Merge branches 'update-groups-and-keyexchange-to-support-dtls13', 'up…

…date-documentation-with-dtls1.3', 'disallow-renegotiation-for-dtls1.3', 'support-dtls13-in-cert-trace-functions', 'update-dtls-max-internal-version', 'update-ssl-protocol-lists-with-dtls13', 'update-tls-extensions-to-be-used-with-dtls13', 'update-s_client-and-s_server-to-use-dtls13' and 'adds-dtls13-structs-and-definitions' into dtls1.3-pr

apps/include/opt.h

@@ -213,12 +213,12 @@
             "Groups to advertise (colon-separated list)" }, \
         {"named_curve", OPT_S_NAMEDCURVE, 's', \
             "Elliptic curve used for ECDHE (server-side only)" }, \
-        {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"}, \
-        {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
+        {"cipher", OPT_S_CIPHER, 's', "Specify (D)TLSv1.2 and below cipher list to be used"}, \
+        {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify (D)TLSv1.3 ciphersuites to be used"}, \
         {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
         {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
         {"record_padding", OPT_S_RECORD_PADDING, 's', \
-            "Block size to pad TLS 1.3 records to."}, \
+            "Block size to pad (D)TLS 1.3 records to."}, \
         {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
             "Perform all sorts of protocol violations for testing purposes"}, \
         {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \

apps/include/s_apps.h

@@ -16,7 +16,8 @@
 #define PROTOCOL        "tcp"
 
 #define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
-    (SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
+    ((SSL_is_dtls(s) && SSL_version(s) > DTLS1_3_VERSION) \
+    || (!SSL_is_dtls(s) && SSL_version(s) < TLS1_3_VERSION))
 
 typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
 void get_sock_info_address(int asock, char **hostname, char **service);

apps/lib/s_cb.c

@@ -550,6 +550,8 @@ static STRINT_PAIR ssl_versions[] = {
     {"TLS 1.2", TLS1_2_VERSION},
     {"TLS 1.3", TLS1_3_VERSION},
     {"DTLS 1.0", DTLS1_VERSION},
+    {"DTLS 1.2", DTLS1_2_VERSION},
+    {"DTLS 1.3", DTLS1_3_VERSION},
     {"DTLS 1.0 (bad)", DTLS1_BAD_VER},
     {NULL}
 };
@@ -632,7 +634,9 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
         version == TLS1_1_VERSION ||
         version == TLS1_2_VERSION ||
         version == TLS1_3_VERSION ||
-        version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
+        version == DTLS1_VERSION ||
+        version == DTLS1_2_VERSION ||
+        version == DTLS1_3_VERSION || version == DTLS1_BAD_VER) {
         str_version = lookup(version, ssl_versions, "???");
         switch (content_type) {
         case SSL3_RT_CHANGE_CIPHER_SPEC:

apps/s_client.c

@@ -490,9 +490,9 @@ typedef enum OPTION_choice {
 #endif
     OPT_SSL3, OPT_SSL_CONFIG,
     OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
-    OPT_DTLS1_2, OPT_QUIC, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM,
-    OPT_PASS, OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN,
-    OPT_NEXTPROTONEG, OPT_ALPN,
+    OPT_DTLS1_2, OPT_DTLS1_3, OPT_QUIC, OPT_SCTP, OPT_TIMEOUT, OPT_MTU,
+    OPT_KEYFORM, OPT_PASS, OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT,
+    OPT_BUILD_CHAIN, OPT_NEXTPROTONEG, OPT_ALPN,
     OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
     OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
     OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
@@ -695,6 +695,9 @@ const OPTIONS s_client_options[] = {
 #ifndef OPENSSL_NO_DTLS1_2
     {"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"},
 #endif
+#ifndef OPENSSL_NO_DTLS1_3
+    {"dtls1_3", OPT_DTLS1_3, '-', "Just use DTLSv1.3"},
+#endif
 #ifndef OPENSSL_NO_SCTP
     {"sctp", OPT_SCTP, '-', "Use SCTP"},
     {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
@@ -797,7 +800,7 @@ static const OPT_PAIR services[] = {
 #define IS_PROT_FLAG(o) \
  (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
   || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2 \
-  || o == OPT_QUIC)
+  || o == OPT_DTLS1_3 || o == OPT_QUIC)
 
