMs earlyALPN: c.clientProtocol, } - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { session.masterSecret = deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce) } 
@@ -1854,7 +1851,7 @@ func (c *Conn) exportKeyingMaterialTLS13(length int, secret, label, context []by if cipherSuite == nil { cipherSuite = c.earlyCipherSuite } - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { hash := cipherSuite.hash() exporterKeyingLabel := []byte("exporter") contextHash := hash.New() @@ -1951,7 +1948,7 @@ func (c *Conn) SendNewSessionTicket(nonce []byte) error { maxEarlyDataSize: c.config.MaxEarlyDataSize, } - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { m.ticketNonce = nonce } @@ -1970,7 +1967,7 @@ func (c *Conn) SendNewSessionTicket(nonce []byte) error { earlyALPN: []byte(c.clientProtocol), } - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { state.masterSecret = deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce) } @@ -2017,11 +2014,7 @@ func (c *Conn) sendFakeEarlyData(len int) error { payload := make([]byte, 5+len) payload[0] = byte(recordTypeApplicationData) payload[1] = 3 - payload[2] = 1 - if isResumptionRecordVersionVariant(c.config.TLS13Variant) { - payload[1] = 3 - payload[2] = 3 - } + payload[2] = 3 payload[3] = byte(len >> 8) payload[4] = byte(len) _, err := c.conn.Write(payload) diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go index 55d21c97be..cb24211f89 100644 --- a/ssl/test/runner/handshake_client.go +++ b/ssl/test/runner/handshake_client.go @@ -377,7 +377,7 @@ NextCipherSuite: // set. Fill in an arbitrary TLS 1.3 version to compute // the binder. if session.vers < VersionTLS13 { - version = tls13DraftVersion + version = tls13Draft22Version } generatePSKBinders(version, hello, pskCipherSuite, session.masterSecret, []byte{}, []byte{}, c.config) } 
@@ -416,14 +416,16 @@ NextCipherSuite: if !c.config.Bugs.SkipChangeCipherSpec && isDraft22(session.wireVersion) { c.wireVersion = session.wireVersion + c.vers = VersionTLS13 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) c.wireVersion = 0 + c.vers = 0 } var earlyTrafficSecret []byte - if isDraft21(session.wireVersion) { - earlyTrafficSecret = finishedHash.deriveSecret(earlyTrafficLabelDraft21) - c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabelDraft21) + if isDraft22(session.wireVersion) { + earlyTrafficSecret = finishedHash.deriveSecret(earlyTrafficLabelDraft22) + c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabelDraft22) } else { earlyTrafficSecret = finishedHash.deriveSecret(earlyTrafficLabel) c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabel) @@ -626,7 +628,7 @@ NextCipherSuite: hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1) if haveHelloRetryRequest { - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { err = hs.finishedHash.UpdateForHelloRetryRequest() if err != nil { return err @@ -727,13 +729,13 @@ NextCipherSuite: func (hs *clientHandshakeState) doTLS13Handshake() error { c := hs.c - if isResumptionExperiment(c.wireVersion) && !isDraft22(c.wireVersion) { + if !isDraft22(c.wireVersion) { // Early versions of the middlebox hacks inserted // ChangeCipherSpec differently on 0-RTT and 2-RTT handshakes. c.expectTLS13ChangeCipherSpec = true } - if isResumptionExperiment(c.wireVersion) && !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { + if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { return errors.New("tls: session IDs did not match.") } 
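Review bot: The early ChangeCipherSpec path now sets `c.vers = VersionTLS13` before `writeRecord` and resets it to 0 afterwards, with no explanation of why the field is touched. Per the conn.go hunks in this patch, `doWriteRecord` keys both the record version (`c.vers >= VersionTLS13`) and the call to `changeCipherSpec` (`c.vers < VersionTLS13`) on that field, so the temporary override is what stops this record from switching the write cipher. A comment such as `// Pretend TLS 1.3 is negotiated so doWriteRecord uses the 1.3 record version and does not change ciphers.` would make that dependency explicit. The enclosing function starts and ends outside the hunk.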
@@ -791,9 +793,9 @@ func (hs *clientHandshakeState) doTLS13Handshake() error { clientLabel := clientHandshakeTrafficLabel serverLabel := serverHandshakeTrafficLabel - if isDraft21(c.wireVersion) { - clientLabel = clientHandshakeTrafficLabelDraft21 - serverLabel = serverHandshakeTrafficLabelDraft21 + if isDraft22(c.wireVersion) { + clientLabel = clientHandshakeTrafficLabelDraft22 + serverLabel = serverHandshakeTrafficLabelDraft22 } // Derive handshake traffic keys and switch read key to handshake @@ -939,10 +941,10 @@ func (hs *clientHandshakeState) doTLS13Handshake() error { clientLabel = clientApplicationTrafficLabel serverLabel = serverApplicationTrafficLabel exportLabel := exporterLabel - if isDraft21(c.wireVersion) { - clientLabel = clientApplicationTrafficLabelDraft21 - serverLabel = serverApplicationTrafficLabelDraft21 - exportLabel = exporterLabelDraft21 + if isDraft22(c.wireVersion) { + clientLabel = clientApplicationTrafficLabelDraft22 + serverLabel = serverApplicationTrafficLabelDraft22 + exportLabel = exporterLabelDraft22 } clientTrafficSecret := hs.finishedHash.deriveSecret(clientLabel) @@ -991,7 +993,7 @@ func (hs *clientHandshakeState) doTLS13Handshake() error { helloRequest := new(helloRequestMsg) c.writeRecord(recordTypeHandshake, helloRequest.marshal()) } - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { endOfEarlyData := new(endOfEarlyDataMsg) endOfEarlyData.nonEmpty = c.config.Bugs.NonEmptyEndOfEarlyData c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()) @@ -1001,7 +1003,7 @@ func (hs *clientHandshakeState) doTLS13Handshake() error { } } - if !c.config.Bugs.SkipChangeCipherSpec && isResumptionClientCCSExperiment(c.wireVersion) && !hs.hello.hasEarlyData { + if !c.config.Bugs.SkipChangeCipherSpec && !hs.hello.hasEarlyData { c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) } 
@@ -1098,8 +1100,8 @@ func (hs *clientHandshakeState) doTLS13Handshake() error { c.useOutTrafficSecret(c.wireVersion, hs.suite, clientTrafficSecret) resumeLabel := resumptionLabel - if isDraft21(c.wireVersion) { - resumeLabel = resumptionLabelDraft21 + if isDraft22(c.wireVersion) { + resumeLabel = resumptionLabelDraft22 } c.resumptionSecret = hs.finishedHash.deriveSecret(resumeLabel) @@ -1845,8 +1847,8 @@ func generatePSKBinders(version uint16, hello *clientHelloMsg, pskCipherSuite *c binderSize := len(hello.pskBinders)*(binderLen+1) + 2 truncatedHello := helloBytes[:len(helloBytes)-binderSize] binderLabel := resumptionPSKBinderLabel - if isDraft21(version) { - binderLabel = resumptionPSKBinderLabelDraft21 + if isDraft22(version) { + binderLabel = resumptionPSKBinderLabelDraft22 } binder := computePSKBinder(psk, version, binderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) if config.Bugs.SendShortPSKBinder { diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go index 93d02e1b5b..c4a6e162fc 100644 --- a/ssl/test/runner/handshake_messages.go +++ b/ssl/test/runner/handshake_messages.go @@ -896,21 +896,17 @@ func (m *serverHelloMsg) marshal() []byte { } if m.versOverride != 0 { hello.addU16(m.versOverride) - } else if isResumptionExperiment(m.vers) { + } else if vers >= VersionTLS13 { hello.addU16(VersionTLS12) } else { hello.addU16(m.vers) } hello.addBytes(m.random) - if vers < VersionTLS13 || isResumptionExperiment(m.vers) { - sessionId := hello.addU8LengthPrefixed() - sessionId.addBytes(m.sessionId) - } + sessionId := hello.addU8LengthPrefixed() + sessionId.addBytes(m.sessionId) hello.addU16(m.cipherSuite) - if vers < VersionTLS13 || isResumptionExperiment(m.vers) { - hello.addU8(m.compressionMethod) - } + hello.addU8(m.compressionMethod) extensions := hello.addU16LengthPrefixed() 
@@ -927,14 +923,12 @@ func (m *serverHelloMsg) marshal() []byte { extensions.addU16(2) // Length extensions.addU16(m.pskIdentity) } - if isResumptionExperiment(m.vers) || m.supportedVersOverride != 0 { - extensions.addU16(extensionSupportedVersions) - extensions.addU16(2) // Length - if m.supportedVersOverride != 0 { - extensions.addU16(m.supportedVersOverride) - } else { - extensions.addU16(m.vers) - } + extensions.addU16(extensionSupportedVersions) + extensions.addU16(2) // Length + if m.supportedVersOverride != 0 { + extensions.addU16(m.supportedVersOverride) + } else { + extensions.addU16(m.vers) } if len(m.customExtension) > 0 { extensions.addU16(extensionCustom) @@ -980,19 +974,11 @@ func (m *serverHelloMsg) unmarshal(data []byte) bool { if !ok { return false } - if vers < VersionTLS13 || isResumptionExperiment(m.vers) { - if !reader.readU8LengthPrefixedBytes(&m.sessionId) { - return false - } - } - if !reader.readU16(&m.cipherSuite) { + if !reader.readU8LengthPrefixedBytes(&m.sessionId) || + !reader.readU16(&m.cipherSuite) || + !reader.readU8(&m.compressionMethod) { return false } - if vers < VersionTLS13 || isResumptionExperiment(m.vers) { - if !reader.readU8(&m.compressionMethod) { - return false - } - } if len(reader) == 0 && m.vers < VersionTLS13 { // Extension data is optional before TLS 1.3. @@ -1052,9 +1038,7 @@ func (m *serverHelloMsg) unmarshal(data []byte) bool { } m.hasPSKIdentity = true case extensionSupportedVersions: - if !isResumptionExperiment(m.vers) { - return false - } + // Parsed above. default: // Only allow the 3 extensions that are sent in // the clear in TLS 1.3. @@ -1386,7 +1370,7 @@ func (m *helloRetryRequestMsg) marshal() []byte { retryRequest.addU8(m.compressionMethod) } else { retryRequest.addU16(m.vers) - if isDraft21(m.vers) { + if isDraft22(m.vers) { retryRequest.addU16(m.cipherSuite) } } 
@@ -1440,7 +1424,7 @@ func (m *helloRetryRequestMsg) unmarshal(data []byte) bool { compressionMethod != 0 { return false } - } else if isDraft21(m.vers) && !reader.readU16(&m.cipherSuite) { + } else if isDraft22(m.vers) && !reader.readU16(&m.cipherSuite) { return false } var extensions byteReader @@ -1806,7 +1790,7 @@ func (m *certificateRequestMsg) marshal() []byte { requestContext := body.addU8LengthPrefixed() requestContext.addBytes(m.requestContext) extensions := newByteBuilder() - if isDraft21(m.vers) { + if isDraft22(m.vers) { extensions = body.addU16LengthPrefixed() if m.hasSignatureAlgorithm { extensions.addU16(extensionSignatureAlgorithms) @@ -1884,7 +1868,7 @@ func (m *certificateRequestMsg) unmarshal(data []byte) bool { m.raw = data reader := byteReader(data[4:]) - if isDraft21(m.vers) { + if isDraft22(m.vers) { var extensions byteReader if !reader.readU8LengthPrefixedBytes(&m.requestContext) || !reader.readU16LengthPrefixed(&extensions) || @@ -2037,7 +2021,7 @@ func (m *newSessionTicketMsg) marshal() []byte { body.addU32(m.ticketLifetime) if version >= VersionTLS13 { body.addU32(m.ticketAgeAdd) - if isDraft21(m.vers) { + if isDraft22(m.vers) { body.addU8LengthPrefixed().addBytes(m.ticketNonce) } } @@ -2049,7 +2033,7 @@ func (m *newSessionTicketMsg) marshal() []byte { extensions := body.addU16LengthPrefixed() if m.maxEarlyDataSize > 0 { extID := extensionTicketEarlyDataInfo - if isDraft21(m.vers) { + if isDraft22(m.vers) { extID = extensionEarlyData } extensions.addU16(extID) @@ -2089,7 +2073,7 @@ func (m *newSessionTicketMsg) unmarshal(data []byte) bool { } m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) data = data[4:] - if isDraft21(m.vers) { + if isDraft22(m.vers) { nonceLen := int(data[0]) data = data[1:] if len(data) < nonceLen { 
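Review bot: In `newSessionTicketMsg.unmarshal`, the draft-22 branch reads `data[0]` as the nonce length immediately after `data = data[4:]`, with no length check visible in between. A ticket that ends right after `ticketAgeAdd` would panic the runner instead of returning false. Adding `if len(data) < 1 { return false }` ahead of `nonceLen := int(data[0])` closes that, and the existing `len(data) < nonceLen` check then covers the nonce itself. The function starts before the hunk, so an earlier guard may exist that is not shown here.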
@@ -2128,7 +2112,7 @@ func (m *newSessionTicketMsg) unmarshal(data []byte) bool { } extID := extensionTicketEarlyDataInfo - if isDraft21(m.vers) { + if isDraft22(m.vers) { extID = extensionEarlyData } diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index 9ba6c2c4cc..0357889f6a 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go @@ -281,7 +281,7 @@ func (hs *serverHandshakeState) readClientHello() error { } if config.Bugs.ExpectNoTLS12Session { - if len(hs.clientHello.sessionId) > 0 && !isResumptionExperiment(c.wireVersion) { + if len(hs.clientHello.sessionId) > 0 && c.vers >= VersionTLS13 { return fmt.Errorf("tls: client offered an unexpected session ID") } if len(hs.clientHello.sessionTicket) > 0 { @@ -585,7 +585,7 @@ ResendHelloRetryRequest: } if sendHelloRetryRequest { - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { if err := hs.finishedHash.UpdateForHelloRetryRequest(); err != nil { return err } @@ -654,7 +654,7 @@ ResendHelloRetryRequest: // PSK binders and obfuscated ticket age are both updated in the // second ClientHello. - if isDraft21(c.wireVersion) && len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) { + if isDraft22(c.wireVersion) && len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) { newClientHelloCopy.pskIdentities = oldClientHelloCopy.pskIdentities } else { if len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) { 
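Review bot: The `ExpectNoTLS12Session` check in `readClientHello` looks inverted relative to the condition it replaces. `!isResumptionExperiment(c.wireVersion)` was false for both TLS 1.3 wire versions this patch keeps, so the session-ID check used to fire only below TLS 1.3, whereas `c.vers >= VersionTLS13` fires only at TLS 1.3. The same `!isResumptionExperiment(c.wireVersion)` in the `doWriteRecord` hunk of conn.go became `c.vers < VersionTLS13`. If the intent is unchanged, the line should read `if len(hs.clientHello.sessionId) > 0 && c.vers < VersionTLS13 {`. If the flip is deliberate, it needs a comment explaining it, since the handshake_client.cc hunk now fills in a random session ID whenever TLS 1.3 is enabled.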
@@ -695,9 +695,9 @@ ResendHelloRetryRequest: } if encryptedExtensions.extensions.hasEarlyData { var earlyTrafficSecret []byte - if isDraft21(c.wireVersion) { - earlyTrafficSecret = hs.finishedHash.deriveSecret(earlyTrafficLabelDraft21) - c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabelDraft21) + if isDraft22(c.wireVersion) { + earlyTrafficSecret = hs.finishedHash.deriveSecret(earlyTrafficLabelDraft22) + c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabelDraft22) } else { earlyTrafficSecret = hs.finishedHash.deriveSecret(earlyTrafficLabel) c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabel) @@ -809,7 +809,7 @@ ResendHelloRetryRequest: } c.flushHandshake() - if !c.config.Bugs.SkipChangeCipherSpec && isResumptionExperiment(c.wireVersion) && !sendHelloRetryRequest { + if !c.config.Bugs.SkipChangeCipherSpec && !sendHelloRetryRequest { c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) } @@ -819,9 +819,9 @@ ResendHelloRetryRequest: clientLabel := clientHandshakeTrafficLabel serverLabel := serverHandshakeTrafficLabel - if isDraft21(c.wireVersion) { - clientLabel = clientHandshakeTrafficLabelDraft21 - serverLabel = serverHandshakeTrafficLabelDraft21 + if isDraft22(c.wireVersion) { + clientLabel = clientHandshakeTrafficLabelDraft22 + serverLabel = serverHandshakeTrafficLabelDraft22 } // Switch to handshake traffic keys. @@ -968,10 +968,10 @@ ResendHelloRetryRequest: clientLabel = clientApplicationTrafficLabel serverLabel = serverApplicationTrafficLabel exportLabel := exporterLabel - if isDraft21(c.wireVersion) { - clientLabel = clientApplicationTrafficLabelDraft21 - serverLabel = serverApplicationTrafficLabelDraft21 - exportLabel = exporterLabelDraft21 + if isDraft22(c.wireVersion) { + clientLabel = clientApplicationTrafficLabelDraft22 + serverLabel = serverApplicationTrafficLabelDraft22 + exportLabel = exporterLabelDraft22 } clientTrafficSecret := hs.finishedHash.deriveSecret(clientLabel) 
@@ -991,7 +991,7 @@ ResendHelloRetryRequest: // Read end_of_early_data. if encryptedExtensions.extensions.hasEarlyData { - if isDraft21(c.wireVersion) { + if isDraft22(c.wireVersion) { msg, err := c.readHandshake() if err != nil { return err @@ -1012,7 +1012,7 @@ ResendHelloRetryRequest: } } } - if isResumptionClientCCSExperiment(c.wireVersion) && !isDraft22(c.wireVersion) && !hs.clientHello.hasEarlyData { + if !isDraft22(c.wireVersion) && !hs.clientHello.hasEarlyData { // Early versions of the middlebox hacks inserted // ChangeCipherSpec differently on 0-RTT and 2-RTT handshakes. c.expectTLS13ChangeCipherSpec = true @@ -1132,8 +1132,8 @@ ResendHelloRetryRequest: c.cipherSuite = hs.suite resumeLabel := resumptionLabel - if isDraft21(c.wireVersion) { - resumeLabel = resumptionLabelDraft21 + if isDraft22(c.wireVersion) { + resumeLabel = resumptionLabelDraft22 } c.resumptionSecret = hs.finishedHash.deriveSecret(resumeLabel) @@ -2135,8 +2135,8 @@ func verifyPSKBinder(version uint16, clientHello *clientHelloMsg, sessionState * } binderLabel := resumptionPSKBinderLabel - if isDraft21(version) { - binderLabel = resumptionPSKBinderLabelDraft21 + if isDraft22(version) { + binderLabel = resumptionPSKBinderLabelDraft22 } binder := computePSKBinder(sessionState.masterSecret, version, binderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) if !bytes.Equal(binder, binderToVerify) { diff --git a/ssl/test/runner/prf.go b/ssl/test/runner/prf.go index 54e18cba40..62c98b73ce 100644 --- a/ssl/test/runner/prf.go +++ b/ssl/test/runner/prf.go @@ -396,7 +396,7 @@ func (h *finishedHash) addEntropy(ikm []byte) { } func (h *finishedHash) nextSecret() { - if isDraft21(h.wireVersion) { + if isDraft22(h.wireVersion) { derivedLabel := []byte("derived") h.secret = hkdfExpandLabel(h.hash, h.wireVersion, h.secret, derivedLabel, h.hash.New().Sum(nil), h.hash.Size()) } 
@@ -410,7 +410,7 @@ func hkdfExpandLabel(hash crypto.Hash, version uint16, secret, label, hashValue } versionLabel := []byte("TLS 1.3, ") - if isDraft21(version) { + if isDraft22(version) { versionLabel = []byte("tls13 ") } @@ -450,17 +450,17 @@ var ( exporterLabel = []byte("exporter master secret") resumptionLabel = []byte("resumption master secret") - externalPSKBinderLabelDraft21 = []byte("ext binder") - resumptionPSKBinderLabelDraft21 = []byte("res binder") - earlyTrafficLabelDraft21 = []byte("c e traffic") - clientHandshakeTrafficLabelDraft21 = []byte("c hs traffic") - serverHandshakeTrafficLabelDraft21 = []byte("s hs traffic") - clientApplicationTrafficLabelDraft21 = []byte("c ap traffic") - serverApplicationTrafficLabelDraft21 = []byte("s ap traffic") - applicationTrafficLabelDraft21 = []byte("traffic upd") - earlyExporterLabelDraft21 = []byte("e exp master") - exporterLabelDraft21 = []byte("exp master") - resumptionLabelDraft21 = []byte("res master") + externalPSKBinderLabelDraft22 = []byte("ext binder") + resumptionPSKBinderLabelDraft22 = []byte("res binder") + earlyTrafficLabelDraft22 = []byte("c e traffic") + clientHandshakeTrafficLabelDraft22 = []byte("c hs traffic") + serverHandshakeTrafficLabelDraft22 = []byte("s hs traffic") + clientApplicationTrafficLabelDraft22 = []byte("c ap traffic") + serverApplicationTrafficLabelDraft22 = []byte("s ap traffic") + applicationTrafficLabelDraft22 = []byte("traffic upd") + earlyExporterLabelDraft22 = []byte("e exp master") + exporterLabelDraft22 = []byte("exp master") + resumptionLabelDraft22 = []byte("res master") resumptionPSKLabel = []byte("resumption") ) 
@@ -515,8 +515,8 @@ func deriveTrafficAEAD(version uint16, suite *cipherSuite, secret []byte, side t func updateTrafficSecret(hash crypto.Hash, version uint16, secret []byte) []byte { trafficLabel := applicationTrafficLabel - if isDraft21(version) { - trafficLabel = applicationTrafficLabelDraft21 + if isDraft22(version) { + trafficLabel = applicationTrafficLabelDraft22 } return hkdfExpandLabel(hash, version, secret, trafficLabel, nil, hash.Size()) } @@ -526,7 +526,7 @@ func computePSKBinder(psk []byte, version uint16, label []byte, cipherSuite *cip finishedHash.addEntropy(psk) binderKey := finishedHash.deriveSecret(label) finishedHash.Write(clientHello) - if isDraft21(version) && len(helloRetryRequest) != 0 { + if isDraft22(version) && len(helloRetryRequest) != 0 { finishedHash.UpdateForHelloRetryRequest() } finishedHash.Write(helloRetryRequest) diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index 4cfce261b8..545faf7420 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go @@ -1320,20 +1320,6 @@ var tlsVersions = []tlsVersion{ hasDTLS: true, versionDTLS: VersionDTLS12, }, - { - name: "TLS13", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13DraftVersion, - tls13Variant: TLS13Default, - }, - { - name: "TLS13Draft21", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13Draft21Version, - tls13Variant: TLS13Draft21, - }, { name: "TLS13Draft22", version: VersionTLS13, @@ -1341,13 +1327,6 @@ var tlsVersions = []tlsVersion{ versionWire: tls13Draft22Version, tls13Variant: TLS13Draft22, }, - { - name: "TLS13Experiment", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13ExperimentVersion, - tls13Variant: TLS13Experiment, - }, { name: "TLS13Experiment2", version: VersionTLS13, 
@@ -1355,13 +1334,6 @@ var tlsVersions = []tlsVersion{ versionWire: tls13Experiment2Version, tls13Variant: TLS13Experiment2, }, - { - name: "TLS13Experiment3", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13Experiment3Version, - tls13Variant: TLS13Experiment3, - }, } func allVersions(protocol protocol) []tlsVersion { @@ -3923,7 +3895,7 @@ func addClientAuthTests() { // Test that an empty client CA list doesn't send a CA extension. testCases = append(testCases, testCase{ testType: serverTest, - name: "TLS13Draft21-Empty-Client-CA-List", + name: "TLS13Draft22-Empty-Client-CA-List", config: Config{ MaxVersion: VersionTLS13, Certificates: []Certificate{rsaCertificate}, @@ -3931,7 +3903,7 @@ func addClientAuthTests() { ExpectNoCertificateAuthoritiesExtension: true, }, }, - tls13Variant: TLS13Draft21, + tls13Variant: TLS13Draft22, flags: []string{ "-require-any-client-certificate", "-use-client-ca-list", "", @@ -5334,9 +5306,8 @@ func addVersionNegotiationTests() { expectedClientVersion := expectedVersion if expectedVersion == VersionTLS13 && runnerVers.tls13Variant != shimVers.tls13Variant { expectedClientVersion = VersionTLS12 - expectedServerVersion = VersionTLS12 - if shimVers.tls13Variant != TLS13Default && runnerVers.tls13Variant != TLS13Draft21 && runnerVers.tls13Variant != TLS13Draft22 { - expectedServerVersion = VersionTLS13 + if shimVers.tls13Variant == TLS13Draft22 { + expectedServerVersion = VersionTLS12 } } @@ -5353,10 +5324,7 @@ func addVersionNegotiationTests() { clientVers = recordVersionToWire(clientVers, protocol) serverVers := expectedServerVersion if expectedServerVersion >= VersionTLS13 { - serverVers = VersionTLS10 - if runnerVers.tls13Variant == TLS13Experiment2 || runnerVers.tls13Variant == TLS13Experiment3 || runnerVers.tls13Variant == TLS13Draft22 { - serverVers = VersionTLS12 - } + serverVers = VersionTLS12 } serverVers = recordVersionToWire(serverVers, protocol) 
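Review bot: The new `if shimVers.tls13Variant == TLS13Draft22` branch in addVersionNegotiationTests encodes an asymmetry that nothing in the hunk explains: on a variant mismatch, the shim server is expected to fall back to TLS 1.2 only when it runs the draft-22 variant. Going by the commit message (configuring any variant on the server enables all of them), this is presumably because draft 22 is now the default and a default server accepts only that wire version. I would state that above the branch, e.g. `// A server on the default (draft 22) variant accepts only that wire version; any other variant enables all of them.` The enclosing function starts and ends outside the hunk.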
@@ -5541,21 +5509,6 @@ func addVersionNegotiationTests() { expectedError: ":UNEXPECTED_EXTENSION:", }) - // Test that the non-experimental TLS 1.3 isn't negotiated by the - // supported_versions extension in the ServerHello. - testCases = append(testCases, testCase{ - testType: clientTest, - name: "SupportedVersionSelection-TLS13", - config: Config{ - MaxVersion: VersionTLS13, - Bugs: ProtocolBugs{ - SendServerSupportedExtensionVersion: tls13DraftVersion, - }, - }, - shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION:", - }) - // Test that the maximum version is selected regardless of the // client-sent order. testCases = append(testCases, testCase{ @@ -5563,7 +5516,7 @@ func addVersionNegotiationTests() { name: "IgnoreClientVersionOrder", config: Config{ Bugs: ProtocolBugs{ - SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion}, + SendSupportedVersions: []uint16{VersionTLS12, tls13Draft22Version}, }, }, expectedVersion: VersionTLS13, @@ -6814,8 +6767,7 @@ func addResumptionVersionTests() { MaxVersion: sessionVers.version, TLS13Variant: sessionVers.tls13Variant, Bugs: ProtocolBugs{ - ExpectNoTLS12Session: sessionVers.version >= VersionTLS13, - ExpectNoTLS13PSK: sessionVers.version < VersionTLS13, + ExpectNoTLS13PSK: sessionVers.version < VersionTLS13, }, }, expectedVersion: sessionVers.version, @@ -11380,19 +11332,14 @@ func addTLS13HandshakeTests() { tls13Variant: variant, }) - hasSessionID := false - if variant != TLS13Default { - hasSessionID = true - } - - // Test that the client sends a fake session ID in the correct experiments. + // Test that the client sends a fake session ID in TLS 1.3. testCases = append(testCases, testCase{ testType: clientTest, name: "TLS13SessionID-" + name, config: Config{ MaxVersion: VersionTLS13, Bugs: ProtocolBugs{ - ExpectClientHelloSessionID: hasSessionID, + ExpectClientHelloSessionID: true, }, }, tls13Variant: variant, 
@@ -11709,7 +11656,7 @@ func addTLS13HandshakeTests() { expectedError: ":WRONG_CURVE:", }) - if isDraft21(version.versionWire) { + if isDraft22(version.versionWire) { testCases = append(testCases, testCase{ name: "HelloRetryRequest-CipherChange-" + name, config: Config{ @@ -11996,7 +11943,7 @@ func addTLS13HandshakeTests() { expectedError: ":DECODE_ERROR:", }) - if isDraft21(version.versionWire) { + if isDraft22(version.versionWire) { testCases = append(testCases, testCase{ name: "UnknownExtensionInCertificateRequest-" + name, config: Config{ @@ -12678,7 +12625,7 @@ func addTLS13HandshakeTests() { }) expectedError := ":UNEXPECTED_RECORD:" - if isDraft21(version.versionWire) { + if isDraft22(version.versionWire) { // In draft-21 and up, early data is expected to be // terminated by a handshake message, though we test // with the wrong one. @@ -12780,7 +12727,7 @@ func addTLS13HandshakeTests() { expectedLocalError: "remote error: error decrypting message", }) - if isDraft21(version.versionWire) { + if isDraft22(version.versionWire) { testCases = append(testCases, testCase{ testType: serverTest, name: "Server-NonEmptyEndOfEarlyData-" + name, diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc index f471a4e94a..c230afab57 100644 --- a/ssl/tls13_client.cc +++ b/ssl/tls13_client.cc @@ -104,7 +104,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { CBS body = msg.body; uint16_t server_version; if (!CBS_get_u16(&body, &server_version) || - (ssl_is_draft21(ssl->version) && + (ssl_is_draft22(ssl->version) && !CBS_get_u16(&body, &cipher_suite)) || !CBS_get_u16_length_prefixed(&body, &extensions) || CBS_len(&body) != 0) { @@ -114,7 +114,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { } } - if (ssl_is_draft21(ssl->version)) { + if (ssl_is_draft22(ssl->version)) { const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); // Check if the cipher is a TLS 1.3 cipher. if (cipher == NULL || 
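Review bot: The context comment `In draft-21 and up, early data is expected to be terminated by a handshake message` in the `expectedError` hunk now sits under `isDraft22(version.versionWire)`, so it names a draft this commit stops supporting. I would reword its opening to `// In draft 22, early data is expected to be` and keep the rest. The same applies in the ssl/tls13_enc.cc hunk for tls13_advance_key_schedule, where `// Draft 18 does not include the extra Derive-Secret step.` precedes a check that is now `ssl_is_draft22(ssl->version)`. There, `// Only draft 22 includes the extra Derive-Secret step.` describes the branch as it stands, since the remaining non-draft-22 variant appears to be experiment2.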
@@ -253,12 +253,11 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { uint8_t compression_method; if (!CBS_get_u16(&body, &server_version) || !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) || - (ssl_is_resumption_experiment(ssl->version) && - (!CBS_get_u8_length_prefixed(&body, &session_id) || - !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len))) || + !CBS_get_u8_length_prefixed(&body, &session_id) || + !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) || !CBS_get_u16(&body, &cipher_suite) || - (ssl_is_resumption_experiment(ssl->version) && - (!CBS_get_u8(&body, &compression_method) || compression_method != 0)) || + !CBS_get_u8(&body, &compression_method) || + compression_method != 0 || !CBS_get_u16_length_prefixed(&body, &extensions) || CBS_len(&body) != 0) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); @@ -266,10 +265,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - uint16_t expected_version = ssl_is_resumption_experiment(ssl->version) - ? TLS1_2_VERSION - : ssl->version; - if (server_version != expected_version) { + if (server_version != TLS1_2_VERSION) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER); return ssl_hs_error; @@ -297,7 +293,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { } // Check that the cipher matches the one in the HelloRetryRequest. - if (ssl_is_draft21(ssl->version) && + if (ssl_is_draft22(ssl->version) && hs->received_hello_retry_request && hs->new_cipher != cipher) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); 
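Review bot: In do_read_server_hello the session-ID echo comparison and the `compression_method != 0` test are now unconditional members of the parse chain, so a ServerHello that parses cleanly but echoes a different session ID is answered with `SSL_AD_DECODE_ERROR`, the same as a truncated message. The published TLS 1.3 specification asks for illegal_parameter on an echo mismatch; whether draft 22 already says so should be checked against the draft. Moving the two value checks out of the chain, as sketched below, keeps malformed input and a peer that answers with wrong values distinguishable in alerts and logs. The function body continues outside the hunk, so the reason code used on the existing error path is not visible here.

```cpp
// … unchanged: CBS_get_* parse chain and its decode_error path, minus the two value checks …
if (!CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
    compression_method != 0) {
  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
  return ssl_hs_error;
}
```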
@@ -324,14 +320,6 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - // supported_versions is parsed in handshake_client to select the experimental - // TLS 1.3 version. - if (have_supported_versions && !ssl_is_resumption_experiment(ssl->version)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); - ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); - return ssl_hs_error; - } - alert = SSL_AD_DECODE_ERROR; if (have_pre_shared_key) { if (ssl->session == NULL) { @@ -426,8 +414,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { if (!hs->early_data_offered) { // Earlier versions of the resumption experiment added ChangeCipherSpec just // before the Finished flight. - if (ssl_is_resumption_client_ccs_experiment(ssl->version) && - !ssl_is_draft22(ssl->version) && + if (!ssl_is_draft22(ssl->version) && !ssl->method->add_change_cipher_spec(ssl)) { return ssl_hs_error; } @@ -523,7 +510,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { } - if (ssl_is_draft21(ssl->version)) { + if (ssl_is_draft22(ssl->version)) { bool have_sigalgs = false, have_ca = false; CBS sigalgs, ca; const SSL_EXTENSION_TYPE ext_types[] = { @@ -678,7 +665,7 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) { if (ssl->early_data_accepted) { hs->can_early_write = false; - if (ssl_is_draft21(ssl->version)) { + if (ssl_is_draft22(ssl->version)) { ScopedCBB cbb; CBB body; if (!ssl->method->init_message(ssl, cbb.get(), &body, 
@@ -917,7 +904,7 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) { CBS body = msg.body, ticket_nonce, ticket, extensions; if (!CBS_get_u32(&body, &server_timeout) || !CBS_get_u32(&body, &session->ticket_age_add) || - (ssl_is_draft21(ssl->version) && + (ssl_is_draft22(ssl->version) && !CBS_get_u8_length_prefixed(&body, &ticket_nonce)) || !CBS_get_u16_length_prefixed(&body, &ticket) || !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) || @@ -941,7 +928,7 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) { // Parse out the extensions. bool have_early_data_info = false; CBS early_data_info; - uint16_t ext_id = ssl_is_draft21(ssl->version) + uint16_t ext_id = ssl_is_draft22(ssl->version) ? TLSEXT_TYPE_early_data : TLSEXT_TYPE_ticket_early_data_info; const SSL_EXTENSION_TYPE ext_types[] = { diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc index 9dcd0711d5..1bf820ea49 100644 --- a/ssl/tls13_enc.cc +++ b/ssl/tls13_enc.cc @@ -72,7 +72,7 @@ static int hkdf_expand_label(uint8_t *out, uint16_t version, size_t label_len, const uint8_t *hash, size_t hash_len, size_t len) { const char *kTLS13LabelVersion = - ssl_is_draft21(version) ? "tls13 " : "TLS 1.3, "; + ssl_is_draft22(version) ? "tls13 " : "TLS 1.3, "; ScopedCBB cbb; CBB child; @@ -104,7 +104,7 @@ int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in, SSL *const ssl = hs->ssl; // Draft 18 does not include the extra Derive-Secret step. - if (ssl_is_draft21(ssl->version)) { + if (ssl_is_draft22(ssl->version)) { uint8_t derive_context[EVP_MAX_MD_SIZE]; unsigned derive_context_len; if (!EVP_Digest(nullptr, 0, derive_context, &derive_context_len, 
@@ -224,24 +224,24 @@ static const char kTLS13LabelClientApplicationTraffic[] = static const char kTLS13LabelServerApplicationTraffic[] = "server application traffic secret"; -static const char kTLS13Draft21LabelExporter[] = "exp master"; -static const char kTLS13Draft21LabelEarlyExporter[] = "e exp master"; +static const char kTLS13Draft22LabelExporter[] = "exp master"; +static const char kTLS13Draft22LabelEarlyExporter[] = "e exp master"; -static const char kTLS13Draft21LabelClientEarlyTraffic[] = "c e traffic"; -static const char kTLS13Draft21LabelClientHandshakeTraffic[] = "c hs traffic"; -static const char kTLS13Draft21LabelServerHandshakeTraffic[] = "s hs traffic"; -static const char kTLS13Draft21LabelClientApplicationTraffic[] = "c ap traffic"; -static const char kTLS13Draft21LabelServerApplicationTraffic[] = "s ap traffic"; +static const char kTLS13Draft22LabelClientEarlyTraffic[] = "c e traffic"; +static const char kTLS13Draft22LabelClientHandshakeTraffic[] = "c hs traffic"; +static const char kTLS13Draft22LabelServerHandshakeTraffic[] = "s hs traffic"; +static const char kTLS13Draft22LabelClientApplicationTraffic[] = "c ap traffic"; +static const char kTLS13Draft22LabelServerApplicationTraffic[] = "s ap traffic"; int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; uint16_t version = SSL_get_session(ssl)->ssl_version; - const char *early_traffic_label = ssl_is_draft21(version) - ? kTLS13Draft21LabelClientEarlyTraffic + const char *early_traffic_label = ssl_is_draft22(version) + ? kTLS13Draft22LabelClientEarlyTraffic : kTLS13LabelClientEarlyTraffic; - const char *early_exporter_label = ssl_is_draft21(version) - ? kTLS13Draft21LabelEarlyExporter + const char *early_exporter_label = ssl_is_draft22(version) + ? kTLS13Draft22LabelEarlyExporter : kTLS13LabelEarlyExporter; if (!derive_secret(hs, hs->early_traffic_secret, hs->hash_len, early_traffic_label, strlen(early_traffic_label)) || 
@@ -257,11 +257,11 @@ int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) { int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - const char *client_label = ssl_is_draft21(ssl->version) - ? kTLS13Draft21LabelClientHandshakeTraffic + const char *client_label = ssl_is_draft22(ssl->version) + ? kTLS13Draft22LabelClientHandshakeTraffic : kTLS13LabelClientHandshakeTraffic; - const char *server_label = ssl_is_draft21(ssl->version) - ? kTLS13Draft21LabelServerHandshakeTraffic + const char *server_label = ssl_is_draft22(ssl->version) + ? kTLS13Draft22LabelServerHandshakeTraffic : kTLS13LabelServerHandshakeTraffic; return derive_secret(hs, hs->client_handshake_secret, hs->hash_len, client_label, strlen(client_label)) && @@ -276,14 +276,14 @@ int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) { int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; ssl->s3->exporter_secret_len = hs->hash_len; - const char *client_label = ssl_is_draft21(ssl->version) - ? kTLS13Draft21LabelClientApplicationTraffic + const char *client_label = ssl_is_draft22(ssl->version) + ? kTLS13Draft22LabelClientApplicationTraffic : kTLS13LabelClientApplicationTraffic; - const char *server_label = ssl_is_draft21(ssl->version) - ? kTLS13Draft21LabelServerApplicationTraffic + const char *server_label = ssl_is_draft22(ssl->version) + ? kTLS13Draft22LabelServerApplicationTraffic : kTLS13LabelServerApplicationTraffic; - const char *exporter_label = ssl_is_draft21(ssl->version) - ? kTLS13Draft21LabelExporter + const char *exporter_label = ssl_is_draft22(ssl->version) + ? kTLS13Draft22LabelExporter : kTLS13LabelExporter; return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len, client_label, strlen(client_label)) && 
@@ -301,7 +301,7 @@ int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) { static const char kTLS13LabelApplicationTraffic[] = "application traffic secret"; -static const char kTLS13Draft21LabelApplicationTraffic[] = "traffic upd"; +static const char kTLS13Draft22LabelApplicationTraffic[] = "traffic upd"; int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) { uint8_t *secret; @@ -314,8 +314,8 @@ int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) { secret_len = ssl->s3->write_traffic_secret_len; } - const char *traffic_label = ssl_is_draft21(ssl->version) - ? kTLS13Draft21LabelApplicationTraffic + const char *traffic_label = ssl_is_draft22(ssl->version) + ? kTLS13Draft22LabelApplicationTraffic : kTLS13LabelApplicationTraffic; const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl)); @@ -329,15 +329,15 @@ int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) { } static const char kTLS13LabelResumption[] = "resumption master secret"; -static const char kTLS13Draft21LabelResumption[] = "res master"; +static const char kTLS13Draft22LabelResumption[] = "res master"; int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) { if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; } - const char *resumption_label = ssl_is_draft21(hs->ssl->version) - ? kTLS13Draft21LabelResumption + const char *resumption_label = ssl_is_draft22(hs->ssl->version) + ? kTLS13Draft22LabelResumption : kTLS13LabelResumption; hs->new_session->master_key_length = hs->hash_len; return derive_secret(hs, hs->new_session->master_key, @@ -388,7 +388,7 @@ int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, static const char kTLS13LabelResumptionPSK[] = "resumption"; bool tls13_derive_session_psk(SSL_SESSION *session, Span nonce) { - if (!ssl_is_draft21(session->ssl_version)) { + if (!ssl_is_draft22(session->ssl_version)) { return true; } 
@@ -413,7 +413,7 @@ int tls13_export_keying_material(SSL *ssl, Span out, } uint16_t version = SSL_get_session(ssl)->ssl_version; - if (!ssl_is_draft21(version)) { + if (!ssl_is_draft22(version)) { const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl)); return hkdf_expand_label(out.data(), version, digest, secret.data(), secret.size(), label.data(), label.size(), @@ -443,7 +443,7 @@ int tls13_export_keying_material(SSL *ssl, Span out, } static const char kTLS13LabelPSKBinder[] = "resumption psk binder key"; -static const char kTLS13Draft21LabelPSKBinder[] = "res binder"; +static const char kTLS13Draft22LabelPSKBinder[] = "res binder"; static int tls13_psk_binder(uint8_t *out, uint16_t version, const EVP_MD *digest, uint8_t *psk, size_t psk_len, @@ -461,8 +461,8 @@ static int tls13_psk_binder(uint8_t *out, uint16_t version, NULL, 0)) { return 0; } - const char *binder_label = ssl_is_draft21(version) - ? kTLS13Draft21LabelPSKBinder + const char *binder_label = ssl_is_draft22(version) + ? kTLS13Draft22LabelPSKBinder : kTLS13LabelPSKBinder; uint8_t binder_key[EVP_MAX_MD_SIZE] = {0}; diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc index 1040ace03d..af9167cad1 100644 --- a/ssl/tls13_server.cc +++ b/ssl/tls13_server.cc @@ -182,7 +182,7 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) { SSL3_MT_NEW_SESSION_TICKET) || !CBB_add_u32(&body, session->timeout) || !CBB_add_u32(&body, session->ticket_age_add) || - (ssl_is_draft21(ssl->version) && + (ssl_is_draft22(ssl->version) && (!CBB_add_u8_length_prefixed(&body, &nonce_cbb) || !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)))) || !CBB_add_u16_length_prefixed(&body, &ticket) || 
@@ -194,7 +194,7 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) { if (ssl->cert->enable_early_data) { CBB early_data_info; - if (!CBB_add_u16(&extensions, ssl_is_draft21(ssl->version) + if (!CBB_add_u16(&extensions, ssl_is_draft22(ssl->version) ? TLSEXT_TYPE_early_data : TLSEXT_TYPE_ticket_early_data_info) || !CBB_add_u16_length_prefixed(&extensions, &early_data_info) || @@ -472,7 +472,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { ssl->early_data_accepted = false; ssl->s3->skip_early_data = true; ssl->method->next_message(ssl); - if (ssl_is_draft21(ssl->version) && + if (ssl_is_draft22(ssl->version) && !hs->transcript.UpdateForHelloRetryRequest()) { return ssl_hs_error; } @@ -525,7 +525,7 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_HELLO_RETRY_REQUEST) || !CBB_add_u16(&body, ssl->version) || - (ssl_is_draft21(ssl->version) && + (ssl_is_draft22(ssl->version) && !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher))) || !tls1_get_shared_group(hs, &group_id) || !CBB_add_u16_length_prefixed(&body, &extensions) || 
@@ -580,34 +580,26 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - uint16_t version = ssl->version; - if (ssl_is_resumption_experiment(ssl->version)) { - version = TLS1_2_VERSION; - } - // Send a ServerHello. ScopedCBB cbb; CBB body, extensions, session_id; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || - !CBB_add_u16(&body, version) || + !CBB_add_u16(&body, TLS1_2_VERSION) || !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) || !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || - (ssl_is_resumption_experiment(ssl->version) && - (!CBB_add_u8_length_prefixed(&body, &session_id) || - !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len))) || + !CBB_add_u8_length_prefixed(&body, &session_id) || + !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) || !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) || - (ssl_is_resumption_experiment(ssl->version) && !CBB_add_u8(&body, 0)) || + !CBB_add_u8(&body, 0) || !CBB_add_u16_length_prefixed(&body, &extensions) || !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) || !ssl_ext_key_share_add_serverhello(hs, &extensions) || - (ssl_is_resumption_experiment(ssl->version) && - !ssl_ext_supported_versions_add_serverhello(hs, &extensions)) || + !ssl_ext_supported_versions_add_serverhello(hs, &extensions) || !ssl_add_message_cbb(ssl, cbb.get())) { return ssl_hs_error; } - if (ssl_is_resumption_experiment(ssl->version) && - (!ssl_is_draft22(ssl->version) || !hs->sent_hello_retry_request) && + if ((!ssl_is_draft22(ssl->version) || !hs->sent_hello_retry_request) && !ssl->method->add_change_cipher_spec(ssl)) { return ssl_hs_error; } 
@@ -639,7 +631,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { // Send a CertificateRequest, if necessary. if (hs->cert_request) { - if (ssl_is_draft21(ssl->version)) { + if (ssl_is_draft22(ssl->version)) { CBB cert_request_extensions, sigalg_contents, sigalgs_cbb; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE_REQUEST) || @@ -737,7 +729,7 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { // the wire sooner and also avoids triggering a write on |SSL_read| when // processing the client Finished. This requires computing the client // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. - if (ssl_is_draft21(ssl->version)) { + if (ssl_is_draft22(ssl->version)) { static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0, 0}; if (!hs->transcript.Update(kEndOfEarlyData)) { @@ -799,7 +791,7 @@ static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) { // If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec // message will be in the discarded early data. if (hs->ssl->early_data_accepted) { - if (ssl_is_draft21(ssl->version)) { + if (ssl_is_draft22(ssl->version)) { SSLMessage msg; if (!ssl->method->get_message(ssl, &msg)) { return ssl_hs_read_message; diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc index a1363fa6f3..3d34951d1b 100644 --- a/ssl/tls_record.cc +++ b/ssl/tls_record.cc @@ -264,7 +264,7 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, *out_consumed = in.size() - CBS_len(&cbs); if (ssl->s3->have_version && - ssl_is_resumption_experiment(ssl->version) && + ssl_protocol_version(ssl) >= TLS1_3_VERSION && SSL_in_init(ssl) && type == SSL3_RT_CHANGE_CIPHER_SPEC && ciphertext_len == 1 && 
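Review bot: The ChangeCipherSpec check in tls_open_record is now keyed on `ssl_protocol_version(ssl) >= TLS1_3_VERSION` rather than on a named experiment, and the hunk cuts off inside the condition, so what happens to a matching record is not visible here. These records are unauthenticated and arrive before the handshake completes, so if the body discards them, the number accepted per connection should be bounded; please confirm that it is. A comment at the check would also replace the intent the old helper name carried, e.g. `// TLS 1.3 middlebox compatibility: a one-byte ChangeCipherSpec during the handshake gets special handling.`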
@@ -357,7 +357,7 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, if (type == SSL3_RT_ALERT) { // Return end_of_early_data alerts as-is for the caller to process. - if (!ssl_is_draft21(ssl->version) && + if (!ssl_is_draft22(ssl->version) && out->size() == 2 && (*out)[0] == SSL3_AL_WARNING && (*out)[1] == TLS1_AD_END_OF_EARLY_DATA) { diff --git a/tool/client.cc b/tool/client.cc index fa279ae52e..fc8f5e06f0 100644 --- a/tool/client.cc +++ b/tool/client.cc @@ -332,30 +332,14 @@ static bool DoConnection(SSL_CTX *ctx, } static bool GetTLS13Variant(tls13_variant_t *out, const std::string &in) { - if (in == "draft") { + if (in == "draft22") { *out = tls13_default; return true; } - if (in == "draft21") { - *out = tls13_draft21; - return true; - } - if (in == "experiment") { - *out = tls13_experiment; - return true; - } if (in == "experiment2") { *out = tls13_experiment2; return true; } - if (in == "experiment3") { - *out = tls13_experiment3; - return true; - } - if (in == "draft22") { - *out = tls13_draft22; - return true; - } return false; } diff --git a/tool/server.cc b/tool/server.cc index 99638852db..37235a7898 100644 --- a/tool/server.cc +++ b/tool/server.cc @@ -68,10 +68,7 @@ static const struct argument kArguments[] = { "-early-data", kBooleanArgument, "Allow early data", }, { - "-tls13-variant", kBooleanArgument, "Enable TLS 1.3 variants", - }, - { - "-tls13-draft22-variant", kBooleanArgument, "Enable TLS 1.3 Draft 22.", + "-tls13-variant", kBooleanArgument, "Enables all TLS 1.3 variants", }, { "-www", kBooleanArgument, 
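Review bot: GetTLS13Variant in tool/client.cc now maps the string `draft22` to `tls13_default`, which reads like a mistake unless the reader knows the enum no longer has a draft-22 entry. A one-line comment would settle it: `// Draft 22 is the default variant.` The names `draft`, `draft21`, `experiment` and `experiment3` are now rejected with a plain `return false`. The flag's help text is outside the hunk and should list only the two remaining values.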
@@ -310,11 +307,8 @@ bool Server(const std::vector &args) { SSL_CTX_set_early_data_enabled(ctx.get(), 1); } - // Draft 22 variants need to be explicitly enabled. - if (args_map.count("-tls13-draft22-variant") != 0) { - SSL_CTX_set_tls13_variant(ctx.get(), tls13_draft22); - } else if (args_map.count("-tls13-variant") != 0) { - SSL_CTX_set_tls13_variant(ctx.get(), tls13_experiment); + if (args_map.count("-tls13-variant") != 0) { + SSL_CTX_set_tls13_variant(ctx.get(), tls13_experiment2); } if (args_map.count("-debug") != 0) {
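Review bot: `-tls13-variant` in Server() now selects `tls13_experiment2`, while its help text in kArguments says it enables all variants; the link between the two exists only in the commit message (any variant configured on a server enables all of them). The removed comment is not replaced, so I would add `// Configuring any variant on the server enables all TLS 1.3 variants.` above the call. Scripts that still pass the removed `-tls13-draft22-variant` flag will need updating, which the Upgrade-Note does not mention.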