Verified Commit 2a23d6b6 authored by Hakase's avatar Hakase

Update latest patch (1.1.2-dev)

parent e48b924f
......@@ -220,69 +220,69 @@ index c1917bb86a..ea64c6b70e 100644
# endif
#endif
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index d9365ceccd..cba1bcd172 100644
index 7d058fce01..b8e6cc2c83 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -1079,7 +1079,7 @@ static const unsigned char so[7767] = {
0x28,0xCC,0x45,0x03,0x04, /* [ 7761] OBJ_gmac */
};
-#define NUM_NID 1196
+#define NUM_NID 1197
-#define NUM_NID 1198
+#define NUM_NID 1199
static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"UNDEF", "undefined", NID_undef},
{"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2277,9 +2277,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
{"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
@@ -2279,9 +2279,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"GMAC", "gmac", NID_gmac, 5, &so[7761]},
{"KMAC128", "kmac128", NID_kmac128},
{"KMAC256", "kmac256", NID_kmac256},
+ {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft },
};
-#define NUM_SN 1187
+#define NUM_SN 1188
-#define NUM_SN 1189
+#define NUM_SN 1190
static const unsigned int sn_objs[NUM_SN] = {
364, /* "AD_DVCS" */
419, /* "AES-128-CBC" */
@@ -2397,6 +2398,7 @@ static const unsigned int sn_objs[NUM_SN] = {
@@ -2399,6 +2400,7 @@ static const unsigned int sn_objs[NUM_SN] = {
417, /* "CSPName" */
1019, /* "ChaCha20" */
1018, /* "ChaCha20-Poly1305" */
+ 1196, /* "chacha20-poly1305-draft" */
+ 1198, /* "chacha20-poly1305-draft" */
367, /* "CrlID" */
391, /* "DC" */
31, /* "DES-CBC" */
@@ -3470,7 +3472,7 @@ static const unsigned int sn_objs[NUM_SN] = {
@@ -3474,7 +3476,7 @@ static const unsigned int sn_objs[NUM_SN] = {
1093, /* "x509ExtAdmission" */
};
-#define NUM_LN 1187
+#define NUM_LN 1188
-#define NUM_LN 1189
+#define NUM_LN 1190
static const unsigned int ln_objs[NUM_LN] = {
363, /* "AD Time Stamping" */
405, /* "ANSI X9.62" */
@@ -3849,6 +3851,7 @@ static const unsigned int ln_objs[NUM_LN] = {
@@ -3853,6 +3855,7 @@ static const unsigned int ln_objs[NUM_LN] = {
883, /* "certificateRevocationList" */
1019, /* "chacha20" */
1018, /* "chacha20-poly1305" */
+ 1196, /* "ChaCha20-Poly1305-D" */
+ 1198, /* "ChaCha20-Poly1305-D" */
54, /* "challengePassword" */
407, /* "characteristic-two-field" */
395, /* "clearance" */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 487eefff8d..2c1ed0b659 100644
index ad47750f5d..c6b6bd79cc 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1193,3 +1193,4 @@ magma_mac 1192
hmacWithSHA512_224 1193
hmacWithSHA512_256 1194
@@ -1195,3 +1195,4 @@ hmacWithSHA512_256 1194
gmac 1195
+chacha20_poly1305_draft 1196
kmac128 1196
kmac256 1197
+chacha20_poly1305_draft 1198
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 1e83dffc09..d1f21424db 100644
index 590bbe9a13..39a76eb2e1 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -1537,6 +1537,7 @@ sm-scheme 104 7 : SM4-CTR : sm4-ctr
@@ -1541,6 +1541,7 @@ sm-scheme 104 7 : SM4-CTR : sm4-ctr
: AES-192-CBC-HMAC-SHA256 : aes-192-cbc-hmac-sha256
: AES-256-CBC-HMAC-SHA256 : aes-256-cbc-hmac-sha256
: ChaCha20-Poly1305 : chacha20-poly1305
......@@ -291,10 +291,10 @@ index 1e83dffc09..d1f21424db 100644
ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index a0b7a54d3c..90b778294a 100644
index d22956d343..77006675f3 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -917,6 +917,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
@@ -918,6 +918,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
const EVP_CIPHER *EVP_chacha20(void);
# ifndef OPENSSL_NO_POLY1305
const EVP_CIPHER *EVP_chacha20_poly1305(void);
......@@ -303,22 +303,22 @@ index a0b7a54d3c..90b778294a 100644
# endif
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index 0a3e4c509a..531a26bd3c 100644
index e977a24c66..280efb665e 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -4816,6 +4816,10 @@
@@ -4824,6 +4824,10 @@
#define LN_chacha20 "chacha20"
#define NID_chacha20 1019
+#define SN_chacha20_poly1305_draft "ChaCha20-Poly1305-D"
+#define LN_chacha20_poly1305_draft "chacha20-poly1305-draft"
+#define NID_chacha20_poly1305_draft 1195
