Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide this API, while retaining the current behaviour of being able to configure TLSv1.3 via the existing interface. Note that this is not currently exposed in the headers/exported symbols. ok beck@ inoguchi@ tb@
author: jsing <> 2020-09-13 16:49:05 +0000
committer: jsing <> 2020-09-13 16:49:05 +0000
commit: 0aa52b54c9a57f9625af2c4445b991cfdd4ad228 (patch)
tree: e245dcd6ff9d7a9822feff50c7792c76ecfa9dba /src/lib/libssl/ssl_ciph.c
parent: a328631fddec2556ad8af08ce4de240790c537c9 (diff)
download: openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.tar.gz
openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.tar.bz2
openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.zip
1 files changed, 15 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 4afbcf9896..fd576cee7b 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.118 2020/09/11 17:36:27 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1184,6 +1184,7 @@ ssl_aes_is_accelerated(void)
 STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_METHOD *ssl_method,
    STACK_OF(SSL_CIPHER) **cipher_list,
+    STACK_OF(SSL_CIPHER) *cipher_list_tls13,
    const char *rule_str)
 {
        int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
@@ -1192,8 +1193,10 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        const char *rule_p;
        CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
        const SSL_CIPHER **ca_list = NULL;
+        const SSL_CIPHER *cipher;
        int tls13_seen = 0;
        int any_active;
+        int i;
        /*
         * Return with error if nothing to do.
@@ -1335,11 +1338,21 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                return (NULL);
        }
+        /* Prefer TLSv1.3 cipher suites. */
+        if (cipher_list_tls13 != NULL) {
+                for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) {
+                        cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i);
+                        sk_SSL_CIPHER_push(cipherstack, cipher);
+                }
+                tls13_seen = 1;
+        }
        /*
         * The cipher selection for the list is done. The ciphers are added
         * to the resulting precedence to the STACK_OF(SSL_CIPHER).
         *
-         * If the rule string did not contain any references to TLSv1.3,
+         * If the rule string did not contain any references to TLSv1.3 and
+         * TLSv1.3 cipher suites have not been configured separately,
         * include inactive TLSv1.3 cipher suites. This avoids attempts to
         * use TLSv1.3 with an older rule string that does not include
         * TLSv1.3 cipher suites. If the rule string resulted in no active
author	jsing <>	2020-09-13 16:49:05 +0000
committer	jsing <>	2020-09-13 16:49:05 +0000
commit	0aa52b54c9a57f9625af2c4445b991cfdd4ad228 (patch)
tree	e245dcd6ff9d7a9822feff50c7792c76ecfa9dba /src/lib/libssl/ssl_ciph.c
parent	a328631fddec2556ad8af08ce4de240790c537c9 (diff)
download	openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.tar.gz openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.tar.bz2 openbsd-0aa52b54c9a57f9625af2c4445b991cfdd4ad228.zip