Update Configure to know about tls1_3

Also we disable TLS1.3 by default (use enable-tls1_3 to re-enable). This is
because this is a WIP and will not be interoperable with any other TLS1.3
implementation.

Finally, we fix some tests that started failing when TLS1.3 was disabled by
default.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Configure

@@ -318,7 +318,7 @@ $config{sdirs} = [
     ];
 
 # Known TLS and DTLS protocols
-my @tls = qw(ssl3 tls1 tls1_1 tls1_2);
+my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);
 my @dtls = qw(dtls1 dtls1_2);
 
 # Explicitly known options that are possible to disable.  They can
@@ -440,6 +440,8 @@ our %disabled = ( # "what"         => "comment"
 		  "ssl3"                => "default",
 		  "ssl3-method"         => "default",
                   "ubsan"		=> "default",
+          #TODO(TLS1.3): Temporarily disabled while this is a WIP
+		  "tls1_3"              => "default",
 		  "unit-test"           => "default",
 		  "weak-ssl-ciphers"    => "default",
 		  "zlib"                => "default",
@@ -476,7 +478,7 @@ my @disable_cascades = (
     sub { $disabled{rsa}
 	  && ($disabled{dsa} || $disabled{dh})
 	  && ($disabled{ecdsa} || $disabled{ecdh}); }
-			=> [ "tls1", "tls1_1", "tls1_2",
+			=> [ "tls1", "tls1_1", "tls1_2", "tls1_3",
 			     "dtls1", "dtls1_2" ],
 
     "tls"		=> [ @tls ],

INSTALL

@@ -457,6 +457,12 @@
                    specific configuration, e.g. "-m32" to build x86 code on
                    an x64 system.
 
+  enable-tls1_3
+                   TODO(TLS1.3): Make this enabled by default
+                   Build support for TLS1.3. Note: This is a WIP feature and
+                   does not currently interoperate with other TLS1.3
+                   implementations! Use with caution!!
+
   no-<prot>
                    Don't build support for negotiating the specified SSL/TLS
                    protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls,

test/recipes/80-test_ssl_new.t

@@ -34,7 +34,8 @@ plan tests => 18;  # = scalar @conf_srcs
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
 my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
-                      !disabled("tls1_1") && !disabled("tls1_2"));
+                      !disabled("tls1_1") && !disabled("tls1_2") &&
+                      disabled("tls1_3"));
 
 my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
 

test/ssl-tests/protocol_version.pm

@@ -137,6 +137,7 @@ sub generate_resumption_tests {
 
     my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
     my $min_enabled  = $dtls ? $min_dtls_enabled : $min_tls_enabled;
+    my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
 
     if (no_tests($dtls)) {
         return;
@@ -146,10 +147,10 @@ sub generate_resumption_tests {
     my @client_tests = ();
 
     # Obtain the first session against a fixed-version server/client.
-    foreach my $original_protocol($min_enabled..$#protocols) {
+    foreach my $original_protocol($min_enabled..$max_enabled) {
         # Upgrade or downgrade the server/client max version support and test
         # that it upgrades, downgrades or resumes the session as well.
-        foreach my $resume_protocol($min_enabled..$#protocols) {
+        foreach my $resume_protocol($min_enabled..$max_enabled) {
             my $resumption_expected;
             # We should only resume on exact version match.
             if ($original_protocol eq $resume_protocol) {