+#define NID_chacha20_poly1305_draft 1198
+
#define SN_dhpublicnumber "dhpublicnumber"
#define LN_dhpublicnumber "X9.42 DH"
#define NID_dhpublicnumber 920
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ffe158388d..54dcd2702f 100644
index cceb2d495a..fa16d42d79 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -125,6 +125,7 @@ extern "C" {
......@@ -330,10 +330,10 @@ index ffe158388d..54dcd2702f 100644
# define SSL_TXT_ARIA "ARIA"
# define SSL_TXT_ARIA_GCM "ARIAGCM"
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 2e46cf80d3..cc750bf735 100644
index e13b5dd4bc..53d43c121e 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -596,7 +596,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
@@ -597,7 +597,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
# define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0x0300C09A
# define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0x0300C09B
......@@ -347,7 +347,7 @@ index 2e46cf80d3..cc750bf735 100644
# define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCA8
# define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0x0300CCA9
# define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCAA
@@ -761,6 +766,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
@@ -762,6 +767,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
# define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
......@@ -357,7 +357,7 @@ index 2e46cf80d3..cc750bf735 100644
# define TLS1_RFC_PSK_WITH_CHACHA20_POLY1305 "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
# define TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305 "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
@@ -1089,7 +1097,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
@@ -1090,7 +1098,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
# define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 "ECDH-RSA-CAMELLIA128-SHA256"
# define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 "ECDH-RSA-CAMELLIA256-SHA384"
......@@ -372,7 +372,7 @@ index 2e46cf80d3..cc750bf735 100644
# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7713f767b2..cb37dd6e6f 100644
index 866ca4dfa9..40b0205e52 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2082,6 +2082,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
......@@ -480,7 +480,7 @@ index 14066d0ea4..0ded2bd6b6 100644
} else if (c->algorithm_mac & SSL_AEAD) {
/* We're supposed to have handled all the AEAD modes above */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c22c1f9ee8..6c4595c49b 100644
index e9c5c5cf80..ebefd70f84 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -230,12 +230,13 @@
......
......@@ -25,7 +25,7 @@ index 3aea982384..3c93eba0bf 100644
The following lists give the SSL or TLS cipher suites names from the
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ffe158388d..6f2c726dea 100644
index cceb2d495a..e3a0684c6f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -173,12 +173,12 @@ extern "C" {
......@@ -71,7 +71,7 @@ index 87b295c9f9..d118d8e864 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 2e46cf80d3..0accc837a3 100644
index e13b5dd4bc..779341c948 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -30,6 +30,16 @@ extern "C" {
......@@ -108,7 +108,7 @@ index a11ed483e6..4fd583dd03 100644
(unsigned int)rec->length) <= 0
|| EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7713f767b2..5a3f9e2c27 100644
index 866ca4dfa9..7b98b670d2 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -167,7 +167,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
......@@ -138,7 +138,7 @@ index 7713f767b2..5a3f9e2c27 100644
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -4104,6 +4104,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -4124,6 +4124,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
return 1;
}
......@@ -156,7 +156,7 @@ index 7713f767b2..5a3f9e2c27 100644
/*
* ssl3_choose_cipher - choose a cipher from those offered by the client
* @s: SSL connection
@@ -4113,16 +4124,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -4133,16 +4144,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
* Returns the selected cipher or NULL when no common ciphers.
