dtls-1.3

Add SSLProtocolVersion for TLS13 and DTLS13
Allow setting max version to 13 (for BoringSSL)
Don't change any defaults.
This is a NOP.

BUG=webrtc:383141571

Change-Id: I11303c14e8d79c09d9437d44e44003c67d2fc31b
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/370900
Commit-Queue: Jonas Oreland <jonaso@webrtc.org>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Reviewed-by: Jonas Oreland <jonaso@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#43530}

rtc_base/openssl_stream_adapter.cc

@@ -106,6 +106,40 @@ void TimeCallbackForTesting(const SSL* ssl, struct timeval* out_clock) {
 }
 #endif
 
+uint16_t GetMaxVersion(SSLMode ssl_mode, SSLProtocolVersion version) {
+  switch (ssl_mode) {
+    case SSL_MODE_TLS:
+      switch (version) {
+        default:
+        case SSL_PROTOCOL_NOT_GIVEN:
+        case SSL_PROTOCOL_TLS_10:
+        case SSL_PROTOCOL_TLS_11:
+        case SSL_PROTOCOL_TLS_12:
+          return TLS1_2_VERSION;
+        case SSL_PROTOCOL_TLS_13:
+#ifdef TLS1_3_VERSION
+          return TLS1_3_VERSION;
+#else
+          return TLS1_2_VERSION;
+#endif
+      }
+    case SSL_MODE_DTLS:
+      switch (version) {
+        default:
+        case SSL_PROTOCOL_NOT_GIVEN:
+        case SSL_PROTOCOL_DTLS_10:
+        case SSL_PROTOCOL_DTLS_12:
+          return DTLS1_2_VERSION;
+        case SSL_PROTOCOL_DTLS_13:
+#ifdef DTLS1_3_VERSION
+          return DTLS1_3_VERSION;
+#else
+          return DTLS1_2_VERSION;
+#endif
+      }
+  }
+}
+
 }  // namespace
 
 //////////////////////////////////////////////////////////////////////
@@ -344,6 +378,11 @@ SSLProtocolVersion OpenSSLStreamAdapter::GetSslVersion() const {
     } else if (ssl_version == DTLS1_2_VERSION) {
       return SSL_PROTOCOL_DTLS_12;
     }
+#ifdef DTLS1_3_VERSION
+    if (ssl_version == DTLS1_3_VERSION) {
+      return SSL_PROTOCOL_DTLS_13;
+    }
+#endif
   } else {
     if (ssl_version == TLS1_VERSION) {
       return SSL_PROTOCOL_TLS_10;
@@ -352,6 +391,11 @@ SSLProtocolVersion OpenSSLStreamAdapter::GetSslVersion() const {
     } else if (ssl_version == TLS1_2_VERSION) {
       return SSL_PROTOCOL_TLS_12;
     }
+#ifdef TLS1_3_VERSION
+    if (ssl_version == TLS1_3_VERSION) {
+      return SSL_PROTOCOL_TLS_13;
+    }
+#endif
   }
 
   return SSL_PROTOCOL_NOT_GIVEN;
@@ -938,8 +982,8 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
 
   SSL_CTX_set_min_proto_version(
       ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
-  SSL_CTX_set_max_proto_version(
+  SSL_CTX_set_max_proto_version(ctx,
-      ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
+                                GetMaxVersion(ssl_mode_, ssl_max_version_));
 
 #ifdef OPENSSL_IS_BORINGSSL
   // SSL_CTX_set_current_time_cb is only supported in BoringSSL.

rtc_base/ssl_stream_adapter.h

@@ -92,8 +92,10 @@ enum SSLProtocolVersion {
   SSL_PROTOCOL_TLS_10 = 0,  // Deprecated and no longer supported.
   SSL_PROTOCOL_TLS_11 = 1,  // Deprecated and no longer supported.
   SSL_PROTOCOL_TLS_12 = 2,
+  SSL_PROTOCOL_TLS_13 = 3,
   SSL_PROTOCOL_DTLS_10 = 1,  // Deprecated and no longer supported.
   SSL_PROTOCOL_DTLS_12 = SSL_PROTOCOL_TLS_12,
+  SSL_PROTOCOL_DTLS_13 = SSL_PROTOCOL_TLS_13,
 };
 enum class SSLPeerCertificateDigestError {
   NONE,