diff --git a/openwrt/patch/openssl/quic/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch b/openwrt/patch/openssl/quic/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch index 8d54fabc7..9c197f286 100644 --- a/openwrt/patch/openssl/quic/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch +++ b/openwrt/patch/openssl/quic/0001-QUIC-Add-support-for-BoringSSL-QUIC-APIs.patch @@ -42,7 +42,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 ssl/statem/statem_quic.c | 106 ++++++++++++ ssl/tls13_enc.c | 59 +++++++ test/helpers/ssltestlib.c | 5 + - test/sslapitest.c | 132 ++++++++++++++ + test/sslapitest.c | 131 ++++++++++++++ test/tls13secretstest.c | 7 + util/libssl.num | 11 ++ util/other.syms | 2 + @@ -53,7 +53,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 --- a/Configure +++ b/Configure -@@ -468,6 +468,7 @@ my @disablables = ( +@@ -467,6 +467,7 @@ my @disablables = ( "poly1305", "posix-io", "psk", @@ -61,7 +61,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 "rc2", "rc4", "rc5", -@@ -636,6 +637,7 @@ my @disable_cascades = ( +@@ -635,6 +636,7 @@ my @disable_cascades = ( "legacy" => [ "md2" ], "cmp" => [ "crmf" ], @@ -645,7 +645,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 if (s->handshake_func == NULL) { ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); return -1; -@@ -3858,6 +3892,11 @@ int SSL_get_error(const SSL *s, int i) +@@ -3875,6 +3909,11 @@ int SSL_get_error(const SSL *s, int i) } if (SSL_want_read(s)) { @@ -657,7 +657,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 bio = SSL_get_rbio(s); if (BIO_should_read(bio)) return SSL_ERROR_WANT_READ; -@@ -4225,7 +4264,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const +@@ -4242,7 +4281,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) { @@ -1023,7 +1023,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 { /* Must be immediately before pre_shared_key */ TLSEXT_TYPE_padding, -@@ -1728,3 +1745,15 @@ static int final_psk(SSL *s, unsigned in +@@ -1722,3 +1739,15 @@ static int final_psk(SSL *s, unsigned in return 1; } @@ -1071,7 +1071,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 /* * Parse the server's renegotiation binding and abort if it's not right */ -@@ -1981,3 +2003,29 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p +@@ -2006,3 +2028,29 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p return 1; } @@ -1103,7 +1103,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 +#endif --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -1232,6 +1232,33 @@ int tls_parse_ctos_post_handshake_auth(S +@@ -1237,6 +1237,33 @@ int tls_parse_ctos_post_handshake_auth(S return 1; } @@ -1137,7 +1137,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 /* * Add the server's renegotiation binding */ -@@ -1914,3 +1941,27 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s +@@ -1920,3 +1947,27 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s return EXT_RETURN_SENT; } @@ -1243,7 +1243,7 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 if (ret <= 0) return -1; if (type == SSL3_RT_HANDSHAKE) -@@ -1169,6 +1183,7 @@ int tls_get_message_header(SSL *s, int * +@@ -1173,6 +1187,7 @@ int tls_get_message_header(SSL *s, int * do { while (s->init_num < SSL3_HM_HEADER_LENGTH) { @@ -1554,10 +1554,10 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 * This will ensure we have received the NewSessionTicket in TLSv1.3 where --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10765,6 +10765,135 @@ static int test_multi_resume(int idx) +@@ -10764,6 +10764,134 @@ static int test_multi_resume(int idx) + SSL_SESSION_free(sess); return testresult; } - +#ifndef OPENSSL_NO_QUIC +static int test_quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level, + const uint8_t *read_secret, @@ -1686,14 +1686,13 @@ Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 + return testresult; +} +#endif /* OPENSSL_NO_QUIC */ -+ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") - int