From 3a3b1973279105d8db80c90b331a82e1877e5f28 Mon Sep 17 00:00:00 2001
From: Alexey Kuzmin
Date: Tue, 6 Nov 2018 17:07:09 +0100
Subject: [PATCH] fix: update the "SSL_get_tlsext_status_type" patch (#15587)

It has been upstreamed by @nornagon https://github.com/google/boringssl/commit/c0c9001440db8121bdc1ff1307b3a9aedf26fcd8
---
 patches/common/boringssl/.patches | 2 +-
 ...implement-SSL_get_tlsext_status_type.patch | 40 -------------
 ...implement_ssl_get_tlsext_status_type.patch | 58 +++++++++++++++++++
 3 files changed, 59 insertions(+), 41 deletions(-)
 delete mode 100644 patches/common/boringssl/implement-SSL_get_tlsext_status_type.patch
 create mode 100644 patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch

diff --git a/patches/common/boringssl/.patches b/patches/common/boringssl/.patches
index ceec4586db..eb67e3c35a 100644
--- a/patches/common/boringssl/.patches
+++ b/patches/common/boringssl/.patches
@@ -1 +1 @@
-implement-SSL_get_tlsext_status_type.patch
+implement_ssl_get_tlsext_status_type.patch
diff --git a/patches/common/boringssl/implement-SSL_get_tlsext_status_type.patch b/patches/common/boringssl/implement-SSL_get_tlsext_status_type.patch
deleted file mode 100644
index b05f9359db..0000000000
--- a/patches/common/boringssl/implement-SSL_get_tlsext_status_type.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Aleksei Kuzmin
-Date: Mon, 22 Oct 2018 10:46:33 -0700
-Subject: implement-SSL_get_tlsext_status_type.patch
-
-BoringSSL doesn't implement `SSL_get_tlsext_status_type()`,
-but Node.js expects it to be present cause OpenSSL has it.
-
-diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index f693030a8a7c4bf79dd791e1abd0e94f8e97a292..59c1881b34289401e6c998cd266cb1e2fb8f7cc9 100644
---- a/include/openssl/ssl.h
-+++ b/include/openssl/ssl.h
-@@ -4293,6 +4293,8 @@ OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts,
- // Use |SSL_enable_ocsp_stapling| instead.
- OPENSSL_EXPORT int SSL_set_tlsext_status_type(SSL *ssl, int type);
-
-+OPENSSL_EXPORT int SSL_get_tlsext_status_type(SSL *ssl);
-+
- // SSL_set_tlsext_status_ocsp_resp sets the OCSP response. It returns one on
- // success and zero on error. On success, |ssl| takes ownership of |resp|, which
- // must have been allocated by |OPENSSL_malloc|.
-diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
-index c68968a514b76717d4c42448ef4b9c440c330fb2..c82ffeaa37268e54c6b142b31706d478ba93ff63 100644
---- a/ssl/ssl_lib.cc
-+++ b/ssl/ssl_lib.cc
-@@ -2896,6 +2896,14 @@ int SSL_set_tlsext_status_type(SSL *ssl, int type) {
- return 1;
- }
-
-+int SSL_get_tlsext_status_type(SSL *ssl) {
-+ if (ssl->config->ocsp_stapling_enabled) {
-+ return TLSEXT_STATUSTYPE_ocsp;
-+ }
-+
-+ return TLSEXT_STATUSTYPE_nothing;
-+}
-+
- int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) {
- if (SSL_set_ocsp_response(ssl, resp, resp_len)) {
- OPENSSL_free(resp);
diff --git a/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch b/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch
new file mode 100644
index 0000000000..1dab9c66d8
--- /dev/null
+++ b/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jeremy Apthorp
+Date: Thu, 18 Oct 2018 14:18:05 -0700
+Subject: Implement SSL_get_tlsext_status_type
+
+It's used by Node.js[1], and is simple to implement.
+
+[1]: https://github.com/nodejs/node/blob/e2f58c71ddf0f91256cc85e6bb226a068256c5eb/src/node_crypto.cc#L2390
+
+Change-Id: Ie5c76b848623d00f7478aeae0214c25472de523c
+Reviewed-on: https://boringssl-review.googlesource.com/c/32525
+Reviewed-by: David Benjamin
+Commit-Queue: David Benjamin
+CQ-Verified: CQ bot account: commit-bot@chromium.org
+
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
+index ae8b8385fc73701a4346202f213b5974af4e2aed..0f3d1747173ffb09eafd5c7d5d692ae3c35c9874 100644
+--- a/include/openssl/ssl.h
++++ b/include/openssl/ssl.h
+@@ -4268,6 +4268,14 @@ OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts,
+ // Use |SSL_enable_ocsp_stapling| instead.
+ OPENSSL_EXPORT int SSL_set_tlsext_status_type(SSL *ssl, int type);
+
++// SSL_get_tlsext_status_type returns |TLSEXT_STATUSTYPE_ocsp| if the client
++// requested OCSP stapling and |TLSEXT_STATUSTYPE_nothing| otherwise. On the
++// client, this reflects whether OCSP stapling was enabled via, e.g.,
++// |SSL_set_tlsext_status_type|. On the server, this is determined during the
++// handshake. It may be queried in callbacks set by |SSL_CTX_set_cert_cb|. The
++// result is undefined after the handshake completes.
++OPENSSL_EXPORT int SSL_get_tlsext_status_type(const SSL *ssl);
++
+ // SSL_set_tlsext_status_ocsp_resp sets the OCSP response. It returns one on
+ // success and zero on error. On success, |ssl| takes ownership of |resp|, which
+ // must have been allocated by |OPENSSL_malloc|.
+diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
+index 9c16de4958ef29d638e05e0f90b9b15b11b15cac..1f648658b8cb6ae7b82132b276b927e8fb11a47a 100644
+--- a/ssl/ssl_lib.cc
++++ b/ssl/ssl_lib.cc
+@@ -2751,6 +2751,19 @@ int SSL_set_tlsext_status_type(SSL *ssl, int type) {
+ return 1;
+ }
+
++int SSL_get_tlsext_status_type(const SSL *ssl) {
++ if (ssl->server) {
++ SSL_HANDSHAKE *hs = ssl->s3->hs.get();
++ return hs != nullptr && hs->ocsp_stapling_requested
++ ? TLSEXT_STATUSTYPE_ocsp
++ : TLSEXT_STATUSTYPE_nothing;
++ }
++
++ return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled
++ ? TLSEXT_STATUSTYPE_ocsp
++ : TLSEXT_STATUSTYPE_nothing;
++}
++
+ int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) {
+ if (SSL_set_ocsp_response(ssl, resp, resp_len)) {
+ OPENSSL_free(resp);