Browse Source

Removing OpenSSL-1.1.1 patch files and patch OpenSSL-1.1.1a files.

master
Hakase 3 months ago
parent
commit
4416999a70
Signed by: Hakase <hakase@hakase.app> GPG Key ID: BB2821A9E0DF48C9

+ 10
- 10
README.md View File

@@ -31,7 +31,7 @@ Default support is in bold type.
31 31
 - [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ draft 23, 28, **final**
32 32
 - [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ **final**
33 33
 
34
-[Compatible OpenSSL-1.1.1 (OpenSSL, 22764 commits)](https://github.com/openssl/openssl/tree/1708e3e85b4a86bae26860aa5d2913fc8eff6086)
34
+[Compatible OpenSSL-1.1.1a (OpenSSL, 22932 commits)](https://github.com/openssl/openssl/tree/d1c28d791a7391a8dc101713cd8646df96491d03)
35 35
 
36 36
 ## Patch files
37 37
 
@@ -46,12 +46,12 @@ Here is the basic patch content.
46 46
 
47 47
 | Patch file name | Patch list |
48 48
 | :--- | :--- |
49
-| openssl-1.1.1-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
50
-| openssl-equal-1.1.1.patch<br>openssl-equal-1.1.2-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
51
-| openssl-equal-1.1.1_ciphers.patch<br>openssl-equal-1.1.2-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
52
-| openssl-1.1.1-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |
53
-| openssl-1.1.1-tls13_draft.patch | Enable TLS 1.3 draft 23, 26, 28, final. |
54
-| openssl-1.1.1-tls13_nginx_config.patch | You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 |
49
+| openssl-1.1.1a-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
50
+| openssl-equal-1.1.1a.patch<br>openssl-equal-1.1.2-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
51
+| openssl-equal-1.1.1a_ciphers.patch<br>openssl-equal-1.1.2-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
52
+| openssl-1.1.1a-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |
53
+| openssl-1.1.1a-tls13_draft.patch | Enable TLS 1.3 draft 23, 26, 28, final. |
54
+| openssl-1.1.1a-tls13_nginx_config.patch | You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 |
55 55
 
56 56
 **The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**
57 57
 
@@ -97,7 +97,7 @@ Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny)!
97 97
 git clone https://github.com/openssl/openssl.git
98 98
 git clone https://github.com/hakasenyang/openssl-patch.git
99 99
 cd openssl
100
-patch -p1 < ../openssl-patch/openssl-1.1.1-chacha_draft.patch
100
+patch -p1 < ../openssl-patch/openssl-1.1.1a-chacha_draft.patch
101 101
 ```
102 102
 
103 103
 ### nginx HPACK Patch
@@ -157,12 +157,12 @@ ssl_ecdh_curve X25519:P-256:P-384;
157 157
 ssl_prefer_server_ciphers on;
158 158
 ```
159 159
 
160
-### OpenSSL-1.1.x (> 1.1.1) ciphers (draft 23, 26, 28, final)
160
+### OpenSSL-1.1.x (>= 1.1.1a) ciphers (draft 23, 26, 28, final)
161 161
 ```
162 162
 [EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
163 163
 ```
164 164
 
165
-### OpenSSL-1.1.x_ciphers (> 1.1.1) ciphers (draft 23, 26, 28, final)
165
+### OpenSSL-1.1.x_ciphers (>= 1.1.1a) ciphers (draft 23, 26, 28, final)
166 166
 ```
167 167
 [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
168 168
 ```

openssl-1.1.1-chacha_draft.patch → openssl-1.1.1a-chacha_draft.patch View File

@@ -1,11 +1,3 @@
1
-Issue: https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824
2
-
3
-Original source : https://github.com/JemmyLoveJenny/ngx_ossl_patches/blob/master/ossl_enable_chacha20-poly1305-draft.patch
4
-
5
-After using this patch, you can use it as is.
6
-If necessary, use it with "EECDH+CHACHA20-D".
7
-If you use EECDH+CHACHA20, the OLD version is also used at the same time.
8
-
9 1
 diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
10 2
 index 086b3c4d51..5699901f7d 100644
11 3
 --- a/crypto/evp/c_allc.c
@@ -278,14 +270,14 @@ index e931f7f516..c1cf32b2b0 100644
278 270
       407,    /* "characteristic-two-field" */
279 271
       395,    /* "clearance" */
280 272
 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
281
-index 1b6a9c61a1..a55fc456ee 100644
273
+index 1b6a9c61a1..c81ca25a53 100644
282 274
 --- a/crypto/objects/obj_mac.num
283 275
 +++ b/crypto/objects/obj_mac.num
284 276
 @@ -1192,3 +1192,4 @@ magma_cfb		1191
285 277
  magma_mac		1192
286 278
  hmacWithSHA512_224		1193
287 279
  hmacWithSHA512_256		1194
288
-+chacha20_poly1305_draft	1195
280
++chacha20_poly1305_draft		1195
289 281
 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
290 282
 index 6dbc41ce37..581169eda8 100644
291 283
 --- a/crypto/objects/objects.txt
@@ -326,7 +318,7 @@ index 80ff5a7c86..456e05ffea 100644
326 318
  #define LN_dhpublicnumber               "X9.42 DH"
327 319
  #define NID_dhpublicnumber              920
328 320
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
329
-index ffe158388d..54dcd2702f 100644
321
+index d6b1b4e6a6..6d166c94f0 100644
330 322
 --- a/include/openssl/ssl.h
331 323
 +++ b/include/openssl/ssl.h
332 324
 @@ -125,6 +125,7 @@ extern "C" {
@@ -338,10 +330,10 @@ index ffe158388d..54dcd2702f 100644
338 330
  # define SSL_TXT_ARIA            "ARIA"
339 331
  # define SSL_TXT_ARIA_GCM        "ARIAGCM"
340 332
 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
341
-index 2e46cf80d3..cc750bf735 100644
333
+index e13b5dd4bc..53d43c121e 100644
342 334
 --- a/include/openssl/tls1.h
343 335
 +++ b/include/openssl/tls1.h
344
-@@ -596,7 +596,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
336
+@@ -597,7 +597,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
345 337
  # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   0x0300C09A
346 338
  # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0x0300C09B
347 339
  
