Remove draft22 and experiment2.

Change-Id: I2486dc810ea842c534015fc04917712daa26cfde
Update-Note: Now that tls13_experiment2 is gone, the server should remove the set_tls13_variant call. To avoid further churn, we'll make the server default for future variants to be what we'd like to deploy.
Reviewed-on: https://boringssl-review.googlesource.com/25104
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>

include/openssl/ssl.h

@@ -593,9 +593,7 @@ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
 #define DTLS1_VERSION 0xfeff
 #define DTLS1_2_VERSION 0xfefd
 
-#define TLS1_3_DRAFT22_VERSION 0x7f16
 #define TLS1_3_DRAFT23_VERSION 0x7f17
-#define TLS1_3_EXPERIMENT2_VERSION 0x7e02
 
 // SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to
 // |version|. If |version| is zero, the default minimum version is used. It
@@ -3304,8 +3302,6 @@ OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
 
 enum tls13_variant_t {
   tls13_default = 0,
-  tls13_experiment2 = 1,
-  tls13_draft22 = 2,
 };
 
 // SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the

include/openssl/tls1.h

@@ -213,15 +213,13 @@ extern "C" {
 
 // ExtensionType values from draft-ietf-tls-tls13-18
 #define TLSEXT_TYPE_supported_groups 10
-#define TLSEXT_TYPE_old_key_share 40
 #define TLSEXT_TYPE_pre_shared_key 41
 #define TLSEXT_TYPE_early_data 42
 #define TLSEXT_TYPE_supported_versions 43
 #define TLSEXT_TYPE_cookie 44
 #define TLSEXT_TYPE_psk_key_exchange_modes 45
-#define TLSEXT_TYPE_ticket_early_data_info 46
 #define TLSEXT_TYPE_certificate_authorities 47
-#define TLSEXT_TYPE_new_key_share 51
+#define TLSEXT_TYPE_key_share 51
 
 // ExtensionType value from RFC5746
 #define TLSEXT_TYPE_renegotiate 0xff01

ssl/handshake_client.cc

@@ -493,8 +493,7 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
   }
 
   ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->session->ssl_version);
-  if (ssl_is_draft22(ssl->session->ssl_version) &&
-      !ssl->method->add_change_cipher_spec(ssl)) {
+  if (!ssl->method->add_change_cipher_spec(ssl)) {
     return ssl_hs_error;
   }
 

ssl/internal.h

@@ -392,18 +392,6 @@ bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 // call this function before the version is determined.
 uint16_t ssl_protocol_version(const SSL *ssl);
 
-// ssl_is_draft22 returns whether the version corresponds to a draft22 TLS 1.3
-// variant.
-bool ssl_is_draft22(uint16_t version);
-
-// ssl_is_draft23 returns whether the version corresponds to a draft23 TLS 1.3
-// variant.
-bool ssl_is_draft23(uint16_t version);
-
-// ssl_is_draft23_variant returns whether the variant corresponds to a
-// draft23 TLS 1.3 variant.
- bool ssl_is_draft23_variant(enum tls13_variant_t variant);
-
 // Cipher suites.
 
 }  // namespace bssl

ssl/s3_pkt.cc

@@ -304,14 +304,6 @@ ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span<uint8_t> *out,
   const bool is_early_data_read = ssl->server && SSL_in_early_data(ssl);
 
   if (type == SSL3_RT_HANDSHAKE) {
-    // If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
-    // by an alert.
-    if (!ssl_is_draft22(ssl->version) && is_early_data_read) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
-      *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
-      return ssl_open_record_error;
-    }
-
     // Post-handshake data prior to TLS 1.3 is always renegotiation, which we
     // never accept as a server. Otherwise |ssl3_get_message| will send
     // |SSL_R_EXCESSIVE_MESSAGE_SIZE|.
@@ -332,16 +324,6 @@ ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span<uint8_t> *out,
     return ssl_open_record_discard;
   }
 
