From 5c10d8250250eed0abef10eabb0e9ae0cf1fe8c8 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 16 Feb 2020 16:39:01 +0000
Subject: Add -tls1_3 and -notls1_3 options to openssl(1) s_client.

Also stop using version pinned methods, instead setting the min and max
protocol versions.

Requested by inoguchi@

ok inoguchi@ tb@
---
 src/usr.bin/openssl/openssl.1  | 14 +++++++------
 src/usr.bin/openssl/s_client.c | 46 ++++++++++++++++++++++++++----------------
 2 files changed, 37 insertions(+), 23 deletions(-)

(limited to 'src')

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 598de60a30..ffdddb7e73 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.118 2019/12/18 12:38:15 sthen Exp $
+.\" $OpenBSD: openssl.1,v 1.119 2020/02/16 16:39:01 jsing Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: December 18 2019 $
+.Dd $Mdocdate: February 16 2020 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -4213,6 +4213,7 @@ Verify the input data and output the recovered data.
 .Op Fl no_tls1
 .Op Fl no_tls1_1
 .Op Fl no_tls1_2
+.Op Fl no_tls1_3
 .Op Fl pass Ar arg
 .Op Fl pause
 .Op Fl policy_check
@@ -4233,6 +4234,7 @@ Verify the input data and output the recovered data.
 .Op Fl tls1
 .Op Fl tls1_1
 .Op Fl tls1_2
+.Op Fl tls1_3
 .Op Fl tlsextdebug
 .Op Fl use_srtp Ar profiles
 .Op Fl verify Ar depth
@@ -4370,8 +4372,8 @@ Can be used to override the implicit
 .Fl ign_eof
 after
 .Fl quiet .
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2
-Disable the use of TLS1.0, 1.1, and 1.2, respectively.
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
+Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
 .It Fl pass Ar arg
@@ -4444,8 +4446,8 @@ Send a certificate status request to the server (OCSP stapling).
 The server response (if any) is printed out.
 .It Fl timeout
 Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2
-Permit only TLS1.0, 1.1, or 1.2, respectively.
+.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
+Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively.
 .It Fl tlsextdebug
 Print a hex dump of any TLS extensions received from the server.
 .It Fl use_srtp Ar profiles
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 1537ebcb26..443f00505e 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.41 2020/01/23 03:35:54 beck Exp $ */
+/* $OpenBSD: s_client.c,v 1.42 2020/02/16 16:39:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -222,12 +222,13 @@ sc_usage(void)
 	BIO_printf(bio_err, " -quiet        - no s_client output\n");
 	BIO_printf(bio_err, " -ign_eof      - ignore input eof (default when -quiet)\n");
 	BIO_printf(bio_err, " -no_ign_eof   - don't ignore input eof\n");
+	BIO_printf(bio_err, " -tls1_3       - just use TLSv1.3\n");
 	BIO_printf(bio_err, " -tls1_2       - just use TLSv1.2\n");
 	BIO_printf(bio_err, " -tls1_1       - just use TLSv1.1\n");
 	BIO_printf(bio_err, " -tls1         - just use TLSv1\n");
 	BIO_printf(bio_err, " -dtls1        - just use DTLSv1\n");
 	BIO_printf(bio_err, " -mtu          - set the link layer MTU\n");
-	BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+	BIO_printf(bio_err, " -no_tls1_3/-no_tls1_2/-no_tls1_1/-no_tls1 - turn off that protocol\n");
 	BIO_printf(bio_err, " -bugs         - Switch on all SSL implementation bug workarounds\n");
 	BIO_printf(bio_err, " -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
 	BIO_printf(bio_err, "                 command to see what is available\n");
@@ -334,6 +335,7 @@ s_client_main(int argc, char **argv)
 	int peerlen = sizeof(peer);
 	int enable_timeouts = 0;
 	long socket_mtu = 0;
+	uint16_t min_version = 0, max_version = 0;
 
 	if (single_execution) {
 		if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) {
@@ -342,7 +344,7 @@ s_client_main(int argc, char **argv)
 		}
 	}
 
-	meth = SSLv23_client_method();
+	meth = TLS_client_method();
 
 	c_Pause = 0;
 	c_quiet = 0;
@@ -445,15 +447,21 @@ s_client_main(int argc, char **argv)
 			nbio_test = 1;
 		else if (strcmp(*argv, "-state") == 0)
 			state = 1;
-		else if (strcmp(*argv, "-tls1_2") == 0)
-			meth = TLSv1_2_client_method();
-		else if (strcmp(*argv, "-tls1_1") == 0)
-			meth = TLSv1_1_client_method();
-		else if (strcmp(*argv, "-tls1") == 0)
-			meth = TLSv1_client_method();
+		else if (strcmp(*argv, "-tls1_3") == 0) {
+			min_version = TLS1_3_VERSION;
+			max_version = TLS1_3_VERSION;
+		} else if (strcmp(*argv, "-tls1_2") == 0) {
+			min_version = TLS1_2_VERSION;
+			max_version = TLS1_2_VERSION;
+		} else if (strcmp(*argv, "-tls1_1") == 0) {
+			min_version = TLS1_1_VERSION;
+			max_version = TLS1_1_VERSION;
+		} else if (strcmp(*argv, "-tls1") == 0) {
+			min_version = TLS1_VERSION;
+			max_version = TLS1_VERSION;
 #ifndef OPENSSL_NO_DTLS1
-		else if (strcmp(*argv, "-dtls1") == 0) {
-			meth = DTLSv1_client_method();
+		} else if (strcmp(*argv, "-dtls1") == 0) {
+			meth = DTLS_client_method();
 			socket_type = SOCK_DGRAM;
 		} else if (strcmp(*argv, "-timeout") == 0)
 			enable_timeouts = 1;
@@ -489,7 +497,9 @@ s_client_main(int argc, char **argv)
 			if (--argc < 1)
 				goto bad;
 			CAfile = *(++argv);
-		} else if (strcmp(*argv, "-no_tls1_2") == 0)
+		} else if (strcmp(*argv, "-no_tls1_3") == 0)
+			off |= SSL_OP_NO_TLSv1_3;
+		else if (strcmp(*argv, "-no_tls1_2") == 0)
 			off |= SSL_OP_NO_TLSv1_2;
 		else if (strcmp(*argv, "-no_tls1_1") == 0)
 			off |= SSL_OP_NO_TLSv1_1;
@@ -550,17 +560,14 @@ s_client_main(int argc, char **argv)
 				starttls_proto = PROTO_XMPP;
 			else
 				goto bad;
-		}
-		else if (strcmp(*argv, "-4") == 0) {
+		} else if (strcmp(*argv, "-4") == 0) {
 			af = AF_INET;
 		} else if (strcmp(*argv, "-6") == 0) {
 			af = AF_INET6;
-		}
-		else if (strcmp(*argv, "-servername") == 0) {
+		} else if (strcmp(*argv, "-servername") == 0) {
 			if (--argc < 1)
 				goto bad;
 			servername = *(++argv);
-			/* meth=TLSv1_client_method(); */
 		}
 #ifndef OPENSSL_NO_SRTP
 		else if (strcmp(*argv, "-use_srtp") == 0) {
@@ -649,6 +656,11 @@ s_client_main(int argc, char **argv)
 	if (vpm)
 		SSL_CTX_set1_param(ctx, vpm);
 
+	if (!SSL_CTX_set_min_proto_version(ctx, min_version))
+		goto end;
+	if (!SSL_CTX_set_max_proto_version(ctx, max_version))
+		goto end;
+
 #ifndef OPENSSL_NO_SRTP
 	if (srtp_profiles != NULL)
 		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
-- 
cgit v1.2.3-55-g6feb