Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add chacha20-smarter.patch for openssl 1.1.0 in 123.09beta01
support bassie's Cloudflare backported chacha20 patch to only serve chacha20 ciphers if it's the preferred one for clients rather than server it based on server side preferences https://community.centminmod.com/posts/35727/
- Loading branch information
1 parent
afdbbf9
commit 58bb2fc
Showing
2 changed files
with
74 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
From 4fb0dc4dfgtrh65876987ottjrt45657e08b35d6a Mon Sep 17 00:00:00 2001 | ||
From: Bassie / Buik <allesisvoorbassiesdikkebuik@local> | ||
Date: Mon, 5 Sept 2016 19:09:47 -0800 | ||
Subject: [PATCH] Use ChaCha20+Poly1305 if it is the client's most preferred cipher suite. | ||
|
||
Use OpenSSL 1.1 ChaCha20+Poly1305 if it is the client's most preferred cipher suite. | ||
|
||
Ported from OpenSSL 1.0.2g source: github.com/cloudflare/sslconfig/patches/openssl_chacha20_poly1305_draft_and_rfc_ossl102g.patch. | ||
|
||
Index: ssl/s3_lib.c | ||
=================================================================== | ||
--- a/ssl/s3_lib.c 2016-08-25 17:29:22.000000000 +0200 | ||
+++ b/ssl/s3_lib.c 2016-09-04 19:54:21.749766219 +0200 | ||
@@ -3582,6 +3582,8 @@ | ||
STACK_OF(SSL_CIPHER) *prio, *allow; | ||
int i, ii, ok; | ||
unsigned long alg_k, alg_a, mask_k, mask_a; | ||
+ /* Port to OpenSSL 1.1 / Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */ | ||
+ int use_chacha = 0; | ||
|
||
/* Let's see which ciphers we can support */ | ||
|
||
@@ -3614,9 +3616,17 @@ | ||
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) { | ||
prio = srvr; | ||
allow = clnt; | ||
+ /* Port to OpenSSL 1.1 / Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */ | ||
+ /* Use ChaPoly iff it's client's most preferred cipher suite */ | ||
+ if (sk_SSL_CIPHER_num(clnt) > 0) { | ||
+ c = sk_SSL_CIPHER_value(clnt, 0); | ||
+ if (c->algorithm_enc == SSL_CHACHA20POLY1305) | ||
+ use_chacha = 1; | ||
+ } | ||
} else { | ||
prio = clnt; | ||
allow = srvr; | ||
+ use_chacha = 1; | ||
} | ||
|
||
tls1_set_cert_validity(s); | ||
@@ -3633,6 +3643,11 @@ | ||
(DTLS_VERSION_LT(s->version, c->min_dtls) || | ||
DTLS_VERSION_GT(s->version, c->max_dtls))) | ||
continue; | ||
+ /* Port to OpenSSL 1.1 / Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */ | ||
+ /* Skip ChaCha unless top client priority */ | ||
+ if ((c->algorithm_enc == SSL_CHACHA20POLY1305) && !use_chacha) | ||
+ continue; | ||
+ | ||
|
||
mask_k = s->s3->tmp.mask_k; | ||
mask_a = s->s3->tmp.mask_a; |