jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Edit algorithm for TLSv1.3 ssl_ciph

openssl-1.1.1
Hakase 2018-05-02 13:06:17 +09:00
parent 57e67c8c1f
commit ba1b902b63
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
openssl-equal-pre7.patch
View File

@ -291,7 +291,7 @@ index f797497..0206266 100644
} }
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9011e42..7da2f1b 100644 index 9011e42..4ad79b3 100644
--- a/ssl/ssl_ciph.c --- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c
@@ -190,6 +190,7 @@ typedef struct cipher_order_st { @@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@ -505,7 +505,8 @@ index 9011e42..7da2f1b 100644
const char *rule_str, const char *rule_str,
CERT *c) CERT *c)
{ {
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i; - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
+ int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i, tls13_len;
uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac; uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
- STACK_OF(SSL_CIPHER) *cipherstack; - STACK_OF(SSL_CIPHER) *cipherstack;
+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL; + STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
@ -621,7 +622,7 @@ index 9011e42..7da2f1b 100644
} }
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc, disabled_mkey, disabled_auth, disabled_enc,
@@ -1583,27 +1643,36 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, @@ -1583,27 +1643,37 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
OPENSSL_free(ca_list); /* Not needed anymore */ OPENSSL_free(ca_list); /* Not needed anymore */
@ -648,7 +649,9 @@ index 9011e42..7da2f1b 100644
+ goto err; + goto err;
/* Add TLSv1.3 ciphers first - we always prefer those if possible */ /* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
+ tls13_len = sk_SSL_CIPHER_num(tls13_ciphersuites);
+ for (i = 0; i < tls13_len; i++) {
+ tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i); + tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
if (!sk_SSL_CIPHER_push(cipherstack, if (!sk_SSL_CIPHER_push(cipherstack,
- sk_SSL_CIPHER_value(tls13_ciphersuites, i))) { - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
@ -657,7 +660,7 @@ index 9011e42..7da2f1b 100644
+ tmp)) + tmp))
+ goto err; + goto err;
+ if (tmp->algorithm_enc == SSL_AES128GCM && + if (tmp->algorithm_enc == SSL_AES128GCM &&
+ i + 1 < sk_SSL_CIPHER_num(tls13_ciphersuites)) { + tls13_len > (i + 1)) {
+ tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i + 1); + tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i + 1);
+ if (tmp->algorithm_enc == SSL_CHACHA20POLY1305) + if (tmp->algorithm_enc == SSL_CHACHA20POLY1305)
+ in_group_flags[num_in_group_flags++] = 1; + in_group_flags[num_in_group_flags++] = 1;
@ -669,7 +672,7 @@ index 9011e42..7da2f1b 100644
} }
/* /*
@@ -1612,26 +1681,67 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, @@ -1612,26 +1682,67 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/ */
for (curr = head; curr != NULL; curr = curr->next) { for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) { if (curr->active) {