*/
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
......@@ -187,7 +187,7 @@ index 7713f767b2..5a3f9e2c27 100644
/* Let's see which ciphers we can support */
@@ -4149,54 +4168,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4169,54 +4188,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#endif
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
......@@ -245,7 +245,7 @@ index 7713f767b2..5a3f9e2c27 100644
allow = srvr;
}
@@ -4227,14 +4205,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4247,14 +4225,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
c = sk_SSL_CIPHER_value(prio, i);
......@@ -264,7 +264,7 @@ index 7713f767b2..5a3f9e2c27 100644
/*
* Since TLS 1.3 ciphersuites can be used with any auth or
@@ -4256,10 +4236,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4276,10 +4256,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
......@@ -277,7 +277,7 @@ index 7713f767b2..5a3f9e2c27 100644
#ifdef CIPHER_DEBUG
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4276,6 +4256,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4296,6 +4276,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ok)
continue;
......@@ -292,7 +292,7 @@ index 7713f767b2..5a3f9e2c27 100644
}
ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) {
@@ -4283,14 +4271,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4303,14 +4291,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c))
continue;
......@@ -308,7 +308,7 @@ index 7713f767b2..5a3f9e2c27 100644
if (prefer_sha256) {
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
@@ -4302,13 +4283,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4322,13 +4303,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ret = tmp;
continue;
}
......@@ -824,7 +824,7 @@ index 11331ce41f..cfc770b8d6 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e7e8aa90f9..e2612c5bb0 100644
index 087f768b0b..1cc5e6c3a9 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1115,6 +1115,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
......@@ -909,7 +909,7 @@ index e7e8aa90f9..e2612c5bb0 100644
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
@@ -2424,9 +2490,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
@@ -2425,9 +2491,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
{
if (s != NULL) {
if (s->cipher_list != NULL) {
......@@ -921,7 +921,7 @@ index e7e8aa90f9..e2612c5bb0 100644
}
}
return NULL;
@@ -2500,8 +2566,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
@@ -2501,8 +2567,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
* preference */
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
{
......@@ -932,7 +932,7 @@ index e7e8aa90f9..e2612c5bb0 100644
return NULL;
}
@@ -2932,7 +2998,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
@@ -2933,7 +2999,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST, ret->cert)
......@@ -941,7 +941,7 @@ index e7e8aa90f9..e2612c5bb0 100644
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -3105,7 +3171,7 @@ void SSL_CTX_free(SSL_CTX *a)
@@ -3109,7 +3175,7 @@ void SSL_CTX_free(SSL_CTX *a)
#ifndef OPENSSL_NO_CT
CTLOG_STORE_free(a->ctlog_store);
#endif
......@@ -950,7 +950,7 @@ index e7e8aa90f9..e2612c5bb0 100644
sk_SSL_CIPHER_free(a->cipher_list_by_id);
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
ssl_cert_free(a->cert);
@@ -3754,13 +3820,15 @@ SSL *SSL_dup(SSL *s)
@@ -3787,13 +3853,15 @@ SSL *SSL_dup(SSL *s)
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL) {
......@@ -969,9 +969,9 @@ index e7e8aa90f9..e2612c5bb0 100644
+ }
/* Dup the client_CA list */
if (s->ca_names != NULL) {
if (!dup_ca_names(&ret->ca_names, s->ca_names)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c22c1f9ee8..cf1b0c6081 100644
index e9c5c5cf80..fb153bf5bf 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
......@@ -1022,7 +1022,7 @@ index c22c1f9ee8..cf1b0c6081 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1078,6 +1115,8 @@ struct ssl_st {
@@ -1080,6 +1117,8 @@ struct ssl_st {
* DTLS1_VERSION)
*/
int version;
......@@ -1031,7 +1031,7 @@ index c22c1f9ee8..cf1b0c6081 100644
/* SSLv3 */
const SSL_METHOD *method;
/*
@@ -1136,7 +1175,7 @@ struct ssl_st {
@@ -1138,7 +1177,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
......@@ -1040,7 +1040,7 @@ index c22c1f9ee8..cf1b0c6081 100644
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2257,7 +2296,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2265,7 +2304,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
......@@ -1049,7 +1049,7 @@ index c22c1f9ee8..cf1b0c6081 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2267,6 +2306,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2275,6 +2314,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
