jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Update 3.0.0-dev patches.

tls13_draft
Hakase 2019-01-18 00:54:40 +09:00
parent 0709965a2d
commit 5146f0934a
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
3 changed files with 96 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
openssl-3.0.0-dev-chacha_draft.patch
View File

@ -220,7 +220,7 @@ index 0d4612f314..5a3516d642 100644
# endif
#endif
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 86bcfcaee0..09c53e087a 100644
index 859795fa50..550e794fca 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -1079,7 +1079,7 @@ static const unsigned char so[7767] = {
@ -291,7 +291,7 @@ index 851e31e5aa..e5b288d999 100644
ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index ede4b1429b..c04f51bd37 100644
index 9f1dbd4b8b..774f102e48 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -928,6 +928,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
@ -303,7 +303,7 @@ index ede4b1429b..c04f51bd37 100644
# endif
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index 8ad2728dde..8c1b7ab042 100644
index 242eaeb6ce..c8960d0e5c 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -4824,6 +4824,10 @@
@ -330,10 +330,10 @@ index ea41dd089e..212c6eae89 100644
# define SSL_TXT_ARIA "ARIA"
# define SSL_TXT_ARIA_GCM "ARIAGCM"
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index c57344ca0e..d219aa25ba 100644
index 166f15ad5c..4fa1d8a32d 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -597,7 +597,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
@@ -599,7 +599,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
# define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0x0300C09A
# define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0x0300C09B
@ -347,7 +347,7 @@ index c57344ca0e..d219aa25ba 100644
# define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCA8
# define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0x0300CCA9
# define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCAA
@@ -762,6 +767,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
@@ -764,6 +769,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
# define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
@ -357,7 +357,7 @@ index c57344ca0e..d219aa25ba 100644
# define TLS1_RFC_PSK_WITH_CHACHA20_POLY1305 "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305 "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
@@ -1090,7 +1098,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
@@ -1092,7 +1100,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
# define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 "ECDH-RSA-CAMELLIA128-SHA256"
# define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 "ECDH-RSA-CAMELLIA256-SHA384"
@ -431,7 +431,7 @@ index a5b3dbbfd5..a5a7993065 100644
1,
TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index bd97c0fdab..020ba7ac63 100644
index 461a9debab..84f90c1621 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -43,7 +43,8 @@
@ -452,7 +452,7 @@ index bd97c0fdab..020ba7ac63 100644
};
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
@@ -273,6 +275,7 @@ static const SSL_CIPHER cipher_aliases[] = {
@@ -275,6 +277,7 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},
{0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
{0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
@ -460,7 +460,7 @@ index bd97c0fdab..020ba7ac63 100644
{0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
{0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
@@ -1789,6 +1792,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
@@ -1791,6 +1794,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_CHACHA20POLY1305:
enc = "CHACHA20/POLY1305(256)";
break;
@ -470,7 +470,7 @@ index bd97c0fdab..020ba7ac63 100644
default:
enc = "unknown";
break;
@@ -2113,7 +2119,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
@@ -2115,7 +2121,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
} else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
@ -480,10 +480,10 @@ index bd97c0fdab..020ba7ac63 100644
} else if (c->algorithm_mac & SSL_AEAD) {
/* We're supposed to have handled all the AEAD modes above */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c2e6474f86..8452fe21da 100644
index 2d68691a0f..441242e581 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -231,12 +231,13 @@
@@ -234,12 +234,13 @@
# define SSL_CHACHA20POLY1305 0x00080000U
# define SSL_ARIA128GCM 0x00100000U
# define SSL_ARIA256GCM 0x00200000U
@ -499,11 +499,11 @@ index c2e6474f86..8452fe21da 100644
# define SSL_ARIA (SSL_ARIAGCM)
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 59fc3470f1..5439eafc87 100644
index b8b19801b2..84db7a524a 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4620,3 +4620,4 @@ CRYPTO_siv128_set_tag 4575 3_0_0 EXIST::FUNCTION:SIV
CRYPTO_siv128_get_tag 4576 3_0_0 EXIST::FUNCTION:SIV
CRYPTO_siv128_cleanup 4577 3_0_0 EXIST::FUNCTION:SIV
@@ -4622,3 +4622,4 @@ CRYPTO_siv128_cleanup 4577 3_0_0 EXIST::FUNCTION:SIV
CRYPTO_siv128_speed 4578 3_0_0 EXIST::FUNCTION:SIV
+EVP_chacha20_poly1305_draft 4579 3_0_0 EXIST::FUNCTION:CHACHA,POLY1305_DRAFT
OPENSSL_INIT_set_config_filename 4579 3_0_0 EXIST::FUNCTION:STDIO
OPENSSL_INIT_set_config_file_flags 4580 3_0_0 EXIST::FUNCTION:STDIO
+EVP_chacha20_poly1305_draft 4581 3_0_0 EXIST::FUNCTION:CHACHA,POLY1305_DRAFT

76
openssl-equal-3.0.0-dev.patch
View File

@ -1,5 +1,5 @@
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
index 4a2deccd24..43680fb7ec 100644
index e29c5d7ced..b5bca974c9 100644
--- a/doc/man1/ciphers.pod
+++ b/doc/man1/ciphers.pod
@@ -400,6 +400,21 @@ permissible.
