curl-library
[PATCH 2/3] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 27 Oct 2016 15:25:56 +0200
Date: Thu, 27 Oct 2016 15:25:56 +0200
Fully implemented with the NSS backend only for now.
---
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
docs/libcurl/symbols-in-versions | 1 +
include/curl/curl.h | 1 +
lib/vtls/darwinssl.c | 9 +++++++++
lib/vtls/gskit.c | 3 +++
lib/vtls/gtls.c | 6 ++++++
lib/vtls/nss.c | 8 ++++++++
lib/vtls/polarssl.c | 3 +++
lib/vtls/schannel.c | 3 +++
9 files changed, 36 insertions(+)
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 2f40e46..1854af0 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index f6365ae..a77fde4 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
CURL_SSLVERSION_TLSv1_0 7.34.0
CURL_SSLVERSION_TLSv1_1 7.34.0
CURL_SSLVERSION_TLSv1_2 7.34.0
+CURL_SSLVERSION_TLSv1_3 7.51.1
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 9c09cb9..03fcfeb 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1805,6 +1805,7 @@ enum {
CURL_SSLVERSION_TLSv1_0,
CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2,
+ CURL_SSLVERSION_TLSv1_3,
CURL_SSLVERSION_LAST /* never use, keep last */
};
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 66e74f1..6aa30d4 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1071,6 +1071,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
break;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+ return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv3:
err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
if(err != noErr) {
@@ -1122,6 +1125,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
kTLSProtocol12,
true);
break;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+ return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv3:
err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocol3,
@@ -1160,6 +1166,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_TLSv1_2:
failf(data, "Your version of the OS does not support TLSv1.2");
return CURLE_SSL_CONNECT_ERROR;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "Your version of the OS does not support TLSv1.3");
+ return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv2:
err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocol2,
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 1a1464b..9bdb9c0 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -639,6 +639,9 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1_2:
protoflags = CURL_GSKPROTO_TLSV12_MASK;
break;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "TLS 1.3 not yet supported");
+ return CURLE_SSL_CIPHER;
}
/* Process SNI. Ignore if not supported (on OS400 < V7R1). */
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 3b056c4..e8f3176 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -569,6 +569,9 @@ gtls_connect_step1(struct connectdata *conn,
break;
case CURL_SSLVERSION_TLSv1_2:
protocol_priority[0] = GNUTLS_TLS1_2;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "GnuTLS does not support TLSv1.3");
+ return CURLE_SSL_CONNECT_ERROR;
break;
case CURL_SSLVERSION_SSLv2:
default:
@@ -607,6 +610,9 @@ gtls_connect_step1(struct connectdata *conn,
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.2:" GNUTLS_SRP;
break;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "GnuTLS does not support TLSv1.3");
+ return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv2:
default:
failf(data, "GnuTLS does not support SSLv2");
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index d57b6a5..d999958 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1536,6 +1536,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
#endif
break;
+ case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+ return CURLE_OK;
+#endif
+ break;
+
default:
/* unsupported SSL/TLS version */
break;
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 4948392..d94a04c 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -306,6 +306,9 @@ polarssl_connect_step1(struct connectdata *conn,
SSL_MINOR_VERSION_3);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
break;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "PolarSSL: TLS 1.3 is not yet supported");
+ return CURLE_SSL_CONNECT_ERROR;
}
ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index f731eeb..63cb98a 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -213,6 +213,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1_2:
schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
break;
+ case CURL_SSLVERSION_TLSv1_3:
+ failf(data, "schannel: TLS 1.3 is not yet supported");
+ return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv3:
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
break;
--
2.7.4
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-10-27