diff --git a/README.md b/README.md index 3347c9f..496383c 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ **Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_** -[Compatible OpenSSL-1.1.1-pre9-dev (OpenSSL, 22444 commits)](https://github.com/openssl/openssl/tree/a091e212fc55244fe03a4c7db7d8978c5b5014cb) +[Compatible OpenSSL-1.1.1-pre9-dev (OpenSSL, 22461 commits)](https://github.com/openssl/openssl/tree/a9f3f1ccbbf84f4ef804ede82d4b072492b54c03) ## Patch files diff --git a/openssl-equal-pre9.patch b/openssl-equal-pre9.patch index 3c3dc73..088e6b7 100644 --- a/openssl-equal-pre9.patch +++ b/openssl-equal-pre9.patch @@ -1,5 +1,5 @@ diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod -index 3786e9a028..8dd0d2c028 100644 +index e3278eb6db..8e43cdd028 100644 --- a/doc/man1/ciphers.pod +++ b/doc/man1/ciphers.pod @@ -418,6 +418,21 @@ permissible. @@ -25,7 +25,7 @@ index 3786e9a028..8dd0d2c028 100644 The following lists give the SSL or TLS cipher suites names from the diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index 943a8d6c9f..7cdb24fe53 100644 +index bbcfb3c0b3..a4e0316980 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -173,12 +173,12 @@ extern "C" { @@ -819,10 +819,10 @@ index 9ce643ae8e..b88c534495 100644 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 6ced147ab8..1260b1dff3 100644 +index 1387067b30..1dbc36139b 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c -@@ -1108,6 +1108,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) +@@ -1111,6 +1111,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) return X509_VERIFY_PARAM_set1(ssl->param, vpm); } @@ -894,7 +894,7 @@ index 6ced147ab8..1260b1dff3 100644 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) { return ctx->param; -@@ -1148,7 +1213,8 @@ void SSL_free(SSL *s) +@@ -1151,7 +1216,8 @@ void SSL_free(SSL *s) BUF_MEM_free(s->init_buf); /* add extra stuff */ @@ -904,7 +904,7 @@ index 6ced147ab8..1260b1dff3 100644 sk_SSL_CIPHER_free(s->cipher_list_by_id); sk_SSL_CIPHER_free(s->tls13_ciphersuites); -@@ -2431,9 +2497,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) +@@ -2434,9 +2500,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) { if (s != NULL) { if (s->cipher_list != NULL) { @@ -916,7 +916,7 @@ index 6ced147ab8..1260b1dff3 100644 } } return NULL; -@@ -2507,8 +2573,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n) +@@ -2510,8 +2576,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n) * preference */ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { @@ -927,7 +927,7 @@ index 6ced147ab8..1260b1dff3 100644 return NULL; } -@@ -2932,7 +2998,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) +@@ -2935,7 +3001,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST, ret->cert) @@ -936,7 +936,7 @@ index 6ced147ab8..1260b1dff3 100644 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; } -@@ -3095,7 +3161,7 @@ void SSL_CTX_free(SSL_CTX *a) +@@ -3098,7 +3164,7 @@ void SSL_CTX_free(SSL_CTX *a) #ifndef OPENSSL_NO_CT CTLOG_STORE_free(a->ctlog_store); #endif @@ -945,7 +945,7 @@ index 6ced147ab8..1260b1dff3 100644 sk_SSL_CIPHER_free(a->cipher_list_by_id); sk_SSL_CIPHER_free(a->tls13_ciphersuites); ssl_cert_free(a->cert); -@@ -3750,13 +3816,15 @@ SSL *SSL_dup(SSL *s) +@@ -3754,13 +3820,15 @@ SSL *SSL_dup(SSL *s) /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) { @@ -966,7 +966,7 @@ index 6ced147ab8..1260b1dff3 100644 /* Dup the client_CA list */ if (s->ca_names != NULL) { diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h -index a4d1376cc3..cf5e252019 100644 +index 6a2edeb190..53dbbd596c 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -736,9 +736,46 @@ typedef struct ssl_ctx_ext_secure_st { @@ -1017,7 +1017,7 @@ index a4d1376cc3..cf5e252019 100644 /* same as above but sorted for lookup */ STACK_OF(SSL_CIPHER) *cipher_list_by_id; /* TLSv1.3 specific ciphersuites */ -@@ -1115,7 +1152,7 @@ struct ssl_st { +@@ -1119,7 +1156,7 @@ struct ssl_st { /* Per connection DANE state */ SSL_DANE dane; /* crypto */ @@ -1026,7 +1026,7 @@ index a4d1376cc3..cf5e252019 100644 STACK_OF(SSL_CIPHER) *cipher_list_by_id; /* TLSv1.3 specific ciphersuites */ STACK_OF(SSL_CIPHER) *tls13_ciphersuites; -@@ -2223,7 +2260,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, +@@ -2232,7 +2269,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str); __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, @@ -1035,7 +1035,7 @@ index a4d1376cc3..cf5e252019 100644 STACK_OF(SSL_CIPHER) **cipher_list_by_id, const char *rule_str, CERT *c); -@@ -2233,6 +2270,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, +@@ -2242,6 +2279,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, STACK_OF(SSL_CIPHER) **scsvs, int sslv2format, int fatal); void ssl_update_cache(SSL *s, int mode); @@ -1049,7 +1049,7 @@ index a4d1376cc3..cf5e252019 100644 __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, size_t *mac_secret_size, SSL_COMP **comp, -@@ -2315,7 +2359,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, +@@ -2324,7 +2368,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk); __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, @@ -1086,10 +1086,10 @@ index cc4563b357..4fb02935e9 100644 /* * The only protocol version we support which is valid in this extension in diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index 91d304e2b4..38a1684793 100644 +index 61fc3caa1c..68dd92a76c 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c -@@ -1708,8 +1708,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) +@@ -1717,8 +1717,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) while (PACKET_get_net_2(&versionslist, &candidate_vers)) { /* TODO(TLS1.3): Remove this before release */ if (candidate_vers == TLS1_3_VERSION_DRAFT @@ -1101,7 +1101,7 @@ index 91d304e2b4..38a1684793 100644 && orig_candidate > candidate_vers) continue; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index 9c44be0301..d0a1600435 100644 +index 5c59eb8b1e..92ff931982 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1710,7 +1710,7 @@ static int tls_early_post_process_client_hello(SSL *s) diff --git a/openssl-equal-pre9_ciphers.patch b/openssl-equal-pre9_ciphers.patch index dfb6d73..4ce5b86 100644 --- a/openssl-equal-pre9_ciphers.patch +++ b/openssl-equal-pre9_ciphers.patch @@ -1,5 +1,5 @@ diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod -index 3786e9a028..8dd0d2c028 100644 +index e3278eb6db..8e43cdd028 100644 --- a/doc/man1/ciphers.pod +++ b/doc/man1/ciphers.pod @@ -418,6 +418,21 @@ permissible. @@ -854,10 +854,10 @@ index 9ce643ae8e..b88c534495 100644 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 6ced147ab8..1260b1dff3 100644 +index 1387067b30..1dbc36139b 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c -@@ -1108,6 +1108,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) +@@ -1111,6 +1111,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) return X509_VERIFY_PARAM_set1(ssl->param, vpm); } @@ -929,7 +929,7 @@ index 6ced147ab8..1260b1dff3 100644 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) { return ctx->param; -@@ -1148,7 +1213,8 @@ void SSL_free(SSL *s) +@@ -1151,7 +1216,8 @@ void SSL_free(SSL *s) BUF_MEM_free(s->init_buf); /* add extra stuff */ @@ -939,7 +939,7 @@ index 6ced147ab8..1260b1dff3 100644 sk_SSL_CIPHER_free(s->cipher_list_by_id); sk_SSL_CIPHER_free(s->tls13_ciphersuites); -@@ -2431,9 +2497,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) +@@ -2434,9 +2500,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) { if (s != NULL) { if (s->cipher_list != NULL) { @@ -951,7 +951,7 @@ index 6ced147ab8..1260b1dff3 100644 } } return NULL; -@@ -2507,8 +2573,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n) +@@ -2510,8 +2576,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n) * preference */ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { @@ -962,7 +962,7 @@ index 6ced147ab8..1260b1dff3 100644 return NULL; } -@@ -2932,7 +2998,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) +@@ -2935,7 +3001,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST, ret->cert) @@ -971,7 +971,7 @@ index 6ced147ab8..1260b1dff3 100644 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; } -@@ -3095,7 +3161,7 @@ void SSL_CTX_free(SSL_CTX *a) +@@ -3098,7 +3164,7 @@ void SSL_CTX_free(SSL_CTX *a) #ifndef OPENSSL_NO_CT CTLOG_STORE_free(a->ctlog_store); #endif @@ -980,7 +980,7 @@ index 6ced147ab8..1260b1dff3 100644 sk_SSL_CIPHER_free(a->cipher_list_by_id); sk_SSL_CIPHER_free(a->tls13_ciphersuites); ssl_cert_free(a->cert); -@@ -3750,13 +3816,15 @@ SSL *SSL_dup(SSL *s) +@@ -3754,13 +3820,15 @@ SSL *SSL_dup(SSL *s) /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) { @@ -1001,7 +1001,7 @@ index 6ced147ab8..1260b1dff3 100644 /* Dup the client_CA list */ if (s->ca_names != NULL) { diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h -index a4d1376cc3..cf5e252019 100644 +index 6a2edeb190..53dbbd596c 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -736,9 +736,46 @@ typedef struct ssl_ctx_ext_secure_st { @@ -1052,7 +1052,7 @@ index a4d1376cc3..cf5e252019 100644 /* same as above but sorted for lookup */ STACK_OF(SSL_CIPHER) *cipher_list_by_id; /* TLSv1.3 specific ciphersuites */ -@@ -1115,7 +1152,7 @@ struct ssl_st { +@@ -1119,7 +1156,7 @@ struct ssl_st { /* Per connection DANE state */ SSL_DANE dane; /* crypto */ @@ -1061,7 +1061,7 @@ index a4d1376cc3..cf5e252019 100644 STACK_OF(SSL_CIPHER) *cipher_list_by_id; /* TLSv1.3 specific ciphersuites */ STACK_OF(SSL_CIPHER) *tls13_ciphersuites; -@@ -2223,7 +2260,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, +@@ -2232,7 +2269,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str); __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, @@ -1070,7 +1070,7 @@ index a4d1376cc3..cf5e252019 100644 STACK_OF(SSL_CIPHER) **cipher_list_by_id, const char *rule_str, CERT *c); -@@ -2233,6 +2270,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, +@@ -2242,6 +2279,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, STACK_OF(SSL_CIPHER) **scsvs, int sslv2format, int fatal); void ssl_update_cache(SSL *s, int mode); @@ -1084,7 +1084,7 @@ index a4d1376cc3..cf5e252019 100644 __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, size_t *mac_secret_size, SSL_COMP **comp, -@@ -2315,7 +2359,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, +@@ -2324,7 +2368,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk); __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, @@ -1121,10 +1121,10 @@ index cc4563b357..4fb02935e9 100644 /* * The only protocol version we support which is valid in this extension in diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index 91d304e2b4..38a1684793 100644 +index 61fc3caa1c..68dd92a76c 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c -@@ -1708,8 +1708,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) +@@ -1717,8 +1717,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) while (PACKET_get_net_2(&versionslist, &candidate_vers)) { /* TODO(TLS1.3): Remove this before release */ if (candidate_vers == TLS1_3_VERSION_DRAFT @@ -1136,7 +1136,7 @@ index 91d304e2b4..38a1684793 100644 && orig_candidate > candidate_vers) continue; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index 9c44be0301..d0a1600435 100644 +index 5c59eb8b1e..92ff931982 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1710,7 +1710,7 @@ static int tls_early_post_process_client_hello(SSL *s)