hakasenyang / openssl-patch Goto Github PK

latest_nginx=$(curl -L http://nginx.org/en/download.html | egrep -o "nginx\-[0-9.]+\.tar[.a-z]*" | head -n 1)
git clone https://github.com/openssl/openssl.git --branch OpenSSL_1_1_1-stable
git clone https://github.com/hakasenyang/openssl-patch.git
cd openssl
patch -p1 < ../openssl-patch/openssl-1.1.1d-chacha_draft.patch

Hunk #1 succeeded at 919 (offset 4 lines).
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
Hunk #4 succeeded at 1795 (offset 1 line).
Hunk #5 succeeded at 2122 (offset 1 line).
can't find file to patch at input line 486
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|index fa0f6d018c..f2a95c263a 100644
|--- a/ssl/ssl_locl.h
|+++ b/ssl/ssl_locl.h
-------------------------

$ /usr/src/openssl-1.1.1d # patch -p1 < openssl-equal-1.1.1d_ciphers.patch

patching file doc/man1/ciphers.pod
patching file include/openssl/ssl.h
patching file include/openssl/sslerr.h
Hunk #1 succeeded at 600 (offset 4 lines).
Hunk #2 succeeded at 733 (offset 4 lines).
patching file ssl/s3_lib.c
Hunk #9 succeeded at 4130 (offset 1 line).
Hunk #10 succeeded at 4150 (offset 1 line).
Hunk #11 succeeded at 4194 (offset 1 line).
Hunk #12 succeeded at 4231 (offset 1 line).
Hunk #13 succeeded at 4262 (offset 1 line).
Hunk #14 succeeded at 4282 (offset 1 line).
Hunk #15 succeeded at 4297 (offset 1 line).
Hunk #16 succeeded at 4309 (offset 1 line).
patching file ssl/ssl_ciph.c
Hunk #14 FAILED at 1437.
Hunk #15 FAILED at 1450.
Hunk #16 succeeded at 1460 (offset 1 line).
Hunk #17 succeeded at 1522 (offset 1 line).
Hunk #18 succeeded at 1540 (offset 1 line).
Hunk #19 succeeded at 1554 (offset 1 line).
Hunk #20 succeeded at 1579 (offset 1 line).
Hunk #21 succeeded at 1595 (offset 1 line).
Hunk #22 succeeded at 1617 (offset 1 line).
Hunk #23 succeeded at 1643 (offset 1 line).
Hunk #24 succeeded at 1680 (offset 1 line).
2 out of 24 hunks FAILED -- saving rejects to file ssl/ssl_ciph.c.rej
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
Hunk #1 succeeded at 1122 (offset 5 lines).
Hunk #2 succeeded at 1227 (offset 5 lines).
Hunk #3 succeeded at 2502 (offset 6 lines).
Hunk #4 succeeded at 2578 (offset 6 lines).
Hunk #5 succeeded at 3029 (offset 6 lines).
Hunk #6 succeeded at 3205 (offset 6 lines).
Hunk #7 succeeded at 3883 (offset 6 lines).
patching file ssl/ssl_locl.h
patching file ssl/statem/statem_srvr.c
Hunk #4 succeeded at 2252 (offset -2 lines).

gcc  -I. -Iinclude  -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -march=native -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/etc/pki/tls\"" -DENGINESDIR="\"/data/src/openssl/.openssl/lib/engines-1.1\"" -DZLIB -DNDEBUG  -MMD -MF ssl/libssl-shlib-ssl_asn1.d.tmp -MT ssl/libssl-shlib-ssl_asn1.o -c -o ssl/libssl-shlib-ssl_asn1.o ssl/ssl_asn1.c
Disordered ordinals, 4534 < 4553 at ./util/mkdef.pl line 153.
make[1]: *** [Makefile:6100: libcrypto.ld] Error 25
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/data/src/openssl'
make: *** [Makefile:171: all] Error 2

