| Name: openssl |
| URL: http://openssl.org/source/ |
| Version: 1.0.1e |
| License: BSDish |
| License File: openssl/NOTICE |
| License Android Compatible: yes |
| Security Critical: yes |
| |
| Description: |
| This is OpenSSL, the standard SSL/TLS library, which is used *only* in |
| the following cases: |
| |
| - For Chrome/Chromium, only on Android to implement SSL/TLS support |
| (while certificate validation is performed through the platform APIs), |
| instead of using NSS as on other Linux-based operating systems. |
| |
| Note that there is no plans to support OpenSSL in Chromium on other |
| platforms. For more context, please read: |
| |
| https://groups.google.com/a/chromium.org/d/msg/chromium-dev/gmO3U9HLY3Y/RPGNiQ-NL-YJ |
| |
| - To implement net/tools/flip_server, a host-side tool. Read more about |
| it at the following page: |
| |
| http://dev.chromium.org/spdy/running_flipinmemserver |
| |
| This means that the library must be built for these systems: |
| |
| Android/ARM |
| Android/x86 |
| Linux/x86 |
| Linux/x86_64 |
| Darwin/x86 |
| Darwin/x86_64 |
| |
| Whenever you change it, try to rebuild Chromium for all these systems. |
| |
| ************************************************************************** |
| Automatic generation of source tree. |
| |
| Most of the sources in this directory are auto-generated and come from |
| the Android version of the OpenSSL sources, with a few Chromium-specific |
| patches applied. |
| |
| Said Android sources are themselves a patched subset of the official |
| OpenSSL release sources, generated by a special import script. |
| |
| To update the sources for Chromium, one has to modify |
| openssl-chromium.config or the content of patches.chromium/ then run: |
| |
| ./import_from_android.sh |
| |
| Before doing that, you should understand how everything works: |
| |
| 1) Android-specific files are taken from a given commit from the |
| AOSP git servers. See how 'openssl-chromium.config' defines the |
| following variables: |
| |
| ANDROID_OPENSSL_GIT_SOURCE -> point to source git server. |
| ANDROID_OPENSSL_GIT_COMMIT -> point to git commit |
| |
| 2) All downloaded Android-specific files are placed under the openssl/ |
| sub-directory. The most important files are the following: |
| |
| openssl/openssl.version |
| Configuration file telling which upstream version of |
| OpenSSL sources to use. |
| |
| openssl/patches/ |
| Directory containing several Android-specific patches to |
| apply to the official OpenSSL sources to create the |
| Android ones. See openssl/patches/README for a description |
| of what each of these patches do. |
| |
| openssl/openssl.config |
| Configuration file describing which build-time options |
| to enable, what patches to apply, which source files to compile |
| (including CPU architecture-specific variants), and which |
| sources to keep in the final source directory. |
| |
| openssl/import_openssl.sh |
| Import script used to regenerate all other Android-specific |
| source files, based on the configuration files above |
| and a tarball of the official OpenSSL source release. |
| |
| For example, to rebuild the full Android source tree (without any |
| Chromium patches), one would do something like: |
| |
| cd openssl/ |
| ./import_openssl.sh import /path/to/openssl-<version>.tar.gz |
| |
| where <version> matches the definition found in 'openssl.version'. |
| |
| 3) Chromium adds a few of its own files: |
| |
| openssl-chromium.config |
| Configuration file which indicates: |
| - The reference Android OpenSSL git repository and commit. |
| - The download location of official OpenSSL source tarballs. |
| - The corresponding SHA-1 sum, for sanity checking. |
| |
| patches.chromium/ |
| A set of additional patches to apply to the openssl/ tree |
| after it has been downloaded from the Android git repository. |
| |
| These patches are applied _before_ import_openssl.sh is run to |
| re-generate the final set of sources. This allows modifying the |
| content of any Android configuration file easily. |
| |
| openssl.gyp |
| A gyp build file for the library. Manually maintained, this file |
| includes openssl.gypi below. |
| |
| openssl.gypi |
| An *auto-generated* gyp include file that contains the required |
| definitions used to describe the library's sources to the |
| Chromium build system. Its content mirrors openssl/openssl.config |
| in a gyp-compatible way. |
| |
| config/x64/openssl/opensslconf.h |
| Another *auto-generated* file used for 64-bit builds of the library |
| only. This is required for correctness because the Android sources |
| only come with a single generic header which is tailored for |
| 32-bit builds. Using the latter results either in a broken build, |
| or even worse, in a library that doesn't work correctly. |
| |
| The content of this file is a simple copy of |
| openssl/include/openssl/opensslconf.h, with a few lines |
| altered to reflect that the target has 64-bit types. |
| |
| import_from_android.sh |
