diff -Nru openssl-1.1.1/debian/changelog openssl-1.1.1/debian/changelog --- openssl-1.1.1/debian/changelog 2022-03-09 05:13:40.000000000 -0700 +++ openssl-1.1.1/debian/changelog 2022-03-16 11:05:32.000000000 -0600 @@ -1,3 +1,14 @@ +openssl (1.1.1-1ubuntu2.1~18.04.15ubuntu1) bionic; urgency=medium + + * Backport pr9780 but make it optional: + - d/p/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch + - d/p/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch + - d/p/lp1940141-make-pr-9780-optional.patch + - d/p/lp1940141-fix-tests-accordingly.patch + - d/p/lp1940141-update-manpages.patch + + -- Bruce Elrick Wed, 16 Mar 2022 17:05:32 +0000 + openssl (1.1.1-1ubuntu2.1~18.04.15) bionic-security; urgency=medium * SECURITY UPDATE: Infinite loop in BN_mod_sqrt() diff -Nru openssl-1.1.1/debian/patches/lp1940141-fix-tests-accordingly.patch openssl-1.1.1/debian/patches/lp1940141-fix-tests-accordingly.patch --- openssl-1.1.1/debian/patches/lp1940141-fix-tests-accordingly.patch 1969-12-31 17:00:00.000000000 -0700 +++ openssl-1.1.1/debian/patches/lp1940141-fix-tests-accordingly.patch 2022-03-16 09:27:07.000000000 -0600 @@ -0,0 +1,20 @@ +Index: openssl-1.1.1/test/recipes/70-test_tls13messages.t +=================================================================== +--- openssl-1.1.1.orig/test/recipes/70-test_tls13messages.t ++++ openssl-1.1.1/test/recipes/70-test_tls13messages.t +@@ -256,6 +256,7 @@ SKIP: { + "status_request handshake test"); + + #Test 6: A status_request handshake (client and server) with client auth ++ $ENV{'FIX_LP_1940141'} = 1; + $proxy->clear(); + $proxy->clientflags("-status -enable_pha -cert " + .srctop_file("apps", "server.pem")); +@@ -268,6 +269,7 @@ SKIP: { + | checkhandshake::STATUS_REQUEST_SRV_EXTENSION + | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION, + "status_request handshake with client auth test"); ++ delete $ENV{'FIX_LP_1940141'}; + } + + #Test 7: A client auth handshake diff -Nru openssl-1.1.1/debian/patches/lp1940141-make-pr-9780-optional.patch openssl-1.1.1/debian/patches/lp1940141-make-pr-9780-optional.patch --- openssl-1.1.1/debian/patches/lp1940141-make-pr-9780-optional.patch 1969-12-31 17:00:00.000000000 -0700 +++ openssl-1.1.1/debian/patches/lp1940141-make-pr-9780-optional.patch 2022-03-16 09:27:07.000000000 -0600 @@ -0,0 +1,24 @@ +Index: openssl-1.1.1/ssl/statem/extensions_srvr.c +=================================================================== +--- openssl-1.1.1.orig/ssl/statem/extensions_srvr.c ++++ openssl-1.1.1/ssl/statem/extensions_srvr.c +@@ -7,6 +7,7 @@ + * https://www.openssl.org/source/license.html + */ + ++#include + #include + #include "../ssl_locl.h" + #include "statem_locl.h" +@@ -1488,8 +1489,9 @@ EXT_RETURN tls_construct_stoc_status_req + size_t chainidx) + { + /* We don't currently support this extension inside a CertificateRequest */ +- if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) +- return EXT_RETURN_NOT_SENT; ++ if (getenv("FIX_LP_1940141")) ++ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) ++ return EXT_RETURN_NOT_SENT; + + if (!s->ext.status_expected) + return EXT_RETURN_NOT_SENT; diff -Nru openssl-1.1.1/debian/patches/lp1940141-update-manpages.patch openssl-1.1.1/debian/patches/lp1940141-update-manpages.patch --- openssl-1.1.1/debian/patches/lp1940141-update-manpages.patch 1969-12-31 17:00:00.000000000 -0700 +++ openssl-1.1.1/debian/patches/lp1940141-update-manpages.patch 2022-03-16 09:27:07.000000000 -0600 @@ -0,0 +1,42 @@ +Index: openssl-1.1.1/doc/man1/s_server.pod +=================================================================== +--- openssl-1.1.1.orig/doc/man1/s_server.pod ++++ openssl-1.1.1/doc/man1/s_server.pod +@@ -808,6 +808,15 @@ OpenSSL recognizes and the client suppor + There should be a way for the B program to print out details of any + unknown cipher suites a client says it supports. + ++GitHub issue "OpenSSL servers can send a non-empty status_request in a ++CertificateRequest #9767" (L) ++exists in OpenSSL 1.1.1. The fix for this issue is backported here under ++LaunchPad bug #1940141 ++(L). ++This fix is not enabled by default. To enable this fix, set the environment ++variable FIX_LP_1940141 to any value in the process running the OpenSSL server ++library code. ++ + =head1 SEE ALSO + + L, L, L, L +Index: openssl-1.1.1/doc/man3/OCSP_REQUEST_new.pod +=================================================================== +--- openssl-1.1.1.orig/doc/man3/OCSP_REQUEST_new.pod ++++ openssl-1.1.1/doc/man3/OCSP_REQUEST_new.pod +@@ -67,6 +67,17 @@ structures in B. + OCSP_request_onereq_get0() returns a pointer to an B structure + or B if the index value is out or range. + ++=head1 BUGS ++ ++GitHub issue "OpenSSL servers can send a non-empty status_request in a ++CertificateRequest #9767" (L) ++exists in OpenSSL 1.1.1. The fix for this issue is backported here under ++LaunchPad bug #1940141 ++(L). ++This fix is not enabled by default. To enable this fix, set the environment ++variable FIX_LP_1940141 to any value in the process running the OpenSSL server ++library code. ++ + =head1 NOTES + + An OCSP request structure contains one or more B structures diff -Nru openssl-1.1.1/debian/patches/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch openssl-1.1.1/debian/patches/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch --- openssl-1.1.1/debian/patches/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch 1969-12-31 17:00:00.000000000 -0700 +++ openssl-1.1.1/debian/patches/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch 2022-03-16 09:27:07.000000000 -0600 @@ -0,0 +1,44 @@ +From f8affa299534532b42b09eac5457f8bbf5216941 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 5 Sep 2019 16:43:57 +0100 +Subject: [PATCH 1/2] Don't send a status_request extension in a + CertificateRequest message + +If a TLSv1.3 server configured to respond to the status_request extension +also attempted to send a CertificateRequest then it was incorrectly +inserting a non zero length status_request extension into that message. + +The TLSv1.3 RFC does allow that extension in that message but it must +always be zero length. + +In fact we should not be sending the extension at all in that message +because we don't support it. + +Fixes #9767 + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/9780) + +(cherry picked from commit debb64a0ca43969eb3f043aa8895a4faa7f12b6e) +--- + ssl/statem/extensions_srvr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index ff4287c584..ab5453f63e 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) + { ++ /* We don't currently support this extension inside a CertificateRequest */ ++ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) ++ return EXT_RETURN_NOT_SENT; ++ + if (!s->ext.status_expected) + return EXT_RETURN_NOT_SENT; + +-- +2.17.1 + diff -Nru openssl-1.1.1/debian/patches/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch openssl-1.1.1/debian/patches/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch --- openssl-1.1.1/debian/patches/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch 1969-12-31 17:00:00.000000000 -0700 +++ openssl-1.1.1/debian/patches/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch 2022-03-16 09:27:07.000000000 -0600 @@ -0,0 +1,731 @@ +From 6f34a16ea9a4d37e11a26dd4c3694ea5b107e53f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 5 Sep 2019 16:21:56 +0100 +Subject: [PATCH 2/2] Teach TLSProxy how to parse CertificateRequest messages + +We also use this in test_tls13messages to check that the extensions we +expect to see in a CertificateRequest are there. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/9780) + +(cherry picked from commit dc5bcb88d819de55eb37460c122e02fec91c6d86) +--- + test/recipes/70-test_sslmessages.t | 25 +++++- + test/recipes/70-test_tls13kexmodes.t | 36 +++++++- + test/recipes/70-test_tls13messages.t | 89 +++++++++++++++---- + util/perl/TLSProxy/CertificateRequest.pm | 105 +++++++++++++++++++++++ + util/perl/TLSProxy/Message.pm | 14 +++ + util/perl/TLSProxy/Proxy.pm | 1 + + util/perl/checkhandshake.pm | 18 ++-- + 7 files changed, 262 insertions(+), 26 deletions(-) + create mode 100644 util/perl/TLSProxy/CertificateRequest.pm + +diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t +index 1e4676973a..5ee99feab8 100644 +--- a/test/recipes/70-test_sslmessages.t ++++ b/test/recipes/70-test_sslmessages.t +@@ -95,58 +95,81 @@ my $proxy = TLSProxy::Proxy->new( + + @extensions = ( + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, ++ TLSProxy::Message::CLIENT, + checkhandshake::SERVER_NAME_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::CLIENT, + checkhandshake::STATUS_REQUEST_CLI_EXTENSION], + (disabled("ec") ? () : + [TLSProxy::Message::MT_CLIENT_HELLO, + TLSProxy::Message::EXT_SUPPORTED_GROUPS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS]), + (disabled("ec") ? () : + [TLSProxy::Message::MT_CLIENT_HELLO, + TLSProxy::Message::EXT_EC_POINT_FORMATS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS]), + (disabled("tls1_2") ? () : + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS]), + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, ++ TLSProxy::Message::CLIENT, + checkhandshake::ALPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, ++ TLSProxy::Message::CLIENT, + checkhandshake::SCT_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE, ++ TLSProxy::Message::CLIENT, + checkhandshake::RENEGOTIATE_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN, ++ TLSProxy::Message::CLIENT, + checkhandshake::NPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP, ++ TLSProxy::Message::CLIENT, + checkhandshake::SRP_CLI_EXTENSION], + + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, ++ TLSProxy::Message::SERVER, + checkhandshake::SESSION_TICKET_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME, ++ TLSProxy::Message::SERVER, + checkhandshake::SERVER_NAME_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::SERVER, + checkhandshake::STATUS_REQUEST_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN, ++ TLSProxy::Message::SERVER, + checkhandshake::ALPN_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT, ++ TLSProxy::Message::SERVER, + checkhandshake::SCT_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN, ++ TLSProxy::Message::SERVER, + checkhandshake::NPN_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, ++ TLSProxy::Message::SERVER, + checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION], +- [0,0,0] ++ [0,0,0,0] + ); + + #Test 1: Check we get all the right messages for a default handshake +diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t +index 716e260e5f..e5fcf8e271 100644 +--- a/test/recipes/70-test_tls13kexmodes.t ++++ b/test/recipes/70-test_tls13kexmodes.t +@@ -62,78 +62,112 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); + + @extensions = ( + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, ++ TLSProxy::Message::CLIENT, + checkhandshake::SERVER_NAME_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::CLIENT, + checkhandshake::STATUS_REQUEST_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, ++ TLSProxy::Message::CLIENT, + checkhandshake::ALPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, ++ TLSProxy::Message::CLIENT, + checkhandshake::SCT_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES, ++ TLSProxy::Message::CLIENT, + checkhandshake::PSK_KEX_MODES_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, ++ TLSProxy::Message::CLIENT, + checkhandshake::PSK_CLI_EXTENSION], + + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::SERVER, + checkhandshake::KEY_SHARE_HRR_EXTENSION], + + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, ++ TLSProxy::Message::CLIENT, + checkhandshake::SERVER_NAME_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::CLIENT, + checkhandshake::STATUS_REQUEST_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, ++ TLSProxy::Message::CLIENT, + checkhandshake::ALPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, ++ TLSProxy::Message::CLIENT, + checkhandshake::SCT_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES, ++ TLSProxy::Message::CLIENT, + checkhandshake::PSK_KEX_MODES_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, ++ TLSProxy::Message::CLIENT, + checkhandshake::PSK_CLI_EXTENSION], + + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::SERVER, + checkhandshake::KEY_SHARE_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK, ++ TLSProxy::Message::SERVER, + checkhandshake::PSK_SRV_EXTENSION], + + [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::SERVER, + checkhandshake::STATUS_REQUEST_SRV_EXTENSION], +- [0,0,0] ++ [0,0,0,0] + ); + + use constant { +diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t +index be6a2db5d6..435fef57c6 100644 +--- a/test/recipes/70-test_tls13messages.t ++++ b/test/recipes/70-test_tls13messages.t +@@ -62,92 +62,136 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); + + @extensions = ( + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, ++ TLSProxy::Message::CLIENT, + checkhandshake::SERVER_NAME_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::CLIENT, + checkhandshake::STATUS_REQUEST_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, ++ TLSProxy::Message::CLIENT, + checkhandshake::ALPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, ++ TLSProxy::Message::CLIENT, + checkhandshake::SCT_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, ++ TLSProxy::Message::CLIENT, + checkhandshake::PSK_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH, ++ TLSProxy::Message::CLIENT, + checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION], + + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::SERVER, + checkhandshake::KEY_SHARE_HRR_EXTENSION], + + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, ++ TLSProxy::Message::CLIENT, + checkhandshake::SERVER_NAME_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::CLIENT, + checkhandshake::STATUS_REQUEST_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, ++ TLSProxy::Message::CLIENT, + checkhandshake::ALPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, ++ TLSProxy::Message::CLIENT, + checkhandshake::SCT_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES, ++ TLSProxy::Message::CLIENT, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, ++ TLSProxy::Message::CLIENT, + checkhandshake::PSK_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH, ++ TLSProxy::Message::CLIENT, + checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION], + + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, ++ TLSProxy::Message::SERVER, + checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK, ++ TLSProxy::Message::SERVER, + checkhandshake::PSK_SRV_EXTENSION], + + [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME, ++ TLSProxy::Message::SERVER, + checkhandshake::SERVER_NAME_SRV_EXTENSION], + [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN, ++ TLSProxy::Message::SERVER, + checkhandshake::ALPN_SRV_EXTENSION], + [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS, ++ TLSProxy::Message::SERVER, + checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION], + ++ [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS, ++ TLSProxy::Message::SERVER, ++ checkhandshake::DEFAULT_EXTENSIONS], ++ + [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST, ++ TLSProxy::Message::SERVER, + checkhandshake::STATUS_REQUEST_SRV_EXTENSION], + [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT, ++ TLSProxy::Message::SERVER, + checkhandshake::SCT_SRV_EXTENSION], + +- [0,0,0] ++ [0,0,0,0] + ); + + my $proxy = TLSProxy::Proxy->new( +@@ -163,7 +207,7 @@ $proxy->serverconnects(2); + $proxy->clientflags("-sess_out ".$session); + $proxy->sessionfile($session); + $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +-plan tests => 16; ++plan tests => 17; + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS, + "Default handshake test"); +@@ -179,7 +223,7 @@ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE, + "Resumption handshake test"); + + SKIP: { +- skip "No OCSP support in this OpenSSL build", 3 ++ skip "No OCSP support in this OpenSSL build", 4 + if disabled("ct") || disabled("ec") || disabled("ocsp"); + #Test 3: A status_request handshake (client request only) + $proxy->clear(); +@@ -210,9 +254,23 @@ SKIP: { + | checkhandshake::STATUS_REQUEST_CLI_EXTENSION + | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, + "status_request handshake test"); ++ ++ #Test 6: A status_request handshake (client and server) with client auth ++ $proxy->clear(); ++ $proxy->clientflags("-status -enable_pha -cert " ++ .srctop_file("apps", "server.pem")); ++ $proxy->serverflags("-Verify 5 -status_file " ++ .srctop_file("test", "recipes", "ocsp-response.der")); ++ $proxy->start(); ++ checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE, ++ checkhandshake::DEFAULT_EXTENSIONS ++ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION ++ | checkhandshake::STATUS_REQUEST_SRV_EXTENSION ++ | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION, ++ "status_request handshake with client auth test"); + } + +-#Test 6: A client auth handshake ++#Test 7: A client auth handshake + $proxy->clear(); + $proxy->clientflags("-enable_pha -cert ".srctop_file("apps", "server.pem")); + $proxy->serverflags("-Verify 5"); +@@ -222,7 +280,7 @@ checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE, + checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION, + "Client auth handshake test"); + +-#Test 7: Server name handshake (no client request) ++#Test 8: Server name handshake (no client request) + $proxy->clear(); + $proxy->clientflags("-noservername"); + $proxy->start(); +@@ -231,7 +289,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, + "Server name handshake test (client)"); + +-#Test 8: Server name handshake (server support only) ++#Test 9: Server name handshake (server support only) + $proxy->clear(); + $proxy->clientflags("-noservername"); + $proxy->serverflags("-servername testhost"); +@@ -241,7 +299,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, + "Server name handshake test (server)"); + +-#Test 9: Server name handshake (client and server) ++#Test 10: Server name handshake (client and server) + $proxy->clear(); + $proxy->clientflags("-servername testhost"); + $proxy->serverflags("-servername testhost"); +@@ -251,7 +309,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + | checkhandshake::SERVER_NAME_SRV_EXTENSION, + "Server name handshake test"); + +-#Test 10: ALPN handshake (client request only) ++#Test 11: ALPN handshake (client request only) + $proxy->clear(); + $proxy->clientflags("-alpn test"); + $proxy->start(); +@@ -260,7 +318,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + | checkhandshake::ALPN_CLI_EXTENSION, + "ALPN handshake test (client)"); + +-#Test 11: ALPN handshake (server support only) ++#Test 12: ALPN handshake (server support only) + $proxy->clear(); + $proxy->serverflags("-alpn test"); + $proxy->start(); +@@ -268,7 +326,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS, + "ALPN handshake test (server)"); + +-#Test 12: ALPN handshake (client and server) ++#Test 13: ALPN handshake (client and server) + $proxy->clear(); + $proxy->clientflags("-alpn test"); + $proxy->serverflags("-alpn test"); +@@ -283,7 +341,7 @@ SKIP: { + skip "No CT, EC or OCSP support in this OpenSSL build", 1 + if disabled("ct") || disabled("ec") || disabled("ocsp"); + +- #Test 13: SCT handshake (client request only) ++ #Test 14: SCT handshake (client request only) + $proxy->clear(); + #Note: -ct also sends status_request + $proxy->clientflags("-ct"); +@@ -300,10 +358,7 @@ SKIP: { + "SCT handshake test"); + } + +- +- +- +-#Test 14: HRR Handshake ++#Test 15: HRR Handshake + $proxy->clear(); + $proxy->serverflags("-curves P-256"); + $proxy->start(); +@@ -312,7 +367,7 @@ checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE, + | checkhandshake::KEY_SHARE_HRR_EXTENSION, + "HRR handshake test"); + +-#Test 15: Resumption handshake with HRR ++#Test 16: Resumption handshake with HRR + $proxy->clear(); + $proxy->clientflags("-sess_in ".