From ba1ba5f0fb16ddd6d2f80abf79c56cfff8c6b62a Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sat, 15 Apr 2006 00:22:05 +0000
Subject: [PATCH] If cipher list contains a match for an explicit ciphersuite
 only match that one suite.

---
 CHANGES        |  4 ++++
 ssl/ssl_ciph.c | 25 +++++++++++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3ba2d71f2f..dd272bdef9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -206,6 +206,10 @@
 
  Changes between 0.9.8a and 0.9.8b  [XX xxx XXXX]
 
+  *) When applying a cipher rule check to see if string match is an explicit
+     cipher suite and only match that one cipher suite if it is.
+     [Steve Henson]
+
   *) Link in manifests for VC++ if needed.
      [Austin Ziegler <halostatue@gmail.com>]
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5f9ce0d418..dd4c956d6a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -515,7 +515,8 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
 	*ca_curr = NULL;	/* end of list */
 	}
 
-static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
+static void ssl_cipher_apply_rule(unsigned long cipher_id,
+		unsigned long algorithms, unsigned long mask,
 		unsigned long algo_strength, unsigned long mask_strength,
 		int rule, int strength_bits, CIPHER_ORDER *co_list,
 		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
@@ -541,11 +542,19 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
 
 		cp = curr->cipher;
 
+		/* If explicit cipher suite match that one only */
+
+		if (cipher_id)
+			{
+			if (cp->id != cipher_id)
+				continue;
+			}
+
 		/*
 		 * Selection criteria is either the number of strength_bits
 		 * or the algorithm used.
 		 */
-		if (strength_bits == -1)
+		else if (strength_bits == -1)
 			{
 			ma = mask & cp->algorithms;
 			ma_s = mask_strength & cp->algo_strength;
@@ -658,7 +667,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
 	 */
 	for (i = max_strength_bits; i >= 0; i--)
 		if (number_uses[i] > 0)
-			ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
+			ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i,
 					co_list, head_p, tail_p);
 
 	OPENSSL_free(number_uses);
@@ -672,6 +681,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 	unsigned long algorithms, mask, algo_strength, mask_strength;
 	const char *l, *start, *buf;
 	int j, multi, found, rule, retval, ok, buflen;
+	unsigned long cipher_id;
 	char ch;
 
 	retval = 1;
@@ -761,6 +771,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			 * use strcmp(), because buf is not '\0' terminated.)
 			 */
 			 j = found = 0;
+			 cipher_id = 0;
 			 while (ca_list[j])
 				{
 				if (!strncmp(buf, ca_list[j]->name, buflen) &&
@@ -775,6 +786,12 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			if (!found)
 				break;	/* ignore this entry */
 
+			if (ca_list[j]->valid)
+				{
+				cipher_id = ca_list[j]->id;
+				break;
+				}
+
 			/* New algorithms:
 			 *  1 - any old restrictions apply outside new mask
 			 *  2 - any new restrictions apply outside old mask
@@ -818,7 +835,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			}
 		else if (found)
 			{
-			ssl_cipher_apply_rule(algorithms, mask,
+			ssl_cipher_apply_rule(cipher_id, algorithms, mask,
 				algo_strength, mask_strength, rule, -1,
 				co_list, head_p, tail_p);
 			}
-- 
GitLab