lukechilds
/
node
mirror of https://github.com/lukechilds/node.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

openssl: remove obsolete patch files 

These patches were provided by Android and Chromium. In this form they
are not useful. The ones that we need are landed as separate commits.

As of openssl 1.0.1c, three of them made it upstream:
  * npn.patch (Next Protocol Negotiation support)
  * tls_exporter.patch (RFC 5705 Keying Material Exporters for TLS)
  * openssl_no_dtls1.patch (minor bugfix)
v0.9.2-release
Bert Belder 12 years ago
parent
8d082d0f88
commit
4b8721aad0
11 changed files with 0 additions and 2777 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 96
      deps/openssl/README.chromium
  2. 11
      deps/openssl/patches/empty_OPENSSL_cpuid_setup.patch
  3. 275
      deps/openssl/patches/handshake_cutthrough.patch
  4. 426
      deps/openssl/patches/jsse.patch
  5. 1293
      deps/openssl/patches/npn.patch
  6. 13
      deps/openssl/patches/openssl_no_dtls1.patch
  7. 54
      deps/openssl/patches/progs.patch
  8. 21
      deps/openssl/patches/sha1_armv4_large.patch
  9. 337
      deps/openssl/patches/small_records.patch
  10. 220
      deps/openssl/patches/tls_exporter.patch
  11. 31
      deps/openssl/patches/x509_hash_name_algorithm_change.patch

96
deps/openssl/README.chromium
View File

@ -1,96 +0,0 @@
Name: openssl
URL: http://openssl.org/source/
Version: 1.0.0f
License: BSDish
License File: openssl/LICENSE
Description:
This is OpenSSL, the standard SSL/TLS library, which is used only in Android.
It's an unmodified, upstream source except for the patches listed below.
********************************************************************************
The following patches are taken from Android Open Source Project.
progs.patch:
Fixup sources under the apps/ directory that are not built under the android environment.
small_records.patch:
Reduce OpenSSL memory consumption.
SSL records may be as large as 16K, but are typically < 2K. In
addition, a historic bug in Windows allowed records to be as large
32K. OpenSSL statically allocates read and write buffers (34K and
18K respectively) used for processing records.
With this patch, OpenSSL statically allocates 4K + 4K buffers, with
the option of dynamically growing buffers to 34K + 4K, which is a
saving of 44K per connection for the typical case.
handshake_cutthrough.patch
Enables SSL3+ clients to send application data immediately following the
Finished message even when negotiating full-handshakes. With this patch,
clients can negotiate SSL connections in 1-RTT even when performing
full-handshakes.
jsse.patch
Support for JSSE implementation based on OpenSSL.
npn.patch
Transport Layer Security (TLS) Next Protocol Negotiation Extension
sha1_armv4_large.patch
This patch eliminates memory stores to addresses below SP.
openssl_no_dtls1.patch
Add missing #ifndef OPENSSL_NO_DTLS1
********************************************************************************
The following patches are needed to compile this openssl on Chromium and pass
the related net unit tests.
empty_OPENSSL_cpuid_setup.patch
Use a empty implementation for function OPENSSL_cpuid_setup to resolve link
error. We should figure out how to geenrate platform specific implementation
of OPENSSL_cpuid_setup by leveraging crypto/*cpuid.pl.
x509_hash_name_algorithm_change.patch
There are many symbolic links under /etc/ssl/certs created by using hash of
the pem certificates in order for OpenSSL to find those certificate.
Openssl has a tool to help you create hash symbolic links. (See tools/c_rehash)
However the new openssl changed the hash algorithm, Unless you compile/install
the latest openssl library and re-create all related symbolic links, the new
openssl can not find some certificates because the links of those certificates
were created by using old hash algorithm, which causes some tests failed.
This patch gives a way to find a certificate according to its hash by using both
new algorithm and old algorithm.
crbug.com/111045 is used to track this issue.
tls_exporter.patch
Keying Material Exporters for Transport Layer Security (RFC 5705).
Android platform support
Copy config/android/openssl/opensslconf.h from Android's
external/openssl/include/openssl/opensslconf.h

11
deps/openssl/patches/empty_OPENSSL_cpuid_setup.patch
View File

@ -1,11 +0,0 @@
--- openssl-1.0.0f-origin/crypto/cryptlib.c 2011-06-22 23:39:00.000000000 +0800
+++ openssl-1.0.0f/crypto/cryptlib.c 2012-01-19 02:17:50.261681856 +0800
@@ -690,7 +690,7 @@
unsigned long *OPENSSL_ia32cap_loc(void) { return NULL; }
#endif
int OPENSSL_NONPIC_relocated = 0;
-#if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
+#if !defined(OPENSSL_CPUID_SETUP)
void OPENSSL_cpuid_setup(void) {}
#endif

