Add the SSL_METHOD for TLSv1.3 and all other base changes required

Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).
Reviewed-by: NRich Salz <rsalz@openssl.org>

apps/apps.h

@@ -210,7 +210,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
 # define OPT_S_ENUM \
         OPT_S__FIRST=3000, \
         OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
-        OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
+        OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
         OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
         OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
         OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
@@ -222,6 +222,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
         {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
         {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
         {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
+        {"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, \
         {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
         {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
         {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
@@ -259,6 +260,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
         case OPT_S_NOTLS1: \
         case OPT_S_NOTLS1_1: \
         case OPT_S_NOTLS1_2: \
+        case OPT_S_NOTLS1_3: \
         case OPT_S_BUGS: \
         case OPT_S_NO_COMP: \
         case OPT_S_COMP: \
@@ -279,7 +281,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
 
 #define IS_NO_PROT_FLAG(o) \
  (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
-  || o == OPT_S_NOTLS1_2)
+  || o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
 
 /*
  * Option parsing.

apps/ciphers.c

@@ -21,6 +21,7 @@ typedef enum OPTION_choice {
     OPT_TLS1,
     OPT_TLS1_1,
     OPT_TLS1_2,
+    OPT_TLS1_3,
     OPT_PSK,
     OPT_SRP,
     OPT_V, OPT_UPPER_V, OPT_S
@@ -43,6 +44,9 @@ const OPTIONS ciphers_options[] = {
 #ifndef OPENSSL_NO_TLS1_2
     {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
 #endif
+#ifndef OPENSSL_NO_TLS1_3
+    {"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"},
+#endif
 #ifndef OPENSSL_NO_SSL_TRACE
     {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
 #endif
@@ -135,6 +139,10 @@ int ciphers_main(int argc, char **argv)
             min_version = TLS1_2_VERSION;
             max_version = TLS1_2_VERSION;
             break;
+        case OPT_TLS1_3:
+            min_version = TLS1_3_VERSION;
+            max_version = TLS1_3_VERSION;
+            break;
         case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
             psk = 1;

apps/s_cb.c

@@ -453,6 +453,7 @@ static STRINT_PAIR ssl_versions[] = {
     {"TLS 1.0", TLS1_VERSION},
     {"TLS 1.1", TLS1_1_VERSION},
     {"TLS 1.2", TLS1_2_VERSION},
+    {"TLS 1.3", TLS1_3_VERSION},
     {"DTLS 1.0", DTLS1_VERSION},
     {"DTLS 1.0 (bad)", DTLS1_BAD_VER},
     {NULL}
@@ -522,6 +523,7 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
         version == TLS1_VERSION ||
         version == TLS1_1_VERSION ||
         version == TLS1_2_VERSION ||
+        version == TLS1_3_VERSION ||
         version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
         switch (content_type) {
         case 20:

apps/s_client.c

@@ -539,7 +539,7 @@ typedef enum OPTION_choice {
     OPT_SRP_MOREGROUPS,
 #endif
     OPT_SSL3, OPT_SSL_CONFIG,
-    OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
+    OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
     OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
     OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH,
         OPT_VERIFYCAPATH,
@@ -680,6 +680,9 @@ const OPTIONS s_client_options[] = {
 #ifndef OPENSSL_NO_TLS1_2
     {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
 #endif
+#ifndef OPENSSL_NO_TLS1_3
+    {"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
+#endif
 #ifndef OPENSSL_NO_DTLS
     {"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
     {"timeout", OPT_TIMEOUT, '-',
@@ -762,7 +765,7 @@ static const OPT_PAIR services[] = {
 
 #define IS_PROT_FLAG(o) \
  (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
-  || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
+  || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
 
 /* Free |*dest| and optionally set it to a copy of |source|. */
 static void freeandcopy(char **dest, const char *source)
@@ -1156,6 +1159,10 @@ int s_client_main(int argc, char **argv)
             min_version = SSL3_VERSION;
             max_version = SSL3_VERSION;
             break;
+        case OPT_TLS1_3:
+            min_version = TLS1_3_VERSION;
+            max_version = TLS1_3_VERSION;
+            break;
         case OPT_TLS1_2:
             min_version = TLS1_2_VERSION;
             max_version = TLS1_2_VERSION;

apps/s_server.c

@@ -669,7 +669,7 @@ typedef enum OPTION_choice {
     OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
     OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
     OPT_SSL_CONFIG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
-    OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
+    OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
     OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN,
     OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
     OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
@@ -834,6 +834,9 @@ const OPTIONS s_server_options[] = {
 #ifndef OPENSSL_NO_TLS1_2
     {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
 #endif
+#ifndef OPENSSL_NO_TLS1_3
+    {"tls1_3", OPT_TLS1_3, '-', "just talk TLSv1.3"},
+#endif
 #ifndef OPENSSL_NO_DTLS
     {"dtls", OPT_DTLS, '-', "Use any DTLS version"},
     {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
@@ -868,7 +871,7 @@ const OPTIONS s_server_options[] = {
 