$session); + $proxy->serverflags("-curves P-256"); +@@ -324,7 +379,7 @@ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, + | checkhandshake::PSK_SRV_EXTENSION), + "Resumption handshake with HRR test"); + +-#Test 16: Acceptable but non preferred key_share ++#Test 17: Acceptable but non preferred key_share + $proxy->clear(); + $proxy->clientflags("-curves P-256"); + $proxy->start(); +diff --git a/util/perl/TLSProxy/CertificateRequest.pm b/util/perl/TLSProxy/CertificateRequest.pm +new file mode 100644 +index 0000000000..193bea168a +--- /dev/null ++++ b/util/perl/TLSProxy/CertificateRequest.pm +@@ -0,0 +1,105 @@ ++# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++ ++package TLSProxy::CertificateRequest; ++ ++use vars '@ISA'; ++push @ISA, 'TLSProxy::Message'; ++ ++sub new ++{ ++ my $class = shift; ++ my ($server, ++ $data, ++ $records, ++ $startoffset, ++ $message_frag_lens) = @_; ++ ++ my $self = $class->SUPER::new( ++ $server, ++ TLSProxy::Message::MT_CERTIFICATE_REQUEST, ++ $data, ++ $records, ++ $startoffset, ++ $message_frag_lens); ++ ++ $self->{extension_data} = ""; ++ ++ return $self; ++} ++ ++sub parse ++{ ++ my $self = shift; ++ my $ptr = 1; ++ ++ if (TLSProxy::Proxy->is_tls13()) { ++ my $request_ctx_len = unpack('C', $self->data); ++ my $request_ctx = substr($self->data, $ptr, $request_ctx_len); ++ $ptr += $request_ctx_len; ++ ++ my $extensions_len = unpack('n', substr($self->data, $ptr)); ++ $ptr += 2; ++ my $extension_data = substr($self->data, $ptr); ++ if (length($extension_data) != $extensions_len) { ++ die "Invalid extension length\n"; ++ } ++ my %extensions = (); ++ while (length($extension_data) >= 4) { ++ my ($type, $size) = unpack("nn", $extension_data); ++ my $extdata = substr($extension_data, 4, $size); ++ $extension_data = substr($extension_data, 4 + $size); ++ $extensions{$type} = $extdata; ++ } ++ $self->extension_data(\%extensions); ++ ++ print " Extensions Len:".$extensions_len."\n"; ++ } ++ # else parse TLSv1.2 version - we don't support that at the moment ++} ++ ++#Reconstruct the on-the-wire message data following changes ++sub set_message_contents ++{ ++ my $self = shift; ++ my $data; ++ my $extensions = ""; ++ ++ foreach my $key (keys %{$self->extension_data}) { ++ my $extdata = ${$self->extension_data}{$key}; ++ $extensions .= pack("n", $key); ++ $extensions .= pack("n", length($extdata)); ++ $extensions .= $extdata; ++ } ++ ++ $data = pack('n', length($extensions)); ++ $data .= $extensions; ++ $self->data($data); ++} ++ ++#Read/write accessors ++sub extension_data ++{ ++ my $self = shift; ++ if (@_) { ++ $self->{extension_data} = shift; ++ } ++ return $self->{extension_data}; ++} ++sub set_extension ++{ ++ my ($self, $ext_type, $ext_data) = @_; ++ $self->{extension_data}{$ext_type} = $ext_data; ++} ++sub delete_extension ++{ ++ my ($self, $ext_type) = @_; ++ delete $self->{extension_data}{$ext_type}; ++} ++1; +diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm +index 5682ae3e15..10b6156074 100644 +--- a/util/perl/TLSProxy/Message.pm ++++ b/util/perl/TLSProxy/Message.pm +@@ -129,6 +129,11 @@ use constant { + CIPHER_TLS13_AES_256_GCM_SHA384 => 0x1302 + }; + ++use constant { ++ CLIENT => 0, ++ SERVER => 1 ++}; ++ + my $payload = ""; + my $messlen = -1; + my $mt; +@@ -338,6 +343,15 @@ sub create_message + [@message_frag_lens] + ); + $message->parse(); ++ } elsif ($mt == MT_CERTIFICATE_REQUEST) { ++ $message = TLSProxy::CertificateRequest->new( ++ $server, ++ $data, ++ [@message_rec_list], ++ $startoffset, ++ [@message_frag_lens] ++ ); ++ $message->parse(); + } elsif ($mt == MT_CERTIFICATE_VERIFY) { + $message = TLSProxy::CertificateVerify->new( + $server, +diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm +index f7bca02e58..71acaff9b4 100644 +--- a/util/perl/TLSProxy/Proxy.pm ++++ b/util/perl/TLSProxy/Proxy.pm +@@ -19,6 +19,7 @@ use TLSProxy::ClientHello; + use TLSProxy::ServerHello; + use TLSProxy::EncryptedExtensions; + use TLSProxy::Certificate; ++use TLSProxy::CertificateRequest; + use TLSProxy::CertificateVerify; + use TLSProxy::ServerKeyExchange; + use TLSProxy::NewSessionTicket; +diff --git a/util/perl/checkhandshake.pm b/util/perl/checkhandshake.pm +index c53b96d5ee..07bf6608b3 100644 +--- a/util/perl/checkhandshake.pm ++++ b/util/perl/checkhandshake.pm +@@ -116,7 +116,8 @@ sub checkhandshake($$$$) + && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO + && $message->mt() != + TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS +- && $message->mt() != TLSProxy::Message::MT_CERTIFICATE); ++ && $message->mt() != TLSProxy::Message::MT_CERTIFICATE ++ && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST); + + next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE + && !TLSProxy::Proxy::is_tls13(); +@@ -124,7 +125,7 @@ sub checkhandshake($$$$) + my $extchnum = 1; + my $extshnum = 1; + for (my $extloop = 0; +- $extensions[$extloop][2] != 0; ++ $extensions[$extloop][3] != 0; + $extloop++) { + $extchnum = 2 if $extensions[$extloop][0] != TLSProxy::Message::MT_CLIENT_HELLO + && TLSProxy::Proxy::is_tls13(); +@@ -135,6 +136,7 @@ sub checkhandshake($$$$) + next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO + && $extshnum != $shnum; + next if ($message->mt() != $extensions[$extloop][0]); ++ next if ($message->server() != $extensions[$extloop][2]); + $numtests++; + } + $numtests++; +@@ -182,7 +184,8 @@ sub checkhandshake($$$$) + && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO + && $message->mt() != + TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS +- && $message->mt() != TLSProxy::Message::MT_CERTIFICATE); ++ && $message->mt() != TLSProxy::Message::MT_CERTIFICATE ++ && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST); + + next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE + && !TLSProxy::Proxy::is_tls13(); +@@ -197,7 +200,7 @@ sub checkhandshake($$$$) + my $msgexts = $message->extension_data(); + my $extchnum = 1; + my $extshnum = 1; +- for (my $extloop = 0, $extcount = 0; $extensions[$extloop][2] != 0; ++ for (my $extloop = 0, $extcount = 0; $extensions[$extloop][3] != 0; + $extloop++) { + #In TLSv1.3 we can have two ClientHellos if there has been a + #HelloRetryRequest, and they may have different extensions. Skip +@@ -211,12 +214,13 @@ sub checkhandshake($$$$) + next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO + && $extshnum != $shnum; + next if ($message->mt() != $extensions[$extloop][0]); +- ok (($extensions[$extloop][2] & $exttype) == 0 ++ next if ($message->server() != $extensions[$extloop][2]); ++ ok (($extensions[$extloop][3] & $exttype) == 0 + || defined ($msgexts->{$extensions[$extloop][1]}), + "Extension presence check (Message: ".$message->mt() +- ." Extension: ".($extensions[$extloop][2] & $exttype).", " ++ ." Extension: ".($extensions[$extloop][3] & $exttype).", " + .$extloop.")"); +- $extcount++ if (($extensions[$extloop][2] & $exttype) != 0); ++ $extcount++ if (($extensions[$extloop][3] & $exttype) != 0); + } + ok($extcount == keys %$msgexts, "Extensions count mismatch (" + .$extcount.", ".(keys %$msgexts) +-- +2.17.1 + diff -Nru openssl-1.1.1/debian/patches/series openssl-1.1.1/debian/patches/series --- openssl-1.1.1/debian/patches/series 2022-03-09 05:13:25.000000000 -0700 +++ openssl-1.1.1/debian/patches/series 2022-03-16 09:27:07.000000000 -0600 @@ -54,3 +54,8 @@ CVE-2022-0778-1.patch CVE-2022-0778-2.patch CVE-2022-0778-3.patch +pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch +pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch +lp1940141-make-pr-9780-optional.patch +lp1940141-fix-tests-accordingly.patch +lp1940141-update-manpages.patch