9d7d3f
From 0c36569c6541ed1eb924ccd60dea5caca0d1e957 Mon Sep 17 00:00:00 2001
9d7d3f
From: Kamil Dudka <kdudka@redhat.com>
9d7d3f
Date: Thu, 27 Oct 2016 14:57:11 +0200
9d7d3f
Subject: [PATCH 1/5] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
9d7d3f
9d7d3f
Fully implemented with the NSS backend only for now.
9d7d3f
9d7d3f
Reviewed-by: Ray Satiro
9d7d3f
9d7d3f
Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8
9d7d3f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9d7d3f
---
9d7d3f
 docs/libcurl/curl_easy_setopt.3  | 2 ++
9d7d3f
 docs/libcurl/symbols-in-versions | 1 +
9d7d3f
 include/curl/curl.h              | 1 +
9d7d3f
 lib/nss.c                        | 8 ++++++++
9d7d3f
 packages/OS400/curl.inc.in       | 2 ++
9d7d3f
 5 files changed, 14 insertions(+)
9d7d3f
9d7d3f
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
9d7d3f
index 17b632f..226e0ca 100644
9d7d3f
--- a/docs/libcurl/curl_easy_setopt.3
9d7d3f
+++ b/docs/libcurl/curl_easy_setopt.3
9d7d3f
@@ -2262,6 +2262,8 @@ Force TLSv1.0 (Added in 7.34.0)
9d7d3f
 Force TLSv1.1 (Added in 7.34.0)
9d7d3f
 .IP CURL_SSLVERSION_TLSv1_2
9d7d3f
 Force TLSv1.2 (Added in 7.34.0)
9d7d3f
+.IP CURL_SSLVERSION_TLSv1_3
9d7d3f
+Force TLSv1.3 (Added in 7.51.1)
9d7d3f
 .RE
9d7d3f
 .IP CURLOPT_SSL_VERIFYPEER
9d7d3f
 Pass a long as parameter. By default, curl assumes a value of 1.
9d7d3f
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
9d7d3f
index e2cce4c..a66bd97 100644
9d7d3f
--- a/docs/libcurl/symbols-in-versions
9d7d3f
+++ b/docs/libcurl/symbols-in-versions
9d7d3f
@@ -685,6 +685,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
9d7d3f
 CURL_SSLVERSION_TLSv1_0         7.34.0
9d7d3f
 CURL_SSLVERSION_TLSv1_1         7.34.0
9d7d3f
 CURL_SSLVERSION_TLSv1_2         7.34.0
9d7d3f
+CURL_SSLVERSION_TLSv1_3         7.51.1
9d7d3f
 CURL_TIMECOND_IFMODSINCE        7.9.7
9d7d3f
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
9d7d3f
 CURL_TIMECOND_LASTMOD           7.9.7
9d7d3f
diff --git a/include/curl/curl.h b/include/curl/curl.h
9d7d3f
index 8b639fa..0fb1885 100644
9d7d3f
--- a/include/curl/curl.h
9d7d3f
+++ b/include/curl/curl.h
9d7d3f
@@ -1645,6 +1645,7 @@ enum {
9d7d3f
   CURL_SSLVERSION_TLSv1_0,
9d7d3f
   CURL_SSLVERSION_TLSv1_1,
9d7d3f
   CURL_SSLVERSION_TLSv1_2,
9d7d3f
+  CURL_SSLVERSION_TLSv1_3,
9d7d3f
 
