dtls-1.3
Add SSLProtocolVersion for TLS13 and DTLS13
Allow setting max version to 13 (for BoringSSL)
Don't change any defaults.
This is a NOP.
BUG=webrtc:383141571
Change-Id: I11303c14e8d79c09d9437d44e44003c67d2fc31b
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/370900
Commit-Queue: Jonas Oreland <jonaso@webrtc.org>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Reviewed-by: Jonas Oreland <jonaso@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#43530}
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index 1b29435..bf78695 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -106,6 +106,40 @@
}
#endif
+uint16_t GetMaxVersion(SSLMode ssl_mode, SSLProtocolVersion version) {
+ switch (ssl_mode) {
+ case SSL_MODE_TLS:
+ switch (version) {
+ default:
+ case SSL_PROTOCOL_NOT_GIVEN:
+ case SSL_PROTOCOL_TLS_10:
+ case SSL_PROTOCOL_TLS_11:
+ case SSL_PROTOCOL_TLS_12:
+ return TLS1_2_VERSION;
+ case SSL_PROTOCOL_TLS_13:
+#ifdef TLS1_3_VERSION
+ return TLS1_3_VERSION;
+#else
+ return TLS1_2_VERSION;
+#endif
+ }
+ case SSL_MODE_DTLS:
+ switch (version) {
+ default:
+ case SSL_PROTOCOL_NOT_GIVEN:
+ case SSL_PROTOCOL_DTLS_10:
+ case SSL_PROTOCOL_DTLS_12:
+ return DTLS1_2_VERSION;
+ case SSL_PROTOCOL_DTLS_13:
+#ifdef DTLS1_3_VERSION
+ return DTLS1_3_VERSION;
+#else
+ return DTLS1_2_VERSION;
+#endif
+ }
+ }
+}
+
} // namespace
//////////////////////////////////////////////////////////////////////
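Review bot: GetMaxVersion can fall off the end of a non-void function: the outer `switch (ssl_mode)` has no `default` and nothing follows it, so an ssl_mode value other than SSL_MODE_TLS / SSL_MODE_DTLS is undefined behaviour in C++ (and a -Wreturn-type warning with most toolchains). Close the outer switch with a terminal branch, e.g. `default: RTC_CHECK_NOTREACHED();` or a trailing `return TLS1_2_VERSION;` after the switch, so the function always returns. Independently, both `#else` branches silently downgrade a requested 1.3 maximum to 1.2 when the linked library lacks TLS1_3_VERSION / DTLS1_3_VERSION; that is a sensible fallback but worth a comment above the function, e.g. `// Returns the library constant for the requested maximum; callers asking for 1.3 on a library without TLS1_3_VERSION/DTLS1_3_VERSION silently get 1.2.`, since a caller cannot otherwise tell that its requested ceiling was not honoured.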
@@ -344,6 +378,11 @@
} else if (ssl_version == DTLS1_2_VERSION) {
return SSL_PROTOCOL_DTLS_12;
}
+#ifdef DTLS1_3_VERSION
+ if (ssl_version == DTLS1_3_VERSION) {
+ return SSL_PROTOCOL_DTLS_13;
+ }
+#endif
} else {
if (ssl_version == TLS1_VERSION) {
return SSL_PROTOCOL_TLS_10;
@@ -352,6 +391,11 @@
} else if (ssl_version == TLS1_2_VERSION) {
return SSL_PROTOCOL_TLS_12;
}
+#ifdef TLS1_3_VERSION
+ if (ssl_version == TLS1_3_VERSION) {
+ return SSL_PROTOCOL_TLS_13;
+ }
+#endif
}
return SSL_PROTOCOL_NOT_GIVEN;
@@ -938,8 +982,8 @@
SSL_CTX_set_min_proto_version(
ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
- SSL_CTX_set_max_proto_version(
- ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
+ SSL_CTX_set_max_proto_version(ctx,
+ GetMaxVersion(ssl_mode_, ssl_max_version_));
#ifdef OPENSSL_IS_BORINGSSL
// SSL_CTX_set_current_time_cb is only supported in BoringSSL.
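Review bot: The return value of the rewritten `SSL_CTX_set_max_proto_version(ctx, GetMaxVersion(ssl_mode_, ssl_max_version_))` call is still ignored, and now that the argument is no longer a fixed 1.2 constant the call can fail when the library rejects the requested version (1.3 being newly reachable here). Wrap it as `if (!SSL_CTX_set_max_proto_version(ctx, GetMaxVersion(ssl_mode_, ssl_max_version_))) {` and handle it the way the surrounding function handles its other failing OpenSSL calls; the function starts and ends outside this hunk so I cannot see its error path. The preceding `SSL_CTX_set_min_proto_version` call has the same unchecked pattern, though that is pre-existing.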
diff --git a/rtc_base/ssl_stream_adapter.h b/rtc_base/ssl_stream_adapter.h
index fd2c352..b13ef56 100644
--- a/rtc_base/ssl_stream_adapter.h
+++ b/rtc_base/ssl_stream_adapter.h
@@ -92,8 +92,10 @@
SSL_PROTOCOL_TLS_10 = 0, // Deprecated and no longer supported.
SSL_PROTOCOL_TLS_11 = 1, // Deprecated and no longer supported.
SSL_PROTOCOL_TLS_12 = 2,
+ SSL_PROTOCOL_TLS_13 = 3,
SSL_PROTOCOL_DTLS_10 = 1, // Deprecated and no longer supported.
SSL_PROTOCOL_DTLS_12 = SSL_PROTOCOL_TLS_12,
+ SSL_PROTOCOL_DTLS_13 = SSL_PROTOCOL_TLS_13,
};
enum class SSLPeerCertificateDigestError {
NONE,
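Review bot: The new enumerators `SSL_PROTOCOL_TLS_13` and `SSL_PROTOCOL_DTLS_13` carry no comment, while the neighbouring entries document their support status; since the .cc change maps a 1.3 request back to 1.2 whenever the library does not define TLS1_3_VERSION / DTLS1_3_VERSION, readers of this public header should be told that. Suggest `SSL_PROTOCOL_TLS_13 = 3,  // Honoured only when the TLS library supports 1.3; otherwise treated as 1.2.` and a matching one-line comment on SSL_PROTOCOL_DTLS_13.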