@@ -355,7 +347,7 @@ index 2e46cf80d3..cc750bf735 100644
355 347
  # define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305         0x0300CCA8
356 348
  # define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305       0x0300CCA9
357 349
  # define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305           0x0300CCAA
358
-@@ -761,6 +766,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
350
+@@ -762,6 +767,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
359 351
  # define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
360 352
  # define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305       "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
361 353
  # define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
@@ -365,7 +357,7 @@ index 2e46cf80d3..cc750bf735 100644
365 357
  # define TLS1_RFC_PSK_WITH_CHACHA20_POLY1305             "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"
366 358
  # define TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305       "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
367 359
  # define TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305         "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
368
-@@ -1089,7 +1097,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
360
+@@ -1090,7 +1098,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
369 361
  # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    "ECDH-RSA-CAMELLIA128-SHA256"
370 362
  # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    "ECDH-RSA-CAMELLIA256-SHA384"
371 363
  
@@ -380,7 +372,7 @@ index 2e46cf80d3..cc750bf735 100644
380 372
  # define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305       "ECDHE-ECDSA-CHACHA20-POLY1305"
381 373
  # define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305           "DHE-RSA-CHACHA20-POLY1305"
382 374
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
383
-index 7713f767b2..cb37dd6e6f 100644
375
+index 866ca4dfa9..40b0205e52 100644
384 376
 --- a/ssl/s3_lib.c
385 377
 +++ b/ssl/s3_lib.c
386 378
 @@ -2082,6 +2082,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
@@ -488,7 +480,7 @@ index 14066d0ea4..0ded2bd6b6 100644
488 480
      } else if (c->algorithm_mac & SSL_AEAD) {
489 481
          /* We're supposed to have handled all the AEAD modes above */
490 482
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
491
-index c22c1f9ee8..6c4595c49b 100644
483
+index 70e5a1740f..d75ba89a40 100644
492 484
 --- a/ssl/ssl_locl.h
493 485
 +++ b/ssl/ssl_locl.h
494 486
 @@ -230,12 +230,13 @@
@@ -507,7 +499,7 @@ index c22c1f9ee8..6c4595c49b 100644
507 499
  # define SSL_ARIA                (SSL_ARIAGCM)
508 500
  
509 501
 diff --git a/util/libcrypto.num b/util/libcrypto.num
510
-index ecece3824f..678b04c9ed 100644
502
+index bad3a3814e..c4166b784b 100644
511 503
 --- a/util/libcrypto.num
512 504
 +++ b/util/libcrypto.num
513 505
 @@ -4577,3 +4577,4 @@ OCSP_resp_get0_respdata                 4530	1_1_0j	EXIST::FUNCTION:OCSP

