vtls: add SSLSUPP_CIPHER_LIST

Added SSLSUPP_CIPHER_LIST so be able to differniate SSL Backends that support CURLOPT_SSL_CIPHER_LIST. Closes #14406
2025-01-30 14:22:33 +08:00 · 2024-08-05 23:52:33 +02:00 · 2024-08-05 23:52:33 +02:00 · 5c2ab55abe
commit 5c2ab55abe
parent cd4aee156f
8 changed files with 31 additions and 12 deletions
--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -255,15 +255,23 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
    /* deprecated */
    break;
  case CURLOPT_SSL_CIPHER_LIST:
-    /* set a list of cipher we want to use in the SSL connection */
-    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
-                            va_arg(param, char *));
+    if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST)) {
+      /* set a list of cipher we want to use in the SSL connection */
+      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
+                              va_arg(param, char *));
+    }
+    else
+      return CURLE_NOT_BUILT_IN;
    break;
 #ifndef CURL_DISABLE_PROXY
  case CURLOPT_PROXY_SSL_CIPHER_LIST:
-    /* set a list of cipher we want to use in the SSL connection for proxy */
-    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_PROXY],
-                            va_arg(param, char *));
+    if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST)) {
+      /* set a list of cipher we want to use in the SSL connection for proxy */
+      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_PROXY],
+                              va_arg(param, char *));
+    }
+    else
+      return CURLE_NOT_BUILT_IN;
    break;
 #endif
  case CURLOPT_TLS13_CIPHERS:
--- a/lib/vtls/bearssl.c
+++ b/lib/vtls/bearssl.c
@ -1113,7 +1113,12 @@ static CURLcode bearssl_sha256sum(const unsigned char *input,

 const struct Curl_ssl Curl_ssl_bearssl = {
  { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */
-  SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX | SSLSUPP_HTTPS_PROXY,
+
+  SSLSUPP_CAINFO_BLOB |
+  SSLSUPP_SSL_CTX |
+  SSLSUPP_HTTPS_PROXY |
+  SSLSUPP_CIPHER_LIST,
+
  sizeof(struct bearssl_ssl_backend_data),

  Curl_none_init,                  /* init */
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@ -1726,7 +1726,8 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
 #ifdef TLS13_SUPPORT
  SSLSUPP_TLS13_CIPHERSUITES |
 #endif
-  SSLSUPP_HTTPS_PROXY,
+  SSLSUPP_HTTPS_PROXY |
+  SSLSUPP_CIPHER_LIST,

  sizeof(struct mbed_ssl_backend_data),

--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -5212,7 +5212,8 @@ const struct Curl_ssl Curl_ssl_openssl = {
  SSLSUPP_ECH |
 #endif
  SSLSUPP_CA_CACHE |
-  SSLSUPP_HTTPS_PROXY,
+  SSLSUPP_HTTPS_PROXY |
+  SSLSUPP_CIPHER_LIST,

  sizeof(struct ossl_ctx),

--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@ -2969,7 +2969,8 @@ const struct Curl_ssl Curl_ssl_schannel = {
 #endif
  SSLSUPP_TLS13_CIPHERSUITES |
  SSLSUPP_CA_CACHE |
-  SSLSUPP_HTTPS_PROXY,
+  SSLSUPP_HTTPS_PROXY |
+  SSLSUPP_CIPHER_LIST,

  sizeof(struct schannel_ssl_backend_data),

--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@ -2888,7 +2888,8 @@ const struct Curl_ssl Curl_ssl_sectransp = {
 #ifdef SECTRANSP_PINNEDPUBKEY
  SSLSUPP_PINNEDPUBKEY |
 #endif /* SECTRANSP_PINNEDPUBKEY */
-  SSLSUPP_HTTPS_PROXY,
+  SSLSUPP_HTTPS_PROXY |
+  SSLSUPP_CIPHER_LIST,

  sizeof(struct st_ssl_backend_data),

--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@ -39,6 +39,7 @@ struct Curl_ssl_session;
 #define SSLSUPP_CAINFO_BLOB  (1<<6)
 #define SSLSUPP_ECH          (1<<7)
 #define SSLSUPP_CA_CACHE     (1<<8)
+#define SSLSUPP_CIPHER_LIST  (1<<9) /* supports TLS 1.0-1.2 ciphersuites */

 #define ALPN_ACCEPTED "ALPN: server accepted "

--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -1918,7 +1918,8 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
 #ifdef WOLFSSL_TLS13
  SSLSUPP_TLS13_CIPHERSUITES |
 #endif
-  SSLSUPP_CA_CACHE,
+  SSLSUPP_CA_CACHE |
+  SSLSUPP_CIPHER_LIST,

  sizeof(struct wolfssl_ctx),