275
deps/openssl/patches/handshake_cutthrough.patch
View File

@ -1,275 +0,0 @@
diff -uarp openssl-1.0.0.orig/apps/s_client.c openssl-1.0.0/apps/s_client.c
--- openssl-1.0.0.orig/apps/s_client.c 2009-12-16 15:28:28.000000000 -0500
+++ openssl-1.0.0/apps/s_client.c 2010-04-21 14:39:49.000000000 -0400
@@ -248,6 +248,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err," -status - request certificate status from server\n");
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+ BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n");
#endif
}
@@ -304,6 +305,7 @@ int MAIN(int argc, char **argv)
EVP_PKEY *key = NULL;
char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
+ int cutthrough=0;
int crlf=0;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL;
@@ -533,6 +535,8 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-no_ticket") == 0)
{ off|=SSL_OP_NO_TICKET; }
#endif
+ else if (strcmp(*argv,"-cutthrough") == 0)
+ cutthrough=1;
else if (strcmp(*argv,"-serverpref") == 0)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-cipher") == 0)
@@ -714,6 +718,15 @@ bad:
*/
if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
+ /* Enable handshake cutthrough for client connections using
+ * strong ciphers. */
+ if (cutthrough)
+ {
+ int ssl_mode = SSL_CTX_get_mode(ctx);
+ ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH;
+ SSL_CTX_set_mode(ctx, ssl_mode);
+ }
+
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
if (cipher != NULL)
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
diff -uarp openssl-1.0.0.orig/ssl/s3_clnt.c openssl-1.0.0/ssl/s3_clnt.c
--- openssl-1.0.0.orig/ssl/s3_clnt.c 2010-02-27 19:24:24.000000000 -0500
+++ openssl-1.0.0/ssl/s3_clnt.c 2010-04-21 14:39:49.000000000 -0400
@@ -186,6 +186,18 @@ int ssl3_connect(SSL *s)
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+#if 0 /* Send app data in separate packet, otherwise, some particular site
+ * (only one site so far) closes the socket.
+ * Note: there is a very small chance that two TCP packets
+ * could be arriving at server combined into a single TCP packet,
+ * then trigger that site to break. We haven't encounter that though.
+ */
+ if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
+ {
+ /* Send app data along with CCS/Finished */
+ s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
+ }
+#endif
for (;;)
{
@@ -454,14 +468,31 @@ int ssl3_connect(SSL *s)
}
else
{
-#ifndef OPENSSL_NO_TLSEXT
- /* Allow NewSessionTicket if ticket expected */
- if (s->tlsext_ticket_expected)
- s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
+ if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128
+ && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
+ )
+ {
+ if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
+ {
+ s->state=SSL3_ST_CUTTHROUGH_COMPLETE;
+ s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
+ s->s3->delay_buf_pop_ret=0;
+ }
+ else
+ {
+ s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
+ }
+ }
else
+ {
+#ifndef OPENSSL_NO_TLSEXT
+ /* Allow NewSessionTicket if ticket expected */
+ if (s->tlsext_ticket_expected)
+ s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
+ else
#endif
-
- s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+ s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+ }
}
s->init_num=0;
break;
@@ -512,6 +541,24 @@ int ssl3_connect(SSL *s)
s->state=s->s3->tmp.next_state;
break;
+ case SSL3_ST_CUTTHROUGH_COMPLETE:
+#ifndef OPENSSL_NO_TLSEXT
+ /* Allow NewSessionTicket if ticket expected */
+ if (s->tlsext_ticket_expected)
+ s->state=SSL3_ST_CR_SESSION_TICKET_A;
+ else
+#endif
+ s->state=SSL3_ST_CR_FINISHED_A;
+
+ /* SSL_write() will take care of flushing buffered data if
+ * DELAY_CLIENT_FINISHED is set.
+ */
+ if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED))
+ ssl_free_wbio_buffer(s);
+ ret = 1;
+ goto end;
+ /* break; */
+
case SSL_ST_OK:
/* clean a few things up */
ssl3_cleanup_key_block(s);
diff -uarp openssl-1.0.0.orig/ssl/s3_lib.c openssl-1.0.0/ssl/s3_lib.c
-- openssl-1.0.0.orig/ssl/s3_lib.c 2009-10-16 11:24:19.000000000 -0400
+++ openssl-1.0.0/ssl/s3_lib.c 2010-04-21 14:39:49.000000000 -0400
@@ -2551,9 +2551,22 @@ int ssl3_write(SSL *s, const void *buf,
static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
{
- int ret;
+ int n,ret;
clear_sys_error();
+ if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
+ {
+ /* Deal with an application that calls SSL_read() when handshake data
+ * is yet to be written.
+ */
+ if (BIO_wpending(s->wbio) > 0)
+ {
+ s->rwstate=SSL_WRITING;
+ n=BIO_flush(s->wbio);
+ if (n <= 0) return(n);
+ s->rwstate=SSL_NOTHING;
+ }
+ }
if (s->s3->renegotiate) ssl3_renegotiate_check(s);
s->s3->in_read_app_data=1;
ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
diff -uarp openssl-1.0.0.orig/ssl/ssl.h openssl-1.0.0/ssl/ssl.h
--- openssl-1.0.0.orig/ssl/ssl.h 2010-01-06 12:37:38.000000000 -0500
+++ openssl-1.0.0/ssl/ssl.h 2010-04-21 16:57:49.000000000 -0400
@@ -605,6 +605,10 @@ typedef struct ssl_session_st
/* Use small read and write buffers: (a) lazy allocate read buffers for
* large incoming records, and (b) limit the size of outgoing records. */
#define SSL_MODE_SMALL_BUFFERS 0x00000020L
+/* When set, clients may send application data before receipt of CCS
+ * and Finished. This mode enables full-handshakes to 'complete' in
+ * one RTT. */
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000040L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
@@ -1097,10 +1101,12 @@ extern "C" {
/* Is the SSL_connection established? */
#define SSL_get_state(a) SSL_state(a)
#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
-#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
+#define SSL_in_init(a) ((SSL_state(a)&SSL_ST_INIT) && \
+ !SSL_cutthrough_complete(a))
#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
+int SSL_cutthrough_complete(const SSL *s);
/* The following 2 states are kept in ssl->rstate when reads fail,
* you should not need these */
Only in openssl-1.0.0/ssl: ssl.h.orig
diff -uarp openssl-1.0.0.orig/ssl/ssl3.h openssl-1.0.0/ssl/ssl3.h
-- openssl-1.0.0.orig/ssl/ssl3.h 2010-01-06 12:37:38.000000000 -0500
+++ openssl-1.0.0/ssl/ssl3.h 2010-04-21 14:39:49.000000000 -0400
@@ -456,6 +456,7 @@ typedef struct ssl3_state_st
/*client */
/* extra state */
#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
+#define SSL3_ST_CUTTHROUGH_COMPLETE (0x101|SSL_ST_CONNECT)
/* write to server */
#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
diff -uarp openssl-1.0.0.orig/ssl/ssl_lib.c openssl-1.0.0/ssl/ssl_lib.c
--- openssl-1.0.0.orig/ssl/ssl_lib.c 2010-02-17 14:43:46.000000000 -0500
+++ openssl-1.0.0/ssl/ssl_lib.c 2010-04-21 17:02:45.000000000 -0400
@@ -3031,6 +3031,19 @@ void SSL_set_msg_callback(SSL *ssl, void
SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
}
+int SSL_cutthrough_complete(const SSL *s)
+ {
+ return (!s->server && /* cutthrough only applies to clients */
+ !s->hit && /* full-handshake */
+ s->version >= SSL3_VERSION &&
+ s->s3->in_read_app_data == 0 && /* cutthrough only applies to write() */
+ (SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* cutthrough enabled */
+ SSL_get_cipher_bits(s, NULL) >= 128 && /* strong cipher choosen */
+ s->s3->previous_server_finished_len == 0 && /* not a renegotiation handshake */
+ (s->state == SSL3_ST_CR_SESSION_TICKET_A || /* ready to write app-data*/
+ s->state == SSL3_ST_CR_FINISHED_A));
+ }
+
/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
* vairable, freeing EVP_MD_CTX previously stored in that variable, if
* any. If EVP_MD pointer is passed, initializes ctx with this md
diff -uarp openssl-1.0.0.orig/ssl/ssltest.c openssl-1.0.0/ssl/ssltest.c
--- openssl-1.0.0.orig/ssl/ssltest.c 2010-01-24 11:57:38.000000000 -0500
+++ openssl-1.0.0/ssl/ssltest.c 2010-04-21 17:06:35.000000000 -0400
@@ -279,6 +279,7 @@ static void sv_usage(void)
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
+ fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -436,6 +437,7 @@ int main(int argc, char *argv[])
int ssl_mode = 0;
int c_small_records=0;
int s_small_records=0;
+ int cutthrough = 0;
verbose = 0;
debug = 0;
@@ -632,6 +634,10 @@ int main(int argc, char *argv[])
{
s_small_records = 1;
}
+ else if (strcmp(*argv, "-cutthrough") == 0)
+ {
+ cutthrough = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
@@ -782,6 +788,13 @@ bad:
ssl_mode |= SSL_MODE_SMALL_BUFFERS;
SSL_CTX_set_mode(s_ctx, ssl_mode);
}
+ ssl_mode = 0;
+ if (cutthrough)
+ {
+ ssl_mode = SSL_CTX_get_mode(c_ctx);
+ ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
+ SSL_CTX_set_mode(c_ctx, ssl_mode);
+ }
#ifndef OPENSSL_NO_DH
if (!no_dhe)
diff -uarp openssl-1.0.0.orig/test/testssl openssl-1.0.0/test/testssl
--- openssl-1.0.0.orig/test/testssl 2006-03-10 18:06:27.000000000 -0500
+++ openssl-1.0.0/test/testssl 2010-04-21 16:50:13.000000000 -0400
@@ -79,6 +79,8 @@ $ssltest -server_auth -client_auth -s_sm
echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
$ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
+echo test sslv2/sslv3 with both client and server authentication and handshake cutthrough
+$ssltest -server_auth -client_auth -cutthrough $CA $extra || exit 1
echo test sslv2 via BIO pair
$ssltest -bio_pair -ssl2 $extra || exit 1

