Fix from 0.9.7-stable.
[oweals/openssl.git] / ssl / ssl_ciph.c
index 8c2e1c305e4d3db4f97d93dfcdb42fbb2c683c66..441507f4946bf3764fc3cbb2eb2cadbfdebdf42e 100644 (file)
@@ -192,6 +192,9 @@ void ssl_load_ciphers(void)
                EVP_get_digestbyname(SN_sha1);
        }
 
+
+#ifndef OPENSSL_NO_COMP
+
 static int sk_comp_cmp(const SSL_COMP * const *a,
                        const SSL_COMP * const *b)
        {
@@ -231,6 +234,7 @@ static void load_builtin_compressions(void)
                }
        CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
        }
+#endif
 
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
             const EVP_MD **md, SSL_COMP **comp)
@@ -243,8 +247,9 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
        if (comp != NULL)
                {
                SSL_COMP ctmp;
-
+#ifndef OPENSSL_NO_COMP
                load_builtin_compressions();
+#endif
 
                *comp=NULL;
                ctmp.id=s->compress_meth;
@@ -477,7 +482,8 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
        *ca_curr = NULL;        /* end of list */
        }
 
-static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
+static void ssl_cipher_apply_rule(unsigned long cipher_id,
+               unsigned long algorithms, unsigned long mask,
                unsigned long algo_strength, unsigned long mask_strength,
                int rule, int strength_bits, CIPHER_ORDER *co_list,
                CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
@@ -503,11 +509,19 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
 
                cp = curr->cipher;
 
+               /* If explicit cipher suite match that one only */
+
+               if (cipher_id)
+                       {
+                       if (cp->id != cipher_id)
+                               continue;
+                       }
+
                /*
                 * Selection criteria is either the number of strength_bits
                 * or the algorithm used.
                 */
-               if (strength_bits == -1)
+               else if (strength_bits == -1)
                        {
                        ma = mask & cp->algorithms;
                        ma_s = mask_strength & cp->algo_strength;
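Review bot: The existing comment "Selection criteria is either the number of strength_bits or the algorithm used" now sits between the closing brace of `if (cipher_id)` and `else if (strength_bits == -1)`, so the `else` is easy to miss and the text no longer matches the code, which has three criteria. Move the comment above `if (cipher_id)` and reword it, for example `/* Select by exact suite id if given, else by strength_bits, else by algorithm mask. */`. The comment should also say that a matching `cipher_id` skips the `mask` and `mask_strength` tests entirely, since that is what stops an explicitly named suite from pulling in other suites that share its algorithm bits. The loop body continues outside this hunk.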
@@ -620,7 +634,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
         */
        for (i = max_strength_bits; i >= 0; i--)
                if (number_uses[i] > 0)
-                       ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
+                       ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i,
                                        co_list, head_p, tail_p);
 
        OPENSSL_free(number_uses);
@@ -634,6 +648,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
        unsigned long algorithms, mask, algo_strength, mask_strength;
        const char *l, *start, *buf;
        int j, multi, found, rule, retval, ok, buflen;
+       unsigned long cipher_id;
        char ch;
 
        retval = 1;
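Review bot: `unsigned long cipher_id;` is declared without an initializer, and its only visible reset is the `cipher_id = 0;` added next to `j = found = 0;` in a later hunk. It is then passed to `ssl_cipher_apply_rule()` under `else if (found)`, so its validity depends on every path that sets `found` also passing that reset, which cannot be confirmed from the lines shown. Declaring it as `unsigned long cipher_id = 0;` would make the call safe regardless of how the parsing loop is entered or changed later. The function body starts and ends outside this hunk.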
@@ -723,6 +738,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                         * use strcmp(), because buf is not '\0' terminated.)
                         */
                         j = found = 0;
+                        cipher_id = 0;
                         while (ca_list[j])
                                {
                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
@@ -737,6 +753,12 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        if (!found)
                                break;  /* ignore this entry */
 
+                       if (ca_list[j]->valid)
+                               {
+                               cipher_id = ca_list[j]->id;
+                               break;
+                               }
+
                        /* New algorithms:
                         *  1 - any old restrictions apply outside new mask
                         *  2 - any new restrictions apply outside old mask
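Review bot: The `break` inside `if (ca_list[j]->valid)` leaves the enclosing rule-parsing loop as soon as an explicit suite name matches, so any terms joined to that name in the same rule appear to be left unmerged. The loop is not fully visible here, so what happens to the rest of the rule string should be checked. The test also relies on alias entries in `ca_list` having `valid` unset, which is established outside this hunk. A comment would record both assumptions, for example `/* Real suite (not an alias): match by id only and stop combining masks. */`. The values in `algorithms`, `mask`, `algo_strength` and `mask_strength` are whatever was accumulated before the break; they are ignored only because `ssl_cipher_apply_rule()` checks `cipher_id` first.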
@@ -780,7 +802,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        }
                else if (found)
                        {
-                       ssl_cipher_apply_rule(algorithms, mask,
+                       ssl_cipher_apply_rule(cipher_id, algorithms, mask,
                                algo_strength, mask_strength, rule, -1,
                                co_list, head_p, tail_p);
                        }
@@ -1131,6 +1153,21 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
        return(NULL);
        }
 
+#ifdef OPENSSL_NO_COMP
+void *SSL_COMP_get_compression_methods(void)
+       {
+       return NULL;
+       }
+int SSL_COMP_add_compression_method(int id, void *cm)
+       {
+       return 1;
+       }
+
+const char *SSL_COMP_get_name(const void *comp)
+       {
+       return NULL;
+       }
+#else
 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
        {
        load_builtin_compressions();
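Review bot: The `OPENSSL_NO_COMP` stub of `SSL_COMP_add_compression_method()` returns 1 with no comment saying whether that means success or failure, and the real implementation's return convention is not visible in this hunk. Confirm that 1 matches what the real function returns for "method not added", and state it above the stub, for example `/* OPENSSL_NO_COMP: compression is compiled out, nothing is registered. */`. The stubs also use `void *` where the real functions use `STACK_OF(SSL_COMP) *` and `COMP_METHOD *`, so the header prototypes have to switch on the same macro; that header is not part of this page. The parameters `id`, `cm` and `comp` are unused in the stubs and may produce warnings. A trailing `/* OPENSSL_NO_COMP */` on the closing `#endif` at the end of the file would make the long conditional easier to follow.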
@@ -1191,3 +1228,4 @@ const char *SSL_COMP_get_name(const COMP_METHOD *comp)
        return NULL;
        }
 
+#endif