 #define IS_PROT_FLAG(o) \
  (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
-  || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
+  || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
 
 int s_server_main(int argc, char *argv[])
 {
@@ -1321,6 +1324,10 @@ int s_server_main(int argc, char *argv[])
             min_version = SSL3_VERSION;
             max_version = SSL3_VERSION;
             break;
+        case OPT_TLS1_3:
+            min_version = TLS1_3_VERSION;
+            max_version = TLS1_3_VERSION;
+            break;
         case OPT_TLS1_2:
             min_version = TLS1_2_VERSION;
             max_version = TLS1_2_VERSION;

doc/man1/ciphers.pod

@@ -15,6 +15,7 @@ B<openssl> B<ciphers>
 [B<-tls1>]
 [B<-tls1_1>]
 [B<-tls1_2>]
+[B<-tls1_3>]
 [B<-s>]
 [B<-psk>]
 [B<-srp>]
@@ -69,6 +70,11 @@ L<SSL_CIPHER_description(3)>.
 
 Like B<-v>, but include the official cipher suite values in hex.
 
+=item B<-tls1_3>
+
+In combination with the B<-s> option, list the ciphers which would be used if
+TLSv1.3 were negotiated.
+
 =item B<-tls1_2>
 
 In combination with the B<-s> option, list the ciphers which would be used if

doc/man1/s_client.pod

@@ -68,10 +68,12 @@ B<openssl> B<s_client>
 [B<-tls1>]
 [B<-tls1_1>]
 [B<-tls1_2>]
+[B<-tls1_3>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_tls1_1>]
 [B<-no_tls1_2>]
+[B<-no_tls1_3>]
 [B<-dtls>]
 [B<-dtls1>]
 [B<-dtls1_2>]
@@ -336,7 +338,7 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
 
 These options require or disable the use of the specified SSL or TLS protocols.
 By default B<s_client> will negotiate the highest mutually supported protocol

doc/man1/s_server.pod

@@ -69,6 +69,9 @@ B<openssl> B<s_server>
 [B<-quiet>]
 [B<-ssl3>]
 [B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-tls1_3>]
 [B<-dtls>]
 [B<-dtls1>]
 [B<-dtls1_2>]
@@ -81,6 +84,7 @@ B<openssl> B<s_server>
 [B<-no_tls1>]
 [B<-no_tls1_1>]
 [B<-no_tls1_2>]
+[B<-no_tls1_3>]
 [B<-no_dhe>]
 [B<-bugs>]
 [B<-comp>]
@@ -295,7 +299,7 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
 
 These options require or disable the use of the specified SSL or TLS protocols.
 By default B<s_server> will negotiate the highest mutually supported protocol

doc/man3/SSL_CONF_cmd.pod

@@ -121,12 +121,13 @@ if specified.
 To restrict the supported protocol versions use these commands rather
 than the deprecated alternative commands below.
 
-=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
 
-Disables protocol support for SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2 by setting the
-corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1>
-and B<SSL_OP_NO_TLSv1_2> respectively.
-These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>.
+Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
+setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
+B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
+respectively. These options are deprecated, instead use B<-min_protocol> and
+B<-max_protocol>.
 
 =item B<-bugs>
 

doc/man3/SSL_CTX_new.pod

@@ -156,12 +156,12 @@ and be able to negotiate with all possible clients, but to only
 allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
 
 The list of protocols available can also be limited using the
-B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1> and
-B<SSL_OP_NO_TLSv1_2> options of the L<SSL_CTX_set_options(3)> or
-L<SSL_set_options(3)> functions, but this approach is not recommended.
-Clients should avoid creating "holes" in the set of protocols they support.
-When disabling a protocol, make sure that you also disable either all previous
-or all subsequent protocol versions.
+B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1>,
+B<SSL_OP_NO_TLSv1_3> and B<SSL_OP_NO_TLSv1_2> options of the
+L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions, but this approach
+is not recommended. Clients should avoid creating "holes" in the set of
+protocols they support. When disabling a protocol, make sure that you also
+disable either all previous or all subsequent protocol versions.
 In clients, when a protocol version is disabled without disabling I<all>
 previous protocol versions, the effect is to also disable all subsequent
 protocol versions.

doc/man3/SSL_CTX_set_min_proto_version.pod

@@ -29,8 +29,8 @@ versions down to the lowest version, or up to the highest version
 supported by the library, respectively.
 
