Diffstat (limited to 'librelp-1.10.0-crypto-compliance.patch')
-rw-r--r--librelp-1.10.0-crypto-compliance.patch88
1 files changed, 88 insertions, 0 deletions
diff --git a/librelp-1.10.0-crypto-compliance.patch b/librelp-1.10.0-crypto-compliance.patch
new file mode 100644
index 0000000..56a120a
--- /dev/null
+++ b/librelp-1.10.0-crypto-compliance.patch
@@ -0,0 +1,88 @@
+diff -up librelp-1.10.0/src/tcp.c.crypto-compliance librelp-1.10.0/src/tcp.c
+--- librelp-1.10.0/src/tcp.c.crypto-compliance 2021-02-16 09:07:24.000000000 +0100
++++ librelp-1.10.0/src/tcp.c 2021-08-17 10:13:53.368936612 +0200
+@@ -1155,32 +1155,8 @@ static relpRetVal LIBRELP_ATTR_NONNULL()
+ relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis)
+ {
+ int r;
+- char pristringBuf[4096];
+- char *pristring;
+ ENTER_RELPFUNC;
+- /* Set default priority string (in simple cases where the user does not care...) */
+- if(pThis->pristring == NULL) {
+- if (pThis->authmode == eRelpAuthMode_None) {
+- if(pThis->bEnableTLSZip) {
+- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
+- } else {
+- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
+- }
+- pristringBuf[sizeof(pristringBuf)-1] = '\0';
+- pristring = pristringBuf;
+- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
+- } else {
+- r = gnutls_set_default_priority(pThis->session);
+- strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf));
+- pristringBuf[sizeof(pristringBuf)-1] = '\0';
+- pristring = pristringBuf;
+- }
+-
+- } else {
+- pristring = pThis->pristring;
+- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
+- }
+-
++ r = gnutls_set_default_priority(pThis->session);
+ if(r == GNUTLS_E_INVALID_REQUEST) {
+ ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO);
+ } else if(r != GNUTLS_E_SUCCESS) {
+@@ -1188,7 +1164,7 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const
+ }
+
+ finalize_it:
+- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
++ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers to system default iRet=%d\n", iRet);
+
+ if(iRet != RELP_RET_OK) {
+ chkGnutlsCode(pThis, "Failed to set GnuTLS priority", iRet, r);
+@@ -1207,38 +1183,15 @@ relpTcpTLSSetPrio_gtls(LIBRELP_ATTR_UNUS
+ static relpRetVal LIBRELP_ATTR_NONNULL()
+ relpTcpTLSSetPrio_ossl(relpTcp_t *const pThis)
+ {
+- char pristringBuf[4096];
+- char *pristring;
+ ENTER_RELPFUNC;
+- /* Compute priority string (in simple cases where the user does not care...) */
+- if(pThis->pristring == NULL) {
+- if (pThis->authmode == eRelpAuthMode_None) {
+- #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+- && !defined(LIBRESSL_VERSION_NUMBER)
+- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+- sizeof(pristringBuf));
+- #else
+- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
+- sizeof(pristringBuf));
+- #endif
+- } else {
+- strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
+- }
+- pristringBuf[sizeof(pristringBuf)-1] = '\0';
+- pristring = pristringBuf;
+- } else {
+- /* We use custom CipherString if used sets it by SslConfCmd */
+- pristring = pThis->pristring;
+- }
+
+- if ( SSL_set_cipher_list(pThis->ssl, pristring) == 0 ){
+- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers '%s'\n", pristring);
++ if (SSL_set_cipher_list(pThis->ssl, "PROFILE=SYSTEM") == 0){
++ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers to system default\n");
+ ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);
+ }
+
+ finalize_it:
+- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
++ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers to system default iRet=%d\n", iRet);
+ LEAVE_RELPFUNC;
+ }
+ #else
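Review bot: A caller-supplied priority string is now silently dropped in both relpTcpTLSSetPrio_gtls and relpTcpTLSSetPrio_ossl — the removed `pThis->pristring` branches had no replacement, so an administrator who configures an explicit (possibly stricter) cipher list gets the system default instead with no error and a debug line that only says "system default". At minimum emit a warning before the default is applied, e.g. `if(pThis->pristring != NULL) pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: ignoring configured priority string '%s', using system default\n", pThis->pristring);` (and the same in the OpenSSL variant), or return RELP_RET_INVLD_TLS_PRIO so the misconfiguration is visible. The same applies to `bEnableTLSZip`: it is no longer consulted, which is a reasonable outcome (TLS compression is a known exposure) but deserves a comment such as `/* compression and anonymous DH are intentionally not honoured: the system crypto policy decides */`. With `authmode == eRelpAuthMode_None` the old code relied on ANON-DH/aNULL; under the system default policy a session with no credentials will presumably fail the handshake rather than be rejected up front, so a note in the authmode-None path would help operators. relpTcpTLSSetPrio_gtls's body continues outside the visible hunk, and `"PROFILE=SYSTEM"` appears to be a distribution-specific OpenSSL cipher string that will make SSL_set_cipher_list fail on builds without crypto-policies support — worth stating in the patch header.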