Allow cipher strings to be given using its standard name

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16179)

diff --git a/CHANGES.md b/CHANGES.md
index c14bec916dd3248c072b65e900d2a22fe3c6cf74..963289ca0954881cfc2684b4fb72c2a21d7e2075 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,11 @@ OpenSSL 3.1
 
 ### Changes between 3.0 and 3.1 [xx XXX xxxx]
 
+ * The SSL_CTX_set_cipher_list family functions now accept ciphers using their
+   IANA standard names.
+
+   *Erik Lax*
+
  * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
    the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
    will need to load the legacy crypto provider.

diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index 658730ec5382216e5c2fc09c91d0937490de025f..2428f612192459593d0728fd5b9fb9451260b3b3 100644 (file)
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -115,6 +115,8 @@ used. The format is described below.
 The cipher list consists of one or more I<cipher strings> separated by colons.
 Commas or spaces are also acceptable separators but colons are normally used.
 
+The cipher string may reference a cipher using its standard name.
+
 The actual cipher string can take several different forms.
 
 It can consist of a single cipher suite such as B<RC4-SHA>.

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index dd22e57c59f0301463c4b6c6615cc0b04b138b05..01044deba3c9d476191152a3ed060c2b0c22dbf3 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1042,9 +1042,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
             while (((ch >= 'A') && (ch <= 'Z')) ||
                    ((ch >= '0') && (ch <= '9')) ||
                    ((ch >= 'a') && (ch <= 'z')) ||
-                   (ch == '-') || (ch == '.') || (ch == '='))
+                   (ch == '-') || (ch == '_') || (ch == '.') || (ch == '='))
 #else
-            while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
+            while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '_') || (ch == '.')
                    || (ch == '='))
 #endif
             {
@@ -1095,6 +1095,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                     && (ca_list[j]->name[buflen] == '\0')) {
                     found = 1;
                     break;
+                } else if (ca_list[j]->stdname != NULL
+                           && strncmp(buf, ca_list[j]->stdname, buflen) == 0
+                           && ca_list[j]->stdname[buflen] == '\0') {
+                    found = 1;
+                    break;
                 } else
                     j++;
             }

diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index 2d166e2b46554b5523e3190a2fa2519623b561bd..c46e431b0018a431b7e2e931285d760ba11cb432 100644 (file)
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -244,10 +244,26 @@ end:
     return result;
 }
 
+/* SSL_CTX_set_cipher_list matching with cipher standard name */
+static int test_stdname_cipherlist(void)
+{
+    SETUP_CIPHERLIST_TEST_FIXTURE();
+    if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, TLS1_RFC_RSA_WITH_AES_128_SHA))
+            || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, TLS1_RFC_RSA_WITH_AES_128_SHA))) {
+        goto end;
+    }
+    result = 1;
+end:
+    tear_down(fixture);
+    fixture = NULL;
+    return result;
+}
+
 int setup_tests(void)
 {
     ADD_TEST(test_default_cipherlist_implicit);
     ADD_TEST(test_default_cipherlist_explicit);
     ADD_TEST(test_default_cipherlist_clear);
+    ADD_TEST(test_stdname_cipherlist);
     return 1;
 }