Add pre10 patches
Hakase
parent
f0931b8a03
commit
4966584cdb
20
README.md
20
README.md
|
|
@ -25,21 +25,21 @@ Default support is in bold type.
|
||||||
- Twitter : **TLSv1.2**
|
- Twitter : **TLSv1.2**
|
||||||
- **My Site** : _TLSv1.3_ draft 23, 26, 28, **final**
|
- **My Site** : _TLSv1.3_ draft 23, 26, 28, **final**
|
||||||
- Facebook : _TLSv1.3_ draft 23, 26, 28, **final**
|
- Facebook : _TLSv1.3_ draft 23, 26, 28, **final**
|
||||||
|
- Cloudflare : _TLSv1.3_ draft 23, 28, **final**
|
||||||
- Google(Gmail) : _TLSv1.3_ draft 23, **28**
|
- Google(Gmail) : _TLSv1.3_ draft 23, **28**
|
||||||
- Cloudflare : _TLSv1.3_ draft **23**, 28
|
|
||||||
|
|
||||||
[Compatible OpenSSL-1.1.1-pre9-dev (OpenSSL, 22644 commits)](https://github.com/openssl/openssl/tree/2805ee1e095a78f596dc7adf778441e2edb9f15c)
|
[Compatible OpenSSL-1.1.1-pre10-dev (OpenSSL, 22668 commits)](https://github.com/openssl/openssl/tree/2fe3e2b68272e803a6e35259a49919d57205418b)
|
||||||
|
|
||||||
## Patch files
|
## Patch files
|
||||||
|
|
||||||
You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)
|
You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch)
|
||||||
|
|
||||||
Here is the basic patch content.
|
Here is the basic patch content.
|
||||||
- Support TLS 1.3 draft 23 + 26 + 28 **(Pre9) + final** (Not support pre2 - 26, 28, final)
|
- Support TLS 1.3 draft 23 + 26 + 28 **(Pre9~10) + final** (Not support pre2 - 26, 28, final)
|
||||||
- Server: draft 23 + 26 + 28
|
- Server: draft 23 + 26 + 28
|
||||||
- Client: draft 23 + 26 + 27 + 28
|
- Client: draft 23 + 26 + 27 + 28
|
||||||
- (pre9)Server: draft 23 + 26 + 28 + final
|
- (pre9~10)Server: draft 23 + 26 + 28 + final
|
||||||
- (pre9)Client: draft 23 + 26 + 27 + 28 + final
|
- (pre9~10)Client: draft 23 + 26 + 27 + 28 + final
|
||||||
- BoringSSL's Equal Preference Patch
|
- BoringSSL's Equal Preference Patch
|
||||||
- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
|
- Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later.
|
||||||
|
|
||||||
|
|
@ -48,8 +48,8 @@ Here is the basic patch content.
|
||||||
| openssl-equal-pre2.patch | **_Not support_** draft **26, 28**. |
|
| openssl-equal-pre2.patch | **_Not support_** draft **26, 28**. |
|
||||||
| openssl-equal-pre7.patch<br />openssl-equal-pre8.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
|
| openssl-equal-pre7.patch<br />openssl-equal-pre8.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
|
||||||
| openssl-equal-pre7_ciphers.patch<br />openssl-equal-pre8_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
|
| openssl-equal-pre7_ciphers.patch<br />openssl-equal-pre8_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
|
||||||
| openssl-equal-pre9.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
|
| openssl-equal-pre9.patch<br />openssl-equal-pre10.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can not_** be changed on _nginx_. |
|
||||||
| openssl-equal-pre9_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
|
| openssl-equal-pre9_ciphers.patch<br />openssl-equal-pre10_ciphers.patch | Support **final (TLS 1.3)**, TLS 1.3 cipher settings **_can_** be changed on _nginx_. |
|
||||||
|
|
||||||
**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**
|
**The "_ciphers" patch file is a temporary change to the TLS 1.3 configuration.**
|
||||||
|
|
||||||
|
|
@ -77,7 +77,7 @@ Example of setting TLS 1.3 cipher in nginx (pre7 or higher):
|
||||||
git clone https://github.com/openssl/openssl.git
|
git clone https://github.com/openssl/openssl.git
|
||||||
git clone https://github.com/hakasenyang/openssl-patch.git
|
git clone https://github.com/hakasenyang/openssl-patch.git
|
||||||
cd openssl
|
cd openssl
|
||||||
patch -p1 < ../openssl-patch/openssl-equal-pre9_ciphers.patch
|
patch -p1 < ../openssl-patch/openssl-equal-pre10_ciphers.patch
|
||||||
```
|
```
|
||||||
|
|
||||||
And then use --with-openssl in nginx or build after ./config.