 /* Free |*dest| and optionally set it to a copy of |source|. */
 static void freeandcopy(char **dest, const char *source)
@@ -1349,6 +1352,18 @@ int s_client_main(int argc, char **argv)
             socket_type = SOCK_DGRAM;
             isdtls = 1;
             isquic = 0;
+#endif
+            break;
+        case OPT_DTLS1_3:
+#ifndef OPENSSL_NO_DTLS1_3
+            meth = DTLS_client_method();
+            min_version = DTLS1_3_VERSION;
+            max_version = DTLS1_3_VERSION;
+            socket_type = SOCK_DGRAM;
+            isdtls = 1;
+# ifndef OPENSS_NO_QUIC
+            isquic = 0;
+# endif
 #endif
             break;
         case OPT_QUIC:

apps/s_server.c

@@ -54,6 +54,7 @@ typedef unsigned int u_int;
 #include <openssl/ebcdic.h>
 #endif
 #include "internal/sockets.h"
+#include "ssl/ssl_local.h"
 
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
 static int sv_body(int s, int stype, int prot, unsigned char *context);
@@ -134,7 +135,8 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
     if (s_debug)
         BIO_printf(bio_s_out, "psk_server_cb\n");
 
-    if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
+    if ((SSL_is_dtls(ssl) && DTLS_VERSION_GE(SSL_version(ssl), DTLS1_3_VERSION))
+    || (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION)) {
         /*
          * This callback is designed for use in (D)TLSv1.2 (or below). It is
          * possible to use a single callback for all protocol versions - but it
@@ -714,8 +716,8 @@ typedef enum OPTION_choice {
     OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG,
     OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
     OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
-    OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, OPT_STATELESS,
-    OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
+    OPT_DTLS1_2, OPT_DTLS1_3, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN,
+    OPT_STATELESS, OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
     OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SENDFILE,
     OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
     OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
@@ -923,7 +925,7 @@ const OPTIONS s_server_options[] = {
      "The maximum number of bytes of early data (hard limit)"},
     {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
     {"num_tickets", OPT_S_NUM_TICKETS, 'n',
-     "The number of TLSv1.3 session tickets that a server will automatically issue" },
+     "The number of (D)TLSv1.3 session tickets that a server will automatically issue" },
     {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
     {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
     {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
@@ -956,6 +958,9 @@ const OPTIONS s_server_options[] = {
 #ifndef OPENSSL_NO_DTLS1_2
     {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
 #endif
+#ifndef OPENSSL_NO_DTLS1_3
+    {"dtls1_3", OPT_DTLS1_3, '-', "Just talk DTLSv1.3"},
+#endif
 #ifndef OPENSSL_NO_SCTP
     {"sctp", OPT_SCTP, '-', "Use SCTP"},
     {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
@@ -988,7 +993,8 @@ const OPTIONS s_server_options[] = {
 
 #define IS_PROT_FLAG(o) \
  (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
-  || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
+  || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2 \
+  || o == OPT_DTLS1_3)
 
 int s_server_main(int argc, char *argv[])
 {
@@ -1538,6 +1544,14 @@ int s_server_main(int argc, char *argv[])
             min_version = DTLS1_2_VERSION;
             max_version = DTLS1_2_VERSION;
             socket_type = SOCK_DGRAM;
+#endif
+            break;
+        case OPT_DTLS1_3:
+#ifndef OPENSSL_NO_DTLS
+            meth = DTLS_server_method();
+            min_version = DTLS1_3_VERSION;
+            max_version = DTLS1_3_VERSION;
+            socket_type = SOCK_DGRAM;
 #endif
             break;
         case OPT_SCTP:

doc/man1/openssl-s_client.pod.in

@@ -353,7 +353,7 @@ See L<ossl_store-file(7)> for more information on the C<file:> scheme.
 