| The top-level script that will automatically perform the full |
| Chromium download + patching + import + auto-generation process. |
| |
| |
| More specifically, calling 'import_from_android.sh' will do the following: |
| |
| 1) Download a specific Android commit from AOSP git servers to openssl/ |
| 2) Download the corresponding official OpenSSL release tarball. |
| 3) Sainty check its SHA-1 against a hard-coded value. |
| 4) Apply chromium-specific patches. |
| 5) Re-run the Android 'import_openssl.sh' script. |
| 6) Auto-generate config/x64/openssl/opensslconf.h |
| 7) Auto-generate openssl.gypi |
| |
| Once the script is done, all you need to do is launch gyp again, rebuild |
| and run unit tests. Use the --verbose option to see what the script does, |
| or --help to see a detailed scription and a list of valid options. |
| |
| ************************************************************************** |
| Chromium-specific patches: |
| |
| The list of Chromium-specific patches to apply to the Android tree is |
| located in patches.chromium/. Currently this consists of: |
| |
| x509_hash_name_algorithm_change.patch |
| Ensure the library can find the right files under /etc/ssl/certs when |
| running on older systems. |
| |
| There are many symbolic links under /etc/ssl/certs created by using |
| hash of the PEM certificates in order for OpenSSL to find those |
| certificates. Openssl has a tool to help you create hash symbolic |
| links (tools/c_rehash). However newer versions of the library changed |
| the hash algorithm, which makes it unable to run properly on systems |
| that use the old /etc/ssl/certs layout (e.g. Ubuntu Lucid). |
| |
| This patch gives a way to find a certificate according to its hash by |
| using both the old and new algorithms. http://crbug.com/111045 is used |
| to track this issue. |
| |
| enable-dtls1.patch: |
| Enable DTLSv1, which is disabled by default in the Android platform |
| configuration. |
| |
| x86_64_source_excludes.patch |
| Exclude the source files bn_asm.c and rc4_skey.c for x86_64 because |
| they are replaced by x86_64-gcc.c and rc4-x86_64.S. |
| |
| z_reduce_client_hello_size.patch |
| Advertise support of only the NIST curves P-521, P-384, and P-256, |
| as well as only uncompressed points, to keep ClientHello small. |
| |
| channelid.patch |
| Add API so that channel ID private key can be set only after verifying the |
| remote server supports channel IDs. |
| |
| fix_lhash_iteration.patch |
| Fix a crash that happens when OpenSSL tries to delete items from a lhash |
| table that is being iterated over. This happens in certain rare cases |
| when SSL_CTX_flush_sessions() is called. See http://crbug.com/298606 |
| |
| chacha.patch |
| Add support for ChaCha20+Poly1305 cipher suites. |
| |
| paddingext.patch |
| paddingext2.patch |
| Add ClientHello padding to workaround bug in F5 terminators. |
| |
| stricter_cutthrough.patch |
| Requires NPN and a PFS cipher suite to enable cut-through (false start) on |
| the client. |
| |
| mac_osx32_assembly.patch |
| Add support for 32 bit OS X with assembly optimization. |
| |
| fix_limit_checks.patch |
| Fix limit checks in writing extensions. BUF_MEM_grow allocates 4/3 the size |
| requested, so it doesn't overflow the actual allocation. |
| |
| reorder_extensions.patch |
| Move the ECC extensions to the end of the ClientHello to work around a |
| server bug. Some servers are intolerant to the last extension being empty. |
| See https://crbug.com/363583 |
| |
| export_certificate_types.patch |
| Export the certificate_types field in CertificateRequest. |
| |
| send_client_verify_cleanup.patch |
| Clean up ssl3_send_client_verify so the various cases (TLS 1.2, pre-TLS-1.2 |
| cases for each cipher suite) are less intertwined. |
| |
| ************************************************************************** |
| Adding new Chromium patches: |
| |
| In the event you need to add a new Chromium-specific patch, follow this |
| procedure: |
| |
| 1) Use the --temp-dir option to download everything to a known directory |
| (by default, import_from_android.sh downloads everything into a |
| temporary directory that is erased when the script exits, even in |
| case of error). |
| |
| ./import_from_android.sh --temp-dir=/tmp/aaa |
| |
| 2) Save the "original" Android sources: |
| |
| cp -rp /tmp/aaa/build/android-openssl /tmp/aaa/build/android-openssl.orig |
| |
| 3) Modify the content of /tmp/aaa/build/android-openssl appropriately. |
| You do *not* have to run 'import_openssl.sh' |
| |
| 4) Create new patch: |
| |
| (cd /tmp/aaa/build && diff -burN android-openssl.orig android-openssl) > patches.chromium/my-new-change.patch |
| |
| 5) Re-run the script: |
| |
| ./import_from_android.sh |
| |
| Generally speaking, consider sending your patch directly to the Android |
| open-source review servers too. Once submitted there, you can update |
| the git commit in openssl-chromium.org and remove your local patch in |
| one new CL. |
