Make Tor support TLS1.3 ciphers with OpenSSL 1.1.1

Without this patch, not only will TLS1.3 not work with Tor, but
OpenSSL 1.1.1 with TLS1.3 enabled won't build any connections at
all: It requires that either TLS1.3 be disabled, or some TLS1.3
ciphersuites be listed.

Closes ticket 24978.

1 files changed, 20 insertions, 1 deletions

diff --git a/src/common/ciphers.inc b/src/common/ciphers.inc
index ab4ac40724..23f5fd2da4 100644
--- a/src/common/ciphers.inc
+++ b/src/common/ciphers.inc
@@ -2,8 +2,27 @@
  * advertise.  Before including it, you should define the CIPHER and XCIPHER
  * macros.
  *
- * This file was automatically generated by get_mozilla_ciphers.py.
+ * This file was automatically generated by get_mozilla_ciphers.py;
+ * TLSv1.3 ciphers were added manually.
  */
+
+/* Here are the TLS1.3 ciphers. Note that we don't have XCIPHER instances
+ * here, since we don't want to ever fake them.
+ */
+#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
+   CIPHER(0x1301, TLS1_3_TXT_AES_128_GCM_SHA256)
+#endif
+#ifdef TLS1_3_TXT_AES_256_GCM_SHA384
+   CIPHER(0x1302, TLS1_3_TXT_AES_256_GCM_SHA384)
+#endif
+#ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
+   CIPHER(0x1303, TLS1_3_TXT_CHACHA20_POLY1305_SHA256)
+#endif
+#ifdef TLS1_3_TXT_AES_128_CCM_SHA256
+   CIPHER(0x1304, TLS1_3_TXT_AES_128_CCM_SHA256)
+#endif
+
+/* Here's the machine-generated list. */
 #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
 #else