|
And then use --with-openssl in nginx or build after ./config.
|
||||||
|
|
@ -121,12 +121,12 @@ ssl_prefer_server_ciphers on;
|
||||||
[TLS13-AES-128-GCM-SHA256|TLS13-AES-256-GCM-SHA384|TLS13-CHACHA20-POLY1305-SHA256]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
[TLS13-AES-128-GCM-SHA256|TLS13-AES-256-GCM-SHA384|TLS13-CHACHA20-POLY1305-SHA256]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
||||||
```
|
```
|
||||||
|
|
||||||
### OpenSSL-1.1.1-pre7~9 ciphers (draft 23, 26, 28, **(pre9) - final**)
|
### OpenSSL-1.1.1-pre7~10 ciphers (draft 23, 26, 28, **(pre9~10) - final**)
|
||||||
```
|
```
|
||||||
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
||||||
```
|
```
|
||||||
|
|
||||||
### OpenSSL-1.1.1-pre7~9_ciphers ciphers (draft 23, 26, 28, **(pre9) - final**)
|
### OpenSSL-1.1.1-pre7~10_ciphers ciphers (draft 23, 26, 28, **(pre9~10) - final**)
|
||||||
```
|
```
|
||||||
[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES
|
||||||
```
|
```
|
||||||
|
|
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
|
@ -25,7 +25,7 @@ index 3aea982384..3c93eba0bf 100644
|
||||||
|
|
||||||
The following lists give the SSL or TLS cipher suites names from the
|
The following lists give the SSL or TLS cipher suites names from the
|
||||||
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
|
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
|
||||||
index 155d6515e1..651bc3c6b4 100644
|
index eb689c1c36..3191b68efe 100644
|
||||||
--- a/include/openssl/ssl.h
|
--- a/include/openssl/ssl.h
|
||||||
+++ b/include/openssl/ssl.h
|
+++ b/include/openssl/ssl.h
|
||||||
@@ -173,12 +173,12 @@ extern "C" {
|
@@ -173,12 +173,12 @@ extern "C" {
|
||||||
|
|
@ -824,10 +824,10 @@ index 11331ce41f..cfc770b8d6 100644
|
||||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
||||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
||||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||||
index a486356c2a..d753825aa1 100644
|
index 7e8093bcfd..8f50d6d343 100644
|
||||||
--- a/ssl/ssl_lib.c
|
--- a/ssl/ssl_lib.c
|
||||||
+++ b/ssl/ssl_lib.c
|
+++ b/ssl/ssl_lib.c
|
||||||
@@ -1112,6 +1112,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
@@ -1113,6 +1113,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||||
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -899,7 +899,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
||||||
{
|
{
|
||||||
return ctx->param;
|
return ctx->param;
|
||||||
@@ -1152,7 +1217,8 @@ void SSL_free(SSL *s)
|
@@ -1153,7 +1218,8 @@ void SSL_free(SSL *s)
|
||||||
BUF_MEM_free(s->init_buf);
|
BUF_MEM_free(s->init_buf);
|
||||||
|
|
||||||
/* add extra stuff */
|
/* add extra stuff */
|
||||||
|
|
@ -909,7 +909,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||||
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
||||||
|
|
||||||
@@ -2421,9 +2487,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
@@ -2422,9 +2488,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||||
{
|
{
|
||||||
if (s != NULL) {
|
if (s != NULL) {
|
||||||
if (s->cipher_list != NULL) {
|
if (s->cipher_list != NULL) {
|
||||||
|
|
@ -921,7 +921,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
@@ -2497,8 +2563,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
@@ -2498,8 +2564,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||||
* preference */
|
* preference */
|
||||||
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
||||||
{
|
{
|
||||||
|
|
@ -932,7 +932,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2933,7 +2999,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
@@ -2934,7 +3000,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||||
ret->tls13_ciphersuites,
|
ret->tls13_ciphersuites,
|
||||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||||
SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
||||||
|
|
@ -941,7 +941,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||||
goto err2;
|
goto err2;
|
||||||
}
|
}
|
||||||
@@ -3106,7 +3172,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
@@ -3107,7 +3173,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||||
#ifndef OPENSSL_NO_CT
|
#ifndef OPENSSL_NO_CT
|
||||||
CTLOG_STORE_free(a->ctlog_store);
