From c637a192a3def2d7297186206e037ec5207e020f Mon Sep 17 00:00:00 2001
From: Abilio Marques
Date: Mon, 29 Mar 2021 06:54:46 +0200
Subject: [PATCH] add support for tlsv1.3 ciphers

Signed-off-by: Abilio Marques
---
 lib/mosquitto_internal.h | 1 +
 lib/net_mosq.c | 11 +++++++++++
 lib/options.c | 16 +++++++++++-----
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/lib/mosquitto_internal.h b/lib/mosquitto_internal.h
index e69fe751..4c9779b7 100644
--- a/lib/mosquitto_internal.h
+++ b/lib/mosquitto_internal.h
@@ -254,6 +254,7 @@ struct mosquitto {
 int (*tls_pw_callback)(char *buf, int size, int rwflag, void *userdata);
 char *tls_version;
 char *tls_ciphers;
+ char *tls_13_ciphers;
 char *tls_psk;
 char *tls_psk_identity;
 char *tls_engine;
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index d42d83a7..a4c617ef 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -760,6 +760,17 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 return MOSQ_ERR_TLS;
 }
 }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+ if(mosq->tls_13_ciphers){
+ ret = SSL_CTX_set_ciphersuites(mosq->ssl_ctx, mosq->tls_13_ciphers);
+ if(ret == 0){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set TLS 1.3 ciphersuites. Check cipher_tls13 list \"%s\".", mosq->tls_13_ciphers);
+ return MOSQ_ERR_TLS;
+ }
+ }
+#endif
+
 if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_use_os_certs){
 ret = net__tls_load_ca(mosq);
 if(ret != MOSQ_ERR_SUCCESS){
diff --git a/lib/options.c b/lib/options.c
index deb7c01f..900d5f65 100644
--- a/lib/options.c
+++ b/lib/options.c
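Review bot: The new tls_13_ciphers member is filled with mosquitto__strdup() in the lib/options.c hunk, but no hunk in this patch ever frees it, so the string leaks when the struct is torn down. The sibling tls_ciphers member is presumably released in the struct's destroy routine (outside this diff); the new member needs the same free() there, and the options.c hunk assigns NULL over any earlier value without freeing it, as the existing tls_ciphers handling already did. A one-line comment on the field would also help the next reader: `/* TLS 1.3 ciphersuite list handed to SSL_CTX_set_ciphersuites(); NULL leaves the library default */`.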
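Review bot: When the build does not satisfy the `#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)` guard in net__init_ssl_ctx(), a non-NULL tls_13_ciphers is silently dropped and the function still reports success, so a caller that asked for a restricted TLS 1.3 ciphersuite list gets the library default with no log line or error. An `#else` branch that rejects a set tls_13_ciphers with MOSQ_ERR_NOT_SUPPORTED keeps the configured policy from quietly degrading, in the same spirit as the existing `ret == 0` error path for SSL_CTX_set_ciphersuites(). Related: the lib/options.c hunk reaches `strcasecmp(tls_version, "tlsv1.3")` with the caller-supplied tls_version, while the context lines just above default mosq->tls_version to "tlsv1.2" when none is given, which suggests tls_version may be NULL there; mosquitto_tls_opts_set() continues past the end of this chunk, so I cannot confirm whether a NULL is rejected earlier.
```c
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
	/* … unchanged: SSL_CTX_set_ciphersuites() call and its error path … */
#else
	if(mosq->tls_13_ciphers){
		log__printf(NULL, MOSQ_LOG_ERR, "Error: TLS 1.3 ciphersuites are not supported by this TLS library.");
		return MOSQ_ERR_NOT_SUPPORTED;
	}
#endif
```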
@@ -231,14 +231,20 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 mosq->tls_version = mosquitto__strdup("tlsv1.2");
 if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
 }
+
+ mosq->tls_ciphers = NULL;
+ mosq->tls_13_ciphers = NULL;
+
 if(ciphers){
- mosq->tls_ciphers = mosquitto__strdup(ciphers);
- if(!mosq->tls_ciphers) return MOSQ_ERR_NOMEM;
- }else{
- mosq->tls_ciphers = NULL;
+ if(!strcasecmp(tls_version, "tlsv1.3")){
+ mosq->tls_13_ciphers = mosquitto__strdup(ciphers);
+ if(!mosq->tls_13_ciphers) return MOSQ_ERR_NOMEM;
+ }else{
+ mosq->tls_ciphers = mosquitto__strdup(ciphers);
+ if(!mosq->tls_ciphers) return MOSQ_ERR_NOMEM;
+ }
 }
-
 return MOSQ_ERR_SUCCESS;
 #else
 return MOSQ_ERR_NOT_SUPPORTED;