 Currently supported versions are B<SSL3_VERSION>, B<TLS1_VERSION>,
-B<TLS1_1_VERSION>, B<TLS1_2_VERSION> for TLS and B<DTLS1_VERSION>,
-B<DTLS1_2_VERSION> for DTLS.
+B<TLS1_1_VERSION>, B<TLS1_2_VERSION>, B<TLS1_3_VERSION> for TLS and
+B<DTLS1_VERSION>, B<DTLS1_2_VERSION> for DTLS.
 
 =head1 RETURN VALUES
 

doc/man3/SSL_CTX_set_options.pod

@@ -155,9 +155,9 @@ own preferences.
 
 
 =item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1,
-SSL_OP_NO_TLSv1_2, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
+SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
 
-These options turn off the SSLv3, TLSv1, TLSv1.1 or TLSv1.2 protocol
+These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol
 versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS,
 respectively.
 As of OpenSSL 1.1.0, these options are deprecated, use

include/openssl/ssl.h

@@ -343,12 +343,13 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
 # define SSL_OP_NO_TLSv1                                 0x04000000U
 # define SSL_OP_NO_TLSv1_2                               0x08000000U
 # define SSL_OP_NO_TLSv1_1                               0x10000000U
+# define SSL_OP_NO_TLSv1_3                               0x20000000U
 
 # define SSL_OP_NO_DTLSv1                                0x04000000U
 # define SSL_OP_NO_DTLSv1_2                              0x08000000U
 
 # define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
-        SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
+        SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
 # define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
 
 

include/openssl/tls1.h

@@ -65,7 +65,8 @@ extern "C" {
 # define TLS1_VERSION                    0x0301
 # define TLS1_1_VERSION                  0x0302
 # define TLS1_2_VERSION                  0x0303
-# define TLS_MAX_VERSION                 TLS1_2_VERSION
+# define TLS1_3_VERSION                  0x0304
+# define TLS_MAX_VERSION                 TLS1_3_VERSION
 
 /* Special value for method supporting multiple versions */
 # define TLS_ANY_VERSION                 0x10000
@@ -599,6 +600,9 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_DHE_PSK_WITH_CHACHA20_POLY1305           0x0300CCAD
 # define TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305           0x0300CCAE
 
+/* TLS v1.3 ciphersuites */
+# define TLS1_3_CK_AES_128_GCM_SHA256                     0x03000D01
+
 /*
  * XXX Backward compatibility alert: Older versions of OpenSSL gave some DHE
  * ciphers names with "EDH" instead of "DHE".  Going forward, we should be
@@ -868,6 +872,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_TXT_DHE_PSK_WITH_CHACHA20_POLY1305           "DHE-PSK-CHACHA20-POLY1305"
 # define TLS1_TXT_RSA_PSK_WITH_CHACHA20_POLY1305           "RSA-PSK-CHACHA20-POLY1305"
 
+/* TLSv1.3 ciphersuites */
+/*
+ * TODO(TLS1.3): Review the naming scheme for TLSv1.3 ciphers and also the
+ * cipherstring selection process for these ciphers
+ */
+# define TLS1_3_TXT_AES_128_GCM_SHA256                     "TLS13-AES-128-GCM-SHA256"
+
 # define TLS_CT_RSA_SIGN                 1
 # define TLS_CT_DSS_SIGN                 2
 # define TLS_CT_RSA_FIXED_DH             3

ssl/methods.c

@@ -19,6 +19,12 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
                         TLS_method,
                         ossl_statem_accept,
                         ossl_statem_connect, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_3_METHOD
+IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3,
+                        tlsv1_3_method,
+                        ossl_statem_accept,
+                        ossl_statem_connect, TLSv1_3_enc_data)
+#endif
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
                         tlsv1_2_method,
@@ -46,6 +52,12 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
                         TLS_server_method,
                         ossl_statem_accept,
                         ssl_undefined_function, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_3_METHOD
+IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3,
+                        tlsv1_3_server_method,
+                        ossl_statem_accept,
+                        ssl_undefined_function, TLSv1_3_enc_data)
+#endif
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
                         tlsv1_2_server_method,
@@ -75,6 +87,12 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
                         TLS_client_method,
                         ssl_undefined_function,
                         ossl_statem_connect, TLSv1_2_enc_data)
+#ifndef OPENSSL_NO_TLS1_3_METHOD
+IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3,
+                        tlsv1_3_client_method,
+                        ssl_undefined_function,
+                        ossl_statem_connect, TLSv1_3_enc_data)
+#endif
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
                         tlsv1_2_client_method,

ssl/s3_lib.c

@@ -834,6 +834,21 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+    {
+     1,
+     TLS1_3_TXT_AES_128_GCM_SHA256,
+     TLS1_3_CK_AES_128_GCM_SHA256,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES128GCM,
+     SSL_AEAD,
+     TLS1_3_VERSION, TLS1_3_VERSION,
+     0, 0,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
 
 #ifndef OPENSSL_NO_EC
     {

ssl/ssl_conf.c

@@ -257,6 +257,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
         SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
         SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
         SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
+        SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3),
         SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
         SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
     };
@@ -282,6 +283,7 @@ static int protocol_from_string(const char *value)
         {"TLSv1", TLS1_VERSION},
         {"TLSv1.1", TLS1_1_VERSION},
         {"TLSv1.2", TLS1_2_VERSION},
+        {"TLSv1.3", TLS1_3_VERSION},
         {"DTLSv1", DTLS1_VERSION},
         {"DTLSv1.2", DTLS1_2_VERSION}
     };
@@ -526,6 +528,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
     SSL_CONF_CMD_SWITCH("no_tls1", 0),
     SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
     SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
+    SSL_CONF_CMD_SWITCH("no_tls1_3", 0),
     SSL_CONF_CMD_SWITCH("bugs", 0),
     SSL_CONF_CMD_SWITCH("no_comp", 0),
     SSL_CONF_CMD_SWITCH("comp", 0),
@@ -583,6 +586,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
     {SSL_OP_NO_TLSv1, 0},       /* no_tls1 */
     {SSL_OP_NO_TLSv1_1, 0},     /* no_tls1_1 */
     {SSL_OP_NO_TLSv1_2, 0},     /* no_tls1_2 */
+    {SSL_OP_NO_TLSv1_3, 0},     /* no_tls1_3 */
     {SSL_OP_ALL, 0},            /* bugs */
     {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
     {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */

ssl/ssl_lib.c

@@ -3072,7 +3072,9 @@ const SSL_METHOD *ssl_bad_method(int ver)
 
 const char *ssl_protocol_to_string(int version)
 {
-    if (version == TLS1_2_VERSION)
+    if (version == TLS1_3_VERSION)
+        return "TLSv1.3";
+    else if (version == TLS1_2_VERSION)
         return "TLSv1.2";
     else if (version == TLS1_1_VERSION)
         return "TLSv1.1";

ssl/ssl_locl.h

@@ -1641,6 +1641,9 @@ __owur const SSL_METHOD *tlsv1_1_client_method(void);
 __owur const SSL_METHOD *tlsv1_2_method(void);
 __owur const SSL_METHOD *tlsv1_2_server_method(void);
 __owur const SSL_METHOD *tlsv1_2_client_method(void);
+__owur const SSL_METHOD *tlsv1_3_method(void);
+__owur const SSL_METHOD *tlsv1_3_server_method(void);
+__owur const SSL_METHOD *tlsv1_3_client_method(void);
 __owur const SSL_METHOD *dtlsv1_method(void);
 __owur const SSL_METHOD *dtlsv1_server_method(void);
 __owur const SSL_METHOD *dtlsv1_client_method(void);
@@ -1652,6 +1655,7 @@ __owur const SSL_METHOD *dtlsv1_2_client_method(void);
 extern const SSL3_ENC_METHOD TLSv1_enc_data;
 extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
 extern const SSL3_ENC_METHOD TLSv1_2_enc_data;
+extern const SSL3_ENC_METHOD TLSv1_3_enc_data;
 extern const SSL3_ENC_METHOD SSLv3_enc_data;
 extern const SSL3_ENC_METHOD DTLSv1_enc_data;
 extern const SSL3_ENC_METHOD DTLSv1_2_enc_data;

ssl/ssl_sess.c

@@ -320,6 +320,9 @@ int ssl_get_new_session(SSL *s, int session)
         } else if (s->version == TLS1_2_VERSION) {
             ss->ssl_version = TLS1_2_VERSION;
             ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
+        } else if (s->version == TLS1_3_VERSION) {
+            ss->ssl_version = TLS1_3_VERSION;
+            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
         } else if (s->version == DTLS1_BAD_VER) {
             ss->ssl_version = DTLS1_BAD_VER;
             ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;

ssl/statem/statem_lib.c

@@ -647,11 +647,16 @@ typedef struct {
     const SSL_METHOD *(*smeth) (void);
 } version_info;
 
-#if TLS_MAX_VERSION != TLS1_2_VERSION
-# error Code needs update for TLS_method() support beyond TLS1_2_VERSION.
+#if TLS_MAX_VERSION != TLS1_3_VERSION
+# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
 #endif
 
 static const version_info tls_version_table[] = {
+#ifndef OPENSSL_NO_TLS1_3
+    {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
+#else
+    {TLS1_3_VERSION, NULL, NULL},
+#endif
 #ifndef OPENSSL_NO_TLS1_2
     {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
 #else

ssl/t1_lib.c

@@ -84,6 +84,26 @@ SSL3_ENC_METHOD const TLSv1_2_enc_data = {
     ssl3_handshake_write
 };
 
+SSL3_ENC_METHOD const TLSv1_3_enc_data = {
+    tls1_enc,
+    tls1_mac,
+    tls1_setup_key_block,
+    tls1_generate_master_secret,
+    tls1_change_cipher_state,
+    tls1_final_finish_mac,
+    TLS1_FINISH_MAC_LENGTH,
+    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
+    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
+    tls1_alert_code,
+    tls1_export_keying_material,
+    SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
+        | SSL_ENC_FLAG_TLS1_2_CIPHERS,
+    SSL3_HM_HEADER_LENGTH,
+    ssl3_set_handshake_header,
+    tls_close_construct_packet,
+    ssl3_handshake_write
+};
+
 long tls1_default_timeout(void)
 {
     /*

ssl/t1_trce.c

@@ -61,6 +61,7 @@ static ssl_trace_tbl ssl_version_tbl[] = {
     {TLS1_VERSION, "TLS 1.0"},
     {TLS1_1_VERSION, "TLS 1.1"},
     {TLS1_2_VERSION, "TLS 1.2"},
+    {TLS1_3_VERSION, "TLS 1.3"},
     {DTLS1_VERSION, "DTLS 1.0"},
     {DTLS1_2_VERSION, "DTLS 1.2"},
     {DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
@@ -422,6 +423,7 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = {
     {0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305"},
     {0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305"},
     {0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305"},
+    {0x0D01, "TLS_AES_128_GCM_SHA256"},
     {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
     {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
 };

test/cipherlist_test.c

@@ -107,10 +107,14 @@ static const uint32_t default_ciphers_in_order[] = {
 #ifndef OPENSSL_NO_TLS1_2
     TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
     TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
+#endif
+#ifndef OPENSSL_NO_TLS1_3
+    TLS1_3_CK_AES_128_GCM_SHA256,
+#endif
+#ifndef OPENSSL_NO_TLS1_2
     TLS1_CK_RSA_WITH_AES_256_SHA256,
     TLS1_CK_RSA_WITH_AES_128_SHA256,
 #endif
-
     TLS1_CK_RSA_WITH_AES_256_SHA,
     TLS1_CK_RSA_WITH_AES_128_SHA,
 };

test/recipes/80-test_ssl_old.t

@@ -21,10 +21,10 @@ setup("test_ssl");
 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
 
 my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
-    $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2,
+    $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3,
     $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
     anydisabled qw/rsa dsa dh ec srp psk
-                   ssl3 tls1 tls1_1 tls1_2
+                   ssl3 tls1 tls1_1 tls1_2 tls1_3
                    dtls dtls1 dtls1_2 ct/;
 my $no_anytls = alldisabled(available_protocols("tls"));
 my $no_anydtls = alldisabled(available_protocols("dtls"));
@@ -446,6 +446,7 @@ sub testssl {
 
 	my @protocols = ();
 	# FIXME: I feel unsure about the following line, is that really just TLSv1.2, or is it all of the SSLv3/TLS protocols?
+        push(@protocols, "TLSv1.3") unless $no_tls1_3;
         push(@protocols, "TLSv1.2") unless $no_tls1_2;
         push(@protocols, "SSLv3") unless $no_ssl3;
 	my $protocolciphersuitcount = 0;
@@ -463,22 +464,27 @@ sub testssl {
 