|
CTLOG_STORE_free(a->ctlog_store);
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -950,7 +950,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
||||||
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
||||||
ssl_cert_free(a->cert);
|
ssl_cert_free(a->cert);
|
||||||
@@ -3761,13 +3827,15 @@ SSL *SSL_dup(SSL *s)
|
@@ -3762,13 +3828,15 @@ SSL *SSL_dup(SSL *s)
|
||||||
|
|
||||||
/* dup the cipher_list and cipher_list_by_id stacks */
|
/* dup the cipher_list and cipher_list_by_id stacks */
|
||||||
if (s->cipher_list != NULL) {
|
if (s->cipher_list != NULL) {
|
||||||
|
|
@ -971,7 +971,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
/* Dup the client_CA list */
|
/* Dup the client_CA list */
|
||||||
if (s->ca_names != NULL) {
|
if (s->ca_names != NULL) {
|
||||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||||
index 6d6404ba3d..38e95528f2 100644
|
index 362ae1cbe5..bc70199224 100644
|
||||||
--- a/ssl/ssl_locl.h
|
--- a/ssl/ssl_locl.h
|
||||||
+++ b/ssl/ssl_locl.h
|
+++ b/ssl/ssl_locl.h
|
||||||
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
||||||
|
|
@ -1022,7 +1022,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
/* same as above but sorted for lookup */
|
/* same as above but sorted for lookup */
|
||||||
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
||||||
/* TLSv1.3 specific ciphersuites */
|
/* TLSv1.3 specific ciphersuites */
|
||||||
@@ -1071,6 +1108,8 @@ struct ssl_st {
|
@@ -1074,6 +1111,8 @@ struct ssl_st {
|
||||||
* DTLS1_VERSION)
|
* DTLS1_VERSION)
|
||||||
*/
|
*/
|
||||||
int version;
|
int version;
|
||||||
|
|
@ -1031,7 +1031,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
/* SSLv3 */
|
/* SSLv3 */
|
||||||
const SSL_METHOD *method;
|
const SSL_METHOD *method;
|
||||||
/*
|
/*
|
||||||
@@ -1129,7 +1168,7 @@ struct ssl_st {
|
@@ -1132,7 +1171,7 @@ struct ssl_st {
|
||||||
/* Per connection DANE state */
|
/* Per connection DANE state */
|
||||||
SSL_DANE dane;
|
SSL_DANE dane;
|
||||||
/* crypto */
|
/* crypto */
|
||||||
|
|
@ -1040,7 +1040,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
||||||
/* TLSv1.3 specific ciphersuites */
|
/* TLSv1.3 specific ciphersuites */
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
|
||||||
@@ -2251,7 +2290,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
|
@@ -2254,7 +2293,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
|
||||||
__owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
|
__owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
|
||||||
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||||
|
|
@ -1049,7 +1049,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
|
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
|
||||||
const char *rule_str,
|
const char *rule_str,
|
||||||
CERT *c);
|
CERT *c);
|
||||||
@@ -2261,6 +2300,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
|
@@ -2264,6 +2303,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
|
||||||
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
|
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
|
||||||
int fatal);
|
int fatal);
|
||||||
void ssl_update_cache(SSL *s, int mode);
|
void ssl_update_cache(SSL *s, int mode);
|
||||||
|
|
@ -1063,7 +1063,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
|
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
|
||||||
const EVP_MD **md, int *mac_pkey_type,
|
const EVP_MD **md, int *mac_pkey_type,
|
||||||
size_t *mac_secret_size, SSL_COMP **comp,
|
size_t *mac_secret_size, SSL_COMP **comp,
|
||||||
@@ -2344,7 +2390,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
|
@@ -2347,7 +2393,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
|
||||||
CERT_PKEY *cpk);
|
CERT_PKEY *cpk);
|
||||||
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
|
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
|
||||||
STACK_OF(SSL_CIPHER) *clnt,
|
STACK_OF(SSL_CIPHER) *clnt,
|
||||||
|
|
@ -1073,7 +1073,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
__owur int ssl3_new(SSL *s);
|
__owur int ssl3_new(SSL *s);
|
||||||
void ssl3_free(SSL *s);
|
void ssl3_free(SSL *s);
|
||||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||||||
index 86d6189ea1..a1defe7493 100644
|
index 2d5b60a737..39a60a2167 100644
|
||||||
--- a/ssl/statem/extensions_clnt.c
|
--- a/ssl/statem/extensions_clnt.c
|
||||||
+++ b/ssl/statem/extensions_clnt.c
|
+++ b/ssl/statem/extensions_clnt.c
|
||||||
@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
|
@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
|
||||||
|
|
@ -1103,7 +1103,7 @@ index 86d6189ea1..a1defe7493 100644
|
||||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||||
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
|
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
|
||||||
ERR_R_INTERNAL_ERROR);
|
ERR_R_INTERNAL_ERROR);
|
||||||
@@ -1775,6 +1792,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
|
@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -859,10 +859,10 @@ index 11331ce41f..cfc770b8d6 100644
|
||||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
|
||||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
|
||||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||||
index a486356c2a..d753825aa1 100644
|
index 7e8093bcfd..8f50d6d343 100644
|
||||||
--- a/ssl/ssl_lib.c
|
--- a/ssl/ssl_lib.c
|
||||||
+++ b/ssl/ssl_lib.c
|
+++ b/ssl/ssl_lib.c
|
||||||
@@ -1112,6 +1112,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
@@ -1113,6 +1113,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
|
||||||
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -934,7 +934,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
|
||||||
{
|
{
|
||||||
return ctx->param;
|
return ctx->param;
|
||||||
@@ -1152,7 +1217,8 @@ void SSL_free(SSL *s)
|
@@ -1153,7 +1218,8 @@ void SSL_free(SSL *s)
|
||||||
BUF_MEM_free(s->init_buf);
|
BUF_MEM_free(s->init_buf);
|
||||||
|
|
||||||
/* add extra stuff */
|
/* add extra stuff */
|
||||||
|
|
@ -944,7 +944,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||||
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
|
||||||
|
|
||||||
@@ -2421,9 +2487,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
@@ -2422,9 +2488,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
||||||
{
|
{
|
||||||
if (s != NULL) {
|
if (s != NULL) {
|
||||||
if (s->cipher_list != NULL) {
|
if (s->cipher_list != NULL) {
|
||||||
|
|
@ -956,7 +956,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
@@ -2497,8 +2563,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
@@ -2498,8 +2564,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
|
||||||
* preference */
|
* preference */
|
||||||
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
|
||||||
{
|
{
|
||||||
|
|
@ -967,7 +967,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2933,7 +2999,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
@@ -2934,7 +3000,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||||
ret->tls13_ciphersuites,
|
ret->tls13_ciphersuites,
|
||||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||||
SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
||||||
|
|
@ -976,7 +976,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||||
goto err2;
|
goto err2;
|
||||||
}
|
}
|
||||||
@@ -3106,7 +3172,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
@@ -3107,7 +3173,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||||
#ifndef OPENSSL_NO_CT
|
#ifndef OPENSSL_NO_CT
|
||||||
CTLOG_STORE_free(a->ctlog_store);
|
CTLOG_STORE_free(a->ctlog_store);
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -985,7 +985,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
sk_SSL_CIPHER_free(a->cipher_list_by_id);
|
||||||
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
|
||||||
ssl_cert_free(a->cert);
|
ssl_cert_free(a->cert);
|
||||||
@@ -3761,13 +3827,15 @@ SSL *SSL_dup(SSL *s)
|
@@ -3762,13 +3828,15 @@ SSL *SSL_dup(SSL *s)
|
||||||
|
|
||||||
/* dup the cipher_list and cipher_list_by_id stacks */
|
/* dup the cipher_list and cipher_list_by_id stacks */
|
||||||
if (s->cipher_list != NULL) {
|
if (s->cipher_list != NULL) {
|
||||||
|
|
@ -1006,7 +1006,7 @@ index a486356c2a..d753825aa1 100644
|
||||||
/* Dup the client_CA list */
|
/* Dup the client_CA list */
|
||||||
if (s->ca_names != NULL) {
|
if (s->ca_names != NULL) {
|
||||||
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
||||||
index 6d6404ba3d..38e95528f2 100644
|
index 362ae1cbe5..bc70199224 100644
|
||||||
--- a/ssl/ssl_locl.h
|
--- a/ssl/ssl_locl.h
|
||||||
+++ b/ssl/ssl_locl.h
|
+++ b/ssl/ssl_locl.h
|
||||||
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
|
||||||
|
|
@ -1057,7 +1057,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
/* same as above but sorted for lookup */
|
/* same as above but sorted for lookup */
|
||||||
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
||||||
/* TLSv1.3 specific ciphersuites */
|
/* TLSv1.3 specific ciphersuites */
|
||||||
@@ -1071,6 +1108,8 @@ struct ssl_st {
|
@@ -1074,6 +1111,8 @@ struct ssl_st {
|
||||||
* DTLS1_VERSION)
|
* DTLS1_VERSION)
|
||||||
*/
|
*/
|
||||||
int version;
|
int version;
|
||||||
|
|
@ -1066,7 +1066,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
/* SSLv3 */
|
/* SSLv3 */
|
||||||
const SSL_METHOD *method;
|
const SSL_METHOD *method;
|
||||||
/*
|
/*
|
||||||
@@ -1129,7 +1168,7 @@ struct ssl_st {
|
@@ -1132,7 +1171,7 @@ struct ssl_st {
|
||||||
/* Per connection DANE state */
|
/* Per connection DANE state */
|
||||||
SSL_DANE dane;
|
SSL_DANE dane;
|
||||||
/* crypto */
|
/* crypto */
|
||||||
|
|
@ -1075,7 +1075,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
|
||||||
/* TLSv1.3 specific ciphersuites */
|
/* TLSv1.3 specific ciphersuites */
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
|
||||||
@@ -2251,7 +2290,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
|
@@ -2254,7 +2293,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
|
||||||
__owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
|
__owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str);
|
||||||
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||||
|
|
@ -1084,7 +1084,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
|
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
|
||||||
const char *rule_str,
|
const char *rule_str,
|
||||||
CERT *c);
|
CERT *c);
|
||||||
@@ -2261,6 +2300,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
|
@@ -2264,6 +2303,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
|
||||||
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
|
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
|
||||||
int fatal);
|
int fatal);
|
||||||
void ssl_update_cache(SSL *s, int mode);
|
void ssl_update_cache(SSL *s, int mode);
|
||||||
|
|
@ -1098,7 +1098,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
|
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
|
||||||
const EVP_MD **md, int *mac_pkey_type,
|
const EVP_MD **md, int *mac_pkey_type,
|
||||||
size_t *mac_secret_size, SSL_COMP **comp,
|
size_t *mac_secret_size, SSL_COMP **comp,
|
||||||
@@ -2344,7 +2390,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
|
@@ -2347,7 +2393,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
|
||||||
CERT_PKEY *cpk);
|
CERT_PKEY *cpk);
|
||||||
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
|
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
|
||||||
STACK_OF(SSL_CIPHER) *clnt,
|
STACK_OF(SSL_CIPHER) *clnt,
|
||||||
|
|
@ -1108,7 +1108,7 @@ index 6d6404ba3d..38e95528f2 100644
|
||||||
__owur int ssl3_new(SSL *s);
|
__owur int ssl3_new(SSL *s);
|
||||||
void ssl3_free(SSL *s);
|
void ssl3_free(SSL *s);
|
||||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||||||
index 86d6189ea1..a1defe7493 100644
|
index 2d5b60a737..39a60a2167 100644
|
||||||
--- a/ssl/statem/extensions_clnt.c
|
--- a/ssl/statem/extensions_clnt.c
|
||||||
+++ b/ssl/statem/extensions_clnt.c
|
+++ b/ssl/statem/extensions_clnt.c
|
||||||
@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
|
@@ -530,8 +530,25 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
|
||||||
|
|
@ -1138,7 +1138,7 @@ index 86d6189ea1..a1defe7493 100644
|
||||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||||
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
|
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
|
||||||
ERR_R_INTERNAL_ERROR);
|
ERR_R_INTERNAL_ERROR);
|
||||||
@@ -1775,6 +1792,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
|
@@ -1760,6 +1777,15 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue