cloudflare / sslconfig

Cloudflare's Internet facing SSL configuration
BSD 3-Clause "New" or "Revised" License

Patch fails with OpenSSL 1.0.2i #42

Closed HansVanEijsden closed 7 years ago

HansVanEijsden commented 7 years ago

Unfortunately I cannot patch the new OpenSSL 1.0.2i.

$ wget "https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch"

$ patch -p1 < openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch
patching file Configure
Hunk #1 succeeded at 150 (offset 4 lines).
Hunk #2 succeeded at 714 (offset 4 lines).
Hunk #3 succeeded at 757 (offset 4 lines).
Hunk #4 succeeded at 1213 (offset 1 line).
Hunk #5 succeeded at 1242 (offset 1 line).
Hunk #6 succeeded at 1410 (offset 2 lines).
Hunk #7 FAILED at 1561.
Hunk #8 succeeded at 1754 (offset 11 lines).
Hunk #9 succeeded at 1817 (offset 11 lines).
Hunk #10 succeeded at 2216 (offset 11 lines).
Hunk #11 succeeded at 2247 (offset 11 lines).
1 out of 11 hunks FAILED -- saving rejects to file Configure.rej
patching file Makefile.org
Hunk #1 succeeded at 92 (offset 1 line).
Hunk #2 succeeded at 150 (offset 1 line).
Hunk #3 succeeded at 237 (offset 2 lines).
patching file apps/speed.c
patching file crypto/chacha20poly1305/Makefile
patching file crypto/chacha20poly1305/asm/chacha20_avx.pl
patching file crypto/chacha20poly1305/asm/chacha20_avx2.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx2.pl
patching file crypto/chacha20poly1305/asm/poly1305_x64.pl
patching file crypto/chacha20poly1305/chacha20.c
patching file crypto/chacha20poly1305/chacha20poly1305.h
patching file crypto/chacha20poly1305/chapolytest.c
patching file crypto/chacha20poly1305/poly1305.c
patching file crypto/cryptlib.c
patching file crypto/evp/Makefile
Hunk #3 succeeded at 266 (offset 1 line).
patching file crypto/evp/e_chacha20poly1305.c
patching file crypto/evp/evp.h
patching file ssl/s3_lib.c
Hunk #1 succeeded at 2945 (offset 54 lines).
Hunk #2 succeeded at 4195 (offset 54 lines).
Hunk #3 succeeded at 4229 (offset 54 lines).
Hunk #4 succeeded at 4251 (offset 54 lines).
patching file ssl/ssl.h
patching file ssl/ssl_ciph.c
Hunk #2 succeeded at 364 (offset -1 lines).
Hunk #3 succeeded at 436 (offset -1 lines).
Hunk #4 succeeded at 591 (offset -1 lines).
Hunk #5 succeeded at 812 (offset -1 lines).
patching file ssl/ssl_locl.h
patching file ssl/tls1.h
patching file test/Makefile
Hunk #1 FAILED at 71.
Hunk #2 FAILED at 84.
Hunk #3 FAILED at 98.
Hunk #4 FAILED at 109.
Hunk #5 succeeded at 150 (offset 5 lines).
Hunk #6 succeeded at 380 with fuzz 2 (offset 14 lines).
Hunk #7 succeeded at 570 with fuzz 2 (offset 20 lines).
Hunk #8 succeeded at 660 (offset 39 lines).
4 out of 8 hunks FAILED -- saving rejects to file test/Makefile.rej
$ cat Configure.rej
--- Configure
+++ Configure
@@ -1561,6 +1564,14 @@ $bf_obj=$bf_enc      unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc    unless ($cast_obj =~ /\.o$/);
 $rc4_obj=$rc4_enc  unless ($rc4_obj =~ /\.o$/);
 $rc5_obj=$rc5_enc  unless ($rc5_obj =~ /\.o$/);
+if ($chapoly_obj =~ /\.o$/)
+   {
+   $cflags.=" -DCHAPOLY_x86_64_ASM";
+   }
+else
+   {
+   $chapoly_obj=$chapoly_enc;
+   }
 if ($sha1_obj =~ /\.o$/)
    {
 #  $sha1_obj=$sha1_enc;
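Review bot: this hunk was rejected on context alone, not on the added code: the three leading context lines (`$cast_obj`, `$rc4_obj`, `$rc5_obj`) and the trailing `if ($sha1_obj =~ /\.o$/)` block no longer sit at the same spot in the 1.0.2i Configure, so the eight `+` lines never went in. They are self-contained (they only reference `$chapoly_obj` and `$chapoly_enc`, which the earlier Configure hunks #1-#6 that did apply are expected to define), so re-inserting them verbatim between the `$rc5_obj=$rc5_enc ... unless` line and the `if ($sha1_obj ...)` block, then checking that `grep -n chapoly Configure` shows both the definition and this block, is enough to recover the hunk before regenerating the patch. Note that `-DCHAPOLY_x86_64_ASM` is only appended to `$cflags` when the assembly object is selected, so a tree where this block is missing will silently build the C fallback rather than fail at configure time.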

centminmod commented 7 years ago

yup same here https://community.centminmod.com/posts/36691/

ccache gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM   -c -o e_rc4_hmac_md5.o e_rc4_hmac_md5.c
ccache gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM   -c -o e_chacha20poly1305.o e_chacha20poly1305.c
e_chacha20poly1305.c: In function 'EVP_chacha20_poly1305_cipher':
e_chacha20poly1305.c:82:57: error: 'EVP_CHACHA20_POLY1305_CTX' has no member named 'poly_state'
     #define poly_update(c,i,l) CRYPTO_poly1305_update(&c->poly_state,i,l)
                                                         ^
e_chacha20poly1305.c:228:9: note: in expansion of macro 'poly_update'
         poly_update(aead_ctx, in, inl);
         ^
e_chacha20poly1305.c:251:9: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
         ((uint64_t *)(aead_ctx->nonce))[4]--;

xetorixik commented 7 years ago

@HansVanEijsden @centminmod You could easily fix the patch for OpenSSL 1.0.2i yourself.

Because the OpenSSL 1.0.2i code changed, the patch based on < OpenSSL 1.0.2i can't find the requested code (via the @@ position and location) and fails.

View the rejected code in the affected .rej files and reinsert it into the OpenSSL 1.0.2i base in the right place. Then diff the upstream vs new and update your patch.

No reason to ask Cloudflare every time for an up-to-date patch 123456. They have better things to do.

Their task is accomplished with the release of the source. Desired own efforts, not dependent on another.

rugk commented 7 years ago

@xetorixik Come on, be a bit friendly to this community here. Do you have a working patch?

charlesportwoodii commented 7 years ago

@HansVanEijsden @centminmod

Apply Cloudflare's patch, then re-add the reject 8 lines back in. If you need a patch for it, you can use: https://gist.github.com/charlesportwoodii/9e95c6a4ecde31ea23c17f6823bdb320.
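The workflow described in the two comments above (apply the patch, read the .rej, put the rejected lines back at the right anchor, diff upstream against the fixed tree, check that the regenerated patch applies cleanly), as an added shell example that is not from this thread or from the cloudflare/sslconfig project. It runs on constructed toy trees that imitate the shape of the Configure rejection, so nothing here needs OpenSSL sources; the file names, the `rc5_obj=` anchor and the contents of the toy patch are all assumptions made for the example. It needs GNU-style `patch` and `diff` on the PATH.

```shell
#!/bin/sh
# Added example, not from the issue thread or the cloudflare/sslconfig project.
# Rebase a patch that partly fails against a newer upstream. Every file below is
# a constructed toy; the real OpenSSL trees are not touched.
set -eu

# Old upstream: the revision the patch was written against (constructed).
write_old_tree() {
  mkdir -p "$1/src"
  cat > "$1/src/Configure" <<'EOF'
bf_obj=bf_enc
cast_obj=cast_enc
rc4_obj=rc4_enc
rc5_obj=rc5_enc
sha1_obj=sha1_enc
md5_obj=md5_enc
aes_obj=aes_enc
EOF
  printf 'CC=gcc\nCFLAGS=-O3\n' > "$1/src/Makefile"
}

# New upstream: the lines around the insertion point were rewritten, so the old
# hunk's context no longer matches (constructed analogue of the 1.0.2i change).
write_new_tree() {
  mkdir -p "$1/src"
  cat > "$1/src/Configure" <<'EOF'
bf_obj=bf_enc
cast_obj=cast_enc
rc4_obj=rc4_enc
rc5_obj=rc5_enc unless rc5_obj matches .o
sha1_obj=sha1_enc unless sha1_obj matches .o
md5_obj=md5_enc
aes_obj=aes_enc
EOF
  printf 'CC=gcc\nCFLAGS=-O3\n' > "$1/src/Makefile"
}

# The feature patch, generated against the old tree: two chapoly lines after
# rc5_obj in Configure, plus one flag in the Makefile.
make_old_patch() {   # $1 = workspace
  write_old_tree "$1/old"
  write_old_tree "$1/patched"
  awk '{print} /^rc5_obj=/ {print "chapoly_obj=chapoly_enc"; print "cflags=-DCHAPOLY_x86_64_ASM"}' \
    "$1/old/src/Configure" > "$1/patched/src/Configure"
  echo 'CHAPOLY=1' >> "$1/patched/src/Makefile"
  (cd "$1" && diff -ruN old patched > chapoly.patch) || true   # diff exits 1 when trees differ
}

# Apply a patch inside a tree and echo how many .rej files it left behind.
apply_and_count_rejects() {   # $1 = tree, $2 = patch file
  patch -p1 -d "$1" --no-backup-if-mismatch < "$2" > /dev/null || true   # exit 1 = hunks rejected
  find "$1" -name '*.rej' | wc -l | tr -d ' '
}

# Re-insert the '+' lines of a reject directly after the anchor line, drop the .rej.
reinsert_reject() {   # $1 = target file, $2 = anchor regex
  added=$(grep '^+[^+]' "$1.rej" | cut -c2-)   # skips the '+++ file' header line
  awk -v add="$added" -v anchor="$2" '{print} $0 ~ anchor {print add}' "$1" > "$1.tmp"
  mv "$1.tmp" "$1" && rm -f "$1.rej"
}

# Whole workflow; echoes "rejected=N rebased=clean|broken".
rebase_demo() {
  ws=$(mktemp -d)
  make_old_patch "$ws"
  write_new_tree "$ws/new"
  write_new_tree "$ws/work"
  n=$(apply_and_count_rejects "$ws/work" "$ws/chapoly.patch")
  # Manual step from the thread: read the reject, put its lines back in place.
  reinsert_reject "$ws/work/src/Configure" '^rc5_obj='
  # Regenerate the patch against the new upstream, ignoring patch leftovers.
  (cd "$ws" && diff -ruN -x '*.orig' -x '*.rej' new work > chapoly-new.patch) || true
  # Confirm the rebased patch applies cleanly to a pristine copy of the new tree.
  write_new_tree "$ws/check"
  if patch -p1 -d "$ws/check" --dry-run < "$ws/chapoly-new.patch" > /dev/null 2>&1
  then state=clean; else state=broken; fi
  rm -rf "$ws"
  echo "rejected=$n rebased=$state"
}

rebase_demo
```

The anchor regex is the important design choice: it pins the re-inserted lines to the code they logically follow (here the `rc5_obj=` assignment, mirroring the real hunk that sits between `$rc5_obj` and the `$sha1_obj` block), rather than to a line number, so the same helper works however far the surrounding file has drifted. The final dry-run is what turns "I re-added the lines" into "the regenerated patch is usable by others".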

Whissi commented 7 years ago

I backported the complete patch for 1.0.2i: https://github.com/Whissi/openssl/commit/5f22ddce5c2f301e9e6b2d38315e44388cefce5d

xetorixik commented 7 years ago

@rugk it is friendly intended. @HansVanEijsden's LinkedIn profile writes about Gymnasium (type of school). He is more than smart enough to adapt a few lines in the code.

Get out of your own strength :)

Separately, hours or a day or so after the release of a new Openssl version there are more than enough up-to-date (fork) patches on github. No reason thereby to bother Cloudflare time after time for 1233456 lines changed patches.

vkrasnov commented 7 years ago

Hi everyone, I am very excited to see so much interest in this patch, and thank you for the support @xetorixik :) I will try to update it next week.

rugk commented 7 years ago

writes about Gymnasium (type of school).

Ah, ehm, that's supposed to mean secondary school, high school or grammar school. School systems are sometimes different. :smiley:

xetorixik commented 7 years ago

@rugk Highest achievable in the Netherlands regarding high school. In short, @HansVanEijsden is a smart guy. He should be able to work on a patch. @vkrasnov Your Chacha patch is awesome so thank you, next stop if you ask me, releasing Cloudflare's Nginx http/2 server push patch :)

chrcoluk commented 7 years ago

Thanks Whissi.

vkrasnov commented 7 years ago

Updated to 1.0.2j.