==> Downloading https://github.com/hakasenyang/openssl-patch/raw/master/openssl-1.1.1e-dev-chacha_draft.patch
==> Downloading from https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-1.1.1e-dev-chacha_draft.
######################################################################## 100.0%
Warning: Cannot verify integrity of 14e39691ac62d013e7709a381d08f64e7b13645a82e8599464de9c7c6997c6e3--openssl-1.1.1e-dev-chacha_draft.patch
A checksum was not provided for this resource.
For your reference the SHA-256 is: 4f2f2a9abcee9476f6aae7e5160b82efbf7720f0a2b0cdb45d1b9ea7c059289c
==> Patching
==> Applying openssl-1.1.1c-prioritize_chacha_draft.patch
patching file ssl/s3_lib.c
==> Applying openssl-1.1.1e-dev-chacha_draft.patch
patching file crypto/evp/c_allc.c
patching file crypto/evp/e_chacha20_poly1305.c
Hunk #7 succeeded at 580 (offset 4 lines).
Hunk #8 succeeded at 672 (offset 5 lines).
patching file crypto/objects/obj_dat.h
patching file crypto/objects/obj_mac.num
patching file crypto/objects/objects.txt
patching file include/openssl/evp.h
Hunk #1 succeeded at 919 (offset 4 lines).
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
Hunk #4 succeeded at 1795 (offset 1 line).
Hunk #5 succeeded at 2122 (offset 1 line).
patching file ssl/ssl_local.h
patching file util/libcrypto.num
Hunk #1 FAILED at 4582.
1 out of 1 hunk FAILED -- saving rejects to file util/libcrypto.num.rej
Error: Failure while executing; `patch -g 0 -f -p1 -i /private/tmp/[email protected]/openssl-1.1.1e-dev-chacha_draft.patch` exited with 1.

$ curl -L https://github.com/hakasenyang/openssl-patch/raw/master/openssl-1.1.1c-chacha_draft.patch | patch -p1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   166  100   166    0     0     26      0  0:00:06  0:00:06 --:--:--    40
100 21643  100 21643    0     0   2868      0  0:00:07  0:00:07 --:--:--  101k
patching file crypto/evp/c_allc.c
patching file crypto/evp/e_chacha20_poly1305.c
patching file crypto/objects/obj_dat.h
patching file crypto/objects/obj_mac.num
patching file crypto/objects/objects.txt
patching file include/openssl/evp.h
patching file include/openssl/obj_mac.h
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/s3_lib.c
Hunk #1 succeeded at 2088 (offset 6 lines).
patching file ssl/ssl_ciph.c
Hunk #3 succeeded at 278 (offset 1 line).
Hunk #4 succeeded at 1873 (offset 79 lines).
Hunk #5 succeeded at 2200 (offset 79 lines).
patching file ssl/ssl_locl.h
patching file util/libcrypto.num
Hunk #1 FAILED at 4579.
1 out of 1 hunk FAILED -- saving rejects to file util/libcrypto.num.rej

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7713f76..e8ad162 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4159,7 +4159,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
         /* If ChaCha20 is at the top of the client preference list,
            and there are ChaCha20 ciphers in the server list, then
            temporarily prioritize all ChaCha20 ciphers in the servers list. */
-        if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
+        if (sk_SSL_CIPHER_num(clnt) > 0) {
             c = sk_SSL_CIPHER_value(clnt, 0);
             if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
                 /* ChaCha20 is client preferred, check server... */

$ patch -p1 < openssl-1.1.1a-tls13_draft.patch < openssl-equal-1.1.1a_ciphers.patch
patching file include/openssl/ssl.h
patching file include/openssl/tls1.h
patching file ssl/record/ssl3_record_tls13.c
patching file ssl/ssl_locl.h
patching file ssl/statem/extensions_clnt.c
patching file ssl/statem/extensions_srvr.c
patching file ssl/statem/statem_lib.c
Hunk #1 succeeded at 1788 (offset 2 lines).
Hunk #2 succeeded at 1811 (offset 2 lines).
Hunk #3 succeeded at 1850 (offset 2 lines).
patching file ssl/t1_trce.c
patching file doc/man1/ciphers.pod
patching file include/openssl/sslerr.h
patching file include/openssl/tls1.h
Reversed (or previously applied) patch detected!  Assume -R? [n] ^C

$ openssl s_client -connect 115.159.188.148:443
CONNECTED(00000003)
140135929659840:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1399:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1543853957
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

