From a3e085f204079003b36e6328d23cd91c10c261bb Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 4 Jan 2023 10:49:18 -0800 Subject: [PATCH] very basic support for public key types in cipher list string with '+' --- src/internal.c | 32 +++++++++++++++++++++++++++++++- tests/api.c | 6 ++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 1afa361f9..c11a90fda 100644 --- a/src/internal.c +++ b/src/internal.c @@ -24280,13 +24280,33 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) } } - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) if (length > 1) { + const char* substr = NULL; + if (*current == '!') { allowing = 0; current++; length--; } + + /* extract public key types from a string like ECDHE+AESGCM */ + substr = XSTRSTR(current, "+"); + if (substr != NULL) { + word32 currLen = (word32)(substr - current); + if (length > currLen) { + length = currLen; + } + + /* checking for the DH substring includes ECDH / ECDHE suites */ + if (XSTRSTR(substr, "DH") || XSTRSTR(substr, "RSA")) { + substr += 1; /* +1 to skip over '+' */ + current = substr; + } + else { + length = (word32)(substr - current); + } + } } #endif @@ -24383,6 +24403,16 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) continue; } + if (XSTRCMP(name, "ECDHE") == 0) { + if (allowing) { + haveECC = 1; + haveECDSAsig = 1; + callInitSuites = 1; + ret = 1; + } + continue; + } + if (XSTRCMP(name, "kRSA") == 0 || XSTRCMP(name, "RSA") == 0) { haveStaticRSA = allowing; if (allowing) { diff --git a/tests/api.c b/tests/api.c index 95b010f5a..e8508bcc3 100644 --- a/tests/api.c +++ b/tests/api.c 
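Review bot: `XSTRSTR(current, "+")` in the new block is not limited to the current colon-separated token, so a '+' in any later entry of the list is found as well, and the `else` branch then overwrites `length` with that longer distance — discarding whatever bound `length` carried into the block and undoing the `if (length > currLen)` clamp just above it — while `XSTRSTR(substr, "DH")` / `"RSA"` likewise scans the rest of the list rather than this token. In the DH/RSA branch `current` is advanced past the '+' but `length` is left at the pre-'+' value, so the token copied afterwards runs into the following entry. If, as the surrounding code suggests, `length` later bounds the copy of the token into the fixed-size `name` buffer (outside the hunk), an over-long `length` is a stack over-write, not merely a mis-parse. Accept the '+' only when `(word32)(substr - current) < length`, recompute `length` for whichever side is kept, and confine the DH/RSA check to the token (with `XSTRNSTR` if this build provides it, otherwise a manual bounded scan); SetCipherList itself starts and ends outside the hunk.

```c
            /* … unchanged: '!' prefix handling … */

            /* extract public key types from a string like ECDHE+AESGCM;
             * the '+' must lie inside the current token, which length bounds */
            substr = XSTRSTR(current, "+");
            if (substr != NULL && (word32)(substr - current) < length) {
                word32 currLen = (word32)(substr - current);
                word32 restLen = length - currLen - 1; /* chars after '+' */

                /* checking for the DH substring includes ECDH / ECDHE suites;
                 * search only the remainder of this token, not the whole list */
                if (XSTRNSTR(substr + 1, "DH", restLen) != NULL ||
                    XSTRNSTR(substr + 1, "RSA", restLen) != NULL) {
                    current = substr + 1; /* skip over '+' */
                    length  = restLen;
                }
                else {
                    length = currLen; /* cannot exceed the incoming bound */
                }
            }
```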
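Review bot: The new `"ECDHE"` branch only acts when `allowing` is set; with the `!` prefix (`!ECDHE`) it falls straight to `continue` and the negation is silently dropped, unlike the `kRSA`/`RSA` branch directly below, which assigns `haveStaticRSA = allowing` for both cases. Mirror that pattern, `haveECC = allowing; haveECDSAsig = allowing;` with `callInitSuites`/`ret` still set only when allowing, or add a comment such as `/* "!ECDHE" is intentionally a no-op for now */` so the asymmetry is documented rather than accidental. Note also that only the ECDSA-signature flag is raised here, so judging by the flags visible in this hunk an `ECDHE+AESGCM` string would not bring in ECDHE-RSA suites, which OpenSSL's alias does include — worth either handling (via `haveRSAsig`, if that flag exists in this function) or stating in a comment. The enclosing SetCipherList body continues outside the hunk.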
@@ -7113,6 +7113,12 @@ static int test_wolfSSL_CTX_set_cipher_list(void) AssertIntEQ(server_args.return_code, TEST_SUCCESS); FreeTcpReady(&ready); + + /* check with cipher string that has '+' */ + AssertNotNull((ctxClient = wolfSSL_CTX_new(wolfTLSv1_2_client_method()))); + AssertTrue(wolfSSL_CTX_set_cipher_list(ctxClient, "ECDHE+AESGCM")); + wolfSSL_CTX_free(ctxClient); + res = TEST_RES_CHECK(1); #endif return res;