jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Update openssl-equal-latest.patch

openssl-1.1.1
Hakase 2018-04-23 12:03:18 +09:00
parent bb732e2cbc
commit eec367db03
1 changed files with 34 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
openssl-equal-latest.patch
View File

@ -25,7 +25,7 @@ index 3786e9a..8dd0d2c 100644
The following lists give the SSL or TLS cipher suites names from the
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 4b45ae7..2193601 100644
index 4b45ae7..7567b18 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -174,12 +174,12 @@ extern "C" {
@ -33,11 +33,10 @@ index 4b45ae7..2193601 100644
/* This is the default set of TLSv1.3 ciphersuites */
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256"
"TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
+ "TLS_AES_256_GCM_SHA384"
# else
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_AES_128_GCM_SHA256"
@ -292,7 +291,7 @@ index 6193269..5a330d6 100644
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9011e42..48d38d4 100644
index 9011e42..22181a7 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@ -478,25 +477,33 @@ index 9011e42..48d38d4 100644
return retval;
}
@@ -1380,7 +1438,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
@@ -1346,6 +1404,7 @@ static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites)
{
int i;
+ //STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup( (STACK_OF(SSL_CIPHER) *)cipher_list );
STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list);
if (tmp_cipher_list == NULL)
@@ -1380,7 +1439,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
if (ret && ctx->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
- return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
+ return update_cipher_list(ctx->cipher_list, &ctx->cipher_list_by_id,
+ return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
ctx->tls13_ciphersuites);
}
@@ -1393,7 +1451,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1393,7 +1452,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
if (ret && s->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
- return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
+ return update_cipher_list(s->cipher_list, &s->cipher_list_by_id,
+ return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
s->tls13_ciphersuites);
}
@@ -1402,17 +1460,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1402,17 +1461,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -512,14 +519,15 @@ index 9011e42..48d38d4 100644
+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
- const SSL_CIPHER **ca_list = NULL;
+ const SSL_CIPHER **ca_list = NULL, *tmp = NULL;
+ uint8_t *in_group_flags = NULL;
+ unsigned int num_in_group_flags = 0;
+ struct ssl_cipher_preference_list_st *pref_list = NULL;
/*
* Return with error if nothing to do.
@@ -1461,16 +1522,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1461,16 +1523,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* preference).
*/
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
@ -543,7 +551,7 @@ index 9011e42..48d38d4 100644
&head, &tail);
/*
@@ -1479,13 +1540,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1479,13 +1541,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* strength.
*/
ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
@ -560,7 +568,7 @@ index 9011e42..48d38d4 100644
&tail);
/*
@@ -1493,16 +1554,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1493,16 +1555,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* disabled. (For applications that allow them, they aren't too bad, but
* we prefer authenticated ciphers.)
*/
@ -581,7 +589,7 @@ index 9011e42..48d38d4 100644
&tail);
/*
@@ -1518,7 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1518,7 +1580,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
* TODO(openssl-team): is there an easier way to accomplish all this?
*/
@ -590,7 +598,7 @@ index 9011e42..48d38d4 100644
&head, &tail);
/*
@@ -1534,15 +1595,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1534,15 +1596,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* Because we now bump ciphers to the top of the list, we proceed in
* reverse order of preference.
*/
@ -610,7 +618,7 @@ index 9011e42..48d38d4 100644
/*
* We also need cipher aliases for selecting based on the rule_str.
@@ -1556,9 +1617,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1556,9 +1618,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
@ -621,7 +629,7 @@ index 9011e42..48d38d4 100644
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1583,27 +1643,26 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1583,27 +1644,30 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
OPENSSL_free(ca_list); /* Not needed anymore */
@ -649,18 +657,22 @@ index 9011e42..48d38d4 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
+ tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
if (!sk_SSL_CIPHER_push(cipherstack,
- sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
- sk_SSL_CIPHER_free(cipherstack);
- return NULL;
- }
+ sk_SSL_CIPHER_value(tls13_ciphersuites, i)))
+ tmp))
+ goto err;
+ in_group_flags[num_in_group_flags++] = 1;
+ if (tmp->algorithm_enc == SSL_AES128GCM)
+ in_group_flags[num_in_group_flags++] = 1;
+ else
+ in_group_flags[num_in_group_flags++] = 0;
}
/*
@@ -1612,26 +1671,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1612,26 +1676,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) {