LibreSSL 2.5.4 tarball patches to add nc -T tlscompat and tolerate undef IPV6_TCLASS

0001-nc-tlscompat.patch

From: Kyle J. McKay <[email protected]>
Subject: [PATCHv2 1/2] nc: support -T tlscompat option

Some services are still provided using TLS 1.0 and older ciphers.
It is possible to use the nc command to connect to these services
using the "-T tlsall" option, but that also enables legacy and
insecure ciphers and is not desirable.

Instead add a new "-T tlscompat" option that can be used to access
older servers while not also enabling insecure and very old legacy
ciphers possibly allowing them to be unintentionally used (perhaps
because of a server misconfiguration).

Signed-off-by: Kyle J. McKay <[email protected]>

---
 apps/nc/nc.1     | 2 ++
 apps/nc/netcat.c | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/apps/nc/nc.1 b/apps/nc/nc.1
index b1f96488..dd8bc70e 100644
--- a/apps/nc/nc.1
+++ b/apps/nc/nc.1
@@ -233,6 +233,8 @@ For TLS options
 may be one of
 .Ar tlsall ;
 which allows the use of all supported TLS protocols and ciphers,
+.Ar tlscompat ;
+which allows the use of all supported TLS protocols and "compat" ciphers,
 .Ar noverify ;
 which disables certificate verification;
 .Ar noname ,
diff --git a/apps/nc/netcat.c b/apps/nc/netcat.c
index 6b4979c8..9a13e726 100644
--- a/apps/nc/netcat.c
+++ b/apps/nc/netcat.c
@@ -74,6 +74,7 @@
 #define TLS_NONAME	(1 << 3)
 #define TLS_CCERT	(1 << 4)
 #define TLS_MUSTSTAPLE	(1 << 5)
+#define TLS_COMPAT	(1 << 6)
 
 /* Command Line Options */
 int	dflag;					/* detached, no stdin */
@@ -393,6 +394,8 @@ main(int argc, char *argv[])
 		errx(1, "cannot use -c and -F");
 	if (TLSopt && !usetls)
 		errx(1, "you must specify -c to use TLS options");
+	if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+		errx(1, "cannot use -T tlsall and -T tlscompat");
 	if (Cflag && !usetls)
 		errx(1, "you must specify -c to use -C");
 	if (Kflag && !usetls)
@@ -490,11 +493,12 @@ main(int argc, char *argv[])
 			errx(1, "%s", tls_config_error(tls_cfg));
 		if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
 			errx(1, "%s", tls_config_error(tls_cfg));
-		if (TLSopt & TLS_ALL) {
+		if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
 			if (tls_config_set_protocols(tls_cfg,
 			    TLS_PROTOCOLS_ALL) != 0)
 				errx(1, "%s", tls_config_error(tls_cfg));
-			if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+			if (tls_config_set_ciphers(tls_cfg,
+			    (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
 				errx(1, "%s", tls_config_error(tls_cfg));
 		}
 		if (!lflag && (TLSopt & TLS_CCERT))
@@ -1564,6 +1568,7 @@ map_tls(char *s, int *val)
 		{ "noname",		TLS_NONAME },
 		{ "clientcert",		TLS_CCERT},
 		{ "muststaple",		TLS_MUSTSTAPLE},
+		{ "tlscompat",		TLS_COMPAT },
 		{ NULL,			-1 },
 	};
 

-- 
tg: (9996e217..) t/nc-tlscompat (depends on: t/release)

0002-nc-missing-tclass.patch

From: Kyle J. McKay <[email protected]>
Subject: [PATCHv2 2/2] nc: do not require IPV6_TCLASS

Older IPv6 implementations may not have an IPV6_TCLASS
option.  Tolerate this situation by simply returning an
error if an attempt is made to use IPV6_TCLASS on such
a system.

Signed-off-by: Kyle J. McKay <[email protected]>

---
 apps/nc/netcat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/nc/netcat.c b/apps/nc/netcat.c
index 9a13e726..ded61e8f 100644
--- a/apps/nc/netcat.c
+++ b/apps/nc/netcat.c
@@ -1468,9 +1468,15 @@ set_common_sockopts(int s, int af)
 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
 			err(1, "set IP ToS");
 
+#ifdef IPV6_TCLASS
 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
 			err(1, "set IPv6 traffic class");
+#else
+		else if (af == AF_INET6)
+			errno = ENOPROTOOPT,
+			err(1, "set IPv6 traffic class not supported");
+#endif
 	}
 	if (Iflag) {
 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,

-- 
tg: (e45c992d..) t/nc-tclass (depends on: t/nc-tlscompat)