diff --git a/patches/common/boringssl/.patches b/patches/common/boringssl/.patches
index ba4d3c3fe9a3..5959cf4590c3 100644
--- a/patches/common/boringssl/.patches
+++ b/patches/common/boringssl/.patches
@@ -1,3 +1,2 @@
-implement_ssl_get_tlsext_status_type.patch
 add_ec_group_order_bits_for_openssl_compatibility.patch
 add_ec_key_key2buf_for_openssl_compatibility.patch
diff --git a/patches/common/boringssl/add_ec_group_order_bits_for_openssl_compatibility.patch b/patches/common/boringssl/add_ec_group_order_bits_for_openssl_compatibility.patch
index 1db5350f5cfc..1995ab549373 100644
--- a/patches/common/boringssl/add_ec_group_order_bits_for_openssl_compatibility.patch
+++ b/patches/common/boringssl/add_ec_group_order_bits_for_openssl_compatibility.patch
@@ -9,10 +9,10 @@ Commit-Queue: Adam Langley
 Reviewed-by: Adam Langley
 
 diff --git a/crypto/fipsmodule/ec/ec.c b/crypto/fipsmodule/ec/ec.c
-index 908e35e9d04e657c13ba61c8ea5bf4a4519228c5..43e170b9190bf1813216b10863bbaf6402331161 100644
+index bd0662a703d6285df51735c5d4870d21a82b39cf..90b9d71f61f8d6d7ddf838c47a59729748d0d0f2 100644
 --- a/crypto/fipsmodule/ec/ec.c
 +++ b/crypto/fipsmodule/ec/ec.c
-@@ -605,6 +605,10 @@ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
+@@ -625,6 +625,10 @@ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {
 return 1;
 }
 
@@ -24,7 +24,7 @@ index 908e35e9d04e657c13ba61c8ea5bf4a4519228c5..43e170b9190bf1813216b10863bbaf64
 BN_CTX *ctx) {
 // All |EC_GROUP|s have cofactor 1.
 diff --git a/include/openssl/ec.h b/include/openssl/ec.h
-index 41a9c34c5ad1bbfdff8e37c1e245ac7fac7a3869..e4195fc15a26e61ef1e74ac7054ddabb256ae9a3 100644
+index 966393ea3b726214aa84a604c8e5a13654dcdf76..c65a1a7519fd80b681d1cf899792ee46aaa8bad6 100644
 --- a/include/openssl/ec.h
 +++ b/include/openssl/ec.h
 @@ -133,6 +133,9 @@ OPENSSL_EXPORT const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);
diff --git a/patches/common/boringssl/add_ec_key_key2buf_for_openssl_compatibility.patch b/patches/common/boringssl/add_ec_key_key2buf_for_openssl_compatibility.patch
index aa8f3d7ec320..d2e21d3c0d14 100644
--- a/patches/common/boringssl/add_ec_key_key2buf_for_openssl_compatibility.patch
+++ b/patches/common/boringssl/add_ec_key_key2buf_for_openssl_compatibility.patch
@@ -9,7 +9,7 @@ Reviewed-by: Adam Langley
 Commit-Queue: Adam Langley
 
 diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c
-index a6d469767adfad1c9095cc58c567b10c71e95cfa..ba69e83cb8f49c70a98c8fd68fd7fa4b122da5cd 100644
+index 632dc9b2d902dfba01567f4c02ad7ad6d0c8c3e8..4bc12a073650f66f5ae8ba2beabb9a6fb2b21878 100644
 --- a/crypto/fipsmodule/ec/ec_key.c
 +++ b/crypto/fipsmodule/ec/ec_key.c
 @@ -394,6 +394,33 @@ err:
diff --git a/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch b/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch
deleted file mode 100644
index f552ab39c6bd..000000000000
--- a/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jeremy Apthorp
-Date: Thu, 18 Oct 2018 14:18:05 -0700
-Subject: Implement SSL_get_tlsext_status_type
-
-It's used by Node.js[1], and is simple to implement.
-
-[1]: https://github.com/nodejs/node/blob/e2f58c71ddf0f91256cc85e6bb226a068256c5eb/src/node_crypto.cc#L2390
-
-Change-Id: Ie5c76b848623d00f7478aeae0214c25472de523c
-Reviewed-on: https://boringssl-review.googlesource.com/c/32525
-Reviewed-by: David Benjamin
-Commit-Queue: David Benjamin
-CQ-Verified: CQ bot account: commit-bot@chromium.org
-
-diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index c0d44ce2820fb20273b453def0b5bcb5ddcc14e9..f0d9dd45e2c41968a84c8a3f31a8c9e4f621f018 100644
---- a/include/openssl/ssl.h
-+++ b/include/openssl/ssl.h
-@@ -4268,6 +4268,14 @@ OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts,
- // Use |SSL_enable_ocsp_stapling| instead.
- OPENSSL_EXPORT int SSL_set_tlsext_status_type(SSL *ssl, int type);
- 
-+// SSL_get_tlsext_status_type returns |TLSEXT_STATUSTYPE_ocsp| if the client
-+// requested OCSP stapling and |TLSEXT_STATUSTYPE_nothing| otherwise. On the
-+// client, this reflects whether OCSP stapling was enabled via, e.g.,
-+// |SSL_set_tlsext_status_type|. On the server, this is determined during the
-+// handshake. It may be queried in callbacks set by |SSL_CTX_set_cert_cb|. The
-+// result is undefined after the handshake completes.
-+OPENSSL_EXPORT int SSL_get_tlsext_status_type(const SSL *ssl);
-+
- // SSL_set_tlsext_status_ocsp_resp sets the OCSP response. It returns one on
- // success and zero on error. On success, |ssl| takes ownership of |resp|, which
- // must have been allocated by |OPENSSL_malloc|.
-diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
-index 9c16de4958ef29d638e05e0f90b9b15b11b15cac..1f648658b8cb6ae7b82132b276b927e8fb11a47a 100644
---- a/ssl/ssl_lib.cc
-+++ b/ssl/ssl_lib.cc
-@@ -2751,6 +2751,19 @@ int SSL_set_tlsext_status_type(SSL *ssl, int type) {
- return 1;
- }
- 
-+int SSL_get_tlsext_status_type(const SSL *ssl) {
-+ if (ssl->server) {
-+ SSL_HANDSHAKE *hs = ssl->s3->hs.get();
-+ return hs != nullptr && hs->ocsp_stapling_requested
-+ ? TLSEXT_STATUSTYPE_ocsp
-+ : TLSEXT_STATUSTYPE_nothing;
-+ }
-+
-+ return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled
-+ ? TLSEXT_STATUSTYPE_ocsp
-+ : TLSEXT_STATUSTYPE_nothing;
-+}
-+
- int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) {
- if (SSL_set_ocsp_response(ssl, resp, resp_len)) {
- OPENSSL_free(resp);