9d7d3f
   CURL_SSLVERSION_LAST /* never use, keep last */
9d7d3f
 };
9d7d3f
diff --git a/lib/nss.c b/lib/nss.c
9d7d3f
index 31e5d75..8e26d1f 100644
9d7d3f
--- a/lib/nss.c
9d7d3f
+++ b/lib/nss.c
9d7d3f
@@ -1331,6 +1331,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
9d7d3f
     sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
9d7d3f
     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
9d7d3f
     return CURLE_OK;
9d7d3f
+#endif
9d7d3f
+    break;
9d7d3f
+
9d7d3f
+  case CURL_SSLVERSION_TLSv1_3:
9d7d3f
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
9d7d3f
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
9d7d3f
+    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
9d7d3f
+    return CURLE_OK;
9d7d3f
 #endif
9d7d3f
     break;
9d7d3f
   }
9d7d3f
diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
9d7d3f
index 22a5511..30e6506 100644
9d7d3f
--- a/packages/OS400/curl.inc.in
9d7d3f
+++ b/packages/OS400/curl.inc.in
9d7d3f
@@ -232,6 +232,8 @@
9d7d3f
      d                 c                   5
9d7d3f
      d CURL_SSLVERSION_TLSv1_2...
9d7d3f
      d                 c                   6
9d7d3f
+     d CURL_SSLVERSION_TLSv1_3...
9d7d3f
+     d                 c                   7
9d7d3f
       *
9d7d3f
      d CURL_TLSAUTH_NONE...
9d7d3f
      d                 c                   0
9d7d3f
-- 
9d7d3f
2.17.2
9d7d3f
9d7d3f
9d7d3f
From d18da081cc26df5605b5a2995615660eb3270712 Mon Sep 17 00:00:00 2001
9d7d3f
From: Kamil Dudka <kdudka@redhat.com>
9d7d3f
Date: Thu, 27 Oct 2016 14:58:43 +0200
9d7d3f
Subject: [PATCH 2/5] curl: introduce the --tlsv1.3 option to force TLS 1.3
9d7d3f
9d7d3f
Fully implemented with the NSS backend only for now.
9d7d3f
9d7d3f
Reviewed-by: Ray Satiro
9d7d3f
9d7d3f
Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a
9d7d3f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9d7d3f
---
9d7d3f
 docs/curl.1         | 10 +++++++---
9d7d3f
 src/tool_getparam.c |  5 +++++
9d7d3f
 src/tool_help.c     |  1 +
9d7d3f
 src/tool_setopt.c   |  1 +
9d7d3f
 4 files changed, 14 insertions(+), 3 deletions(-)
9d7d3f
9d7d3f
diff --git a/docs/curl.1 b/docs/curl.1
9d7d3f
index a26b03c..0c5ed9a 100644
9d7d3f
--- a/docs/curl.1
9d7d3f
+++ b/docs/curl.1
9d7d3f
@@ -118,9 +118,9 @@ internally preferred: HTTP 1.1.
9d7d3f
 .IP "-1, --tlsv1"
9d7d3f
 (SSL)
9d7d3f
 Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
9d7d3f
-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
9d7d3f
-control the TLS version more precisely (if the SSL backend in use supports such
9d7d3f
-a level of control).
9d7d3f
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
9d7d3f
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
9d7d3f
+in use supports such a level of control).
9d7d3f
 .IP "-2, --sslv2"
9d7d3f
 (SSL)
9d7d3f
 Forces curl to use SSL version 2 when negotiating with a remote SSL server.
9d7d3f
@@ -1469,6 +1469,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
9d7d3f
 (SSL)
9d7d3f
 Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
9d7d3f
 (Added in 7.34.0)
9d7d3f
+.IP "--tlsv1.3"
9d7d3f
+(SSL)
9d7d3f
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
9d7d3f
+(Added in 7.51.1)
9d7d3f
 .IP "--tr-encoding"
9d7d3f
 (HTTP) Request a compressed Transfer-Encoding response using one of the
9d7d3f
 algorithms curl supports, and uncompress the data while receiving it.
9d7d3f
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
9d7d3f
index 32fc68b..86a7bb6 100644
9d7d3f
--- a/src/tool_getparam.c
9d7d3f
+++ b/src/tool_getparam.c
9d7d3f
@@ -179,6 +179,7 @@ static const struct LongShort aliases[]= {
9d7d3f
   {"10",  "tlsv1.0",                 FALSE},
9d7d3f
   {"11",  "tlsv1.1",                 FALSE},
9d7d3f
   {"12",  "tlsv1.2",                 FALSE},
9d7d3f
+  {"13",  "tlsv1.3",                 FALSE},
9d7d3f
   {"2",  "sslv2",                    FALSE},
9d7d3f
   {"3",  "sslv3",                    FALSE},
9d7d3f
   {"4",  "ipv4",                     FALSE},
9d7d3f
@@ -1000,6 +1001,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
9d7d3f
         /* TLS version 1.2 */
9d7d3f
         config->ssl_version = CURL_SSLVERSION_TLSv1_2;
9d7d3f
         break;
9d7d3f
+      case '3':
9d7d3f
+        /* TLS version 1.3 */
9d7d3f
+        config->ssl_version = CURL_SSLVERSION_TLSv1_3;
9d7d3f
+        break;
9d7d3f
       }
9d7d3f
       break;
9d7d3f
     case '2':
9d7d3f
diff --git a/src/tool_help.c b/src/tool_help.c
9d7d3f
index c2883eb..0659db6 100644
9d7d3f
--- a/src/tool_help.c
9d7d3f
+++ b/src/tool_help.c
9d7d3f
@@ -205,6 +205,7 @@ static const char *const helptext[] = {
9d7d3f
   "     --tlsv1.0       Use TLSv1.0 (SSL)",
9d7d3f
   "     --tlsv1.1       Use TLSv1.1 (SSL)",
9d7d3f
   "     --tlsv1.2       Use TLSv1.2 (SSL)",
9d7d3f
+  "     --tlsv1.3       Use TLSv1.3 (SSL)",
9d7d3f
   "     --trace FILE    Write a debug trace to the given file",
9d7d3f
   "     --trace-ascii FILE  Like --trace but without the hex output",
9d7d3f
   "     --trace-time    Add time stamps to trace/verbose output",
9d7d3f
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
9d7d3f
index 5ae32cd..0534118 100644
9d7d3f
--- a/src/tool_setopt.c
9d7d3f
+++ b/src/tool_setopt.c
9d7d3f
@@ -81,6 +81,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
9d7d3f
   NV(CURL_SSLVERSION_TLSv1_0),
9d7d3f
   NV(CURL_SSLVERSION_TLSv1_1),
9d7d3f
   NV(CURL_SSLVERSION_TLSv1_2),
9d7d3f
+  NV(CURL_SSLVERSION_TLSv1_3),
9d7d3f
   NVEND,
9d7d3f
 };
9d7d3f
 
9d7d3f
-- 
9d7d3f
2.17.2
9d7d3f
9d7d3f
9d7d3f
From 6ffdc6a1ca867c0ed228ffba172cb910b77011f0 Mon Sep 17 00:00:00 2001
9d7d3f
From: Jozef Kralik <jozef.kralik@eset.sk>
9d7d3f
Date: Tue, 13 Dec 2016 21:10:00 +0100
9d7d3f
Subject: [PATCH 3/5] vtls: add options to specify range of enabled TLS
9d7d3f
 versions
9d7d3f
9d7d3f
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
9d7d3f
the --tls-max option of the curl tool.
9d7d3f
9d7d3f
Closes https://github.com/curl/curl/pull/1166
9d7d3f
9d7d3f
Upstream-commit: 6448f98c1857de521fb2dd3f9d4e5659845b5474
9d7d3f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9d7d3f
---
9d7d3f
 docs/curl.1                      | 21 ++++++-
9d7d3f
 docs/libcurl/curl_easy_setopt.3  | 18 +++++-
9d7d3f
 docs/libcurl/symbols-in-versions |  8 ++-
9d7d3f
 include/curl/curl.h              | 12 ++++
9d7d3f
 lib/nss.c                        | 94 ++++++++++++++++++++++----------
9d7d3f
 lib/sslgen.c                     |  2 +
9d7d3f
 lib/url.c                        |  7 ++-
9d7d3f
 lib/urldata.h                    |  1 +
9d7d3f
 src/tool_cfgable.h               |  1 +
9d7d3f
 src/tool_getparam.c              |  6 ++
9d7d3f
 src/tool_help.c                  |  1 +
9d7d3f
 src/tool_operate.c               |  3 +-
9d7d3f
 src/tool_paramhlp.c              | 32 +++++++++++
9d7d3f
 src/tool_paramhlp.h              |  2 +
9d7d3f
 14 files changed, 175 insertions(+), 33 deletions(-)
9d7d3f
9d7d3f
diff --git a/docs/curl.1 b/docs/curl.1
9d7d3f
index 0c5ed9a..35fae14 100644
9d7d3f
--- a/docs/curl.1
9d7d3f
+++ b/docs/curl.1
9d7d3f
@@ -1472,7 +1472,26 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
9d7d3f
 .IP "--tlsv1.3"
9d7d3f
 (SSL)
9d7d3f
 Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
9d7d3f
-(Added in 7.51.1)
9d7d3f
+(Added in 7.52.0)
9d7d3f
+.IP "--tls-max <VERSION>"
9d7d3f
+(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version
9d7d3f
+is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3.
9d7d3f
+
9d7d3f
+.RS
9d7d3f
+.IP "default"
9d7d3f
+Use up to recommended TLS version.
9d7d3f
+.IP "1.0"
9d7d3f
+Use up to TLSv1.0.
9d7d3f
+.IP "1.1"
9d7d3f
+Use up to TLSv1.1.
9d7d3f
+.IP "1.2"
9d7d3f
+Use up to TLSv1.2.
9d7d3f
+.IP "1.3"
9d7d3f
+Use up to TLSv1.3.
9d7d3f
+.RE
9d7d3f
+
9d7d3f
+See also \fI--tlsv1.0\fP and \fI--tlsv1.1\fP and \fI--tlsv1.2\fP and
9d7d3f
+\fI--tlsv1.3\fP.  Added in 7.54.0.
9d7d3f
 .IP "--tr-encoding"
9d7d3f
 (HTTP) Request a compressed Transfer-Encoding response using one of the
9d7d3f
 algorithms curl supports, and uncompress the data while receiving it.
9d7d3f
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
9d7d3f
index 226e0ca..55d207e 100644
9d7d3f
--- a/docs/libcurl/curl_easy_setopt.3
9d7d3f
+++ b/docs/libcurl/curl_easy_setopt.3
9d7d3f
@@ -2263,7 +2263,23 @@ Force TLSv1.1 (Added in 7.34.0)
9d7d3f
 .IP CURL_SSLVERSION_TLSv1_2
9d7d3f
 Force TLSv1.2 (Added in 7.34.0)
9d7d3f
 .IP CURL_SSLVERSION_TLSv1_3
9d7d3f
-Force TLSv1.3 (Added in 7.51.1)
9d7d3f
+Force TLSv1.3 (Added in 7.52.0)
9d7d3f
+.IP CURL_SSLVERSION_MAX_DEFAULT
9d7d3f
+The flag defines maximum supported TLS version as TLSv1.2 or default
9d7d3f
+value from SSL library.
9d7d3f
+(Added in 7.54.0)
9d7d3f
+.IP CURL_SSLVERSION_MAX_TLSv1_0
9d7d3f
+The flag defines maximum supported TLS version as TLSv1.0.
9d7d3f
+(Added in 7.54.0)
9d7d3f
+.IP CURL_SSLVERSION_MAX_TLSv1_1
9d7d3f
+The flag defines maximum supported TLS version as TLSv1.1.
9d7d3f
+(Added in 7.54.0)
9d7d3f
+.IP CURL_SSLVERSION_MAX_TLSv1_2
9d7d3f
+The flag defines maximum supported TLS version as TLSv1.2.
9d7d3f
+(Added in 7.54.0)
9d7d3f
+.IP CURL_SSLVERSION_MAX_TLSv1_3
9d7d3f
+The flag defines maximum supported TLS version as TLSv1.3.
9d7d3f
+(Added in 7.54.0)
9d7d3f
 .RE
9d7d3f
 .IP CURLOPT_SSL_VERIFYPEER
9d7d3f
 Pass a long as parameter. By default, curl assumes a value of 1.
9d7d3f
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
9d7d3f
index a66bd97..34e0ac3 100644
9d7d3f
--- a/docs/libcurl/symbols-in-versions
9d7d3f
+++ b/docs/libcurl/symbols-in-versions
9d7d3f
@@ -685,7 +685,13 @@ CURL_SSLVERSION_TLSv1           7.9.2
9d7d3f
 CURL_SSLVERSION_TLSv1_0         7.34.0
9d7d3f
 CURL_SSLVERSION_TLSv1_1         7.34.0
9d7d3f
 CURL_SSLVERSION_TLSv1_2         7.34.0
9d7d3f
-CURL_SSLVERSION_TLSv1_3         7.51.1
9d7d3f
+CURL_SSLVERSION_TLSv1_3         7.52.0
9d7d3f
+CURL_SSLVERSION_MAX_NONE        7.54.0
9d7d3f
+CURL_SSLVERSION_MAX_DEFAULT     7.54.0
9d7d3f
+CURL_SSLVERSION_MAX_TLSv1_0     7.54.0
9d7d3f
+CURL_SSLVERSION_MAX_TLSv1_1     7.54.0
9d7d3f
+CURL_SSLVERSION_MAX_TLSv1_2     7.54.0
9d7d3f
+CURL_SSLVERSION_MAX_TLSv1_3     7.54.0
9d7d3f
 CURL_TIMECOND_IFMODSINCE        7.9.7
9d7d3f
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
9d7d3f
 CURL_TIMECOND_LASTMOD           7.9.7
9d7d3f
diff --git a/include/curl/curl.h b/include/curl/curl.h
9d7d3f
index 0fb1885..5a46925 100644
9d7d3f
--- a/include/curl/curl.h
9d7d3f
+++ b/include/curl/curl.h
9d7d3f
@@ -1650,6 +1650,18 @@ enum {
9d7d3f
   CURL_SSLVERSION_LAST /* never use, keep last */
9d7d3f
 };
9d7d3f
 
