From 3738bd24e9d4a33d52a585206262895bd6893bf4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 23 Jan 2020 10:40:59 +0000
Subject: Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@
---
 src/lib/libssl/tls13_lib.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/tls13_lib.c')

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 5d8c359014..91dd566864 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_lib.c,v 1.24 2020/01/23 07:30:55 beck Exp $ */
+/*	$OpenBSD: tls13_lib.c,v 1.25 2020/01/23 10:40:59 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -24,6 +24,11 @@
 #include "ssl_locl.h"
 #include "tls13_internal.h"
 
+SSL3_ENC_METHOD TLSv1_3_enc_data = {
+	.enc = NULL,
+	.enc_flags = SSL_ENC_FLAG_TLS1_3_CIPHERS,
+};
+
 /*
  * RFC 8446 section 4.1.3, magic values which must be set by the
  * server in server random if it is willing to downgrade but supports
-- 
cgit v1.2.3-55-g6feb