Update openssl-equal-pre6.patch
parent
ea82075c07
commit
8978ba0d9e
|
@ -71,7 +71,7 @@ index 5c6718f..d079e32 100644
|
||||||
# define SSL_R_UNINITIALIZED 276
|
# define SSL_R_UNINITIALIZED 276
|
||||||
# define SSL_R_UNKNOWN_ALERT_TYPE 246
|
# define SSL_R_UNKNOWN_ALERT_TYPE 246
|
||||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||||
index 6193269..8f9262f 100644
|
index 6193269..eaff05c 100644
|
||||||
--- a/ssl/s3_lib.c
|
--- a/ssl/s3_lib.c
|
||||||
+++ b/ssl/s3_lib.c
|
+++ b/ssl/s3_lib.c
|
||||||
@@ -37,12 +37,12 @@ static SSL_CIPHER tls13_ciphers[] = {
|
@@ -37,12 +37,12 @@ static SSL_CIPHER tls13_ciphers[] = {
|
||||||
|
@ -215,7 +215,7 @@ index 6193269..8f9262f 100644
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Since TLS 1.3 ciphersuites can be used with any auth or
|
* Since TLS 1.3 ciphersuites can be used with any auth or
|
||||||
@@ -4224,13 +4204,25 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
@@ -4224,13 +4204,24 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||||
alg_k = c->algorithm_mkey;
|
alg_k = c->algorithm_mkey;
|
||||||
alg_a = c->algorithm_auth;
|
alg_a = c->algorithm_auth;
|
||||||
|
|
||||||
|
@ -225,8 +225,7 @@ index 6193269..8f9262f 100644
|
||||||
+ s->version != DTLS1_VERSION))
|
+ s->version != DTLS1_VERSION))
|
||||||
+ ok = 0;
|
+ ok = 0;
|
||||||
+
|
+
|
||||||
+ /* not use ECDSA under TLS v1.2 */
|
+ /* Not use weak cipher after TLSv1.0 */
|
||||||
+ // if ((alg_a & SSL_aECDSA) && s->version != TLS1_2_VERSION) ok = 0;
|
|
||||||
+ if ((alg_a & SSL_aRSA) &&
|
+ if ((alg_a & SSL_aRSA) &&
|
||||||
+ (alg_k & SSL_kRSA) &&
|
+ (alg_k & SSL_kRSA) &&
|
||||||
+ (s->version != TLS1_VERSION)) ok = 0;
|
+ (s->version != TLS1_VERSION)) ok = 0;
|
||||||
|
@ -243,7 +242,7 @@ index 6193269..8f9262f 100644
|
||||||
#ifdef CIPHER_DEBUG
|
#ifdef CIPHER_DEBUG
|
||||||
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
|
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
|
||||||
alg_a, mask_k, mask_a, (void *)c, c->name);
|
alg_a, mask_k, mask_a, (void *)c, c->name);
|
||||||
@@ -4247,6 +4239,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
@@ -4247,6 +4238,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||||
|
|
||||||
if (!ok)
|
if (!ok)
|
||||||
continue;
|
continue;
|
||||||
|
@ -258,7 +257,7 @@ index 6193269..8f9262f 100644
|
||||||
}
|
}
|
||||||
ii = sk_SSL_CIPHER_find(allow, c);
|
ii = sk_SSL_CIPHER_find(allow, c);
|
||||||
if (ii >= 0) {
|
if (ii >= 0) {
|
||||||
@@ -4254,21 +4254,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
@@ -4254,21 +4253,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
|
||||||
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
|
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
|
||||||
c->strength_bits, 0, (void *)c))
|
c->strength_bits, 0, (void *)c))
|
||||||
continue;
|
continue;
|
||||||
|
@ -307,7 +306,7 @@ index 6193269..8f9262f 100644
|
||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||||
index 9011e42..113a728 100644
|
index 9011e42..7da2f1b 100644
|
||||||
--- a/ssl/ssl_ciph.c
|
--- a/ssl/ssl_ciph.c
|
||||||
+++ b/ssl/ssl_ciph.c
|
+++ b/ssl/ssl_ciph.c
|
||||||
@@ -190,6 +190,7 @@ typedef struct cipher_order_st {
|
@@ -190,6 +190,7 @@ typedef struct cipher_order_st {
|
||||||
|
@ -637,7 +636,7 @@ index 9011e42..113a728 100644
|
||||||
}
|
}
|
||||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||||
disabled_mkey, disabled_auth, disabled_enc,
|
disabled_mkey, disabled_auth, disabled_enc,
|
||||||
@@ -1583,27 +1643,30 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
@@ -1583,27 +1643,36 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||||
|
|
||||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||||
|
|
||||||
|
@ -670,17 +669,22 @@ index 9011e42..113a728 100644
|
||||||
- sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
|
- sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
|
||||||
- sk_SSL_CIPHER_free(cipherstack);
|
- sk_SSL_CIPHER_free(cipherstack);
|
||||||
- return NULL;
|
- return NULL;
|
||||||
- }
|
|
||||||
+ tmp))
|
+ tmp))
|
||||||
+ goto err;
|
+ goto err;
|
||||||
+ if (tmp->algorithm_enc == SSL_AES128GCM)
|
+ if (tmp->algorithm_enc == SSL_AES128GCM &&
|
||||||
+ in_group_flags[num_in_group_flags++] = 1;
|
+ i + 1 < sk_SSL_CIPHER_num(tls13_ciphersuites)) {
|
||||||
|
+ tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i + 1);
|
||||||
|
+ if (tmp->algorithm_enc == SSL_CHACHA20POLY1305)
|
||||||
|
+ in_group_flags[num_in_group_flags++] = 1;
|
||||||
|
+ else
|
||||||
|
+ in_group_flags[num_in_group_flags++] = 0;
|
||||||
|
}
|
||||||
+ else
|
+ else
|
||||||
+ in_group_flags[num_in_group_flags++] = 0;
|
+ in_group_flags[num_in_group_flags++] = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1612,26 +1675,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
@@ -1612,26 +1681,67 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||||
*/
|
*/
|
||||||
for (curr = head; curr != NULL; curr = curr->next) {
|
for (curr = head; curr != NULL; curr = curr->next) {
|
||||||
if (curr->active) {
|
if (curr->active) {
|
||||||
|
@ -699,6 +703,7 @@ index 9011e42..113a728 100644
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
OPENSSL_free(co_list); /* Not needed any longer */
|
OPENSSL_free(co_list); /* Not needed any longer */
|
||||||
|
+ tmp = NULL;
|
||||||
+ co_list = NULL;
|
+ co_list = NULL;
|
||||||
|
|
||||||
- if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
|
- if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
|
||||||
|
|
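Review bot: The reworded comment in the ssl3_choose_cipher hunk, `/* Not use weak cipher after TLSv1.0 */`, does not match the test beneath it: `s->version != TLS1_VERSION` clears `ok` for every negotiated version other than TLS 1.0, which would include SSL 3.0 and the DTLS versions if they can reach this point, not only later ones. Because this rule decides when static-RSA key exchange (kRSA with aRSA, which gives no forward secrecy) may still be selected, I would state it exactly, e.g. `/* Allow kRSA+aRSA suites only when the negotiated version is exactly TLS 1.0; any other s->version clears ok */`, and put `ok = 0;` on its own line as the DTLS check just above does. If the intent really is "newer than TLS 1.0", it is the comparison and not the comment that needs changing, and that should be checked against the DTLS version values first. The body of ssl3_choose_cipher starts and ends outside the hunk.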