From 8199e97a90044d49b369ad4d4b9f28483050cfa0 Mon Sep 17 00:00:00 2001 From: Hakase Date: Mon, 18 Jun 2018 16:43:12 +0900 Subject: [PATCH] Add support draft 26 --- README.md | 14 +++++++------- openssl-equal-pre7.patch | 5 +++-- openssl-equal-pre7_ciphers.patch | 5 +++-- openssl-equal-pre8.patch | 5 +++-- openssl-equal-pre8_ciphers.patch | 5 +++-- 5 files changed, 19 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 1332758..3c48192 100644 --- a/README.md +++ b/README.md @@ -10,10 +10,10 @@ ## Information -- [Test Page - (TLS 1.3 draft 23, 28)](https://ssl.hakase.io/) +- [Test Page - (TLS 1.3 draft 23, 26, 28)](https://ssl.hakase.io/) - [SSL Test Result - testssl.sh](https://ssl.hakase.io/ssltest/hakase.io.html) - [SSL Test Result - dev.ssllabs.com](https://dev.ssllabs.com/ssltest/analyze.html?d=hakase.io) -- **If you link site to a browser that supports draft 23 or 28, you'll see a TLS 1.3 message.** +- **If you link site to a browser that supports draft 23 or 26 or 28, you'll see a TLS 1.3 message.** **Support TLS 1.3 draft 28 browsers - _Chrome Canary, Firefox Nightly_** @@ -24,15 +24,15 @@ You can find the _OpenSSL 1.1.0h_ patch is [here.](https://gitlab.com/buik/openssl/blob/openssl-patch/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch) Here is the basic patch content. -- Support TLS 1.3 draft 23 + 28 (Not support pre2) - - Server: draft 23 + 28 +- Support TLS 1.3 draft 23 + 26 + 28 (Not support pre2) + - Server: draft 23 + 26 + 28 - Client: draft 23 + 26 + 27 + 28 - BoringSSL's Equal Preference Patch - Weak 3DES and not using ECDHE ciphers is not used in TLSv1.1 or later. | Patch file name | Patch list | | :--- | :--- | -| openssl-equal-pre2.patch | **_Not support_** draft **28**. | +| openssl-equal-pre2.patch | **_Not support_** draft **26, 28**. | | openssl-equal-pre7.patch
openssl-equal-pre8.patch | TLS 1.3 cipher settings **_can not_** be changed on _nginx_. | | openssl-equal-pre7_ciphers.patch
openssl-equal-pre8_ciphers.patch | TLS 1.3 cipher settings **_can_** be changed on _nginx_. | @@ -69,12 +69,12 @@ ssl_prefer_server_ciphers on; [TLS13-AES-128-GCM-SHA256|TLS13-AES-256-GCM-SHA384|TLS13-CHACHA20-POLY1305-SHA256]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES ``` -### OpenSSL-1.1.1-pre7, pre8 ciphers (draft 23, 28) +### OpenSSL-1.1.1-pre7, pre8 ciphers (draft 23, 26, 28) ``` [EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES ``` -### OpenSSL-1.1.1-pre7_ciphers, pre8_ciphers ciphers (draft 23, 28) +### OpenSSL-1.1.1-pre7_ciphers, pre8_ciphers ciphers (draft 23, 26, 28) ``` [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES ``` diff --git a/openssl-equal-pre7.patch b/openssl-equal-pre7.patch index 5f548f0..28d181e 100644 --- a/openssl-equal-pre7.patch +++ b/openssl-equal-pre7.patch @@ -1086,15 +1086,16 @@ index cc4563b357..4fb02935e9 100644 /* * The only protocol version we support which is valid in this extension in diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index 91d304e2b4..1f2eecad0b 100644 +index 91d304e2b4..38a1684793 100644 --- a/ssl/statem/statem_lib.c 
+++ b/ssl/statem/statem_lib.c -@@ -1708,8 +1708,7 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) +@@ -1708,8 +1708,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) while (PACKET_get_net_2(&versionslist, &candidate_vers)) { /* TODO(TLS1.3): Remove this before release */ if (candidate_vers == TLS1_3_VERSION_DRAFT - || candidate_vers == TLS1_3_VERSION_DRAFT_27 - || candidate_vers == TLS1_3_VERSION_DRAFT_26) { ++ || candidate_vers == TLS1_3_VERSION_DRAFT_26 + || candidate_vers == TLS1_3_VERSION_DRAFT_23) { if (best_vers == TLS1_3_VERSION && orig_candidate > candidate_vers) diff --git a/openssl-equal-pre7_ciphers.patch b/openssl-equal-pre7_ciphers.patch index 098de82..cc59d3f 100644 --- a/openssl-equal-pre7_ciphers.patch +++ b/openssl-equal-pre7_ciphers.patch @@ -1121,15 +1121,16 @@ index cc4563b357..4fb02935e9 100644 /* * The only protocol version we support which is valid in this extension in diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index 91d304e2b4..1f2eecad0b 100644 +index 91d304e2b4..38a1684793 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c -@@ -1708,8 +1708,7 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) +@@ -1708,8 +1708,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) while (PACKET_get_net_2(&versionslist, &candidate_vers)) { /* TODO(TLS1.3): Remove this before release */ if (candidate_vers == TLS1_3_VERSION_DRAFT - || candidate_vers == TLS1_3_VERSION_DRAFT_27 - || candidate_vers == TLS1_3_VERSION_DRAFT_26) { ++ || candidate_vers == TLS1_3_VERSION_DRAFT_26 + || candidate_vers == TLS1_3_VERSION_DRAFT_23) { if (best_vers == TLS1_3_VERSION && orig_candidate > candidate_vers) diff --git a/openssl-equal-pre8.patch b/openssl-equal-pre8.patch index 8e697b6..17719ea 100644 --- a/openssl-equal-pre8.patch +++ b/openssl-equal-pre8.patch 
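Review bot: The new `++ || candidate_vers == TLS1_3_VERSION_DRAFT_26` line in `ssl_choose_server_version` widens the set of pre-standard draft codepoints the server will negotiate, but nothing in the hunk records the reason the list is exactly {`TLS1_3_VERSION_DRAFT`, `TLS1_3_VERSION_DRAFT_26`, `TLS1_3_VERSION_DRAFT_23`} while draft 27 — which the pristine pre7 source accepted on the removed `TLS1_3_VERSION_DRAFT_27` line — stays out, and every draft accepted here must be wire-compatible with the single TLS 1.3 code path the state machine runs for `TLS1_3_VERSION`. I would add a one-line comment next to the added line, e.g. `/* drafts accepted here must share the draft-28 wire format; 27 deliberately omitted: <reason> */`, so the next draft bump can be reviewed against a stated rule rather than the README. The same hunk is carried verbatim in openssl-equal-pre7_ciphers.patch (also on this line), openssl-equal-pre8.patch and openssl-equal-pre8_ciphers.patch, so the four copies must be kept in lockstep by hand; the inner `@@ -1708,8 +1708,8 @@` counts are consistent in all four. The surrounding `TODO(TLS1.3): Remove this before release` line suggests upstream will drop these draft constants at the 1.1.1 release, so this hunk presumably stops applying on the final source; `ssl_choose_server_version` starts and ends outside the hunk.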
@@ -1086,15 +1086,16 @@ index cc4563b357..4fb02935e9 100644 /* * The only protocol version we support which is valid in this extension in diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index 91d304e2b4..1f2eecad0b 100644 +index 91d304e2b4..38a1684793 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c -@@ -1708,8 +1708,7 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) +@@ -1708,8 +1708,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) while (PACKET_get_net_2(&versionslist, &candidate_vers)) { /* TODO(TLS1.3): Remove this before release */ if (candidate_vers == TLS1_3_VERSION_DRAFT - || candidate_vers == TLS1_3_VERSION_DRAFT_27 - || candidate_vers == TLS1_3_VERSION_DRAFT_26) { ++ || candidate_vers == TLS1_3_VERSION_DRAFT_26 + || candidate_vers == TLS1_3_VERSION_DRAFT_23) { if (best_vers == TLS1_3_VERSION && orig_candidate > candidate_vers) diff --git a/openssl-equal-pre8_ciphers.patch b/openssl-equal-pre8_ciphers.patch index 6b36407..6f26cc5 100644 --- a/openssl-equal-pre8_ciphers.patch +++ b/openssl-equal-pre8_ciphers.patch @@ -1121,15 +1121,16 @@ index cc4563b357..4fb02935e9 100644 /* * The only protocol version we support which is valid in this extension in diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index 91d304e2b4..1f2eecad0b 100644 +index 91d304e2b4..38a1684793 100644 --- a/ssl/statem/statem_lib.c 
+++ b/ssl/statem/statem_lib.c -@@ -1708,8 +1708,7 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) +@@ -1708,8 +1708,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) while (PACKET_get_net_2(&versionslist, &candidate_vers)) { /* TODO(TLS1.3): Remove this before release */ if (candidate_vers == TLS1_3_VERSION_DRAFT - || candidate_vers == TLS1_3_VERSION_DRAFT_27 - || candidate_vers == TLS1_3_VERSION_DRAFT_26) { ++ || candidate_vers == TLS1_3_VERSION_DRAFT_26 + || candidate_vers == TLS1_3_VERSION_DRAFT_23) { if (best_vers == TLS1_3_VERSION && orig_candidate > candidate_vers)