openssl-1.1.1-tls13_draft.patch → openssl-1.1.1a-tls13_draft.patch View File

@@ -1,5 +1,5 @@
1 1
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
2
-index 0a18a43544..c31597584b 100644
2
+index d6b1b4e6a6..173dbb1ef8 100644
3 3
 --- a/include/openssl/ssl.h
4 4
 +++ b/include/openssl/ssl.h
5 5
 @@ -173,12 +173,12 @@ extern "C" {
@@ -20,13 +20,13 @@ index 0a18a43544..c31597584b 100644
20 20
  /*
21 21
   * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
22 22
 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
23
-index 2e46cf80d3..0accc837a3 100644
23
+index e13b5dd4bc..779341c948 100644
24 24
 --- a/include/openssl/tls1.h
25 25
 +++ b/include/openssl/tls1.h
26 26
 @@ -30,6 +30,16 @@ extern "C" {
27 27
  # define TLS1_3_VERSION                  0x0304
28 28
  # define TLS_MAX_VERSION                 TLS1_3_VERSION
29
-
29
+ 
30 30
 +/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
31 31
 +# define TLS1_3_VERSION_DRAFT_23         0x7f17
32 32
 +# define TLS1_3_VERSION_DRAFT_26         0x7f1a
@@ -39,7 +39,7 @@ index 2e46cf80d3..0accc837a3 100644
39 39
 +
40 40
  /* Special value for method supporting multiple versions */
41 41
  # define TLS_ANY_VERSION                 0x10000
42
-
42
+ 
43 43
 diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
44 44
 index a11ed483e6..4fd583dd03 100644
45 45
 --- a/ssl/record/ssl3_record_tls13.c
@@ -57,10 +57,10 @@ index a11ed483e6..4fd583dd03 100644
57 57
                                  (unsigned int)rec->length) <= 0
58 58
              || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
59 59
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
60
-index e8819e7a28..9afa488822 100644
60
+index 70e5a1740f..7b3b270ffc 100644
61 61
 --- a/ssl/ssl_locl.h
62 62
 +++ b/ssl/ssl_locl.h
63
-@@ -1074,6 +1111,8 @@ struct ssl_st {
63
+@@ -1080,6 +1080,8 @@ struct ssl_st {
64 64
       * DTLS1_VERSION)
65 65
       */
66 66
      int version;
@@ -70,13 +70,13 @@ index e8819e7a28..9afa488822 100644
70 70
      const SSL_METHOD *method;
71 71
      /*
72 72
 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
73
-index 4b5e6fe2b8..99981c9e37 100644
73
+index ab4dbf6713..745897b638 100644
74 74
 --- a/ssl/statem/extensions_clnt.c
75 75
 +++ b/ssl/statem/extensions_clnt.c
76
-@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
76
+@@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
77 77
          return EXT_RETURN_FAIL;
78 78
      }
79
-
79
+ 
80 80
 +    /*
81 81
 +     * TODO(TLS1.3): There is some discussion on the TLS list as to whether
82 82
 +     * we should include versions <TLS1.2. For the moment we do. To be
@@ -100,10 +100,10 @@ index 4b5e6fe2b8..99981c9e37 100644
100 100
              SSLfatal(s, SSL_AD_INTERNAL_ERROR,
101 101
                       SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
102 102
                       ERR_R_INTERNAL_ERROR);
103
-@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
103
+@@ -1763,6 +1780,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
104 104
          return 0;
105 105
      }
106
-
106
+ 
107 107
 +    /* TODO(TLS1.3): Remove this before release */
108 108
 +    if (version == TLS1_3_VERSION_DRAFT
109 109
 +            || version == TLS1_3_VERSION_DRAFT_27
@@ -131,7 +131,7 @@ index 0f2b22392b..6c1ce9813f 100644
131 131
          WPACKET_cleanup(&hrrpkt);
132 132
          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
133 133
 @@ -1652,7 +1653,8 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
134
-
134
+ 
135 135
      if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
136 136
              || !WPACKET_start_sub_packet_u16(pkt)
137 137
 -            || !WPACKET_put_bytes_u16(pkt, s->version)
@@ -141,21 +141,21 @@ index 0f2b22392b..6c1ce9813f 100644
141 141
          SSLfatal(s, SSL_AD_INTERNAL_ERROR,
142 142
                   SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
143 143
 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
144
-index 508bb88767..ee927baf64 100644
144
+index 4324896f50..d0de7ffe3d 100644
145 145
 --- a/ssl/statem/statem_lib.c
146 146
 +++ b/ssl/statem/statem_lib.c
147
-@@ -1753,6 +1753,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
147
+@@ -1786,6 +1786,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
148 148
          unsigned int best_vers = 0;
149 149
          const SSL_METHOD *best_method = NULL;
150 150
          PACKET versionslist;
151 151
 +        /* TODO(TLS1.3): Remove this before release */
152 152
 +        unsigned int orig_candidate = 0;
153
-
153
+ 
154 154
          suppversions->parsed = 1;
155
-
156
-@@ -1774,6 +1776,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
155
+ 
156
+@@ -1807,6 +1809,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
157 157
              return SSL_R_BAD_LEGACY_VERSION;
158
-
158
+ 
159 159
          while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
160 160
 +            /* TODO(TLS1.3): Remove this before release */
161 161
 +            if (candidate_vers == TLS1_3_VERSION
@@ -177,7 +177,7 @@ index 508bb88767..ee927baf64 100644
177 177
              if (version_cmp(s, candidate_vers, best_vers) <= 0)
178 178
                  continue;
179 179
              if (ssl_version_supported(s, candidate_vers, &best_method))
180
-@@ -1796,6 +1815,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
180
+@@ -1829,6 +1848,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
181 181
              }
182 182
              check_for_downgrade(s, best_vers, dgrd);
183 183
              s->version = best_vers;

openssl-1.1.1-tls13_nginx_config.patch → openssl-1.1.1a-tls13_nginx_config.patch View File

@@ -1,5 +1,5 @@
1 1
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
2
-index 7713f767b2..c1725bd3a3 100644
2
+index 866ca4dfa9..4654becf1d 100644
3 3
 --- a/ssl/s3_lib.c
4 4
 +++ b/ssl/s3_lib.c
5 5
 @@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {

openssl-equal-1.1.1.patch → openssl-equal-1.1.1a.patch View File

@@ -25,7 +25,7 @@ index 3aea982384..3c93eba0bf 100644
25 25
  
26 26
  The following lists give the SSL or TLS cipher suites names from the
27 27
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
28
-index 0a18a43544..c31597584b 100644
28
+index d6b1b4e6a6..173dbb1ef8 100644
29 29
 --- a/include/openssl/ssl.h
30 30
 +++ b/include/openssl/ssl.h
31 31
 @@ -173,12 +173,12 @@ extern "C" {
@@ -71,7 +71,7 @@ index 87b295c9f9..d118d8e864 100644
71 71
  # define SSL_R_UNINITIALIZED                              276
72 72
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
73 73
 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
74
-index 2e46cf80d3..0accc837a3 100644
74
+index e13b5dd4bc..779341c948 100644
75 75
 --- a/include/openssl/tls1.h
76 76
 +++ b/include/openssl/tls1.h
77 77
 @@ -30,6 +30,16 @@ extern "C" {
@@ -108,7 +108,7 @@ index a11ed483e6..4fd583dd03 100644
108 108
                                  (unsigned int)rec->length) <= 0
109 109
              || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
110 110
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
111
-index 7713f767b2..5a3f9e2c27 100644
111
+index 866ca4dfa9..7b98b670d2 100644
112 112
 --- a/ssl/s3_lib.c
113 113
 +++ b/ssl/s3_lib.c
114 114
 @@ -167,7 +167,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
@@ -138,7 +138,7 @@ index 7713f767b2..5a3f9e2c27 100644
138 138
       DTLS1_BAD_VER, DTLS1_2_VERSION,
139 139
       SSL_HIGH | SSL_FIPS,
140 140
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
141
-@@ -4104,6 +4104,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
141
+@@ -4124,6 +4124,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
142 142
      return 1;
143 143
  }
144 144
  
@@ -156,7 +156,7 @@ index 7713f767b2..5a3f9e2c27 100644
156 156
  /*
157 157
   * ssl3_choose_cipher - choose a cipher from those offered by the client
158 158
   * @s: SSL connection
159
-@@ -4113,16 +4124,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
159
+@@ -4133,16 +4144,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
160 160
   * Returns the selected cipher or NULL when no common ciphers.
161 161
   */
162 162
  const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -187,7 +187,7 @@ index 7713f767b2..5a3f9e2c27 100644
187 187
  
188 188
      /* Let's see which ciphers we can support */
189 189
  
190
-@@ -4149,54 +4168,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
190
+@@ -4169,54 +4188,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
191 191
  #endif
192 192
  
193 193
      /* SUITE-B takes precedence over server preference and ChaCha priortiy */
@@ -245,7 +245,7 @@ index 7713f767b2..5a3f9e2c27 100644
245 245
          allow = srvr;
246 246
      }
247 247
  
248
-@@ -4227,14 +4205,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
248
+@@ -4247,14 +4225,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
249 249
      for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
250 250
          c = sk_SSL_CIPHER_value(prio, i);
251 251
  
@@ -264,7 +264,7 @@ index 7713f767b2..5a3f9e2c27 100644
264 264
  
265 265
          /*
266 266
           * Since TLS 1.3 ciphersuites can be used with any auth or
267
-@@ -4256,10 +4236,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
267
+@@ -4276,10 +4256,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
268 268
  #ifndef OPENSSL_NO_PSK
269 269
              /* with PSK there must be server callback set */
270 270
              if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
@@ -277,7 +277,7 @@ index 7713f767b2..5a3f9e2c27 100644
277 277
  #ifdef CIPHER_DEBUG
278 278
              fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
279 279
                      alg_a, mask_k, mask_a, (void *)c, c->name);
280
-@@ -4276,6 +4256,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
280
+@@ -4296,6 +4276,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
281 281
  
282 282
              if (!ok)
283 283
                  continue;
@@ -292,7 +292,7 @@ index 7713f767b2..5a3f9e2c27 100644
292 292
          }
293 293
          ii = sk_SSL_CIPHER_find(allow, c);
294 294
          if (ii >= 0) {
295
-@@ -4283,14 +4271,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
295
+@@ -4303,14 +4291,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
296 296
              if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
297 297
                                c->strength_bits, 0, (void *)c))
298 298
                  continue;
@@ -308,7 +308,7 @@ index 7713f767b2..5a3f9e2c27 100644
308 308
              if (prefer_sha256) {
309 309
                  const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
310 310
  
311
-@@ -4302,13 +4283,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
311
+@@ -4322,13 +4303,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
312 312
                      ret = tmp;
313 313
                  continue;
314 314
              }
@@ -352,7 +352,7 @@ index 7713f767b2..5a3f9e2c27 100644
352 352
  }
353 353
  
354 354
 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
355
-index b60cc79a2f..e028151423 100644
355
+index 14066d0ea4..165f1c83b1 100644
356 356
 --- a/ssl/ssl_ciph.c
357 357
 +++ b/ssl/ssl_ciph.c
358 358
 @@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@@ -824,10 +824,10 @@ index 11331ce41f..cfc770b8d6 100644
824 824
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
825 825
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
826 826
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
827
-index d75158e30c..926a7a04c5 100644
827
+index 61a0ea2cc9..66e29ecba5 100644
828 828
 --- a/ssl/ssl_lib.c
829 829
 +++ b/ssl/ssl_lib.c
830
-@@ -1113,6 +1113,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
830
+@@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
831 831
      return X509_VERIFY_PARAM_set1(ssl->param, vpm);
832 832
  }
833 833
  
@@ -899,7 +899,7 @@ index d75158e30c..926a7a04c5 100644
899 899
  X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
900 900
  {
901 901
      return ctx->param;
902
-@@ -1153,7 +1218,8 @@ void SSL_free(SSL *s)
902
+@@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
903 903
      BUF_MEM_free(s->init_buf);
904 904
  
905 905
      /* add extra stuff */
@@ -909,7 +909,7 @@ index d75158e30c..926a7a04c5 100644
909 909
      sk_SSL_CIPHER_free(s->cipher_list_by_id);
910 910
      sk_SSL_CIPHER_free(s->tls13_ciphersuites);
911 911
  
912
-@@ -2422,9 +2488,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
912
+@@ -2427,9 +2493,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
913 913
  {
914 914
      if (s != NULL) {
915 915
          if (s->cipher_list != NULL) {
@@ -921,7 +921,7 @@ index d75158e30c..926a7a04c5 100644
921 921
          }
922 922
      }
923 923
      return NULL;
924
-@@ -2498,8 +2564,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
924
+@@ -2503,8 +2569,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
925 925
   * preference */
926 926
  STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
927 927
  {
@@ -932,7 +932,7 @@ index d75158e30c..926a7a04c5 100644
932 932
      return NULL;
933 933
  }
934 934
  
935
-@@ -2930,7 +2996,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
935
+@@ -2935,7 +3001,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
936 936
                                  ret->tls13_ciphersuites,
937 937
                                  &ret->cipher_list, &ret->cipher_list_by_id,
938 938
                                  SSL_DEFAULT_CIPHER_LIST, ret->cert)
@@ -941,7 +941,7 @@ index d75158e30c..926a7a04c5 100644
941 941
          SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
942 942
          goto err2;
943 943
      }
944
-@@ -3103,7 +3169,7 @@ void SSL_CTX_free(SSL_CTX *a)
944
+@@ -3111,7 +3177,7 @@ void SSL_CTX_free(SSL_CTX *a)
945 945
  #ifndef OPENSSL_NO_CT
946 946
      CTLOG_STORE_free(a->ctlog_store);
947 947
  #endif
@@ -950,7 +950,7 @@ index d75158e30c..926a7a04c5 100644
950 950
      sk_SSL_CIPHER_free(a->cipher_list_by_id);
951 951
      sk_SSL_CIPHER_free(a->tls13_ciphersuites);
952 952
      ssl_cert_free(a->cert);
953
-@@ -3752,13 +3818,15 @@ SSL *SSL_dup(SSL *s)
953
+@@ -3789,13 +3855,15 @@ SSL *SSL_dup(SSL *s)
954 954
  
955 955
      /* dup the cipher_list and cipher_list_by_id stacks */
956 956
      if (s->cipher_list != NULL) {
@@ -969,12 +969,12 @@ index d75158e30c..926a7a04c5 100644
969 969
 +    }
970 970
  
971 971
      /* Dup the client_CA list */
972
-     if (s->ca_names != NULL) {
972
+     if (!dup_ca_names(&ret->ca_names, s->ca_names)
973 973
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
974
-index e8819e7a28..9afa488822 100644
974
+index 70e5a1740f..d583840984 100644
975 975
 --- a/ssl/ssl_locl.h
976 976
 +++ b/ssl/ssl_locl.h
977
-@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
977
+@@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
978 978
      unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
979 979
  } SSL_CTX_EXT_SECURE;
980 980
  
@@ -1022,7 +1022,7 @@ index e8819e7a28..9afa488822 100644
1022 1022
      /* same as above but sorted for lookup */
1023 1023
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1024 1024
      /* TLSv1.3 specific ciphersuites */
1025
-@@ -1074,6 +1111,8 @@ struct ssl_st {
1025
+@@ -1080,6 +1117,8 @@ struct ssl_st {
1026 1026
       * DTLS1_VERSION)
1027 1027
       */
1028 1028
      int version;
@@ -1031,7 +1031,7 @@ index e8819e7a28..9afa488822 100644
1031 1031
      /* SSLv3 */
1032 1032
      const SSL_METHOD *method;
1033 1033
      /*
1034
-@@ -1132,7 +1171,7 @@ struct ssl_st {
1034
+@@ -1138,7 +1177,7 @@ struct ssl_st {
1035 1035
      /* Per connection DANE state */
1036 1036
      SSL_DANE dane;
1037 1037
      /* crypto */
@@ -1040,8 +1040,8 @@ index e8819e7a28..9afa488822 100644
1040 1040
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1041 1041
      /* TLSv1.3 specific ciphersuites */
1042 1042
      STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
1043
-@@ -2254,7 +2293,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
1044
- __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
1043
+@@ -2265,7 +2304,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
1044
+                                  const SSL_CIPHER *const *bp);
1045 1045
  __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1046 1046
                                                      STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
1047 1047
 -                                                    STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1049,7 +1049,7 @@ index e8819e7a28..9afa488822 100644
1049 1049
                                                      STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1050 1050
                                                      const char *rule_str,
1051 1051
                                                      CERT *c);
1052
-@@ -2264,6 +2303,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1052
+@@ -2275,6 +2314,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1053 1053
                                  STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
1054 1054
                                  int fatal);
1055 1055
  void ssl_update_cache(SSL *s, int mode);
@@ -1063,7 +1063,7 @@ index e8819e7a28..9afa488822 100644
1063 1063
  __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
1064 1064
                                const EVP_MD **md, int *mac_pkey_type,
1065 1065
                                size_t *mac_secret_size, SSL_COMP **comp,
1066
-@@ -2347,7 +2393,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1066
+@@ -2358,7 +2404,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1067 1067
                                              CERT_PKEY *cpk);
1068 1068
  __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
1069 1069
                                              STACK_OF(SSL_CIPHER) *clnt,
@@ -1073,10 +1073,10 @@ index e8819e7a28..9afa488822 100644
1073 1073
  __owur int ssl3_new(SSL *s);
1074 1074
  void ssl3_free(SSL *s);
1075 1075
 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
1076
-index 4b5e6fe2b8..99981c9e37 100644
1076
+index ab4dbf6713..745897b638 100644
1077 1077
 --- a/ssl/statem/extensions_clnt.c
1078 1078
 +++ b/ssl/statem/extensions_clnt.c
1079
-@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1079
+@@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1080 1080
          return EXT_RETURN_FAIL;
1081 1081
      }
1082 1082
  
@@ -1103,7 +1103,7 @@ index 4b5e6fe2b8..99981c9e37 100644
1103 1103
              SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1104 1104
                       SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1105 1105
                       ERR_R_INTERNAL_ERROR);
1106
-@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1106
+@@ -1763,6 +1780,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1107 1107
          return 0;
1108 1108
      }
1109 1109
  
@@ -1144,10 +1144,10 @@ index 0f2b22392b..6c1ce9813f 100644
1144 1144
          SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1145 1145
                   SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1146 1146
 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
1147
-index 508bb88767..ee927baf64 100644
1147
+index 4324896f50..d0de7ffe3d 100644
1148 1148
 --- a/ssl/statem/statem_lib.c
1149 1149
 +++ b/ssl/statem/statem_lib.c
1150
-@@ -1753,6 +1753,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1150
+@@ -1786,6 +1786,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1151 1151
          unsigned int best_vers = 0;
1152 1152
          const SSL_METHOD *best_method = NULL;
1153 1153
          PACKET versionslist;
@@ -1156,7 +1156,7 @@ index 508bb88767..ee927baf64 100644
1156 1156
  
1157 1157
          suppversions->parsed = 1;
1158 1158
  
1159
-@@ -1774,6 +1776,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1159
+@@ -1807,6 +1809,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1160 1160
              return SSL_R_BAD_LEGACY_VERSION;
1161 1161
  
1162 1162
          while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
@@ -1180,7 +1180,7 @@ index 508bb88767..ee927baf64 100644
1180 1180
              if (version_cmp(s, candidate_vers, best_vers) <= 0)
1181 1181
                  continue;
1182 1182
              if (ssl_version_supported(s, candidate_vers, &best_method))
1183
-@@ -1796,6 +1815,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1183
+@@ -1829,6 +1848,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1184 1184
              }
1185 1185
              check_for_downgrade(s, best_vers, dgrd);
1186 1186
              s->version = best_vers;
@@ -1191,10 +1191,10 @@ index 508bb88767..ee927baf64 100644
1191 1191
              return 0;
1192 1192
          }
1193 1193
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1194
-index 346b1e3989..0a747f39ce 100644
1194
+index e7c11c4bea..a2a6c1e44e 100644
1195 1195
 --- a/ssl/statem/statem_srvr.c
1196 1196
 +++ b/ssl/statem/statem_srvr.c
1197
-@@ -1742,7 +1742,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1197
+@@ -1744,7 +1744,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1198 1198
      /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
1199 1199
      if (SSL_IS_TLS13(s)) {
1200 1200
          const SSL_CIPHER *cipher =
@@ -1203,7 +1203,7 @@ index 346b1e3989..0a747f39ce 100644
1203 1203
  
