From 050c93c46f5bc880897152419200e60da56b46e0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 29 May 2018 16:12:52 +0200 Subject: setopt: add TLS 1.3 ciphersuites Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. curl: added --tls13-ciphers and --proxy-tls13-ciphers Fixes #2435 Reported-by: zzq1015 on github Closes #2607 --- src/tool_cfgable.h | 2 ++ src/tool_getparam.c | 8 ++++++++ src/tool_help.c | 16 ++++++++++------ src/tool_operate.c | 7 +++++++ 4 files changed, 27 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index 9d995f85e..237c2bd7f 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -117,6 +117,8 @@ struct OperationConfig { struct getout *url_ul; /* point to the node to fill in upload */ char *cipher_list; char *proxy_cipher_list; + char *cipher13_list; + char *proxy_cipher13_list; char *cert; char *proxy_cert; char *cert_type; diff --git a/src/tool_getparam.c b/src/tool_getparam.c index e83373c37..a9f448112 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -201,6 +201,8 @@ static const struct LongShort aliases[]= { {"11", "tlsv1.1", ARG_NONE}, {"12", "tlsv1.2", ARG_NONE}, {"13", "tlsv1.3", ARG_NONE}, + {"1A", "tls13-ciphers", ARG_STRING}, + {"1B", "proxy-tls13-ciphers", ARG_STRING}, {"2", "sslv2", ARG_NONE}, {"3", "sslv3", ARG_NONE}, {"4", "ipv4", ARG_NONE}, @@ -1177,6 +1179,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ /* TLS version 1.3 */ config->ssl_version = CURL_SSLVERSION_TLSv1_3; break; + case 'A': /* --tls13-ciphers */ + GetStr(&config->cipher13_list, nextarg); + break; + case 'B': /* --proxy-tls13-ciphers */ + GetStr(&config->proxy_cipher13_list, nextarg); + break; } break; case '2': diff --git a/src/tool_help.c b/src/tool_help.c index 7c4dda3b0..3218cf67d 100644 --- a/src/tool_help.c +++ b/src/tool_help.c 
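Review bot: The new `char *cipher13_list` and `char *proxy_cipher13_list` members of `struct OperationConfig` are filled by `GetStr()` in the `case 'A'` and `case 'B'` arms of `getparameter()`, but nothing in this commit releases them. The diffstat lists only four files under src/, none of which is the config teardown code. If `GetStr` stores an allocated copy, as it presumably does for the neighbouring `cipher_list` (the macro is not visible here), add matching frees beside the existing ones, e.g. `Curl_safefree(config->cipher13_list);` and `Curl_safefree(config->proxy_cipher13_list);`. Both the struct and `getparameter()` extend beyond the hunks shown.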
@@ -160,12 +160,12 @@ static const struct helptxt helptext[] = { "Put the post data in the URL and use GET"}, {"-g, --globoff", "Disable URL sequences and ranges using {} and []"}, - {" --happy-eyeballs-timeout-ms", + {" --happy-eyeballs-timeout-ms ", "How long to wait in milliseconds for IPv6 before trying IPv4"}, - {"-I, --head", - "Show document info only"}, {" --haproxy-protocol", "Send HAProxy PROXY protocol v1 header"}, + {"-I, --head", + "Show document info only"}, {"-H, --header
", "Pass custom header(s) to server"}, {"-h, --help", @@ -297,7 +297,7 @@ static const struct helptxt helptext[] = { {" --proxy-cert ", "Set client certificate for proxy"}, {" --proxy-cert-type ", - "Client certificate type for HTTS proxy"}, + "Client certificate type for HTTPS proxy"}, {" --proxy-ciphers ", "SSL ciphers to use for proxy"}, {" --proxy-crlfile ", @@ -324,6 +324,8 @@ static const struct helptxt helptext[] = { "SPNEGO proxy service name"}, {" --proxy-ssl-allow-beast", "Allow security flaw for interop for HTTPS proxy"}, + {" --proxy-tls13-ciphers ", + "TLS 1.3 proxy cipher suites"}, {" --proxy-tlsauthtype ", "TLS authentication type for HTTPS proxy"}, {" --proxy-tlspassword ", @@ -337,7 +339,7 @@ static const struct helptxt helptext[] = { {" --proxy1.0 ", "Use HTTP/1.0 proxy on given port"}, {"-p, --proxytunnel", - "Operate through a HTTP proxy tunnel (using CONNECT)"}, + "Operate through an HTTP proxy tunnel (using CONNECT)"}, {" --pubkey ", "SSH Public key file name"}, {"-Q, --quote", @@ -362,7 +364,7 @@ static const struct helptxt helptext[] = { "Specify request command to use"}, {" --request-target", "Specify the target for this request"}, - {" --resolve ", + {" --resolve ", "Resolve the host+port to this address"}, {" --retry ", "Retry request if transient problems occur"}, @@ -432,6 +434,8 @@ static const struct helptxt helptext[] = { "Transfer based on a time condition"}, {" --tls-max ", "Use TLSv1.0 or greater"}, + {" --tls13-ciphers ", + "TLS 1.3 cipher suites to use"}, {" --tlsauthtype ", "TLS authentication type"}, {" --tlspassword", diff --git a/src/tool_operate.c b/src/tool_operate.c index 5be862228..0a1b1a48d 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c 
@@ -1216,6 +1216,13 @@ static CURLcode operate_do(struct GlobalConfig *global, my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST, config->proxy_cipher_list); + if(config->cipher13_list) + my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list); + + if(config->proxy_cipher13_list) + my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST, + config->proxy_cipher13_list); + /* new in libcurl 7.9.2: */ if(config->disable_epsv) /* disable it */ -- cgit v1.2.3
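Review bot: The second added `my_setopt_str` call passes `config->proxy_cipher13_list` to `CURLOPT_PROXY_SSL_CIPHER_LIST`, not to the `CURLOPT_PROXY_TLS13_CIPHERS` option that the commit message says it introduces. As written, `--proxy-tls13-ciphers` overwrites the proxy cipher list set by the context lines just above, and the TLS 1.3 suite selection for the HTTPS proxy is never applied. A user who restricts proxy suites therefore gets a different TLS policy than requested, with no error from this code. The call should read `my_setopt_str(curl, CURLOPT_PROXY_TLS13_CIPHERS,` with `config->proxy_cipher13_list);` unchanged on the next line. `operate_do` starts and ends outside this hunk.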