426
deps/openssl/patches/jsse.patch
View File

@ -1,426 +0,0 @@
--- openssl-1.0.0b.orig/ssl/ssl.h 2010-11-30 00:03:46.000000000 +0000
+++ openssl-1.0.0b/ssl/ssl.h 2010-11-30 00:03:47.000000000 +0000
@@ -1133,6 +1133,9 @@ struct ssl_st
/* This can also be in the session once a session is established */
SSL_SESSION *session;
+ /* This can be disabled to prevent the use of uncached sessions */
+ int session_creation_enabled;
+
/* Default generate session ID callback. */
GEN_SESSION_CB generate_session_id;
@@ -1546,6 +1549,7 @@ const SSL_CIPHER *SSL_get_current_cipher
int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
+const char * SSL_CIPHER_authentication_method(const SSL_CIPHER *c);
int SSL_get_fd(const SSL *s);
int SSL_get_rfd(const SSL *s);
@@ -1554,6 +1558,7 @@ const char * SSL_get_cipher_list(const
char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
int SSL_get_read_ahead(const SSL * s);
int SSL_pending(const SSL *s);
+const char * SSL_authentication_method(const SSL *c);
#ifndef OPENSSL_NO_SOCK
int SSL_set_fd(SSL *s, int fd);
int SSL_set_rfd(SSL *s, int fd);
@@ -1565,6 +1570,7 @@ BIO * SSL_get_rbio(const SSL *s);
BIO * SSL_get_wbio(const SSL *s);
#endif
int SSL_set_cipher_list(SSL *s, const char *str);
+int SSL_set_cipher_lists(SSL *s, STACK_OF(SSL_CIPHER) *sk);
void SSL_set_read_ahead(SSL *s, int yes);
int SSL_get_verify_mode(const SSL *s);
int SSL_get_verify_depth(const SSL *s);
@@ -1580,6 +1586,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKE
int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
int SSL_use_certificate(SSL *ssl, X509 *x);
int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
+int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain);
+STACK_OF(X509) * SSL_get_certificate_chain(SSL *ssl, X509 *x);
#ifndef OPENSSL_NO_STDIO
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
@@ -1615,6 +1623,7 @@ void SSL_copy_session_id(SSL *to,const S
SSL_SESSION *SSL_SESSION_new(void);
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
unsigned int *len);
+const char * SSL_SESSION_get_version(const SSL_SESSION *s);
#ifndef OPENSSL_NO_FP_API
int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
#endif
@@ -1624,6 +1633,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_
void SSL_SESSION_free(SSL_SESSION *ses);
int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
int SSL_set_session(SSL *to, SSL_SESSION *session);
+void SSL_set_session_creation_enabled(SSL *, int);
int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
@@ -2066,6 +2076,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
#define SSL_F_SSL_USE_CERTIFICATE 198
#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
+#define SSL_F_SSL_USE_CERTIFICATE_CHAIN 2000
#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
#define SSL_F_SSL_USE_PRIVATEKEY 201
#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
@@ -2272,6 +2283,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
#define SSL_R_SERVERHELLO_TLSEXT 275
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
+#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000
#define SSL_R_SHORT_READ 219
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
--- openssl-1.0.0b.orig/ssl/d1_clnt.c 2010-01-26 19:46:29.000000000 +0000
+++ openssl-1.0.0b/ssl/d1_clnt.c 2010-11-30 00:03:47.000000000 +0000
@@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s)
#endif
(s->session->not_resumable))
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
goto err;
}
--- openssl-1.0.0b.orig/ssl/s23_clnt.c 2010-02-16 14:20:40.000000000 +0000
+++ openssl-1.0.0b/ssl/s23_clnt.c 2010-11-30 00:03:47.000000000 +0000
@@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s
/* Since, if we are sending a ssl23 client hello, we are not
* reusing a session-id */
+ if (!s->session_creation_enabled)
+ {
+ if (!(s->client_version == SSL2_VERSION))
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
goto err;
--- openssl-1.0.0b.orig/ssl/s3_both.c 2010-11-30 00:03:46.000000000 +0000
+++ openssl-1.0.0b/ssl/s3_both.c 2010-11-30 00:03:47.000000000 +0000
@@ -347,8 +347,11 @@ unsigned long ssl3_output_cert_chain(SSL
unsigned long l=7;
BUF_MEM *buf;
int no_chain;
+ STACK_OF(X509) *cert_chain;
- if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
+ cert_chain = SSL_get_certificate_chain(s, x);
+
+ if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs || cert_chain)
no_chain = 1;
else
no_chain = 0;
@@ -400,6 +403,10 @@ unsigned long ssl3_output_cert_chain(SSL
return(0);
}
+ for (i=0; i<sk_X509_num(cert_chain); i++)
+ if (ssl3_add_cert_to_buf(buf, &l, sk_X509_value(cert_chain,i)))
+ return(0);
+
l-=7;
p=(unsigned char *)&(buf->data[4]);
l2n3(l,p);
--- openssl-1.0.0b.orig/ssl/s3_clnt.c 2010-11-30 00:03:46.000000000 +0000
+++ openssl-1.0.0b/ssl/s3_clnt.c 2010-11-30 00:03:47.000000000 +0000
@@ -686,6 +686,12 @@ int ssl3_client_hello(SSL *s)
#endif
(sess->not_resumable))
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
goto err;
}
@@ -894,6 +900,12 @@ int ssl3_get_server_hello(SSL *s)
s->hit=0;
if (s->session->session_id_length > 0)
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
{
al=SSL_AD_INTERNAL_ERROR;
--- openssl-1.0.0b.orig/ssl/s3_srvr.c 2010-11-30 00:03:46.000000000 +0000
+++ openssl-1.0.0b/ssl/s3_srvr.c 2010-11-30 00:03:47.000000000 +0000
@@ -902,6 +902,12 @@ int ssl3_get_client_hello(SSL *s)
*/
if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,1))
goto err;
}
@@ -916,6 +922,12 @@ int ssl3_get_client_hello(SSL *s)
goto err;
else /* i == 0 */
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,1))
goto err;
}
--- openssl-1.0.0b.orig/ssl/ssl_ciph.c 2010-06-15 17:25:14.000000000 +0000
+++ openssl-1.0.0b/ssl/ssl_ciph.c 2010-11-30 00:03:47.000000000 +0000
@@ -1652,6 +1652,52 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER
return(ret);
}
+/* return string version of key exchange algorithm */
