From 5c2ab55abe83aa929e638920cb31d346e7a4175d Mon Sep 17 00:00:00 2001
From: Jan Venekamp <1422460+jan2000@users.noreply.github.com>
Date: Mon, 5 Aug 2024 23:52:33 +0200
Subject: [PATCH] vtls: add SSLSUPP_CIPHER_LIST

Added SSLSUPP_CIPHER_LIST so be able to differniate SSL Backends that support CURLOPT_SSL_CIPHER_LIST.

Closes #14406
---
 lib/setopt.c | 20 ++++++++++++++------
 lib/vtls/bearssl.c | 7 ++++++-
 lib/vtls/mbedtls.c | 3 ++-
 lib/vtls/openssl.c | 3 ++-
 lib/vtls/schannel.c | 3 ++-
 lib/vtls/sectransp.c | 3 ++-
 lib/vtls/vtls.h | 1 +
 lib/vtls/wolfssl.c | 3 ++-
 8 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/lib/setopt.c b/lib/setopt.c
index c2bf89c3f0..538bd52ad8 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -255,15 +255,23 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
 /* deprecated */
 break;
 case CURLOPT_SSL_CIPHER_LIST:
- /* set a list of cipher we want to use in the SSL connection */
- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
- va_arg(param, char *));
+ if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST)) {
+ /* set a list of cipher we want to use in the SSL connection */
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
+ va_arg(param, char *));
+ }
+ else
+ return CURLE_NOT_BUILT_IN;
 break;
 #ifndef CURL_DISABLE_PROXY
 case CURLOPT_PROXY_SSL_CIPHER_LIST:
- /* set a list of cipher we want to use in the SSL connection for proxy */
- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_PROXY],
- va_arg(param, char *));
+ if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST)) {
+ /* set a list of cipher we want to use in the SSL connection for proxy */
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_PROXY],
+ va_arg(param, char *));
+ }
+ else
+ return CURLE_NOT_BUILT_IN;
 break;
 #endif
 case CURLOPT_TLS13_CIPHERS:
diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
index 4089e8577d..edd6ca90cc 100644
--- a/lib/vtls/bearssl.c
+++ b/lib/vtls/bearssl.c
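Review bot: The new `else return CURLE_NOT_BUILT_IN;` branches in both cases turn what was a silently accepted (and silently ignored) option into a hard failure for any backend that does not advertise SSLSUPP_CIPHER_LIST, and, if vtls.h stubs Curl_ssl_supports() to FALSE in non-TLS builds as it appears to do for its other Curl_ssl_* wrappers, for builds without TLS as well. From a security standpoint that is the right outcome: a cipher restriction that is stored but never enforced gives the caller a false sense of hardening, and failing at setopt time makes the gap visible instead of leaving the negotiated suites unconstrained. It is nonetheless an API-visible change, so the CURLOPT_SSL_CIPHER_LIST and CURLOPT_PROXY_SSL_CIPHER_LIST documentation should say the option returns CURLE_NOT_BUILT_IN when the selected backend lacks support, and the diffstat shows no docs or test changes accompanying it. Curl_vsetopt begins before and continues after this hunk.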
@@ -1113,7 +1113,12 @@ static CURLcode bearssl_sha256sum(const unsigned char *input,
 const struct Curl_ssl Curl_ssl_bearssl = {
 { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */
- SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX | SSLSUPP_HTTPS_PROXY,
+
+ SSLSUPP_CAINFO_BLOB |
+ SSLSUPP_SSL_CTX |
+ SSLSUPP_HTTPS_PROXY |
+ SSLSUPP_CIPHER_LIST,
+
 sizeof(struct bearssl_ssl_backend_data),
 Curl_none_init, /* init */
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 5b8904b8d0..741cc7c7c6 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -1726,7 +1726,8 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
 #ifdef TLS13_SUPPORT
 SSLSUPP_TLS13_CIPHERSUITES |
 #endif
- SSLSUPP_HTTPS_PROXY,
+ SSLSUPP_HTTPS_PROXY |
+ SSLSUPP_CIPHER_LIST,
 sizeof(struct mbed_ssl_backend_data),
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 8754d35dcd..671299d43d 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5212,7 +5212,8 @@ const struct Curl_ssl Curl_ssl_openssl = {
 SSLSUPP_ECH |
 #endif
 SSLSUPP_CA_CACHE |
- SSLSUPP_HTTPS_PROXY,
+ SSLSUPP_HTTPS_PROXY |
+ SSLSUPP_CIPHER_LIST,
 sizeof(struct ossl_ctx),
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 4d3990a0c0..f6c17406a2 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -2969,7 +2969,8 @@ const struct Curl_ssl Curl_ssl_schannel = {
 #endif
 SSLSUPP_TLS13_CIPHERSUITES |
 SSLSUPP_CA_CACHE |
- SSLSUPP_HTTPS_PROXY,
+ SSLSUPP_HTTPS_PROXY |
+ SSLSUPP_CIPHER_LIST,
 sizeof(struct schannel_ssl_backend_data),
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 688027ce7d..b7e6f7e2bd 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -2888,7 +2888,8 @@ const struct Curl_ssl Curl_ssl_sectransp = {
 #ifdef SECTRANSP_PINNEDPUBKEY
 SSLSUPP_PINNEDPUBKEY |
 #endif /* SECTRANSP_PINNEDPUBKEY */
- SSLSUPP_HTTPS_PROXY,
+ SSLSUPP_HTTPS_PROXY |
+ SSLSUPP_CIPHER_LIST,
 sizeof(struct st_ssl_backend_data),
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index 49a5eb053b..2f6ed6b538 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -39,6 +39,7 @@ struct Curl_ssl_session;
 #define SSLSUPP_CAINFO_BLOB (1<<6)
 #define SSLSUPP_ECH (1<<7)
 #define SSLSUPP_CA_CACHE (1<<8)
+#define SSLSUPP_CIPHER_LIST (1<<9) /* supports TLS 1.0-1.2 ciphersuites */
 #define ALPN_ACCEPTED "ALPN: server accepted "
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 2ef0af6610..e14a6da319 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -1918,7 +1918,8 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
 #ifdef WOLFSSL_TLS13
 SSLSUPP_TLS13_CIPHERSUITES |
 #endif
- SSLSUPP_CA_CACHE,
+ SSLSUPP_CA_CACHE |
+ SSLSUPP_CIPHER_LIST,
 sizeof(struct wolfssl_ctx),
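Review bot: The comment on the new `SSLSUPP_CIPHER_LIST` define, `/* supports TLS 1.0-1.2 ciphersuites */`, does not name the option the bit gates or how it relates to the existing SSLSUPP_TLS13_CIPHERSUITES bit seen in the backend hunks; I would write `#define SSLSUPP_CIPHER_LIST (1<<9) /* honours CURLOPT_SSL_CIPHER_LIST; TLS 1.3 suites are SSLSUPP_TLS13_CIPHERSUITES */`. Since setopt.c now rejects CURLOPT_SSL_CIPHER_LIST with CURLE_NOT_BUILT_IN whenever this bit is absent, the flag must be set in every backend that actually consumes STRING_SSL_CIPHER_LIST, and the diffstat lists neither gtls.c nor rustls.c. If either of those backends still reads the cipher-list string, the option would silently become unsettable for it, so that is worth confirming before merge.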