jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Update openssl-equal-pre6.patch

openssl-1.1.1
Hakase 2018-04-23 14:54:48 +09:00
parent 8978ba0d9e
commit 69de745d05
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
openssl-equal-pre6.patch
View File

@ -71,7 +71,7 @@ index 5c6718f..d079e32 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 6193269..eaff05c 100644
index 6193269..0206266 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -37,12 +37,12 @@ static SSL_CIPHER tls13_ciphers[] = {
@ -215,7 +215,7 @@ index 6193269..eaff05c 100644
/*
* Since TLS 1.3 ciphersuites can be used with any auth or
@@ -4224,13 +4204,24 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4224,13 +4204,25 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
@ -228,7 +228,8 @@ index 6193269..eaff05c 100644
+ /* Not use weak cipher after TLSv1.0 */
+ if ((alg_a & SSL_aRSA) &&
+ (alg_k & SSL_kRSA) &&
+ (s->version != TLS1_VERSION)) ok = 0;
+ (s->version != TLS1_VERSION))
+ ok = 0;
+
#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
@ -242,7 +243,7 @@ index 6193269..eaff05c 100644
#ifdef CIPHER_DEBUG
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4247,6 +4238,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4247,6 +4239,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ok)
continue;
@ -257,7 +258,7 @@ index 6193269..eaff05c 100644
}
ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) {
@@ -4254,21 +4253,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4254,21 +4254,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c))
continue;