Allow cipher strings to be given using its standard name

Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16179)
2021-07-30 00:47:46 +02:00 · 2021-07-30 00:47:46 +02:00 · d1b26ddbf6
parent 398ae82316
commit d1b26ddbf6
4 changed files with 30 additions and 2 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -24,6 +24,11 @@ OpenSSL 3.1

 ### Changes between 3.0 and 3.1 [xx XXX xxxx]

+ * The SSL_CTX_set_cipher_list family functions now accept ciphers using their
+   IANA standard names.
+
+   *Erik Lax*
+
 * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
   will need to load the legacy crypto provider.
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@ -115,6 +115,8 @@ used. The format is described below.
 The cipher list consists of one or more I<cipher strings> separated by colons.
 Commas or spaces are also acceptable separators but colons are normally used.

+The cipher string may reference a cipher using its standard name.
+
 The actual cipher string can take several different forms.

 It can consist of a single cipher suite such as B<RC4-SHA>.
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@ -1042,9 +1042,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
            while (((ch >= 'A') && (ch <= 'Z')) ||
                   ((ch >= '0') && (ch <= '9')) ||
                   ((ch >= 'a') && (ch <= 'z')) ||
-                   (ch == '-') || (ch == '.') || (ch == '='))
+                   (ch == '-') || (ch == '_') || (ch == '.') || (ch == '='))
 #else
-            while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
+            while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '_') || (ch == '.')
                   || (ch == '='))
 #endif
            {
@ -1095,6 +1095,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                    && (ca_list[j]->name[buflen] == '\0')) {
                    found = 1;
                    break;
+                } else if (ca_list[j]->stdname != NULL
+                           && strncmp(buf, ca_list[j]->stdname, buflen) == 0
+                           && ca_list[j]->stdname[buflen] == '\0') {
+                    found = 1;
+                    break;
                } else
                    j++;
            }
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@ -244,10 +244,26 @@ end:
    return result;
 }

+/* SSL_CTX_set_cipher_list matching with cipher standard name */
+static int test_stdname_cipherlist(void)
+{
+    SETUP_CIPHERLIST_TEST_FIXTURE();
+    if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, TLS1_RFC_RSA_WITH_AES_128_SHA))
+            || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, TLS1_RFC_RSA_WITH_AES_128_SHA))) {
+        goto end;
+    }
+    result = 1;
+end:
+    tear_down(fixture);
+    fixture = NULL;
+    return result;
+}
+
 int setup_tests(void)
 {
    ADD_TEST(test_default_cipherlist_implicit);
    ADD_TEST(test_default_cipherlist_explicit);
    ADD_TEST(test_default_cipherlist_clear);
+    ADD_TEST(test_stdname_cipherlist);
    return 1;
 }