+const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher)
+ {
+ switch (cipher->algorithm_mkey)
+ {
+ case SSL_kRSA:
+ return SSL_TXT_RSA;
+ case SSL_kDHr:
+ return SSL_TXT_DH "_" SSL_TXT_RSA;
+ case SSL_kDHd:
+ return SSL_TXT_DH "_" SSL_TXT_DSS;
+ case SSL_kEDH:
+ switch (cipher->algorithm_auth)
+ {
+ case SSL_aDSS:
+ return "DHE_" SSL_TXT_DSS;
+ case SSL_aRSA:
+ return "DHE_" SSL_TXT_RSA;
+ case SSL_aNULL:
+ return SSL_TXT_DH "_anon";
+ default:
+ return "UNKNOWN";
+ }
+ case SSL_kKRB5:
+ return SSL_TXT_KRB5;
+ case SSL_kECDHr:
+ return SSL_TXT_ECDH "_" SSL_TXT_RSA;
+ case SSL_kECDHe:
+ return SSL_TXT_ECDH "_" SSL_TXT_ECDSA;
+ case SSL_kEECDH:
+ switch (cipher->algorithm_auth)
+ {
+ case SSL_aECDSA:
+ return "ECDHE_" SSL_TXT_ECDSA;
+ case SSL_aRSA:
+ return "ECDHE_" SSL_TXT_RSA;
+ case SSL_aNULL:
+ return SSL_TXT_ECDH "_anon";
+ default:
+ return "UNKNOWN";
+ }
+ default:
+ return "UNKNOWN";
+ }
+ }
+
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
{
SSL_COMP *ctmp;
--- openssl-1.0.0b.orig/ssl/ssl_err.c 2010-11-30 00:03:46.000000000 +0000
+++ openssl-1.0.0b/ssl/ssl_err.c 2010-11-30 00:03:47.000000000 +0000
@@ -465,6 +465,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
+{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"},
{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
--- openssl-1.0.0b.orig/ssl/ssl_lib.c 2010-11-30 00:03:46.000000000 +0000
+++ openssl-1.0.0b/ssl/ssl_lib.c 2010-11-30 00:03:47.000000000 +0000
@@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx)
OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
s->verify_callback=ctx->default_verify_callback;
+ s->session_creation_enabled=1;
s->generate_session_id=ctx->generate_session_id;
s->param = X509_VERIFY_PARAM_new();
@@ -1311,6 +1312,32 @@ int SSL_set_cipher_list(SSL *s,const cha
return 1;
}
+/** specify the ciphers to be used by the SSL */
+int SSL_set_cipher_lists(SSL *s,STACK_OF(SSL_CIPHER) *sk)
+ {
+ STACK_OF(SSL_CIPHER) *tmp_cipher_list;
+
+ if (sk == NULL)
+ return 0;
+
+ /* Based on end of ssl_create_cipher_list */
+ tmp_cipher_list = sk_SSL_CIPHER_dup(sk);
+ if (tmp_cipher_list == NULL)
+ {
+ return 0;
+ }
+ if (s->cipher_list != NULL)
+ sk_SSL_CIPHER_free(s->cipher_list);
+ s->cipher_list = sk;
+ if (s->cipher_list_by_id != NULL)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+ s->cipher_list_by_id = tmp_cipher_list;
+ (void)sk_SSL_CIPHER_set_cmp_func(s->cipher_list_by_id,ssl_cipher_ptr_id_cmp);
+
+ sk_SSL_CIPHER_sort(s->cipher_list_by_id);
+ return 1;
+ }
+
/* works well for SSLv2, not so good for SSLv3 */
char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
{
@@ -2551,18 +2578,45 @@ SSL_METHOD *ssl_bad_method(int ver)
return(NULL);
}
-const char *SSL_get_version(const SSL *s)
+static const char *ssl_get_version(int version)
{
- if (s->version == TLS1_VERSION)
+ if (version == TLS1_VERSION)
return("TLSv1");
- else if (s->version == SSL3_VERSION)
+ else if (version == SSL3_VERSION)
return("SSLv3");
- else if (s->version == SSL2_VERSION)
+ else if (version == SSL2_VERSION)
return("SSLv2");
else
return("unknown");
}
+const char *SSL_get_version(const SSL *s)
+ {
+ return ssl_get_version(s->version);
+ }
+
+const char *SSL_SESSION_get_version(const SSL_SESSION *s)
+ {
+ return ssl_get_version(s->ssl_version);
+ }
+
+const char* SSL_authentication_method(const SSL* ssl)
+ {
+ if (ssl->cert != NULL && ssl->cert->rsa_tmp != NULL)
+ return SSL_TXT_RSA "_" SSL_TXT_EXPORT;
+ switch (ssl->version)
+ {
+ case SSL2_VERSION:
+ return SSL_TXT_RSA;
+ case SSL3_VERSION:
+ case TLS1_VERSION:
+ case DTLS1_VERSION:
+ return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher);
+ default:
+ return "UNKNOWN";
+ }
+ }
+
SSL *SSL_dup(SSL *s)
{
STACK_OF(X509_NAME) *sk;
--- openssl-1.0.0b.orig/ssl/ssl_locl.h 2010-11-30 00:03:46.000000000 +0000
+++ openssl-1.0.0b/ssl/ssl_locl.h 2010-11-30 00:03:47.000000000 +0000
@@ -456,6 +456,7 @@
typedef struct cert_pkey_st
{
X509 *x509;
+ STACK_OF(X509) *cert_chain;
EVP_PKEY *privatekey;
} CERT_PKEY;
--- openssl-1.0.0b.orig/ssl/ssl_rsa.c 2009-09-12 23:09:26.000000000 +0000
+++ openssl-1.0.0b/ssl/ssl_rsa.c 2010-11-30 00:03:47.000000000 +0000
@@ -697,6 +697,42 @@ int SSL_CTX_use_PrivateKey_ASN1(int type
}
+int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain)
+ {
+ if (ssl == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,ERR_R_PASSED_NULL_PARAMETER);
+ return(0);
+ }
+ if (ssl->cert == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return(0);
+ }
+ if (ssl->cert->key == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return(0);
+ }
+ ssl->cert->key->cert_chain = cert_chain;
+ return(1);
+ }
+
+STACK_OF(X509) *SSL_get_certificate_chain(SSL *ssl, X509 *x)
+ {
+ int i;
+ if (x == NULL)
+ return NULL;
+ if (ssl == NULL)
+ return NULL;
+ if (ssl->cert == NULL)
+ return NULL;
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ if (ssl->cert->pkeys[i].x509 == x)
+ return ssl->cert->pkeys[i].cert_chain;
+ return NULL;
+ }
+
#ifndef OPENSSL_NO_STDIO
/* Read a file that contains our certificate in "PEM" format,
* possibly followed by a sequence of CA certificates that should be
--- openssl-1.0.0b.orig/ssl/ssl_sess.c 2010-02-01 16:49:42.000000000 +0000
+++ openssl-1.0.0b/ssl/ssl_sess.c 2010-11-30 00:03:47.000000000 +0000
@@ -261,6 +261,11 @@ static int def_generate_session_id(const
return 0;
}
+void SSL_set_session_creation_enabled (SSL *s, int creation_enabled)
+ {
+ s->session_creation_enabled = creation_enabled;
+ }
+
int ssl_get_new_session(SSL *s, int session)
{
/* This gets used by clients and servers. */
@@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess
SSL_SESSION *ss=NULL;
GEN_SESSION_CB cb = def_generate_session_id;
+ /* caller should check this if they can do better error handling */
+ if (!s->session_creation_enabled) return(0);
if ((ss=SSL_SESSION_new()) == NULL) return(0);
/* If the context has a default timeout, use it */

