GnutTLS: TLS 1.3 support

Closes #2971
2018-09-10 22:35:38 +04:00 · 2018-09-10 22:35:38 +04:00 · 9bdadbbdee
parent e968029b4d
commit 9bdadbbdee
1 changed files with 62 additions and 9 deletions
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@ -94,6 +94,10 @@ static bool gtls_inited = FALSE;
 #  endif
 #endif

+#if (GNUTLS_VERSION_NUMBER >= 0x030603)
+#define HAS_TLS13
+#endif
+
 #ifdef HAS_OCSP
 # include <gnutls/ocsp.h>
 #endif
@ -391,6 +395,9 @@ set_ssl_version_min_max(int *list, size_t list_size, struct connectdata *conn)
  switch(ssl_version_max) {
    case CURL_SSLVERSION_MAX_NONE:
    case CURL_SSLVERSION_MAX_DEFAULT:
+#ifdef HAS_TLS13
+      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
+#endif
      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
      break;
  }
@ -408,8 +415,13 @@ set_ssl_version_min_max(int *list, size_t list_size, struct connectdata *conn)
        protocol_priority[protocol_priority_idx++] = GNUTLS_TLS1_2;
        break;
      case CURL_SSLVERSION_TLSv1_3:
+#ifdef HAS_TLS13
+        protocol_priority[protocol_priority_idx++] = GNUTLS_TLS1_3;
+        break;
+#else
        failf(data, "GnuTLS: TLS 1.3 is not yet supported");
        return CURLE_SSL_CONNECT_ERROR;
+#endif
    }
  }
  return CURLE_OK;
@ -427,11 +439,7 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
  struct Curl_easy *data = conn->data;
  long ssl_version = SSL_CONN_CONFIG(version);
  long ssl_version_max = SSL_CONN_CONFIG(version_max);
-  if(ssl_version == CURL_SSLVERSION_TLSv1_3 ||
-     ssl_version_max == CURL_SSLVERSION_MAX_TLSv1_3) {
-    failf(data, "GnuTLS: TLS 1.3 is not yet supported");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
+
  if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
    ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
  }
@ -445,7 +453,6 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
                      "+VERS-TLS1.0:+VERS-TLS1.1:" GNUTLS_SRP;
      return CURLE_OK;
    case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2:
-    case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:
      *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
                      "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:" GNUTLS_SRP;
      return CURLE_OK;
@ -454,15 +461,54 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
                      "+VERS-TLS1.1:" GNUTLS_SRP;
      return CURLE_OK;
    case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2:
-    case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT:
      *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
                      "+VERS-TLS1.1:+VERS-TLS1.2:" GNUTLS_SRP;
      return CURLE_OK;
    case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
-    case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT:
      *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
                      "+VERS-TLS1.2:" GNUTLS_SRP;
      return CURLE_OK;
+    case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_TLSv1_3:
+#ifdef HAS_TLS13
+       *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+                       "+VERS-TLS1.3:" GNUTLS_SRP;
+      return CURLE_OK;
+#else
+       failf(data, "GnuTLS: TLS 1.3 is not yet supported");
+      return CURLE_SSL_CONNECT_ERROR;
+#endif
+    case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:
+      *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+                      "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:"
+#ifdef HAS_TLS13
+                      "+VERS-TLS1.3:"
+#endif
+                      GNUTLS_SRP;
+      return CURLE_OK;
+    case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT:
+      *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+                      "+VERS-TLS1.1:+VERS-TLS1.2:"
+#ifdef HAS_TLS13
+                      "+VERS-TLS1.3:"
+#endif
+                      GNUTLS_SRP;
+      return CURLE_OK;
+    case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT:
+      *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+                      "+VERS-TLS1.2:"
+#ifdef HAS_TLS13
+                      "+VERS-TLS1.3:"
+#endif
+                      GNUTLS_SRP;
+      return CURLE_OK;
+    case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT:
+      *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+                      "+VERS-TLS1.2:"
+#ifdef HAS_TLS13
+                      "+VERS-TLS1.3:"
+#endif
+                      GNUTLS_SRP;
+      return CURLE_OK;
  }

  failf(data, "GnuTLS: cannot set ssl protocol");
@ -675,6 +721,9 @@ gtls_connect_step1(struct connectdata *conn,
      protocol_priority[0] = GNUTLS_TLS1_0;
      protocol_priority[1] = GNUTLS_TLS1_1;
      protocol_priority[2] = GNUTLS_TLS1_2;
+#ifdef HAS_TLS13
+      protocol_priority[3] = GNUTLS_TLS1_3;
+#endif
      break;
    case CURL_SSLVERSION_TLSv1_0:
    case CURL_SSLVERSION_TLSv1_1:
@ -711,7 +760,11 @@ gtls_connect_step1(struct connectdata *conn,
      break;
    case CURL_SSLVERSION_DEFAULT:
    case CURL_SSLVERSION_TLSv1:
-      prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:" GNUTLS_SRP;
+      prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:"
+#ifdef HAS_TLS13
+                     "+VERS-TLS1.3:"
+#endif
+                     GNUTLS_SRP;
      break;
    case CURL_SSLVERSION_TLSv1_0:
    case CURL_SSLVERSION_TLSv1_1: