jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Latest update - OpenSSL v3.0.0-dev

pull/25/head
Hakase 2019-06-19 19:24:34 +09:00
parent c4a1577ba3
commit 777dd976b1
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
4 changed files with 153 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -31,7 +31,7 @@ Default support is in bold type.
- [Google(Gmail)](https://gmail.com/) : _TLSv1.3_ **final**
- [NSS TLS 1.3(Mozilla)](https://tls13.crypto.mozilla.org/) : _TLSv1.3_ **final**
[Compatible OpenSSL-3.0.0-dev (OpenSSL, 23804 commits)](https://github.com/openssl/openssl/tree/4679345149f04eece835593823932263d9421456)
[Compatible OpenSSL-3.0.0-dev (OpenSSL, 24014 commits)](https://github.com/openssl/openssl/tree/4cdb302fef1f2160b74acbe1739f62c713fd99f5)
## Patch files

66
openssl-3.0.0-dev-chacha_draft.patch
View File

@ -220,66 +220,66 @@ index ccef031b89..083179398c 100644
# endif
#endif
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index c778d45aa9..b761ad1e47 100644
index 876bab2a7f..0e825e5b8b 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -1080,7 +1080,7 @@ static const unsigned char so[7775] = {
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75, /* [ 7766] OBJ_SM2_with_SM3 */
};
-#define NUM_NID 1206
+#define NUM_NID 1207
-#define NUM_NID 1207
+#define NUM_NID 1208
static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"UNDEF", "undefined", NID_undef},
{"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2288,9 +2288,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"SSHKDF", "sshkdf", NID_sshkdf},
@@ -2289,9 +2289,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"SM2-SM3", "SM2-with-SM3", NID_SM2_with_SM3, 8, &so[7766]},
{"SSKDF", "sskdf", NID_sskdf},
{"X963KDF", "x963kdf", NID_x963kdf},
+ {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft},
};
-#define NUM_SN 1197
+#define NUM_SN 1198
-#define NUM_SN 1198
+#define NUM_SN 1199
static const unsigned int sn_objs[NUM_SN] = {
364, /* "AD_DVCS" */
419, /* "AES-128-CBC" */
@@ -2413,6 +2414,7 @@ static const unsigned int sn_objs[NUM_SN] = {
@@ -2414,6 +2415,7 @@ static const unsigned int sn_objs[NUM_SN] = {
417, /* "CSPName" */
1019, /* "ChaCha20" */
1018, /* "ChaCha20-Poly1305" */
+ 1206, /* "ChaCha20-Poly1305-D" */
+ 1207, /* "ChaCha20-Poly1305-D" */
367, /* "CrlID" */
391, /* "DC" */
31, /* "DES-CBC" */
@@ -3491,7 +3493,7 @@ static const unsigned int sn_objs[NUM_SN] = {
@@ -3493,7 +3495,7 @@ static const unsigned int sn_objs[NUM_SN] = {
1093, /* "x509ExtAdmission" */
};
-#define NUM_LN 1197
+#define NUM_LN 1198
-#define NUM_LN 1198
+#define NUM_LN 1199
static const unsigned int ln_objs[NUM_LN] = {
363, /* "AD Time Stamping" */
405, /* "ANSI X9.62" */
@@ -3876,6 +3878,7 @@ static const unsigned int ln_objs[NUM_LN] = {
@@ -3878,6 +3880,7 @@ static const unsigned int ln_objs[NUM_LN] = {
883, /* "certificateRevocationList" */
1019, /* "chacha20" */
1018, /* "chacha20-poly1305" */
+ 1206, /* "chacha20-poly1305-draft" */
+ 1207, /* "chacha20-poly1305-draft" */
54, /* "challengePassword" */
407, /* "characteristic-two-field" */
395, /* "clearance" */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 44820a7c8d..03c87d5b33 100644
index e0969fe1fd..957a28d47a 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1203,3 +1203,4 @@ blake2smac 1202
sshkdf 1203
@@ -1204,3 +1204,4 @@ sshkdf 1203
SM2_with_SM3 1204
sskdf 1205
+chacha20_poly1305_draft 1206
x963kdf 1206
+chacha20_poly1305_draft 1207
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 2240916ff4..2a61f1a23a 100644
index 566438948f..92f235d5d5 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -1545,6 +1545,7 @@ sm-scheme 104 7 : SM4-CTR : sm4-ctr
@ -291,10 +291,10 @@ index 2240916ff4..2a61f1a23a 100644
ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 6fc0f35114..c26c6d0182 100644
index 5fb04d15c3..0c35685846 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -933,6 +933,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
@@ -936,6 +936,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
const EVP_CIPHER *EVP_chacha20(void);
# ifndef OPENSSL_NO_POLY1305
const EVP_CIPHER *EVP_chacha20_poly1305(void);
