Diffstat (limited to 'ssl')
-rw-r--r--ssl/methods.c18
-rw-r--r--ssl/s3_lib.c15
-rw-r--r--ssl/ssl_conf.c4
-rw-r--r--ssl/ssl_lib.c4
-rw-r--r--ssl/ssl_locl.h4
-rw-r--r--ssl/ssl_sess.c3
-rw-r--r--ssl/statem/statem_lib.c9
-rw-r--r--ssl/t1_lib.c20
-rw-r--r--ssl/t1_trce.c2
9 files changed, 76 insertions, 3 deletions
diff --git a/ssl/methods.c b/ssl/methods.c
index c846143277..f0926b7ce0 100644
--- a/ssl/methods.c
+++ b/ssl/methods.c
@@ -19,6 +19,12 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_method,
ossl_statem_accept,
ossl_statem_connect, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_3_METHOD
+IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3,
+ tlsv1_3_method,
+ ossl_statem_accept,
+ ossl_statem_connect, TLSv1_3_enc_data)
+#endif
#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
tlsv1_2_method,
@@ -46,6 +52,12 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_server_method,
ossl_statem_accept,
ssl_undefined_function, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_3_METHOD
+IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3,
+ tlsv1_3_server_method,
+ ossl_statem_accept,
+ ssl_undefined_function, TLSv1_3_enc_data)
+#endif
#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
tlsv1_2_server_method,
@@ -75,6 +87,12 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_client_method,
ssl_undefined_function,
ossl_statem_connect, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_3_METHOD
+IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3,
+ tlsv1_3_client_method,
+ ssl_undefined_function,
+ ossl_statem_connect, TLSv1_3_enc_data)
+#endif
#ifndef OPENSSL_NO_TLS1_2_METHOD
IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
tlsv1_2_client_method,
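Review bot: The three new `IMPLEMENT_tls_meth_func` blocks bind `TLS1_3_VERSION` to `TLSv1_3_enc_data`, which this same commit defines in ssl/t1_lib.c from the TLS 1.2 callbacks (`tls1_setup_key_block`, `tls1_generate_master_secret`, `tls1_final_finish_mac`, `SSL_ENC_FLAG_TLS1_2_CIPHERS`), so a peer that negotiates the 1.3 version number with these methods presumably gets TLS 1.2 record and key-schedule behaviour. Nothing in the hunk says this is scaffolding; a maintainer reading methods.c or t1_lib.c alone would take the table as the real protocol. I would put `/* TODO(TLS1.3): placeholder - currently identical in behaviour to the TLS 1.2 method */` above each of the three 1.3 blocks here and a matching header comment on the `TLSv1_3_enc_data` definition in t1_lib.c. `SSL_OP_NO_TLSv1_3` must also be defined in the public header, which is outside this diffstat, so that is assumed rather than verified.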
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index d19b97a4d9..ffdb45403d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -834,6 +834,21 @@ static SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
+ {
+ 1,
+ TLS1_3_TXT_AES_128_GCM_SHA256,
+ TLS1_3_CK_AES_128_GCM_SHA256,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_AES128GCM,
+ SSL_AEAD,
+ TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, 0,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
#ifndef OPENSSL_NO_EC
{
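Review bot: The new `ssl3_ciphers` entry gives `TLS_AES_128_GCM_SHA256` a key-exchange of `SSL_kRSA` and authentication of `SSL_aRSA`, but TLS 1.3 cipher suites do not carry a key-exchange or authentication component, so these are presumably placeholders. Left unmarked they have visible effects: the suite would be filtered out by cipher strings such as `!kRSA` or `!aRSA` and presumably tied to the presence of an RSA certificate by the existing cipher-selection checks. A comment on the entry, e.g. `/* TODO(TLS1.3): kex/auth are placeholders; 1.3 suites carry neither */`, would record that intent until the selection logic is updated. The `ssl3_ciphers` array continues outside this hunk.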
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 3957946092..63687b5ba1 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -257,6 +257,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
+ SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3),
SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
};
@@ -282,6 +283,7 @@ static int protocol_from_string(const char *value)
{"TLSv1", TLS1_VERSION},
{"TLSv1.1", TLS1_1_VERSION},
{"TLSv1.2", TLS1_2_VERSION},
+ {"TLSv1.3", TLS1_3_VERSION},
{"DTLSv1", DTLS1_VERSION},
{"DTLSv1.2", DTLS1_2_VERSION}
};
@@ -526,6 +528,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_SWITCH("no_tls1", 0),
SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
+ SSL_CONF_CMD_SWITCH("no_tls1_3", 0),
SSL_CONF_CMD_SWITCH("bugs", 0),
SSL_CONF_CMD_SWITCH("no_comp", 0),
SSL_CONF_CMD_SWITCH("comp", 0),
@@ -583,6 +586,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
{SSL_OP_NO_TLSv1, 0}, /* no_tls1 */
{SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
{SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
+ {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */
{SSL_OP_ALL, 0}, /* bugs */
{SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
{SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8bf872beec..84dd39371a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3072,7 +3072,9 @@ const SSL_METHOD *ssl_bad_method(int ver)
const char *ssl_protocol_to_string(int version)
{
- if (version == TLS1_2_VERSION)
+ if (version == TLS1_3_VERSION)
+ return "TLSv1.3";
+ else if (version == TLS1_2_VERSION)
return "TLSv1.2";
else if (version == TLS1_1_VERSION)
return "TLSv1.1";
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 8a7e1a9474..d5a6fe236e 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1641,6 +1641,9 @@ __owur const SSL_METHOD *tlsv1_1_client_method(void);
__owur const SSL_METHOD *tlsv1_2_method(void);
__owur const SSL_METHOD *tlsv1_2_server_method(void);
__owur const SSL_METHOD *tlsv1_2_client_method(void);
+__owur const SSL_METHOD *tlsv1_3_method(void);
+__owur const SSL_METHOD *tlsv1_3_server_method(void);
+__owur const SSL_METHOD *tlsv1_3_client_method(void);
__owur const SSL_METHOD *dtlsv1_method(void);
__owur const SSL_METHOD *dtlsv1_server_method(void);
__owur const SSL_METHOD *dtlsv1_client_method(void);
@@ -1652,6 +1655,7 @@ __owur const SSL_METHOD *dtlsv1_2_client_method(void);
extern const SSL3_ENC_METHOD TLSv1_enc_data;
extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
extern const SSL3_ENC_METHOD TLSv1_2_enc_data;
+extern const SSL3_ENC_METHOD TLSv1_3_enc_data;
extern const SSL3_ENC_METHOD SSLv3_enc_data;
extern const SSL3_ENC_METHOD DTLSv1_enc_data;
extern const SSL3_ENC_METHOD DTLSv1_2_enc_data;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index eee1ca1f5b..e0ec918c91 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -320,6 +320,9 @@ int ssl_get_new_session(SSL *s, int session)
} else if (s->version == TLS1_2_VERSION) {
ss->ssl_version = TLS1_2_VERSION;
ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
+ } else if (s->version == TLS1_3_VERSION) {
+ ss->ssl_version = TLS1_3_VERSION;
+ ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
} else if (s->version == DTLS1_BAD_VER) {
ss->ssl_version = DTLS1_BAD_VER;
ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
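Review bot: The new `TLS1_3_VERSION` branch in `ssl_get_new_session` copies the TLS 1.2 arm verbatim, including `ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH`. The TLS 1.3 drafts resume via PSK tickets rather than session IDs, so this assignment is presumably a placeholder to keep the rest of the session code working; the hunk does not say so. A one-line comment such as `/* TODO(TLS1.3): session-ID handling is a placeholder pending PSK resumption */` would keep the next reader from treating it as final. `ssl_get_new_session` begins and ends outside this hunk.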
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c185d7c72a..a3d8d1ee26 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -647,11 +647,16 @@ typedef struct {
const SSL_METHOD *(*smeth) (void);
} version_info;
-#if TLS_MAX_VERSION != TLS1_2_VERSION
-# error Code needs update for TLS_method() support beyond TLS1_2_VERSION.
+#if TLS_MAX_VERSION != TLS1_3_VERSION
+# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
#endif
static const version_info tls_version_table[] = {
+#ifndef OPENSSL_NO_TLS1_3
+ {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
+#else
+ {TLS1_3_VERSION, NULL, NULL},
+#endif
#ifndef OPENSSL_NO_TLS1_2
{TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
#else
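Review bot: The updated `#error` guard now requires `TLS_MAX_VERSION == TLS1_3_VERSION`, and `tls_version_table` lists TLS 1.3 first, so if the public header has been bumped accordingly (it is outside this diffstat) every `TLS_method()` client and server will offer TLS 1.3 by default while the 1.3 implementation is still the TLS 1.2 tables defined elsewhere in this commit. That makes the default configuration advertise a version whose semantics it does not yet implement; until the real key schedule and record layer land I would either keep the default maximum at TLS 1.2 or have the 1.3 entry compiled out unless explicitly enabled, and record the choice in a comment above the table, e.g. `/* TLS1_3_VERSION entry is provisional: protocol not yet implemented */`. The guards also differ in name (`OPENSSL_NO_TLS1_3` here, `OPENSSL_NO_TLS1_3_METHOD` in methods.c); that mirrors the existing 1.2 pattern, so it is presumably deliberate, but it is worth confirming the build defines both together. `tls_version_table` continues outside this hunk.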
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 87ebbf3625..e19f93d21c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -84,6 +84,26 @@ SSL3_ENC_METHOD const TLSv1_2_enc_data = {
ssl3_handshake_write
};
+SSL3_ENC_METHOD const TLSv1_3_enc_data = {
+ tls1_enc,
+ tls1_mac,
+ tls1_setup_key_block,
+ tls1_generate_master_secret,
+ tls1_change_cipher_state,
+ tls1_final_finish_mac,
+ TLS1_FINISH_MAC_LENGTH,
+ TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
+ TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
+ tls1_alert_code,
+ tls1_export_keying_material,
+ SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
+ | SSL_ENC_FLAG_TLS1_2_CIPHERS,
+ SSL3_HM_HEADER_LENGTH,
+ ssl3_set_handshake_header,
+ tls_close_construct_packet,
+ ssl3_handshake_write
+};
+
long tls1_default_timeout(void)
{
/*
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 4577f038a3..ab5d2dac76 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -61,6 +61,7 @@ static ssl_trace_tbl ssl_version_tbl[] = {
{TLS1_VERSION, "TLS 1.0"},
{TLS1_1_VERSION, "TLS 1.1"},
{TLS1_2_VERSION, "TLS 1.2"},
+ {TLS1_3_VERSION, "TLS 1.3"},
{DTLS1_VERSION, "DTLS 1.0"},
{DTLS1_2_VERSION, "DTLS 1.2"},
{DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
@@ -422,6 +423,7 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = {
{0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305"},
{0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305"},
{0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305"},
+ {0x0D01, "TLS_AES_128_GCM_SHA256"},
{0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
{0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
};
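Review bot: The new `ssl_ciphers_tbl` entry `{0x0D01, "TLS_AES_128_GCM_SHA256"}` is inserted between `0xCCAE` and `0xFEFE`, which breaks what appears to be the table's ascending code-point order; it should presumably sit with the other `0x0Dxx`-range entries further up. The literal also duplicates whatever `TLS1_3_CK_AES_128_GCM_SHA256` (used in s3_lib.c) resolves to in the public header, which is outside this diffstat; since the TLS 1.3 draft code points were still provisional, a comment such as `/* draft code point; keep in sync with TLS1_3_CK_AES_128_GCM_SHA256 */` would make a later renumbering easier to catch in the trace output.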