From 32f30320f967fdd950f2e15448168c776ad47e50 Mon Sep 17 00:00:00 2001
From: Hakase <hakase@hakase.app>
Date: Wed, 23 May 2018 08:10:26 +0900
Subject: [PATCH] Not use skip ciphers

---
 openssl-equal-pre7-draft28.patch | 25 +++++--------------------
 1 file changed, 5 insertions(+), 20 deletions(-)

diff --git a/openssl-equal-pre7-draft28.patch b/openssl-equal-pre7-draft28.patch
index 04b6e4b..8ef9a21 100644
--- a/openssl-equal-pre7-draft28.patch
+++ b/openssl-equal-pre7-draft28.patch
@@ -71,7 +71,7 @@ index 8e395cdd2d..700d7b7b4e 100644
  # define SSL_R_UNINITIALIZED                              276
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 354769b0c1..00b4aad581 100644
+index 354769b0c1..f883175359 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
 @@ -4095,6 +4095,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -200,22 +200,7 @@ index 354769b0c1..00b4aad581 100644
  
          /*
           * Since TLS 1.3 ciphersuites can be used with any auth or
-@@ -4244,13 +4224,25 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
-             alg_k = c->algorithm_mkey;
-             alg_a = c->algorithm_auth;
- 
-+            /* Skip 3DES over TLS v1.0 */
-+            if (c->algorithm_enc == SSL_3DES &&
-+                (s->version != TLS1_VERSION &&
-+                 s->version != DTLS1_VERSION))
-+                ok = 0;
-+
-+            /* Not use weak cipher after TLSv1.0 */
-+            if ((alg_a & SSL_aRSA) &&
-+                (alg_k & SSL_kRSA) &&
-+                (s->version != TLS1_VERSION))
-+                ok = 0;
-+
+@@ -4247,10 +4227,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  #ifndef OPENSSL_NO_PSK
              /* with PSK there must be server callback set */
              if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
@@ -228,7 +213,7 @@ index 354769b0c1..00b4aad581 100644
  #ifdef CIPHER_DEBUG
              fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
                      alg_a, mask_k, mask_a, (void *)c, c->name);
-@@ -4267,6 +4259,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+@@ -4267,6 +4247,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  
              if (!ok)
                  continue;
@@ -243,7 +228,7 @@ index 354769b0c1..00b4aad581 100644
          }
          ii = sk_SSL_CIPHER_find(allow, c);
          if (ii >= 0) {
-@@ -4274,14 +4274,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+@@ -4274,14 +4262,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
              if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
                                c->strength_bits, 0, (void *)c))
                  continue;
@@ -259,7 +244,7 @@ index 354769b0c1..00b4aad581 100644
              if (prefer_sha256) {
                  const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
  
-@@ -4293,13 +4286,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+@@ -4293,13 +4274,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                      ret = tmp;
                  continue;
              }