diff options
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 4afbcf9896..fd576cee7b 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.118 2020/09/11 17:36:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1184,6 +1184,7 @@ ssl_aes_is_accelerated(void) | |||
| 1184 | STACK_OF(SSL_CIPHER) * | 1184 | STACK_OF(SSL_CIPHER) * |
| 1185 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1185 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
| 1186 | STACK_OF(SSL_CIPHER) **cipher_list, | 1186 | STACK_OF(SSL_CIPHER) **cipher_list, |
| 1187 | STACK_OF(SSL_CIPHER) *cipher_list_tls13, | ||
| 1187 | const char *rule_str) | 1188 | const char *rule_str) |
| 1188 | { | 1189 | { |
| 1189 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 1190 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; |
| @@ -1192,8 +1193,10 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1192 | const char *rule_p; | 1193 | const char *rule_p; |
| 1193 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; | 1194 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; |
| 1194 | const SSL_CIPHER **ca_list = NULL; | 1195 | const SSL_CIPHER **ca_list = NULL; |
| 1196 | const SSL_CIPHER *cipher; | ||
| 1195 | int tls13_seen = 0; | 1197 | int tls13_seen = 0; |
| 1196 | int any_active; | 1198 | int any_active; |
| 1199 | int i; | ||
| 1197 | 1200 | ||
| 1198 | /* | 1201 | /* |
| 1199 | * Return with error if nothing to do. | 1202 | * Return with error if nothing to do. |
| @@ -1335,11 +1338,21 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1335 | return (NULL); | 1338 | return (NULL); |
| 1336 | } | 1339 | } |
| 1337 | 1340 | ||
| 1341 | /* Prefer TLSv1.3 cipher suites. */ | ||
| 1342 | if (cipher_list_tls13 != NULL) { | ||
| 1343 | for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) { | ||
| 1344 | cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i); | ||
| 1345 | sk_SSL_CIPHER_push(cipherstack, cipher); | ||
| 1346 | } | ||
| 1347 | tls13_seen = 1; | ||
| 1348 | } | ||
| 1349 | |||
| 1338 | /* | 1350 | /* |
| 1339 | * The cipher selection for the list is done. The ciphers are added | 1351 | * The cipher selection for the list is done. The ciphers are added |
| 1340 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). | 1352 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). |
| 1341 | * | 1353 | * |
| 1342 | * If the rule string did not contain any references to TLSv1.3, | 1354 | * If the rule string did not contain any references to TLSv1.3 and |
| 1355 | * TLSv1.3 cipher suites have not been configured separately, | ||
| 1343 | * include inactive TLSv1.3 cipher suites. This avoids attempts to | 1356 | * include inactive TLSv1.3 cipher suites. This avoids attempts to |
| 1344 | * use TLSv1.3 with an older rule string that does not include | 1357 | * use TLSv1.3 with an older rule string that does not include |
| 1345 | * TLSv1.3 cipher suites. If the rule string resulted in no active | 1358 | * TLSv1.3 cipher suites. If the rule string resulted in no active |