1204 1204
          if (cipher == NULL) {
1205 1205
              SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1206
-@@ -1923,7 +1923,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1206
+@@ -1925,7 +1925,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1207 1207
              /* check if some cipher was preferred by call back */
1208 1208
              if (pref_cipher == NULL)
1209 1209
                  pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
@@ -1212,7 +1212,7 @@ index 346b1e3989..0a747f39ce 100644
1212 1212
              if (pref_cipher == NULL) {
1213 1213
                  SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1214 1214
                           SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1215
-@@ -1932,8 +1932,9 @@ static int tls_early_post_process_client_hello(SSL *s)
1215
+@@ -1934,8 +1934,9 @@ static int tls_early_post_process_client_hello(SSL *s)
1216 1216
              }
1217 1217
  
1218 1218
              s->session->cipher = pref_cipher;
@@ -1224,7 +1224,7 @@ index 346b1e3989..0a747f39ce 100644
1224 1224
              sk_SSL_CIPHER_free(s->cipher_list_by_id);
1225 1225
              s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1226 1226
          }
1227
-@@ -2245,7 +2246,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
1227
+@@ -2249,7 +2250,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
1228 1228
              /* In TLSv1.3 we selected the ciphersuite before resumption */
1229 1229
              if (!SSL_IS_TLS13(s)) {
1230 1230
                  cipher =

openssl-equal-1.1.1_ciphers.patch → openssl-equal-1.1.1a_ciphers.patch View File

@@ -50,7 +50,7 @@ index 87b295c9f9..d118d8e864 100644
50 50
  # define SSL_R_UNINITIALIZED                              276
51 51
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
52 52
 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
53
-index 2e46cf80d3..0accc837a3 100644
53
+index e13b5dd4bc..779341c948 100644
54 54
 --- a/include/openssl/tls1.h
55 55
 +++ b/include/openssl/tls1.h
56 56
 @@ -30,6 +30,16 @@ extern "C" {
@@ -87,7 +87,7 @@ index a11ed483e6..4fd583dd03 100644
87 87
                                  (unsigned int)rec->length) <= 0
88 88
              || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
89 89
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
90
-index 7713f767b2..a0af8ac001 100644
90
+index 866ca4dfa9..1b6b99cb19 100644
91 91
 --- a/ssl/s3_lib.c
92 92
 +++ b/ssl/s3_lib.c
93 93
 @@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
@@ -166,7 +166,7 @@ index 7713f767b2..a0af8ac001 100644
166 166
       DTLS1_BAD_VER, DTLS1_2_VERSION,
167 167
       SSL_HIGH | SSL_FIPS,
168 168
       SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
169
-@@ -4104,6 +4110,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
169
+@@ -4124,6 +4130,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
170 170
      return 1;
171 171
  }
172 172
  
@@ -184,7 +184,7 @@ index 7713f767b2..a0af8ac001 100644
184 184
  /*
185 185
   * ssl3_choose_cipher - choose a cipher from those offered by the client
186 186
   * @s: SSL connection
187
-@@ -4113,16 +4130,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
187
+@@ -4133,16 +4150,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
188 188
   * Returns the selected cipher or NULL when no common ciphers.
189 189
   */
190 190
  const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -215,7 +215,7 @@ index 7713f767b2..a0af8ac001 100644
215 215
  
216 216
      /* Let's see which ciphers we can support */
217 217
  
218
-@@ -4149,54 +4174,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
218
+@@ -4169,54 +4194,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
219 219
  #endif
220 220
  
221 221
      /* SUITE-B takes precedence over server preference and ChaCha priortiy */
@@ -273,7 +273,7 @@ index 7713f767b2..a0af8ac001 100644
273 273
          allow = srvr;
274 274
      }
275 275
  
276
-@@ -4227,14 +4211,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
276
+@@ -4247,14 +4231,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
277 277
      for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
278 278
          c = sk_SSL_CIPHER_value(prio, i);
279 279
  
@@ -292,7 +292,7 @@ index 7713f767b2..a0af8ac001 100644
292 292
  
293 293
          /*
294 294
           * Since TLS 1.3 ciphersuites can be used with any auth or
295
-@@ -4256,10 +4242,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
295
+@@ -4276,10 +4262,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
296 296
  #ifndef OPENSSL_NO_PSK
297 297
              /* with PSK there must be server callback set */
298 298
              if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
@@ -305,7 +305,7 @@ index 7713f767b2..a0af8ac001 100644
305 305
  #ifdef CIPHER_DEBUG
306 306
              fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
307 307
                      alg_a, mask_k, mask_a, (void *)c, c->name);
308
-@@ -4276,6 +4262,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
308
+@@ -4296,6 +4282,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
309 309
  
310 310
              if (!ok)
311 311
                  continue;
@@ -320,7 +320,7 @@ index 7713f767b2..a0af8ac001 100644
320 320
          }
321 321
          ii = sk_SSL_CIPHER_find(allow, c);
322 322
          if (ii >= 0) {
323
-@@ -4283,14 +4277,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
323
+@@ -4303,14 +4297,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
324 324
              if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
325 325
                                c->strength_bits, 0, (void *)c))
326 326
                  continue;
@@ -336,7 +336,7 @@ index 7713f767b2..a0af8ac001 100644
336 336
              if (prefer_sha256) {
337 337
                  const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
338 338
  