         # The count of protocols is because in addition to the ciphersuits
         # we got above, we're running a weak DH test for each protocol
-	plan tests => $protocolciphersuitcount + scalar(@protocols);
-
-	foreach my $protocol (@protocols) {
-	    note "Testing ciphersuites for $protocol";
-	    foreach my $cipher (@{$ciphersuites{$protocol}}) {
-		ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
-			     $protocol eq "SSLv3" ? ("-ssl3") : ()])),
-		   "Testing $cipher");
-	    }
+        plan tests => $protocolciphersuitcount + scalar(@protocols);
+
+        foreach my $protocol (@protocols) {
+            note "Testing ciphersuites for $protocol";
+            my $flag = "";
+            if ($protocol eq "SSLv3") {
+                $flag = "-ssl3";
+            } elsif ($protocol eq "TLSv1.2") {
+                $flag = "-tls1_2";
+            }
+            foreach my $cipher (@{$ciphersuites{$protocol}}) {
+                ok(run(test([@ssltest, @exkeys, "-cipher", $cipher, $flag])),
+                "Testing $cipher");
+            }
             is(run(test([@ssltest,
                          "-s_cipher", "EDH",
                          "-c_cipher", 'EDH:@SECLEVEL=1',
                          "-dhe512",
                          $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0,
                "testing connection with weak DH, expecting failure");
-	}
+        }
     };
 
     subtest 'RSA/(EC)DHE/PSK tests' => sub {

test/ssl-tests/13-fragmentation.conf

@@ -267,6 +267,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [10-large-app-data-aes-sha1-multibuffer-client]
 CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -291,6 +292,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [11-large-app-data-aes-sha2-multibuffer-client]
 CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -315,6 +317,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [12-large-app-data-aes-sha1-multibuffer-odd-fragment-client]
 CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -339,6 +342,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [13-large-app-data-aes-sha2-multibuffer-odd-fragment-client]
 CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -363,6 +367,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [14-small-app-data-aes-sha1-multibuffer-client]
 CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -387,6 +392,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [15-small-app-data-aes-sha2-multibuffer-client]
 CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 

test/ssl-tests/13-fragmentation.conf.in

@@ -114,6 +114,7 @@ our @tests = (
         server => { },
         client => {
             CipherString => "AES128-SHA",
+            MaxProtocol => "TLSv1.2"
         },
         test => {
             ApplicationData => 1024 * 1024,
@@ -125,6 +126,7 @@ our @tests = (
         server => { },
         client => {
             CipherString => "AES128-SHA256",
+            MaxProtocol => "TLSv1.2"
         },
         test => {
             ApplicationData => 1024 * 1024,
@@ -136,6 +138,7 @@ our @tests = (
         server => { },
         client => {
             CipherString => "AES128-SHA",
+            MaxProtocol => "TLSv1.2"
         },
         test => {
             ApplicationData => 1024 * 1024 + 3,
@@ -147,6 +150,7 @@ our @tests = (
         server => { },
         client => {
             CipherString => "AES128-SHA256",
+            MaxProtocol => "TLSv1.2"
         },
         test => {
             ApplicationData => 1024 * 1024 - 3,
@@ -161,6 +165,7 @@ our @tests = (
         server => { },
         client => {
             CipherString => "AES128-SHA",
+            MaxProtocol => "TLSv1.2"
         },
         test => {
             ApplicationData => 4 * 1024,
@@ -172,6 +177,7 @@ our @tests = (
         server => { },
         client => {
             CipherString => "AES128-SHA256",
+            MaxProtocol => "TLSv1.2"
         },
         test => {
             ApplicationData => 4 * 1024,

