jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Update openssl-equal-latest.patch

openssl-1.1.1
Hakase 2018-04-23 01:39:17 +09:00
parent 3516b73bc5
commit abff1578e0
1 changed files with 27 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
openssl-equal-latest.patch
View File

@ -25,7 +25,7 @@ index 3786e9a..8dd0d2c 100644
The following lists give the SSL or TLS cipher suites names from the The following lists give the SSL or TLS cipher suites names from the
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 4b45ae7..01391d8 100644 index 4b45ae7..2193601 100644
--- a/include/openssl/ssl.h --- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -174,12 +174,12 @@ extern "C" { @@ -174,12 +174,12 @@ extern "C" {
@ -35,9 +35,9 @@ index 4b45ae7..01391d8 100644
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \ - "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256" - "TLS_AES_128_GCM_SHA256"
+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
+ "TLS_AES_128_GCM_SHA256:" \ + "TLS_AES_256_GCM_SHA384:" \
+ "TLS_AES_256_GCM_SHA384" + "TLS_CHACHA20_POLY1305_SHA256"
# else # else
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_AES_128_GCM_SHA256" - "TLS_AES_128_GCM_SHA256"
@ -72,7 +72,7 @@ index 5c6718f..d079e32 100644
# define SSL_R_UNINITIALIZED 276 # define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246 # define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 6193269..26c6243 100644 index 6193269..5a330d6 100644
--- a/ssl/s3_lib.c --- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c +++ b/ssl/s3_lib.c
@@ -4095,6 +4095,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len) @@ -4095,6 +4095,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@ -105,7 +105,7 @@ index 6193269..26c6243 100644
- STACK_OF(SSL_CIPHER) *prio, *allow; - STACK_OF(SSL_CIPHER) *prio, *allow;
- int i, ii, ok; - int i, ii, ok;
+ STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow; + STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
+ int i, ii, ok, safari_ec = 0, use_chacha = 0; + int i, ii, ok, safari_ec = 0;
unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
-#ifndef OPENSSL_NO_CHACHA -#ifndef OPENSSL_NO_CHACHA
- STACK_OF(SSL_CIPHER) *prio_chacha = NULL; - STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
@ -123,26 +123,24 @@ index 6193269..26c6243 100644
/* Let's see which ciphers we can support */ /* Let's see which ciphers we can support */
@@ -4139,55 +4158,21 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, @@ -4139,54 +4158,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#endif #endif
/* SUITE-B takes precedence over server preference and ChaCha priortiy */ /* SUITE-B takes precedence over server preference and ChaCha priortiy */
- if (tls1_suiteb(s)) { - if (tls1_suiteb(s)) {
- prio = srvr;
- allow = clnt;
- } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) { + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
prio = srvr; prio = srvr;
+ in_group_flags = server_pref->in_group_flags;
allow = clnt;
- } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
- prio = srvr;
- allow = clnt; - allow = clnt;
-#ifndef OPENSSL_NO_CHACHA -#ifndef OPENSSL_NO_CHACHA
- /* If ChaCha20 is at the top of the client preference list, - /* If ChaCha20 is at the top of the client preference list,
- and there are ChaCha20 ciphers in the server list, then - and there are ChaCha20 ciphers in the server list, then
- temporarily prioritize all ChaCha20 ciphers in the servers list. */ - temporarily prioritize all ChaCha20 ciphers in the servers list. */
- if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) { - if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
+ in_group_flags = server_pref->in_group_flags; - c = sk_SSL_CIPHER_value(clnt, 0);
+ /* Use ChaCha20+Poly1305 if it's client's most preferred cipher suite */
+ if (sk_SSL_CIPHER_num(clnt) > 0 && SSL_IS_TLS13(s)) {
c = sk_SSL_CIPHER_value(clnt, 0);
- if (c->algorithm_enc == SSL_CHACHA20POLY1305) { - if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
- /* ChaCha20 is client preferred, check server... */ - /* ChaCha20 is client preferred, check server... */
- int num = sk_SSL_CIPHER_num(srvr); - int num = sk_SSL_CIPHER_num(srvr);
@ -175,20 +173,15 @@ index 6193269..26c6243 100644
- } - }
- } - }
- } - }
+ if (c->algorithm_enc == SSL_CHACHA20POLY1305) - }
+ use_chacha = 1;
}
-# endif -# endif
+ allow = clnt;
} else { } else {
prio = clnt; prio = clnt;
+ in_group_flags = NULL; + in_group_flags = NULL;
allow = srvr; allow = srvr;
+ use_chacha = 1;
} }
if (!SSL_IS_TLS13(s)) { @@ -4198,14 +4176,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4198,15 +4183,21 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
c = sk_SSL_CIPHER_value(prio, i); c = sk_SSL_CIPHER_value(prio, i);
@ -205,14 +198,9 @@ index 6193269..26c6243 100644
- continue; - continue;
+ ok = 0; + ok = 0;
+ /* Skip ChaCha unless top client priority */
+ if (c->algorithm_enc == SSL_CHACHA20POLY1305 && !use_chacha && SSL_IS_TLS13(s))
+ continue;
+
/* /*
* Since TLS 1.3 ciphersuites can be used with any auth or * Since TLS 1.3 ciphersuites can be used with any auth or
* key exchange scheme skip tests. @@ -4224,13 +4204,25 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4224,13 +4215,23 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
alg_k = c->algorithm_mkey; alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth; alg_a = c->algorithm_auth;
@ -224,7 +212,9 @@ index 6193269..26c6243 100644
+ +
+ /* not use ECDSA under TLS v1.2 */ + /* not use ECDSA under TLS v1.2 */
+ // if ((alg_a & SSL_aECDSA) && s->version != TLS1_2_VERSION) ok = 0; + // if ((alg_a & SSL_aECDSA) && s->version != TLS1_2_VERSION) ok = 0;
+ if ((alg_a & SSL_aRSA) && (alg_k & SSL_kRSA) && s->version == TLS1_2_VERSION) ok = 0; + if ((alg_a & SSL_aRSA) &&
+ (alg_k & SSL_kRSA) &&
+ (s->version != TLS1_VERSION)) ok = 0;
+ +
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */ /* with PSK there must be server callback set */
@ -238,7 +228,7 @@ index 6193269..26c6243 100644
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
alg_a, mask_k, mask_a, (void *)c, c->name); alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4247,6 +4248,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, @@ -4247,6 +4239,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ok) if (!ok)
continue; continue;
@ -253,7 +243,7 @@ index 6193269..26c6243 100644
} }
ii = sk_SSL_CIPHER_find(allow, c); ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) { if (ii >= 0) {
@@ -4254,21 +4263,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, @@ -4254,21 +4254,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c)) c->strength_bits, 0, (void *)c))
continue; continue;
@ -302,7 +292,7 @@ index 6193269..26c6243 100644
} }
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9011e42..6e9216d 100644 index 9011e42..147a11c 100644
--- a/ssl/ssl_ciph.c --- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c
@@ -190,6 +190,7 @@ typedef struct cipher_order_st { @@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@ -631,7 +621,7 @@ index 9011e42..6e9216d 100644
} }
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc, disabled_mkey, disabled_auth, disabled_enc,
@@ -1583,19 +1643,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, @@ -1583,27 +1643,30 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
OPENSSL_free(ca_list); /* Not needed anymore */ OPENSSL_free(ca_list); /* Not needed anymore */
@ -659,16 +649,18 @@ index 9011e42..6e9216d 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */ /* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
@@ -1604,6 +1664,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, if (!sk_SSL_CIPHER_push(cipherstack,
sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
sk_SSL_CIPHER_free(cipherstack); sk_SSL_CIPHER_free(cipherstack);
+ in_group_flags[num_in_group_flags++] = 1;
return NULL; return NULL;
} }
+ else + else
+ num_in_group_flags++; + in_group_flags[num_in_group_flags++] = 0;
} }
/* /*
@@ -1612,26 +1674,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, @@ -1612,26 +1675,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/ */
for (curr = head; curr != NULL; curr = curr->next) { for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) { if (curr->active) {