From 6ad3add60654182a747f5971afb40817488ef0e8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:57:11 +0200
Subject: vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro
---
 RELEASE-NOTES                          | 1 +
 docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
 docs/libcurl/symbols-in-versions       | 1 +
 include/curl/curl.h                    | 1 +
 lib/vtls/darwinssl.c                   | 9 +++++++++
 lib/vtls/gskit.c                       | 3 +++
 lib/vtls/gtls.c                        | 6 ++++++
 lib/vtls/nss.c                         | 8 ++++++++
 lib/vtls/polarssl.c                    | 3 +++
 lib/vtls/schannel.c                    | 3 +++
 packages/OS400/curl.inc.in             | 2 ++
 11 files changed, 39 insertions(+)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 9a4737820..0917c683a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -9,6 +9,7 @@ Curl and libcurl 7.51.1
 This release includes the following changes:
 
  o nss: map CURL_SSLVERSION_DEFAULT to NSS default
+ o vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
  o
 
 This release includes the following bugfixes:
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 2f40e4631..1854af03c 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
 TLSv1.1 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_2
 TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
 .RE
 .SH DEFAULT
 CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index f6365ae11..a77fde440 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
 CURL_SSLVERSION_TLSv1_0         7.34.0
 CURL_SSLVERSION_TLSv1_1         7.34.0
 CURL_SSLVERSION_TLSv1_2         7.34.0
+CURL_SSLVERSION_TLSv1_3         7.51.1
 CURL_TIMECOND_IFMODSINCE        7.9.7
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
 CURL_TIMECOND_LASTMOD           7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 9c09cb966..03fcfebc3 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1805,6 +1805,7 @@ enum {
   CURL_SSLVERSION_TLSv1_0,
   CURL_SSLVERSION_TLSv1_1,
   CURL_SSLVERSION_TLSv1_2,
+  CURL_SSLVERSION_TLSv1_3,
 
   CURL_SSLVERSION_LAST /* never use, keep last */
 };
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 66e74f1ba..6aa30d451 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1071,6 +1071,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
         (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
         (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
         break;
+      case CURL_SSLVERSION_TLSv1_3:
+        failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+        return CURLE_SSL_CONNECT_ERROR;
       case CURL_SSLVERSION_SSLv3:
         err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
         if(err != noErr) {
@@ -1122,6 +1125,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                            kTLSProtocol12,
                                            true);
         break;
+      case CURL_SSLVERSION_TLSv1_3:
+        failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+        return CURLE_SSL_CONNECT_ERROR;
       case CURL_SSLVERSION_SSLv3:
         err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                            kSSLProtocol3,
@@ -1160,6 +1166,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     case CURL_SSLVERSION_TLSv1_2:
       failf(data, "Your version of the OS does not support TLSv1.2");
       return CURLE_SSL_CONNECT_ERROR;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "Your version of the OS does not support TLSv1.3");
+      return CURLE_SSL_CONNECT_ERROR;
     case CURL_SSLVERSION_SSLv2:
       err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                          kSSLProtocol2,
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 3b0cfd5a0..9760c93ab 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -639,6 +639,9 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
   case CURL_SSLVERSION_TLSv1_2:
     protoflags = CURL_GSKPROTO_TLSV12_MASK;
     break;
+  case CURL_SSLVERSION_TLSv1_3:
+    failf(data, "TLS 1.3 not yet supported");
+    return CURLE_SSL_CIPHER;
   }
 
   /* Process SNI. Ignore if not supported (on OS400 < V7R1). */
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 5c87c7fe3..d47d80fc5 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -569,6 +569,9 @@ gtls_connect_step1(struct connectdata *conn,
       break;
     case CURL_SSLVERSION_TLSv1_2:
       protocol_priority[0] = GNUTLS_TLS1_2;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "GnuTLS does not support TLSv1.3");
+      return CURLE_SSL_CONNECT_ERROR;
     break;
       case CURL_SSLVERSION_SSLv2:
     default:
@@ -607,6 +610,9 @@ gtls_connect_step1(struct connectdata *conn,
       prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
                      "+VERS-TLS1.2:" GNUTLS_SRP;
       break;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "GnuTLS does not support TLSv1.3");
+      return CURLE_SSL_CONNECT_ERROR;
     case CURL_SSLVERSION_SSLv2:
     default:
       failf(data, "GnuTLS does not support SSLv2");
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 5abb57427..5e5272727 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 #endif
     break;
 
+  case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+    return CURLE_OK;
+#endif
+    break;
+
   default:
     /* unsupported SSL/TLS version */
     break;
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 18b564e02..4e41315b6 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -306,6 +306,9 @@ polarssl_connect_step1(struct connectdata *conn,
                         SSL_MINOR_VERSION_3);
     infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
     break;
+  case CURL_SSLVERSION_TLSv1_3:
+    failf(data, "PolarSSL: TLS 1.3 is not yet supported");
+    return CURLE_SSL_CONNECT_ERROR;
   }
 
   ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index f731eebdc..63cb98a3c 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -213,6 +213,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
     case CURL_SSLVERSION_TLSv1_2:
       schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
       break;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "schannel: TLS 1.3 is not yet supported");
+      return CURLE_SSL_CONNECT_ERROR;
     case CURL_SSLVERSION_SSLv3:
       schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
       break;
diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
index 4176905a0..4028795ef 100644
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@@ -258,6 +258,8 @@
      d                 c                   5
      d CURL_SSLVERSION_TLSv1_2...
      d                 c                   6
+     d CURL_SSLVERSION_TLSv1_3...
+     d                 c                   7
       *
      d CURL_TLSAUTH_NONE...
      d                 c                   0
-- 
cgit v1.2.3