1293
deps/openssl/patches/npn.patch
View File

File diff suppressed because it is too large

13
deps/openssl/patches/openssl_no_dtls1.patch
View File

@ -1,13 +0,0 @@
--- openssl-1.0.0f.orig/ssl/ssl_lib.c 2012-01-04 22:13:21.000000000 +0000
+++ openssl-1.0.0f/ssl/ssl_lib.c 2012-01-04 22:13:21.000000000 +0000
@@ -1063,8 +1063,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
s->max_cert_list=larg;
return(l);
case SSL_CTRL_SET_MTU:
+#ifndef OPENSSL_NO_DTLS1
if (larg < (long)dtls1_min_mtu())
return 0;
+#endif
if (SSL_version(s) == DTLS1_VERSION ||
SSL_version(s) == DTLS1_BAD_VER)

54
deps/openssl/patches/progs.patch
View File

@ -1,54 +0,0 @@
--- openssl-1.0.0.orig/apps/openssl.c 2009-10-04 09:43:21.000000000 -0700
+++ openssl-1.0.0/apps/openssl.c 2010-05-18 14:05:14.000000000 -0700
@@ -275,8 +275,10 @@ int main(int Argc, char *Argv[])
if (ERR_GET_REASON(ERR_peek_last_error())
== CONF_R_NO_SUCH_FILE)
{
+#if 0 /* ANDROID */
BIO_printf(bio_err,
"WARNING: can't open config file: %s\n",p);
+#endif
ERR_clear_error();
NCONF_free(config);
config = NULL;
--- openssl-1.0.0.orig/apps/progs.h 2009-06-30 08:08:38.000000000 -0700
+++ openssl-1.0.0/apps/progs.h 2010-05-18 14:05:38.000000000 -0700
@@ -146,7 +152,9 @@ FUNCTION functions[] = {
{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
#endif
{FUNC_TYPE_GENERAL,"prime",prime_main},
+#if 0 /* ANDROID */
{FUNC_TYPE_GENERAL,"ts",ts_main},
+#endif
#ifndef OPENSSL_NO_MD2
{FUNC_TYPE_MD,"md2",dgst_main},
#endif
--- openssl-1.0.0.orig/apps/speed.c 2010-03-03 11:56:17.000000000 -0800
+++ openssl-1.0.0/apps/speed.c 2010-05-18 14:05:57.000000000 -0700
@@ -1718,6 +1718,7 @@ int MAIN(int argc, char **argv)
}
}
+#if 0 /* ANDROID */
if (doit[D_IGE_128_AES])
{
for (j=0; j<SIZE_NUM; j++)
@@ -1763,6 +1764,7 @@ int MAIN(int argc, char **argv)
#endif
+#endif
#ifndef OPENSSL_NO_CAMELLIA
if (doit[D_CBC_128_CML])
{
--- openssl-1.0.0.orig/crypto/ui/ui_openssl.c 2009-10-04 09:43:21.000000000 -0700
+++ openssl-1.0.0/crypto/ui/ui_openssl.c 2010-05-18 13:36:26.000000000 -0700
@@ -184,7 +184,7 @@
# undef SGTTY
#endif
-#if defined(linux) && !defined(TERMIO)
+#if defined(linux) && !defined(TERMIO) && !defined(__ANDROID__)
# undef TERMIOS
# define TERMIO
# undef SGTTY

21
deps/openssl/patches/sha1_armv4_large.patch
View File

@ -1,21 +0,0 @@
diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl
index 6e65fe3..79e3f61 100644
--- a/crypto/sha/asm/sha1-armv4-large.pl
+++ b/crypto/sha/asm/sha1-armv4-large.pl
@@ -161,6 +161,7 @@ for($i=0;$i<5;$i++) {
$code.=<<___;
teq $Xi,sp
bne .L_00_15 @ [((11+4)*5+2)*3]
+ sub sp,sp,#5*4
___
&BODY_00_15(@V); unshift(@V,pop(@V));
&BODY_16_19(@V); unshift(@V,pop(@V));
@@ -170,7 +171,7 @@ ___
$code.=<<___;
ldr $K,.LK_20_39 @ [+15+16*4]
- sub sp,sp,#25*4
+ sub sp,sp,#20*4
cmn sp,#0 @ [+3], clear carry to denote 20_39
.L_20_39_or_60_79:
___