@ -303,7 +303,7 @@ index 6fc0f35114..c26c6d0182 100644
# endif
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index a0d4eed358..6ab0a3bd3f 100644
index 147bad12db..6e9f141ba5 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -4833,6 +4833,10 @@
@ -312,13 +312,13 @@ index a0d4eed358..6ab0a3bd3f 100644
+#define SN_chacha20_poly1305_draft "ChaCha20-Poly1305-D"
+#define LN_chacha20_poly1305_draft "chacha20-poly1305-draft"
+#define NID_chacha20_poly1305_draft 1206
+#define NID_chacha20_poly1305_draft 1207
+
#define SN_chacha20 "ChaCha20"
#define LN_chacha20 "chacha20"
#define NID_chacha20 1019
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index f4b17f1beb..bb3fe66300 100644
index 7219d83420..b569270f84 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -125,6 +125,7 @@ extern "C" {
@ -372,7 +372,7 @@ index 4db2b6a0db..5b07fb3cba 100644
# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5ea2c2d029..5877f6876c 100644
index 3238fd9b7e..c281fed428 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2083,6 +2083,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
@ -431,7 +431,7 @@ index 5ea2c2d029..5877f6876c 100644
1,
TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5aa04dbd53..8b2b7e7b36 100644
index 6cb8b33b5b..d94adfc6a2 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -44,7 +44,8 @@
@ -480,7 +480,7 @@ index 5aa04dbd53..8b2b7e7b36 100644
} else if (c->algorithm_mac & SSL_AEAD) {
/* We're supposed to have handled all the AEAD modes above */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4a72864980..5da1a0f0c0 100644
index a61987f327..898932910f 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -234,12 +234,13 @@
@ -499,11 +499,11 @@ index 4a72864980..5da1a0f0c0 100644
# define SSL_ARIA (SSL_ARIAGCM)
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 010f8686d5..e6ae934b4d 100644
index 0b181070eb..c4b68ae6ca 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4804,3 +4804,4 @@ EVP_KDF_CTX_new 4751 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_kdf 4752 3_0_0 EXIST::FUNCTION:
EVP_KDF_nid 4753 3_0_0 EXIST::FUNCTION:
EVP_get_kdfbyname 4754 3_0_0 EXIST::FUNCTION:
+EVP_chacha20_poly1305_draft 4755 3_0_0 EXIST::FUNCTION:CHACHA,POLY1305
@@ -4832,3 +4832,4 @@ OPENSSL_CTX_get0_private_drbg 4776 3_0_0 EXIST::FUNCTION:
BN_CTX_new_ex 4777 3_0_0 EXIST::FUNCTION:
BN_CTX_secure_new_ex 4778 3_0_0 EXIST::FUNCTION:
OPENSSL_thread_stop_ex 4779 3_0_0 EXIST::FUNCTION:
+EVP_chacha20_poly1305_draft 4780 3_0_0 EXIST::FUNCTION:CHACHA,POLY1305

92
openssl-equal-3.0.0-dev.patch
View File

@ -1,8 +1,8 @@
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 8ad85f5025..17de01ad22 100644
index 23c0ddae4f..f1663dec44 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2925,6 +2925,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
@@ -2943,6 +2943,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
mixed handshake and non handshake data
@ -11,7 +11,7 @@ index 8ad85f5025..17de01ad22 100644
SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
SSL_R_NOT_SERVER:284:not server
@@ -3031,7 +3033,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
@@ -3049,7 +3051,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
@ -48,10 +48,10 @@ index e29c5d7ced..7d795c390e 100644
The following lists give the SSL or TLS cipher suites names from the
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 7f776f97f7..bef78d6c2c 100644
index 385fda37a4..ece73c495c 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -600,6 +600,8 @@ int ERR_load_SSL_strings(void);
@@ -601,6 +601,8 @@ int ERR_load_SSL_strings(void);
# define SSL_R_MISSING_TMP_DH_KEY 171
# define SSL_R_MISSING_TMP_ECDH_KEY 311
# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
@ -60,7 +60,7 @@ index 7f776f97f7..bef78d6c2c 100644
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182
# define SSL_R_NOT_REPLACING_CERTIFICATE 289
# define SSL_R_NOT_SERVER 284
@@ -730,7 +732,9 @@ int ERR_load_SSL_strings(void);
@@ -731,7 +733,9 @@ int ERR_load_SSL_strings(void);
# define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
# define SSL_R_UNEXPECTED_CCS_MESSAGE 262
# define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
@ -71,7 +71,7 @@ index 7f776f97f7..bef78d6c2c 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5ea2c2d029..4c388ad992 100644
index 3238fd9b7e..3bcb63886b 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -168,7 +168,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
@ -101,7 +101,7 @@ index 5ea2c2d029..4c388ad992 100644
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -4109,6 +4109,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -4110,6 +4110,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
return 1;
}
@ -119,7 +119,7 @@ index 5ea2c2d029..4c388ad992 100644
/*
* ssl3_choose_cipher - choose a cipher from those offered by the client
* @s: SSL connection
@@ -4118,16 +4129,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -4119,16 +4130,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
* Returns the selected cipher or NULL when no common ciphers.
*/
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@ -150,7 +150,7 @@ index 5ea2c2d029..4c388ad992 100644
/* Let's see which ciphers we can support */
@@ -4154,54 +4173,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4155,54 +4174,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
} OSSL_TRACE_END(TLS_CIPHER);
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
@ -208,7 +208,7 @@ index 5ea2c2d029..4c388ad992 100644
allow = srvr;
}
@@ -4232,14 +4210,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4233,14 +4211,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
c = sk_SSL_CIPHER_value(prio, i);
@ -227,7 +227,7 @@ index 5ea2c2d029..4c388ad992 100644
/*
* Since TLS 1.3 ciphersuites can be used with any auth or
@@ -4261,10 +4241,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4262,10 +4242,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
@ -240,7 +240,7 @@ index 5ea2c2d029..4c388ad992 100644
OSSL_TRACE7(TLS_CIPHER,
"%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",
ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4280,6 +4260,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4281,6 +4261,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ok)
continue;
@ -255,7 +255,7 @@ index 5ea2c2d029..4c388ad992 100644
}
ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) {
@@ -4287,14 +4275,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4288,14 +4276,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c))
continue;
@ -271,7 +271,7 @@ index 5ea2c2d029..4c388ad992 100644
if (prefer_sha256) {
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
@@ -4306,13 +4287,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4307,13 +4288,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ret = tmp;
continue;
}
@ -315,7 +315,7 @@ index 5ea2c2d029..4c388ad992 100644
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5aa04dbd53..655e259c9b 100644
index 6cb8b33b5b..7cb418a0d6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -193,6 +193,7 @@ typedef struct cipher_order_st {
@ -763,10 +763,10 @@ index 5aa04dbd53..655e259c9b 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index afe1b58214..f38ac1558c 100644
index daeee1ecc4..485f8b7eb5 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -966,6 +966,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -967,6 +967,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"missing tmp ecdh key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
"mixed handshake and non handshake data"},
@ -776,7 +776,7 @@ index afe1b58214..f38ac1558c 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
"not on record boundary"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
@@ -1200,7 +1203,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -1201,7 +1204,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"unexpected ccs message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
"unexpected end of early data"},
@ -789,10 +789,10 @@ index afe1b58214..f38ac1558c 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 89a410057b..88a037e6c4 100644
index d15b743f50..0759bc639b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1120,6 +1120,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