-  // Handle the end_of_early_data alert.
-  static const uint8_t kEndOfEarlyData[2] = {SSL3_AL_WARNING,
-                                             TLS1_AD_END_OF_EARLY_DATA};
-  if (!ssl_is_draft22(ssl->version) && is_early_data_read &&
-      type == SSL3_RT_ALERT && body == kEndOfEarlyData) {
-    // Stop accepting early data.
-    ssl->s3->hs->can_early_read = false;
-    return ssl_open_record_discard;
-  }
-
   if (type != SSL3_RT_APPLICATION_DATA) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
     *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

ssl/ssl_test.cc

@@ -2618,7 +2618,7 @@ TEST(SSLTest, SetVersion) {
 
   // TLS1_3_DRAFT_VERSION is not an API-level version.
   EXPECT_FALSE(
-      SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT22_VERSION));
+      SSL_CTX_set_max_proto_version(ctx.get(), TLS1_3_DRAFT23_VERSION));
   ERR_clear_error();
 
   ctx.reset(SSL_CTX_new(DTLS_method()));

ssl/ssl_versions.cc

@@ -34,9 +34,7 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
       *out = version;
       return true;
 
-    case TLS1_3_DRAFT22_VERSION:
     case TLS1_3_DRAFT23_VERSION:
-    case TLS1_3_EXPERIMENT2_VERSION:
       *out = TLS1_3_VERSION;
       return true;
 
@@ -59,8 +57,6 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
 
 static const uint16_t kTLSVersions[] = {
     TLS1_3_DRAFT23_VERSION,
-    TLS1_3_DRAFT22_VERSION,
-    TLS1_3_EXPERIMENT2_VERSION,
     TLS1_2_VERSION,
     TLS1_1_VERSION,
     TLS1_VERSION,
@@ -103,9 +99,7 @@ static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
 
 static const char *ssl_version_to_string(uint16_t version) {
   switch (version) {
-    case TLS1_3_DRAFT22_VERSION:
     case TLS1_3_DRAFT23_VERSION:
-    case TLS1_3_EXPERIMENT2_VERSION:
       return "TLSv1.3";
 
     case TLS1_2_VERSION:
@@ -134,9 +128,7 @@ static const char *ssl_version_to_string(uint16_t version) {
 static uint16_t wire_version_to_api(uint16_t version) {
   switch (version) {
     // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
-    case TLS1_3_DRAFT22_VERSION:
     case TLS1_3_DRAFT23_VERSION:
-    case TLS1_3_EXPERIMENT2_VERSION:
       return TLS1_3_VERSION;
     default:
       return version;
@@ -147,13 +139,11 @@ static uint16_t wire_version_to_api(uint16_t version) {
 // particular, it picks an arbitrary TLS 1.3 representative. This should only be
 // used in context where that does not matter.
 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
-  if (version == TLS1_3_DRAFT22_VERSION ||
-      version == TLS1_3_DRAFT23_VERSION ||
-      version == TLS1_3_EXPERIMENT2_VERSION) {
+  if (version == TLS1_3_DRAFT23_VERSION) {
     return false;
   }
   if (version == TLS1_3_VERSION) {
-    version = TLS1_3_DRAFT22_VERSION;
+    version = TLS1_3_DRAFT23_VERSION;
   }
 
   // Check it is a real protocol version.
@@ -304,12 +294,10 @@ bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
     return false;
   }
 
-  // TLS 1.3 variants must additionally match |tls13_variant|.
+  // This logic is part of the TLS 1.3 variants mechanism used in TLS 1.3
+  // experimentation. Although we currently only have one variant, TLS 1.3 does
+  // not a final stable deployment yet, so leave the logic in place for now.
   if (protocol_version != TLS1_3_VERSION ||
-      (ssl->tls13_variant == tls13_experiment2 &&
-       version == TLS1_3_EXPERIMENT2_VERSION) ||
-      (ssl->tls13_variant == tls13_draft22 &&
-       version == TLS1_3_DRAFT22_VERSION) ||
       (ssl->tls13_variant == tls13_default &&
        version == TLS1_3_DRAFT23_VERSION)) {
     return true;
@@ -368,18 +356,6 @@ bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
   return false;
 }
 
-bool ssl_is_draft22(uint16_t version) {
-  return version == TLS1_3_DRAFT22_VERSION || version == TLS1_3_DRAFT23_VERSION;
-}
-
-bool ssl_is_draft23(uint16_t version) {
-  return version == TLS1_3_DRAFT23_VERSION;
-}
-
-bool ssl_is_draft23_variant(tls13_variant_t variant) {
-  return variant == tls13_default;
-}
-
 }  // namespace bssl
 
 using namespace bssl;

ssl/t1_lib.cc

@@ -551,10 +551,6 @@ static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
   return true;
 }
 