337
deps/openssl/patches/small_records.patch
View File

@ -1,337 +0,0 @@
--- openssl-1.0.0a.orig/ssl/d1_pkt.c 2010-04-14 00:09:55.000000000 +0000
+++ openssl-1.0.0a/ssl/d1_pkt.c 2010-08-25 21:12:39.000000000 +0000
@@ -608,6 +608,24 @@ again:
goto again;
}
+ /* If we receive a valid record larger than the current buffer size,
+ * allocate some memory for it.
+ */
+ if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH)
+ {
+ unsigned char *pp;
+ unsigned int newlen = rr->length + DTLS1_RT_HEADER_LENGTH;
+ if ((pp=OPENSSL_realloc(s->s3->rbuf.buf, newlen))==NULL)
+ {
+ SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILURE);
+ return(-1);
+ }
+ p = pp + (p - s->s3->rbuf.buf);
+ s->s3->rbuf.buf=pp;
+ s->s3->rbuf.len=newlen;
+ s->packet= &(s->s3->rbuf.buf[0]);
+ }
+
/* now s->rstate == SSL_ST_READ_BODY */
}
@@ -1342,6 +1360,7 @@ int do_dtls1_write(SSL *s, int type, con
SSL3_BUFFER *wb;
SSL_SESSION *sess;
int bs;
+ unsigned int len_with_overhead = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
/* first check if there is a SSL3_BUFFER still being written
* out. This will happen with non blocking IO */
@@ -1351,6 +1370,16 @@ int do_dtls1_write(SSL *s, int type, con
return(ssl3_write_pending(s,type,buf,len));
}
+ if (s->s3->wbuf.len < len_with_overhead)
+ {
+ if ((p=OPENSSL_realloc(s->s3->wbuf.buf, len_with_overhead)) == NULL) {
+ SSLerr(SSL_F_DO_DTLS1_WRITE,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ s->s3->wbuf.buf = p;
+ s->s3->wbuf.len = len_with_overhead;
+ }
+
/* If we have an alert to send, lets send it */
if (s->s3->alert_dispatch)
{
--- openssl-1.0.0a.orig/ssl/s23_srvr.c 2010-02-16 14:20:40.000000000 +0000
+++ openssl-1.0.0a/ssl/s23_srvr.c 2010-08-25 21:12:39.000000000 +0000
@@ -403,8 +403,13 @@ int ssl23_get_client_hello(SSL *s)
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
v[1] = p[4];
+/* The SSL2 protocol allows n to be larger, just pick
+ * a reasonable buffer size. */
+#if SSL3_RT_DEFAULT_PACKET_SIZE < 1024*4 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
+#error "SSL3_RT_DEFAULT_PACKET_SIZE is too small."
+#endif
n=((p[0]&0x7f)<<8)|p[1];
- if (n > (1024*4))
+ if (n > SSL3_RT_DEFAULT_PACKET_SIZE - 2)
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
goto err;
--- openssl-1.0.0a.orig/ssl/s3_both.c 2010-03-24 23:16:49.000000000 +0000
+++ openssl-1.0.0a/ssl/s3_both.c 2010-08-25 21:12:39.000000000 +0000
@@ -715,13 +722,20 @@ int ssl3_setup_read_buffer(SSL *s)
if (s->s3->rbuf.buf == NULL)
{
- len = SSL3_RT_MAX_PLAIN_LENGTH
- + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
- + headerlen + align;
- if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+ if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
{
- s->s3->init_extra = 1;
- len += SSL3_RT_MAX_EXTRA;
+ len = SSL3_RT_DEFAULT_PACKET_SIZE;
+ }
+ else
+ {
+ len = SSL3_RT_MAX_PLAIN_LENGTH
+ + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+ + headerlen + align;
+ if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+ {
+ s->s3->init_extra = 1;
+ len += SSL3_RT_MAX_EXTRA;
+ }
}
#ifndef OPENSSL_NO_COMP
if (!(s->options & SSL_OP_NO_COMPRESSION))
@@ -757,7 +771,15 @@ int ssl3_setup_write_buffer(SSL *s)
if (s->s3->wbuf.buf == NULL)
{
- len = s->max_send_fragment
+ if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
+ {
+ len = SSL3_RT_DEFAULT_PACKET_SIZE;
+ }
+ else
+ {
+ len = s->max_send_fragment;
+ }
+ len += 0
+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
+ headerlen + align;
#ifndef OPENSSL_NO_COMP
@@ -767,7 +789,6 @@ int ssl3_setup_write_buffer(SSL *s)
if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
len += headerlen + align
+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
-
if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
goto err;
s->s3->wbuf.buf = p;
@@ -810,4 +831,3 @@ int ssl3_release_read_buffer(SSL *s)
}
return 1;
}
-
--- openssl-1.0.0a.orig/ssl/s3_pkt.c 2010-03-25 11:22:42.000000000 +0000
+++ openssl-1.0.0a/ssl/s3_pkt.c 2010-08-25 21:12:39.000000000 +0000
@@ -293,6 +293,11 @@ static int ssl3_get_record(SSL *s)
size_t extra;
int decryption_failed_or_bad_record_mac = 0;
unsigned char *mac = NULL;
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+ long align=SSL3_ALIGN_PAYLOAD;
+#else
+ long align=0;
+#endif
rr= &(s->s3->rrec);
sess=s->session;
@@ -301,7 +306,8 @@ static int ssl3_get_record(SSL *s)
extra=SSL3_RT_MAX_EXTRA;
else
extra=0;
- if (extra && !s->s3->init_extra)
+ if (!(SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS) &&
+ extra && !s->s3->init_extra)
{
/* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
* set after ssl3_setup_buffers() was done */
@@ -350,6 +356,21 @@ fprintf(stderr, "Record type=%d, Length=
goto err;
}
+ /* If we receive a valid record larger than the current buffer size,
+ * allocate some memory for it.
+ */
+ if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH - align)
+ {
+ if ((p=OPENSSL_realloc(s->s3->rbuf.buf, rr->length + SSL3_RT_HEADER_LENGTH + align))==NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_RECORD,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ s->s3->rbuf.buf=p;
+ s->s3->rbuf.len=rr->length + SSL3_RT_HEADER_LENGTH + align;
