jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Add pre10 patches

openssl-1.1.1
Hakase 2018-08-23 00:10:35 +09:00
parent f0931b8a03
commit 4966584cdb
5 changed files with 2624 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -25,21 +25,21 @@ Default support is in bold type.
- Twitter : **TLSv1.2**
- **My Site** : _TLSv1.3_ draft 23, 26, 28, **final**
- Facebook : _TLSv1.3_ draft 23, 26, 28, **final**
- Cloudflare : _TLSv1.3_ draft 23, 28, **final**
- Google(Gmail) : _TLSv1.3_ draft 23, **28**
- Cloudflare : _TLSv1.3_ draft **23**, 28
[Compatible OpenSSL-1.1.1-pre9-dev (OpenSSL, 22644 commits)](https://github.com/openssl/openssl/tree/2805ee1e095a78f596dc7adf778441e2edb9f15c)
[Compatible OpenSSL-1.1.1-pre10-dev (OpenSSL, 22668 commits)](https://github.com/openssl/openssl/tree/2fe3e2b68272e803a6e35259a49919d57205418b)
## Patch files
You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)
Here is the basic patch content.
- Support TLS 1.3 draft 23 + 26 + 28 **(Pre9) + final** (Not support pre2 - 26, 28, final)
- Support TLS 1.3 draft 23 + 26 + 28 **(Pre9~10) + final** (Not support pre2 - 26, 28, final)
- Server: draft 23 + 26 + 28
- Client: draft 23 + 26 + 27 + 28
- (pre9)Server: draft 23 + 26 + 28 + final
- (pre9)Client: draft 23 + 26 + 27 + 28 + final
- (pre9~10)Server: draft 23 + 26 + 28 + final
- (pre9~10)Client: draft 23 + 26 + 27 + 28 + final
- BoringSSL's Equal Preference Patch
- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
@ -48,8 +48,8 @@ Here is the basic patch content.
| openssl-equal-pre2.patch | **_Not support_** draft **26, 28**. |
| openssl-equal-pre7.patch<br />openssl-equal-pre8.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-pre7_ciphers.patch<br />openssl-equal-pre8_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
| openssl-equal-pre9.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-pre9_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
| openssl-equal-pre9.patch<br />openssl-equal-pre10.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
| openssl-equal-pre9_ciphers.patch<br />openssl-equal-pre10_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**
@ -77,7 +77,7 @@ Example of setting TLS 1.3 cipher in nginx (pre7 or higher):
git clone https://github.com/openssl/openssl.git
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-equal-pre9_ciphers.patch
patch -p1 < ../openssl-patch/openssl-equal-pre10_ciphers.patch
```
And then use --with-openssl in nginx or build after ./config.
@ -121,12 +121,12 @@ ssl_prefer_server_ciphers on;
[TLS13-AES-128-GCM-SHA256|TLS13-AES-256-GCM-SHA384|TLS13-CHACHA20-POLY1305-SHA256]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```
### OpenSSL-1.1.1-pre7~9 ciphers (draft 23, 26, 28, **(pre9) - final**)
### OpenSSL-1.1.1-pre7~10 ciphers (draft 23, 26, 28, **(pre9~10) - final**)
```
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```
### OpenSSL-1.1.1-pre7~9_ciphers ciphers (draft 23, 26, 28, **(pre9) - final**)
### OpenSSL-1.1.1-pre7~10_ciphers ciphers (draft 23, 26, 28, **(pre9~10) - final**)
```
[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
```

1273
openssl-equal-pre10.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1308
openssl-equal-pre10_ciphers.patch Normal file
View File

File diff suppressed because it is too large Load Diff

34
openssl-equal-pre9.patch
View File

@ -25,7 +25,7 @@ index 3aea982384..3c93eba0bf 100644
The following lists give the SSL or TLS cipher suites names from the
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 155d6515e1..651bc3c6b4 100644
index eb689c1c36..3191b68efe 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -173,12 +173,12 @@ extern "C" {
@ -824,10 +824,10 @@ index 11331ce41f..cfc770b8d6 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a486356c2a..d753825aa1 100644
index 7e8093bcfd..8f50d6d343 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1112,6 +1112,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
@@ -1113,6 +1113,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
@ -899,7 +899,7 @@ index a486356c2a..d753825aa1 100644
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
return ctx->param;
@@ -1152,7 +1217,8 @@ void SSL_free(SSL *s)
@@ -1153,7 +1218,8 @@ void SSL_free(SSL *s)
BUF_MEM_free(s->init_buf);
/* add extra stuff */
@ -909,7 +909,7 @@ index a486356c2a..d753825aa1 100644
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
@@ -2421,9 +2487,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
@@ -2422,9 +2488,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
{
if (s != NULL) {
if (s->cipher_list != NULL) {
@ -921,7 +921,7 @@ index a486356c2a..d753825aa1 100644
}
}
return NULL;
@@ -2497,8 +2563,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
@@ -2498,8 +2564,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
* preference */
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
{
@ -932,7 +932,7 @@ index a486356c2a..d753825aa1 100644
return NULL;
}
@@ -2933,7 +2999,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
@@ -2934,7 +3000,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST, ret->cert)
@ -941,7 +941,7 @@ index a486356c2a..d753825aa1 100644
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -3106,7 +3172,7 @@ void SSL_CTX_free(SSL_CTX *a)
@@ -3107,7 +3173,7 @@ void SSL_CTX_free(SSL_CTX *a)
#ifndef OPENSSL_NO_CT
CTLOG_STORE_free(a->ctlog_store);
#endif
@ -950,7 +950,7 @@ index a486356c2a..d753825aa1 100644
sk_SSL_CIPHER_free(a->cipher_list_by_id);
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
ssl_cert_free(a->cert);
@@ -3761,13 +3827,15 @@ SSL *SSL_dup(SSL *s)
@@ -3762,13 +3828,15 @@ SSL *SSL_dup(SSL *s)
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL) {
@ -971,7 +971,7 @@ index a486356c2a..d753825aa1 100644
/* Dup the client_CA list */
if (s->ca_names != NULL) {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6d6404ba3d..38e95528f2 100644
index 362ae1cbe5..bc70199224 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
@ -1022,7 +1022,7 @@ index 6d6404ba3d..38e95528f2 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1071,6 +1108,8 @@ struct ssl_st {
@@ -1074,6 +1111,8 @@ struct ssl_st {
* DTLS1_VERSION)
*/
int version;
@ -1031,7 +1031,7 @@ index 6d6404ba3d..38e95528f2 100644
/* SSLv3 */
const SSL_METHOD *method;
/*
@@ -1129,7 +1168,7 @@ struct ssl_st {
@@ -1132,7 +1171,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
@ -1040,7 +1040,7 @@ index 6d6404ba3d..38e95528f2 100644
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2251,7 +2290,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2254,7 +2293,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
__owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -1049,7 +1049,7 @@ index 6d6404ba3d..38e95528f2 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2261,6 +2300,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2264,6 +2303,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
@ -1063,7 +1063,7 @@ index 6d6404ba3d..38e95528f2 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2344,7 +2390,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2347,7 +2393,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
@ -1073,7 +1073,7 @@ index 6d6404ba3d..38e95528f2 100644
__owur int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 86d6189ea1..a1defe7493 100644
index 2d5b60a737..39a60a2167 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
@ -1103,7 +1103,7 @@ index 86d6189ea1..a1defe7493 100644
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ERR_R_INTERNAL_ERROR);
@@ -1775,6 +1792,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
return 0;
}