$ openssl s_client -connect 115.159.188.148:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=1 C = US, ST = CO, L = Denver, O = TrustOcean Ltd., OU = ECC Domain Validation Secure Server - 2018, CN = TrustOcean SSL CA - ECC - 2018
verify return:1
depth=0 CN = giuem.com
verify return:1
---
Certificate chain
 0 s:/CN=giuem.com
   i:/C=US/ST=CO/L=Denver/O=TrustOcean Ltd./OU=ECC Domain Validation Secure Server - 2018/CN=TrustOcean SSL CA - ECC - 2018
 1 s:/C=US/ST=CO/L=Denver/O=TrustOcean Ltd./OU=ECC Domain Validation Secure Server - 2018/CN=TrustOcean SSL CA - ECC - 2018
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdDCCBBqgAwIBAgIRALGKW4Iu4GYlcFoTblsWpMAwCgYIKoZIzj0EAwIwgaMx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRgwFgYD
VQQKEw9UcnVzdE9jZWFuIEx0ZC4xMzAxBgNVBAsTKkVDQyBEb21haW4gVmFsaWRh
dGlvbiBTZWN1cmUgU2VydmVyIC0gMjAxODEnMCUGA1UEAxMeVHJ1c3RPY2VhbiBT
U0wgQ0EgLSBFQ0MgLSAyMDE4MB4XDTE4MTIwMzAwMDAwMFoXDTE5MDMwMzIzNTk1
OVowFDESMBAGA1UEAxMJZ2l1ZW0uY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEl0UHaGSKQ1Nx+fouu1y9oETNDOI1Mqf3a78ntg7aTYKTBGmcf6zBWUE5/Bpf
cYp3EKkh66+psdRWLIgtH6y+yqOCArswggK3MB8GA1UdIwQYMBaAFDiF49YKamxI
k2wf+YG2R9vIJJ9lMB0GA1UdDgQWBBSiKA7abgcMCQPOw2vnTI6ktvFsHzAOBgNV
HQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwSwYDVR0gBEQwQjA2BgsrBgEEAbIxAQICPzAnMCUGCCsGAQUFBwIB
FhlodHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATBGBgNVHR8EPzA9
MDugOaA3hjVodHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVHJ1c3RPY2VhblNTTENB
LUVDQy0yMDE4LmNybDB4BggrBgEFBQcBAQRsMGowQQYIKwYBBQUHMAKGNWh0dHA6
Ly9jcnQudXNlcnRydXN0LmNvbS9UcnVzdE9jZWFuU1NMQ0EtRUNDLTIwMTguY3J0
MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMCAGA1UdEQQZ
MBeCCWdpdWVtLmNvbYcEc5+8lIcEdxwCIzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA
8QB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABZ3SNoukAAAQD
AEcwRQIgCrCtafblX97qkZR0fzkkeb+ZmJ0Sy9oDSdOqVrfC5/YCIQCZPlQNxWhi
vAvYcLrWinilsV+rOCPplR6hKzlfE4axKwB3AHR+2oMxrTMQkSGcziVPQnDCv/1e
QiAIxjc1eeYQe8xWAAABZ3SNoycAAAQDAEgwRgIhAOinNvBggMhnUuUdjHVSGx4L
6xS0pt+Cjff+SCSY0u4fAiEAs+r4Rnq1ZY2ZK3ArJZZO7UdNJ0r5HhcW/NSK2rLP
K+owCgYIKoZIzj0EAwIDSAAwRQIhAPnZzWcrZAb44txbtRkeDnlMmTHGtTlgdaSL
ekHicTjaAiA+G1fgffGrx7mhletd/6ifzG64RIECSsUrSEYVMFD96g==
-----END CERTIFICATE-----
subject=/CN=giuem.com
issuer=/C=US/ST=CO/L=Denver/O=TrustOcean Ltd./OU=ECC Domain Validation Secure Server - 2018/CN=TrustOcean SSL CA - ECC - 2018
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3384 bytes and written 261 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: E8F080DC8E9B1DBE0744EE6AD114355AF878FA24DE51E2B6BC992FCB593F4738
    Session-ID-ctx: 
    Master-Key: 764A48BCF33970A8A6BF53FCA978A7B2615846E40DE16FD5C914A7D9B98CC563963EA1A855CA9EFAC9DF3444C2A14469
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1543854011
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

patch -p1 < ../openssl-patch/openssl-equal-3.0.0-dev_ciphers.patch
patching file crypto/err/openssl.txt
Hunk #1 succeeded at 2922 (offset 30 lines).
Hunk #2 succeeded at 3030 (offset 30 lines).
patching file doc/man1/ciphers.pod
patching file include/openssl/sslerr.h
patching file ssl/s3_lib.c
Hunk #6 succeeded at 4115 (offset -9 lines).
Hunk #7 succeeded at 4135 (offset -9 lines).
Hunk #8 succeeded at 4179 (offset -9 lines).
Hunk #9 succeeded at 4216 (offset -9 lines).
Hunk #10 succeeded at 4247 (offset -9 lines).
Hunk #11 succeeded at 4266 (offset -9 lines).
Hunk #12 FAILED at 4290.
Hunk #13 succeeded at 4300 (offset -9 lines).
1 out of 13 hunks FAILED -- saving rejects to file ssl/s3_lib.c.rej
patching file ssl/ssl_ciph.c
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
Hunk #3 succeeded at 2558 (offset -7 lines).
Hunk #4 succeeded at 2634 (offset -7 lines).
Hunk #5 succeeded at 3077 (offset -9 lines).
Hunk #6 succeeded at 3253 (offset -9 lines).
Hunk #7 succeeded at 3929 (offset -9 lines).
patching file ssl/ssl_locl.h
Hunk #2 succeeded at 1356 (offset 174 lines).
patching file ssl/statem/statem_srvr.c

ccache gcc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting  -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf -Wno-deprecated-declarations -DNDK_SET_VAR -DNDK_UPSTREAM_LIST -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/include -I ../ngx_devel_kit-0.3.0/objs -I objs/addon/ndk -I ../ngx_devel_kit-0.3.0/src -I ../ngx_devel_kit-0.3.0/objs -I objs/addon/ndk -I ../pcre-8.42 -I ../openssl-tls1.3/.openssl/include -I ../zlib-cloudflare-1.3.0 -I objs -I src/http -I src/http/modules -I src/http/v2 -I ../ngx_devel_kit-0.3.0/src \
        -o objs/src/http/modules/ngx_http_index_module.o \
        src/http/modules/ngx_http_index_module.c
src/http/v2/ngx_http_v2.c: In function ‘ngx_http_v2_state_settings_params’:
src/http/v2/ngx_http_v2.c:2083:9: error: duplicate case value
         case NGX_HTTP_V2_HEADER_TABLE_SIZE_SETTING:
         ^~~~
src/http/v2/ngx_http_v2.c:2078:9: note: previously used here
         case NGX_HTTP_V2_HEADER_TABLE_SIZE_SETTING:
         ^~~~
make[1]: *** [objs/src/http/v2/ngx_http_v2.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/svr-setup/nginx-master'
make: *** [build] Error 2

patching file crypto/err/openssl.txt
�[91mPossibly reversed hunk 1 at 3476
Hunk 1 FAILED 3009/3009.
SM2_R_INVALID_FIELD:105:invalid field
SM2_R_NO_PARAMETERS_SET:109:no parameters set
SM2_R_USER_ID_TOO_LARGE:106:user id too large
+SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed
SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
application data after close notify
SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
�[0m
�[91mPossibly reversed hunk 1 at 814
Hunk 1 FAILED 405/405.
=back
+=head1 EQUAL PREFERENCE GROUPS
+
+If configuring a server, one may also configure equal-preference groups to
+partially respect the client's preferences when
+B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
+group have equal priority and use the client order. This may be used to
+enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
+based on client preferences. An equal-preference is specified with square
+brackets, combining multiple selectors separated by |. For example:
+
+ [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
+
+ Once an equal-preference group is used, future directives must be
+ opcode-less.
+
=head1 CIPHER SUITE NAMES
The following lists give the SSL or TLS cipher suites names from the
�[0m
�[91mHunk 1 FAILED 10/10.
#ifndef OPENSSL_SSLERR_H
# define OPENSSL_SSLERR_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-# define HEADER_SSLERR_H
-# endif
# include <openssl/opensslconf.h>
# include <openssl/symhacks.h>
�[0m
�[91mHunk 6 FAILED 266/272.
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
�[0m
�[91mPossibly reversed hunk 1 at 2276
Hunk 1 FAILED 193/193.
const SSL_CIPHER *cipher;
int active;
int dead;
+ int in_group;
struct cipher_order_st *next, *prev;
} CIPHER_ORDER;
�[0m
�[91mPossibly reversed hunk 1 at 571
Hunk 1 FAILED 14/14.
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA SSL_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED),
+ "algorithm fetch failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
"application data after close notify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
�[0m
�[91mPossibly reversed hunk 1 at 5904
Hunk 1 FAILED 1127/1127.
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
+void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
+ *cipher_list)
+{
+ sk_SSL_CIPHER_free(cipher_list->ciphers);
+ OPENSSL_free(cipher_list->in_group_flags);
+ OPENSSL_free(cipher_list);
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
+ *cipher_list)
+{
+ struct ssl_cipher_preference_list_st* ret = NULL;
+ size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
+
+ ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+ if (!ret)
+ goto err;
+ ret->ciphers = NULL;
+ ret->in_group_flags = NULL;
+ ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
+ if (!ret->ciphers)
+ goto err;
+ ret->in_group_flags = OPENSSL_malloc(n);
+ if (!ret->in_group_flags)
+ goto err;
+ memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
+ return ret;
+
+err:
+ if (ret->ciphers)
+ sk_SSL_CIPHER_free(ret->ciphers);
+ if (ret)
+ OPENSSL_free(ret);
+ return NULL;
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
+{
+ struct ssl_cipher_preference_list_st* ret = NULL;
+ size_t n = sk_SSL_CIPHER_num(ciphers);
+
+ ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+ if (!ret)
+ goto err;
+ ret->ciphers = NULL;
+ ret->in_group_flags = NULL;
+ ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
+ if (!ret->ciphers)
+ goto err;
+ ret->in_group_flags = OPENSSL_malloc(n);
+ if (!ret->in_group_flags)
+ goto err;
+ memset(ret->in_group_flags, 0, n);
+ return ret;
+
+err:
+ if (ret->ciphers)
+ sk_SSL_CIPHER_free(ret->ciphers);
+ if (ret)
+ OPENSSL_free(ret);
+ return NULL;
+}
+
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
return ctx->param;
�[0m
�[91mPossibly reversed hunk 1 at 2775
Hunk 1 FAILED 763/763.
size_t max_size);
size_t ssl_hmac_size(const SSL_HMAC *ctx);
+/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
+ * equal-preference groups. For TLS clients, the groups are moot because the
+ * server picks the cipher and groups cannot be expressed on the wire. However,
+ * for servers, the equal-preference groups allow the client's preferences to
+ * be partially respected. (This only has an effect with
+ * SSL_OP_CIPHER_SERVER_PREFERENCE).
+ *
+ * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
+ * All elements of a group have the same priority: no ordering is expressed
+ * within a group.
+ *
+ * The values in |ciphers| are in one-to-one correspondence with
+ * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
+ * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
+ * indicate that the corresponding SSL_CIPHER is not the last element of a
+ * group, or 0 to indicate that it is.
+ *
+ * For example, if |in_group_flags| contains all zeros then that indicates a
+ * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
+ * of the group (i.e. they are all in a one-element group).
+ *
+ * For a more complex example, consider:
+ * ciphers: A B C D E F
+ * in_group_flags: 1 1 0 0 1 0
+ *
+ * That would express the following, order:
+ *
+ * A E
+ * B -> D -> F
+ * C
+ */
+struct ssl_cipher_preference_list_st {
+ STACK_OF(SSL_CIPHER) *ciphers;
+ uint8_t *in_group_flags;
+};
+
+
struct ssl_ctx_st {
OPENSSL_CTX *libctx;
const SSL_METHOD *method;
- STACK_OF(SSL_CIPHER) *cipher_list;
+ struct ssl_cipher_preference_list_st *cipher_list;
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
�[0m
�[91mHunk 1 FAILED 1774/1774.
/* For TLSv1.3 we must select the ciphersuite *before* session resumption */
if (SSL_IS_TLS13(s)) {
const SSL_CIPHER *cipher =
- ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
�[0m
�[91mHunk 1 FAILED 3340/3340.
PEM_read_PKCS8_PRIV_KEY_INFO 3410 3_0_0 EXIST::FUNCTION:STDIO
TS_VERIFY_CTX_new 3411 3_0_0 EXIST::FUNCTION:TS
BUF_MEM_new_ex 3412 3_0_0 EXIST::FUNCTION:
-RSA_padding_add_X931 3413 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_X931 3413 3_0_0 EXIST::FUNCTION:RSA
BN_get0_nist_prime_256 3414 3_0_0 EXIST::FUNCTION:
CRYPTO_memcmp 3415 3_0_0 EXIST::FUNCTION:
DH_check_pub_key 3416 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
ASN1_mbstring_copy 3417 3_0_0 EXIST::FUNCTION:
PKCS7_set_type 3418 3_0_0 EXIST::FUNCTION:
BIO_gets 3419 3_0_0 EXIST::FUNCTION:
-RSA_padding_check_PKCS1_type_1 3420 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_PKCS1_type_1 3420 3_0_0 EXIST::FUNCTION:RSA
UI_ctrl 3421 3_0_0 EXIST::FUNCTION:
i2d_X509_REQ_fp 3422 3_0_0 EXIST::FUNCTION:STDIO
BN_BLINDING_convert_ex 3423 3_0_0 EXIST::FUNCTION:
�[0m
patching file doc/man1/openssl-ciphers.pod.in
patching file include/openssl/sslerr.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
patching file ssl/ssl_local.h
patching file ssl/statem/statem_srvr.c
patching file util/libcrypto.num