+ s->packet= &(s->s3->rbuf.buf[0]);
+ }
+
if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
{
al=SSL_AD_RECORD_OVERFLOW;
@@ -576,6 +597,7 @@ int ssl3_write_bytes(SSL *s, int type, c
const unsigned char *buf=buf_;
unsigned int tot,n,nw;
int i;
+ unsigned int max_plain_length;
s->rwstate=SSL_NOTHING;
tot=s->s3->wnum;
@@ -595,8 +617,13 @@ int ssl3_write_bytes(SSL *s, int type, c
n=(len-tot);
for (;;)
{
- if (n > s->max_send_fragment)
- nw=s->max_send_fragment;
+ if (type == SSL3_RT_APPLICATION_DATA && (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS))
+ max_plain_length = SSL3_RT_DEFAULT_PLAIN_LENGTH;
+ else
+ max_plain_length = s->max_send_fragment;
+
+ if (n > max_plain_length)
+ nw = max_plain_length;
else
nw=n;
@@ -727,6 +727,18 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
s->s3->empty_fragment_done = 1;
}
+ /* resize if necessary to hold the data. */
+ if (len + SSL3_RT_DEFAULT_WRITE_OVERHEAD > wb->len)
+ {
+ if ((p=OPENSSL_realloc(wb->buf, len + SSL3_RT_DEFAULT_WRITE_OVERHEAD))==NULL)
+ {
+ SSLerr(SSL_F_DO_SSL3_WRITE,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ wb->buf = p;
+ wb->len = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
+ }
+
if (create_empty_fragment)
{
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
--- openssl-1.0.0a.orig/ssl/ssl.h 2010-01-06 17:37:38.000000000 +0000
+++ openssl-1.0.0a/ssl/ssl.h 2010-08-25 21:12:39.000000000 +0000
@@ -602,6 +602,9 @@ typedef struct ssl_session_st
* TLS only.) "Released" buffers are put onto a free-list in the context
* or just freed (depending on the context's setting for freelist_max_len). */
#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+/* Use small read and write buffers: (a) lazy allocate read buffers for
+ * large incoming records, and (b) limit the size of outgoing records. */
+#define SSL_MODE_SMALL_BUFFERS 0x00000020L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
--- openssl-1.0.0a.orig/ssl/ssl3.h 2010-01-06 17:37:38.000000000 +0000
+++ openssl-1.0.0a/ssl/ssl3.h 2010-08-25 21:12:39.000000000 +0000
@@ -280,6 +280,9 @@ extern "C" {
#define SSL3_RT_MAX_EXTRA (16384)
+/* Default buffer length used for writen records. Thus a generated record
+ * will contain plaintext no larger than this value. */
+#define SSL3_RT_DEFAULT_PLAIN_LENGTH 2048
/* Maximum plaintext length: defined by SSL/TLS standards */
#define SSL3_RT_MAX_PLAIN_LENGTH 16384
/* Maximum compression overhead: defined by SSL/TLS standards */
@@ -311,6 +314,13 @@ extern "C" {
#define SSL3_RT_MAX_PACKET_SIZE \
(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
+/* Extra space for empty fragment, headers, MAC, and padding. */
+#define SSL3_RT_DEFAULT_WRITE_OVERHEAD 256
+#define SSL3_RT_DEFAULT_PACKET_SIZE 4096 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
+#if SSL3_RT_DEFAULT_PLAIN_LENGTH + SSL3_RT_DEFAULT_WRITE_OVERHEAD > SSL3_RT_DEFAULT_PACKET_SIZE
+#error "Insufficient space allocated for write buffers."
+#endif
+
#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
@@ -634,4 +645,3 @@ typedef struct ssl3_state_st
}
#endif
#endif
-
--- openssl-1.0.0a.orig/ssl/ssltest.c 2010-01-24 16:57:38.000000000 +0000
+++ openssl-1.0.0a/ssl/ssltest.c 2010-08-25 21:12:39.000000000 +0000
@@ -316,6 +316,8 @@ static void sv_usage(void)
" (default is sect163r2).\n");
#endif
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+ fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
+ fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -444,6 +447,9 @@ int opaque_prf_input_cb(SSL *ssl, void *
return arg->ret;
}
#endif
+ int ssl_mode = 0;
+ int c_small_records=0;
+ int s_small_records=0;
int main(int argc, char *argv[])
{
@@ -680,6 +687,14 @@ int main(int argc, char *argv[])
{
test_cipherlist = 1;
}
+ else if (strcmp(*argv, "-c_small_records") == 0)
+ {
+ c_small_records = 1;
+ }
+ else if (strcmp(*argv, "-s_small_records") == 0)
+ {
+ s_small_records = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
@@ -802,6 +821,21 @@ bad:
SSL_CTX_set_cipher_list(s_ctx,cipher);
}
+ ssl_mode = 0;
+ if (c_small_records)
+ {
+ ssl_mode = SSL_CTX_get_mode(c_ctx);
+ ssl_mode |= SSL_MODE_SMALL_BUFFERS;
+ SSL_CTX_set_mode(c_ctx, ssl_mode);
+ }
+ ssl_mode = 0;
+ if (s_small_records)
+ {
+ ssl_mode = SSL_CTX_get_mode(s_ctx);
+ ssl_mode |= SSL_MODE_SMALL_BUFFERS;
+ SSL_CTX_set_mode(s_ctx, ssl_mode);
+ }
+
#ifndef OPENSSL_NO_DH
if (!no_dhe)
{
--- openssl-1.0.0.orig/test/testssl 2006-03-10 15:06:27.000000000 -0800
+++ openssl-1.0.0/test/testssl 2010-04-26 10:24:55.000000000 -0700
@@ -70,6 +70,16 @@ $ssltest -client_auth $CA $extra || exit
echo test sslv2/sslv3 with both client and server authentication
$ssltest -server_auth -client_auth $CA $extra || exit 1
+echo test sslv2/sslv3 with both client and server authentication and small client buffers
+$ssltest -server_auth -client_auth -c_small_records $CA $extra || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication and small server buffers
+$ssltest -server_auth -client_auth -s_small_records $CA $extra || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
+$ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
+
+
echo test sslv2 via BIO pair
$ssltest -bio_pair -ssl2 $extra || exit 1