32
openssl-equal-pre9_ciphers.patch
View File

@ -859,10 +859,10 @@ index 11331ce41f..cfc770b8d6 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a486356c2a..d753825aa1 100644
index 7e8093bcfd..8f50d6d343 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1112,6 +1112,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
@@ -1113,6 +1113,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
@ -934,7 +934,7 @@ index a486356c2a..d753825aa1 100644
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
return ctx->param;
@@ -1152,7 +1217,8 @@ void SSL_free(SSL *s)
@@ -1153,7 +1218,8 @@ void SSL_free(SSL *s)
BUF_MEM_free(s->init_buf);
/* add extra stuff */
@ -944,7 +944,7 @@ index a486356c2a..d753825aa1 100644
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
@@ -2421,9 +2487,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
@@ -2422,9 +2488,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
{
if (s != NULL) {
if (s->cipher_list != NULL) {
@ -956,7 +956,7 @@ index a486356c2a..d753825aa1 100644
}
}
return NULL;
@@ -2497,8 +2563,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
@@ -2498,8 +2564,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
* preference */
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
{
@ -967,7 +967,7 @@ index a486356c2a..d753825aa1 100644
return NULL;
}
@@ -2933,7 +2999,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
@@ -2934,7 +3000,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST, ret->cert)
@ -976,7 +976,7 @@ index a486356c2a..d753825aa1 100644
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -3106,7 +3172,7 @@ void SSL_CTX_free(SSL_CTX *a)
@@ -3107,7 +3173,7 @@ void SSL_CTX_free(SSL_CTX *a)
#ifndef OPENSSL_NO_CT
CTLOG_STORE_free(a->ctlog_store);
#endif
@ -985,7 +985,7 @@ index a486356c2a..d753825aa1 100644
sk_SSL_CIPHER_free(a->cipher_list_by_id);
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
ssl_cert_free(a->cert);
@@ -3761,13 +3827,15 @@ SSL *SSL_dup(SSL *s)
@@ -3762,13 +3828,15 @@ SSL *SSL_dup(SSL *s)
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL) {
@ -1006,7 +1006,7 @@ index a486356c2a..d753825aa1 100644
/* Dup the client_CA list */
if (s->ca_names != NULL) {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6d6404ba3d..38e95528f2 100644
index 362ae1cbe5..bc70199224 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
@ -1057,7 +1057,7 @@ index 6d6404ba3d..38e95528f2 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1071,6 +1108,8 @@ struct ssl_st {
@@ -1074,6 +1111,8 @@ struct ssl_st {
* DTLS1_VERSION)
*/
int version;
@ -1066,7 +1066,7 @@ index 6d6404ba3d..38e95528f2 100644
/* SSLv3 */
const SSL_METHOD *method;
/*
@@ -1129,7 +1168,7 @@ struct ssl_st {
@@ -1132,7 +1171,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
@ -1075,7 +1075,7 @@ index 6d6404ba3d..38e95528f2 100644
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2251,7 +2290,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2254,7 +2293,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
__owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -1084,7 +1084,7 @@ index 6d6404ba3d..38e95528f2 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2261,6 +2300,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2264,6 +2303,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
@ -1098,7 +1098,7 @@ index 6d6404ba3d..38e95528f2 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2344,7 +2390,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2347,7 +2393,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
@ -1108,7 +1108,7 @@ index 6d6404ba3d..38e95528f2 100644
__owur int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 86d6189ea1..a1defe7493 100644
index 2d5b60a737..39a60a2167 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
@ -1138,7 +1138,7 @@ index 86d6189ea1..a1defe7493 100644
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ERR_R_INTERNAL_ERROR);
@@ -1775,6 +1792,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
return 0;
}