Merge remote-tracking branch 'upstream/master'

pmkol · Sep 14, 2024 · f58351d · f58351d
2 parents cabedc9 + bb00044
commit f58351d
Show file tree

Hide file tree

Showing 14 changed files with 67 additions and 68 deletions.
diff --git a/openwrt/patch/openssl/quic/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch b/openwrt/patch/openssl/quic/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch
@@ -42,7 +42,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  ssl/statem/statem_quic.c | 106 ++++++++++++
  ssl/tls13_enc.c | 59 +++++++
  test/helpers/ssltestlib.c | 5 +
- test/sslapitest.c | 132 ++++++++++++++
+ test/sslapitest.c | 131 ++++++++++++++
  test/tls13secretstest.c | 7 +
  util/libssl.num | 11 ++
  util/other.syms | 2 +
@@ -53,15 +53,15 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
 
 --- a/Configure
 +++ b/Configure
-@@ -468,6 +468,7 @@ my @disablables = (
+@@ -467,6 +467,7 @@ my @disablables = (
  "poly1305",
  "posix-io",
  "psk",
 + "quic",
  "rc2",
  "rc4",
  "rc5",
-@@ -636,6 +637,7 @@ my @disable_cascades = (
+@@ -635,6 +636,7 @@ my @disable_cascades = (
  "legacy" => [ "md2" ],
 
  "cmp" => [ "crmf" ],
@@ -645,7 +645,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  if (s->handshake_func == NULL) {
  ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
  return -1;
-@@ -3858,6 +3892,11 @@ int SSL_get_error(const SSL *s, int i)
+@@ -3875,6 +3909,11 @@ int SSL_get_error(const SSL *s, int i)
  }
 
  if (SSL_want_read(s)) {
@@ -657,7 +657,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  bio = SSL_get_rbio(s);
  if (BIO_should_read(bio))
  return SSL_ERROR_WANT_READ;
-@@ -4225,7 +4264,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const
+@@ -4242,7 +4281,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const
 
  const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
  {
@@ -1023,7 +1023,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  {
  /* Must be immediately before pre_shared_key */
  TLSEXT_TYPE_padding,
-@@ -1728,3 +1745,15 @@ static int final_psk(SSL *s, unsigned in
+@@ -1722,3 +1739,15 @@ static int final_psk(SSL *s, unsigned in
 
  return 1;
  }
@@ -1071,7 +1071,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  /*
  * Parse the server's renegotiation binding and abort if it's not right
  */
-@@ -1981,3 +2003,29 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
+@@ -2006,3 +2028,29 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
 
  return 1;
  }
@@ -1103,7 +1103,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
 +#endif
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
-@@ -1232,6 +1232,33 @@ int tls_parse_ctos_post_handshake_auth(S
+@@ -1237,6 +1237,33 @@ int tls_parse_ctos_post_handshake_auth(S
  return 1;
  }
 
@@ -1137,7 +1137,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  /*
  * Add the server's renegotiation binding
  */
-@@ -1914,3 +1941,27 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s
+@@ -1920,3 +1947,27 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s
 
  return EXT_RETURN_SENT;
  }
@@ -1243,7 +1243,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  if (ret <= 0)
  return -1;
  if (type == SSL3_RT_HANDSHAKE)
-@@ -1169,6 +1183,7 @@ int tls_get_message_header(SSL *s, int *
+@@ -1173,6 +1187,7 @@ int tls_get_message_header(SSL *s, int *
 
  do {
  while (s->init_num < SSL3_HM_HEADER_LENGTH) {
@@ -1554,10 +1554,10 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
  * This will ensure we have received the NewSessionTicket in TLSv1.3 where
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -10765,6 +10765,135 @@ static int test_multi_resume(int idx)
+@@ -10764,6 +10764,134 @@ static int test_multi_resume(int idx)
+ SSL_SESSION_free(sess);
  return testresult;
  }
-
 +#ifndef OPENSSL_NO_QUIC
 +static int test_quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
 + const uint8_t *read_secret,
@@ -1686,14 +1686,13 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37
 + return testresult;
 +}
 +#endif /* OPENSSL_NO_QUIC */
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
 