 A file containing a list of certificates whose subject names will be sent
 to the server in the B<certificate_authorities> extension. Only supported
-for TLS 1.3
+for TLS 1.3 and DTLS 1.3
 
 =item B<-dane_tlsa_domain> I<domain>
 
@@ -542,13 +542,13 @@ This option must be provided in order to use a PSK cipher.
 =item B<-psk_session> I<file>
 
 Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
-Note that this will only work if TLSv1.3 is negotiated.
+Note that this will only work if (D)TLSv1.3 is negotiated.
 
 =item B<-sctp>
 
 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
-conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
-available where OpenSSL has support for SCTP enabled.
+conjunction with B<-dtls>, B<-dtls1>, B<-dtls1_2> or B<-dtls1_3>. This option
+is only available where OpenSSL has support for SCTP enabled.
 
 =item B<-sctp_label_bug>
 
@@ -618,11 +618,11 @@ option enables various workarounds.
 
 =item B<-no_tx_cert_comp>
 
-Disables support for sending TLSv1.3 compressed certificates.
+Disables support for sending (D)TLSv1.3 compressed certificates.
 
 =item B<-no_rx_cert_comp>
 
-Disables support for receiving TLSv1.3 compressed certificate.
+Disables support for receiving (D)TLSv1.3 compressed certificate.
 
 =item B<-comp>
 
@@ -743,7 +743,8 @@ for example "http/1.1" or "spdy/3".
 An empty list of protocols is treated specially and will cause the
 client to advertise support for the TLS extension but disconnect just
 after receiving ServerHello with a list of server supported protocols.
-The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> or B<-dtls1_3> is
+used.
 
 =item B<-ct>, B<-noct>
 
@@ -773,8 +774,8 @@ data and when the server accepts the early data.
 
 =item B<-enable_pha>
 
-For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
-happen whether or not a certificate has been provided via B<-cert>.
+For (D)TLSv1.3 only, send the Post-Handshake Authentication extension. This
+will happen whether or not a certificate has been provided via B<-cert>.
 
 =item B<-use_srtp> I<value>
 
@@ -884,19 +885,19 @@ End the current SSL connection and exit.
 
 =item B<R>
 
-Renegotiate the SSL session (TLSv1.2 and below only).
+Renegotiate the SSL session ((D)TLSv1.2 and below only).
 
 =item B<C>
 
 Attempt to reconnect to the server using a resumption handshake.
 
 =item B<k>
 
-Send a key update message to the server (TLSv1.3 only)
+Send a key update message to the server ((D)TLSv1.3 only)
 
 =item B<K>
 
-Send a key update message to the server and request one back (TLSv1.3 only)
+Send a key update message to the server and request one back ((D)TLSv1.3 only)
 
 =back
 
@@ -937,7 +938,7 @@ Reconnect to the peer and attempt a resumption handshake
 
 =item B<keyup>
 
-Send a Key Update message. TLSv1.3 only. This command takes an optional
+Send a Key Update message. (D)TLSv1.3 only. This command takes an optional
 argument. If the argument "req" is supplied then the peer is also requested to
 update its keys. Otherwise if "noreq" is supplied the the peer is not requested
 to update its keys. The default is "req".

doc/man1/openssl-s_server.pod.in

@@ -612,11 +612,11 @@ option enables various workarounds.
 
 =item B<-no_tx_cert_comp>
 
-Disables support for sending TLSv1.3 compressed certificates.
+Disables support for sending (D)TLSv1.3 compressed certificates.
 
 =item B<-no_rx_cert_comp>
 
-Disables support for receiving TLSv1.3 compressed certificates.
+Disables support for receiving (D)TLSv1.3 compressed certificates.
 
 =item B<-no_comp>
 
@@ -633,14 +633,14 @@ OpenSSL 1.1.0.
 