-static bool dont_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  return true;
-}
-
 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
   // This extension from the client is handled elsewhere.
@@ -1821,7 +1817,6 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   // selected cipher in HelloRetryRequest does not match. This avoids performing
   // the transcript hash transformation for multiple hashes.
   if (hs->received_hello_retry_request &&
-      ssl_is_draft22(ssl->version) &&
       ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
     return true;
   }
@@ -2091,9 +2086,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   }
 
   CBB contents, kse_bytes;
-  if (!CBB_add_u16(out, ssl_is_draft23_variant(ssl->tls13_variant)
-                            ? TLSEXT_TYPE_new_key_share
-                            : TLSEXT_TYPE_old_key_share) ||
+  if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
       !CBB_add_u16_length_prefixed(out, &contents) ||
       !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
     return false;
@@ -2250,9 +2243,7 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
   uint16_t group_id;
   CBB kse_bytes, public_key;
   if (!tls1_get_shared_group(hs, &group_id) ||
-      !CBB_add_u16(out, ssl_is_draft23(hs->ssl->version)
-                            ? TLSEXT_TYPE_new_key_share
-                            : TLSEXT_TYPE_old_key_share) ||
+      !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
       !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
       !CBB_add_u16(&kse_bytes, group_id) ||
       !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
@@ -2760,16 +2751,7 @@ static const struct tls_extension kExtensions[] = {
     ext_ec_point_add_serverhello,
   },
   {
-    TLSEXT_TYPE_old_key_share,
-    // This is added by TLSEXT_TYPE_new_key_share's callback.
-    NULL,
-    dont_add_clienthello,
-    forbid_parse_serverhello,
-    ignore_parse_clienthello,
-    dont_add_serverhello,
-  },
-  {
-    TLSEXT_TYPE_new_key_share,
+    TLSEXT_TYPE_key_share,
     NULL,
     ext_key_share_add_clienthello,
     forbid_parse_serverhello,

ssl/test/runner/common.go

@@ -33,21 +33,15 @@ const (
 
 // A draft version of TLS 1.3 that is sent over the wire for the current draft.
 const (
-	tls13Experiment2Version = 0x7e02
-	tls13Draft22Version     = 0x7f16
-	tls13Draft23Version     = 0x7f17
+	tls13Draft23Version = 0x7f17
 )
 
 const (
-	TLS13Draft23     = 0
-	TLS13Experiment2 = 1
-	TLS13Draft22     = 2
+	TLS13Draft23 = 0
 )
 
 var allTLSWireVersions = []uint16{
 	tls13Draft23Version,
-	tls13Draft22Version,
-	tls13Experiment2Version,
 	VersionTLS12,
 	VersionTLS11,
 	VersionTLS10,
@@ -125,15 +119,14 @@ const (
 	extensionTokenBinding               uint16 = 24
 	extensionQUICTransportParams        uint16 = 26
 	extensionSessionTicket              uint16 = 35
-	extensionOldKeyShare                uint16 = 40    // draft-ietf-tls-tls13-16
 	extensionPreSharedKey               uint16 = 41    // draft-ietf-tls-tls13-16
 	extensionEarlyData                  uint16 = 42    // draft-ietf-tls-tls13-16
 	extensionSupportedVersions          uint16 = 43    // draft-ietf-tls-tls13-16
 	extensionCookie                     uint16 = 44    // draft-ietf-tls-tls13-16
 	extensionPSKKeyExchangeModes        uint16 = 45    // draft-ietf-tls-tls13-18
 	extensionTicketEarlyDataInfo        uint16 = 46    // draft-ietf-tls-tls13-18
 	extensionCertificateAuthorities     uint16 = 47    // draft-ietf-tls-tls13-21
-	extensionNewKeyShare                uint16 = 51    // draft-ietf-tls-tls13-23
+	extensionKeyShare                   uint16 = 51    // draft-ietf-tls-tls13-23
 	extensionCustom                     uint16 = 1234  // not IANA assigned
 	extensionNextProtoNeg               uint16 = 13172 // not IANA assigned
 	extensionRenegotiationInfo          uint16 = 0xff01
@@ -1670,29 +1663,19 @@ func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) {
 		switch vers {
 		case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
 			return vers, true
-		case tls13Draft23Version, tls13Draft22Version, tls13Experiment2Version:
+		case tls13Draft23Version:
 			return VersionTLS13, true
 		}
 	}
 