@@ -1122,6 +1122,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
@ -864,7 +864,7 @@ index 89a410057b..88a037e6c4 100644
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
return ctx->param;
@@ -1164,7 +1229,8 @@ void SSL_free(SSL *s)
@@ -1166,7 +1231,8 @@ void SSL_free(SSL *s)
BUF_MEM_free(s->init_buf);
/* add extra stuff */
@ -873,8 +873,8 @@ index 89a410057b..88a037e6c4 100644
+ ssl_cipher_preference_list_free(s->cipher_list);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
@@ -2492,9 +2558,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
sk_SSL_CIPHER_free(s->peer_ciphers);
@@ -2563,9 +2629,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
{
if (s != NULL) {
if (s->cipher_list != NULL) {
@ -886,7 +886,7 @@ index 89a410057b..88a037e6c4 100644
}
}
return NULL;
@@ -2568,8 +2634,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
@@ -2639,8 +2705,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
* preference */
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
{
@ -897,16 +897,16 @@ index 89a410057b..88a037e6c4 100644
return NULL;
}
@@ -3018,7 +3084,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
@@ -3088,7 +3154,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST, ret->cert)
OSSL_default_cipher_list(), ret->cert)
- || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+ || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -3194,7 +3260,7 @@ void SSL_CTX_free(SSL_CTX *a)
@@ -3264,7 +3330,7 @@ void SSL_CTX_free(SSL_CTX *a)
#ifndef OPENSSL_NO_CT
CTLOG_STORE_free(a->ctlog_store);
#endif
@ -915,7 +915,7 @@ index 89a410057b..88a037e6c4 100644
sk_SSL_CIPHER_free(a->cipher_list_by_id);
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
ssl_cert_free(a->cert);
@@ -3870,13 +3936,15 @@ SSL *SSL_dup(SSL *s)
@@ -3940,13 +4006,15 @@ SSL *SSL_dup(SSL *s)
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL) {
@ -936,10 +936,10 @@ index 89a410057b..88a037e6c4 100644
/* Dup the client_CA list */
if (!dup_ca_names(&ret->ca_names, s->ca_names)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4a72864980..20954aea62 100644
index a61987f327..e03be541e1 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -744,9 +744,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
} SSL_CTX_EXT_SECURE;
@ -987,16 +987,16 @@ index 4a72864980..20954aea62 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1319,7 +1356,7 @@ struct ssl_st {
/* Per connection DANE state */
@@ -1314,7 +1351,7 @@ struct ssl_st {
SSL_DANE dane;
/* crypto */
STACK_OF(SSL_CIPHER) *peer_ciphers;
- STACK_OF(SSL_CIPHER) *cipher_list;
+ struct ssl_cipher_preference_list_st *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2278,7 +2315,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2287,7 +2324,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -1005,7 +1005,7 @@ index 4a72864980..20954aea62 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2288,6 +2325,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2297,6 +2334,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
@ -1019,7 +1019,7 @@ index 4a72864980..20954aea62 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2371,7 +2415,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2382,7 +2426,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
@ -1029,10 +1029,10 @@ index 4a72864980..20954aea62 100644
__owur int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index fe495a3a68..cdfbfbd52b 100644
index 79c2aa0ede..a39647431f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1755,7 +1755,7 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1749,7 +1749,7 @@ static int tls_early_post_process_client_hello(SSL *s)
/* For TLSv1.3 we must select the ciphersuite *before* session resumption */
if (SSL_IS_TLS13(s)) {
const SSL_CIPHER *cipher =
@ -1041,33 +1041,33 @@ index fe495a3a68..cdfbfbd52b 100644
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
@@ -1938,7 +1938,7 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1932,7 +1932,7 @@ static int tls_early_post_process_client_hello(SSL *s)
/* check if some cipher was preferred by call back */
if (pref_cipher == NULL)
pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
- SSL_get_ciphers(s));
+ ssl_get_cipher_preferences(s));
if (pref_cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
@@ -1947,8 +1947,9 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1941,8 +1941,9 @@ static int tls_early_post_process_client_hello(SSL *s)
}
s->session->cipher = pref_cipher;
- sk_SSL_CIPHER_free(s->cipher_list);
- s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
- s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
+ ssl_cipher_preference_list_free(s->cipher_list);
+ s->cipher_list = ssl_cipher_preference_list_from_ciphers(
+ s->session->ciphers);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
}
@@ -2262,7 +2263,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
@@ -2256,7 +2257,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
/* In TLSv1.3 we selected the ciphersuite before resumption */
if (!SSL_IS_TLS13(s)) {
cipher =
- ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
- ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, s->peer_ciphers, ssl_get_cipher_preferences(s));
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,

143
openssl-equal-3.0.0-dev_ciphers.patch
View File

@ -1,8 +1,8 @@
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 8ad85f5025..17de01ad22 100644
index 23c0ddae4f..f1663dec44 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2925,6 +2925,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
@@ -2943,6 +2943,8 @@ SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
mixed handshake and non handshake data
@ -11,7 +11,7 @@ index 8ad85f5025..17de01ad22 100644
SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
SSL_R_NOT_SERVER:284:not server
@@ -3031,7 +3033,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
@@ -3049,7 +3051,9 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
@ -48,10 +48,10 @@ index e29c5d7ced..7d795c390e 100644
The following lists give the SSL or TLS cipher suites names from the
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 7f776f97f7..bef78d6c2c 100644
index 385fda37a4..ece73c495c 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -600,6 +600,8 @@ int ERR_load_SSL_strings(void);
@@ -601,6 +601,8 @@ int ERR_load_SSL_strings(void);
# define SSL_R_MISSING_TMP_DH_KEY 171
# define SSL_R_MISSING_TMP_ECDH_KEY 311
# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
@ -60,7 +60,7 @@ index 7f776f97f7..bef78d6c2c 100644
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182
# define SSL_R_NOT_REPLACING_CERTIFICATE 289
# define SSL_R_NOT_SERVER 284
@@ -730,7 +732,9 @@ int ERR_load_SSL_strings(void);
@@ -731,7 +733,9 @@ int ERR_load_SSL_strings(void);
# define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
# define SSL_R_UNEXPECTED_CCS_MESSAGE 262
# define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178
@ -71,7 +71,7 @@ index 7f776f97f7..bef78d6c2c 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5ea2c2d029..30361e6d58 100644
index 3238fd9b7e..07136c6976 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -32,7 +32,25 @@ const unsigned char tls12downgrade[] = {
@ -128,6 +128,15 @@ index 5ea2c2d029..30361e6d58 100644
SSL_3DES,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -200,7 +206,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
@ -137,6 +146,15 @@ index 5ea2c2d029..30361e6d58 100644
SSL_AES128,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -265,7 +271,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
@ -150,7 +168,16 @@ index 5ea2c2d029..30361e6d58 100644
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -4109,6 +4115,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -329,7 +335,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -4110,6 +4116,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
return 1;
}
@ -168,7 +195,7 @@ index 5ea2c2d029..30361e6d58 100644
/*
* ssl3_choose_cipher - choose a cipher from those offered by the client
* @s: SSL connection
@@ -4118,16 +4135,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -4119,16 +4136,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
* Returns the selected cipher or NULL when no common ciphers.
*/
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@ -199,7 +226,7 @@ index 5ea2c2d029..30361e6d58 100644
/* Let's see which ciphers we can support */
@@ -4154,54 +4179,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4155,54 +4180,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
} OSSL_TRACE_END(TLS_CIPHER);
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
@ -257,7 +284,7 @@ index 5ea2c2d029..30361e6d58 100644
allow = srvr;
}
@@ -4232,14 +4216,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4233,14 +4217,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
c = sk_SSL_CIPHER_value(prio, i);
@ -276,7 +303,7 @@ index 5ea2c2d029..30361e6d58 100644
/*
* Since TLS 1.3 ciphersuites can be used with any auth or
@@ -4261,10 +4247,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4262,10 +4248,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
@ -289,7 +316,7 @@ index 5ea2c2d029..30361e6d58 100644
OSSL_TRACE7(TLS_CIPHER,
"%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",
ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4280,6 +4266,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4281,6 +4267,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ok)
continue;
@ -304,7 +331,7 @@ index 5ea2c2d029..30361e6d58 100644
}
ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) {
@@ -4287,14 +4281,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4288,14 +4282,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c))
continue;
@ -320,7 +347,7 @@ index 5ea2c2d029..30361e6d58 100644
if (prefer_sha256) {
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
@@ -4306,13 +4293,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4307,13 +4294,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ret = tmp;
continue;
}
@ -364,7 +391,7 @@ index 5ea2c2d029..30361e6d58 100644
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5aa04dbd53..655e259c9b 100644
index 6cb8b33b5b..7cb418a0d6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -193,6 +193,7 @@ typedef struct cipher_order_st {
@ -812,10 +839,10 @@ index 5aa04dbd53..655e259c9b 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index afe1b58214..f38ac1558c 100644
index daeee1ecc4..485f8b7eb5 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -966,6 +966,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -967,6 +967,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"missing tmp ecdh key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
"mixed handshake and non handshake data"},
@ -825,7 +852,7 @@ index afe1b58214..f38ac1558c 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
"not on record boundary"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
@@ -1200,7 +1203,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -1201,7 +1204,11 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"unexpected ccs message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
"unexpected end of early data"},
@ -838,10 +865,10 @@ index afe1b58214..f38ac1558c 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 89a410057b..c81c7304a7 100644
index d15b743f50..0759bc639b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1120,6 +1120,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
@@ -1122,6 +1122,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
@ -913,7 +940,7 @@ index 89a410057b..c81c7304a7 100644
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
return ctx->param;
@@ -1164,7 +1229,8 @@ void SSL_free(SSL *s)
@@ -1166,7 +1231,8 @@ void SSL_free(SSL *s)
BUF_MEM_free(s->init_buf);
/* add extra stuff */
@ -922,8 +949,8 @@ index 89a410057b..c81c7304a7 100644
+ ssl_cipher_preference_list_free(s->cipher_list);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
@@ -2492,9 +2558,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
sk_SSL_CIPHER_free(s->peer_ciphers);
@@ -2563,9 +2629,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
{
if (s != NULL) {
if (s->cipher_list != NULL) {
@ -935,7 +962,7 @@ index 89a410057b..c81c7304a7 100644
}
}
return NULL;
@@ -2568,29 +2634,22 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
@@ -2639,8 +2705,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
* preference */
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
{
@ -946,40 +973,16 @@ index 89a410057b..c81c7304a7 100644
return NULL;
}
/*
* Distinguish between ciphers controlled by set_ciphersuite() and
* set_cipher_list() when counting.
+ * Enabled "TLS13+AESGCM+AES128" or the others.
