Add -tls1_3 and -notls1_3 options to openssl(1) s_client.

Also stop using version pinned methods, instead setting the min and max
protocol versions.

Requested by inoguchi@

ok inoguchi@ tb@

2 files changed, 37 insertions, 23 deletions

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 598de60a30..ffdddb7e73 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.118 2019/12/18 12:38:15 sthen Exp $
+.\" $OpenBSD: openssl.1,v 1.119 2020/02/16 16:39:01 jsing Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: December 18 2019 $
+.Dd $Mdocdate: February 16 2020 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -4213,6 +4213,7 @@ Verify the input data and output the recovered data.
 .Op Fl no_tls1
 .Op Fl no_tls1_1
 .Op Fl no_tls1_2
+.Op Fl no_tls1_3
 .Op Fl pass Ar arg
 .Op Fl pause
 .Op Fl policy_check
@@ -4233,6 +4234,7 @@ Verify the input data and output the recovered data.
 .Op Fl tls1
 .Op Fl tls1_1
 .Op Fl tls1_2
+.Op Fl tls1_3
 .Op Fl tlsextdebug
 .Op Fl use_srtp Ar profiles
 .Op Fl verify Ar depth
@@ -4370,8 +4372,8 @@ Can be used to override the implicit
 .Fl ign_eof
 after
 .Fl quiet .
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2
-Disable the use of TLS1.0, 1.1, and 1.2, respectively.
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
+Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
 .It Fl pass Ar arg
@@ -4444,8 +4446,8 @@ Send a certificate status request to the server (OCSP stapling).
 The server response (if any) is printed out.
 .It Fl timeout
 Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2
-Permit only TLS1.0, 1.1, or 1.2, respectively.
+.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
+Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively.
 .It Fl tlsextdebug
 Print a hex dump of any TLS extensions received from the server.
 .It Fl use_srtp Ar profiles
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 1537ebcb26..443f00505e 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.41 2020/01/23 03:35:54 beck Exp $ */
+/* $OpenBSD: s_client.c,v 1.42 2020/02/16 16:39:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -222,12 +222,13 @@ sc_usage(void)
         BIO_printf(bio_err, " -quiet        - no s_client output\n");
         BIO_printf(bio_err, " -ign_eof      - ignore input eof (default when -quiet)\n");
         BIO_printf(bio_err, " -no_ign_eof   - don't ignore input eof\n");
+        BIO_printf(bio_err, " -tls1_3       - just use TLSv1.3\n");
         BIO_printf(bio_err, " -tls1_2       - just use TLSv1.2\n");
         BIO_printf(bio_err, " -tls1_1       - just use TLSv1.1\n");
         BIO_printf(bio_err, " -tls1         - just use TLSv1\n");
         BIO_printf(bio_err, " -dtls1        - just use DTLSv1\n");
         BIO_printf(bio_err, " -mtu          - set the link layer MTU\n");
-        BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+        BIO_printf(bio_err, " -no_tls1_3/-no_tls1_2/-no_tls1_1/-no_tls1 - turn off that protocol\n");
         BIO_printf(bio_err, " -bugs         - Switch on all SSL implementation bug workarounds\n");
         BIO_printf(bio_err, " -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
         BIO_printf(bio_err, "                 command to see what is available\n");
@@ -334,6 +335,7 @@ s_client_main(int argc, char **argv)
         int peerlen = sizeof(peer);
         int enable_timeouts = 0;
         long socket_mtu = 0;
+        uint16_t min_version = 0, max_version = 0;
 
         if (single_execution) {
                 if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) {
@@ -342,7 +344,7 @@ s_client_main(int argc, char **argv)
                 }
         }
 
-        meth = SSLv23_client_method();
+        meth = TLS_client_method();
 
         c_Pause = 0;
         c_quiet = 0;
@@ -445,15 +447,21 @@ s_client_main(int argc, char **argv)
                         nbio_test = 1;
                 else if (strcmp(*argv, "-state") == 0)
                         state = 1;
-                else if (strcmp(*argv, "-tls1_2") == 0)
-                        meth = TLSv1_2_client_method();
-                else if (strcmp(*argv, "-tls1_1") == 0)
-                        meth = TLSv1_1_client_method();
-                else if (strcmp(*argv, "-tls1") == 0)
-                        meth = TLSv1_client_method();
+                else if (strcmp(*argv, "-tls1_3") == 0) {
+                        min_version = TLS1_3_VERSION;
+                        max_version = TLS1_3_VERSION;
+                } else if (strcmp(*argv, "-tls1_2") == 0) {
+                        min_version = TLS1_2_VERSION;
+                        max_version = TLS1_2_VERSION;
+                } else if (strcmp(*argv, "-tls1_1") == 0) {
+                        min_version = TLS1_1_VERSION;
+                        max_version = TLS1_1_VERSION;
+                } else if (strcmp(*argv, "-tls1") == 0) {
+                        min_version = TLS1_VERSION;
+                        max_version = TLS1_VERSION;
 #ifndef OPENSSL_NO_DTLS1
-                else if (strcmp(*argv, "-dtls1") == 0) {
-                        meth = DTLSv1_client_method();
+                } else if (strcmp(*argv, "-dtls1") == 0) {
+                        meth = DTLS_client_method();
                         socket_type = SOCK_DGRAM;
                 } else if (strcmp(*argv, "-timeout") == 0)
                         enable_timeouts = 1;
@@ -489,7 +497,9 @@ s_client_main(int argc, char **argv)
                         if (--argc < 1)
                                 goto bad;
                         CAfile = *(++argv);
-                } else if (strcmp(*argv, "-no_tls1_2") == 0)
+                } else if (strcmp(*argv, "-no_tls1_3") == 0)
+                        off |= SSL_OP_NO_TLSv1_3;
+                else if (strcmp(*argv, "-no_tls1_2") == 0)
                         off |= SSL_OP_NO_TLSv1_2;
                 else if (strcmp(*argv, "-no_tls1_1") == 0)
                         off |= SSL_OP_NO_TLSv1_1;
@@ -550,17 +560,14 @@ s_client_main(int argc, char **argv)
                                 starttls_proto = PROTO_XMPP;
                         else
                                 goto bad;
-                }
-                else if (strcmp(*argv, "-4") == 0) {
+                } else if (strcmp(*argv, "-4") == 0) {
                         af = AF_INET;
                 } else if (strcmp(*argv, "-6") == 0) {
                         af = AF_INET6;
-                }
-                else if (strcmp(*argv, "-servername") == 0) {
+                } else if (strcmp(*argv, "-servername") == 0) {
                         if (--argc < 1)
                                 goto bad;
                         servername = *(++argv);
-                        /* meth=TLSv1_client_method(); */
                 }
 #ifndef OPENSSL_NO_SRTP
                 else if (strcmp(*argv, "-use_srtp") == 0) {
@@ -649,6 +656,11 @@ s_client_main(int argc, char **argv)
         if (vpm)
                 SSL_CTX_set1_param(ctx, vpm);
 
+        if (!SSL_CTX_set_min_proto_version(ctx, min_version))
+                goto end;
+        if (!SSL_CTX_set_max_proto_version(ctx, max_version))
+                goto end;
+
 #ifndef OPENSSL_NO_SRTP
         if (srtp_profiles != NULL)
                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);