Commit 582a17d6 authored by Matt Caswell

Add the SSL_METHOD for TLSv1.3 and all other base changes required



Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).

Reviewed-by: Rich Salz <rsalz@openssl.org>
parent ffd3d0ef
+4 −2
@@ -210,7 +210,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
# define OPT_S_ENUM \
        OPT_S__FIRST=3000, \
        OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
        OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
        OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
        OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
@@ -222,6 +222,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
        {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
        {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
        {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
        {"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, \
        {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
        {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
        {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
@@ -259,6 +260,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
        case OPT_S_NOTLS1: \
        case OPT_S_NOTLS1_1: \
        case OPT_S_NOTLS1_2: \
        case OPT_S_NOTLS1_3: \
        case OPT_S_BUGS: \
        case OPT_S_NO_COMP: \
        case OPT_S_COMP: \
@@ -279,7 +281,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,

#define IS_NO_PROT_FLAG(o) \
 (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
  || o == OPT_S_NOTLS1_2)
  || o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)

/*
 * Option parsing.
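Review bot: The rewritten last line of IS_NO_PROT_FLAG keeps the macro argument unparenthesized (`o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3`), so a caller passing an expression rather than a plain identifier would have `==` bind before the caller's own operator; no caller is visible in this hunk, so this is a style point rather than a visible bug. Since the line is being touched anyway, I would write `((o) == OPT_S_NOSSL3 || (o) == OPT_S_NOTLS1 || (o) == OPT_S_NOTLS1_1 \` followed by `|| (o) == OPT_S_NOTLS1_2 || (o) == OPT_S_NOTLS1_3)`. The same applies to the IS_PROT_FLAG rewrites in the s_client_options and s_server_options sections below. OPT_S_ENUM in the first hunk starts here but continues past the hunk.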
+8 −0
@@ -21,6 +21,7 @@ typedef enum OPTION_choice {
    OPT_TLS1,
    OPT_TLS1_1,
    OPT_TLS1_2,
    OPT_TLS1_3,
    OPT_PSK,
    OPT_SRP,
    OPT_V, OPT_UPPER_V, OPT_S
@@ -43,6 +44,9 @@ const OPTIONS ciphers_options[] = {
#ifndef OPENSSL_NO_TLS1_2
    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
#endif
#ifndef OPENSSL_NO_TLS1_3
    {"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"},
#endif
#ifndef OPENSSL_NO_SSL_TRACE
    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
#endif
@@ -135,6 +139,10 @@ int ciphers_main(int argc, char **argv)
            min_version = TLS1_2_VERSION;
            max_version = TLS1_2_VERSION;
            break;
        case OPT_TLS1_3:
            min_version = TLS1_3_VERSION;
            max_version = TLS1_3_VERSION;
            break;
        case OPT_PSK:
#ifndef OPENSSL_NO_PSK
            psk = 1;
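Review bot: The new `tls1_3` entry in ciphers_options is described as "TLS1.3 mode", but the commit description says the protocol selected by TLS1_3_VERSION is currently TLSv1.2 with a renamed ciphersuite, and nothing in the option table or the `case OPT_TLS1_3:` branch in ciphers_main tells a reader that. A comment at the new table entry would stop it being read as a finished TLSv1.3, e.g. `/* TODO(TLS1.3): placeholder - behaves as TLSv1.2 until the real protocol lands */`. The same comment belongs on the `tls1_3` entries added to s_client_options and s_server_options. ciphers_main continues outside the hunk.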
+2 −0
@@ -453,6 +453,7 @@ static STRINT_PAIR ssl_versions[] = {
    {"TLS 1.0", TLS1_VERSION},
    {"TLS 1.1", TLS1_1_VERSION},
    {"TLS 1.2", TLS1_2_VERSION},
    {"TLS 1.3", TLS1_3_VERSION},
    {"DTLS 1.0", DTLS1_VERSION},
    {"DTLS 1.0 (bad)", DTLS1_BAD_VER},
    {NULL}
@@ -522,6 +523,7 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
        version == TLS1_VERSION ||
        version == TLS1_1_VERSION ||
        version == TLS1_2_VERSION ||
        version == TLS1_3_VERSION ||
        version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
        switch (content_type) {
        case 20:
+9 −2
@@ -539,7 +539,7 @@ typedef enum OPTION_choice {
    OPT_SRP_MOREGROUPS,
#endif
    OPT_SSL3, OPT_SSL_CONFIG,
    OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
    OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
    OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
    OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH,
        OPT_VERIFYCAPATH,
@@ -680,6 +680,9 @@ const OPTIONS s_client_options[] = {
#ifndef OPENSSL_NO_TLS1_2
    {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
#endif
#ifndef OPENSSL_NO_TLS1_3
    {"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
#endif
#ifndef OPENSSL_NO_DTLS
    {"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
    {"timeout", OPT_TIMEOUT, '-',
@@ -762,7 +765,7 @@ static const OPT_PAIR services[] = {

#define IS_PROT_FLAG(o) \
 (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
  || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
  || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)

/* Free |*dest| and optionally set it to a copy of |source|. */
static void freeandcopy(char **dest, const char *source)
@@ -1156,6 +1159,10 @@ int s_client_main(int argc, char **argv)
            min_version = SSL3_VERSION;
            max_version = SSL3_VERSION;
            break;
        case OPT_TLS1_3:
            min_version = TLS1_3_VERSION;
            max_version = TLS1_3_VERSION;
            break;
        case OPT_TLS1_2:
            min_version = TLS1_2_VERSION;
            max_version = TLS1_2_VERSION;
+9 −2
@@ -669,7 +669,7 @@ typedef enum OPTION_choice {
    OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
    OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
    OPT_SSL_CONFIG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
    OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
    OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
    OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN,
    OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
    OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
@@ -834,6 +834,9 @@ const OPTIONS s_server_options[] = {
#ifndef OPENSSL_NO_TLS1_2
    {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
#endif
#ifndef OPENSSL_NO_TLS1_3
    {"tls1_3", OPT_TLS1_3, '-', "just talk TLSv1.3"},
#endif
#ifndef OPENSSL_NO_DTLS
    {"dtls", OPT_DTLS, '-', "Use any DTLS version"},
    {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
@@ -868,7 +871,7 @@ const OPTIONS s_server_options[] = {

#define IS_PROT_FLAG(o) \
 (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
  || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
  || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)

int s_server_main(int argc, char *argv[])
{
@@ -1321,6 +1324,10 @@ int s_server_main(int argc, char *argv[])
            min_version = SSL3_VERSION;
            max_version = SSL3_VERSION;
            break;
        case OPT_TLS1_3:
            min_version = TLS1_3_VERSION;
            max_version = TLS1_3_VERSION;
            break;
        case OPT_TLS1_2:
            min_version = TLS1_2_VERSION;
            max_version = TLS1_2_VERSION;