Diffstat (limited to 'openssl/src/ssl/mod.rs')
| -rw-r--r-- | openssl/src/ssl/mod.rs | 130 |
1 files changed, 92 insertions, 38 deletions
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index dac23114..1feb3ca6 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -952,7 +952,9 @@ impl SslContextBuilder {
         unsafe { cvt(ffi::SSL_CTX_use_PrivateKey(self.as_ptr(), key.as_ptr())).map(|_| ()) }
     }
 
-    /// Sets the list of supported ciphers.
+    /// Sets the list of supported ciphers for protocols before TLSv1.3.
+    ///
+    /// The `set_ciphersuites` method controls the cipher suites for TLSv1.3.
     ///
     /// See [`ciphers`] for details on the format.
     ///
@@ -970,6 +972,29 @@ impl SslContextBuilder {
         }
     }
 
+    /// Sets the list of supported ciphers for the TLSv1.3 protocol.
+    ///
+    /// The `set_cipher_list` method controls lthe cipher suites for protocols before TLSv1.3.
+    ///
+    /// The format consists of TLSv1.3 ciphersuite names separated by `:` characters in order of
+    /// preference.
+    ///
+    /// Requires OpenSSL 1.1.1 or newer.
+    ///
+    /// This corresponds to [`SSL_CTX_set_ciphersuites`].
+    ///
+    /// [`SSL_CTX_set_ciphersuites`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
+    #[cfg(ossl111)]
+    pub fn set_ciphersuites(&mut self, cipher_list: &str) -> Result<(), ErrorStack> {
+        let cipher_list = CString::new(cipher_list).unwrap();
+        unsafe {
+            cvt(ffi::SSL_CTX_set_ciphersuites(
+                self.as_ptr(),
+                cipher_list.as_ptr() as *const _,
+            )).map(|_| ())
+        }
+    }
+
     /// Enables ECDHE key exchange with an automatically chosen curve list.
     ///
     /// Requires OpenSSL 1.0.2.
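Review bot: `CString::new(cipher_list).unwrap()` in the new `set_ciphersuites` panics when the string holds an interior NUL byte, so a caller that assembles the list from configuration gets a panic instead of an `Err`; if `set_cipher_list` above (outside the hunk) does the same unwrap, staying consistent is reasonable, but the precondition should then be stated under a `# Panics` section, e.g. `/// # Panics` / `/// Panics if `cipher_list` contains an interior NUL byte.`. The doc comment also has a typo, `lthe` should read `the`. Since the hunk only adds a method, the enclosing `impl SslContextBuilder` starts and ends outside it.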
@@ -2188,6 +2213,32 @@ impl SslRef {
         unsafe { cvt(ffi::SSL_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) }
     }
 
+    /// Like [`SslContextBuilder::set_alpn_protos`].
+    ///
+    /// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.
+    ///
+    /// This corresponds to [`SSL_set_alpn_protos`].
+    ///
+    /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
+    /// [`SSL_set_alpn_protos`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_alpn_protos.html
+    #[cfg(any(ossl102, libressl261))]
+    pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
+        unsafe {
+            assert!(protocols.len() <= c_uint::max_value() as usize);
+            let r = ffi::SSL_set_alpn_protos(
+                self.as_ptr(),
+                protocols.as_ptr(),
+                protocols.len() as c_uint,
+            );
+            // fun fact, SSL_set_alpn_protos has a reversed return code D:
+            if r == 0 {
+                Ok(())
+            } else {
+                Err(ErrorStack::get())
+            }
+        }
+    }
+
     /// Returns the current cipher if the session is active.
     ///
     /// This corresponds to [`SSL_get_current_cipher`].
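Review bot: The `assert!` on `protocols.len()` sits inside the `unsafe` block in the new `set_alpn_protos` although it needs no unsafety; moving it above `unsafe {` keeps the unsafe region to the FFI call alone and makes the length precondition visible at the top of the body. Because it panics on oversized input, the doc comment should say so: `/// # Panics` / `/// Panics if `protocols` is longer than `c_uint::max_value()`.`. The reversed-return-code comment is worth keeping, but stating it plainly (`// SSL_set_alpn_protos returns 0 on success, nonzero on failure`) reads better than the joke. The enclosing `impl SslRef` starts and ends outside the hunk.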
@@ -3291,44 +3342,9 @@ pub enum ShutdownResult {
 }
 
 cfg_if! {
-    if #[cfg(ossl110)] {
-        use ffi::{
-            SSL_CTX_up_ref,
-            SSL_SESSION_get_master_key, SSL_SESSION_up_ref, SSL_is_server, TLS_method, DTLS_method,
-        };
-
-        pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
-            ffi::CRYPTO_get_ex_new_index(
-                ffi::CRYPTO_EX_INDEX_SSL_CTX,
-                0,
-                ptr::null_mut(),
-                None,
-                None,
-                Some(f),
-            )
-        }
-
-        pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
-            ffi::CRYPTO_get_ex_new_index(
-                ffi::CRYPTO_EX_INDEX_SSL,
-                0,
-                ptr::null_mut(),
-                None,
-                None,
-                Some(f),
-            )
-        }
+    if #[cfg(any(ossl110, libressl273))] {
+        use ffi::{SSL_CTX_up_ref, SSL_SESSION_get_master_key, SSL_SESSION_up_ref, SSL_is_server};
     } else {
-        use ffi::{SSLv23_method as TLS_method, DTLSv1_method as DTLS_method};
-
-        pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
-            ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
-        }
-
-        pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
-            ffi::SSL_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
-        }
-
         #[allow(bad_style)]
         pub unsafe fn SSL_CTX_up_ref(ssl: *mut ffi::SSL_CTX) -> c_int {
             ffi::CRYPTO_add_lock(
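Review bot: Nothing in the code records why one `cfg_if!` became two: the `up_ref`/`is_server` imports here are now keyed on `any(ossl110, libressl273)` while `TLS_method`/`DTLS_method` and the ex-index helpers move to a block keyed on plain `ossl110` (the next hunk). A one-line comment above each block would save the next reader from re-deriving the split, e.g. `// Split from the block below: these symbols are presumably also provided by LibreSSL 2.7.3+, whereas the method/ex-index APIs are not.` (hedged, since the LibreSSL side is not visible in this diff). The `cfg_if!` block continues past the end of the hunk, so the remainder of the `else` arm is not reviewed here.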
@@ -3375,3 +3391,41 @@ cfg_if! {
 }
 }
 }
+
+cfg_if! {
+    if #[cfg(ossl110)] {
+        use ffi::{TLS_method, DTLS_method};
+
+        pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+            ffi::CRYPTO_get_ex_new_index(
+                ffi::CRYPTO_EX_INDEX_SSL_CTX,
+                0,
+                ptr::null_mut(),
+                None,
+                None,
+                Some(f),
+            )
+        }
+
+        pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+            ffi::CRYPTO_get_ex_new_index(
+                ffi::CRYPTO_EX_INDEX_SSL,
+                0,
+                ptr::null_mut(),
+                None,
+                None,
+                Some(f),
+            )
+        }
+    } else {
+        use ffi::{SSLv23_method as TLS_method, DTLSv1_method as DTLS_method};
+
+        pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+            ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
+        }
+
+        pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+            ffi::SSL_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
+        }
+    }
+}
|
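Review bot: `get_new_idx` and `get_new_ssl_idx` are `pub unsafe fn` in both arms of the new `cfg_if!` but carry no doc comment and no `# Safety` section, so the caller's obligation is undocumented. Since the lines are moved rather than rewritten this is documentation only: a short `///` summary plus `/// # Safety` stating what `f` must satisfy (presumably a callback valid for the lifetime of the ex-data slot, to be confirmed against the ffi declaration) on each of the four functions would be enough. The wrapper `cvt`-style error handling used elsewhere in the file is not applied here, so a returned negative index is the caller's problem; worth a one-line comment if that is intentional.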