220
deps/openssl/patches/tls_exporter.patch
View File

@ -1,220 +0,0 @@
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index c3b77c8..a94290a 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -82,6 +82,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
tls1_alert_code,
+ tls1_export_keying_material,
};
long dtls1_default_timeout(void)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c19538a..1fecbbc 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2087,6 +2087,9 @@ SSL3_ENC_METHOD SSLv3_enc_data={
SSL3_MD_CLIENT_FINISHED_CONST,4,
SSL3_MD_SERVER_FINISHED_CONST,4,
ssl3_alert_code,
+ (int (*)(SSL *, unsigned char *, size_t, const char *,
+ size_t, const unsigned char *, size_t,
+ int use_context)) ssl_undefined_function,
};
long ssl3_default_timeout(void)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 9336af8..be4af2f 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2116,6 +2116,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
#define SSL_F_SSL_PEEK 270
+#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 312
#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
#define SSL_F_SSL_READ 223
@@ -2394,6 +2395,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 17d2cde..d6ad3c1 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3127,6 +3127,18 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned
}
#endif
+int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ const char *label, size_t llen, const unsigned char *p, size_t plen,
+ int use_context)
+ {
+ if (s->version < TLS1_VERSION)
+ return -1;
+
+ return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
+ llen, p, plen,
+ use_context);
+ }
+
int SSL_cutthrough_complete(const SSL *s)
{
return (!s->server && /* cutthrough only applies to clients */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 146c89c..e7c6b9a 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -557,6 +557,10 @@ typedef struct ssl3_enc_method
const char *server_finished_label;
int server_finished_label_len;
int (*alert_value)(int);
+ int (*export_keying_material)(SSL *, unsigned char *, size_t,
+ const char *, size_t,
+ const unsigned char *, size_t,
+ int use_context);
} SSL3_ENC_METHOD;
#ifndef OPENSSL_NO_COMP
@@ -1041,6 +1045,9 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
int tls1_mac(SSL *ssl, unsigned char *md, int snd);
int tls1_generate_master_secret(SSL *s, unsigned char *out,
unsigned char *p, int len);
+int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ const char *label, size_t llen, const unsigned char *p,
+ size_t plen, int use_context);
int tls1_alert_code(int code);
int ssl3_alert_code(int code);
int ssl_ok(SSL *s);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 793ea43..b1d5b28 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1001,6 +1001,95 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
return(SSL3_MASTER_SECRET_SIZE);
}
+int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ const char *label, size_t llen, const unsigned char *context,
+ size_t contextlen, int use_context)
+ {
+ unsigned char *buff;
+ unsigned char *val = NULL;
+ size_t vallen, currentvalpos;
+ int rv;
+
+#ifdef KSSL_DEBUG
+ printf ("tls1_export_keying_material(%p,%p,%d,%s,%d,%p,%d)\n", s, out, olen, label, llen, p, plen);
+#endif /* KSSL_DEBUG */
+
+ buff = OPENSSL_malloc(olen);
+ if (buff == NULL) goto err2;
+
+ /* construct PRF arguments
+ * we construct the PRF argument ourself rather than passing separate
+ * values into the TLS PRF to ensure that the concatenation of values
+ * does not create a prohibited label.
+ */
+ vallen = llen + SSL3_RANDOM_SIZE * 2;
+ if (use_context)
+ {
+ vallen += 2 + contextlen;
+ }
+
+ val = OPENSSL_malloc(vallen);
+ if (val == NULL) goto err2;
+ currentvalpos = 0;
+ memcpy(val + currentvalpos, (unsigned char *) label, llen);
+ currentvalpos += llen;
+ memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
+ currentvalpos += SSL3_RANDOM_SIZE;
+ memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
+ currentvalpos += SSL3_RANDOM_SIZE;
+
+ if (use_context)
+ {
+ val[currentvalpos] = (contextlen >> 8) & 0xff;
+ currentvalpos++;
+ val[currentvalpos] = contextlen & 0xff;
+ currentvalpos++;
+ if ((contextlen > 0) || (context != NULL))
+ {
+ memcpy(val + currentvalpos, context, contextlen);
+ }
+ }
+
+ /* disallow prohibited labels
+ * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
+ * 15, so size of val > max(prohibited label len) = 15 and the
+ * comparisons won't have buffer overflow
+ */
+ if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
+ TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1;
+ if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
+ TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1;
+ if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1;
+ if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
+ TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
+
+ rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
+ val, vallen,
+ NULL, 0,
+ NULL, 0,
+ NULL, 0,
+ NULL, 0,
+ s->session->master_key,s->session->master_key_length,
+ out,buff,olen);
+
+#ifdef KSSL_DEBUG
+ printf ("tls1_export_keying_material() complete\n");
+#endif /* KSSL_DEBUG */
+ goto ret;
+err1:
+ SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
+ rv = 0;
+ goto ret;
+err2:
+ SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
+ rv = 0;
+ret:
+ if (buff != NULL) OPENSSL_free(buff);
+ if (val != NULL) OPENSSL_free(val);
+ return(rv);
+ }
+
int tls1_alert_code(int code)
{
switch (code)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index daa65c9..c094471 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -209,6 +209,7 @@ SSL3_ENC_METHOD TLSv1_enc_data={
TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
tls1_alert_code,
+ tls1_export_keying_material,
};
long tls1_default_timeout(void)
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 1fa96e5..7bbb875 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -231,6 +231,9 @@ extern "C" {
const char *SSL_get_servername(const SSL *s, const int type) ;
int SSL_get_servername_type(const SSL *s) ;
+int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ const char *label, size_t llen, const unsigned char *p, size_t plen,
+ int use_context);
#define SSL_set_tlsext_host_name(s,name) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)

31
deps/openssl/patches/x509_hash_name_algorithm_change.patch
View File

@ -1,31 +0,0 @@
--- openssl-1.0.0f-origin/crypto/x509/by_dir.c 2012-01-19 02:20:24.821550944 +0800
+++ openssl-1.0.0f/crypto/x509/by_dir.c 2012-01-19 23:36:53.597870429 +0800
@@ -287,6 +287,8 @@
int ok=0;
int i,j,k;
unsigned long h;
+ unsigned long hash_array[2];
+ int hash_index;
BUF_MEM *b=NULL;
X509_OBJECT stmp,*tmp;
const char *postfix="";
@@ -323,6 +325,11 @@
ctx=(BY_DIR *)xl->method_data;
h=X509_NAME_hash(name);
+ hash_array[0]=h;
+ hash_array[1]=X509_NAME_hash_old(name);
+ for (hash_index=0; hash_index < 2; hash_index++)
+ {
+ h=hash_array[hash_index];
for (i=0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++)
{
BY_DIR_ENTRY *ent;
@@ -476,6 +483,7 @@
goto finish;
}
}
+ }
finish:
if (b != NULL) BUF_MEM_free(b);
return(ok);
Write Preview
Loading…
Cancel
Save