- int setup_tests(void)
-@@ -11041,6 +11170,9 @@ int setup_tests(void)
+ static struct next_proto_st {
+ int serverlen;
+@@ -11407,6 +11535,9 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_npn, 5);
  #endif
- ADD_ALL_TESTS(test_handshake_retry, 16);
- ADD_ALL_TESTS(test_multi_resume, 5);
+ ADD_ALL_TESTS(test_alpn, 4);
 +#ifndef OPENSSL_NO_QUIC
 + ADD_TEST(test_quic_api);
 +#endif

diff --git a/openwrt/patch/openssl/quic/0007-QUIC-Fix-quic_transport-constructors-parsers.patch b/openwrt/patch/openssl/quic/0007-QUIC-Fix-quic_transport-constructors-parsers.patch
@@ -23,7 +23,7 @@ Subject: [PATCH 07/43] QUIC: Fix quic_transport constructors/parsers
  SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  return EXT_RETURN_FAIL;
  }
-@@ -2008,19 +2006,11 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
+@@ -2033,19 +2031,11 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
  int tls_parse_stoc_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
  X509 *x, size_t chainidx)
  {
@@ -46,7 +46,7 @@ Subject: [PATCH 07/43] QUIC: Fix quic_transport constructors/parsers
  SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
-@@ -1237,19 +1237,11 @@ int tls_parse_ctos_post_handshake_auth(S
+@@ -1242,19 +1242,11 @@ int tls_parse_ctos_post_handshake_auth(S
  int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
  X509 *x, size_t chainidx)
  {
@@ -67,7 +67,7 @@ Subject: [PATCH 07/43] QUIC: Fix quic_transport constructors/parsers
  &s->ext.peer_quic_transport_params,
  &s->ext.peer_quic_transport_params_len)) {
  SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-@@ -1954,10 +1946,8 @@ EXT_RETURN tls_construct_stoc_quic_trans
+@@ -1960,10 +1952,8 @@ EXT_RETURN tls_construct_stoc_quic_trans
  }
 
  if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters)

diff --git a/openwrt/patch/openssl/quic/0018-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch b/openwrt/patch/openssl/quic/0018-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch
@@ -12,7 +12,7 @@ Subject: [PATCH 18/43] QUIC: Handle EndOfEarlyData and MaxEarlyData
 
 --- a/ssl/statem/extensions_clnt.c
 +++ b/ssl/statem/extensions_clnt.c
-@@ -1919,6 +1919,17 @@ int tls_parse_stoc_early_data(SSL *s, PA
+@@ -1944,6 +1944,17 @@ int tls_parse_stoc_early_data(SSL *s, PA
  return 0;
  }
 
@@ -32,7 +32,7 @@ Subject: [PATCH 18/43] QUIC: Handle EndOfEarlyData and MaxEarlyData
  return 1;
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
-@@ -1890,12 +1890,20 @@ EXT_RETURN tls_construct_stoc_early_data
+@@ -1896,12 +1896,20 @@ EXT_RETURN tls_construct_stoc_early_data
  size_t chainidx)
  {
  if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {

diff --git a/openwrt/patch/openssl/quic/0020-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch b/openwrt/patch/openssl/quic/0020-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch
@@ -179,7 +179,7 @@ Update referenced I-D versions.
 +#endif
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
-@@ -4264,7 +4264,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const
+@@ -4281,7 +4281,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const
 
  const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
  {
@@ -304,7 +304,7 @@ Update referenced I-D versions.
 -#endif
 --- a/ssl/statem/extensions_clnt.c
 +++ b/ssl/statem/extensions_clnt.c
-@@ -1922,7 +1922,7 @@ int tls_parse_stoc_early_data(SSL *s, PA
+@@ -1947,7 +1947,7 @@ int tls_parse_stoc_early_data(SSL *s, PA
  #ifndef OPENSSL_NO_QUIC
  /*
  * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION
@@ -315,7 +315,7 @@ Update referenced I-D versions.
  SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
-@@ -1896,7 +1896,7 @@ EXT_RETURN tls_construct_stoc_early_data
+@@ -1902,7 +1902,7 @@ EXT_RETURN tls_construct_stoc_early_data
  return EXT_RETURN_NOT_SENT;
 
  #ifndef OPENSSL_NO_QUIC
@@ -378,7 +378,7 @@ Update referenced I-D versions.
  }
  } else
  #endif
-@@ -1183,7 +1190,6 @@ int tls_get_message_header(SSL *s, int *
+@@ -1187,7 +1194,6 @@ int tls_get_message_header(SSL *s, int *
 
  do {
  while (s->init_num < SSL3_HM_HEADER_LENGTH) {
@@ -598,9 +598,9 @@ Update referenced I-D versions.
  unsigned char *iv;
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -10766,9 +10766,11 @@ static int test_multi_resume(int idx)
+@@ -10765,9 +10765,11 @@ static int test_multi_resume(int idx)
+ return testresult;
  }
-
  #ifndef OPENSSL_NO_QUIC
 -static int test_quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level,
 +static int test_quic_set_encryption_secrets(SSL *ssl,
@@ -612,7 +612,7 @@ Update referenced I-D versions.
  {
  test_printf_stderr("quic_set_encryption_secrets() %s, lvl=%d, len=%zd\n",
  ssl->server ? "server" : "client", level, secret_len);
-@@ -10780,11 +10782,12 @@ static int test_quic_add_handshake_data(
+@@ -10779,11 +10781,12 @@ static int test_quic_add_handshake_data(
  {
  SSL *peer = (SSL*)SSL_get_app_data(ssl);
 

diff --git a/openwrt/patch/openssl/quic/0021-QUIC-Prevent-KeyUpdate-for-QUIC.patch b/openwrt/patch/openssl/quic/0021-QUIC-Prevent-KeyUpdate-for-QUIC.patch
@@ -40,7 +40,7 @@ input to the TLS layer for a QUIC connection).
  if (qd == NULL) {
 --- a/ssl/statem/statem_lib.c
 +++ b/ssl/statem/statem_lib.c
-@@ -662,6 +662,13 @@ int tls_construct_finished(SSL *s, WPACK
+@@ -666,6 +666,13 @@ int tls_construct_finished(SSL *s, WPACK
 
  int tls_construct_key_update(SSL *s, WPACKET *pkt)
  {
@@ -54,7 +54,7 @@ input to the TLS layer for a QUIC connection).
  if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
  SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  return 0;
-@@ -684,6 +691,13 @@ MSG_PROCESS_RETURN tls_process_key_updat
+@@ -688,6 +695,13 @@ MSG_PROCESS_RETURN tls_process_key_updat
  return MSG_PROCESS_ERROR;
  }
 

diff --git a/openwrt/patch/openssl/quic/0022-QUIC-Test-KeyUpdate-rejection.patch b/openwrt/patch/openssl/quic/0022-QUIC-Test-KeyUpdate-rejection.patch
@@ -12,7 +12,7 @@ integrated into the TLSProxy setup.
 
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -10890,6 +10890,17 @@ static int test_quic_api(void)
+@@ -10889,6 +10889,17 @@ static int test_quic_api(void)
  || !TEST_true(SSL_process_quic_post_handshake(clientssl)))
  goto end;
 

diff --git a/openwrt/patch/openssl/quic/0025-QUIC-add-v1-quic_transport_parameters.patch b/openwrt/patch/openssl/quic/0025-QUIC-add-v1-quic_transport_parameters.patch
@@ -255,7 +255,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
  TLSEXT_TYPE_quic_transport_parameters,
  SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
-@@ -1752,8 +1762,37 @@ static int init_quic_transport_params(SS
+@@ -1746,8 +1756,37 @@ static int init_quic_transport_params(SS
  return 1;
  }
 
@@ -332,7 +332,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
  return EXT_RETURN_NOT_SENT;
  }
 
-@@ -2013,7 +2033,23 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
+@@ -2038,7 +2058,23 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p
  return 1;
  }
  #ifndef OPENSSL_NO_QUIC
@@ -359,7 +359,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
  {
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
-@@ -1233,7 +1233,22 @@ int tls_parse_ctos_post_handshake_auth(S
+@@ -1238,7 +1238,22 @@ int tls_parse_ctos_post_handshake_auth(S
  }
 
  #ifndef OPENSSL_NO_QUIC
@@ -383,7 +383,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
  int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context,
  X509 *x, size_t chainidx)
  {
-@@ -1943,13 +1958,36 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s
+@@ -1949,13 +1964,36 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s
  }
 
  #ifndef OPENSSL_NO_QUIC
@@ -472,7 +472,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
  #endif
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -10816,7 +10816,13 @@ static SSL_QUIC_METHOD quic_method = {
+@@ -10815,7 +10815,13 @@ static SSL_QUIC_METHOD quic_method = {
  test_quic_send_alert,
  };
 
