jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Update openssl-equal-pre6.patch

openssl-1.1.1
Hakase 2018-04-23 14:51:43 +09:00
parent ea82075c07
commit 8978ba0d9e
1 changed files with 17 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
openssl-equal-pre6.patch
View File

@ -71,7 +71,7 @@ index 5c6718f..d079e32 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 6193269..8f9262f 100644
index 6193269..eaff05c 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -37,12 +37,12 @@ static SSL_CIPHER tls13_ciphers[] = {
@ -215,7 +215,7 @@ index 6193269..8f9262f 100644
/*
* Since TLS 1.3 ciphersuites can be used with any auth or
@@ -4224,13 +4204,25 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4224,13 +4204,24 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
@ -225,8 +225,7 @@ index 6193269..8f9262f 100644
+ s->version != DTLS1_VERSION))
+ ok = 0;
+
+ /* not use ECDSA under TLS v1.2 */
+ // if ((alg_a & SSL_aECDSA) && s->version != TLS1_2_VERSION) ok = 0;
+ /* Not use weak cipher after TLSv1.0 */
+ if ((alg_a & SSL_aRSA) &&
+ (alg_k & SSL_kRSA) &&
+ (s->version != TLS1_VERSION)) ok = 0;
@ -243,7 +242,7 @@ index 6193269..8f9262f 100644
#ifdef CIPHER_DEBUG
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4247,6 +4239,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4247,6 +4238,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ok)
continue;
@ -258,7 +257,7 @@ index 6193269..8f9262f 100644
}
ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) {
@@ -4254,21 +4254,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4254,21 +4253,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c))
continue;
@ -307,7 +306,7 @@ index 6193269..8f9262f 100644
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9011e42..113a728 100644
index 9011e42..7da2f1b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@ -637,7 +636,7 @@ index 9011e42..113a728 100644
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1583,27 +1643,30 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1583,27 +1643,36 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
OPENSSL_free(ca_list); /* Not needed anymore */
@ -670,17 +669,22 @@ index 9011e42..113a728 100644
- sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
- sk_SSL_CIPHER_free(cipherstack);
- return NULL;
- }
+ tmp))
+ goto err;
+ if (tmp->algorithm_enc == SSL_AES128GCM)
+ in_group_flags[num_in_group_flags++] = 1;
+ if (tmp->algorithm_enc == SSL_AES128GCM &&
+ i + 1 < sk_SSL_CIPHER_num(tls13_ciphersuites)) {
+ tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i + 1);
+ if (tmp->algorithm_enc == SSL_CHACHA20POLY1305)
+ in_group_flags[num_in_group_flags++] = 1;
+ else
+ in_group_flags[num_in_group_flags++] = 0;
}
+ else
+ in_group_flags[num_in_group_flags++] = 0;
}
/*
@@ -1612,26 +1675,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1612,26 +1681,67 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) {
@ -699,6 +703,7 @@ index 9011e42..113a728 100644
}
+
OPENSSL_free(co_list); /* Not needed any longer */
+ tmp = NULL;
+ co_list = NULL;
- if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {