Quellcode durchsuchen

Remove TLSv1.3 draft.

master
Hakase vor 1 Monat
Ursprung
Commit
d087771dc0
Signiert von: Hakase <hakase@hakase.app> GPG-Schlüssel-ID: BB2821A9E0DF48C9

+ 9
- 15
README.md Datei anzeigen

@@ -12,12 +12,10 @@
12 12
 
13 13
 ## Information
14 14
 
15
-- [Test Page - (TLS 1.3 draft 23, 26, 28, final)](https://ssl.hakase.io/)
15
+- [Test Page - (TLS 1.3 final)](https://ssl.hakase.io/)
16 16
 - [SSL Test Result - testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html)
17 17
 - [SSL Test Result - dev.ssllabs.com](https://dev.ssllabs.com/ssltest/analyze.html?d=hakase.io)
18
-- **If you link site to a browser that supports draft 23 or 26 or 28 or final, you'll see a TLS 1.3 message.**
19
-
20
-**Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_**
18
+- **If you link site to a browser that supports final, you'll see a TLS 1.3 message.**
21 19
 
22 20
 Displays TLSv1.3 support for large sites.
23 21
 
@@ -25,13 +23,13 @@ Default support is in bold type.
25 23
 - [Baidu(China)](https://baidu.cn/) : **TLSv1.2**
26 24
 - [Naver(Korea)](https://naver.com/) : **TLSv1.2**
27 25
 - [Twitter](https://twitter.com/) : **TLSv1.2**
28
-- [**My Site**](https://hakase.io/) : _TLSv1.3_ draft 23, 26, 28, **final**
26
+- [**My Site**](https://hakase.io/) : _TLSv1.3_ **final**
29 27
 - [Facebook](https://facebook.com/) : _TLSv1.3_ draft 23, 26, 28, **final**
30
-- [Cloudflare](https://cloudflare.com/) : _TLSv1.3_ draft 23, 28, **final**
31
-- [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ draft 23, 28, **final**
28
+- [Cloudflare](https://cloudflare.com/) : _TLSv1.3_ **final**
29
+- [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ **final**
32 30
 - [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ **final**
33 31
 
34
-[Compatible OpenSSL-3.0.0-dev (OpenSSL, 23204 commits)](https://github.com/openssl/openssl/tree/829800b0735ab99a0962418180cb076ff8081028)
32
+[Compatible OpenSSL-3.0.0-dev (OpenSSL, 23340 commits)](https://github.com/openssl/openssl/tree/1980ce45d6bdd2b57df7003d6b56b5df560b9064)
35 33
 
36 34
 ## Patch files
37 35
 
@@ -40,19 +38,15 @@ Default support is in bold type.
40 38
 You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)
41 39
 
42 40
 Here is the basic patch content.
43
-- Support TLS 1.3 draft 23 + 26 + 28 + final
44
-    - Server: draft 23 + 26 + 28 + final
45
-    - Client: draft 23 + 26 + 27 + 28 + final
46 41
 - BoringSSL's Equal Preference Patch
47 42
 - Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
48 43
 
49 44
 | Patch file name | Patch list |
50 45
 | :--- | :--- |
51
-| openssl-1.1.1a-tls13_draft.patch | Only for TLS 1.3 draft 23, 26, 28, final support patch. |
52 46
 | openssl-equal-1.1.1a.patch<br>openssl-equal-3.0.0-dev.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
53 47
 | openssl-equal-1.1.1a_ciphers.patch<br>openssl-equal-3.0.0-dev_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
54 48
 | openssl-1.1.1a-chacha_draft.patch<br>openssl-3.0.0-dev-chacha_draft.patch | A draft version of chacha20-poly1305 is available. [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427554824) |
55
-| openssl-1.1.1a-tls13_draft.patch | Enable TLS 1.3 draft 23, 26, 28, final. |
49
+| openssl-1.1.1a-tls13_draft.patch | Only for **TLS 1.3 draft 23, 26, 28, final support patch**. |
56 50
 | openssl-1.1.1a-tls13_nginx_config.patch | You can set TLS 1.3 ciphere in nginx. ex) TLS13+AESGCM+AES128 |
57 51
 | openssl-3.0.0-dev_version_error.patch | **TEST** This is a way to fix nginx when the following errors occur during the build:<br>Error: missing binary operator before token "("<br>Maybe patched: [https://github.com/openssl/openssl/pull/7839](https://github.com/openssl/openssl/pull/7839)<br>Patched : [https://github.com/openssl/openssl/commit/5d609f22d28615c45685d9da871d432e9cb81127](https://github.com/openssl/openssl/commit/5d609f22d28615c45685d9da871d432e9cb81127) |
58 52
 
@@ -162,12 +156,12 @@ ssl_ecdh_curve X25519:P-256:P-384;
162 156
 ssl_prefer_server_ciphers on;
163 157
 ```
164 158
 
165
-### OpenSSL-1.1.1a, 3.0.0-dev ciphers (draft 23, 26, 28, final)
159
+### OpenSSL-1.1.1a, 3.0.0-dev ciphers
166 160
 ```
167 161
 [EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
168 162
 ```
169 163
 
170
-### OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers (draft 23, 26, 28, final)
164
+### OpenSSL-1.1.1a_ciphers, 3.0.0-dev_ciphers ciphers
171 165
 ```
172 166
 [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
173 167
 ```

+ 27
- 27
openssl-3.0.0-dev-chacha_draft.patch Datei anzeigen

@@ -220,69 +220,69 @@ index 0d4612f314..5a3516d642 100644
220 220
  # endif
221 221
  #endif
222 222
 diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
223
-index 859795fa50..550e794fca 100644
223
+index 78a9e7acaf..15c712b291 100644
224 224
 --- a/crypto/objects/obj_dat.h
225 225
 +++ b/crypto/objects/obj_dat.h
226 226
 @@ -1079,7 +1079,7 @@ static const unsigned char so[7767] = {
227 227
      0x28,0xCC,0x45,0x03,0x04,                      /* [ 7761] OBJ_gmac */
228 228
  };
229 229
  
230
--#define NUM_NID 1201
231
-+#define NUM_NID 1202
230
+-#define NUM_NID 1203
231
++#define NUM_NID 1204
232 232
  static const ASN1_OBJECT nid_objs[NUM_NID] = {
233 233
      {"UNDEF", "undefined", NID_undef},
234 234
      {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
235
-@@ -2282,9 +2282,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
236
-     {"AES-128-SIV", "aes-128-siv", NID_aes_128_siv},
237
-     {"AES-192-SIV", "aes-192-siv", NID_aes_192_siv},
235
+@@ -2284,9 +2284,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
238 236
      {"AES-256-SIV", "aes-256-siv", NID_aes_256_siv},
237
+     {"BLAKE2BMAC", "blake2bmac", NID_blake2bmac},
238
+     {"BLAKE2SMAC", "blake2smac", NID_blake2smac},
239 239
 +    {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft },
240 240
  };
241 241
  
242
--#define NUM_SN 1192
243
-+#define NUM_SN 1193
242
+-#define NUM_SN 1194
243
++#define NUM_SN 1195
244 244
  static const unsigned int sn_objs[NUM_SN] = {
245 245
       364,    /* "AD_DVCS" */
246 246
       419,    /* "AES-128-CBC" */
247
-@@ -2405,6 +2406,7 @@ static const unsigned int sn_objs[NUM_SN] = {
247
+@@ -2409,6 +2410,7 @@ static const unsigned int sn_objs[NUM_SN] = {
248 248
       417,    /* "CSPName" */
249 249
      1019,    /* "ChaCha20" */
250 250
      1018,    /* "ChaCha20-Poly1305" */
251
-+    1201,    /* "chacha20-poly1305-draft" */
251
++    1203,    /* "chacha20-poly1305-draft" */
252 252
       367,    /* "CrlID" */
253 253
       391,    /* "DC" */
254 254
        31,    /* "DES-CBC" */
255
-@@ -3480,7 +3482,7 @@ static const unsigned int sn_objs[NUM_SN] = {
255
+@@ -3484,7 +3486,7 @@ static const unsigned int sn_objs[NUM_SN] = {
256 256
      1093,    /* "x509ExtAdmission" */
257 257
  };
258 258
  
259
--#define NUM_LN 1192
260
-+#define NUM_LN 1193
259
+-#define NUM_LN 1194
260
++#define NUM_LN 1195
261 261
  static const unsigned int ln_objs[NUM_LN] = {
262 262
       363,    /* "AD Time Stamping" */
263 263
       405,    /* "ANSI X9.62" */
264
-@@ -3862,6 +3864,7 @@ static const unsigned int ln_objs[NUM_LN] = {
264
+@@ -3868,6 +3870,7 @@ static const unsigned int ln_objs[NUM_LN] = {
265 265
       883,    /* "certificateRevocationList" */
266 266
      1019,    /* "chacha20" */
267 267
      1018,    /* "chacha20-poly1305" */
268
-+    1201,    /* "ChaCha20-Poly1305-D" */
268
++    1203,    /* "ChaCha20-Poly1305-D" */
269 269
        54,    /* "challengePassword" */
270 270
       407,    /* "characteristic-two-field" */
271 271
       395,    /* "clearance" */
272 272
 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
273
-index 021875d9e4..c13c751d74 100644
273
+index 87790200d4..94d033c158 100644
274 274
 --- a/crypto/objects/obj_mac.num
275 275
 +++ b/crypto/objects/obj_mac.num
276
-@@ -1198,3 +1198,4 @@ kmac256		1197
277
- aes_128_siv		1198
278
- aes_192_siv		1199
276
+@@ -1200,3 +1200,4 @@ aes_192_siv		1199
279 277
  aes_256_siv		1200
280
-+chacha20_poly1305_draft		1201
278
+ blake2bmac		1201
279
+ blake2smac		1202
280
++chacha20_poly1305_draft		1203
281 281
 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
282
-index 851e31e5aa..e5b288d999 100644
282
+index 344b67b395..21653d9b87 100644
283 283
 --- a/crypto/objects/objects.txt
284 284
 +++ b/crypto/objects/objects.txt
285
-@@ -1541,6 +1541,7 @@ sm-scheme 104 7         : SM4-CTR             : sm4-ctr
285
+@@ -1543,6 +1543,7 @@ sm-scheme 104 7         : SM4-CTR             : sm4-ctr
286 286
  			: AES-192-CBC-HMAC-SHA256	: aes-192-cbc-hmac-sha256
287 287
  			: AES-256-CBC-HMAC-SHA256	: aes-256-cbc-hmac-sha256
288 288
  			: ChaCha20-Poly1305		: chacha20-poly1305
@@ -291,7 +291,7 @@ index 851e31e5aa..e5b288d999 100644
291 291
  
292 292
  ISO-US 10046 2 1	: dhpublicnumber		: X9.42 DH
293 293
 diff --git a/include/openssl/evp.h b/include/openssl/evp.h
294
-index 9f1dbd4b8b..774f102e48 100644
294
+index 23f07eaa05..c90c6435bd 100644
295 295
 --- a/include/openssl/evp.h
296 296
 +++ b/include/openssl/evp.h
297 297
 @@ -928,6 +928,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
@@ -303,22 +303,22 @@ index 9f1dbd4b8b..774f102e48 100644
303 303
  # endif
304 304
  
305 305
 diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
306
-index 242eaeb6ce..c8960d0e5c 100644
306
+index 97b2204ba6..a9b341243a 100644
307 307
 --- a/include/openssl/obj_mac.h
308 308
 +++ b/include/openssl/obj_mac.h
309
-@@ -4824,6 +4824,10 @@
309
+@@ -4832,6 +4832,10 @@
310 310
  #define LN_chacha20             "chacha20"
311 311
  #define NID_chacha20            1019
312 312
  
313 313
 +#define SN_chacha20_poly1305_draft      "ChaCha20-Poly1305-D"
314 314
 +#define LN_chacha20_poly1305_draft      "chacha20-poly1305-draft"
315
-+#define NID_chacha20_poly1305_draft     1201
315
++#define NID_chacha20_poly1305_draft     1203
316 316
 +
317 317
  #define SN_dhpublicnumber               "dhpublicnumber"
318 318
  #define LN_dhpublicnumber               "X9.42 DH"
319 319
  #define NID_dhpublicnumber              920
320 320
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
321
-index c7a830445b..8aa020669d 100644
321
+index 35311acaf4..c2bce6822d 100644
322 322
 --- a/include/openssl/ssl.h
323 323
 +++ b/include/openssl/ssl.h
324 324
 @@ -125,6 +125,7 @@ extern "C" {

+ 0
- 202
openssl-equal-1.1.1a.patch Datei anzeigen

@@ -70,43 +70,6 @@ index 87b295c9f9..d118d8e864 100644
70 70
  # define SSL_R_UNEXPECTED_RECORD                          245
71 71
  # define SSL_R_UNINITIALIZED                              276
72 72
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
73
-diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
74
-index e13b5dd4bc..779341c948 100644
75
---- a/include/openssl/tls1.h
76
-+++ b/include/openssl/tls1.h
77
-@@ -30,6 +30,16 @@ extern "C" {
78
- # define TLS1_3_VERSION                  0x0304
79
- # define TLS_MAX_VERSION                 TLS1_3_VERSION
80
- 
81
-+/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
82
-+# define TLS1_3_VERSION_DRAFT_23         0x7f17
83
-+# define TLS1_3_VERSION_DRAFT_26         0x7f1a
84
-+# define TLS1_3_VERSION_DRAFT_27         0x7f1b
85
-+# define TLS1_3_VERSION_DRAFT            0x7f1c
86
-+# define TLS1_3_VERSION_DRAFT_TXT_23     "TLS 1.3 (draft 23)"
87
-+# define TLS1_3_VERSION_DRAFT_TXT_26     "TLS 1.3 (draft 26)"
88
-+# define TLS1_3_VERSION_DRAFT_TXT_27     "TLS 1.3 (draft 27)"
89
-+# define TLS1_3_VERSION_DRAFT_TXT        "TLS 1.3 (draft 28)"
90
-+
91
- /* Special value for method supporting multiple versions */
92
- # define TLS_ANY_VERSION                 0x10000
93
- 
94
-diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
95
-index a11ed483e6..4fd583dd03 100644
96
---- a/ssl/record/ssl3_record_tls13.c
97
-+++ b/ssl/record/ssl3_record_tls13.c
98
-@@ -173,8 +173,9 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
99
-     if (((alg_enc & SSL_AESCCM) != 0
100
-                  && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
101
-                                      (unsigned int)rec->length) <= 0)
102
--            || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
103
--                                sizeof(recheader)) <= 0
104
-+            || (s->version_draft != TLS1_3_VERSION_DRAFT_23
105
-+                 && EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
106
-+                                     sizeof(recheader)) <= 0)
107
-             || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
108
-                                 (unsigned int)rec->length) <= 0
109
-             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
110 73
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
111 74
 index 866ca4dfa9..7b98b670d2 100644
112 75
 --- a/ssl/s3_lib.c
@@ -1022,15 +985,6 @@ index 70e5a1740f..d583840984 100644
1022 985
      /* same as above but sorted for lookup */
1023 986
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1024 987
      /* TLSv1.3 specific ciphersuites */
1025
-@@ -1080,6 +1117,8 @@ struct ssl_st {
1026
-      * DTLS1_VERSION)
1027
-      */
1028
-     int version;
1029
-+    /* TODO(TLS1.3): Remove this before release */
1030
-+    int version_draft;
1031
-     /* SSLv3 */
1032
-     const SSL_METHOD *method;
1033
-     /*
1034 988
 @@ -1138,7 +1177,7 @@ struct ssl_st {
1035 989
      /* Per connection DANE state */
1036 990
      SSL_DANE dane;
@@ -1072,124 +1026,6 @@ index 70e5a1740f..d583840984 100644
1072 1026
  __owur int ssl3_digest_cached_records(SSL *s, int keep);
1073 1027
  __owur int ssl3_new(SSL *s);
1074 1028
  void ssl3_free(SSL *s);
1075
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
1076
-index ab4dbf6713..745897b638 100644
1077
---- a/ssl/statem/extensions_clnt.c
1078
-+++ b/ssl/statem/extensions_clnt.c
1079
-@@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1080
-         return EXT_RETURN_FAIL;
1081
-     }
1082
- 
1083
-+    /*
1084
-+     * TODO(TLS1.3): There is some discussion on the TLS list as to whether
1085
-+     * we should include versions <TLS1.2. For the moment we do. To be
1086
-+     * reviewed later.
1087
-+     */
1088
-     for (currv = max_version; currv >= min_version; currv--) {
1089
--        if (!WPACKET_put_bytes_u16(pkt, currv)) {
1090
-+        /* TODO(TLS1.3): Remove this first if clause prior to release!! */
1091
-+        if (currv == TLS1_3_VERSION) {
1092
-+            if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1093
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1094
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27)
1095
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)
1096
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_23)) {
1097
-+                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1098
-+                         SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1099
-+                         ERR_R_INTERNAL_ERROR);
1100
-+                return EXT_RETURN_FAIL;
1101
-+            }
1102
-+        } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
1103
-             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1104
-                      SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1105
-                      ERR_R_INTERNAL_ERROR);
1106
-@@ -1763,6 +1780,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1107
-         return 0;
1108
-     }
1109
- 
1110
-+    /* TODO(TLS1.3): Remove this before release */
1111
-+    if (version == TLS1_3_VERSION_DRAFT
1112
-+            || version == TLS1_3_VERSION_DRAFT_27
1113
-+            || version == TLS1_3_VERSION_DRAFT_26
1114
-+            || version == TLS1_3_VERSION_DRAFT_23) {
1115
-+        s->version_draft = version;
1116
-+        version = TLS1_3_VERSION;
1117
-+    }
1118
-+
1119
-     /*
1120
-      * The only protocol version we support which is valid in this extension in
1121
-      * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1122
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
1123
-index 0f2b22392b..6c1ce9813f 100644
1124
---- a/ssl/statem/extensions_srvr.c
1125
-+++ b/ssl/statem/extensions_srvr.c
1126
-@@ -897,7 +897,8 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1127
-     }
1128
-     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
1129
-             || !WPACKET_start_sub_packet_u16(&hrrpkt)
1130
--            || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
1131
-+               /* TODO(TLS1.3): Fix this before release */
1132
-+            || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft)
1133
-             || !WPACKET_close(&hrrpkt)) {
1134
-         WPACKET_cleanup(&hrrpkt);
1135
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
1136
-@@ -1652,7 +1653,8 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1137
- 
1138
-     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1139
-             || !WPACKET_start_sub_packet_u16(pkt)
1140
--            || !WPACKET_put_bytes_u16(pkt, s->version)
1141
-+                /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1142
-+            || !WPACKET_put_bytes_u16(pkt, s->version_draft)
1143
-             || !WPACKET_close(pkt)) {
1144
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1145
-                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1146
-diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
1147
-index 4324896f50..d0de7ffe3d 100644
1148
---- a/ssl/statem/statem_lib.c
1149
-+++ b/ssl/statem/statem_lib.c
1150
-@@ -1786,6 +1786,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1151
-         unsigned int best_vers = 0;
1152
-         const SSL_METHOD *best_method = NULL;
1153
-         PACKET versionslist;
1154
-+        /* TODO(TLS1.3): Remove this before release */
1155
-+        unsigned int orig_candidate = 0;
1156
- 
1157
-         suppversions->parsed = 1;
1158
- 
1159
-@@ -1807,6 +1809,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1160
-             return SSL_R_BAD_LEGACY_VERSION;
1161
- 
1162
-         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1163
-+            /* TODO(TLS1.3): Remove this before release */
1164
-+            if (candidate_vers == TLS1_3_VERSION
1165
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT
1166
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_26
1167
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_23) {
1168
-+                if (best_vers == TLS1_3_VERSION
1169
-+                        && (orig_candidate > candidate_vers
1170
-+                        || orig_candidate == TLS1_3_VERSION))
1171
-+                    continue;
1172
-+                orig_candidate = candidate_vers;
1173
-+                candidate_vers = TLS1_3_VERSION;
1174
-+            }
1175
-+            /*
1176
-+             * TODO(TLS1.3): There is some discussion on the TLS list about
1177
-+             * whether to ignore versions <TLS1.2 in supported_versions. At the
1178
-+             * moment we honour them if present. To be reviewed later
1179
-+             */
1180
-             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1181
-                 continue;
1182
-             if (ssl_version_supported(s, candidate_vers, &best_method))
1183
-@@ -1829,6 +1848,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1184
-             }
1185
-             check_for_downgrade(s, best_vers, dgrd);
1186
-             s->version = best_vers;
1187
-+            /* TODO(TLS1.3): Remove this before release */
1188
-+            if (best_vers == TLS1_3_VERSION)
1189
-+                s->version_draft = orig_candidate;
1190
-             s->method = best_method;
1191
-             return 0;
1192
-         }
1193 1029
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1194 1030
 index e7c11c4bea..a2a6c1e44e 100644
1195 1031
 --- a/ssl/statem/statem_srvr.c
@@ -1233,41 +1069,3 @@ index e7c11c4bea..a2a6c1e44e 100644
1233 1069
  
1234 1070
                  if (cipher == NULL) {
1235 1071
                      SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1236
-diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
1237
-index be3039af38..99c4ddcb41 100644
1238
---- a/ssl/t1_trce.c
1239
-+++ b/ssl/t1_trce.c
1240
-@@ -65,6 +65,11 @@ static const ssl_trace_tbl ssl_version_tbl[] = {
1241
-     {TLS1_1_VERSION, "TLS 1.1"},
1242
-     {TLS1_2_VERSION, "TLS 1.2"},
1243
-     {TLS1_3_VERSION, "TLS 1.3"},
1244
-+    /* TODO(TLS1.3): Remove these lines before release */
1245
-+    {TLS1_3_VERSION_DRAFT_23, TLS1_3_VERSION_DRAFT_TXT_23},
1246
-+    {TLS1_3_VERSION_DRAFT_26, TLS1_3_VERSION_DRAFT_TXT_26},
1247
-+    {TLS1_3_VERSION_DRAFT_27, TLS1_3_VERSION_DRAFT_TXT_27},
1248
-+    {TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT},
1249
-     {DTLS1_VERSION, "DTLS 1.0"},
1250
-     {DTLS1_2_VERSION, "DTLS 1.2"},
1251
-     {DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
1252
-@@ -638,8 +643,19 @@ static int ssl_print_version(BIO *bio, int indent, const char *name,
1253
-     if (*pmsglen < 2)
1254
-         return 0;
1255
-     vers = ((*pmsg)[0] << 8) | (*pmsg)[1];
1256
--    if (version != NULL)
1257
--        *version = vers;
1258
-+    if (version != NULL) {
1259
-+        /* TODO(TLS1.3): Remove the draft conditional here before release */
1260
-+        switch(vers) {
1261
-+        case TLS1_3_VERSION_DRAFT_23:
1262
-+        case TLS1_3_VERSION_DRAFT_26:
1263
-+        case TLS1_3_VERSION_DRAFT_27:
1264
-+        case TLS1_3_VERSION_DRAFT:
1265
-+            *version = TLS1_3_VERSION;
1266
-+            break;
1267
-+        default:
1268
-+            *version = vers;
1269
-+        }
1270
-+    }
1271
-     BIO_indent(bio, indent, 80);
1272
-     BIO_printf(bio, "%s=0x%x (%s)\n",
1273
-                name, vers, ssl_trace_str(vers, ssl_version_tbl));

+ 0
- 202
openssl-equal-1.1.1a_ciphers.patch Datei anzeigen

@@ -49,43 +49,6 @@ index 87b295c9f9..d118d8e864 100644
49 49
  # define SSL_R_UNEXPECTED_RECORD                          245
50 50
  # define SSL_R_UNINITIALIZED                              276
51 51
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
52
-diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
53
-index e13b5dd4bc..779341c948 100644
54
---- a/include/openssl/tls1.h
55
-+++ b/include/openssl/tls1.h
56
-@@ -30,6 +30,16 @@ extern "C" {
57
- # define TLS1_3_VERSION                  0x0304
58
- # define TLS_MAX_VERSION                 TLS1_3_VERSION
59
- 
60
-+/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
61
-+# define TLS1_3_VERSION_DRAFT_23         0x7f17
62
-+# define TLS1_3_VERSION_DRAFT_26         0x7f1a
63
-+# define TLS1_3_VERSION_DRAFT_27         0x7f1b
64
-+# define TLS1_3_VERSION_DRAFT            0x7f1c
65
-+# define TLS1_3_VERSION_DRAFT_TXT_23     "TLS 1.3 (draft 23)"
66
-+# define TLS1_3_VERSION_DRAFT_TXT_26     "TLS 1.3 (draft 26)"
67
-+# define TLS1_3_VERSION_DRAFT_TXT_27     "TLS 1.3 (draft 27)"
68
-+# define TLS1_3_VERSION_DRAFT_TXT        "TLS 1.3 (draft 28)"
69
-+
70
- /* Special value for method supporting multiple versions */
71
- # define TLS_ANY_VERSION                 0x10000
72
- 
73
-diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
74
-index a11ed483e6..4fd583dd03 100644
75
---- a/ssl/record/ssl3_record_tls13.c
76
-+++ b/ssl/record/ssl3_record_tls13.c
77
-@@ -173,8 +173,9 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
78
-     if (((alg_enc & SSL_AESCCM) != 0
79
-                  && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
80
-                                      (unsigned int)rec->length) <= 0)
81
--            || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
82
--                                sizeof(recheader)) <= 0
83
-+            || (s->version_draft != TLS1_3_VERSION_DRAFT_23
84
-+                 && EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
85
-+                                     sizeof(recheader)) <= 0)
86
-             || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
87
-                                 (unsigned int)rec->length) <= 0
88
-             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
89 52
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
90 53
 index 866ca4dfa9..1b6b99cb19 100644
91 54
 --- a/ssl/s3_lib.c
@@ -1057,15 +1020,6 @@ index 70e5a1740f..d583840984 100644
1057 1020
      /* same as above but sorted for lookup */
1058 1021
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1059 1022
      /* TLSv1.3 specific ciphersuites */
1060
-@@ -1080,6 +1117,8 @@ struct ssl_st {
1061
-      * DTLS1_VERSION)
1062
-      */
1063
-     int version;
1064
-+    /* TODO(TLS1.3): Remove this before release */
1065
-+    int version_draft;
1066
-     /* SSLv3 */
1067
-     const SSL_METHOD *method;
1068
-     /*
1069 1023
 @@ -1138,7 +1177,7 @@ struct ssl_st {
1070 1024
      /* Per connection DANE state */
1071 1025
      SSL_DANE dane;
@@ -1107,124 +1061,6 @@ index 70e5a1740f..d583840984 100644
1107 1061
  __owur int ssl3_digest_cached_records(SSL *s, int keep);
1108 1062
  __owur int ssl3_new(SSL *s);
1109 1063
  void ssl3_free(SSL *s);
1110
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
1111
-index ab4dbf6713..745897b638 100644
1112
---- a/ssl/statem/extensions_clnt.c
1113
-+++ b/ssl/statem/extensions_clnt.c
1114
-@@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1115
-         return EXT_RETURN_FAIL;
1116
-     }
1117
- 
1118
-+    /*
1119
-+     * TODO(TLS1.3): There is some discussion on the TLS list as to whether
1120
-+     * we should include versions <TLS1.2. For the moment we do. To be
1121
-+     * reviewed later.
1122
-+     */
1123
-     for (currv = max_version; currv >= min_version; currv--) {
1124
--        if (!WPACKET_put_bytes_u16(pkt, currv)) {
1125
-+        /* TODO(TLS1.3): Remove this first if clause prior to release!! */
1126
-+        if (currv == TLS1_3_VERSION) {
1127
-+            if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1128
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1129
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27)
1130
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)
1131
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_23)) {
1132
-+                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1133
-+                         SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1134
-+                         ERR_R_INTERNAL_ERROR);
1135
-+                return EXT_RETURN_FAIL;
1136
-+            }
1137
-+        } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
1138
-             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1139
-                      SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1140
-                      ERR_R_INTERNAL_ERROR);
1141
-@@ -1763,6 +1780,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1142
-         return 0;
1143
-     }
1144
- 
1145
-+    /* TODO(TLS1.3): Remove this before release */
1146
-+    if (version == TLS1_3_VERSION_DRAFT
1147
-+            || version == TLS1_3_VERSION_DRAFT_27
1148
-+            || version == TLS1_3_VERSION_DRAFT_26
1149
-+            || version == TLS1_3_VERSION_DRAFT_23) {
1150
-+        s->version_draft = version;
1151
-+        version = TLS1_3_VERSION;
1152
-+    }
1153
-+
1154
-     /*
1155
-      * The only protocol version we support which is valid in this extension in
1156
-      * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1157
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
1158
-index 0f2b22392b..6c1ce9813f 100644
1159
---- a/ssl/statem/extensions_srvr.c
1160
-+++ b/ssl/statem/extensions_srvr.c
1161
-@@ -897,7 +897,8 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1162
-     }
1163
-     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
1164
-             || !WPACKET_start_sub_packet_u16(&hrrpkt)
1165
--            || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
1166
-+               /* TODO(TLS1.3): Fix this before release */
1167
-+            || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft)
1168
-             || !WPACKET_close(&hrrpkt)) {
1169
-         WPACKET_cleanup(&hrrpkt);
1170
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
1171
-@@ -1652,7 +1653,8 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1172
- 
1173
-     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1174
-             || !WPACKET_start_sub_packet_u16(pkt)
1175
--            || !WPACKET_put_bytes_u16(pkt, s->version)
1176
-+                /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1177
-+            || !WPACKET_put_bytes_u16(pkt, s->version_draft)
1178
-             || !WPACKET_close(pkt)) {
1179
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1180
-                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1181
-diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
1182
-index 4324896f50..d0de7ffe3d 100644
1183
---- a/ssl/statem/statem_lib.c
1184
-+++ b/ssl/statem/statem_lib.c
1185
-@@ -1786,6 +1786,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1186
-         unsigned int best_vers = 0;
1187
-         const SSL_METHOD *best_method = NULL;
1188
-         PACKET versionslist;
1189
-+        /* TODO(TLS1.3): Remove this before release */
1190
-+        unsigned int orig_candidate = 0;
1191
- 
1192
-         suppversions->parsed = 1;
1193
- 
1194
-@@ -1807,6 +1809,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1195
-             return SSL_R_BAD_LEGACY_VERSION;
1196
- 
1197
-         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1198
-+            /* TODO(TLS1.3): Remove this before release */
1199
-+            if (candidate_vers == TLS1_3_VERSION
1200
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT
1201
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_26
1202
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_23) {
1203
-+                if (best_vers == TLS1_3_VERSION
1204
-+                        && (orig_candidate > candidate_vers
1205
-+                        || orig_candidate == TLS1_3_VERSION))
1206
-+                    continue;
1207
-+                orig_candidate = candidate_vers;
1208
-+                candidate_vers = TLS1_3_VERSION;
1209
-+            }
1210
-+            /*
1211
-+             * TODO(TLS1.3): There is some discussion on the TLS list about
1212
-+             * whether to ignore versions <TLS1.2 in supported_versions. At the
1213
-+             * moment we honour them if present. To be reviewed later
1214
-+             */
1215
-             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1216
-                 continue;
1217
-             if (ssl_version_supported(s, candidate_vers, &best_method))
1218
-@@ -1829,6 +1848,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1219
-             }
1220
-             check_for_downgrade(s, best_vers, dgrd);
1221
-             s->version = best_vers;
1222
-+            /* TODO(TLS1.3): Remove this before release */
1223
-+            if (best_vers == TLS1_3_VERSION)
1224
-+                s->version_draft = orig_candidate;
1225
-             s->method = best_method;
1226
-             return 0;
1227
-         }
1228 1064
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1229 1065
 index e7c11c4bea..a2a6c1e44e 100644
1230 1066
 --- a/ssl/statem/statem_srvr.c
@@ -1268,41 +1104,3 @@ index e7c11c4bea..a2a6c1e44e 100644
1268 1104
  
1269 1105
                  if (cipher == NULL) {
1270 1106
                      SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1271
-diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
1272
-index be3039af38..99c4ddcb41 100644
1273
---- a/ssl/t1_trce.c
1274
-+++ b/ssl/t1_trce.c
1275
-@@ -65,6 +65,11 @@ static const ssl_trace_tbl ssl_version_tbl[] = {
1276
-     {TLS1_1_VERSION, "TLS 1.1"},
1277
-     {TLS1_2_VERSION, "TLS 1.2"},
1278
-     {TLS1_3_VERSION, "TLS 1.3"},
1279
-+    /* TODO(TLS1.3): Remove these lines before release */
1280
-+    {TLS1_3_VERSION_DRAFT_23, TLS1_3_VERSION_DRAFT_TXT_23},
1281
-+    {TLS1_3_VERSION_DRAFT_26, TLS1_3_VERSION_DRAFT_TXT_26},
1282
-+    {TLS1_3_VERSION_DRAFT_27, TLS1_3_VERSION_DRAFT_TXT_27},
1283
-+    {TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT},
1284
-     {DTLS1_VERSION, "DTLS 1.0"},
1285
-     {DTLS1_2_VERSION, "DTLS 1.2"},
1286
-     {DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
1287
-@@ -638,8 +643,19 @@ static int ssl_print_version(BIO *bio, int indent, const char *name,
1288
-     if (*pmsglen < 2)
1289
-         return 0;
1290
-     vers = ((*pmsg)[0] << 8) | (*pmsg)[1];
1291
--    if (version != NULL)
1292
--        *version = vers;
1293
-+    if (version != NULL) {
1294
-+        /* TODO(TLS1.3): Remove the draft conditional here before release */
1295
-+        switch(vers) {
1296
-+        case TLS1_3_VERSION_DRAFT_23:
1297
-+        case TLS1_3_VERSION_DRAFT_26:
1298
-+        case TLS1_3_VERSION_DRAFT_27:
1299
-+        case TLS1_3_VERSION_DRAFT:
1300
-+            *version = TLS1_3_VERSION;
1301
-+            break;
1302
-+        default:
1303
-+            *version = vers;
1304
-+        }
1305
-+    }
1306
-     BIO_indent(bio, indent, 80);
1307
-     BIO_printf(bio, "%s=0x%x (%s)\n",
1308
-                name, vers, ssl_trace_str(vers, ssl_version_tbl));

+ 0
- 202
openssl-equal-3.0.0-dev.patch Datei anzeigen

@@ -70,43 +70,6 @@ index f8783717bc..0e7ad2818b 100644
70 70
  # define SSL_R_UNEXPECTED_RECORD                          245
71 71
  # define SSL_R_UNINITIALIZED                              276
72 72
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
73
-diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
74
-index 166f15ad5c..3205f1cbfb 100644
75
---- a/include/openssl/tls1.h
76
-+++ b/include/openssl/tls1.h
77
-@@ -32,6 +32,16 @@ extern "C" {
78
- #  define TLS_MAX_VERSION                TLS1_3_VERSION
79
- # endif
80
- 
81
-+/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
82
-+# define TLS1_3_VERSION_DRAFT_23         0x7f17
83
-+# define TLS1_3_VERSION_DRAFT_26         0x7f1a
84
-+# define TLS1_3_VERSION_DRAFT_27         0x7f1b
85
-+# define TLS1_3_VERSION_DRAFT            0x7f1c
86
-+# define TLS1_3_VERSION_DRAFT_TXT_23     "TLS 1.3 (draft 23)"
87
-+# define TLS1_3_VERSION_DRAFT_TXT_26     "TLS 1.3 (draft 26)"
88
-+# define TLS1_3_VERSION_DRAFT_TXT_27     "TLS 1.3 (draft 27)"
89
-+# define TLS1_3_VERSION_DRAFT_TXT        "TLS 1.3 (draft 28)"
90
-+
91
- /* Special value for method supporting multiple versions */
92
- # define TLS_ANY_VERSION                 0x10000
93
- 
94
-diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
95
-index 30e5dddf82..4f1c2f2bd1 100644
96
---- a/ssl/record/ssl3_record_tls13.c
97
-+++ b/ssl/record/ssl3_record_tls13.c
98
-@@ -173,8 +173,9 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
99
-     if (((alg_enc & SSL_AESCCM) != 0
100
-                  && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
101
-                                      (unsigned int)rec->length) <= 0)
102
--            || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
103
--                                sizeof(recheader)) <= 0
104
-+            || (s->version_draft != TLS1_3_VERSION_DRAFT_23
105
-+                 && EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
106
-+                                     sizeof(recheader)) <= 0)
107
-             || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
108
-                                 (unsigned int)rec->length) <= 0
109
-             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
110 73
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
111 74
 index a5b3dbbfd5..505c32d18e 100644
112 75
 --- a/ssl/s3_lib.c
@@ -1022,15 +985,6 @@ index bd0d4210f4..2c96db0618 100644
1022 985
      /* same as above but sorted for lookup */
1023 986
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1024 987
      /* TLSv1.3 specific ciphersuites */
1025
-@@ -1088,6 +1125,8 @@ struct ssl_st {
1026
-      * DTLS1_VERSION)
1027
-      */
1028
-     int version;
1029
-+    /* TODO(TLS1.3): Remove this before release */
1030
-+    int version_draft;
1031
-     /* SSLv3 */
1032
-     const SSL_METHOD *method;
1033
-     /*
1034 988
 @@ -1146,7 +1185,7 @@ struct ssl_st {
1035 989
      /* Per connection DANE state */
1036 990
      SSL_DANE dane;
@@ -1072,124 +1026,6 @@ index bd0d4210f4..2c96db0618 100644
1072 1026
  __owur int ssl3_digest_cached_records(SSL *s, int keep);
1073 1027
  __owur int ssl3_new(SSL *s);
1074 1028
  void ssl3_free(SSL *s);
1075
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
1076
-index 6e133e026e..f26bc8e879 100644
1077
---- a/ssl/statem/extensions_clnt.c
1078
-+++ b/ssl/statem/extensions_clnt.c
1079
-@@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1080
-         return EXT_RETURN_FAIL;
1081
-     }
1082
- 
1083
-+    /*
1084
-+     * TODO(TLS1.3): There is some discussion on the TLS list as to whether
1085
-+     * we should include versions <TLS1.2. For the moment we do. To be
1086
-+     * reviewed later.
1087
-+     */
1088
-     for (currv = max_version; currv >= min_version; currv--) {
1089
--        if (!WPACKET_put_bytes_u16(pkt, currv)) {
1090
-+        /* TODO(TLS1.3): Remove this first if clause prior to release!! */
1091
-+        if (currv == TLS1_3_VERSION) {
1092
-+            if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1093
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1094
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27)
1095
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)
1096
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_23)) {
1097
-+                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1098
-+                         SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1099
-+                         ERR_R_INTERNAL_ERROR);
1100
-+                return EXT_RETURN_FAIL;
1101
-+            }
1102
-+        } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
1103
-             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1104
-                      SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1105
-                      ERR_R_INTERNAL_ERROR);
1106
-@@ -1763,6 +1780,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1107
-         return 0;
1108
-     }
1109
- 
1110
-+    /* TODO(TLS1.3): Remove this before release */
1111
-+    if (version == TLS1_3_VERSION_DRAFT
1112
-+            || version == TLS1_3_VERSION_DRAFT_27
1113
-+            || version == TLS1_3_VERSION_DRAFT_26
1114
-+            || version == TLS1_3_VERSION_DRAFT_23) {
1115
-+        s->version_draft = version;
1116
-+        version = TLS1_3_VERSION;
1117
-+    }
1118
-+
1119
-     /*
1120
-      * The only protocol version we support which is valid in this extension in
1121
-      * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1122
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
1123
-index 6545f5727d..15786a7bfc 100644
1124
---- a/ssl/statem/extensions_srvr.c
1125
-+++ b/ssl/statem/extensions_srvr.c
1126
-@@ -897,7 +897,8 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1127
-     }
1128
-     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
1129
-             || !WPACKET_start_sub_packet_u16(&hrrpkt)
1130
--            || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
1131
-+               /* TODO(TLS1.3): Fix this before release */
1132
-+            || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft)
1133
-             || !WPACKET_close(&hrrpkt)) {
1134
-         WPACKET_cleanup(&hrrpkt);
1135
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
1136
-@@ -1652,7 +1653,8 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1137
- 
1138
-     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1139
-             || !WPACKET_start_sub_packet_u16(pkt)
1140
--            || !WPACKET_put_bytes_u16(pkt, s->version)
1141
-+                /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1142
-+            || !WPACKET_put_bytes_u16(pkt, s->version_draft)
1143
-             || !WPACKET_close(pkt)) {
1144
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1145
-                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1146
-diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
1147
-index 2f78a3f602..5d5121d12b 100644
1148
---- a/ssl/statem/statem_lib.c
1149
-+++ b/ssl/statem/statem_lib.c
1150
-@@ -1770,6 +1770,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1151
-         unsigned int best_vers = 0;
1152
-         const SSL_METHOD *best_method = NULL;
1153
-         PACKET versionslist;
1154
-+        /* TODO(TLS1.3): Remove this before release */
1155
-+        unsigned int orig_candidate = 0;
1156
- 
1157
-         suppversions->parsed = 1;
1158
- 
1159
-@@ -1791,6 +1793,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1160
-             return SSL_R_BAD_LEGACY_VERSION;
1161
- 
1162
-         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1163
-+            /* TODO(TLS1.3): Remove this before release */
1164
-+            if (candidate_vers == TLS1_3_VERSION
1165
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT
1166
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_26
1167
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_23) {
1168
-+                if (best_vers == TLS1_3_VERSION
1169
-+                        && (orig_candidate > candidate_vers
1170
-+                        || orig_candidate == TLS1_3_VERSION))
1171
-+                    continue;
1172
-+                orig_candidate = candidate_vers;
1173
-+                candidate_vers = TLS1_3_VERSION;
1174
-+            }
1175
-+            /*
1176
-+             * TODO(TLS1.3): There is some discussion on the TLS list about
1177
-+             * whether to ignore versions <TLS1.2 in supported_versions. At the
1178
-+             * moment we honour them if present. To be reviewed later
1179
-+             */
1180
-             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1181
-                 continue;
1182
-             if (ssl_version_supported(s, candidate_vers, &best_method))
1183
-@@ -1813,6 +1832,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1184
-             }
1185
-             check_for_downgrade(s, best_vers, dgrd);
1186
-             s->version = best_vers;
1187
-+            /* TODO(TLS1.3): Remove this before release */
1188
-+            if (best_vers == TLS1_3_VERSION)
1189
-+                s->version_draft = orig_candidate;
1190
-             s->method = best_method;
1191
-             return 0;
1192
-         }
1193 1029
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1194 1030
 index b0dd54903d..1d096858f8 100644
1195 1031
 --- a/ssl/statem/statem_srvr.c
@@ -1233,41 +1069,3 @@ index b0dd54903d..1d096858f8 100644
1233 1069
  
1234 1070
                  if (cipher == NULL) {
1235 1071
                      SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1236
-diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
1237
-index 656fefe896..654271f368 100644
1238
---- a/ssl/t1_trce.c
1239
-+++ b/ssl/t1_trce.c
1240
-@@ -65,6 +65,11 @@ static const ssl_trace_tbl ssl_version_tbl[] = {
1241
-     {TLS1_1_VERSION, "TLS 1.1"},
1242
-     {TLS1_2_VERSION, "TLS 1.2"},
1243
-     {TLS1_3_VERSION, "TLS 1.3"},
1244
-+    /* TODO(TLS1.3): Remove these lines before release */
1245
-+    {TLS1_3_VERSION_DRAFT_23, TLS1_3_VERSION_DRAFT_TXT_23},
1246
-+    {TLS1_3_VERSION_DRAFT_26, TLS1_3_VERSION_DRAFT_TXT_26},
1247
-+    {TLS1_3_VERSION_DRAFT_27, TLS1_3_VERSION_DRAFT_TXT_27},
1248
-+    {TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT},
1249
-     {DTLS1_VERSION, "DTLS 1.0"},
1250
-     {DTLS1_2_VERSION, "DTLS 1.2"},
1251
-     {DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
1252
-@@ -638,8 +643,19 @@ static int ssl_print_version(BIO *bio, int indent, const char *name,
1253
-     if (*pmsglen < 2)
1254
-         return 0;
1255
-     vers = ((*pmsg)[0] << 8) | (*pmsg)[1];
1256
--    if (version != NULL)
1257
--        *version = vers;
1258
-+    if (version != NULL) {
1259
-+        /* TODO(TLS1.3): Remove the draft conditional here before release */
1260
-+        switch(vers) {
1261
-+        case TLS1_3_VERSION_DRAFT_23:
1262
-+        case TLS1_3_VERSION_DRAFT_26:
1263
-+        case TLS1_3_VERSION_DRAFT_27:
1264
-+        case TLS1_3_VERSION_DRAFT:
1265
-+            *version = TLS1_3_VERSION;
1266
-+            break;
1267
-+        default:
1268
-+            *version = vers;
1269
-+        }
1270
-+    }
1271
-     BIO_indent(bio, indent, 80);
1272
-     BIO_printf(bio, "%s=0x%x (%s)\n",
1273
-                name, vers, ssl_trace_str(vers, ssl_version_tbl));

+ 0
- 202
openssl-equal-3.0.0-dev_ciphers.patch Datei anzeigen

@@ -49,43 +49,6 @@ index f8783717bc..0e7ad2818b 100644
49 49
  # define SSL_R_UNEXPECTED_RECORD                          245
50 50
  # define SSL_R_UNINITIALIZED                              276
51 51
  # define SSL_R_UNKNOWN_ALERT_TYPE                         246
52
-diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
53
-index 166f15ad5c..3205f1cbfb 100644
54
---- a/include/openssl/tls1.h
55
-+++ b/include/openssl/tls1.h
56
-@@ -32,6 +32,16 @@ extern "C" {
57
- #  define TLS_MAX_VERSION                TLS1_3_VERSION
58
- # endif
59
- 
60
-+/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
61
-+# define TLS1_3_VERSION_DRAFT_23         0x7f17
62
-+# define TLS1_3_VERSION_DRAFT_26         0x7f1a
63
-+# define TLS1_3_VERSION_DRAFT_27         0x7f1b
64
-+# define TLS1_3_VERSION_DRAFT            0x7f1c
65
-+# define TLS1_3_VERSION_DRAFT_TXT_23     "TLS 1.3 (draft 23)"
66
-+# define TLS1_3_VERSION_DRAFT_TXT_26     "TLS 1.3 (draft 26)"
67
-+# define TLS1_3_VERSION_DRAFT_TXT_27     "TLS 1.3 (draft 27)"
68
-+# define TLS1_3_VERSION_DRAFT_TXT        "TLS 1.3 (draft 28)"
69
-+
70
- /* Special value for method supporting multiple versions */
71
- # define TLS_ANY_VERSION                 0x10000
72
- 
73
-diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
74
-index 30e5dddf82..4f1c2f2bd1 100644
75
---- a/ssl/record/ssl3_record_tls13.c
76
-+++ b/ssl/record/ssl3_record_tls13.c
77
-@@ -173,8 +173,9 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
78
-     if (((alg_enc & SSL_AESCCM) != 0
79
-                  && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
80
-                                      (unsigned int)rec->length) <= 0)
81
--            || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
82
--                                sizeof(recheader)) <= 0
83
-+            || (s->version_draft != TLS1_3_VERSION_DRAFT_23
84
-+                 && EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
85
-+                                     sizeof(recheader)) <= 0)
86
-             || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
87
-                                 (unsigned int)rec->length) <= 0
88
-             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
89 52
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
90 53
 index a5b3dbbfd5..6dd4ad4b68 100644
91 54
 --- a/ssl/s3_lib.c
@@ -1057,15 +1020,6 @@ index bd0d4210f4..2c96db0618 100644
1057 1020
      /* same as above but sorted for lookup */
1058 1021
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1059 1022
      /* TLSv1.3 specific ciphersuites */
1060
-@@ -1088,6 +1125,8 @@ struct ssl_st {
1061
-      * DTLS1_VERSION)
1062
-      */
1063
-     int version;
1064
-+    /* TODO(TLS1.3): Remove this before release */
1065
-+    int version_draft;
1066
-     /* SSLv3 */
1067
-     const SSL_METHOD *method;
1068
-     /*
1069 1023
 @@ -1146,7 +1185,7 @@ struct ssl_st {
1070 1024
      /* Per connection DANE state */
1071 1025
      SSL_DANE dane;
@@ -1107,124 +1061,6 @@ index bd0d4210f4..2c96db0618 100644
1107 1061
  __owur int ssl3_digest_cached_records(SSL *s, int keep);
1108 1062
  __owur int ssl3_new(SSL *s);
1109 1063
  void ssl3_free(SSL *s);
1110
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
1111
-index 6e133e026e..f26bc8e879 100644
1112
---- a/ssl/statem/extensions_clnt.c
1113
-+++ b/ssl/statem/extensions_clnt.c
1114
-@@ -533,8 +533,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
1115
-         return EXT_RETURN_FAIL;
1116
-     }
1117
- 
1118
-+    /*
1119
-+     * TODO(TLS1.3): There is some discussion on the TLS list as to whether
1120
-+     * we should include versions <TLS1.2. For the moment we do. To be
1121
-+     * reviewed later.
1122
-+     */
1123
-     for (currv = max_version; currv >= min_version; currv--) {
1124
--        if (!WPACKET_put_bytes_u16(pkt, currv)) {
1125
-+        /* TODO(TLS1.3): Remove this first if clause prior to release!! */
1126
-+        if (currv == TLS1_3_VERSION) {
1127
-+            if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1128
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1129
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_27)
1130
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_26)
1131
-+                    || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT_23)) {
1132
-+                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1133
-+                         SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1134
-+                         ERR_R_INTERNAL_ERROR);
1135
-+                return EXT_RETURN_FAIL;
1136
-+            }
1137
-+        } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
1138
-             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1139
-                      SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
1140
-                      ERR_R_INTERNAL_ERROR);
1141
-@@ -1763,6 +1780,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1142
-         return 0;
1143
-     }
1144
- 
1145
-+    /* TODO(TLS1.3): Remove this before release */
1146
-+    if (version == TLS1_3_VERSION_DRAFT
1147
-+            || version == TLS1_3_VERSION_DRAFT_27
1148
-+            || version == TLS1_3_VERSION_DRAFT_26
1149
-+            || version == TLS1_3_VERSION_DRAFT_23) {
1150
-+        s->version_draft = version;
1151
-+        version = TLS1_3_VERSION;
1152
-+    }
1153
-+
1154
-     /*
1155
-      * The only protocol version we support which is valid in this extension in
1156
-      * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1157
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
1158
-index 6545f5727d..15786a7bfc 100644
1159
---- a/ssl/statem/extensions_srvr.c
1160
-+++ b/ssl/statem/extensions_srvr.c
1161
-@@ -897,7 +897,8 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1162
-     }
1163
-     if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
1164
-             || !WPACKET_start_sub_packet_u16(&hrrpkt)
1165
--            || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
1166
-+               /* TODO(TLS1.3): Fix this before release */
1167
-+            || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft)
1168
-             || !WPACKET_close(&hrrpkt)) {
1169
-         WPACKET_cleanup(&hrrpkt);
1170
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
1171
-@@ -1652,7 +1653,8 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1172
- 
1173
-     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1174
-             || !WPACKET_start_sub_packet_u16(pkt)
1175
--            || !WPACKET_put_bytes_u16(pkt, s->version)
1176
-+                /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1177
-+            || !WPACKET_put_bytes_u16(pkt, s->version_draft)
1178
-             || !WPACKET_close(pkt)) {
1179
-         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1180
-                  SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1181
-diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
1182
-index 2f78a3f602..5d5121d12b 100644
1183
---- a/ssl/statem/statem_lib.c
1184
-+++ b/ssl/statem/statem_lib.c
1185
-@@ -1770,6 +1770,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1186
-         unsigned int best_vers = 0;
1187
-         const SSL_METHOD *best_method = NULL;
1188
-         PACKET versionslist;
1189
-+        /* TODO(TLS1.3): Remove this before release */
1190
-+        unsigned int orig_candidate = 0;
1191
- 
1192
-         suppversions->parsed = 1;
1193
- 
1194
-@@ -1791,6 +1793,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1195
-             return SSL_R_BAD_LEGACY_VERSION;
1196
- 
1197
-         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1198
-+            /* TODO(TLS1.3): Remove this before release */
1199
-+            if (candidate_vers == TLS1_3_VERSION
1200
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT
1201
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_26
1202
-+                    || candidate_vers == TLS1_3_VERSION_DRAFT_23) {
1203
-+                if (best_vers == TLS1_3_VERSION
1204
-+                        && (orig_candidate > candidate_vers
1205
-+                        || orig_candidate == TLS1_3_VERSION))
1206
-+                    continue;
1207
-+                orig_candidate = candidate_vers;
1208
-+                candidate_vers = TLS1_3_VERSION;
1209
-+            }
1210
-+            /*
1211
-+             * TODO(TLS1.3): There is some discussion on the TLS list about
1212
-+             * whether to ignore versions <TLS1.2 in supported_versions. At the
1213
-+             * moment we honour them if present. To be reviewed later
1214
-+             */
1215
-             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1216
-                 continue;
1217
-             if (ssl_version_supported(s, candidate_vers, &best_method))
1218
-@@ -1813,6 +1832,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1219
-             }
1220
-             check_for_downgrade(s, best_vers, dgrd);
1221
-             s->version = best_vers;
1222
-+            /* TODO(TLS1.3): Remove this before release */
1223
-+            if (best_vers == TLS1_3_VERSION)
1224
-+                s->version_draft = orig_candidate;
1225
-             s->method = best_method;
1226
-             return 0;
1227
-         }
1228 1064
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1229 1065
 index b0dd54903d..1d096858f8 100644
1230 1066
 --- a/ssl/statem/statem_srvr.c
@@ -1268,41 +1104,3 @@ index b0dd54903d..1d096858f8 100644
1268 1104
  
1269 1105
                  if (cipher == NULL) {
1270 1106
                      SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1271
-diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
1272
-index 656fefe896..654271f368 100644
1273
---- a/ssl/t1_trce.c
1274
-+++ b/ssl/t1_trce.c
1275
-@@ -65,6 +65,11 @@ static const ssl_trace_tbl ssl_version_tbl[] = {
1276
-     {TLS1_1_VERSION, "TLS 1.1"},
1277
-     {TLS1_2_VERSION, "TLS 1.2"},
1278
-     {TLS1_3_VERSION, "TLS 1.3"},
1279
-+    /* TODO(TLS1.3): Remove these lines before release */
1280
-+    {TLS1_3_VERSION_DRAFT_23, TLS1_3_VERSION_DRAFT_TXT_23},
1281
-+    {TLS1_3_VERSION_DRAFT_26, TLS1_3_VERSION_DRAFT_TXT_26},
1282
-+    {TLS1_3_VERSION_DRAFT_27, TLS1_3_VERSION_DRAFT_TXT_27},
1283
-+    {TLS1_3_VERSION_DRAFT, TLS1_3_VERSION_DRAFT_TXT},
1284
-     {DTLS1_VERSION, "DTLS 1.0"},
1285
-     {DTLS1_2_VERSION, "DTLS 1.2"},
1286
-     {DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
1287
-@@ -638,8 +643,19 @@ static int ssl_print_version(BIO *bio, int indent, const char *name,
1288
-     if (*pmsglen < 2)
1289
-         return 0;
1290
-     vers = ((*pmsg)[0] << 8) | (*pmsg)[1];
1291
--    if (version != NULL)
1292
--        *version = vers;
1293
-+    if (version != NULL) {
1294
-+        /* TODO(TLS1.3): Remove the draft conditional here before release */
1295
-+        switch(vers) {
1296
-+        case TLS1_3_VERSION_DRAFT_23:
1297
-+        case TLS1_3_VERSION_DRAFT_26:
1298
-+        case TLS1_3_VERSION_DRAFT_27:
1299
-+        case TLS1_3_VERSION_DRAFT:
1300
-+            *version = TLS1_3_VERSION;
1301
-+            break;
1302
-+        default:
1303
-+            *version = vers;
1304
-+        }
1305
-+    }
1306
-     BIO_indent(bio, indent, 80);
1307
-     BIO_printf(bio, "%s=0x%x (%s)\n",
1308
-                name, vers, ssl_trace_str(vers, ssl_version_tbl));

Laden…
Abbrechen
Speichern