[boring-nginx] new tls1.3 patch

2025-04-19 20:09:16 +00:00 · 2018-04-13 22:11:55 +02:00 · 2018-04-13 22:11:55 +02:00 · 236df8b910
commit 236df8b910
parent 2196a24f96
2 changed files with 65 additions and 1 deletions
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@ -64,7 +64,8 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && cd /tmp && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
 && git clone https://boringssl.googlesource.com/boringssl --depth=1 \
 && cd boringssl \
- && sed -i 's@ssl->version[ ]*=[ ]*TLS1_2_VERSION@ssl->version = TLS1_3_VERSION@' ssl/s3_lib.cc \
+ && wget https://gitlab.com/buik/boringssl/raw/boringssl-patch/Enable-TLS13-BoringSSL.patch -O tls13.patch \
+ && git apply tls13.patch \
 && sed -i 's@\$shaext[ ]*=[ ]*0;@\$shaext = 1;@' crypto/*/*/asm/*.pl \
 && sed -i 's@\$avx[ ]*=[ ]*[0|1];@\$avx = 2;@' crypto/*/*/asm/*.pl \
 && sed -i 's@\$addx[ ]*=[ ]*0;@\$addx = 1;@' crypto/*/*/asm/*.pl \
--- a/boring-nginx/tls13.patch
+++ b/boring-nginx/tls13.patch
@ -0,0 +1,63 @@
+From cfc32a1e540e4f542egggd3008 Mon Sep 17 00:00:00 2001
+From: Buik / Bassie <bassie@buik.locale>
+Date: Tue, 09 Apr 2018 12:55:23 +0800
+
+Subject: [PATCH] Enable TLS 1.3 on BoringSSL
+
+Enable TLS 1.3 on BoringSSL.
+Tested on Nginx 1.13.11 with BoringSSL chromium-stable and BoringSSL master (git branch April 09 2018)
+
+--- 
+ s3_lib.cc       | 2 +-
+ ssl_test.cc     | 4 ++--
+ ssl_versions.cc | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/s3_lib.cc b/ssl/s3_lib.cc
+index a3fc8d7..b28bbc8 100644
+--- a/ssl/s3_lib.cc
+++ b/ssl/s3_lib.cc
+@@ -201,7 +201,7 @@ bool ssl3_new(SSL *ssl) {
+   // TODO(davidben): Move this field into |s3|, have it store the normalized
+   // protocol version, and implement this pre-negotiation quirk in |SSL_version|
+   // at the API boundary rather than in internal state.
+-  ssl->version = TLS1_2_VERSION;
+  ssl->version = TLS1_3_VERSION;
+   return true;
+ }
+ 
+diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
+index 12f044c..cfc4af1 100644
+--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
+@@ -2607,7 +2607,7 @@ TEST(SSLTest, SetVersion) {
+ 
+   // Zero is the default version.
+   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
+-  EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
+  EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
+   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
+   EXPECT_EQ(TLS1_VERSION, ctx->conf_min_version);
+ 
+@@ -2640,7 +2640,7 @@ TEST(SSLTest, SetVersion) {
+   EXPECT_FALSE(SSL_CTX_set_min_proto_version(ctx.get(), 0x1234));
+ 
+   EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
+-  EXPECT_EQ(TLS1_2_VERSION, ctx->conf_max_version);
+  EXPECT_EQ(TLS1_3_VERSION, ctx->conf_max_version);
+   EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
+   EXPECT_EQ(TLS1_1_VERSION, ctx->conf_min_version);
+ }
+diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
+index 73ea26f..da10cb2 100644
+--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
+@@ -189,7 +189,7 @@ static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
+                             uint16_t version) {
+   // Zero is interpreted as the default maximum version.
+   if (version == 0) {
+-    *out = TLS1_2_VERSION;
+    *out = TLS1_3_VERSION;
+     return true;
+   }
+