From d1b26ddbf6a9165c71884eff228300e3d83be1b1 Mon Sep 17 00:00:00 2001
From: Erik Lax
Date: Fri, 30 Jul 2021 00:47:46 +0200
Subject: [PATCH] Allow cipher strings to be given using its standard name

Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16179)
---
 CHANGES.md | 5 +++++
 doc/man1/openssl-ciphers.pod.in | 2 ++
 ssl/ssl_ciph.c | 9 +++++++--
 test/cipherlist_test.c | 16 ++++++++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index c14bec916d..963289ca09 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,11 @@ OpenSSL 3.1
 
 ### Changes between 3.0 and 3.1 [xx XXX xxxx]
 
+ * The SSL_CTX_set_cipher_list family functions now accept ciphers using their
+   IANA standard names.
+
+   *Erik Lax*
+
  * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
    the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
    will need to load the legacy crypto provider.
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index 658730ec53..2428f61219 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -115,6 +115,8 @@ used. The format is described below.
 The cipher list consists of one or more I separated by colons.
 Commas or spaces are also acceptable separators but colons are normally used.
 
+The cipher string may reference a cipher using its standard name.
+
 The actual cipher string can take several different forms.
 
 It can consist of a single cipher suite such as B.
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index dd22e57c59..01044deba3 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1042,9 +1042,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
         while (((ch >= 'A') && (ch <= 'Z')) ||
                ((ch >= '0') && (ch <= '9')) ||
                ((ch >= 'a') && (ch <= 'z')) ||
-               (ch == '-') || (ch == '.') || (ch == '='))
+               (ch == '-') || (ch == '_') || (ch == '.') || (ch == '='))
 #else
-        while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
+        while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '_') || (ch == '.')
                || (ch == '='))
 #endif
         {
@@ -1095,6 +1095,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                     && (ca_list[j]->name[buflen] == '\0')) {
                     found = 1;
                     break;
+                } else if (ca_list[j]->stdname != NULL
+                           && strncmp(buf, ca_list[j]->stdname, buflen) == 0
+                           && ca_list[j]->stdname[buflen] == '\0') {
+                    found = 1;
+                    break;
                 } else
                     j++;
             }
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index 2d166e2b46..c46e431b00 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -244,10 +244,26 @@ end:
     return result;
 }
 
+/* SSL_CTX_set_cipher_list matching with cipher standard name */
+static int test_stdname_cipherlist(void)
+{
+    SETUP_CIPHERLIST_TEST_FIXTURE();
+    if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, TLS1_RFC_RSA_WITH_AES_128_SHA))
+            || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, TLS1_RFC_RSA_WITH_AES_128_SHA))) {
+        goto end;
+    }
+    result = 1;
+end:
+    tear_down(fixture);
+    fixture = NULL;
+    return result;
+}
+
 int setup_tests(void)
 {
     ADD_TEST(test_default_cipherlist_implicit);
     ADD_TEST(test_default_cipherlist_explicit);
     ADD_TEST(test_default_cipherlist_clear);
+    ADD_TEST(test_stdname_cipherlist);
     return 1;
 }
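Review bot: The set of characters a cipher-string token may contain is kept in two hand-maintained copies, the CHARSET_EBCDIC chain and the isalnum() chain, and this hunk has to add `(ch == '_')` to each of them; a single `static int` predicate wrapping the `#ifdef` (say `cipher_token_char(int ch)`) would stop the two copies drifting apart on the next extension. Whichever form is kept, the new character deserves a why-comment, e.g. `/* '_' occurs in IANA standard names (the TLS1_RFC_* strings), which may now be used as tokens */`. Before this change a `_` ended the token, so a string containing one presumably fell into the zero-length-token rejection further down in the parser; if that reading is right, such input now parses as an ordinary, possibly unknown, token and follows the unknown-name path instead, which is a behaviour change worth a sentence in the commit message. ssl_cipher_process_rulestr starts and ends outside the hunk.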
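Review bot: The new `else if` in the -1095 hunk duplicates the `name` branch directly above it down to the `found = 1; break;` body, so a reader has to compare two three-line conditions to see that only the field differs; a small helper that takes the candidate string and absorbs the NULL check lets the loop test `name` and `stdname` in one condition. The helper also documents the token contract that is currently implicit: `buf` is not NUL-terminated, `buflen` is its length, and a match requires the candidate to end exactly at `buflen`. Because `name` is tested first, an OpenSSL name wins over a standard name for the same token; that precedence, and the fact that `stdname` may be NULL, should be recorded in the function's header comment (outside the hunk). ssl_cipher_process_rulestr starts and ends outside the hunk.
```c
/* True when the buflen-byte token at buf equals the NUL-terminated s; NULL never matches. */
static int cipher_token_eq(const char *buf, size_t buflen, const char *s)
{
    return s != NULL && strncmp(buf, s, buflen) == 0 && s[buflen] == '\0';
}

/* … unchanged: ssl_cipher_process_rulestr up to the ca_list lookup loop … */
                if (cipher_token_eq(buf, buflen, ca_list[j]->name)
                    || cipher_token_eq(buf, buflen, ca_list[j]->stdname)) {
                    found = 1;
                    break;
                } else
                    j++;
```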
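Review bot: test_stdname_cipherlist only checks that both SSL_CTX_set_cipher_list() calls return success, which shows that some cipher matched the standard name but not that it was the intended one; after the two calls the test should walk SSL_CTX_get_ciphers(fixture->server) and assert that an entry whose SSL_CIPHER_standard_name() equals TLS1_RFC_RSA_WITH_AES_128_SHA is present (the returned list may also carry TLSv1.3 suites, so asserting on the count alone is presumably fragile — verify against the fixture). A negative case built from a constructed unknown token such as `"TLS_NO_SUCH_CIPHER"` would pin that the loosened character class does not let a string made only of unrecognised underscore names configure a list. The one-line comment above the function could also name the path under test: `/* SSL_CTX_set_cipher_list matching a cipher by its IANA standard name (stdname) */`.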