Loading CHANGES +1 −10 Original line number Diff line number Diff line Loading @@ -225,16 +225,7 @@ *) Support for TLSv1.3 added. Note that users upgrading from an earlier version of OpenSSL should review their configuration settings to ensure that they are still appropriate for TLSv1.3. For further information see: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/ NOTE: In this pre-release of OpenSSL a draft version of the TLSv1.3 standard has been implemented. Implementations of different draft versions of the standard do not inter-operate, and this version will not inter-operate with an implementation of the final standard when it is eventually published. Different pre-release versions may implement different versions of the draft. The final version of OpenSSL 1.1.1 will implement the final version of the standard. TODO(TLS1.3): Remove the above note before final release https://wiki.openssl.org/index.php/TLS1.3 [Matt Caswell] *) Grand redesign of the OpenSSL random generator Loading doc/man3/SSL_export_keying_material.pod +1 −2 Original line number Diff line number Diff line Loading @@ -26,8 +26,7 @@ During the creation of a TLS or DTLS connection shared keying material is established between the two endpoints. The functions SSL_export_keying_material() and SSL_export_keying_material_early() enable an application to use some of this keying material for its own purposes in accordance with RFC5705 (for TLSv1.2 and below) or RFCXXXX (for TLSv1.3). TODO(TLS1.3): Update the RFC number when the RFC is published. accordance with RFC5705 (for TLSv1.2 and below) or RFC8446 (for TLSv1.3). SSL_export_keying_material() derives keying material using the F<exporter_master_secret> established in the handshake. Loading include/openssl/tls1.h +0 −8 Original line number Diff line number Diff line Loading 
@@ -30,14 +30,6 @@ extern "C" { # define TLS1_3_VERSION 0x0304 # define TLS_MAX_VERSION TLS1_3_VERSION /* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */ # define TLS1_3_VERSION_DRAFT_26 0x7f1a # define TLS1_3_VERSION_DRAFT_27 0x7f1b # define TLS1_3_VERSION_DRAFT 0x7f1c # define TLS1_3_VERSION_DRAFT_TXT_26 "TLS 1.3 (draft 26)" # define TLS1_3_VERSION_DRAFT_TXT_27 "TLS 1.3 (draft 27)" # define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 28)" /* Special value for method supporting multiple versions */ # define TLS_ANY_VERSION 0x10000 Loading ssl/ssl_locl.h +0 −2 Original line number Diff line number Diff line Loading @@ -1071,8 +1071,6 @@ struct ssl_st { * DTLS1_VERSION) */ int version; /* TODO(TLS1.3): Remove this before release */ int version_draft; /* SSLv3 */ const SSL_METHOD *method; /* Loading ssl/statem/extensions_clnt.c +1 −22 Original line number Diff line number Diff line Loading @@ -530,23 +530,8 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, return EXT_RETURN_FAIL; } /* * TODO(TLS1.3): There is some discussion on the TLS list as to whether * we should include versions <TLS1.2. For the moment we do. To be * reviewed later. */ for (currv = max_version; currv >= min_version; currv--) { /* TODO(TLS1.3): Remove this first if clause prior to release!! */ if (currv == TLS1_3_VERSION) { if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27) || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } } else if (!WPACKET_put_bytes_u16(pkt, currv)) { if (!WPACKET_put_bytes_u16(pkt, currv)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, ERR_R_INTERNAL_ERROR); Loading Loading 
@@ -1790,12 +1775,6 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, return 0; } /* TODO(TLS1.3): Remove this before release */ if (version == TLS1_3_VERSION_DRAFT || version == TLS1_3_VERSION_DRAFT_27 || version == TLS1_3_VERSION_DRAFT_26) version = TLS1_3_VERSION; /* * The only protocol version we support which is valid in this extension in * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. Loading Loading
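Review bot: With the draft branch gone, the loop in tls_construct_ctos_supported_versions now emits one WPACKET_put_bytes_u16 per version from max_version down to min_version, but the deleted TODO comment was also the only explanation of why versions below TLSv1.2 are still advertised; I would keep a short comment above the `for` such as `/* Advertise every enabled version, highest preference first, per RFC8446 4.2.1 */`. In tls_parse_stoc_supported_versions (the @@ -1790 hunk) dropping the draft-to-TLS1_3_VERSION mapping means a ServerHello carrying one of the old 0x7f1a–0x7f1c draft codes presumably now reaches the TLSv1.3-only check that follows the hunk and fails the handshake instead of being silently accepted, which is the right outcome once the draft defines are removed from tls1.h, but a one-line comment at that spot noting that draft identifiers are intentionally rejected would save the next reader from looking for the old normalisation. Both enclosing functions start and end outside their hunks, so the follow-on check itself is not visible here.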
CHANGES +1 −10 Original line number Diff line number Diff line Loading @@ -225,16 +225,7 @@ *) Support for TLSv1.3 added. Note that users upgrading from an earlier version of OpenSSL should review their configuration settings to ensure that they are still appropriate for TLSv1.3. For further information see: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/ NOTE: In this pre-release of OpenSSL a draft version of the TLSv1.3 standard has been implemented. Implementations of different draft versions of the standard do not inter-operate, and this version will not inter-operate with an implementation of the final standard when it is eventually published. Different pre-release versions may implement different versions of the draft. The final version of OpenSSL 1.1.1 will implement the final version of the standard. TODO(TLS1.3): Remove the above note before final release https://wiki.openssl.org/index.php/TLS1.3 [Matt Caswell] *) Grand redesign of the OpenSSL random generator Loading
doc/man3/SSL_export_keying_material.pod +1 −2 Original line number Diff line number Diff line Loading @@ -26,8 +26,7 @@ During the creation of a TLS or DTLS connection shared keying material is established between the two endpoints. The functions SSL_export_keying_material() and SSL_export_keying_material_early() enable an application to use some of this keying material for its own purposes in accordance with RFC5705 (for TLSv1.2 and below) or RFCXXXX (for TLSv1.3). TODO(TLS1.3): Update the RFC number when the RFC is published. accordance with RFC5705 (for TLSv1.2 and below) or RFC8446 (for TLSv1.3). SSL_export_keying_material() derives keying material using the F<exporter_master_secret> established in the handshake. Loading
include/openssl/tls1.h +0 −8 Original line number Diff line number Diff line Loading @@ -30,14 +30,6 @@ extern "C" { # define TLS1_3_VERSION 0x0304 # define TLS_MAX_VERSION TLS1_3_VERSION /* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */ # define TLS1_3_VERSION_DRAFT_26 0x7f1a # define TLS1_3_VERSION_DRAFT_27 0x7f1b # define TLS1_3_VERSION_DRAFT 0x7f1c # define TLS1_3_VERSION_DRAFT_TXT_26 "TLS 1.3 (draft 26)" # define TLS1_3_VERSION_DRAFT_TXT_27 "TLS 1.3 (draft 27)" # define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 28)" /* Special value for method supporting multiple versions */ # define TLS_ANY_VERSION 0x10000 Loading
ssl/ssl_locl.h +0 −2 Original line number Diff line number Diff line Loading @@ -1071,8 +1071,6 @@ struct ssl_st { * DTLS1_VERSION) */ int version; /* TODO(TLS1.3): Remove this before release */ int version_draft; /* SSLv3 */ const SSL_METHOD *method; /* Loading
ssl/statem/extensions_clnt.c +1 −22 Original line number Diff line number Diff line Loading @@ -530,23 +530,8 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, return EXT_RETURN_FAIL; } /* * TODO(TLS1.3): There is some discussion on the TLS list as to whether * we should include versions <TLS1.2. For the moment we do. To be * reviewed later. */ for (currv = max_version; currv >= min_version; currv--) { /* TODO(TLS1.3): Remove this first if clause prior to release!! */ if (currv == TLS1_3_VERSION) { if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27) || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } } else if (!WPACKET_put_bytes_u16(pkt, currv)) { if (!WPACKET_put_bytes_u16(pkt, currv)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, ERR_R_INTERNAL_ERROR); Loading Loading @@ -1790,12 +1775,6 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, return 0; } /* TODO(TLS1.3): Remove this before release */ if (version == TLS1_3_VERSION_DRAFT || version == TLS1_3_VERSION_DRAFT_27 || version == TLS1_3_VERSION_DRAFT_26) version = TLS1_3_VERSION; /* * The only protocol version we support which is valid in this extension in * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. Loading