test/ssl-tests/14-curves.conf

@@ -44,6 +44,7 @@ client = 0-curve-sect163k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect163k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [0-curve-sect163k1-client]
@@ -69,6 +70,7 @@ client = 1-curve-sect163r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect163r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [1-curve-sect163r1-client]
@@ -94,6 +96,7 @@ client = 2-curve-sect163r2-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect163r2
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [2-curve-sect163r2-client]
@@ -119,6 +122,7 @@ client = 3-curve-sect193r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect193r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [3-curve-sect193r1-client]
@@ -144,6 +148,7 @@ client = 4-curve-sect193r2-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect193r2
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [4-curve-sect193r2-client]
@@ -169,6 +174,7 @@ client = 5-curve-sect233k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect233k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [5-curve-sect233k1-client]
@@ -194,6 +200,7 @@ client = 6-curve-sect233r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect233r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [6-curve-sect233r1-client]
@@ -219,6 +226,7 @@ client = 7-curve-sect239k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect239k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [7-curve-sect239k1-client]
@@ -244,6 +252,7 @@ client = 8-curve-sect283k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect283k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [8-curve-sect283k1-client]
@@ -269,6 +278,7 @@ client = 9-curve-sect283r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect283r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [9-curve-sect283r1-client]
@@ -294,6 +304,7 @@ client = 10-curve-sect409k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect409k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [10-curve-sect409k1-client]
@@ -319,6 +330,7 @@ client = 11-curve-sect409r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect409r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [11-curve-sect409r1-client]
@@ -344,6 +356,7 @@ client = 12-curve-sect571k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect571k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [12-curve-sect571k1-client]
@@ -369,6 +382,7 @@ client = 13-curve-sect571r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = sect571r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [13-curve-sect571r1-client]
@@ -394,6 +408,7 @@ client = 14-curve-secp160k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp160k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [14-curve-secp160k1-client]
@@ -419,6 +434,7 @@ client = 15-curve-secp160r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp160r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [15-curve-secp160r1-client]
@@ -444,6 +460,7 @@ client = 16-curve-secp160r2-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp160r2
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [16-curve-secp160r2-client]
@@ -469,6 +486,7 @@ client = 17-curve-secp192k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp192k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [17-curve-secp192k1-client]
@@ -494,6 +512,7 @@ client = 18-curve-prime192v1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = prime192v1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [18-curve-prime192v1-client]
@@ -519,6 +538,7 @@ client = 19-curve-secp224k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp224k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [19-curve-secp224k1-client]
@@ -544,6 +564,7 @@ client = 20-curve-secp224r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp224r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [20-curve-secp224r1-client]
@@ -569,6 +590,7 @@ client = 21-curve-secp256k1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp256k1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [21-curve-secp256k1-client]
@@ -594,6 +616,7 @@ client = 22-curve-prime256v1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = prime256v1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [22-curve-prime256v1-client]
@@ -619,6 +642,7 @@ client = 23-curve-secp384r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp384r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [23-curve-secp384r1-client]
@@ -644,6 +668,7 @@ client = 24-curve-secp521r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = secp521r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [24-curve-secp521r1-client]
@@ -669,6 +694,7 @@ client = 25-curve-brainpoolP256r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = brainpoolP256r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [25-curve-brainpoolP256r1-client]
@@ -694,6 +720,7 @@ client = 26-curve-brainpoolP384r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = brainpoolP384r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [26-curve-brainpoolP384r1-client]
@@ -719,6 +746,7 @@ client = 27-curve-brainpoolP512r1-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = brainpoolP512r1
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [27-curve-brainpoolP512r1-client]
@@ -744,6 +772,7 @@ client = 28-curve-X25519-client
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = X25519
+MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [28-curve-X25519-client]

test/ssl-tests/14-curves.conf.in

@@ -27,7 +27,9 @@ sub generate_tests() {
         push @tests, {
 	    name => "curve-${curve}",
             server => {
-                "Curves" => $curve
+                "Curves" => $curve,
+                # TODO(TLS1.3): Can we get this to work for TLSv1.3?
+                "MaxProtocol" => "TLSv1.2"
             },
             client => {
 		"CipherString" => "ECDHE",

test/ssl-tests/protocol_version.pm

@@ -20,12 +20,12 @@ use OpenSSL::Test;
 use OpenSSL::Test::Utils qw/anydisabled alldisabled/;
 setup("no_test_here");
 
-my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
 # undef stands for "no limit".
-my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
-my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", undef);
+my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
+my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", undef);
 
-my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
 
 my $min_tls_enabled; my $max_tls_enabled;
 
