patch openssl-equal-3.0.0-dev_ciphers_revert.patch failed #39
Description
Nginx version: 1.18.0
OpenSSL version: Compatible OpenSSL-3.0.0-dev-revert (OpenSSL, 25746 commits)
Patch logs:
patching file crypto/err/openssl.txt
�[91mPossibly reversed hunk 1 at 3476
Hunk 1 FAILED 3009/3009.
SM2_R_INVALID_FIELD:105:invalid field
SM2_R_NO_PARAMETERS_SET:109:no parameters set
SM2_R_USER_ID_TOO_LARGE:106:user id too large
+SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed
SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
application data after close notify
SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
�[0m
�[91mPossibly reversed hunk 1 at 814
Hunk 1 FAILED 405/405.
=back
+=head1 EQUAL PREFERENCE GROUPS
+
+If configuring a server, one may also configure equal-preference groups to
+partially respect the client's preferences when
+B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
+group have equal priority and use the client order. This may be used to
+enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
+based on client preferences. An equal-preference is specified with square
+brackets, combining multiple selectors separated by |. For example:
+
+ [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
+
+ Once an equal-preference group is used, future directives must be
+ opcode-less.
+
=head1 CIPHER SUITE NAMES
The following lists give the SSL or TLS cipher suites names from the
�[0m
�[91mHunk 1 FAILED 10/10.
#ifndef OPENSSL_SSLERR_H
# define OPENSSL_SSLERR_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-# define HEADER_SSLERR_H
-# endif
# include <openssl/opensslconf.h>
# include <openssl/symhacks.h>
�[0m
�[91mHunk 6 FAILED 266/272.
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
- SSL3_VERSION, TLS1_2_VERSION,
+ SSL3_VERSION, TLS1_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
�[0m
�[91mPossibly reversed hunk 1 at 2276
Hunk 1 FAILED 193/193.
const SSL_CIPHER *cipher;
int active;
int dead;
+ int in_group;
struct cipher_order_st *next, *prev;
} CIPHER_ORDER;
�[0m
�[91mPossibly reversed hunk 1 at 571
Hunk 1 FAILED 14/14.
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA SSL_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED),
+ "algorithm fetch failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
"application data after close notify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
�[0m
�[91mPossibly reversed hunk 1 at 5904
Hunk 1 FAILED 1127/1127.
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
+void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
+ *cipher_list)
+{
+ sk_SSL_CIPHER_free(cipher_list->ciphers);
+ OPENSSL_free(cipher_list->in_group_flags);
+ OPENSSL_free(cipher_list);
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
+ *cipher_list)
+{
+ struct ssl_cipher_preference_list_st* ret = NULL;
+ size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
+
+ ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+ if (!ret)
+ goto err;
+ ret->ciphers = NULL;
+ ret->in_group_flags = NULL;
+ ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
+ if (!ret->ciphers)
+ goto err;
+ ret->in_group_flags = OPENSSL_malloc(n);
+ if (!ret->in_group_flags)
+ goto err;
+ memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
+ return ret;
+
+err:
+ if (ret->ciphers)
+ sk_SSL_CIPHER_free(ret->ciphers);
+ if (ret)
+ OPENSSL_free(ret);
+ return NULL;
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
+{
+ struct ssl_cipher_preference_list_st* ret = NULL;
+ size_t n = sk_SSL_CIPHER_num(ciphers);
+
+ ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+ if (!ret)
+ goto err;
+ ret->ciphers = NULL;
+ ret->in_group_flags = NULL;
+ ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
+ if (!ret->ciphers)
+ goto err;
+ ret->in_group_flags = OPENSSL_malloc(n);
+ if (!ret->in_group_flags)
+ goto err;
+ memset(ret->in_group_flags, 0, n);
+ return ret;
+
+err:
+ if (ret->ciphers)
+ sk_SSL_CIPHER_free(ret->ciphers);
+ if (ret)
+ OPENSSL_free(ret);
+ return NULL;
+}
+
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
return ctx->param;
�[0m
�[91mPossibly reversed hunk 1 at 2775
Hunk 1 FAILED 763/763.
size_t max_size);
size_t ssl_hmac_size(const SSL_HMAC *ctx);
+/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
+ * equal-preference groups. For TLS clients, the groups are moot because the
+ * server picks the cipher and groups cannot be expressed on the wire. However,
+ * for servers, the equal-preference groups allow the client's preferences to
+ * be partially respected. (This only has an effect with
+ * SSL_OP_CIPHER_SERVER_PREFERENCE).
+ *
+ * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
+ * All elements of a group have the same priority: no ordering is expressed
+ * within a group.
+ *
+ * The values in |ciphers| are in one-to-one correspondence with
+ * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
+ * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
+ * indicate that the corresponding SSL_CIPHER is not the last element of a
+ * group, or 0 to indicate that it is.
+ *
+ * For example, if |in_group_flags| contains all zeros then that indicates a
+ * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
+ * of the group (i.e. they are all in a one-element group).
+ *
+ * For a more complex example, consider:
+ * ciphers: A B C D E F
+ * in_group_flags: 1 1 0 0 1 0
+ *
+ * That would express the following, order:
+ *
+ * A E
+ * B -> D -> F
+ * C
+ */
+struct ssl_cipher_preference_list_st {
+ STACK_OF(SSL_CIPHER) *ciphers;
+ uint8_t *in_group_flags;
+};
+
+
struct ssl_ctx_st {
OPENSSL_CTX *libctx;
const SSL_METHOD *method;
- STACK_OF(SSL_CIPHER) *cipher_list;
+ struct ssl_cipher_preference_list_st *cipher_list;
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
�[0m
�[91mHunk 1 FAILED 1774/1774.
/* For TLSv1.3 we must select the ciphersuite *before* session resumption */
if (SSL_IS_TLS13(s)) {
const SSL_CIPHER *cipher =
- ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
�[0m
�[91mHunk 1 FAILED 3340/3340.
PEM_read_PKCS8_PRIV_KEY_INFO 3410 3_0_0 EXIST::FUNCTION:STDIO
TS_VERIFY_CTX_new 3411 3_0_0 EXIST::FUNCTION:TS
BUF_MEM_new_ex 3412 3_0_0 EXIST::FUNCTION:
-RSA_padding_add_X931 3413 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_X931 3413 3_0_0 EXIST::FUNCTION:RSA
BN_get0_nist_prime_256 3414 3_0_0 EXIST::FUNCTION:
CRYPTO_memcmp 3415 3_0_0 EXIST::FUNCTION:
DH_check_pub_key 3416 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
ASN1_mbstring_copy 3417 3_0_0 EXIST::FUNCTION:
PKCS7_set_type 3418 3_0_0 EXIST::FUNCTION:
BIO_gets 3419 3_0_0 EXIST::FUNCTION:
-RSA_padding_check_PKCS1_type_1 3420 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_PKCS1_type_1 3420 3_0_0 EXIST::FUNCTION:RSA
UI_ctrl 3421 3_0_0 EXIST::FUNCTION:
i2d_X509_REQ_fp 3422 3_0_0 EXIST::FUNCTION:STDIO
BN_BLINDING_convert_ex 3423 3_0_0 EXIST::FUNCTION:
�[0m
patching file doc/man1/openssl-ciphers.pod.in
patching file include/openssl/sslerr.h
patching file ssl/s3_lib.c
patching file ssl/ssl_ciph.c
patching file ssl/ssl_err.c
patching file ssl/ssl_lib.c
patching file ssl/ssl_local.h
patching file ssl/statem/statem_srvr.c
patching file util/libcrypto.num
If skip this patch, nginx will compile successfully.