setup_tests(void) -@@ -11041,6 +11170,9 @@ int setup_tests(void) + static struct next_proto_st { + int serverlen; +@@ -11407,6 +11535,9 @@ int setup_tests(void) + ADD_ALL_TESTS(test_npn, 5); #endif - ADD_ALL_TESTS(test_handshake_retry, 16); - ADD_ALL_TESTS(test_multi_resume, 5); + ADD_ALL_TESTS(test_alpn, 4); +#ifndef OPENSSL_NO_QUIC + ADD_TEST(test_quic_api); +#endif diff --git a/openwrt/patch/openssl/quic/0007-QUIC-Fix-quic_transport-constructors-parsers.patch b/openwrt/patch/openssl/quic/0007-QUIC-Fix-quic_transport-constructors-parsers.patch index 667ff9c81..7cccda434 100644 --- a/openwrt/patch/openssl/quic/0007-QUIC-Fix-quic_transport-constructors-parsers.patch +++ b/openwrt/patch/openssl/quic/0007-QUIC-Fix-quic_transport-constructors-parsers.patch @@ -23,7 +23,7 @@ Subject: [PATCH 07/43] QUIC: Fix quic_transport constructors/parsers SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } -@@ -2008,19 +2006,11 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p +@@ -2033,19 +2031,11 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p int tls_parse_stoc_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -46,7 +46,7 @@ Subject: [PATCH 07/43] QUIC: Fix quic_transport constructors/parsers SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -1237,19 +1237,11 @@ int tls_parse_ctos_post_handshake_auth(S +@@ -1242,19 +1242,11 @@ int tls_parse_ctos_post_handshake_auth(S int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -67,7 +67,7 @@ Subject: [PATCH 07/43] QUIC: Fix quic_transport constructors/parsers &s->ext.peer_quic_transport_params, &s->ext.peer_quic_transport_params_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -@@ -1954,10 +1946,8 @@ EXT_RETURN tls_construct_stoc_quic_trans +@@ -1960,10 +1952,8 @@ EXT_RETURN tls_construct_stoc_quic_trans } if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_quic_transport_parameters) diff --git a/openwrt/patch/openssl/quic/0018-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch b/openwrt/patch/openssl/quic/0018-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch index 9943ad8d1..1c33b23d0 100644 --- a/openwrt/patch/openssl/quic/0018-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch +++ b/openwrt/patch/openssl/quic/0018-QUIC-Handle-EndOfEarlyData-and-MaxEarlyData.patch @@ -12,7 +12,7 @@ Subject: [PATCH 18/43] QUIC: Handle EndOfEarlyData and MaxEarlyData --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c -@@ -1919,6 +1919,17 @@ int tls_parse_stoc_early_data(SSL *s, PA +@@ -1944,6 +1944,17 @@ int tls_parse_stoc_early_data(SSL *s, PA return 0; } @@ -32,7 +32,7 @@ Subject: [PATCH 18/43] QUIC: Handle EndOfEarlyData and MaxEarlyData return 1; --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -1890,12 +1890,20 @@ EXT_RETURN tls_construct_stoc_early_data +@@ -1896,12 +1896,20 @@ EXT_RETURN tls_construct_stoc_early_data size_t chainidx) { if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { diff --git a/openwrt/patch/openssl/quic/0020-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch b/openwrt/patch/openssl/quic/0020-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch index fe82fd5cf..ff12006d2 100644 --- a/openwrt/patch/openssl/quic/0020-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch +++ b/openwrt/patch/openssl/quic/0020-QUIC-Some-cleanup-for-the-main-QUIC-changes.patch @@ -179,7 +179,7 @@ Update referenced I-D versions. +#endif --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c -@@ -4264,7 +4264,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const +@@ -4281,7 +4281,7 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) { @@ -304,7 +304,7 @@ Update referenced I-D versions. -#endif --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c -@@ -1922,7 +1922,7 @@ int tls_parse_stoc_early_data(SSL *s, PA +@@ -1947,7 +1947,7 @@ int tls_parse_stoc_early_data(SSL *s, PA #ifndef OPENSSL_NO_QUIC /* * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION @@ -315,7 +315,7 @@ Update referenced I-D versions. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA); --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -1896,7 +1896,7 @@ EXT_RETURN tls_construct_stoc_early_data +@@ -1902,7 +1902,7 @@ EXT_RETURN tls_construct_stoc_early_data return EXT_RETURN_NOT_SENT; #ifndef OPENSSL_NO_QUIC @@ -378,7 +378,7 @@ Update referenced I-D versions. } } else #endif -@@ -1183,7 +1190,6 @@ int tls_get_message_header(SSL *s, int * +@@ -1187,7 +1194,6 @@ int tls_get_message_header(SSL *s, int * do { while (s->init_num < SSL3_HM_HEADER_LENGTH) { @@ -598,9 +598,9 @@ Update referenced I-D versions. unsigned char *iv; --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10766,9 +10766,11 @@ static int test_multi_resume(int idx) +@@ -10765,9 +10765,11 @@ static int test_multi_resume(int idx) + return testresult; } - #ifndef OPENSSL_NO_QUIC -static int test_quic_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL level, +static int test_quic_set_encryption_secrets(SSL *ssl, @@ -612,7 +612,7 @@ Update referenced I-D versions. { test_printf_stderr("quic_set_encryption_secrets() %s, lvl=%d, len=%zd\n", ssl->server ? "server" : "client", level, secret_len); -@@ -10780,11 +10782,12 @@ static int test_quic_add_handshake_data( +@@ -10779,11 +10781,12 @@ static int test_quic_add_handshake_data( { SSL *peer = (SSL*)SSL_get_app_data(ssl); diff --git a/openwrt/patch/openssl/quic/0021-QUIC-Prevent-KeyUpdate-for-QUIC.patch b/openwrt/patch/openssl/quic/0021-QUIC-Prevent-KeyUpdate-for-QUIC.patch index 37bfbbe0c..931608807 100644 --- a/openwrt/patch/openssl/quic/0021-QUIC-Prevent-KeyUpdate-for-QUIC.patch +++ b/openwrt/patch/openssl/quic/0021-QUIC-Prevent-KeyUpdate-for-QUIC.patch @@ -40,7 +40,7 @@ input to the TLS layer for a QUIC connection). if (qd == NULL) { --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c -@@ -662,6 +662,13 @@ int tls_construct_finished(SSL *s, WPACK +@@ -666,6 +666,13 @@ int tls_construct_finished(SSL *s, WPACK int tls_construct_key_update(SSL *s, WPACKET *pkt) { @@ -54,7 +54,7 @@ input to the TLS layer for a QUIC connection). if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; -@@ -684,6 +691,13 @@ MSG_PROCESS_RETURN tls_process_key_updat +@@ -688,6 +695,13 @@ MSG_PROCESS_RETURN tls_process_key_updat return MSG_PROCESS_ERROR; } diff --git a/openwrt/patch/openssl/quic/0022-QUIC-Test-KeyUpdate-rejection.patch b/openwrt/patch/openssl/quic/0022-QUIC-Test-KeyUpdate-rejection.patch index 8d252fca0..03f5ef565 100644 --- a/openwrt/patch/openssl/quic/0022-QUIC-Test-KeyUpdate-rejection.patch +++ b/openwrt/patch/openssl/quic/0022-QUIC-Test-KeyUpdate-rejection.patch @@ -12,7 +12,7 @@ integrated into the TLSProxy setup. --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10890,6 +10890,17 @@ static int test_quic_api(void) +@@ -10889,6 +10889,17 @@ static int test_quic_api(void) || !TEST_true(SSL_process_quic_post_handshake(clientssl))) goto end; diff --git a/openwrt/patch/openssl/quic/0025-QUIC-add-v1-quic_transport_parameters.patch b/openwrt/patch/openssl/quic/0025-QUIC-add-v1-quic_transport_parameters.patch index fbfa77603..44ff85d70 100644 --- a/openwrt/patch/openssl/quic/0025-QUIC-add-v1-quic_transport_parameters.patch +++ b/openwrt/patch/openssl/quic/0025-QUIC-add-v1-quic_transport_parameters.patch @@ -255,7 +255,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters TLSEXT_TYPE_quic_transport_parameters, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, -@@ -1752,8 +1762,37 @@ static int init_quic_transport_params(SS +@@ -1746,8 +1756,37 @@ static int init_quic_transport_params(SS return 1; } @@ -332,7 +332,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters return EXT_RETURN_NOT_SENT; } -@@ -2013,7 +2033,23 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p +@@ -2038,7 +2058,23 @@ int tls_parse_stoc_psk(SSL *s, PACKET *p return 1; } #ifndef OPENSSL_NO_QUIC @@ -359,7 +359,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters { --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -1233,7 +1233,22 @@ int tls_parse_ctos_post_handshake_auth(S +@@ -1238,7 +1238,22 @@ int tls_parse_ctos_post_handshake_auth(S } #ifndef OPENSSL_NO_QUIC @@ -383,7 +383,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters int tls_parse_ctos_quic_transport_params(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -@@ -1943,13 +1958,36 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s +@@ -1949,13 +1964,36 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s } #ifndef OPENSSL_NO_QUIC @@ -472,7 +472,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters #endif --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10816,7 +10816,13 @@ static SSL_QUIC_METHOD quic_method = { +@@ -10815,7 +10815,13 @@ static SSL_QUIC_METHOD quic_method = { test_quic_send_alert, }; @@ -487,7 +487,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; -@@ -10827,29 +10833,7 @@ static int test_quic_api(void) +@@ -10826,29 +10832,7 @@ static int test_quic_api(void) const uint8_t *peer_str; size_t peer_str_len; @@ -518,7 +518,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -@@ -10868,6 +10852,8 @@ static int test_quic_api(void) +@@ -10867,6 +10851,8 @@ static int test_quic_api(void) sizeof(client_str))) || !TEST_true(SSL_set_app_data(serverssl, clientssl)) || !TEST_true(SSL_set_app_data(clientssl, serverssl)) @@ -527,7 +527,7 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION) -@@ -10901,11 +10887,85 @@ static int test_quic_api(void) +@@ -10900,11 +10886,85 @@ static int test_quic_api(void) || !TEST_int_le(SSL_do_handshake(serverssl), 0)) goto end; @@ -612,10 +612,10 @@ Subject: [PATCH 25/43] QUIC: add v1 quic_transport_parameters +} #endif /* OPENSSL_NO_QUIC */ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") -@@ -11185,7 +11245,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_handshake_retry, 16); - ADD_ALL_TESTS(test_multi_resume, 5); + static struct next_proto_st { +@@ -11550,7 +11610,7 @@ int setup_tests(void) + #endif + ADD_ALL_TESTS(test_alpn, 4); #ifndef OPENSSL_NO_QUIC - ADD_TEST(test_quic_api); + ADD_ALL_TESTS(test_quic_api, 9); diff --git a/openwrt/patch/openssl/quic/0031-QUIC-Add-early-data-support.patch b/openwrt/patch/openssl/quic/0031-QUIC-Add-early-data-support.patch index 9681c281e..818f4ca76 100644 --- a/openwrt/patch/openssl/quic/0031-QUIC-Add-early-data-support.patch +++ b/openwrt/patch/openssl/quic/0031-QUIC-Add-early-data-support.patch @@ -64,7 +64,7 @@ support to QUIC. # ifdef __cplusplus --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c -@@ -3998,6 +3998,21 @@ int SSL_do_handshake(SSL *s) +@@ -4015,6 +4015,21 @@ int SSL_do_handshake(SSL *s) ret = s->handshake_func(s); } } @@ -306,7 +306,7 @@ support to QUIC. ret = 1; --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10966,6 +10966,159 @@ end: +@@ -10965,6 +10965,159 @@ end: serverssl = NULL; return testresult; } @@ -465,9 +465,9 @@ support to QUIC. +# endif /* OSSL_NO_USABLE_TLS1_3 */ #endif /* OPENSSL_NO_QUIC */ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") -@@ -11246,6 +11399,9 @@ int setup_tests(void) - ADD_ALL_TESTS(test_multi_resume, 5); + static struct next_proto_st { +@@ -11611,6 +11764,9 @@ int setup_tests(void) + ADD_ALL_TESTS(test_alpn, 4); #ifndef OPENSSL_NO_QUIC ADD_ALL_TESTS(test_quic_api, 9); +# ifndef OSSL_NO_USABLE_TLS1_3 diff --git a/openwrt/patch/openssl/quic/0033-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch b/openwrt/patch/openssl/quic/0033-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch index 10654746c..84d7ff731 100644 --- a/openwrt/patch/openssl/quic/0033-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch +++ b/openwrt/patch/openssl/quic/0033-QUIC-Process-multiple-post-handshake-messages-in-a-s.patch @@ -46,7 +46,7 @@ Subject: [PATCH 33/43] QUIC: Process multiple post-handshake messages in a --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10872,8 +10872,7 @@ static int test_quic_api_version(int cln +@@ -10871,8 +10871,7 @@ static int test_quic_api_version(int cln goto end; /* Deal with two NewSessionTickets */ @@ -56,7 +56,7 @@ Subject: [PATCH 33/43] QUIC: Process multiple post-handshake messages in a goto end; /* Dummy handshake call should succeed */ -@@ -11060,8 +11059,7 @@ static int quic_setupearly_data_test(SSL +@@ -11059,8 +11058,7 @@ static int quic_setupearly_data_test(SSL return 0; /* Deal with two NewSessionTickets */ diff --git a/openwrt/patch/openssl/quic/0034-QUIC-Fix-CI.patch b/openwrt/patch/openssl/quic/0034-QUIC-Fix-CI.patch index a5a6893ab..3675b0605 100644 --- a/openwrt/patch/openssl/quic/0034-QUIC-Fix-CI.patch +++ b/openwrt/patch/openssl/quic/0034-QUIC-Fix-CI.patch @@ -15,7 +15,7 @@ Fixes an issue with extension defintions and `no-quic` --- a/Configure +++ b/Configure -@@ -579,6 +579,7 @@ my @disable_cascades = ( +@@ -578,6 +578,7 @@ my @disable_cascades = ( "sm3", "sm4", "srp", "srtp", "ssl3-method", "ssl-trace", "ts", "ui-console", "whirlpool", @@ -23,7 +23,7 @@ Fixes an issue with extension defintions and `no-quic` "fips-securitychecks" ], sub { $config{processor} eq "386" } => [ "sse2" ], -@@ -586,7 +587,7 @@ my @disable_cascades = ( +@@ -585,7 +586,7 @@ my @disable_cascades = ( "ssl3-method" => [ "ssl3" ], "zlib" => [ "zlib-dynamic" ], "des" => [ "mdc2" ], @@ -73,7 +73,7 @@ Fixes an issue with extension defintions and `no-quic` /* Must be immediately before pre_shared_key */ --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -1912,7 +1912,7 @@ EXT_RETURN tls_construct_stoc_early_data +@@ -1918,7 +1918,7 @@ EXT_RETURN tls_construct_stoc_early_data #ifndef OPENSSL_NO_QUIC /* QUIC server must always send 0xFFFFFFFF, per draft-ietf-quic-tls-27 S4.5 */ diff --git a/openwrt/patch/openssl/quic/0037-QUIC-Update-RFC-references.patch b/openwrt/patch/openssl/quic/0037-QUIC-Update-RFC-references.patch index f5d109555..272b2c0aa 100644 --- a/openwrt/patch/openssl/quic/0037-QUIC-Update-RFC-references.patch +++ b/openwrt/patch/openssl/quic/0037-QUIC-Update-RFC-references.patch @@ -66,7 +66,7 @@ Subject: [PATCH 37/43] QUIC: Update RFC references --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c -@@ -1942,7 +1942,7 @@ int tls_parse_stoc_early_data(SSL *s, PA +@@ -1967,7 +1967,7 @@ int tls_parse_stoc_early_data(SSL *s, PA #ifndef OPENSSL_NO_QUIC /* * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION @@ -77,7 +77,7 @@ Subject: [PATCH 37/43] QUIC: Update RFC references SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA); --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -1911,7 +1911,7 @@ EXT_RETURN tls_construct_stoc_early_data +@@ -1917,7 +1917,7 @@ EXT_RETURN tls_construct_stoc_early_data return EXT_RETURN_NOT_SENT; #ifndef OPENSSL_NO_QUIC diff --git a/openwrt/patch/openssl/quic/0039-QUIC-use-SSL_IS_QUIC-in-more-places.patch b/openwrt/patch/openssl/quic/0039-QUIC-use-SSL_IS_QUIC-in-more-places.patch index 73312bd6c..f1842d866 100644 --- a/openwrt/patch/openssl/quic/0039-QUIC-use-SSL_IS_QUIC-in-more-places.patch +++ b/openwrt/patch/openssl/quic/0039-QUIC-use-SSL_IS_QUIC-in-more-places.patch @@ -22,7 +22,7 @@ Subject: [PATCH 39/43] QUIC: use SSL_IS_QUIC() in more places SSL_set_quic_early_data_enabled() enables QUIC early data if a nonzero --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c -@@ -1944,7 +1944,7 @@ int tls_parse_stoc_early_data(SSL *s, PA +@@ -1969,7 +1969,7 @@ int tls_parse_stoc_early_data(SSL *s, PA * QUIC server must send 0xFFFFFFFF or it's a PROTOCOL_VIOLATION * per RFC9001 S4.6.1 */ diff --git a/openwrt/patch/openssl/quic/0041-QUIC-Update-SSL_clear-to-clear-quic-data.patch b/openwrt/patch/openssl/quic/0041-QUIC-Update-SSL_clear-to-clear-quic-data.patch index 8d764eae5..6d130e634 100644 --- a/openwrt/patch/openssl/quic/0041-QUIC-Update-SSL_clear-to-clear-quic-data.patch +++ b/openwrt/patch/openssl/quic/0041-QUIC-Update-SSL_clear-to-clear-quic-data.patch @@ -69,7 +69,7 @@ from the server SSL. * This will ensure we have received the NewSessionTicket in TLSv1.3 where --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10832,6 +10832,7 @@ static int test_quic_api_version(int cln +@@ -10831,6 +10831,7 @@ static int test_quic_api_version(int cln static const char *client_str = "CLIENT"; const uint8_t *peer_str; size_t peer_str_len; @@ -77,7 +77,7 @@ from the server SSL. TEST_info("original clnt=0x%X, srvr=0x%X\n", clnt, srvr); -@@ -10854,8 +10855,10 @@ static int test_quic_api_version(int cln +@@ -10853,8 +10854,10 @@ static int test_quic_api_version(int cln || !TEST_true(SSL_set_app_data(clientssl, serverssl)) || !TEST_true(test_quic_api_set_versions(clientssl, clnt)) || !TEST_true(test_quic_api_set_versions(serverssl, srvr)) @@ -90,7 +90,7 @@ from the server SSL. || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION) || !TEST_true(SSL_version(clientssl) == TLS1_3_VERSION) || !(TEST_int_eq(SSL_quic_read_level(clientssl), ssl_encryption_application)) -@@ -10977,6 +10980,7 @@ static int quic_setupearly_data_test(SSL +@@ -10976,6 +10979,7 @@ static int quic_setupearly_data_test(SSL { static const char *server_str = "SERVER"; static const char *client_str = "CLIENT"; @@ -98,7 +98,7 @@ from the server SSL. if (*sctx == NULL && (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -@@ -11054,8 +11058,10 @@ static int quic_setupearly_data_test(SSL +@@ -11053,8 +11057,10 @@ static int quic_setupearly_data_test(SSL if (sess == NULL) return 1; @@ -111,7 +111,7 @@ from the server SSL. return 0; /* Deal with two NewSessionTickets */ -@@ -11094,12 +11100,15 @@ static int test_quic_early_data(int tst) +@@ -11093,12 +11099,15 @@ static int test_quic_early_data(int tst) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; SSL_SESSION *sess = NULL; diff --git a/openwrt/patch/openssl/quic/0042-QUIC-Better-SSL_clear.patch b/openwrt/patch/openssl/quic/0042-QUIC-Better-SSL_clear.patch index 885ec470e..a60075336 100644 --- a/openwrt/patch/openssl/quic/0042-QUIC-Better-SSL_clear.patch +++ b/openwrt/patch/openssl/quic/0042-QUIC-Better-SSL_clear.patch @@ -146,7 +146,7 @@ Don't make the new functions public. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -10832,7 +10832,6 @@ static int test_quic_api_version(int cln +@@ -10831,7 +10831,6 @@ static int test_quic_api_version(int cln static const char *client_str = "CLIENT"; const uint8_t *peer_str; size_t peer_str_len; @@ -154,7 +154,7 @@ Don't make the new functions public. TEST_info("original clnt=0x%X, srvr=0x%X\n", clnt, srvr); -@@ -10855,10 +10854,8 @@ static int test_quic_api_version(int cln +@@ -10854,10 +10853,8 @@ static int test_quic_api_version(int cln || !TEST_true(SSL_set_app_data(clientssl, serverssl)) || !TEST_true(test_quic_api_set_versions(clientssl, clnt)) || !TEST_true(test_quic_api_set_versions(serverssl, srvr)) @@ -166,7 +166,7 @@ Don't make the new functions public. || !TEST_true(SSL_version(serverssl) == TLS1_3_VERSION) || !TEST_true(SSL_version(clientssl) == TLS1_3_VERSION) || !(TEST_int_eq(SSL_quic_read_level(clientssl), ssl_encryption_application)) -@@ -10980,7 +10977,6 @@ static int quic_setupearly_data_test(SSL +@@ -10979,7 +10976,6 @@ static int quic_setupearly_data_test(SSL { static const char *server_str = "SERVER"; static const char *client_str = "CLIENT"; @@ -174,7 +174,7 @@ Don't make the new functions public. if (*sctx == NULL && (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -@@ -11058,10 +11054,8 @@ static int quic_setupearly_data_test(SSL +@@ -11057,10 +11053,8 @@ static int quic_setupearly_data_test(SSL if (sess == NULL) return 1; @@ -187,7 +187,7 @@ Don't make the new functions public. return 0; /* Deal with two NewSessionTickets */ -@@ -11100,15 +11094,12 @@ static int test_quic_early_data(int tst) +@@ -11099,15 +11093,12 @@ static int test_quic_early_data(int tst) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; SSL_SESSION *sess = NULL;