From b8306cff4bba3c08297aa799472ca3a0137c2967 Mon Sep 17 00:00:00 2001
From: Ryan Meulenkamp
Date: Tue, 20 Sep 2022 13:50:03 +0200
Subject: [PATCH 1/3] Enable TLS1.3

---
 Cargo.toml | 10 +++++-----
 src/imp/openssl.rs | 14 ++++++++++++--
 src/imp/schannel.rs | 1 +
 src/lib.rs | 2 ++
 src/test.rs | 19 +++++++++++++++++++
 5 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 6ed9f231..04fa49de 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -23,14 +23,14 @@ libc = "0.2"
 tempfile = "3.1.0"
 
 [target.'cfg(target_os = "windows")'.dependencies]
-schannel = "0.1.17"
+schannel = "0.1.20"
 
 [target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "ios")))'.dependencies]
 log = "0.4.5"
-openssl = "0.10.29"
-openssl-sys = "0.9.55"
-openssl-probe = "0.1"
+openssl = "0.10.41"
+openssl-sys = "0.9.75"
+openssl-probe = "0.1.5"
 
 [dev-dependencies]
 tempfile = "3.0"
-test-cert-gen = "0.7"
+test-cert-gen = "0.9"
diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs
index 389caa5e..459e7ec2 100644
--- a/src/imp/openssl.rs
+++ b/src/imp/openssl.rs
@@ -32,6 +32,7 @@ fn supported_protocols(
 Protocol::Tlsv10 => SslVersion::TLS1,
 Protocol::Tlsv11 => SslVersion::TLS1_1,
 Protocol::Tlsv12 => SslVersion::TLS1_2,
+ Protocol::Tlsv13 => SslVersion::TLS1_3,
 Protocol::__NonExhaustive => unreachable!(),
 }
 }
@@ -54,7 +55,8 @@ fn supported_protocols(
 | SslOptions::NO_SSLV3
 | SslOptions::NO_TLSV1
 | SslOptions::NO_TLSV1_1
- | SslOptions::NO_TLSV1_2;
+ | SslOptions::NO_TLSV1_2
+ | SslOptions::NO_TLSV1_3;
 ctx.clear_options(no_ssl_mask);
 
 let mut options = SslOptions::empty();
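Review bot: The new arm `Protocol::Tlsv13 => SslVersion::TLS1_3` in the first openssl.rs hunk only compiles where the openssl crate defines `SslVersion::TLS1_3`, which as far as I recall it does only when built against OpenSSL 1.1.1 or newer (or a recent LibreSSL); against OpenSSL 1.1.0, which has the min/max-version API this mapping feeds but no TLS 1.3, the build would break. If such builds are still supported, this arm needs a matching cfg guard whose fallback returns an error rather than a lower version, so that a caller pinning a TLS 1.3 minimum never silently gets an older protocol. The function containing this match starts outside the hunk, so I cannot see whether such a guard already exists.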
@@ -71,10 +73,18 @@ fn supported_protocols(
 | SslOptions::NO_TLSV1
 | SslOptions::NO_TLSV1_1
 }
+ Some(Protocol::Tlsv13) => {
+ SslOptions::NO_SSLV2
+ | SslOptions::NO_SSLV3
+ | SslOptions::NO_TLSV1
+ | SslOptions::NO_TLSV1_1
+ | SslOptions::NO_TLSV1_2
+ }
 Some(Protocol::__NonExhaustive) => unreachable!(),
 };
 options |= match max {
- None | Some(Protocol::Tlsv12) => SslOptions::empty(),
+ None | Some(Protocol::Tlsv13) => SslOptions::empty(),
+ Some(Protocol::Tlsv12) => SslOptions::NO_TLSV1_3,
 Some(Protocol::Tlsv11) => SslOptions::NO_TLSV1_2,
 Some(Protocol::Tlsv10) => SslOptions::NO_TLSV1_1 | SslOptions::NO_TLSV1_2,
 Some(Protocol::Sslv3) => {
diff --git a/src/imp/schannel.rs b/src/imp/schannel.rs
index 62e5042f..faeb5dcb 100644
--- a/src/imp/schannel.rs
+++ b/src/imp/schannel.rs
@@ -19,6 +19,7 @@ static PROTOCOLS: &'static [Protocol] = &[
 Protocol::Tls10,
 Protocol::Tls11,
 Protocol::Tls12,
+ Protocol::Tls13,
 ];
 
 fn convert_protocols(min: Option<::Protocol>, max: Option<::Protocol>) -> &'static [Protocol] {
diff --git a/src/lib.rs b/src/lib.rs
index 14dabb7b..876722f2 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -325,6 +325,8 @@ pub enum Protocol {
 Tlsv11,
 /// The TLS 1.2 protocol.
 Tlsv12,
+ /// The TLS 1.3 protocol.
+ Tlsv13,
 #[doc(hidden)]
 __NonExhaustive,
 }
diff --git a/src/test.rs b/src/test.rs
index d29f0d26..a01ec7e8 100644
--- a/src/test.rs
+++ b/src/test.rs
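Review bot: The doc comment on the new `Tlsv13` variant in the lib.rs hunk says only `/// The TLS 1.3 protocol.`, but whether a backend can honour it depends on the platform TLS library it links (the other hunks in this patch wire it to OpenSSL and Schannel, the next patch to Security.framework), and a caller that pins `min_protocol_version(Some(Protocol::Tlsv13))` for security reasons needs to know that. I would extend it to `/// The TLS 1.3 protocol.` followed by `///` and `/// Only negotiable when the backend's TLS library supports TLS 1.3; behaviour when it does not is backend-specific.`. The `Protocol` enum definition starts outside the hunk.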
@@ -16,6 +16,25 @@ macro_rules! p {
 };
 }
 
+#[test]
+fn connect_google_tls13() {
+ let builder = p!(
+ TlsConnector::builder()
+ .min_protocol_version(Some(Protocol::Tlsv13))
+ .max_protocol_version(Some(Protocol::Tlsv13))
+ .build());
+ let s = p!(TcpStream::connect("google.com:443"));
+ let mut socket = p!(builder.connect("google.com", s));
+
+ p!(socket.write_all(b"GET / HTTP/1.0\r\n\r\n"));
+ let mut result = vec![];
+ p!(socket.read_to_end(&mut result));
+
+ println!("{}", String::from_utf8_lossy(&result));
+ assert!(result.starts_with(b"HTTP/1.0"));
+ assert!(result.ends_with(b"\r\n") || result.ends_with(b""));
+}
+
 #[test]
 fn connect_google() {
 let builder = p!(TlsConnector::new());
From 9a4b9dbb6c2e52d6241272d5d0b7dc3037ff6eb1 Mon Sep 17 00:00:00 2001
From: Ryan Meulenkamp
Date: Mon, 26 Sep 2022 15:47:30 +0200
Subject: [PATCH 2/3] Update a bit more

---
 .github/workflows/ci.yml | 2 +-
 Cargo.toml | 4 ++--
 src/imp/security_framework.rs | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 04ddf947..73cffedc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,7 +35,7 @@ jobs:
 - uses: actions/checkout@v2
 - uses: sfackler/actions/rustup@master
 with:
- version: 1.53.0
+ version: 1.63.0
 - run: echo "::set-output name=version::$(rustc --version)"
 id: rust-version
 - uses: actions/cache@v1
diff --git a/Cargo.toml b/Cargo.toml
index 04fa49de..ff473a78 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,8 +16,8 @@ vendored = ["openssl/vendored"]
 alpn = ["security-framework/alpn"]
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
-security-framework = "2.0.0"
-security-framework-sys = "2.0.0"
+security-framework = "2.7.0"
+security-framework-sys = "2.6.1"
 lazy_static = "1.4.0"
 libc = "0.2"
 tempfile = "3.1.0"
diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs
index 0b417722..2cf8e734 100644
--- a/src/imp/security_framework.rs
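Review bot: The last assertion in `connect_google_tls13` is vacuous: `result.ends_with(b"")` is always true, so the `||` can never fail and the line checks nothing; either assert a terminator that can actually fail or delete it (connect_google's own trailing-bytes check is the natural model, but its assertions are outside the hunk). Pinning both min and max to `Protocol::Tlsv13` means a successful handshake implies TLS 1.3 only on a backend that honours the pin; a backend that ignored it would pass this test while negotiating an older version, which is worth a comment such as `// Only proves the handshake succeeds with TLS 1.3 pinned; the negotiated version is not inspected.`. Like connect_google it depends on live network access to google.com, so it fails offline rather than skipping.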
+++ b/src/imp/security_framework.rs
@@ -48,6 +48,7 @@ fn convert_protocol(protocol: Protocol) -> SslProtocol {
 Protocol::Tlsv10 => SslProtocol::TLS1,
 Protocol::Tlsv11 => SslProtocol::TLS11,
 Protocol::Tlsv12 => SslProtocol::TLS12,
+ Protocol::Tlsv13 => SslProtocol::TLS13,
 Protocol::__NonExhaustive => unreachable!(),
 }
 }
From 2acd379fe0a510096ee8ed14831c5c113ef67634 Mon Sep 17 00:00:00 2001
From: Ryan Meulenkamp
Date: Tue, 27 Sep 2022 10:35:49 +0200
Subject: [PATCH 3/3] Revert unnecessary changes

---
 src/imp/openssl.rs | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs
index 459e7ec2..72518824 100644
--- a/src/imp/openssl.rs
+++ b/src/imp/openssl.rs
@@ -55,8 +55,7 @@ fn supported_protocols(
 | SslOptions::NO_SSLV3
 | SslOptions::NO_TLSV1
 | SslOptions::NO_TLSV1_1
- | SslOptions::NO_TLSV1_2
- | SslOptions::NO_TLSV1_3;
+ | SslOptions::NO_TLSV1_2;
 ctx.clear_options(no_ssl_mask);
 
 let mut options = SslOptions::empty();
@@ -73,18 +72,10 @@ fn supported_protocols(
 | SslOptions::NO_TLSV1
 | SslOptions::NO_TLSV1_1
 }
- Some(Protocol::Tlsv13) => {
- SslOptions::NO_SSLV2
- | SslOptions::NO_SSLV3
- | SslOptions::NO_TLSV1
- | SslOptions::NO_TLSV1_1
- | SslOptions::NO_TLSV1_2
- }
 Some(Protocol::__NonExhaustive) => unreachable!(),
 };
 options |= match max {
- None | Some(Protocol::Tlsv13) => SslOptions::empty(),
- Some(Protocol::Tlsv12) => SslOptions::NO_TLSV1_3,
+ None | Some(Protocol::Tlsv12) => SslOptions::empty(),
 Some(Protocol::Tlsv11) => SslOptions::NO_TLSV1_2,
 Some(Protocol::Tlsv10) => SslOptions::NO_TLSV1_1 | SslOptions::NO_TLSV1_2,
 Some(Protocol::Sslv3) => {
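Review bot: After this revert neither `match` in the `@@ -73,18 +72,10 @@` hunk has an arm for `Some(Protocol::Tlsv13)` — the match on the minimum ends with `Some(Protocol::__NonExhaustive) => unreachable!()` and `match max` starts with `None | Some(Protocol::Tlsv12)` — while `Protocol::Tlsv13` remains a variant added by the first patch of this series, so exhaustiveness checking rejects this function on any build where it is compiled at all. The hunk header names a second `supported_protocols` (the `SslVersion`-based one at line 32 keeps its `Tlsv13` arm), which I take to be cfg-gated to OpenSSL builds without the min/max-version API and hence without TLS 1.3, but that gate is outside the hunk. On such builds a requested TLS 1.3 minimum cannot be honoured and should fail rather than fall through to an older version, so both matches need an explicit `Some(Protocol::Tlsv13)` arm that returns an error (the function's error type is also outside the hunk). The `@@ -55,8 +55,7 @@` mask revert above is consistent with that reading; supported_protocols starts before the hunk.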