 	return 0, false
 }
 
-func isDraft22(vers uint16) bool {
-	return vers == tls13Draft22Version || vers == tls13Draft23Version
-}
-
-func isDraft23(vers uint16) bool {
-	return vers == tls13Draft23Version
-}
-
 // isSupportedVersion checks if the specified wire version is acceptable. If so,
 // it returns true and the corresponding protocol version. Otherwise, it returns
 // false.
 func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
-	if (c.TLS13Variant != TLS13Experiment2 && wireVers == tls13Experiment2Version) ||
-		(c.TLS13Variant != TLS13Draft23 && wireVers == tls13Draft23Version) ||
-		(c.TLS13Variant != TLS13Draft22 && wireVers == tls13Draft22Version) {
+	if c.TLS13Variant != TLS13Draft23 && wireVers == tls13Draft23Version {
 		return 0, false
 	}
 

ssl/test/runner/conn.go

@@ -1566,9 +1566,7 @@ func (c *Conn) processTLS13NewSessionTicket(newSessionTicket *newSessionTicketMs
 		earlyALPN:          c.clientProtocol,
 	}
 
-	if isDraft22(c.wireVersion) {
-		session.masterSecret = deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce)
-	}
+	session.masterSecret = deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce)
 
 	cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
 	_, ok := c.config.ClientSessionCache.Get(cacheKey)
@@ -1860,16 +1858,13 @@ func (c *Conn) exportKeyingMaterialTLS13(length int, secret, label, context []by
 	if cipherSuite == nil {
 		cipherSuite = c.earlyCipherSuite
 	}
-	if isDraft22(c.wireVersion) {
-		hash := cipherSuite.hash()
-		exporterKeyingLabel := []byte("exporter")
-		contextHash := hash.New()
-		contextHash.Write(context)
-		exporterContext := hash.New().Sum(nil)
-		derivedSecret := hkdfExpandLabel(cipherSuite.hash(), c.wireVersion, secret, label, exporterContext, hash.Size())
-		return hkdfExpandLabel(cipherSuite.hash(), c.wireVersion, derivedSecret, exporterKeyingLabel, contextHash.Sum(nil), length)
-	}
-	return hkdfExpandLabel(cipherSuite.hash(), c.wireVersion, secret, label, context, length)
+	hash := cipherSuite.hash()
+	exporterKeyingLabel := []byte("exporter")
+	contextHash := hash.New()
+	contextHash.Write(context)
+	exporterContext := hash.New().Sum(nil)
+	derivedSecret := hkdfExpandLabel(cipherSuite.hash(), secret, label, exporterContext, hash.Size())
+	return hkdfExpandLabel(cipherSuite.hash(), derivedSecret, exporterKeyingLabel, contextHash.Sum(nil), length)
 }
 
 // ExportKeyingMaterial exports keying material from the current connection
@@ -1954,32 +1949,25 @@ func (c *Conn) SendNewSessionTicket(nonce []byte) error {
 		duplicateEarlyDataExtension: c.config.Bugs.DuplicateTicketEarlyData,
 		customExtension:             c.config.Bugs.CustomTicketExtension,
 		ticketAgeAdd:                ticketAgeAdd,
+		ticketNonce:                 nonce,
 		maxEarlyDataSize:            c.config.MaxEarlyDataSize,
 	}
 
-	if isDraft22(c.wireVersion) {
-		m.ticketNonce = nonce
-	}
-
 	if c.config.Bugs.SendTicketLifetime != 0 {
 		m.ticketLifetime = uint32(c.config.Bugs.SendTicketLifetime / time.Second)
 	}
 
 	state := sessionState{
 		vers:               c.vers,
 		cipherSuite:        c.cipherSuite.id,
-		masterSecret:       c.resumptionSecret,
+		masterSecret:       deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce),
 		certificates:       peerCertificatesRaw,
 		ticketCreationTime: c.config.time(),
 		ticketExpiration:   c.config.time().Add(time.Duration(m.ticketLifetime) * time.Second),
 		ticketAgeAdd:       uint32(addBuffer[3])<<24 | uint32(addBuffer[2])<<16 | uint32(addBuffer[1])<<8 | uint32(addBuffer[0]),
 		earlyALPN:          []byte(c.clientProtocol),
 	}
 
-	if isDraft22(c.wireVersion) {
-		state.masterSecret = deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce)
-	}
-
 	if !c.config.Bugs.SendEmptySessionTicket {
 		var err error
 		m.ticket, err = c.encryptTicket(&state)