commit 37d924640a34da1dce96fa404843e95e055e3cbf
author David Benjamin <davidben@chromium.org> Sat Sep 20 17:54:24 2014 -0400
committer Adam Langley <agl@google.com> Mon Sep 22 17:22:56 2014 +0000
tree a9c0b8a916433be8bcfa75e756f0ea1642621ea2
parent 2a5ea98a4600327afdaf90ff959209db90ff8f4c

Disallow all special operators once groups are used.

+ and - should also be forbidden. Any operation other than appending will mix
up the in_group bits and give unexpected behavior.

Change-Id: Ieaebb9ee6393aa36243d0765e45cae667f977ef5
Reviewed-on: https://boringssl-review.googlesource.com/1803
Reviewed-by: Adam Langley <agl@google.com>

ssl/ssl_ciph.c

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index eb28656..fbed548 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -761,20 +761,8 @@
 			{ rule = CIPHER_DEL; l++; }
 		else if (ch == '+')
 			{ rule = CIPHER_ORD; l++; }
-		else if (ch == '!' && has_group)
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
-			retval = found = in_group = 0;
-			break;
-			}
 		else if (ch == '!')
 			{ rule = CIPHER_KILL; l++; }
-		else if (ch == '@' && has_group)
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
-			retval = found = in_group = 0;
-			break;
-			}
 		else if (ch == '@')
 			{ rule = CIPHER_SPECIAL; l++; }
 		else if (ch == '[')
@@ -793,6 +781,16 @@
 		else
 			{ rule = CIPHER_ADD; }
 
+		/* If preference groups are enabled, the only legal
+		 * operator is +. Otherwise the in_group bits will get
+		 * mixed up. */
+		if (has_group && rule != CIPHER_ADD)
+			{
+			OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
+			retval = found = in_group = 0;
+			break;
+			}
+
 		if (ITEM_SEP(ch))
 			{
 			l++;