From 6448f98c1857de521fb2dd3f9d4e5659845b5474 Mon Sep 17 00:00:00 2001
From: Jozef Kralik <jozef.kralik@eset.sk>
Date: Tue, 13 Dec 2016 21:10:00 +0100
Subject: vtls: add options to specify range of enabled TLS versions

This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.

Closes https://github.com/curl/curl/pull/1166
---
 src/tool_cfgable.h  |  1 +
 src/tool_getparam.c |  6 ++++++
 src/tool_help.c     |  1 +
 src/tool_operate.c  |  3 ++-
 src/tool_paramhlp.c | 33 +++++++++++++++++++++++++++++++++
 src/tool_paramhlp.h |  2 ++
 6 files changed, 45 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 0d2f765d2..b05c440e5 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -156,6 +156,7 @@ struct OperationConfig {
   struct curl_slist *postquote;
   struct curl_slist *prequote;
   long ssl_version;
+  long ssl_version_max;
   long proxy_ssl_version;
   long ip_version;
   curl_TimeCond timecond;
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 686b01d7e..85d75ae6e 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -184,6 +184,7 @@ static const struct LongShort aliases[]= {
   {"$S", "tftp-no-options",          FALSE},
   {"$U", "connect-to",               TRUE},
   {"$W", "abstract-unix-socket",     TRUE},
+  {"$X", "tls-max",                  TRUE},
   {"0",   "http1.0",                 FALSE},
   {"01",  "http1.1",                 FALSE},
   {"02",  "http2",                   FALSE},
@@ -1060,6 +1061,11 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
         config->abstract_unix_socket = TRUE;
         GetStr(&config->unix_socket_path, nextarg);
         break;
+      case 'X': /* --tls-max */
+        err = str2tls_max(&config->ssl_version_max, nextarg);
+        if(err)
+          return err;
+        break;
       }
       break;
     case '#': /* --progress-bar */
diff --git a/src/tool_help.c b/src/tool_help.c
index 5085e542e..f6fe3527b 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -260,6 +260,7 @@ static const char *const helptext[] = {
   "     --tlsv1.1       Use TLSv1.1 (SSL)",
   "     --tlsv1.2       Use TLSv1.2 (SSL)",
   "     --tlsv1.3       Use TLSv1.3 (SSL)",
+  "     --tls-max VERSION  Use TLS up to VERSION (SSL)",
   "     --trace FILE    Write a debug trace to FILE",
   "     --trace-ascii FILE  Like --trace, but without hex output",
   "     --trace-time    Add time stamps to trace/verbose output",
diff --git a/src/tool_operate.c b/src/tool_operate.c
index c30b32046..a489b8dbd 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1087,7 +1087,8 @@ static CURLcode operate_do(struct GlobalConfig *global,
           if(config->falsestart)
             my_setopt(curl, CURLOPT_SSL_FALSESTART, 1L);
 
-          my_setopt_enum(curl, CURLOPT_SSLVERSION, config->ssl_version);
+          my_setopt_enum(curl, CURLOPT_SSLVERSION,
+                         config->ssl_version | config->ssl_version_max);
           my_setopt_enum(curl, CURLOPT_PROXY_SSLVERSION,
                          config->proxy_ssl_version);
         }
diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
index 257e5c697..6b534ce5d 100644
--- a/src/tool_paramhlp.c
+++ b/src/tool_paramhlp.c
@@ -550,3 +550,36 @@ CURLcode get_args(struct OperationConfig *config, const size_t i)
 
   return result;
 }
+
+/*
+ * Parse the string and modify ssl_version in the val argument. Return PARAM_OK
+ * on success, otherwise a parameter error enum. ONLY ACCEPTS POSITIVE NUMBERS!
+ *
+ * Since this function gets called with the 'nextarg' pointer from within the
+ * getparameter a lot, we must check it for NULL before accessing the str
+ * data.
+ */
+
+ParameterError str2tls_max(long *val, const char *str)
+{
+   static struct s_tls_max {
+    const char *tls_max_str;
+    long tls_max;
+  } const tls_max_array[] = {
+    { "default", CURL_SSLVERSION_MAX_DEFAULT },
+    { "1.0",     CURL_SSLVERSION_MAX_TLSv1_0 },
+    { "1.1",     CURL_SSLVERSION_MAX_TLSv1_1 },
+    { "1.2",     CURL_SSLVERSION_MAX_TLSv1_2 },
+    { "1.3",     CURL_SSLVERSION_MAX_TLSv1_3 }
+  };
+  size_t i = 0;
+  if(!str)
+    return PARAM_REQUIRES_PARAMETER;
+  for(i = 0; i < sizeof(tls_max_array)/sizeof(tls_max_array[0]); i++) {
+    if(!strcmp(str, tls_max_array[i].tls_max_str)) {
+      *val = tls_max_array[i].tls_max;
+      return PARAM_OK;
+    }
+  }
+  return PARAM_BAD_USE;
+}
diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h
index 89a99b2bb..cdfbacf3f 100644
--- a/src/tool_paramhlp.h
+++ b/src/tool_paramhlp.h
@@ -52,4 +52,6 @@ int ftpcccmethod(struct OperationConfig *config, const char *str);
 
 long delegation(struct OperationConfig *config, char *str);
 
+ParameterError str2tls_max(long *val, const char *str);
+
 #endif /* HEADER_CURL_TOOL_PARAMHLP_H */
-- 
cgit v1.2.3