@@ -487,7 +487,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
  {
  SSL_CTX *cctx = NULL, *sctx = NULL;
  SSL *clientssl = NULL, *serverssl = NULL;
-@@ -10827,29 +10833,7 @@ static int test_quic_api(void)
+@@ -10826,29 +10832,7 @@ static int test_quic_api(void)
  const uint8_t *peer_str;
  size_t peer_str_len;
 
@@ -518,7 +518,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
 
  if (!TEST_true(create_ssl_ctx_pair(libctx,
  TLS_server_method(),
-@@ -10868,6 +10852,8 @@ static int test_quic_api(void)
+@@ -10867,6 +10851,8 @@ static int test_quic_api(void)
  sizeof(client_str)))
  || !TEST_true(SSL_set_app_data(serverssl, clientssl))
  || !TEST_true(SSL_set_app_data(clientssl, serverssl))
@@ -527,7 +527,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
  || !TEST_true(create_ssl_connection(serverssl, clientssl,
  SSL_ERROR_NONE))
  || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION)
-@@ -10901,11 +10887,85 @@ static int test_quic_api(void)
+@@ -10900,11 +10886,85 @@ static int test_quic_api(void)
  || !TEST_int_le(SSL_do_handshake(serverssl), 0))
  goto end;
 
@@ -612,10 +612,10 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters
 +}
  #endif /* OPENSSL_NO_QUIC */
 
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
-@@ -11185,7 +11245,7 @@ int setup_tests(void)
-  ADD_ALL_TESTS(test_handshake_retry, 16);
- ADD_ALL_TESTS(test_multi_resume, 5);
+ static struct next_proto_st {
+@@ -11550,7 +11610,7 @@ int setup_tests(void)
+ #endif
+ ADD_ALL_TESTS(test_alpn, 4);
  #ifndef OPENSSL_NO_QUIC
 - ADD_TEST(test_quic_api);
 + ADD_ALL_TESTS(test_quic_api, 9);

diff --git a/openwrt/patch/openssl/quic/0031-QUIC-Add-early-data-support.patch b/openwrt/patch/openssl/quic/0031-QUIC-Add-early-data-support.patch
@@ -64,7 +64,7 @@ support to QUIC.
  # ifdef __cplusplus
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
-@@ -3998,6 +3998,21 @@ int SSL_do_handshake(SSL *s)
+@@ -4015,6 +4015,21 @@ int SSL_do_handshake(SSL *s)
  ret = s->handshake_func(s);
  }
  }
@@ -306,7 +306,7 @@ support to QUIC.
  ret = 1;
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -10966,6 +10966,159 @@ end:
+@@ -10965,6 +10965,159 @@ end:
  serverssl = NULL;
  return testresult;
  }
@@ -465,9 +465,9 @@ support to QUIC.
 +# endif /* OSSL_NO_USABLE_TLS1_3 */
  #endif /* OPENSSL_NO_QUIC */
 
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
-@@ -11246,6 +11399,9 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_multi_resume, 5);
+ static struct next_proto_st {
+@@ -11611,6 +11764,9 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_alpn, 4);
  #ifndef OPENSSL_NO_QUIC
  ADD_ALL_TESTS(test_quic_api, 9);
 +# ifndef OSSL_NO_USABLE_TLS1_3

diff --git a/openwrt/patch/openssl/quic/0033-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch b/openwrt/patch/openssl/quic/0033-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch
@@ -46,7 +46,7 @@ Subject: [PATCH 33/43] QUIC: Process multiple post-handshake messages in a
 
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -10872,8 +10872,7 @@ static int test_quic_api_version(int cln
+@@ -10871,8 +10871,7 @@ static int test_quic_api_version(int cln
  goto end;
 
  /* Deal with two NewSessionTickets */
@@ -56,7 +56,7 @@ Subject: [PATCH 33/43] QUIC: Process multiple post-handshake messages in a
  goto end;
 
  /* Dummy handshake call should succeed */
-@@ -11060,8 +11059,7 @@ static int quic_setupearly_data_test(SSL
+@@ -11059,8 +11058,7 @@ static int quic_setupearly_data_test(SSL
  return 0;
 
  /* Deal with two NewSessionTickets */