diff options
author | Matt Caswell <matt@openssl.org> | 2018-07-18 16:05:49 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-08-15 12:33:30 +0100 |
commit | 35e742ecac9239539db016e1282b4cbdf501509c (patch) | |
tree | 69505449d87cb5902f7db623738266782bb98ac2 /ssl | |
parent | 58094ab60ff51918a248dc6bd977d48f981fe2c1 (diff) | |
download | openssl-35e742ecac9239539db016e1282b4cbdf501509c.tar.gz |
Update code for the final RFC version of TLSv1.3 (RFC8446)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_locl.h | 2 | ||||
-rw-r--r-- | ssl/statem/extensions_clnt.c | 23 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 6 | ||||
-rw-r--r-- | ssl/statem/statem_lib.c | 23 | ||||
-rw-r--r-- | ssl/t1_trce.c | 18 |
5 files changed, 5 insertions, 67 deletions
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index a1a880c05c..6d6404ba3d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1071,8 +1071,6 @@ struct ssl_st { * DTLS1_VERSION) */ int version; - /* TODO(TLS1.3): Remove this before release */ - int version_draft; /* SSLv3 */ const SSL_METHOD *method; /* diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index cc4563b357..86d6189ea1 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -530,23 +530,8 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, return EXT_RETURN_FAIL; } - /* - * TODO(TLS1.3): There is some discussion on the TLS list as to whether - * we should include versions <TLS1.2. For the moment we do. To be - * reviewed later. - */ for (currv = max_version; currv >= min_version; currv--) { - /* TODO(TLS1.3): Remove this first if clause prior to release!! */ - if (currv == TLS1_3_VERSION) { - if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) - || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27) - || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, - ERR_R_INTERNAL_ERROR); - return EXT_RETURN_FAIL; - } - } else if (!WPACKET_put_bytes_u16(pkt, currv)) { + if (!WPACKET_put_bytes_u16(pkt, currv)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, ERR_R_INTERNAL_ERROR); @@ -1790,12 +1775,6 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, return 0; } - /* TODO(TLS1.3): Remove this before release */ - if (version == TLS1_3_VERSION_DRAFT - || version == TLS1_3_VERSION_DRAFT_27 - || version == TLS1_3_VERSION_DRAFT_26) - version = TLS1_3_VERSION; - /* * The only protocol version we support which is valid in this extension in * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 00c0ec9c09..295d3e7ee5 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -897,8 +897,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, } if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions) || !WPACKET_start_sub_packet_u16(&hrrpkt) - /* TODO(TLS1.3): Fix this before release */ - || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft) + || !WPACKET_put_bytes_u16(&hrrpkt, s->version) || !WPACKET_close(&hrrpkt)) { WPACKET_cleanup(&hrrpkt); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, @@ -1651,8 +1650,7 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt, if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) || !WPACKET_start_sub_packet_u16(pkt) - /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */ - || !WPACKET_put_bytes_u16(pkt, s->version_draft) + || !WPACKET_put_bytes_u16(pkt, s->version) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS, diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index d602846416..d04f8773de 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1742,8 +1742,6 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) unsigned int best_vers = 0; const SSL_METHOD *best_method = NULL; PACKET versionslist; - /* TODO(TLS1.3): Remove this before release */ - unsigned int orig_candidate = 0; suppversions->parsed = 1; @@ -1765,24 +1763,6 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) return SSL_R_BAD_LEGACY_VERSION; while (PACKET_get_net_2(&versionslist, &candidate_vers)) { - /* TODO(TLS1.3): Remove this before release */ - if (candidate_vers == TLS1_3_VERSION_DRAFT - || candidate_vers == TLS1_3_VERSION_DRAFT_27 - || candidate_vers == TLS1_3_VERSION_DRAFT_26) { - if (best_vers == TLS1_3_VERSION - && orig_candidate > candidate_vers) - continue; - orig_candidate = candidate_vers; - candidate_vers = TLS1_3_VERSION; - } else if (candidate_vers == TLS1_3_VERSION) { - /* Don't actually accept real TLSv1.3 */ - continue; - } - /* - * TODO(TLS1.3): There is some discussion on the TLS list about - * whether to ignore versions <TLS1.2 in supported_versions. At the - * moment we honour them if present. To be reviewed later - */ if (version_cmp(s, candidate_vers, best_vers) <= 0) continue; if (ssl_version_supported(s, candidate_vers, &best_method)) @@ -1805,9 +1785,6 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) } check_for_downgrade(s, best_vers, dgrd); s->version = best_vers; - /* TODO(TLS1.3): Remove this before release */ - if (best_vers == TLS1_3_VERSION) - s->version_draft = orig_candidate; s->method = best_method; return 0; } diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 4d052d0705..b79c776f2d 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -65,10 +65,6 @@ static const ssl_trace_tbl ssl_version_tbl[] = { {TLS1_1_VERSION, "TLS 1.1"}, {TLS1_2_VERSION, "TLS 1.2"}, {TLS1_3_VERSION, "TLS 1.3"}, - /* TODO(TLS1.3): Remove these lines before release */ - {TLS1_3_VERSION_DRAFT_26, TLS1_3_VERSION_DRAFT_TXT_26}, - {TLS1_3_VERSION_DRAFT_27, TLS1_3_VERSION_DRAFT_TXT_27}, - {TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT}, {DTLS1_VERSION, "DTLS 1.0"}, {DTLS1_2_VERSION, "DTLS 1.2"}, {DTLS1_BAD_VER, "DTLS 1.0 (bad)"} @@ -642,18 +638,8 @@ static int ssl_print_version(BIO *bio, int indent, const char *name, if (*pmsglen < 2) return 0; vers = ((*pmsg)[0] << 8) | (*pmsg)[1]; - if (version != NULL) { - /* TODO(TLS1.3): Remove the draft conditional here before release */ - switch(vers) { - case TLS1_3_VERSION_DRAFT_26: - case TLS1_3_VERSION_DRAFT_27: - case TLS1_3_VERSION_DRAFT: - *version = TLS1_3_VERSION; - break; - default: - *version = vers; - } - } + if (version != NULL) + *version = vers; BIO_indent(bio, indent, 80); BIO_printf(bio, "%s=0x%x (%s)\n", name, vers, ssl_trace_str(vers, ssl_version_tbl)); |