9d7d3f
+enum {
9d7d3f
+  CURL_SSLVERSION_MAX_NONE =     0,
9d7d3f
+  CURL_SSLVERSION_MAX_DEFAULT =  (CURL_SSLVERSION_TLSv1   << 16),
9d7d3f
+  CURL_SSLVERSION_MAX_TLSv1_0 =  (CURL_SSLVERSION_TLSv1_0 << 16),
9d7d3f
+  CURL_SSLVERSION_MAX_TLSv1_1 =  (CURL_SSLVERSION_TLSv1_1 << 16),
9d7d3f
+  CURL_SSLVERSION_MAX_TLSv1_2 =  (CURL_SSLVERSION_TLSv1_2 << 16),
9d7d3f
+  CURL_SSLVERSION_MAX_TLSv1_3 =  (CURL_SSLVERSION_TLSv1_3 << 16),
9d7d3f
+
9d7d3f
+  /* never use, keep last */
9d7d3f
+  CURL_SSLVERSION_MAX_LAST =     (CURL_SSLVERSION_LAST    << 16)
9d7d3f
+};
9d7d3f
+
9d7d3f
 enum CURL_TLSAUTH {
9d7d3f
   CURL_TLSAUTH_NONE,
9d7d3f
   CURL_TLSAUTH_SRP,
9d7d3f
diff --git a/lib/nss.c b/lib/nss.c
9d7d3f
index 8e26d1f..d8e481b 100644
9d7d3f
--- a/lib/nss.c
9d7d3f
+++ b/lib/nss.c
9d7d3f
@@ -1284,67 +1284,105 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
9d7d3f
   return CURLE_OK;
9d7d3f
 }
9d7d3f
 
9d7d3f
-static CURLcode nss_init_sslver(SSLVersionRange *sslver,
9d7d3f
-                                struct SessionHandle *data)
9d7d3f
+static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version)
9d7d3f
 {
9d7d3f
-  switch (data->set.ssl.version) {
9d7d3f
-  default:
9d7d3f
-  case CURL_SSLVERSION_DEFAULT:
9d7d3f
-    break;
9d7d3f
-
9d7d3f
+  switch(version) {
9d7d3f
   case CURL_SSLVERSION_TLSv1:
9d7d3f
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_2;
9d7d3f
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_1;
9d7d3f
 #else
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
 #endif
9d7d3f
     return CURLE_OK;
9d7d3f
 
9d7d3f
   case CURL_SSLVERSION_SSLv2:
9d7d3f
-    sslver->min = SSL_LIBRARY_VERSION_2;
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_2;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_2;
9d7d3f
     return CURLE_OK;
9d7d3f
 
9d7d3f
   case CURL_SSLVERSION_SSLv3:
9d7d3f
-    sslver->min = SSL_LIBRARY_VERSION_3_0;
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_3_0;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_3_0;
9d7d3f
     return CURLE_OK;
9d7d3f
 
9d7d3f
   case CURL_SSLVERSION_TLSv1_0:
9d7d3f
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
     return CURLE_OK;
9d7d3f
 
9d7d3f
   case CURL_SSLVERSION_TLSv1_1:
9d7d3f
 #ifdef SSL_LIBRARY_VERSION_TLS_1_1
9d7d3f
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_1;
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_1;
9d7d3f
     return CURLE_OK;
9d7d3f
+#else
9d7d3f
+    return CURLE_SSL_CONNECT_ERROR;
9d7d3f
 #endif
9d7d3f
-    break;
9d7d3f
 
9d7d3f
   case CURL_SSLVERSION_TLSv1_2:
9d7d3f
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
9d7d3f
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_2;
9d7d3f
     return CURLE_OK;
9d7d3f
+#else
9d7d3f
+    return CURLE_SSL_CONNECT_ERROR;
9d7d3f
 #endif
9d7d3f
-    break;
9d7d3f
 
9d7d3f
   case CURL_SSLVERSION_TLSv1_3:
9d7d3f
 #ifdef SSL_LIBRARY_VERSION_TLS_1_3
9d7d3f
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
9d7d3f
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
9d7d3f
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_3;
9d7d3f
     return CURLE_OK;
9d7d3f
+#else
9d7d3f
+    return CURLE_SSL_CONNECT_ERROR;
9d7d3f
 #endif
9d7d3f
+
9d7d3f
+  default:
9d7d3f
+    return CURLE_SSL_CONNECT_ERROR;
9d7d3f
+  }
9d7d3f
+}
9d7d3f
+
9d7d3f
+static CURLcode nss_init_sslver(SSLVersionRange *sslver,
9d7d3f
+                                struct SessionHandle *data)
9d7d3f
+{
9d7d3f
+  CURLcode result;
9d7d3f
+  const long min = data->set.ssl.version;
9d7d3f
+  const long max = data->set.ssl.version_max;
9d7d3f
+
9d7d3f
+  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
9d7d3f
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
9d7d3f
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
9d7d3f
+      return CURLE_SSL_CONNECT_ERROR;
9d7d3f
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
9d7d3f
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
9d7d3f
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
+  }
9d7d3f
+
9d7d3f
+  switch(min) {
9d7d3f
+  case CURL_SSLVERSION_DEFAULT:
9d7d3f
+    break;
9d7d3f
+  case CURL_SSLVERSION_TLSv1:
9d7d3f
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
9d7d3f
     break;
9d7d3f
+  default:
9d7d3f
+    result = nss_sslver_from_curl(&sslver->min, min);
9d7d3f
+    if(result) {
9d7d3f
+      failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
9d7d3f
+      return result;
9d7d3f
+    }
9d7d3f
+    if(max == CURL_SSLVERSION_MAX_NONE)
9d7d3f
+      sslver->max = sslver->min;
9d7d3f
+  }
9d7d3f
+
9d7d3f
+  switch(max) {
9d7d3f
+  case CURL_SSLVERSION_MAX_NONE:
9d7d3f
+  case CURL_SSLVERSION_MAX_DEFAULT:
9d7d3f
+    break;
9d7d3f
+  default:
9d7d3f
+    result = nss_sslver_from_curl(&sslver->max, max >> 16);
9d7d3f
+    if(result) {
9d7d3f
+      failf(data, "unsupported max version passed via CURLOPT_SSLVERSION");
9d7d3f
+      return result;
9d7d3f
+    }
9d7d3f
   }
9d7d3f
 