339
-@@ -4302,13 +4289,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
339
+@@ -4322,13 +4309,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
340 340
                      ret = tmp;
341 341
                  continue;
342 342
              }
@@ -380,7 +380,7 @@ index 7713f767b2..a0af8ac001 100644
380 380
  }
381 381
  
382 382
 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
383
-index b60cc79a2f..205f868a05 100644
383
+index 14066d0ea4..dc190fa334 100644
384 384
 --- a/ssl/ssl_ciph.c
385 385
 +++ b/ssl/ssl_ciph.c
386 386
 @@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@@ -859,10 +859,10 @@ index 11331ce41f..cfc770b8d6 100644
859 859
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
860 860
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
861 861
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
862
-index d75158e30c..926a7a04c5 100644
862
+index 61a0ea2cc9..66e29ecba5 100644
863 863
 --- a/ssl/ssl_lib.c
864 864
 +++ b/ssl/ssl_lib.c
865
-@@ -1113,6 +1113,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
865
+@@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
866 866
      return X509_VERIFY_PARAM_set1(ssl->param, vpm);
867 867
  }
868 868
  
@@ -934,7 +934,7 @@ index d75158e30c..926a7a04c5 100644
934 934
  X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
935 935
  {
936 936
      return ctx->param;
937
-@@ -1153,7 +1218,8 @@ void SSL_free(SSL *s)
937
+@@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
938 938
      BUF_MEM_free(s->init_buf);
939 939
  
940 940
      /* add extra stuff */
@@ -944,7 +944,7 @@ index d75158e30c..926a7a04c5 100644
944 944
      sk_SSL_CIPHER_free(s->cipher_list_by_id);
945 945
      sk_SSL_CIPHER_free(s->tls13_ciphersuites);
946 946
  
947
-@@ -2422,9 +2488,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
947
+@@ -2427,9 +2493,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
948 948
  {
949 949
      if (s != NULL) {
950 950
          if (s->cipher_list != NULL) {
@@ -956,7 +956,7 @@ index d75158e30c..926a7a04c5 100644
956 956
          }
957 957
      }
958 958
      return NULL;
959
-@@ -2498,8 +2564,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
959
+@@ -2503,8 +2569,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
960 960
   * preference */
961 961
  STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
962 962
  {
@@ -967,7 +967,7 @@ index d75158e30c..926a7a04c5 100644
967 967
      return NULL;
968 968
  }
969 969
  
970
-@@ -2930,7 +2996,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
970
+@@ -2935,7 +3001,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
971 971
                                  ret->tls13_ciphersuites,
972 972
                                  &ret->cipher_list, &ret->cipher_list_by_id,
973 973
                                  SSL_DEFAULT_CIPHER_LIST, ret->cert)
@@ -976,7 +976,7 @@ index d75158e30c..926a7a04c5 100644
976 976
          SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
977 977
          goto err2;
978 978
      }
979
-@@ -3103,7 +3169,7 @@ void SSL_CTX_free(SSL_CTX *a)
979
+@@ -3111,7 +3177,7 @@ void SSL_CTX_free(SSL_CTX *a)
980 980
  #ifndef OPENSSL_NO_CT
981 981
      CTLOG_STORE_free(a->ctlog_store);
982 982
  #endif
@@ -985,7 +985,7 @@ index d75158e30c..926a7a04c5 100644
985 985
      sk_SSL_CIPHER_free(a->cipher_list_by_id);
986 986
      sk_SSL_CIPHER_free(a->tls13_ciphersuites);
987 987
      ssl_cert_free(a->cert);
988
-@@ -3752,13 +3818,15 @@ SSL *SSL_dup(SSL *s)
988
+@@ -3789,13 +3855,15 @@ SSL *SSL_dup(SSL *s)
989 989
  
990 990
      /* dup the cipher_list and cipher_list_by_id stacks */
991 991
      if (s->cipher_list != NULL) {
@@ -1004,12 +1004,12 @@ index d75158e30c..926a7a04c5 100644
1004 1004
 +    }
1005 1005
  
1006 1006
      /* Dup the client_CA list */
1007
-     if (s->ca_names != NULL) {
1007
+     if (!dup_ca_names(&ret->ca_names, s->ca_names)
1008 1008
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
1009
-index e8819e7a28..9afa488822 100644
1009
+index 70e5a1740f..d583840984 100644
1010 1010
 --- a/ssl/ssl_locl.h
1011 1011
 +++ b/ssl/ssl_locl.h
1012
-@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
1012
+@@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
1013 1013
      unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
1014 1014
  } SSL_CTX_EXT_SECURE;
1015 1015
  
