Not use skip ciphers

2018-05-23 08:10:26 +09:00 · 2018-05-23 08:10:26 +09:00 · 32f30320f9
parent efab72e2a8
commit 32f30320f9
1 changed files with 5 additions and 20 deletions
--- a/openssl-equal-pre7-draft28.patch
+++ b/openssl-equal-pre7-draft28.patch
@ -71,7 +71,7 @@ index 8e395cdd2d..700d7b7b4e 100644
 # define SSL_R_UNINITIALIZED                              276
 # define SSL_R_UNKNOWN_ALERT_TYPE                         246
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 354769b0c1..00b4aad581 100644
+index 354769b0c1..f883175359 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
@@ -4095,6 +4095,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@ -200,22 +200,7 @@ index 354769b0c1..00b4aad581 100644
 
         /*
          * Since TLS 1.3 ciphersuites can be used with any auth or
-@@ -4244,13 +4224,25 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
-             alg_k = c->algorithm_mkey;
-             alg_a = c->algorithm_auth;
- 
-+            /* Skip 3DES over TLS v1.0 */
-+            if (c->algorithm_enc == SSL_3DES &&
-+                (s->version != TLS1_VERSION &&
-+                 s->version != DTLS1_VERSION))
-+                ok = 0;
-+
-+            /* Not use weak cipher after TLSv1.0 */
-+            if ((alg_a & SSL_aRSA) &&
-+                (alg_k & SSL_kRSA) &&
-+                (s->version != TLS1_VERSION))
-+                ok = 0;
-+
+@@ -4247,10 +4227,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #ifndef OPENSSL_NO_PSK
             /* with PSK there must be server callback set */
             if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
@ -228,7 +213,7 @@ index 354769b0c1..00b4aad581 100644
 #ifdef CIPHER_DEBUG
             fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
                     alg_a, mask_k, mask_a, (void *)c, c->name);
-@@ -4267,6 +4259,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+@@ -4267,6 +4247,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
             if (!ok)
                 continue;
@ -243,7 +228,7 @@ index 354769b0c1..00b4aad581 100644
         }
         ii = sk_SSL_CIPHER_find(allow, c);
         if (ii >= 0) {
-@@ -4274,14 +4274,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+@@ -4274,14 +4262,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
             if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
                               c->strength_bits, 0, (void *)c))
                 continue;
@ -259,7 +244,7 @@ index 354769b0c1..00b4aad581 100644
             if (prefer_sha256) {
                 const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
 
-@@ -4293,13 +4286,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+@@ -4293,13 +4274,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                     ret = tmp;
                 continue;
             }