 =item B<-no_ticket>
 
-Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
-is negotiated. See B<-num_tickets>.
+Disable RFC4507bis session ticket support. This option has no effect if
+(D)TLSv1.3 is negotiated. See B<-num_tickets>.
 
 =item B<-num_tickets>
 
 Control the number of tickets that will be sent to the client after a full
-handshake in TLSv1.3. The default number of tickets is 2. This option does not
-affect the number of tickets sent after a resumption handshake.
+handshake in (D)TLSv1.3. The default number of tickets is 2. This option does
+not affect the number of tickets sent after a resumption handshake.
 
 =item B<-serverpref>
 
@@ -751,8 +751,8 @@ connect to that peer and complete the handshake.
 =item B<-sctp>
 
 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
-conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
-available where OpenSSL has support for SCTP enabled.
+conjunction with B<-dtls>, B<-dtls1>, B<-dtls1_2> or B<-dtls1_3>. This option
+is only available where OpenSSL has support for SCTP enabled.
 
 =item B<-sctp_label_bug>
 
@@ -780,7 +780,8 @@ The I<val> list is a comma-separated list of supported protocol
 names.  The list should contain the most desirable protocols first.
 Protocol names are printable ASCII strings, for example "http/1.1" or
 "spdy/3".
-The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> or B<-dtls1_3>
+is used.
 
 =item B<-ktls>
 
@@ -828,16 +829,16 @@ B<-WWW>, B<-HTTP> or B<-rev>.
 
 =item B<-stateless>
 
-Require TLSv1.3 cookies.
+Require (D)TLSv1.3 cookies.
 
 =item B<-anti_replay>, B<-no_anti_replay>
 
 Switches replay protection on or off, respectively. Replay protection is on by
 default unless overridden by a configuration file. When it is on, OpenSSL will
-automatically detect if a session ticket has been used more than once, TLSv1.3
-has been negotiated, and early data is enabled on the server. A full handshake
-is forced if a session ticket is used a second or subsequent time. Any early
-data that was sent will be rejected.
+automatically detect if a session ticket has been used more than once,
+(D)TLSv1.3 has been negotiated, and early data is enabled on the server. A full
+handshake is forced if a session ticket is used a second or subsequent time.
+Any early data that was sent will be rejected.
 
 =item B<-tfo>
 
@@ -913,12 +914,12 @@ End the current SSL connection and exit.
 
 =item B<r>
 
-Renegotiate the SSL session (TLSv1.2 and below only).
+Renegotiate the SSL session ((D)TLSv1.2 and below only).
 
 =item B<R>
 
-Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
-only).
+Renegotiate the SSL session and request a client certificate ((D)TLSv1.2 and
+below only).
 
 =item B<P>
 
@@ -931,15 +932,15 @@ Print out some session cache status information.
 
 =item B<k>
 
-Send a key update message to the client (TLSv1.3 only)
+Send a key update message to the client ((D)TLSv1.3 only).
 
 =item B<K>
 
-Send a key update message to the client and request one back (TLSv1.3 only)
+Send a key update message to the client and request one back ((D)TLSv1.3 only).
 
 =item B<c>
 
-Send a certificate request to the client (TLSv1.3 only)
+Send a certificate request to the client ((D)TLSv1.3 only).
 
 =back
 

doc/man3/SSL_CIPHER_get_name.pod

@@ -74,7 +74,7 @@ different to the digest used to calculate the MAC for encrypted records.
 
 SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
 used by B<c>. If there is no key exchange, then B<NID_undef> is returned.
-If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3
+If any appropriate key exchange algorithm can be used (as in the case of (D)TLS 1.3
 cipher suites) B<NID_kx_any> is returned. Examples (not comprehensive):
 
  NID_kx_rsa
@@ -85,7 +85,7 @@ cipher suites) B<NID_kx_any> is returned. Examples (not comprehensive):
 SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
 used by B<c>. If there is no authentication, then B<NID_undef> is returned.
 If any appropriate authentication algorithm can be used (as in the case of
-TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive):
+(D)TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive):
 
  NID_auth_rsa
  NID_auth_ecdsa