9d7d3f
-  failf(data, "TLS minor version cannot be set");
9d7d3f
-  return CURLE_SSL_CONNECT_ERROR;
9d7d3f
+  return CURLE_OK;
9d7d3f
 }
9d7d3f
 
9d7d3f
 static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
9d7d3f
@@ -1400,7 +1438,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
9d7d3f
   CURLcode curlerr;
9d7d3f
 
9d7d3f
   SSLVersionRange sslver = {
9d7d3f
-    SSL_LIBRARY_VERSION_3_0,      /* min */
9d7d3f
+    SSL_LIBRARY_VERSION_TLS_1_0,  /* min */
9d7d3f
     SSL_LIBRARY_VERSION_TLS_1_0   /* max */
9d7d3f
   };
9d7d3f
 
9d7d3f
diff --git a/lib/sslgen.c b/lib/sslgen.c
9d7d3f
index 79cbb6f..d917f05 100644
9d7d3f
--- a/lib/sslgen.c
9d7d3f
+++ b/lib/sslgen.c
9d7d3f
@@ -86,6 +86,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
9d7d3f
                         struct ssl_config_data* needle)
9d7d3f
 {
9d7d3f
   if((data->version == needle->version) &&
9d7d3f
+     (data->version_max == needle->version_max) &&
9d7d3f
      (data->verifypeer == needle->verifypeer) &&
9d7d3f
      (data->verifyhost == needle->verifyhost) &&
9d7d3f
      safe_strequal(data->CApath, needle->CApath) &&
9d7d3f
@@ -107,6 +108,7 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
9d7d3f
   dest->verifyhost = source->verifyhost;
9d7d3f
   dest->verifypeer = source->verifypeer;
9d7d3f
   dest->version = source->version;
9d7d3f
+  dest->version_max = source->version_max;
9d7d3f
 
9d7d3f
   if(source->CAfile) {
9d7d3f
     dest->CAfile = strdup(source->CAfile);
9d7d3f
diff --git a/lib/url.c b/lib/url.c
9d7d3f
index cb3f3c3..cc099a5 100644
9d7d3f
--- a/lib/url.c
9d7d3f
+++ b/lib/url.c
9d7d3f
@@ -667,6 +667,9 @@ CURLcode Curl_open(struct SessionHandle **curl)
9d7d3f
   return res;
9d7d3f
 }
9d7d3f
 
9d7d3f
+#define C_SSLVERSION_VALUE(x) (x & 0xffff)
9d7d3f
+#define C_SSLVERSION_MAX_VALUE(x) (x & 0xffff0000)
9d7d3f
+
9d7d3f
 CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
9d7d3f
                      va_list param)
9d7d3f
 {
9d7d3f
@@ -882,7 +885,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
9d7d3f
      * Set explicit SSL version to try to connect with, as some SSL
9d7d3f
      * implementations are lame.
9d7d3f
      */
9d7d3f
-    data->set.ssl.version = va_arg(param, long);
9d7d3f
+    arg = va_arg(param, long);
9d7d3f
+    data->set.ssl.version = C_SSLVERSION_VALUE(arg);
9d7d3f
+    data->set.ssl.version_max = C_SSLVERSION_MAX_VALUE(arg);
9d7d3f
     break;
9d7d3f
 
9d7d3f
 #ifndef CURL_DISABLE_HTTP
9d7d3f
diff --git a/lib/urldata.h b/lib/urldata.h
9d7d3f
index d10c784..a5027ed 100644
9d7d3f
--- a/lib/urldata.h
9d7d3f
+++ b/lib/urldata.h
9d7d3f
@@ -335,6 +335,7 @@ struct ssl_connect_data {
9d7d3f
 
9d7d3f
 struct ssl_config_data {
9d7d3f
   long version;          /* what version the client wants to use */
9d7d3f
+  long version_max;      /* max supported version the client wants to use*/
9d7d3f
   long certverifyresult; /* result from the certificate verification */
9d7d3f
 
9d7d3f
   bool verifypeer;       /* set TRUE if this is desired */
9d7d3f
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
9d7d3f
index 68d0297..5f45f63 100644
9d7d3f
--- a/src/tool_cfgable.h
9d7d3f
+++ b/src/tool_cfgable.h
9d7d3f
@@ -146,6 +146,7 @@ struct Configurable {
9d7d3f
   struct curl_slist *postquote;
9d7d3f
   struct curl_slist *prequote;
9d7d3f
   long ssl_version;
9d7d3f
+  long ssl_version_max;
9d7d3f
   long ip_version;
9d7d3f
   curl_TimeCond timecond;
9d7d3f
   time_t condtime;
9d7d3f
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
9d7d3f
index 86a7bb6..9a228b9 100644
9d7d3f
--- a/src/tool_getparam.c
9d7d3f
+++ b/src/tool_getparam.c
9d7d3f
@@ -174,6 +174,7 @@ static const struct LongShort aliases[]= {
9d7d3f
   {"$I", "post303",                  FALSE},
9d7d3f
   {"$J", "metalink",                 FALSE},
9d7d3f
   {"$M", "unix-socket",              TRUE},
9d7d3f
+  {"$X", "tls-max",                  TRUE},
9d7d3f
   {"0",  "http1.0",                  FALSE},
9d7d3f
   {"1",  "tlsv1",                    FALSE},
9d7d3f
   {"10",  "tlsv1.0",                 FALSE},
9d7d3f
@@ -968,6 +969,11 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
9d7d3f
       case 'M': /* --unix-socket */
9d7d3f
         GetStr(&config->unix_socket_path, nextarg);
9d7d3f
         break;
9d7d3f
+      case 'X': /* --tls-max */
9d7d3f
+        err = str2tls_max(&config->ssl_version_max, nextarg);
9d7d3f
+        if(err)
9d7d3f
+          return err;
9d7d3f
+        break;
9d7d3f
       }
9d7d3f
       break;
9d7d3f
     case '#': /* --progress-bar */
9d7d3f
diff --git a/src/tool_help.c b/src/tool_help.c
9d7d3f
index 0659db6..3eeef6d 100644
9d7d3f
--- a/src/tool_help.c
9d7d3f
+++ b/src/tool_help.c
9d7d3f
@@ -206,6 +206,7 @@ static const char *const helptext[] = {
9d7d3f
   "     --tlsv1.1       Use TLSv1.1 (SSL)",
9d7d3f
   "     --tlsv1.2       Use TLSv1.2 (SSL)",
9d7d3f
   "     --tlsv1.3       Use TLSv1.3 (SSL)",
9d7d3f
+  "     --tls-max VERSION  Use TLS up to VERSION (SSL)",
9d7d3f
   "     --trace FILE    Write a debug trace to the given file",
9d7d3f
   "     --trace-ascii FILE  Like --trace but without the hex output",
9d7d3f
   "     --trace-time    Add time stamps to trace/verbose output",
9d7d3f
diff --git a/src/tool_operate.c b/src/tool_operate.c
9d7d3f
index 185f9c6..052def1 100644
9d7d3f
--- a/src/tool_operate.c
9d7d3f
+++ b/src/tool_operate.c
9d7d3f
@@ -1109,7 +1109,8 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
9d7d3f
         }
9d7d3f
 #endif
9d7d3f
 
9d7d3f
-        my_setopt_enum(curl, CURLOPT_SSLVERSION, config->ssl_version);
9d7d3f
+        my_setopt_enum(curl, CURLOPT_SSLVERSION,
9d7d3f
+                       config->ssl_version | config->ssl_version_max);
9d7d3f
         my_setopt_enum(curl, CURLOPT_TIMECONDITION, config->timecond);
9d7d3f
         my_setopt(curl, CURLOPT_TIMEVALUE, config->condtime);
9d7d3f
         my_setopt_str(curl, CURLOPT_CUSTOMREQUEST, config->customrequest);
9d7d3f
diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
9d7d3f
index 5d6f8bb..5ceddb2 100644
9d7d3f
--- a/src/tool_paramhlp.c
9d7d3f
+++ b/src/tool_paramhlp.c
9d7d3f
@@ -405,3 +405,35 @@ long delegation(struct Configurable *config, char *str)
9d7d3f
   return CURLGSSAPI_DELEGATION_NONE;
9d7d3f
 }
9d7d3f
 
9d7d3f
+/*
9d7d3f
+ * Parse the string and modify ssl_version in the val argument. Return PARAM_OK
9d7d3f
+ * on success, otherwise a parameter error enum. ONLY ACCEPTS POSITIVE NUMBERS!
9d7d3f
+ *
9d7d3f
+ * Since this function gets called with the 'nextarg' pointer from within the
9d7d3f
+ * getparameter a lot, we must check it for NULL before accessing the str
9d7d3f
+ * data.
9d7d3f
+ */
9d7d3f
+
9d7d3f
+ParameterError str2tls_max(long *val, const char *str)
9d7d3f
+{
9d7d3f
+   static struct s_tls_max {
9d7d3f
+    const char *tls_max_str;
9d7d3f
+    long tls_max;
9d7d3f
+  } const tls_max_array[] = {
9d7d3f
+    { "default", CURL_SSLVERSION_MAX_DEFAULT },
9d7d3f
+    { "1.0",     CURL_SSLVERSION_MAX_TLSv1_0 },
9d7d3f
+    { "1.1",     CURL_SSLVERSION_MAX_TLSv1_1 },
9d7d3f
+    { "1.2",     CURL_SSLVERSION_MAX_TLSv1_2 },
9d7d3f
+    { "1.3",     CURL_SSLVERSION_MAX_TLSv1_3 }
9d7d3f
+  };
9d7d3f
+  size_t i = 0;
9d7d3f
+  if(!str)
9d7d3f
+    return PARAM_REQUIRES_PARAMETER;
9d7d3f
+  for(i = 0; i < sizeof(tls_max_array)/sizeof(tls_max_array[0]); i++) {
9d7d3f
+    if(!strcmp(str, tls_max_array[i].tls_max_str)) {
9d7d3f
+      *val = tls_max_array[i].tls_max;
9d7d3f
+      return PARAM_OK;
9d7d3f
+    }
9d7d3f
+  }
9d7d3f
+  return PARAM_BAD_USE;
9d7d3f
+}
9d7d3f
diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h
9d7d3f
index de1604e..c848d1c 100644
9d7d3f
--- a/src/tool_paramhlp.h
9d7d3f
+++ b/src/tool_paramhlp.h
9d7d3f
@@ -48,5 +48,7 @@ int ftpcccmethod(struct Configurable *config, const char *str);
9d7d3f
 
