From 5c0bfb1931500c779b9393cda45c6aee83714019 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 24 Mar 2019 17:10:54 +0000
Subject: If ssl_cipher_apply_rule() is given a specific cipher suite, match on it. Otherwise matching a specific cipher is performed by matching against its characteristics, which can result in multiple rather than a single match. Found by bluhm@'s regress tests. ok bluhm@ tb@
---
 src/lib/libssl/ssl_ciph.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index bbae6a63d9..3cbf368ad3 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.106 2018/11/07 01:53:36 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.107 2019/03/24 17:10:54 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -921,6 +921,9 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
 cp = curr->cipher;
+ if (cipher_id && cp->id != cipher_id)
+ continue;
+
 /*
 * Selection criteria is either the value of strength_bits
 * or the algorithms used.
@@ -929,7 +932,6 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
 if (strength_bits != cp->strength_bits)
 continue;
 } else {
-
 if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
 continue;
 if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -944,7 +946,6 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
 continue;
 }
-
 /* add the cipher if it has not been added yet. */
 if (rule == CIPHER_ADD) {
 /* reverse == 0 */
--
cgit v1.2.3-55-g6feb
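Review bot: The new `if (cipher_id && cp->id != cipher_id) continue;` guard in the `@@ -921,6 +921,9 @@` hunk has no comment saying why it precedes the characteristic tests, and it is the line that keeps a rule naming one suite from also enabling, disabling or reordering every suite that shares its algorithms. I would add above it `/* A rule naming a specific suite applies to that suite only. */` and state in the function's header comment, which lies outside the hunk, that a `cipher_id` of 0 means no specific suite was requested. The strength and algorithm tests visible in the following hunk appear to still run after an id match, so a caller that passes a `cipher_id` together with masks that do not fit that suite would match nothing; presumably callers pass the suite's own values, but that is worth confirming against the call sites.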