If ssl_cipher_apply_rule() is given a specific cipher suite, match on it.

Otherwise matching a specific cipher is performed by matching against
its characteristics, which can result in multiple rather than a single
match.

Found by bluhm@'s regress tests.

ok bluhm@ tb@

1 files changed, 4 insertions, 3 deletions

diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index bbae6a63d9b..3cbf368ad31 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.106 2018/11/07 01:53:36 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.107 2019/03/24 17:10:54 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -921,6 +921,9 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
 
 		cp = curr->cipher;
 
+		if (cipher_id && cp->id != cipher_id)
+			continue;
+
 		/*
 		 * Selection criteria is either the value of strength_bits
 		 * or the algorithms used.
@@ -929,7 +932,6 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
 			if (strength_bits != cp->strength_bits)
 				continue;
 		} else {
-
 			if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
 				continue;
 			if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -944,7 +946,6 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
 				continue;
 		}
 
-
 		/* add the cipher if it has not been added yet. */
 		if (rule == CIPHER_ADD) {
 			/* reverse == 0 */