From c1fd005bfc80412efd7d0807256ef5815997edef Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Thu, 28 May 2020 13:39:33 +0200
Subject: [PATCH] Add cipher list ciphersuites which using encryption algorithm in mode CBC.
Reviewed-by: Matt Caswell
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/11984)
---
 doc/man1/openssl-ciphers.pod.in | 7 +++++++
 include/openssl/ssl.h | 1 +
 ssl/ssl_ciph.c | 1 +
 ssl/ssl_local.h | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index 07ff9bc1df..b4ed3e51d5 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -403,6 +403,13 @@ used and only the two suite B compliant cipher suites (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are permissible.
+=item B
+
+All cipher suites using encryption algorithm in Cipher Block Chaining (CBC)
+mode. These cipher suites are only supported in TLS v1.2 and earlier. Currently
+it's an alias for the following cipherstrings: B, B, B,
+B, B, B, B, B, B.
+
 =back
 =head1 CIPHER SUITE NAMES
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 0973f0688d..c039b2a04a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -138,6 +138,7 @@ extern "C" {
 # define SSL_TXT_ARIA128 "ARIA128"
 # define SSL_TXT_ARIA256 "ARIA256"
 # define SSL_TXT_GOST2012_GOST8912_GOST8912 "GOST2012-GOST8912-GOST8912"
+# define SSL_TXT_CBC "CBC"
 # define SSL_TXT_MD5 "MD5"
 # define SSL_TXT_SHA1 "SHA1"
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index ec2dabc89a..83710f8431 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -253,6 +253,7 @@ static const SSL_CIPHER cipher_aliases[] = {
 {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
 {0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM},
 {0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM},
+ {0, SSL_TXT_CBC, NULL, 0, 0, 0, SSL_CBC},
 /* MAC aliases */
 {0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5},
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 083141931c..5e2379c093 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -246,6 +246,9 @@
 # define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
 # define SSL_ARIAGCM (SSL_ARIA128GCM | SSL_ARIA256GCM)
 # define SSL_ARIA (SSL_ARIAGCM)
+# define SSL_CBC (SSL_DES | SSL_3DES | SSL_RC2 | SSL_IDEA \
+ | SSL_AES128 | SSL_AES256 | SSL_CAMELLIA128 \
+ | SSL_CAMELLIA256 | SSL_SEED)
 /* Bits for algorithm_mac (symmetric authentication) */
--
2.34.1
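Review bot: The `CBC` entry added to `cipher_aliases[]` in ssl/ssl_ciph.c ships without a test; the diffstat lists only the man page, two headers and this table. Operators are likely to use `!CBC` or `-CBC` as a hardening control, so a later change that drops a bit from the mask would silently re-enable CBC suites with nothing to catch it. A cipher-list test that expands `CBC` and checks that `ALL:!CBC` contains none of the nine documented families would pin the behaviour. The alias table itself starts and ends outside the hunk.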
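Review bot: `SSL_CBC` in ssl/ssl_local.h is a hand-enumerated OR of encryption bits, and nothing tells a maintainer to extend it when a new CBC-mode cipher bit is added, so `!CBC` can become incomplete with no compile-time signal. It also depends on `SSL_AES128`, `SSL_CAMELLIA128` and the rest denoting only the CBC variants, which the separate `SSL_ARIA128GCM`-style names suggest but the hunk does not show. I would add a comment directly above the define: `/* Every algorithm_enc bit that is CBC-mode; extend when adding a CBC cipher so "!CBC" stays complete */`.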