From ed65f7dc342297abbad9ad5662bca588f904b4f6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?= <bodo@openssl.org>
Date: Mon, 11 Sep 2006 09:49:03 +0000
Subject: [PATCH] ensure that ciphersuite strings such as "RC4-MD5" match the
 SSL 2.0 ciphersuite as well

---
 CHANGES        | 28 +++++++++++++++++++++++++++-
 ssl/ssl_ciph.c | 28 ++++++++++++++++------------
 2 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index 18eb27eebe..054c6a7a7f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,7 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8c and 0.9.9  [xx XXX xxxx]
+ Changes between 0.9.8d and 0.9.9  [xx XXX xxxx]
 
   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
      Modify get_crl() to find a valid (unexpired) CRL if possible.
@@ -379,6 +379,32 @@
 
  Changes between 0.9.8c and 0.9.8d  [xx XXX xxxx]
 
+  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
+     match only those.  Before that, "AES256-SHA" would be interpreted
+     as a pattern and match "AES128-SHA" too since we currently only
+     have a single AES bit in the ciphersuite description bitmap.
+     That change, however, also applied to ciphersuite strings such as
+     "RC4-MD5" that intentionally matched multiple ciphersuites --
+     namely, SSL 2.0 ciphersuites in addition to the more common ones
+     from SSL 3.0/TLS 1.0.
+
+     So we change the selection algorithm again: Naming an explicit
+     ciphersuite selects this one ciphersuite, and any other similar
+     ciphersuite (same bitmap) from *other* protocol versions.
+     Thus, "RC4-MD5" again will properly select both the SSL 2.0
+     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
+
+     Since SSL 2.0 does not have any ciphersuites for which the
+     128/256 bit distinction would be relevant, this works for now.
+     The proper fix will be to use different bits for AES128 and
+     AES256, which would have avoided the problems from the beginning;
+     however, bits are scarce, so we can only do this in a new release
+     (not just a patchlevel) when we can change the SSL_CIPHER
+     definition to split the single 'unsigned long mask' bitmap into
+     multiple values to extend the available space.
+
+     [Bodo Moeller]
+
  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
 
   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index c85ea030fe..87aa83a314 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -638,7 +638,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
 	*ca_curr = NULL;	/* end of list */
 	}
 
-static void ssl_cipher_apply_rule(unsigned long cipher_id,
+static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version,
 		unsigned long algorithms, unsigned long mask,
 		unsigned long algo_strength, unsigned long mask_strength,
 		int rule, int strength_bits,
@@ -665,9 +665,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 
 		cp = curr->cipher;
 
-		/* If explicit cipher suite match that one only */
+		/* If explicit cipher suite, match only that one for its own protocol version.
+		 * Usual selection criteria will be used for similar ciphersuites from other version! */
 
-		if (cipher_id)
+		if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version)
 			{
 			if (cp->id != cipher_id)
 				continue;
@@ -789,7 +790,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
 	 */
 	for (i = max_strength_bits; i >= 0; i--)
 		if (number_uses[i] > 0)
-			ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i,
+			ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i,
 					head_p, tail_p);
 
 	OPENSSL_free(number_uses);
@@ -803,7 +804,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 	unsigned long algorithms, mask, algo_strength, mask_strength;
 	const char *l, *start, *buf;
 	int j, multi, found, rule, retval, ok, buflen;
-	unsigned long cipher_id = 0;
+	unsigned long cipher_id = 0, ssl_version = 0;
 	char ch;
 
 	retval = 1;
@@ -894,6 +895,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			 */
 			 j = found = 0;
 			 cipher_id = 0;
+			 ssl_version = 0;
 			 while (ca_list[j])
 				{
 				if (!strncmp(buf, ca_list[j]->name, buflen) &&
@@ -908,12 +910,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			if (!found)
 				break;	/* ignore this entry */
 
-			if (ca_list[j]->valid)
-				{
-				cipher_id = ca_list[j]->id;
-				break;
-				}
-
 			/* New algorithms:
 			 *  1 - any old restrictions apply outside new mask
 			 *  2 - any new restrictions apply outside old mask
@@ -928,6 +924,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			                (algo_strength & ca_list[j]->algo_strength);
 			mask_strength |= ca_list[j]->mask_strength;
 
+			/* explicit ciphersuite found */
+			if (ca_list[j]->valid)
+				{
+				cipher_id = ca_list[j]->id;
+				ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK;
+				break;
+				}
+
 			if (!multi) break;
 			}
 
@@ -956,7 +960,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			}
 		else if (found)
 			{
-			ssl_cipher_apply_rule(cipher_id, algorithms, mask,
+			ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask,
 				algo_strength, mask_strength, rule, -1,
 				head_p, tail_p);
 			}
-- 
2.34.1