From c71af8e0a1426a692fa35d2e50af3a30e7638c3e Mon Sep 17 00:00:00 2001
From: Juan Jose Nicola
Date: Mon, 24 Aug 2020 14:28:11 +0200
Subject: [PATCH 1/2] Add support for TLSv1.3
---
 CHANGELOG.md | 1 +
 misc/network.c | 12 ++++++++++++
 misc/network.h | 1 +
 nasl/nasl_host.c | 1 +
 4 files changed, 15 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a3929dffa..6dd431950 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 - Extend nasl lint to detect if function parameter is used twice. [#590](https://github.com/greenbone/openvas/pull/590)
+- Add support for TLSv1.3. [#588](https://github.com/greenbone/openvas/pull/588)
 ### Fixed
 - Fork vhosts before creating the socket.[#576](https://github.com/greenbone/openvas/pull/576)
diff --git a/misc/network.c b/misc/network.c
index 13d4404d3..e34ad71aa 100644
--- a/misc/network.c
+++ b/misc/network.c
@@ -422,6 +422,9 @@ set_gnutls_protocol (gnutls_session_t session, openvas_encaps_t encaps,
 case OPENVAS_ENCAPS_TLSv12:
 priorities = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+ARCFOUR-128:%COMPAT";
 break;
+ case OPENVAS_ENCAPS_TLSv13:
+ priorities = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3:%COMPAT";
+ break;
 case OPENVAS_ENCAPS_SSLv23: /* Compatibility mode */
 priorities = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:+ARCFOUR-128:%COMPAT";
@@ -799,6 +802,8 @@ socket_get_ssl_version (int fd)
 return OPENVAS_ENCAPS_TLSv11;
 case GNUTLS_TLS1_2:
 return OPENVAS_ENCAPS_TLSv12;
+ case GNUTLS_TLS1_3:
+ return OPENVAS_ENCAPS_TLSv13;
 default:
 return -1;
 }
@@ -926,6 +931,7 @@ open_stream_connection_ext (struct script_infos *args, unsigned int port,
 case OPENVAS_ENCAPS_TLSv1:
 case OPENVAS_ENCAPS_TLSv11:
 case OPENVAS_ENCAPS_TLSv12:
+ case OPENVAS_ENCAPS_TLSv13:
 case OPENVAS_ENCAPS_TLScustom:
 case OPENVAS_ENCAPS_SSLv2:
 break;
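Review bot: The new `case OPENVAS_ENCAPS_TLSv13:` priority string in set_gnutls_protocol and the `case GNUTLS_TLS1_3:` added in the socket_get_ssl_version hunk both require a GnuTLS built with TLS 1.3 support (3.6.4 or later for the RFC 8446 version), but nothing in this patch pins that: the diffstat touches no build configuration, so on an older library `GNUTLS_TLS1_3` is an undeclared identifier and `+VERS-TLS1.3` is rejected when the priority string is parsed at scan time. Either raise the minimum GnuTLS version in the build configuration or guard both sites with `#if GNUTLS_VERSION_NUMBER >= 0x030604` so an unsupported TLSv13 encapsulation fails at compile time rather than inside a running scan. A short comment on the new priority line, such as `/* TLS 1.3 admits no legacy ciphers, hence no +ARCFOUR-128 here; needs GnuTLS with TLS 1.3 support */`, would also explain why this case deliberately differs from the TLSv12 string directly above it. set_gnutls_protocol's body begins and ends outside the hunk.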
@@ -974,6 +980,7 @@ open_stream_connection_ext (struct script_infos *args, unsigned int port,
 case OPENVAS_ENCAPS_TLSv1:
 case OPENVAS_ENCAPS_TLSv11:
 case OPENVAS_ENCAPS_TLSv12:
+ case OPENVAS_ENCAPS_TLSv13:
 case OPENVAS_ENCAPS_TLScustom:
 cert = kb_item_get_str (kb, "SSL/cert");
 key = kb_item_get_str (kb, "SSL/key");
@@ -1154,6 +1161,7 @@ read_stream_connection_unbuffered (int fd, void *buf0, int min_len, int max_len)
 case OPENVAS_ENCAPS_TLSv1:
 case OPENVAS_ENCAPS_TLSv11:
 case OPENVAS_ENCAPS_TLSv12:
+ case OPENVAS_ENCAPS_TLSv13:
 case OPENVAS_ENCAPS_TLScustom:
 if (getpid () != fp->pid)
 {
@@ -1340,6 +1348,7 @@ write_stream_connection4 (int fd, void *buf0, int n, int i_opt)
 case OPENVAS_ENCAPS_TLSv1:
 case OPENVAS_ENCAPS_TLSv11:
 case OPENVAS_ENCAPS_TLSv12:
+ case OPENVAS_ENCAPS_TLSv13:
 case OPENVAS_ENCAPS_TLScustom:
 /* i_opt ignored for SSL */
@@ -1584,6 +1593,8 @@ get_encaps_name (openvas_encaps_t code)
 return "TLSv11";
 case OPENVAS_ENCAPS_TLSv12:
 return "TLSv12";
+ case OPENVAS_ENCAPS_TLSv13:
+ return "TLSv13";
 case OPENVAS_ENCAPS_TLScustom:
 return "TLScustom";
 default:
@@ -1607,6 +1618,7 @@ get_encaps_through (openvas_encaps_t code)
 case OPENVAS_ENCAPS_TLSv1:
 case OPENVAS_ENCAPS_TLSv11:
 case OPENVAS_ENCAPS_TLSv12:
+ case OPENVAS_ENCAPS_TLSv13:
 case OPENVAS_ENCAPS_TLScustom:
 return " through SSL";
 default:
diff --git a/misc/network.h b/misc/network.h
index 06b1a9695..8182f6285 100644
--- a/misc/network.h
+++ b/misc/network.h
@@ -49,6 +49,7 @@ typedef enum openvas_encaps
 OPENVAS_ENCAPS_TLSv1,
 OPENVAS_ENCAPS_TLSv11,
 OPENVAS_ENCAPS_TLSv12,
+ OPENVAS_ENCAPS_TLSv13,
 OPENVAS_ENCAPS_TLScustom, /* SSL/TLS using custom priorities. */
 OPENVAS_ENCAPS_MAX,
 } openvas_encaps_t;
diff --git a/nasl/nasl_host.c b/nasl/nasl_host.c
index 0150b6f9a..068ed0e9e 100644
--- a/nasl/nasl_host.c
+++ b/nasl/nasl_host.c
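Review bot: Adding `case OPENVAS_ENCAPS_TLSv13:` to read_stream_connection_unbuffered routes TLS 1.3 sessions through the same record-layer handling as TLS 1.2, but in TLS 1.3 post-handshake messages (session tickets, key updates, a re-authentication request) are consumed inside gnutls_record_recv and can surface as non-fatal returns such as `GNUTLS_E_AGAIN` on a socket the caller had already found readable, or `GNUTLS_E_REAUTH_REQUEST`; the error handling that follows the switch is outside the hunk, so it is worth confirming it treats these as retryable rather than as a broken connection. The same consideration applies to the write_stream_connection4 hunk below, where gnutls_record_send may see a pending key update. A comment on the new case, `/* TLS 1.3: the record layer may absorb post-handshake messages and report GNUTLS_E_AGAIN; the caller must retry */`, would record the expectation next to the code.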
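Review bot: `OPENVAS_ENCAPS_TLSv13` is inserted before `OPENVAS_ENCAPS_TLScustom` in the misc/network.h hunk, which shifts the numeric values of TLScustom and OPENVAS_ENCAPS_MAX by one. Every user visible in this patch refers to the names (the switch statements in network.c, the ENCAPS_* constants documented in nasl_host.c), so those are unaffected, but if the integer value is ever stored outside the process — for instance a transport entry written to the knowledge base and read back by a component built from a different release — a stored TLScustom would now decode as TLSv13. I cannot tell from the patch whether such persistence exists; if it does, append the new enumerator after TLScustom instead, and in either case a comment on the enum such as `/* Values are positional; do not reorder without checking persisted encaps values. */` would make the constraint explicit.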
@@ -342,6 +342,7 @@ nasl_this_host_name (lex_ctxt *lexic)
 * - @a ENCAPS_TLSv1 TLS version 1.0
 * - @a ENCAPS_TLSv11 TLS version 1.1
 * - @a ENCAPS_TLSv12 TLS version 1.2
+ * - @a ENCAPS_TLSv13 TLS version 1.3
 * - @a ENCAPS_TLScustom SSL or TLS with custom priorities
 *
 * @nasluparam
From e2832a19aa30ce599b91a88dd10fe0dd95ada360 Mon Sep 17 00:00:00 2001
From: Philipp Eder
Date: Mon, 7 Sep 2020 12:55:51 +0200
Subject: [PATCH 2/2] update build images to the newly created buster build images
---
 .circleci/config.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index b2956ac25..d24bce95e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -10,7 +10,7 @@ jobs:
 command: clang-format -i -style=file src/*.{c,h} misc/*.{c,h} nasl/*.{c,h} && git diff --exit-code
 test_units:
 docker:
- - image: greenbone/build-env-openvas-scanner-master-debian-stretch-gcc-core
+ - image: greenbone/build-env-openvas-scanner-master-debian-buster-gcc-core
 steps:
 - run:
 working_directory: ~/gvm-libs
@@ -26,7 +26,7 @@ jobs:
 command: mkdir build && cd build/ && cmake -DCMAKE_BUILD_TYPE=Release .. && make tests && CTEST_OUTPUT_ON_FAILURE=1 make test
 build_gcc_core:
 docker:
- - image: greenbone/build-env-openvas-scanner-master-debian-stretch-gcc-core
+ - image: greenbone/build-env-openvas-scanner-master-debian-buster-gcc-core
 steps:
 - run:
 working_directory: ~/gvm-libs
@@ -42,7 +42,7 @@ jobs:
 command: mkdir build && cd build/ && cmake -DCMAKE_BUILD_TYPE=Release .. && make install
 scan_build:
 docker:
- - image: greenbone/build-env-openvas-scanner-master-debian-stretch-clang-core
+ - image: greenbone/build-env-openvas-scanner-master-debian-buster-clang-core
 steps:
 - run:
 working_directory: ~/gvm-libs