@ -71,12 +71,12 @@ index f8783717bc..0e7ad2818b 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index c57344ca0e..ca2c892ed6 100644
index 166f15ad5c..3205f1cbfb 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -30,6 +30,16 @@ extern "C" {
# define TLS1_3_VERSION 0x0304
# define TLS_MAX_VERSION TLS1_3_VERSION
@@ -32,6 +32,16 @@ extern "C" {
# define TLS_MAX_VERSION TLS1_3_VERSION
# endif
+/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
+# define TLS1_3_VERSION_DRAFT_23 0x7f17
@ -352,10 +352,10 @@ index a5b3dbbfd5..505c32d18e 100644
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index bd97c0fdab..add5843bfb 100644
index 461a9debab..c8d8517735 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@@ -192,6 +192,7 @@ typedef struct cipher_order_st {
const SSL_CIPHER *cipher;
int active;
int dead;
@ -363,7 +363,7 @@ index bd97c0fdab..add5843bfb 100644
struct cipher_order_st *next, *prev;
} CIPHER_ORDER;
@@ -679,6 +680,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
@@ -681,6 +682,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
co_list[co_list_num].next = NULL;
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = 0;
@ -371,7 +371,7 @@ index bd97c0fdab..add5843bfb 100644
co_list_num++;
}
@@ -772,8 +774,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -774,8 +776,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
uint32_t alg_auth, uint32_t alg_enc,
uint32_t alg_mac, int min_tls,
uint32_t algo_strength, int rule,
@ -382,7 +382,7 @@ index bd97c0fdab..add5843bfb 100644
{
CIPHER_ORDER *head, *tail, *curr, *next, *last;
const SSL_CIPHER *cp;
@@ -781,9 +783,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -783,9 +785,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
#ifdef CIPHER_DEBUG
fprintf(stderr,
@ -394,7 +394,7 @@ index bd97c0fdab..add5843bfb 100644
#endif
if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
@@ -860,6 +862,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -862,6 +864,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
if (!curr->active) {
ll_append_tail(&head, curr, &tail);
curr->active = 1;
@ -402,7 +402,7 @@ index bd97c0fdab..add5843bfb 100644
}
}
/* Move the added cipher to this location */
@@ -867,6 +870,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -869,6 +872,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
/* reverse == 0 */
if (curr->active) {
ll_append_tail(&head, curr, &tail);
@ -410,7 +410,7 @@ index bd97c0fdab..add5843bfb 100644
}
} else if (rule == CIPHER_DEL) {
/* reverse == 1 */
@@ -878,6 +882,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -880,6 +884,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
*/
ll_append_head(&head, curr, &tail);
curr->active = 0;
@ -418,7 +418,7 @@ index bd97c0fdab..add5843bfb 100644
}
} else if (rule == CIPHER_BUMP) {
if (curr->active)
@@ -945,8 +950,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
@@ -947,8 +952,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
*/
for (i = max_strength_bits; i >= 0; i--)
if (number_uses[i] > 0)
@ -429,7 +429,7 @@ index bd97c0fdab..add5843bfb 100644
OPENSSL_free(number_uses);
return 1;
@@ -960,7 +965,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -962,7 +967,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
int min_tls;
const char *l, *buf;
@ -438,7 +438,7 @@ index bd97c0fdab..add5843bfb 100644
uint32_t cipher_id = 0;
char ch;
@@ -971,18 +976,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -973,18 +978,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
if (ch == '\0')
break; /* done */
@ -506,7 +506,7 @@ index bd97c0fdab..add5843bfb 100644
} else {
rule = CIPHER_ADD;
}
@@ -1024,7 +1077,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -1026,7 +1079,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* alphanumeric, so we call this an error.
*/
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
@ -515,7 +515,7 @@ index bd97c0fdab..add5843bfb 100644
l++;
break;
}
@@ -1203,8 +1256,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -1205,8 +1258,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
} else if (found) {
ssl_cipher_apply_rule(cipher_id,
alg_mkey, alg_auth, alg_enc, alg_mac,
@ -526,7 +526,7 @@ index bd97c0fdab..add5843bfb 100644
} else {
while ((*l != '\0') && !ITEM_SEP(*l))
l++;
@@ -1213,6 +1266,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -1215,6 +1268,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
break; /* done */
}
@ -538,7 +538,7 @@ index bd97c0fdab..add5843bfb 100644
return retval;
}
@@ -1377,7 +1435,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
@@ -1379,7 +1437,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
if (ret && ctx->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
@ -547,7 +547,7 @@ index bd97c0fdab..add5843bfb 100644
ctx->tls13_ciphersuites);
}
@@ -1390,7 +1448,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1392,7 +1450,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
if (ret && s->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
@ -556,7 +556,7 @@ index bd97c0fdab..add5843bfb 100644
s->tls13_ciphersuites);
}
@@ -1399,17 +1457,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1401,17 +1459,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -581,7 +581,7 @@ index bd97c0fdab..add5843bfb 100644
/*
* Return with error if nothing to do.
@@ -1458,16 +1519,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1460,16 +1521,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* preference).
*/
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
@ -605,7 +605,7 @@ index bd97c0fdab..add5843bfb 100644
&head, &tail);
/*
@@ -1476,13 +1537,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1478,13 +1539,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* strength.
*/
ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
@ -622,7 +622,7 @@ index bd97c0fdab..add5843bfb 100644
&tail);
/*
@@ -1490,16 +1551,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1492,16 +1553,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* disabled. (For applications that allow them, they aren't too bad, but
* we prefer authenticated ciphers.)
*/
@ -643,7 +643,7 @@ index bd97c0fdab..add5843bfb 100644
&tail);
/*
@@ -1515,7 +1576,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1517,7 +1578,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
* TODO(openssl-team): is there an easier way to accomplish all this?
*/
@ -652,7 +652,7 @@ index bd97c0fdab..add5843bfb 100644
&head, &tail);
/*
@@ -1531,15 +1592,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1533,15 +1594,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* Because we now bump ciphers to the top of the list, we proceed in
* reverse order of preference.
*/
@ -672,7 +672,7 @@ index bd97c0fdab..add5843bfb 100644
/*
* We also need cipher aliases for selecting based on the rule_str.
@@ -1553,9 +1614,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1555,9 +1616,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
@ -683,7 +683,7 @@ index bd97c0fdab..add5843bfb 100644
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1580,27 +1640,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1582,27 +1642,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
OPENSSL_free(ca_list); /* Not needed anymore */
@ -731,7 +731,7 @@ index bd97c0fdab..add5843bfb 100644
}
/*
@@ -1609,26 +1677,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1611,26 +1679,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) {
@ -971,10 +971,10 @@ index ba606e35ed..59ae36a554 100644
/* Dup the client_CA list */
if (!dup_ca_names(&ret->ca_names, s->ca_names)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c2e6474f86..8fbede969c 100644
index 2d68691a0f..92821b7df0 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -742,9 +742,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -745,9 +745,46 @@ typedef struct ssl_ctx_ext_secure_st {
unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
} SSL_CTX_EXT_SECURE;
@ -1022,7 +1022,7 @@ index c2e6474f86..8fbede969c 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1081,6 +1118,8 @@ struct ssl_st {
@@ -1084,6 +1121,8 @@ struct ssl_st {
* DTLS1_VERSION)
*/
int version;
@ -1031,7 +1031,7 @@ index c2e6474f86..8fbede969c 100644
/* SSLv3 */
const SSL_METHOD *method;
/*
@@ -1139,7 +1178,7 @@ struct ssl_st {
@@ -1142,7 +1181,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
@ -1040,7 +1040,7 @@ index c2e6474f86..8fbede969c 100644
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2266,7 +2305,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2269,7 +2308,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -1049,7 +1049,7 @@ index c2e6474f86..8fbede969c 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2276,6 +2315,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2279,6 +2318,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
@ -1063,7 +1063,7 @@ index c2e6474f86..8fbede969c 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2359,7 +2405,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2362,7 +2408,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
@ -1144,7 +1144,7 @@ index 6545f5727d..15786a7bfc 100644
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 9e68e05ccf..d05fa9f532 100644
index 1a9aa41b99..a08f4fa013 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1788,6 +1788,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)

80
openssl-equal-3.0.0-dev_ciphers.patch
View File

@ -1,5 +1,5 @@
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
index 4a2deccd24..43680fb7ec 100644
index e29c5d7ced..b5bca974c9 100644
--- a/doc/man1/ciphers.pod
+++ b/doc/man1/ciphers.pod
@@ -400,6 +400,21 @@ permissible.
@ -50,12 +50,12 @@ index f8783717bc..0e7ad2818b 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index c57344ca0e..ca2c892ed6 100644
index 166f15ad5c..3205f1cbfb 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -30,6 +30,16 @@ extern "C" {
# define TLS1_3_VERSION 0x0304
# define TLS_MAX_VERSION TLS1_3_VERSION
@@ -32,6 +32,16 @@ extern "C" {
# define TLS_MAX_VERSION TLS1_3_VERSION
# endif
+/* TODO(TLS1.3) REMOVE ME: Version indicators for draft version */
+# define TLS1_3_VERSION_DRAFT_23 0x7f17
@ -380,10 +380,10 @@ index a5b3dbbfd5..6dd4ad4b68 100644
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index bd97c0fdab..eccce1509a 100644
index 461a9debab..8eb18f0e28 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -190,6 +190,7 @@ typedef struct cipher_order_st {
@@ -192,6 +192,7 @@ typedef struct cipher_order_st {
const SSL_CIPHER *cipher;
int active;
int dead;
@ -391,7 +391,7 @@ index bd97c0fdab..eccce1509a 100644
struct cipher_order_st *next, *prev;
} CIPHER_ORDER;
@@ -294,6 +295,7 @@ static const SSL_CIPHER cipher_aliases[] = {
@@ -296,6 +297,7 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
{0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
{0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
@ -399,7 +399,7 @@ index bd97c0fdab..eccce1509a 100644
/* strength classes */
{0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
@@ -679,6 +681,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
@@ -681,6 +683,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
co_list[co_list_num].next = NULL;
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = 0;
@ -407,7 +407,7 @@ index bd97c0fdab..eccce1509a 100644
co_list_num++;
}
@@ -772,8 +775,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -774,8 +777,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
uint32_t alg_auth, uint32_t alg_enc,
uint32_t alg_mac, int min_tls,
uint32_t algo_strength, int rule,
@ -418,7 +418,7 @@ index bd97c0fdab..eccce1509a 100644
{
CIPHER_ORDER *head, *tail, *curr, *next, *last;
const SSL_CIPHER *cp;
@@ -781,9 +784,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -783,9 +786,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
#ifdef CIPHER_DEBUG
fprintf(stderr,
@ -430,7 +430,7 @@ index bd97c0fdab..eccce1509a 100644
#endif
if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
@@ -860,6 +863,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -862,6 +865,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
if (!curr->active) {
ll_append_tail(&head, curr, &tail);
curr->active = 1;
@ -438,7 +438,7 @@ index bd97c0fdab..eccce1509a 100644
}
}
/* Move the added cipher to this location */
@@ -867,6 +871,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -869,6 +873,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
/* reverse == 0 */
if (curr->active) {
ll_append_tail(&head, curr, &tail);
@ -446,7 +446,7 @@ index bd97c0fdab..eccce1509a 100644
}
} else if (rule == CIPHER_DEL) {
/* reverse == 1 */
@@ -878,6 +883,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
@@ -880,6 +885,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
*/
ll_append_head(&head, curr, &tail);
curr->active = 0;
@ -454,7 +454,7 @@ index bd97c0fdab..eccce1509a 100644
}
} else if (rule == CIPHER_BUMP) {
if (curr->active)
@@ -945,8 +951,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
@@ -947,8 +953,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
*/
for (i = max_strength_bits; i >= 0; i--)
if (number_uses[i] > 0)
@ -465,7 +465,7 @@ index bd97c0fdab..eccce1509a 100644
OPENSSL_free(number_uses);
return 1;
@@ -960,7 +966,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -962,7 +968,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
int min_tls;
const char *l, *buf;
@ -474,7 +474,7 @@ index bd97c0fdab..eccce1509a 100644
uint32_t cipher_id = 0;
char ch;
@@ -971,18 +977,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -973,18 +979,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
if (ch == '\0')
break; /* done */
@ -542,7 +542,7 @@ index bd97c0fdab..eccce1509a 100644
} else {
rule = CIPHER_ADD;
}
@@ -1007,7 +1061,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -1009,7 +1063,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
while (((ch >= 'A') && (ch <= 'Z')) ||
((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) ||
@ -551,7 +551,7 @@ index bd97c0fdab..eccce1509a 100644
#else
while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
|| (ch == '='))
@@ -1024,7 +1078,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -1026,7 +1080,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* alphanumeric, so we call this an error.
*/
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
@ -560,7 +560,7 @@ index bd97c0fdab..eccce1509a 100644
l++;
break;
}
@@ -1203,8 +1257,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -1205,8 +1259,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
} else if (found) {
ssl_cipher_apply_rule(cipher_id,
alg_mkey, alg_auth, alg_enc, alg_mac,
@ -571,7 +571,7 @@ index bd97c0fdab..eccce1509a 100644
} else {
while ((*l != '\0') && !ITEM_SEP(*l))
l++;
@@ -1213,6 +1267,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
@@ -1215,6 +1269,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
break; /* done */
}
@ -583,7 +583,7 @@ index bd97c0fdab..eccce1509a 100644
return retval;
}
@@ -1377,7 +1436,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
@@ -1379,7 +1438,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
if (ret && ctx->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
@ -592,7 +592,7 @@ index bd97c0fdab..eccce1509a 100644
ctx->tls13_ciphersuites);
}
@@ -1390,7 +1449,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1392,7 +1451,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
if (ret && s->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
@ -601,7 +601,7 @@ index bd97c0fdab..eccce1509a 100644
s->tls13_ciphersuites);
}
@@ -1399,17 +1458,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1401,17 +1460,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -625,7 +625,7 @@ index bd97c0fdab..eccce1509a 100644
/*
* Return with error if nothing to do.
@@ -1458,16 +1520,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1460,16 +1522,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* preference).
*/
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
@ -649,7 +649,7 @@ index bd97c0fdab..eccce1509a 100644
&head, &tail);
/*
@@ -1476,13 +1538,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1478,13 +1540,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* strength.
*/
ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
@ -666,7 +666,7 @@ index bd97c0fdab..eccce1509a 100644
&tail);
/*
@@ -1490,16 +1552,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1492,16 +1554,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* disabled. (For applications that allow them, they aren't too bad, but
* we prefer authenticated ciphers.)
*/
@ -687,7 +687,7 @@ index bd97c0fdab..eccce1509a 100644
&tail);
/*
@@ -1515,7 +1577,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1517,7 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
* TODO(openssl-team): is there an easier way to accomplish all this?
*/
@ -696,7 +696,7 @@ index bd97c0fdab..eccce1509a 100644
&head, &tail);
/*
@@ -1531,15 +1593,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1533,15 +1595,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* Because we now bump ciphers to the top of the list, we proceed in
* reverse order of preference.
*/
@ -719,7 +719,7 @@ index bd97c0fdab..eccce1509a 100644
/*
* We also need cipher aliases for selecting based on the rule_str.
@@ -1553,9 +1618,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1555,9 +1620,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
@ -730,7 +730,7 @@ index bd97c0fdab..eccce1509a 100644
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1580,28 +1644,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1582,28 +1646,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
OPENSSL_free(ca_list); /* Not needed anymore */
@ -766,7 +766,7 @@ index bd97c0fdab..eccce1509a 100644
/*
* The cipher selection for the list is done. The ciphers are added
@@ -1609,26 +1664,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1611,26 +1666,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) {
@ -1006,10 +1006,10 @@ index ba606e35ed..59ae36a554 100644
/* Dup the client_CA list */
if (!dup_ca_names(&ret->ca_names, s->ca_names)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c2e6474f86..8fbede969c 100644
index 2d68691a0f..92821b7df0 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -742,9 +742,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -745,9 +745,46 @@ typedef struct ssl_ctx_ext_secure_st {
unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
} SSL_CTX_EXT_SECURE;
@ -1057,7 +1057,7 @@ index c2e6474f86..8fbede969c 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1081,6 +1118,8 @@ struct ssl_st {
@@ -1084,6 +1121,8 @@ struct ssl_st {
* DTLS1_VERSION)
*/
int version;
@ -1066,7 +1066,7 @@ index c2e6474f86..8fbede969c 100644
/* SSLv3 */
const SSL_METHOD *method;
/*
@@ -1139,7 +1178,7 @@ struct ssl_st {
@@ -1142,7 +1181,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
@ -1075,7 +1075,7 @@ index c2e6474f86..8fbede969c 100644
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2266,7 +2305,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2269,7 +2308,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -1084,7 +1084,7 @@ index c2e6474f86..8fbede969c 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2276,6 +2315,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2279,6 +2318,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
@ -1098,7 +1098,7 @@ index c2e6474f86..8fbede969c 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2359,7 +2405,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2362,7 +2408,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
@ -1179,7 +1179,7 @@ index 6545f5727d..15786a7bfc 100644
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 9e68e05ccf..d05fa9f532 100644
index 1a9aa41b99..a08f4fa013 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1788,6 +1788,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)