From fa25763b5528b56b448d64bfbaeac54905b0c80d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 14 Mar 2018 10:43:53 +0000
Subject: [PATCH] Put the default set of TLSv1.3 ciphersuites in a header file

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
---
 include/openssl/ssl.h | 5 +++++
 ssl/ssl_lib.c         | 5 +----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index f2b5f36cdb..0679ada3de 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -169,8 +169,13 @@ extern "C" {
 /*
  * The following cipher list is used by default. It also is substituted when
  * an application-defined cipher list string starts with 'DEFAULT'.
+ * This applies to ciphersuites for TLSv1.2 and below.
  */
 # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+/* This is the default set of TLSv1.3 ciphersuites */
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+                                  "TLS_CHACHA20_POLY1305_SHA256:" \
+                                  "TLS_AES_128_GCM_SHA256"
 /*
  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a4e7374969..d5c5918d16 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3019,10 +3019,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
         goto err;
 #endif
 
-    if (!SSL_CTX_set_ciphersuites(ret,
-            "TLS_AES_256_GCM_SHA384:"
-            "TLS_CHACHA20_POLY1305_SHA256:"
-            "TLS_AES_128_GCM_SHA256"))
+    if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES))
         goto err;
 
     if (!ssl_create_cipher_list(ret->method,