From 5c389b79544373bccfce668b646e62e7ba9802a3 Mon Sep 17 00:00:00 2001
From: beck
Date: Sun, 2 Jul 2023 06:37:27 +0000
Subject: [PATCH] Remove the ability to do tls 1.0 and 1.1 from libtls.

With this change any requests from configurations to request versions of tls before tls 1.2 will use tls 1.2. This prepares us to deprecate tls 1.0 and tls 1.1 support from libssl.

ok tb@
---
 lib/libtls/man/tls_config_set_protocols.3 | 12 +++---------
 lib/libtls/tls.c | 10 +++-------
 lib/libtls/tls.h | 14 +++++++++-----
 lib/libtls/tls_config.c | 6 +++---
 regress/lib/libtls/config/configtest.c | 23 +++++++++--------------
 regress/lib/libtls/gotls/tls.go | 2 --
 regress/lib/libtls/gotls/tls_test.go | 8 ++++----
 7 files changed, 31 insertions(+), 44 deletions(-)

diff --git a/lib/libtls/man/tls_config_set_protocols.3 b/lib/libtls/man/tls_config_set_protocols.3
index 7c62493e831..32b8cce7578 100644
--- a/lib/libtls/man/tls_config_set_protocols.3
+++ b/lib/libtls/man/tls_config_set_protocols.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_protocols.3,v 1.11 2021/01/02 19:58:44 schwarze Exp $
+.\" $OpenBSD: tls_config_set_protocols.3,v 1.12 2023/07/02 06:37:27 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\" Copyright (c) 2015, 2016 Joel Sing
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 2 2021 $
+.Dd $Mdocdate: July 2 2023 $
 .Dt TLS_CONFIG_SET_PROTOCOLS 3
 .Os
 .Sh NAME
@@ -76,10 +76,6 @@ Possible values are the bitwise OR of:
 .Pp
 .Bl -item -offset indent -compact
 .It
-.Dv TLS_PROTOCOL_TLSv1_0
-.It
-.Dv TLS_PROTOCOL_TLSv1_1
-.It
 .Dv TLS_PROTOCOL_TLSv1_2
 .It
 .Dv TLS_PROTOCOL_TLSv1_3
@@ -87,7 +83,7 @@ Possible values are the bitwise OR of:
 .Pp
 Additionally, the values
 .Dv TLS_PROTOCOL_TLSv1
-(TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3),
+(TLSv1.2, TLSv1.3),
 .Dv TLS_PROTOCOLS_ALL
 (all supported protocols) and
 .Dv TLS_PROTOCOLS_DEFAULT
@@ -106,8 +102,6 @@ The protocol string is a comma or colon separated list of keywords.
 Valid keywords are:
 .Pp
 .Bl -tag -width "tlsv1.3" -offset indent -compact
-.It Dv tlsv1.0
-.It Dv tlsv1.1
 .It Dv tlsv1.2
 .It Dv tlsv1.3
 .It Dv all
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 8444169bdcc..fdb994d7332 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.97 2023/06/18 11:43:03 op Exp $ */
+/* $OpenBSD: tls.c,v 1.98 2023/07/02 06:37:27 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -520,16 +520,12 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
-	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
-	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
-	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
-		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
-	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
-		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0)
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index b94a6fa6d05..34183745e5e 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.62 2022/03/24 15:56:34 tb Exp $ */
+/* $OpenBSD: tls.h,v 1.63 2023/07/02 06:37:27 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
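Review bot: The two added SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1 lines in tls_configure_ssl carry no comment saying why they are no longer driven by ctx->config->protocols, and since TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 still exist as public names a later reader may take the dropped checks for an accident; add above them `/* TLS 1.0 and 1.1 are never enabled; TLS_PROTOCOL_TLSv1_0/_1 now alias TLS 1.2. */`. If libssl's `SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_2_VERSION)` is acceptable here, one call would state the floor more directly than two option flags, though the flags are functionally sufficient. With this change a protocols mask that has neither TLSv1_2 nor TLSv1_3 set, which the new parser can produce from a string such as "!tlsv1.0,!tlsv1.1,!tlsv1.3", ends up with every version disabled; whether tls_config_set_protocols rejects a zero mask is not visible in this hunk. tls_configure_ssl begins before the hunk, and the hunk's final `if` appears cut off on this page, so its body is not visible either.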
@@ -29,14 +29,18 @@ extern "C" {
 #define TLS_API 20200120
-#define TLS_PROTOCOL_TLSv1_0 (1 << 1)
-#define TLS_PROTOCOL_TLSv1_1 (1 << 2)
+/*
+ * Deprecated versions of TLS. Using these effectively selects
+ the minimum supported version.
+ */
+#define TLS_PROTOCOL_TLSv1_0 (1 << 3)
+#define TLS_PROTOCOL_TLSv1_1 (1 << 3)
+/* Supported versions of TLS */
 #define TLS_PROTOCOL_TLSv1_2 (1 << 3)
 #define TLS_PROTOCOL_TLSv1_3 (1 << 4)
 #define TLS_PROTOCOL_TLSv1 \
-    (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|\
-    TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)
+    (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)
 #define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1
 #define TLS_PROTOCOLS_DEFAULT (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 3efd0ddd57d..5eb5b69ac6e 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.66 2023/05/14 07:26:25 op Exp $ */
+/* $OpenBSD: tls_config.c,v 1.67 2023/07/02 06:37:27 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -251,9 +251,9 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 		if (strcasecmp(p, "tlsv1") == 0)
 			proto = TLS_PROTOCOL_TLSv1;
 		else if (strcasecmp(p, "tlsv1.0") == 0)
-			proto = TLS_PROTOCOL_TLSv1_0;
+			proto = TLS_PROTOCOL_TLSv1_2;
 		else if (strcasecmp(p, "tlsv1.1") == 0)
-			proto = TLS_PROTOCOL_TLSv1_1;
+			proto = TLS_PROTOCOL_TLSv1_2;
 		else if (strcasecmp(p, "tlsv1.2") == 0)
 			proto = TLS_PROTOCOL_TLSv1_2;
 		else if (strcasecmp(p, "tlsv1.3") == 0)
diff --git a/regress/lib/libtls/config/configtest.c b/regress/lib/libtls/config/configtest.c
index 47aa03e8260..5af5b56ffd4 100644
--- a/regress/lib/libtls/config/configtest.c
+++ b/regress/lib/libtls/config/configtest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: configtest.c,v 1.2 2020/01/20 08:40:16 jsing Exp $ */
+/* $OpenBSD: configtest.c,v 1.3 2023/07/02 06:37:27 beck Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing
  *
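Review bot: TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 are now numerically identical to TLS_PROTOCOL_TLSv1_2, so an application that tests `protocols & TLS_PROTOCOL_TLSv1_0` to ask whether TLS 1.0 is enabled gets a true answer whenever TLS 1.2 is enabled, and a mask built as `TLS_PROTOCOLS_ALL & ~TLS_PROTOCOL_TLSv1_0` silently drops TLS 1.2 as well. Spelling the aliases as `#define TLS_PROTOCOL_TLSv1_0 TLS_PROTOCOL_TLSv1_2` and `#define TLS_PROTOCOL_TLSv1_1 TLS_PROTOCOL_TLSv1_2` makes that relationship visible at the definition rather than through a repeated `(1 << 3)`, and the new comment should state it, e.g. `* These are aliases of TLS_PROTOCOL_TLSv1_2: setting, clearing or testing them acts on TLS 1.2.` The current wording "effectively selects the minimum supported version" only describes the setting case. TLS_API stays at 20200120 even though the meaning of public macros changed; bumping it would let callers detect the new semantics at compile time.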
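Review bot: Mapping "tlsv1.0" and "tlsv1.1" to TLS_PROTOCOL_TLSv1_2 in tls_config_parse_protocols also applies when the keyword is negated, so a widely used hardening string such as "all:!tlsv1.0:!tlsv1.1" now yields TLS 1.3 only and "!tlsv1.0,!tlsv1.1,!tlsv1.3" yields an empty mask, which is exactly what the configtest.c hunks now encode ("all,!tlsv1.0" → TLS_PROTOCOL_TLSv1_3, "!tlsv1.0,!tlsv1.1,!tlsv1.3" → 0). The negation handling sits outside this hunk, but if the intent is that a request for a deprecated version becomes TLS 1.2, a negated deprecated keyword should be a no-op rather than clear TLS 1.2, for instance by consulting the negate flag before the keyword mapping and skipping "tlsv1.0"/"tlsv1.1" when it is set. If the present behaviour is deliberate, it needs to be stated in tls_config_set_protocols.3, whose hunk only removes the two keywords from the list. tls_config_parse_protocols starts before and ends after the hunk.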
@@ -71,30 +71,27 @@ struct parse_protocols_test parse_protocols_tests[] = {
 	{
 		.protostr = "tlsv1.0:tlsv1.1:tlsv1.2:tlsv1.3",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 |
-		    TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
+		.want_protocols = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
 	},
 	{
 		.protostr = "tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 |
-		    TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
+		.want_protocols = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
 	},
 	{
 		.protostr = "tlsv1.1,tlsv1.2,tlsv1.0",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 |
-		    TLS_PROTOCOL_TLSv1_2,
+		.want_protocols = TLS_PROTOCOL_TLSv1_2,
 	},
 	{
 		.protostr = "tlsv1.1,tlsv1.2,tlsv1.1",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2,
+		.want_protocols = TLS_PROTOCOL_TLSv1_2,
 	},
 	{
 		.protostr = "tlsv1.1,tlsv1.2,!tlsv1.1",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_2,
+		.want_protocols = 0,
 	},
 	{
 		.protostr = "unknown",
@@ -114,19 +111,17 @@ struct parse_protocols_test parse_protocols_tests[] = {
 	{
 		.protostr = "all,!tlsv1.0",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | \
-		    TLS_PROTOCOL_TLSv1_3,
+		.want_protocols = TLS_PROTOCOL_TLSv1_3,
 	},
 	{
 		.protostr = "!tlsv1.0",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | \
-		    TLS_PROTOCOL_TLSv1_3,
+		.want_protocols = TLS_PROTOCOL_TLSv1_3,
 	},
 	{
 		.protostr = "!tlsv1.0,!tlsv1.1,!tlsv1.3",
 		.want_return = 0,
-		.want_protocols = TLS_PROTOCOL_TLSv1_2,
+		.want_protocols = 0,
 	},
 	{
 		.protostr = "!tlsv1.0,!tlsv1.1,tlsv1.2,!tlsv1.3",
diff --git a/regress/lib/libtls/gotls/tls.go b/regress/lib/libtls/gotls/tls.go
index cf3e84c0309..3029d58c357 100644
--- a/regress/lib/libtls/gotls/tls.go
+++ b/regress/lib/libtls/gotls/tls.go
@@ -45,8 +45,6 @@ const (
 )
 var protocolNames = map[ProtocolVersion]string{
-	ProtocolTLSv10: "TLSv1",
-	ProtocolTLSv11: "TLSv1.1",
 	ProtocolTLSv12: "TLSv1.2",
 	ProtocolTLSv13: "TLSv1.3",
 	ProtocolsAll: "all",
diff --git a/regress/lib/libtls/gotls/tls_test.go b/regress/lib/libtls/gotls/tls_test.go
index f6c6cfcdd52..2b7ce2c19eb 100644
--- a/regress/lib/libtls/gotls/tls_test.go
+++ b/regress/lib/libtls/gotls/tls_test.go
@@ -251,11 +251,11 @@ func TestTLSVersions(t *testing.T) {
 		{tls.VersionSSL30, tls.VersionTLS12, ProtocolTLSv12, false},
 		{tls.VersionTLS10, tls.VersionTLS12, ProtocolTLSv12, false},
 		{tls.VersionTLS11, tls.VersionTLS12, ProtocolTLSv12, false},
-		{tls.VersionSSL30, tls.VersionTLS11, ProtocolTLSv11, false},
-		{tls.VersionSSL30, tls.VersionTLS10, ProtocolTLSv10, false},
+		{tls.VersionSSL30, tls.VersionTLS11, ProtocolTLSv11, true},
+		{tls.VersionSSL30, tls.VersionTLS10, ProtocolTLSv10, true},
 		{tls.VersionSSL30, tls.VersionSSL30, 0, true},
-		{tls.VersionTLS10, tls.VersionTLS10, ProtocolTLSv10, false},
-		{tls.VersionTLS11, tls.VersionTLS11, ProtocolTLSv11, false},
+		{tls.VersionTLS10, tls.VersionTLS10, ProtocolTLSv10, true},
+		{tls.VersionTLS11, tls.VersionTLS11, ProtocolTLSv11, true},
 		{tls.VersionTLS12, tls.VersionTLS12, ProtocolTLSv12, false},
 	}
 	for i, test := range tests {
-- 
2.20.1
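Review bot: The four TestTLSVersions cases flipped to `true` still pass ProtocolTLSv10 and ProtocolTLSv11, whose entries the tls.go hunk removes from protocolNames, so a lookup of either now returns the empty string; if the protocol string handed to libtls is built from that map (the builder is outside both hunks), these cases presumably fail during configuration rather than because the handshake refuses TLS 1.0/1.1, and the test no longer tells the two apart. Either keep the two map entries so the handshake path is what gets exercised, or assert that the returned error is the handshake failure and not a configuration error. TestTLSVersions starts before and ends after its hunk.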