@@ -1057,7 +1057,7 @@ index e8819e7a28..9afa488822 100644
1057 1057
      /* same as above but sorted for lookup */
1058 1058
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1059 1059
      /* TLSv1.3 specific ciphersuites */
1060
-@@ -1074,6 +1111,8 @@ struct ssl_st {
1060
+@@ -1080,6 +1117,8 @@ struct ssl_st {
1061 1061
       * DTLS1_VERSION)
1062 1062
       */
1063 1063
      int version;
@@ -1066,7 +1066,7 @@ index e8819e7a28..9afa488822 100644
1066 1066
      /* SSLv3 */
1067 1067
      const SSL_METHOD *method;
1068 1068
      /*
1069
-@@ -1132,7 +1171,7 @@ struct ssl_st {
1069
+@@ -1138,7 +1177,7 @@ struct ssl_st {
1070 1070
      /* Per connection DANE state */
1071 1071
      SSL_DANE dane;
1072 1072
      /* crypto */
@@ -1075,8 +1075,8 @@ index e8819e7a28..9afa488822 100644
1075 1075
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1076 1076
      /* TLSv1.3 specific ciphersuites */
1077 1077
      STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
1078
-@@ -2254,7 +2293,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
1079
- __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
1078
+@@ -2265,7 +2304,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
1079
+                                  const SSL_CIPHER *const *bp);
1080 1080
  __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1081 1081
                                                      STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
1082 1082
 -                                                    STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1084,7 +1084,7 @@ index e8819e7a28..9afa488822 100644
1084 1084
                                                      STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1085 1085
                                                      const char *rule_str,
1086 1086
                                                      CERT *c);
1087
-@@ -2264,6 +2303,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1087
+@@ -2275,6 +2314,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1088 1088
                                  STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
1089 1089
                                  int fatal);
1090 1090
  void ssl_update_cache(SSL *s, int mode);
@@ -1098,7 +1098,7 @@ index e8819e7a28..9afa488822 100644
1098 1098
  __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
1099 1099
                                const EVP_MD **md, int *mac_pkey_type,
1100 1100
                                size_t *mac_secret_size, SSL_COMP **comp,
1101
-@@ -2347,7 +2393,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1101
+@@ -2358,7 +2404,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1102 1102
                                              CERT_PKEY *cpk);
1103 1103
  __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
1104 1104
                                              STACK_OF(SSL_CIPHER) *clnt,
@@ -1108,10 +1108,10 @@ index e8819e7a28..9afa488822 100644
1108 1108
  __owur int ssl3_new(SSL *s);
1109 1109
  void ssl3_free(SSL *s);
1110 1110
 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
1111
-index 4b5e6fe2b8..99981c9e37 100644
1111
+index ab4dbf6713..745897b638 100644
1112 1112
 --- a/ssl/statem/extensions_clnt.c
1113 1113
 +++ b/ssl/statem/extensions_clnt.c
1114
-@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1114
+@@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1115 1115
          return EXT_RETURN_FAIL;
1116 1116
      }
1117 1117
  
@@ -1138,7 +1138,7 @@ index 4b5e6fe2b8..99981c9e37 100644
1138 1138
              SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1139 1139
                       SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1140 1140
                       ERR_R_INTERNAL_ERROR);
1141
-@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1141
+@@ -1763,6 +1780,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1142 1142
          return 0;
1143 1143
      }
1144 1144
  
@@ -1179,10 +1179,10 @@ index 0f2b22392b..6c1ce9813f 100644
1179 1179
          SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1180 1180
                   SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1181 1181
 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
1182
-index 508bb88767..ee927baf64 100644
1182
+index 4324896f50..d0de7ffe3d 100644
1183 1183
 --- a/ssl/statem/statem_lib.c
1184 1184
 +++ b/ssl/statem/statem_lib.c
1185
-@@ -1753,6 +1753,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1185
+@@ -1786,6 +1786,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1186 1186
          unsigned int best_vers = 0;
1187 1187
          const SSL_METHOD *best_method = NULL;
1188 1188
          PACKET versionslist;
@@ -1191,7 +1191,7 @@ index 508bb88767..ee927baf64 100644
1191 1191
  
1192 1192
          suppversions->parsed = 1;
1193 1193
  
1194
-@@ -1774,6 +1776,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1194
+@@ -1807,6 +1809,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1195 1195
              return SSL_R_BAD_LEGACY_VERSION;
1196 1196
  
1197 1197
          while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
@@ -1215,7 +1215,7 @@ index 508bb88767..ee927baf64 100644
1215 1215
              if (version_cmp(s, candidate_vers, best_vers) <= 0)
1216 1216
                  continue;
1217 1217
              if (ssl_version_supported(s, candidate_vers, &best_method))
1218
-@@ -1796,6 +1815,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1218
+@@ -1829,6 +1848,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1219 1219
              }
1220 1220
              check_for_downgrade(s, best_vers, dgrd);
1221 1221
              s->version = best_vers;
@@ -1226,10 +1226,10 @@ index 508bb88767..ee927baf64 100644
1226 1226
              return 0;
1227 1227
          }
1228 1228
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1229
-index 346b1e3989..0a747f39ce 100644
1229
+index e7c11c4bea..a2a6c1e44e 100644
1230 1230
 --- a/ssl/statem/statem_srvr.c
1231 1231
 +++ b/ssl/statem/statem_srvr.c
1232
-@@ -1742,7 +1742,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1232
+@@ -1744,7 +1744,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1233 1233
      /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
1234 1234
      if (SSL_IS_TLS13(s)) {
1235 1235
          const SSL_CIPHER *cipher =
@@ -1238,7 +1238,7 @@ index 346b1e3989..0a747f39ce 100644
1238 1238
  
1239 1239
          if (cipher == NULL) {
1240 1240
              SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1241
-@@ -1923,7 +1923,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1241
+@@ -1925,7 +1925,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1242 1242
              /* check if some cipher was preferred by call back */
1243 1243
              if (pref_cipher == NULL)
1244 1244
                  pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
@@ -1247,7 +1247,7 @@ index 346b1e3989..0a747f39ce 100644
1247 1247
              if (pref_cipher == NULL) {
1248 1248
                  SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1249 1249
                           SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1250
-@@ -1932,8 +1932,9 @@ static int tls_early_post_process_client_hello(SSL *s)
1250
+@@ -1934,8 +1934,9 @@ static int tls_early_post_process_client_hello(SSL *s)
1251 1251
              }
1252 1252
  
1253 1253
              s->session->cipher = pref_cipher;
@@ -1259,7 +1259,7 @@ index 346b1e3989..0a747f39ce 100644
1259 1259
              sk_SSL_CIPHER_free(s->cipher_list_by_id);
1260 1260
              s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1261 1261
          }
1262
-@@ -2245,7 +2246,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
1262
+@@ -2249,7 +2250,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
1263 1263
              /* In TLSv1.3 we selected the ciphersuite before resumption */
1264 1264
              if (!SSL_IS_TLS13(s)) {
1265 1265
                  cipher =

Loading…
Cancel
Save