From: Steffan Karger
Date: Sun, 26 Nov 2017 14:15:54 +0000 (+0100)
Subject: Add support for TLS 1.3 in --tls-version-{min, max}
X-Git-Tag: v2.4.5~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59dbb8602f30d278bd152a4a736c2af8345368eb;p=thirdparty%2Fopenvpn.git

Add support for TLS 1.3 in --tls-version-{min, max}

Tested with the current openssl master branch for TLS 1.3 support. mbed TLS has no public builds with TLS 1.3 support yet, so nothing to do there right now.

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <20171126141555.25930-2-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15932.html
Signed-off-by: Gert Doering
(cherry picked from commit 8ca9eda119638a88863118affd69dfaf8b867c92)
---
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 0841cd099..19e28392c 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -530,6 +530,10 @@ tls_version_parse(const char *vstr, const char *extra)
 {
 return TLS_VER_1_2;
 }
+ else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
+ {
+ return TLS_VER_1_3;
+ }
 else if (extra && !strcmp(extra, "or-highest"))
 {
 return max_version;
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index bdef634a6..aa331df26 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -114,6 +114,7 @@ void tls_clear_error(void);
 #define TLS_VER_1_0 1
 #define TLS_VER_1_1 2
 #define TLS_VER_1_2 3
+#define TLS_VER_1_3 4
 int tls_version_parse(const char *vstr, const char *extra);
 /**
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 5e869f2cf..a484098f4 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
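Review bot: The new `else if` only recognises "1.3" when `TLS_VER_1_3 <= max_version`, so on a backend whose maximum is still 1.2 (the commit message says mbed TLS has no TLS 1.3 yet; `max_version` is presumably filled from tls_version_max() above the hunk) the string silently falls through to the `or-highest` branch and returns max_version, and otherwise to whatever rejection the chain ends with after the hunk. That matches how "1.2" already behaves on a TLS-1.1-only build, so it is a documentation point rather than a behaviour change, but nothing in the chain says so. I would add above the new branch: `/* "1.3" only matches when the backend can negotiate it; otherwise it falls through to "or-highest" or to the rejection below. */`. tls_version_parse() starts and ends outside this hunk.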
@@ -206,7 +206,9 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
 int
 tls_version_max(void)
 {
-#if defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
+#if defined(TLS1_3_VERSION)
+ return TLS_VER_1_3;
+#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
 return TLS_VER_1_2;
 #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
 return TLS_VER_1_1;
@@ -231,6 +233,12 @@ openssl_tls_version(int ver)
 {
 return TLS1_2_VERSION;
 }
+#if defined(TLS1_3_VERSION)
+ else if (ver == TLS_VER_1_3)
+ {
+ return TLS1_3_VERSION;
+ }
+#endif
 return 0;
 }
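Review bot: `#if defined(TLS1_3_VERSION)` only proves the header declares the protocol constant, not that the library can negotiate it: in the OpenSSL 1.1.1 line tls1.h defines `TLS1_3_VERSION` unconditionally, while a library configured with `no-tls1_3` advertises that through `OPENSSL_NO_TLS1_3` in opensslconf.h. Against such a build tls_version_max() would report TLS 1.3, `--tls-version-min 1.3` would be accepted at option parsing, and the mismatch would surface only as a handshake failure. I would make the new guard `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)`. The pre-existing 1.2 and 1.1 branches have the same blind spot, but the new branch is the one being added here. tls_version_max() ends outside this hunk.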
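Review bot: The `#if defined(TLS1_3_VERSION)` around the new `else if (ver == TLS_VER_1_3)` must stay identical to the feature test that lets tls_version_max() return TLS_VER_1_3; if the two ever diverge, tls_version_parse() can accept "1.3" while this function returns 0 for it, and what callers do with a 0 protocol version is not visible here. Since OpenSSL can be built with `no-tls1_3` while still defining `TLS1_3_VERSION`, the condition that belongs in both places is `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)`. A one-line comment above the `#if`, `/* keep this condition in sync with tls_version_max() */`, would make the coupling explicit. openssl_tls_version() begins before this hunk; its closing brace is the hunk's last line.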