*/
static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
{
- int i, num = 0;
- const SSL_CIPHER *c;
-
if (sk == NULL)
return 0;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
- c = sk_SSL_CIPHER_value(sk, i);
- if (c->min_tls >= TLS1_3_VERSION)
- continue;
- num++;
- }
- return num;
+ else
+ return sk_SSL_CIPHER_num(sk);
}
/** specify the ciphers to be used by default by the SSL_CTX */
@@ -3018,7 +3077,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
@@ -3088,7 +3154,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST, ret->cert)
OSSL_default_cipher_list(), ret->cert)
- || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+ || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -3194,7 +3253,7 @@ void SSL_CTX_free(SSL_CTX *a)
@@ -3264,7 +3330,7 @@ void SSL_CTX_free(SSL_CTX *a)
#ifndef OPENSSL_NO_CT
CTLOG_STORE_free(a->ctlog_store);
#endif
@ -988,7 +991,7 @@ index 89a410057b..c81c7304a7 100644
sk_SSL_CIPHER_free(a->cipher_list_by_id);
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
ssl_cert_free(a->cert);
@@ -3870,13 +3929,15 @@ SSL *SSL_dup(SSL *s)
@@ -3940,13 +4006,15 @@ SSL *SSL_dup(SSL *s)
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL) {
@ -1009,10 +1012,10 @@ index 89a410057b..c81c7304a7 100644
/* Dup the client_CA list */
if (!dup_ca_names(&ret->ca_names, s->ca_names)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4a72864980..20954aea62 100644
index a61987f327..e03be541e1 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -744,9 +744,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -737,9 +737,46 @@ typedef struct ssl_ctx_ext_secure_st {
unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
} SSL_CTX_EXT_SECURE;
@ -1060,16 +1063,16 @@ index 4a72864980..20954aea62 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1319,7 +1356,7 @@ struct ssl_st {
/* Per connection DANE state */
@@ -1314,7 +1351,7 @@ struct ssl_st {
SSL_DANE dane;
/* crypto */
STACK_OF(SSL_CIPHER) *peer_ciphers;
- STACK_OF(SSL_CIPHER) *cipher_list;
+ struct ssl_cipher_preference_list_st *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2278,7 +2315,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2287,7 +2324,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@ -1078,7 +1081,7 @@ index 4a72864980..20954aea62 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2288,6 +2325,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2297,6 +2334,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
@ -1092,7 +1095,7 @@ index 4a72864980..20954aea62 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2371,7 +2415,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2382,7 +2426,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
@ -1102,10 +1105,10 @@ index 4a72864980..20954aea62 100644
__owur int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index fe495a3a68..cdfbfbd52b 100644
index 79c2aa0ede..a39647431f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1755,7 +1755,7 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1749,7 +1749,7 @@ static int tls_early_post_process_client_hello(SSL *s)
/* For TLSv1.3 we must select the ciphersuite *before* session resumption */
if (SSL_IS_TLS13(s)) {
const SSL_CIPHER *cipher =
@ -1114,33 +1117,33 @@ index fe495a3a68..cdfbfbd52b 100644
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
@@ -1938,7 +1938,7 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1932,7 +1932,7 @@ static int tls_early_post_process_client_hello(SSL *s)
/* check if some cipher was preferred by call back */
if (pref_cipher == NULL)
pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
- SSL_get_ciphers(s));
+ ssl_get_cipher_preferences(s));
if (pref_cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
@@ -1947,8 +1947,9 @@ static int tls_early_post_process_client_hello(SSL *s)
@@ -1941,8 +1941,9 @@ static int tls_early_post_process_client_hello(SSL *s)
}
s->session->cipher = pref_cipher;
- sk_SSL_CIPHER_free(s->cipher_list);
- s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
- s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
+ ssl_cipher_preference_list_free(s->cipher_list);
+ s->cipher_list = ssl_cipher_preference_list_from_ciphers(
+ s->session->ciphers);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
}
@@ -2262,7 +2263,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
@@ -2256,7 +2257,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
/* In TLSv1.3 we selected the ciphersuite before resumption */
if (!SSL_IS_TLS13(s)) {
cipher =
- ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
- ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, s->peer_ciphers, ssl_get_cipher_preferences(s));
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,