@@ -74,7 +74,7 @@ foreach my $i (0..$#dtls_protocols) {
 sub no_tests {
     my ($dtls) = @_;
     return $dtls ? alldisabled("dtls1", "dtls1_2") :
-      alldisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+      alldisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
 }
 
 sub generate_version_tests {
@@ -234,9 +234,15 @@ sub expected_result {
         # Server doesn't support the client range.
         return ("ServerFail", undef);
     } elsif ($c_min > $s_max) {
-        # Server will try with a version that is lower than the lowest
-        # supported client version.
-        return ("ClientFail", undef);
+        my @prots = @$protocols;
+        if ($prots[$c_min] eq "TLSv1.3") {
+            # Client won't have sent any ciphersuite the server recognises
+                        return ("ServerFail", undef);
+        } else {
+            # Server will try with a version that is lower than the lowest
+            # supported client version.
+            return ("ClientFail", undef);
+        }
     } else {
         # Server and client ranges overlap.
         my $max_common = $s_max < $c_max ? $s_max : $c_max;

test/ssl_test_ctx.c

@@ -152,6 +152,7 @@ const char *ssl_alert_name(int alert)
 /********************/
 
 static const test_enum ssl_protocols[] = {
+     {"TLSv1.3", TLS1_3_VERSION},
      {"TLSv1.2", TLS1_2_VERSION},
      {"TLSv1.1", TLS1_1_VERSION},
      {"TLSv1", TLS1_VERSION},

test/ssltest_old.c

@@ -886,6 +886,7 @@ static int protocol_from_string(const char *value)
         {"tls1", TLS1_VERSION},
         {"tls1.1", TLS1_1_VERSION},
         {"tls1.2", TLS1_2_VERSION},
+        {"tls1.3", TLS1_3_VERSION},
         {"dtls1", DTLS1_VERSION},
         {"dtls1.2", DTLS1_2_VERSION}};
     size_t i;
@@ -958,7 +959,7 @@ int main(int argc, char *argv[])
     int badop = 0;
     enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
     int force = 0;
-    int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1;
+    int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0, ret = 1;
     int client_auth = 0;
     int server_auth = 0, i;
     struct app_verify_arg app_verify_arg =
@@ -1123,7 +1124,9 @@ int main(int argc, char *argv[])
             min_version = TLS1_VERSION;
         }
 #endif
-        else if (strcmp(*argv, "-tls1") == 0) {
+        else if (strcmp(*argv, "-tls1_2") == 0) {
+            tls1_2 = 1;
+        } else if (strcmp(*argv, "-tls1") == 0) {
             tls1 = 1;
         } else if (strcmp(*argv, "-ssl3") == 0) {
             ssl3 = 1;
@@ -1329,8 +1332,8 @@ int main(int argc, char *argv[])
         goto end;
     }
 
-    if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) {
-        fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should "
+    if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
+        fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
                 "be requested.\n");
         EXIT(1);
     }
@@ -1345,6 +1348,11 @@ int main(int argc, char *argv[])
         no_protocol = 1;
     else
 #endif
+#ifdef OPENSSL_NO_TLS1_2
+    if (tls1_2)
+        no_protocol = 1;
+    else
+#endif
 #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
     if (dtls1)
         no_protocol = 1;
@@ -1369,10 +1377,11 @@ int main(int argc, char *argv[])
         goto end;
     }
 
-    if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
+    if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
+            && !reuse && !force) {
         fprintf(stderr, "This case cannot work.  Use -f to perform "
                 "the test anyway (and\n-d to see what happens), "
-                "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n"
+                "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
                 "to avoid protocol mismatch.\n");
         EXIT(1);
     }
@@ -1435,6 +1444,9 @@ int main(int argc, char *argv[])
     } else if (tls1) {
         min_version = TLS1_VERSION;
         max_version = TLS1_VERSION;
+    } else if (tls1_2) {
+        min_version = TLS1_2_VERSION;
+        max_version = TLS1_2_VERSION;
     }
 #endif
 #ifndef OPENSSL_NO_DTLS

util/TLSProxy/Proxy.pm

@@ -147,8 +147,10 @@ sub start
                 or die "Failed to redirect stdout: $!";
             open(STDERR, ">&STDOUT");
         }
+        # TODO(TLS1.3): Temporarily disabled for TLS1.3...no shared cipher
+        # because the TLS1.3 ciphersuites are not compatible with ossltest
         my $execcmd = $self->execute
-            ." s_server -no_comp -rev -engine ossltest -accept "
+            ." s_server -no_tls1_3 -no_comp -rev -engine ossltest -accept "
             .($self->server_port)
             ." -cert ".$self->cert." -naccept ".$self->serverconnects;
         if ($self->ciphers ne "") {