Add TLS 1.3 Final variant flags.

Bug: 630147
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I3a7c751403c53a4222ed006cad5a08741a2b1e0b
Reviewed-on: https://chromium-review.googlesource.com/1172504
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Gabriel Charette <gab@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Helen Li <xunjieli@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#584856}
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
index 797a6eb..1c8db38 100644
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -767,6 +767,8 @@
      switches::kTLS13VariantDraft23},
     {flag_descriptions::kTLS13VariantDraft28, switches::kTLS13Variant,
      switches::kTLS13VariantDraft28},
+    {flag_descriptions::kTLS13VariantFinal, switches::kTLS13Variant,
+     switches::kTLS13VariantFinal},
 };
 
 #if !defined(OS_ANDROID)
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
index 08a4cc7..2532bf4 100644
--- a/chrome/browser/flag_descriptions.cc
+++ b/chrome/browser/flag_descriptions.cc
@@ -1869,6 +1869,7 @@
 const char kTLS13VariantDeprecated[] = "Disabled (Deprecated Setting)";
 const char kTLS13VariantDraft23[] = "Enabled (Draft 23)";
 const char kTLS13VariantDraft28[] = "Enabled (Draft 28)";
+const char kTLS13VariantFinal[] = "Enabled (Final)";
 
 const char kTopDocumentIsolationName[] = "Top document isolation";
 const char kTopDocumentIsolationDescription[] =
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
index b92597a..706ac46 100644
--- a/chrome/browser/flag_descriptions.h
+++ b/chrome/browser/flag_descriptions.h
@@ -1089,6 +1089,7 @@
 extern const char kTLS13VariantDeprecated[];
 extern const char kTLS13VariantDraft23[];
 extern const char kTLS13VariantDraft28[];
+extern const char kTLS13VariantFinal[];
 
 extern const char kSuggestionsWithSubStringMatchName[];
 extern const char kSuggestionsWithSubStringMatchDescription[];
diff --git a/chrome/browser/prefs/chrome_command_line_pref_store_ssl_manager_unittest.cc b/chrome/browser/prefs/chrome_command_line_pref_store_ssl_manager_unittest.cc
index 3fb7f7c..2fd0950 100644
--- a/chrome/browser/prefs/chrome_command_line_pref_store_ssl_manager_unittest.cc
+++ b/chrome/browser/prefs/chrome_command_line_pref_store_ssl_manager_unittest.cc
@@ -33,7 +33,7 @@
   base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
   command_line.AppendSwitchASCII(switches::kSSLVersionMin, "tls1.1");
   command_line.AppendSwitchASCII(switches::kSSLVersionMax, "tls1.2");
-  command_line.AppendSwitchASCII(switches::kTLS13Variant, "draft23");
+  command_line.AppendSwitchASCII(switches::kTLS13Variant, "final");
 
   sync_preferences::PrefServiceMockFactory factory;
   factory.set_user_prefs(local_state_store);
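Review bot: Replacing `"draft23"` with `"final"` here, and again in the later hunk of this file that sets only `switches::kTLS13Variant`, swaps the tested value instead of adding a case. As far as these hunks show, no draft variant is then exercised through the command line. If `draft23` and `draft28` remain selectable via `--tls13-variant`, keeping one draft case next to the new one would catch a regression in the string-to-enum mapping for values that still ship. Other tests in the file may already cover this; they are not visible here.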
@@ -53,7 +53,7 @@
             context_params->initial_ssl_config->version_min);
   EXPECT_EQ(network::mojom::SSLVersion::kTLS13,
             context_params->initial_ssl_config->version_max);
-  EXPECT_EQ(network::mojom::TLS13Variant::kDraft23,
+  EXPECT_EQ(network::mojom::TLS13Variant::kFinal,
             context_params->initial_ssl_config->tls13_variant);
 
   // Explicitly double-check the settings are not in the preference store.
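Review bot: The expectation that `version_max` is `kTLS13` holds even though the previous hunk, apparently the same test, sets `switches::kSSLVersionMax` to `"tls1.2"`. The test therefore pins that a non-disabled `--tls13-variant` overrides an explicitly requested lower maximum. That precedence is worth stating where it is asserted, e.g. `// --tls13-variant=final raises version_max to TLS 1.3 even when --ssl-version-max asks for tls1.2.` The code implementing it is outside this diff, so confirm the wording against it.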
@@ -86,7 +86,7 @@
       base::MakeRefCounted<TestingPrefStore>();
 
   base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
-  command_line.AppendSwitchASCII(switches::kTLS13Variant, "draft23");
+  command_line.AppendSwitchASCII(switches::kTLS13Variant, "final");
 
   sync_preferences::PrefServiceMockFactory factory;
   factory.set_user_prefs(local_state_store);
@@ -105,7 +105,7 @@
   // Command-line flags should be respected.
   EXPECT_EQ(network::mojom::SSLVersion::kTLS13,
             context_params->initial_ssl_config->version_max);
-  EXPECT_EQ(network::mojom::TLS13Variant::kDraft23,
+  EXPECT_EQ(network::mojom::TLS13Variant::kFinal,
             context_params->initial_ssl_config->tls13_variant);
 }
 
diff --git a/chrome/browser/ssl/ssl_config_service_manager_pref.cc b/chrome/browser/ssl/ssl_config_service_manager_pref.cc
index bf28ee9..41b8981 100644
--- a/chrome/browser/ssl/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/ssl/ssl_config_service_manager_pref.cc
@@ -185,6 +185,9 @@
   } else if (tls13_variant == "draft28") {
     tls13_value = switches::kTLS13VariantDraft28;
     version_value = switches::kSSLVersionTLSv13;
+  } else if (tls13_variant == "final") {
+    tls13_value = switches::kTLS13VariantFinal;
+    version_value = switches::kSSLVersionTLSv13;
   }
 
   if (tls13_value) {
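Review bot: The new branch matches the field-trial parameter against a second copy of the literal `"final"`. The assignment directly below it and the pref comparison in the later hunk of this file both use `switches::kTLS13VariantFinal`. Comparing against the constant, `} else if (tls13_variant == switches::kTLS13VariantFinal) {`, keeps the accepted spelling in one place; the neighbouring draft branch has the same duplication. The chain starts above the hunk, so `tls13_variant` is assumed to be a `std::string`.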
@@ -315,6 +318,8 @@
     config->tls13_variant = network::mojom::TLS13Variant::kDraft23;
   } else if (tls13_variant_str == switches::kTLS13VariantDraft28) {
     config->tls13_variant = network::mojom::TLS13Variant::kDraft28;
+  } else if (tls13_variant_str == switches::kTLS13VariantFinal) {
+    config->tls13_variant = network::mojom::TLS13Variant::kFinal;
   }
 
   config->disabled_cipher_suites = disabled_cipher_suites_;
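Review bot: A pref value that matches none of the branches, for example `"Final"` with a capital, leaves `config->tls13_variant` at whatever it held before this chain. As far as the hunk shows, nothing is logged. Because this string comes from preferences and selects the protocol variant that is negotiated, an unrecognised non-empty value deserves a warning, e.g. a trailing `} else if (!tls13_variant_str.empty()) { LOG(WARNING) << "Unknown TLS 1.3 variant: " << tls13_variant_str; }`. This assumes `"disabled"` is handled by an earlier branch of the same chain, which begins above the hunk.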
diff --git a/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc b/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc
index bbba430..c33a499 100644
--- a/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc
+++ b/chrome/browser/ssl/ssl_config_service_manager_pref_unittest.cc
@@ -290,6 +290,23 @@
             initial_config_->tls13_variant);
 }
 
+// Tests that Final TLS 1.3 can be enabled via field trials.
+TEST_F(SSLConfigServiceManagerPrefTest, TLS13VariantFeatureFinal) {
+  // Toggle the field trial.
+  variations::testing::VariationParamsManager variation_params(
+      "TLS13Variant", {{"variant", "final"}});
+
+  TestingPrefServiceSimple local_state;
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+
+  std::unique_ptr<SSLConfigServiceManager> config_manager =
+      SetUpConfigServiceManager(&local_state);
+
+  EXPECT_EQ(network::mojom::SSLVersion::kTLS13, initial_config_->version_max);
+  EXPECT_EQ(network::mojom::TLS13Variant::kFinal,
+            initial_config_->tls13_variant);
+}
+
 // Tests that the SSLVersionMax preference overwites the TLS 1.3 variant
 // field trial.
 TEST_F(SSLConfigServiceManagerPrefTest, TLS13SSLVersionMax) {
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 6c1b0d4b..d977792 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -670,7 +670,8 @@
 // Passes the name of the current running automated test to Chrome.
 const char kTestName[]                      = "test-name";
 
-// Specifies the enabled TLS 1.3 variant ("disabled", "draft23", "draft28").
+// Specifies the enabled TLS 1.3 variant ("disabled", "draft23", "draft28",
+// "final").
 const char kTLS13Variant[] = "tls13-variant";
 
 // This mode disables the TLS 1.3 for the |kTLS13Variant| switch.
@@ -682,6 +683,9 @@
 // This mode enables TLS 1.3 draft-28 for the |kTLS13Variant| switch.
 const char kTLS13VariantDraft28[] = "draft28";
 
+// This mode enables TLS 1.3 final for the |kTLS13Variant| switch.
+const char kTLS13VariantFinal[] = "final";
+
 // Identifies a list of download sources as trusted, but only if proper group
 // policy is set.
 const char kTrustedDownloadSources[] = "trusted-download-sources";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index ecd8704..c5cb9d5 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -199,6 +199,7 @@
 extern const char kTLS13VariantDisabled[];
 extern const char kTLS13VariantDraft23[];
 extern const char kTLS13VariantDraft28[];
+extern const char kTLS13VariantFinal[];
 extern const char kTrustedDownloadSources[];
 extern const char kTryChromeAgain[];
 extern const char kUnlimitedStorage[];
diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
index 0365b08..866e018 100644
--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -1695,8 +1695,8 @@
 const char kSSLVersionMax[] = "ssl.version_max";
 
 // String specifying the TLS 1.3 variant to negotiate when negotiating TLS 1.3.
-// Supported values are "disabled", which disables TLS 1.3, "draft23", and
-// "draft28".
+// Supported values are "disabled", which disables TLS 1.3, "draft23",
+// "draft28", and "final".
 const char kTLS13Variant[] = "ssl.tls13_variant";
 
 // String specifying the TLS ciphersuites to disable. Ciphersuites are
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 196e252..1925d8a 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -915,6 +915,9 @@
     case kTLS13VariantDraft28:
       SSL_set_tls13_variant(ssl_.get(), tls13_draft28);
       break;
+    case kTLS13VariantFinal:
+      SSL_set_tls13_variant(ssl_.get(), tls13_rfc);
+      break;
   }
 
   // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
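Review bot: `kTLS13VariantFinal` is mapped to `tls13_rfc`, and nothing at the call site links the two names. A short comment on the new case, such as `// tls13_rfc is BoringSSL's name for the final (RFC 8446) version.`, would save the next reader a lookup. The switch begins above the hunk.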
diff --git a/net/ssl/ssl_config.h b/net/ssl/ssl_config.h
index 2d7782e..4e97069 100644
--- a/net/ssl/ssl_config.h
+++ b/net/ssl/ssl_config.h
@@ -38,6 +38,7 @@
 enum TLS13Variant {
   kTLS13VariantDraft23,
   kTLS13VariantDraft28,
+  kTLS13VariantFinal,
 };
 
 // Default minimum protocol version.
diff --git a/services/network/public/mojom/ssl_config.mojom b/services/network/public/mojom/ssl_config.mojom
index dcbafa6d..05e98db 100644
--- a/services/network/public/mojom/ssl_config.mojom
+++ b/services/network/public/mojom/ssl_config.mojom
@@ -15,6 +15,7 @@
 enum TLS13Variant {
   kDraft23,
   kDraft28,
+  kFinal,
 };
 
 // This contains the subset of net::SSLConfig members that are managed by the
diff --git a/services/network/ssl_config_type_converter.cc b/services/network/ssl_config_type_converter.cc
index 3ef67f4..fa34606 100644
--- a/services/network/ssl_config_type_converter.cc
+++ b/services/network/ssl_config_type_converter.cc
@@ -13,6 +13,8 @@
       return net::kTLS13VariantDraft23;
     case network::mojom::TLS13Variant::kDraft28:
       return net::kTLS13VariantDraft28;
+    case network::mojom::TLS13Variant::kFinal:
+      return net::kTLS13VariantFinal;
   }
   NOTREACHED();
   return net::kTLS13VariantDraft23;
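Review bot: The fallback after `NOTREACHED()` still returns `net::kTLS13VariantDraft23`. In a build where `NOTREACHED()` does not abort, an unexpected enum value would therefore quietly select a draft variant. Now that a final variant exists, it is worth deciding which value this path should yield and recording the decision, e.g. `// Unreachable for a validated mojom enum; the value returned here is only a placeholder.` The function's signature and closing brace are outside the hunk.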