Re: ftp: allow specifying supported protocols

[Jeremie Courreges-Anglas]

On Sat, Sep 05 2020, Theo Buehler <t...@theobuehler.org> wrote:
> I found this small diff useful more than once (admittedly for debugging).
> It allows specifying the protocols that may be used by ftp the same way
> as nc -Tprotocols works. For example:
>
> $ ftp -Sprotocols=tlsv1.2:tlsv1.1 https://example.com/file
>
> Perhaps someone else has use for it, too?

I think it's useful indeed.  ok jca@

One nit below,

> Index: ftp.1
> ===================================================================
> RCS file: /var/cvs/src/usr.bin/ftp/ftp.1,v
> retrieving revision 1.119
> diff -u -p -r1.119 ftp.1
> --- ftp.1     11 Feb 2020 18:41:39 -0000      1.119
> +++ ftp.1     5 Sep 2020 18:11:24 -0000
> @@ -261,6 +261,12 @@ Don't perform server certificate validat
>  Require the server to present a valid OCSP stapling in the TLS handshake.
>  .It Cm noverifytime
>  Disable validation of certificate times and OCSP validation.
> +.It Cm protocols Ns = Ns Ar protocol_list
> +Specify the supported TLS protocols that will be used by
> +.Nm
> +(see
> +.Xr tls_config_parse_protocols 3
> +for details).
>  .It Cm session Ns = Ns Ar /path/to/session
>  Specify a file to use for TLS session data.
>  If this file has a non-zero length, the session data will be read from this 
> file
> Index: main.c
> ===================================================================
> RCS file: /var/cvs/src/usr.bin/ftp/main.c,v
> retrieving revision 1.132
> diff -u -p -r1.132 main.c
> --- main.c    1 Sep 2020 12:33:48 -0000       1.132
> +++ main.c    1 Sep 2020 18:13:09 -0000
> @@ -209,6 +209,8 @@ char * const ssl_verify_opts[] = {
>       "noverifytime",
>  #define SSL_SESSION          8
>       "session",
> +#define SSL_PROTOCOLS                9
> +     "protocols",
>       NULL
>  };
>  
> @@ -220,6 +222,7 @@ process_ssl_options(char *cp)
>  {
>       const char *errstr;
>       long long depth;

(Should probably be an int.)

> +     uint32_t protocols;

Could be moved below str (smaller size on lp64, see style(9)).

>       char *str;
>  
>       while (*cp) {
> @@ -278,6 +281,14 @@ process_ssl_options(char *cp)
>                           tls_session_fd) == -1)
>                               errx(1, "failed to set session: %s",
>                                   tls_config_error(tls_config));
> +                     break;
> +             case SSL_PROTOCOLS:
> +                     if (str == NULL)
> +                             errx(1, "missing protocol name");
> +                     if (tls_config_parse_protocols(&protocols, str) != 0)
> +                             errx(1, "failed to parse TLS protocols");
> +                     if (tls_config_set_protocols(tls_config, protocols) != 
> 0)
> +                             errx(1, "failed to set TLS protocols");
>                       break;
>               default:
>                       errx(1, "unknown -S suboption `%s'",
>


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE