From 0aa52b54c9a57f9625af2c4445b991cfdd4ad228 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 13 Sep 2020 16:49:05 +0000
Subject: Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide this API, while retaining the current behaviour of being able to configure TLSv1.3 via the existing interface. Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
---
 src/lib/libssl/ssl_ciph.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'src/lib/libssl/ssl_ciph.c')
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 4afbcf9896..fd576cee7b 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.118 2020/09/11 17:36:27 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1184,6 +1184,7 @@ ssl_aes_is_accelerated(void)
 STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 STACK_OF(SSL_CIPHER) **cipher_list,
+ STACK_OF(SSL_CIPHER) *cipher_list_tls13,
 const char *rule_str)
 {
 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
@@ -1192,8 +1193,10 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 const char *rule_p;
 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
 const SSL_CIPHER **ca_list = NULL;
+ const SSL_CIPHER *cipher;
 int tls13_seen = 0;
 int any_active;
+ int i;
 
 /*
 * Return with error if nothing to do.
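Review bot: The `cipher_list_tls13` parameter added to the ssl_create_cipher_list() signature (hunk at -1184) has no stated contract. Judging from the later hunk, NULL means no separate TLSv1.3 configuration, and a non-NULL stack is only read, its entries being pushed by pointer onto the result. A comment above the function such as `/* cipher_list_tls13 may be NULL; it is only read and stays owned by the caller. */` would make that explicit. It should also say that a non-NULL but empty stack counts as an explicit configuration, since the later hunk sets `tls13_seen` in that case too. The function body continues past the end of this hunk.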
@@ -1335,11 +1338,21 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 return (NULL);
 }
 
+ /* Prefer TLSv1.3 cipher suites. */
+ if (cipher_list_tls13 != NULL) {
+ for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) {
+ cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i);
+ sk_SSL_CIPHER_push(cipherstack, cipher);
+ }
+ tls13_seen = 1;
+ }
+
 /*
 * The cipher selection for the list is done. The ciphers are added
 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
 *
- * If the rule string did not contain any references to TLSv1.3,
+ * If the rule string did not contain any references to TLSv1.3 and
+ * TLSv1.3 cipher suites have not been configured separately,
 * include inactive TLSv1.3 cipher suites. This avoids attempts to
 * use TLSv1.3 with an older rule string that does not include
 * TLSv1.3 cipher suites. If the rule string resulted in no active
--
cgit v1.2.3-55-g6feb
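Review bot: The new loop ignores the result of `sk_SSL_CIPHER_push(cipherstack, cipher)`, so a failed push drops a configured TLSv1.3 suite without any error while `tls13_seen = 1` still switches off the fallback described in the comment that follows. The caller would then get a list with fewer TLSv1.3 suites than the application asked for. I would test the push, `if (!sk_SSL_CIPHER_push(cipherstack, cipher))`, and leave through the same cleanup and `return (NULL)` path as the error case just above, whose cleanup lies outside the hunk. The loop that consumes `tls13_seen` is also outside the hunk; if it still pushes active TLSv1.3 entries from the rule string, a suite named in both places could appear twice, which is worth confirming.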