From eec367db036b9715d544cf9109cd349346e54ca4 Mon Sep 17 00:00:00 2001 From: Hakase Date: Mon, 23 Apr 2018 12:03:18 +0900 Subject: [PATCH] Update openssl-equal-latest.patch --- openssl-equal-latest.patch | 56 +++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 22 deletions(-) diff --git a/openssl-equal-latest.patch b/openssl-equal-latest.patch index bea0d2e..5847746 100644 --- a/openssl-equal-latest.patch +++ b/openssl-equal-latest.patch @@ -25,7 +25,7 @@ index 3786e9a..8dd0d2c 100644 The following lists give the SSL or TLS cipher suites names from the diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index 4b45ae7..2193601 100644 +index 4b45ae7..7567b18 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -174,12 +174,12 @@ extern "C" { @@ -33,11 +33,10 @@ index 4b45ae7..2193601 100644 /* This is the default set of TLSv1.3 ciphersuites */ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -- "TLS_CHACHA20_POLY1305_SHA256:" \ -- "TLS_AES_128_GCM_SHA256" +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \ -+ "TLS_AES_256_GCM_SHA384:" \ -+ "TLS_CHACHA20_POLY1305_SHA256" + "TLS_CHACHA20_POLY1305_SHA256:" \ +- "TLS_AES_128_GCM_SHA256" ++ "TLS_AES_256_GCM_SHA384" # else -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - "TLS_AES_128_GCM_SHA256" @@ -292,7 +291,7 @@ index 6193269..5a330d6 100644 } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index 9011e42..48d38d4 100644 +index 9011e42..22181a7 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -190,6 +190,7 @@ typedef struct cipher_order_st { 
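Review bot: The reordered default `TLS_DEFAULT_CIPHERSUITES` (now `"TLS_AES_128_GCM_SHA256:" "TLS_CHACHA20_POLY1305_SHA256:" "TLS_AES_256_GCM_SHA384"`) is undocumented: neither the hunk nor the commit message says why AES-128-GCM now precedes AES-256-GCM, and the later ssl_ciph.c hunk keys its `in_group_flags` equal-preference marking on `SSL_AES128GCM`, so that code silently depends on this order. A comment beside the define, such as `/* AES-128-GCM first: it is grouped with CHACHA20-POLY1305 for equal preference in ssl_create_cipher_list */`, would keep the intent next to the code. The `# else` branch for builds without CHACHA appears here only through its removed lines, so its replacement lies outside this hunk; confirm it uses the same AES-128-before-AES-256 order so both branches agree.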
@@ -478,25 +477,33 @@ index 9011e42..48d38d4 100644 return retval; } -@@ -1380,7 +1438,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) +@@ -1346,6 +1404,7 @@ static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites) + { + int i; ++ //STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup( (STACK_OF(SSL_CIPHER) *)cipher_list ); + STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list); + + if (tmp_cipher_list == NULL) +@@ -1380,7 +1439,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) if (ret && ctx->cipher_list != NULL) { /* We already have a cipher_list, so we need to update it */ - return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id, -+ return update_cipher_list(ctx->cipher_list, &ctx->cipher_list_by_id, ++ return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id, ctx->tls13_ciphersuites); } -@@ -1393,7 +1451,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str) +@@ -1393,7 +1452,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str) if (ret && s->cipher_list != NULL) { /* We already have a cipher_list, so we need to update it */ - return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id, -+ return update_cipher_list(s->cipher_list, &s->cipher_list_by_id, ++ return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id, s->tls13_ciphersuites); } -@@ -1402,17 +1460,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str) +@@ -1402,17 +1461,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str) STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, 
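Review bot: The line `++    //STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup( (STACK_OF(SSL_CIPHER) *)cipher_list );` that the commit adds to update_cipher_list is commented-out code and should be dropped rather than shipped in the patch; it also uses a `//` comment where the surrounding ssl_ciph.c lines use `/* */`. The two call sites rewritten to `&ctx->cipher_list->ciphers` and `&s->cipher_list->ciphers` now hand update_cipher_list only the stack held inside the preference list, while the later hunks maintain a per-entry `in_group_flags` array parallel to that stack; confirm that update_cipher_list keeps the flags aligned with the stack it writes back, otherwise the equal-preference groups would be shifted by the number of TLSv1.3 suites it adds. The body of update_cipher_list past the NULL check, and the point where it stores `*cipher_list`, are outside this hunk, so this is inferred from the visible signature.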
@@ -512,14 +519,15 @@ index 9011e42..48d38d4 100644 + STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; - const SSL_CIPHER **ca_list = NULL; +- const SSL_CIPHER **ca_list = NULL; ++ const SSL_CIPHER **ca_list = NULL, *tmp = NULL; + uint8_t *in_group_flags = NULL; + unsigned int num_in_group_flags = 0; + struct ssl_cipher_preference_list_st *pref_list = NULL; /* * Return with error if nothing to do. -@@ -1461,16 +1522,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1461,16 +1523,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * preference). */ ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD, @@ -543,7 +551,7 @@ index 9011e42..48d38d4 100644 &head, &tail); /* -@@ -1479,13 +1540,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1479,13 +1541,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * strength. */ ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD, @@ -560,7 +568,7 @@ index 9011e42..48d38d4 100644 &tail); /* -@@ -1493,16 +1554,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1493,16 +1555,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * disabled. (For applications that allow them, they aren't too bad, but * we prefer authenticated ciphers.) */ @@ -581,7 +589,7 @@ index 9011e42..48d38d4 100644 &tail); /* -@@ -1518,7 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1518,7 +1580,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs. * TODO(openssl-team): is there an easier way to accomplish all this? */ 
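Review bot: `++    const SSL_CIPHER **ca_list = NULL, *tmp = NULL;` declares a pointer-to-pointer and a plain pointer in one declarator list, which is easy to misread as two `const SSL_CIPHER **`; give it its own line, `const SSL_CIPHER *tmp = NULL;`, next to the other new locals (`in_group_flags`, `num_in_group_flags`, `pref_list`). As far as the visible hunks show, `tmp` is only used while pushing the TLSv1.3 suites onto `cipherstack`, so a short comment such as `/* TLSv1.3 suite currently being added to cipherstack */` would state its purpose. The body of ssl_create_cipher_list continues outside this hunk.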
@@ -590,7 +598,7 @@ index 9011e42..48d38d4 100644 &head, &tail); /* -@@ -1534,15 +1595,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1534,15 +1596,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * Because we now bump ciphers to the top of the list, we proceed in * reverse order of preference. */ @@ -610,7 +618,7 @@ index 9011e42..48d38d4 100644 /* * We also need cipher aliases for selecting based on the rule_str. -@@ -1556,9 +1617,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1556,9 +1618,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { @@ -621,7 +629,7 @@ index 9011e42..48d38d4 100644 } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1583,27 +1643,26 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1583,27 +1644,30 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, OPENSSL_free(ca_list); /* Not needed anymore */ 
@@ -649,18 +657,22 @@ index 9011e42..48d38d4 100644 /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { ++ tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i); if (!sk_SSL_CIPHER_push(cipherstack, - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) { - sk_SSL_CIPHER_free(cipherstack); - return NULL; - } -+ sk_SSL_CIPHER_value(tls13_ciphersuites, i))) ++ tmp)) + goto err; -+ in_group_flags[num_in_group_flags++] = 1; ++ if (tmp->algorithm_enc == SSL_AES128GCM) ++ in_group_flags[num_in_group_flags++] = 1; ++ else ++ in_group_flags[num_in_group_flags++] = 0; } /* -@@ -1612,26 +1671,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1612,26 +1676,66 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ for (curr = head; curr != NULL; curr = curr->next) { if (curr->active) {
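Review bot: The new `in_group_flags` assignment is keyed on the suite's algorithm (`tmp->algorithm_enc == SSL_AES128GCM`) rather than on its position in `tls13_ciphersuites`, so the grouping only comes out as intended for the default order in which CHACHA20-POLY1305 directly follows AES-128-GCM; if an application sets a different TLSv1.3 order, the flag lands on whatever happens to follow AES-128-GCM, and if AES-128-GCM is last it would, assuming a set flag joins an entry with the next one, be grouped with the first TLSv1.2 cipher. I cannot see the definition of `in_group_flags` here, so that convention is inferred from the `struct ssl_cipher_preference_list_st` introduced earlier in the patch; please confirm it and either derive the flag from the neighbouring entry or at least never flag the last TLSv1.3 entry, with a comment recording the assumption. The `if`/`else` pair also collapses to one assignment. The enclosing loop is fully inside the hunk; ssl_create_cipher_list itself continues outside it.
```c
        tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
        /* … unchanged: push tmp onto cipherstack, goto err on failure … */
        /*
         * NOTE(review): assumes in_group_flags[k] == 1 joins entry k with
         * entry k + 1 (confirm against struct ssl_cipher_preference_list_st).
         * AES-128-GCM is grouped with the suite that follows it; the last
         * TLSv1.3 entry is never flagged, so it cannot be joined to the
         * first TLSv1.2 cipher appended below.
         */
        in_group_flags[num_in_group_flags++] =
            (tmp->algorithm_enc == SSL_AES128GCM
             && i + 1 < sk_SSL_CIPHER_num(tls13_ciphersuites)) ? 1 : 0;
```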