......@@ -1063,7 +1063,7 @@ index c22c1f9ee8..cf1b0c6081 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2350,7 +2396,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2358,7 +2404,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
......@@ -1144,10 +1144,10 @@ index 0f2b22392b..6c1ce9813f 100644
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 75cf321b98..fd75694ab7 100644
index 95c22062ba..645cfc2d90 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1765,6 +1765,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
@@ -1779,6 +1779,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
unsigned int best_vers = 0;
const SSL_METHOD *best_method = NULL;
PACKET versionslist;
......@@ -1156,7 +1156,7 @@ index 75cf321b98..fd75694ab7 100644
suppversions->parsed = 1;
@@ -1786,6 +1788,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
@@ -1800,6 +1802,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
return SSL_R_BAD_LEGACY_VERSION;
while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
......@@ -1180,7 +1180,7 @@ index 75cf321b98..fd75694ab7 100644
if (version_cmp(s, candidate_vers, best_vers) <= 0)
continue;
if (ssl_version_supported(s, candidate_vers, &best_method))
@@ -1808,6 +1827,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
@@ -1822,6 +1841,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
}
check_for_downgrade(s, best_vers, dgrd);
s->version = best_vers;
......@@ -1191,7 +1191,7 @@ index 75cf321b98..fd75694ab7 100644
return 0;
}
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 7d0e9d0ba8..d11dbc9ea0 100644
index e7c11c4bea..a2a6c1e44e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1744,7 +1744,7 @@ static int tls_early_post_process_client_hello(SSL *s)
......
......@@ -50,7 +50,7 @@ index 87b295c9f9..d118d8e864 100644
# define SSL_R_UNINITIALIZED 276
# define SSL_R_UNKNOWN_ALERT_TYPE 246
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 2e46cf80d3..0accc837a3 100644
index e13b5dd4bc..779341c948 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -30,6 +30,16 @@ extern "C" {
......@@ -87,7 +87,7 @@ index a11ed483e6..4fd583dd03 100644
(unsigned int)rec->length) <= 0
|| EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7713f767b2..a0af8ac001 100644
index 866ca4dfa9..1b6b99cb19 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
......@@ -166,7 +166,7 @@ index 7713f767b2..a0af8ac001 100644
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -4104,6 +4110,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -4124,6 +4130,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
return 1;
}
......@@ -184,7 +184,7 @@ index 7713f767b2..a0af8ac001 100644
/*
* ssl3_choose_cipher - choose a cipher from those offered by the client
* @s: SSL connection
@@ -4113,16 +4130,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
@@ -4133,16 +4150,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
* Returns the selected cipher or NULL when no common ciphers.
*/
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
......@@ -215,7 +215,7 @@ index 7713f767b2..a0af8ac001 100644
/* Let's see which ciphers we can support */
@@ -4149,54 +4174,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4169,54 +4194,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#endif
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
......@@ -273,7 +273,7 @@ index 7713f767b2..a0af8ac001 100644
allow = srvr;
}
@@ -4227,14 +4211,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4247,14 +4231,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
c = sk_SSL_CIPHER_value(prio, i);
......@@ -292,7 +292,7 @@ index 7713f767b2..a0af8ac001 100644
/*
* Since TLS 1.3 ciphersuites can be used with any auth or
@@ -4256,10 +4242,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4276,10 +4262,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
......@@ -305,7 +305,7 @@ index 7713f767b2..a0af8ac001 100644
#ifdef CIPHER_DEBUG
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4276,6 +4262,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4296,6 +4282,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ok)
continue;
......@@ -320,7 +320,7 @@ index 7713f767b2..a0af8ac001 100644
}
ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) {
@@ -4283,14 +4277,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4303,14 +4297,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c))
continue;
......@@ -336,7 +336,7 @@ index 7713f767b2..a0af8ac001 100644
if (prefer_sha256) {
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
@@ -4302,13 +4289,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
@@ -4322,13 +4309,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ret = tmp;
continue;
}
......@@ -859,7 +859,7 @@ index 11331ce41f..cfc770b8d6 100644
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e7e8aa90f9..e2612c5bb0 100644
index 087f768b0b..1cc5e6c3a9 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1115,6 +1115,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
......@@ -944,7 +944,7 @@ index e7e8aa90f9..e2612c5bb0 100644
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
@@ -2424,9 +2490,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
@@ -2425,9 +2491,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
{
if (s != NULL) {
if (s->cipher_list != NULL) {
......@@ -956,7 +956,7 @@ index e7e8aa90f9..e2612c5bb0 100644
}
}
return NULL;
@@ -2500,8 +2566,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
@@ -2501,8 +2567,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
* preference */
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
{
......@@ -967,7 +967,7 @@ index e7e8aa90f9..e2612c5bb0 100644
return NULL;
}
@@ -2932,7 +2998,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
@@ -2933,7 +2999,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST, ret->cert)
......@@ -976,7 +976,7 @@ index e7e8aa90f9..e2612c5bb0 100644
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -3105,7 +3171,7 @@ void SSL_CTX_free(SSL_CTX *a)
@@ -3109,7 +3175,7 @@ void SSL_CTX_free(SSL_CTX *a)
#ifndef OPENSSL_NO_CT
CTLOG_STORE_free(a->ctlog_store);
#endif
......@@ -985,7 +985,7 @@ index e7e8aa90f9..e2612c5bb0 100644
sk_SSL_CIPHER_free(a->cipher_list_by_id);
sk_SSL_CIPHER_free(a->tls13_ciphersuites);
ssl_cert_free(a->cert);
@@ -3754,13 +3820,15 @@ SSL *SSL_dup(SSL *s)
@@ -3787,13 +3853,15 @@ SSL *SSL_dup(SSL *s)
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL) {
......@@ -1004,9 +1004,9 @@ index e7e8aa90f9..e2612c5bb0 100644
+ }
/* Dup the client_CA list */
if (s->ca_names != NULL) {
if (!dup_ca_names(&ret->ca_names, s->ca_names)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c22c1f9ee8..cf1b0c6081 100644
index e9c5c5cf80..fb153bf5bf 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
......@@ -1057,7 +1057,7 @@ index c22c1f9ee8..cf1b0c6081 100644
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1078,6 +1115,8 @@ struct ssl_st {
@@ -1080,6 +1117,8 @@ struct ssl_st {
* DTLS1_VERSION)
*/
int version;
......@@ -1066,7 +1066,7 @@ index c22c1f9ee8..cf1b0c6081 100644
/* SSLv3 */
const SSL_METHOD *method;
/*
@@ -1136,7 +1175,7 @@ struct ssl_st {
@@ -1138,7 +1177,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
......@@ -1075,7 +1075,7 @@ index c22c1f9ee8..cf1b0c6081 100644
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2257,7 +2296,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
@@ -2265,7 +2304,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp);
__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
......@@ -1084,7 +1084,7 @@ index c22c1f9ee8..cf1b0c6081 100644
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
@@ -2267,6 +2306,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
@@ -2275,6 +2314,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int fatal);
void ssl_update_cache(SSL *s, int mode);
......@@ -1098,7 +1098,7 @@ index c22c1f9ee8..cf1b0c6081 100644
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
size_t *mac_secret_size, SSL_COMP **comp,
@@ -2350,7 +2396,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
@@ -2358,7 +2404,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt,
......@@ -1179,10 +1179,10 @@ index 0f2b22392b..6c1ce9813f 100644
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 75cf321b98..fd75694ab7 100644
index 95c22062ba..645cfc2d90 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1765,6 +1765,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
@@ -1779,6 +1779,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
unsigned int best_vers = 0;
const SSL_METHOD *best_method = NULL;
PACKET versionslist;
......@@ -1191,7 +1191,7 @@ index 75cf321b98..fd75694ab7 100644
suppversions->parsed = 1;
@@ -1786,6 +1788,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
@@ -1800,6 +1802,23 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
return SSL_R_BAD_LEGACY_VERSION;
while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
......@@ -1215,7 +1215,7 @@ index 75cf321b98..fd75694ab7 100644
if (version_cmp(s, candidate_vers, best_vers) <= 0)
continue;
if (ssl_version_supported(s, candidate_vers, &best_method))
@@ -1808,6 +1827,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
@@ -1822,6 +1841,9 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
}
check_for_downgrade(s, best_vers, dgrd);
s->version = best_vers;
......@@ -1226,7 +1226,7 @@ index 75cf321b98..fd75694ab7 100644
return 0;
}
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 7d0e9d0ba8..d11dbc9ea0 100644
index e7c11c4bea..a2a6c1e44e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1744,7 +1744,7 @@ static int tls_early_post_process_client_hello(SSL *s)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment