diff options
| author |   jsing <jsing@openbsd.org> | 2020-09-13 16:49:05 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2020-09-13 16:49:05 +0000 |
| commit | 61a9dc017c155caa6fe6323f54bc4d850457f395 (patch) | |
| tree | 0b94bc45eae82ee9e316fc6ad41b4665a10b1a40 /lib/libssl/ssl_ciph.c | |
| parent | Adapt regress to IFS splitting correction (eval.c -r1.66) (diff) | |
| download | wireguard-openbsd-61a9dc017c155caa6fe6323f54bc4d850457f395.tar.xz wireguard-openbsd-61a9dc017c155caa6fe6323f54bc4d850457f395.zip | |
Implement SSL_{CTX_,}set_ciphersuites().
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
Diffstat (limited to 'lib/libssl/ssl_ciph.c')
| -rw-r--r-- | lib/libssl/ssl_ciph.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 4afbcf98963..fd576cee7b1 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.118 2020/09/11 17:36:27 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1184,6 +1184,7 @@ ssl_aes_is_accelerated(void) STACK_OF(SSL_CIPHER) * ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) *cipher_list_tls13, const char *rule_str) { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; @@ -1192,8 +1193,10 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; + const SSL_CIPHER *cipher; int tls13_seen = 0; int any_active; + int i; /* * Return with error if nothing to do. @@ -1335,11 +1338,21 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, return (NULL); } + /* Prefer TLSv1.3 cipher suites. */ + if (cipher_list_tls13 != NULL) { + for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) { + cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i); + sk_SSL_CIPHER_push(cipherstack, cipher); + } + tls13_seen = 1; + } + /* * The cipher selection for the list is done. The ciphers are added * to the resulting precedence to the STACK_OF(SSL_CIPHER). * - * If the rule string did not contain any references to TLSv1.3, + * If the rule string did not contain any references to TLSv1.3 and + * TLSv1.3 cipher suites have not been configured separately, * include inactive TLSv1.3 cipher suites. This avoids attempts to * use TLSv1.3 with an older rule string that does not include * TLSv1.3 cipher suites. If the rule string resulted in no active |