9d7d3f
 long delegation(struct Configurable *config, char *str);
9d7d3f
 
9d7d3f
+ParameterError str2tls_max(long *val, const char *str);
9d7d3f
+
9d7d3f
 #endif /* HEADER_CURL_TOOL_PARAMHLP_H */
9d7d3f
 
9d7d3f
-- 
9d7d3f
2.20.1
9d7d3f
9d7d3f
9d7d3f
From 6a332224ba66b7ad21f6a874af94c1b7441ca19f Mon Sep 17 00:00:00 2001
9d7d3f
From: Hubert Kario <hkario@redhat.com>
9d7d3f
Date: Fri, 17 May 2019 17:15:24 +0000
9d7d3f
Subject: [PATCH 4/5] nss: allow to specify TLS 1.3 ciphers if supported by NSS
9d7d3f
9d7d3f
Closes #3916
9d7d3f
9d7d3f
Upstream-commit: 319ae9075efba769c9d5e98e827bb325ad0fcb6f
9d7d3f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9d7d3f
---
9d7d3f
 lib/nss.c | 5 +++++
9d7d3f
 1 file changed, 5 insertions(+)
9d7d3f
9d7d3f
diff --git a/lib/nss.c b/lib/nss.c
9d7d3f
index d8e481b..330387c 100644
9d7d3f
--- a/lib/nss.c
9d7d3f
+++ b/lib/nss.c
9d7d3f
@@ -195,6 +195,11 @@ static const cipher_s cipherlist[] = {
9d7d3f
  {"dhe_rsa_chacha20_poly1305_sha_256",
9d7d3f
      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
9d7d3f
 #endif
9d7d3f
+#ifdef TLS_AES_256_GCM_SHA384
9d7d3f
+ {"aes_128_gcm_sha_256",              TLS_AES_128_GCM_SHA256},
9d7d3f
+ {"aes_256_gcm_sha_384",              TLS_AES_256_GCM_SHA384},
9d7d3f
+ {"chacha20_poly1305_sha_256",        TLS_CHACHA20_POLY1305_SHA256},
9d7d3f
+#endif
9d7d3f
 };
9d7d3f
 
9d7d3f
 static const char* pem_library = "libnsspem.so";
9d7d3f
-- 
9d7d3f
2.20.1
9d7d3f
9d7d3f
9d7d3f
From 268dcd88beb3d270d5aaeda473d51550ea9a3f84 Mon Sep 17 00:00:00 2001
9d7d3f
From: Kamil Dudka <kdudka@redhat.com>
9d7d3f
Date: Mon, 3 Jun 2019 12:31:21 +0200
9d7d3f
Subject: [PATCH 5/5] nss: make `curl --tlsv1` compatible with
9d7d3f
 curl-7.29.0-52.el7
9d7d3f
9d7d3f
---
9d7d3f
 lib/nss.c | 4 +++-
9d7d3f
 1 file changed, 3 insertions(+), 1 deletion(-)
9d7d3f
9d7d3f
diff --git a/lib/nss.c b/lib/nss.c
9d7d3f
index 330387c..f963c63 100644
9d7d3f
--- a/lib/nss.c
9d7d3f
+++ b/lib/nss.c
9d7d3f
@@ -1350,7 +1350,9 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
9d7d3f
   const long min = data->set.ssl.version;
9d7d3f
   const long max = data->set.ssl.version_max;
9d7d3f
 
9d7d3f
-  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
9d7d3f
+  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT
9d7d3f
+      || min == CURL_SSLVERSION_TLSv1)
9d7d3f
+  {
9d7d3f
     /* map CURL_SSLVERSION_DEFAULT to NSS default */
9d7d3f
     if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
9d7d3f
       return CURLE_SSL_CONNECT_ERROR;
9d7d3f
-- 
9d7d3f
2.20.1
9d7d3f