tobi/M7350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

M7350v1_en_gpl

Browse Source
This commit is contained in:
T
2024-09-09 08:52:07 +00:00
commit f9cc65cfda
65988 changed files with 26357421 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
bootable/bootloader/lk/lib/openssl/patches/README Normal file
View File

@@ -0,0 +1,37 @@
progs.patch:
Fixup sources under the apps/ directory that are not built under the android environment.
small_records.patch:
Reduce OpenSSL memory consumption.
SSL records may be as large as 16K, but are typically < 2K. In
addition, a historic bug in Windows allowed records to be as large
32K. OpenSSL statically allocates read and write buffers (34K and
18K respectively) used for processing records.
With this patch, OpenSSL statically allocates 4K + 4K buffers, with
the option of dynamically growing buffers to 34K + 4K, which is a
saving of 44K per connection for the typical case.
handshake_cutthrough.patch
Enables SSL3+ clients to send application data immediately following the
Finished message even when negotiating full-handshakes. With this patch,
clients can negotiate SSL connections in 1-RTT even when performing
full-handshakes.
jsse.patch
Support for JSSE implementation based on OpenSSL.
secadv_20101116-2.patch
OpenSSL Security Advisory [16 November 2010]
TLS extension parsing race condition. (UPDATED)
CVE-2010-3864
http://www.openssl.org/news/secadv_20101116-2.txt

79
bootable/bootloader/lk/lib/openssl/patches/apps_Android.mk Normal file
View File

@@ -0,0 +1,79 @@
# Copyright 2006 The Android Open Source Project
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_SRC_FILES:= \
app_rand.c \
apps.c \
asn1pars.c \
ca.c \
ciphers.c \
crl.c \
crl2p7.c \
dgst.c \
dh.c \
dhparam.c \
dsa.c \
dsaparam.c \
ecparam.c \
ec.c \
enc.c \
engine.c \
errstr.c \
gendh.c \
gendsa.c \
genpkey.c \
genrsa.c \
nseq.c \
ocsp.c \
openssl.c \
passwd.c \
pkcs12.c \
pkcs7.c \
pkcs8.c \
pkey.c \
pkeyparam.c \
pkeyutl.c \
prime.c \
rand.c \
req.c \
rsa.c \
rsautl.c \
s_cb.c \
s_client.c \
s_server.c \
s_socket.c \
s_time.c \
sess_id.c \
smime.c \
speed.c \
spkac.c \
verify.c \
version.c \
x509.c
# cms.c ec.c s_server.c
LOCAL_SHARED_LIBRARIES := \
libssl \
libcrypto
LOCAL_C_INCLUDES := \
external/openssl \
external/openssl/include
LOCAL_CFLAGS := -DMONOLITH
include $(LOCAL_PATH)/../android-config.mk
# These flags omit whole features from the commandline "openssl".
# However, portions of these features are actually turned on.
LOCAL_CFLAGS += -DOPENSSL_NO_DTLS1
LOCAL_MODULE:= openssl
LOCAL_MODULE_TAGS := tests
include $(BUILD_EXECUTABLE)

538
bootable/bootloader/lk/lib/openssl/patches/crypto_Android.mk Normal file
View File

@@ -0,0 +1,538 @@
LOCAL_PATH:= $(call my-dir)
arm_cflags := -DOPENSSL_BN_ASM_MONT -DAES_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
arm_src_files := \
aes/asm/aes-armv4.s \
bn/asm/armv4-mont.s \
sha/asm/sha1-armv4-large.s \
sha/asm/sha256-armv4.s \
sha/asm/sha512-armv4.s
non_arm_src_files := aes/aes_core.c
local_src_files := \
cryptlib.c \
mem.c \
mem_clr.c \
mem_dbg.c \
cversion.c \
ex_data.c \
cpt_err.c \
ebcdic.c \
uid.c \
o_time.c \
o_str.c \
o_dir.c \
aes/aes_cbc.c \
aes/aes_cfb.c \
aes/aes_ctr.c \
aes/aes_ecb.c \
aes/aes_misc.c \
aes/aes_ofb.c \
aes/aes_wrap.c \
asn1/a_bitstr.c \
asn1/a_bool.c \
asn1/a_bytes.c \
asn1/a_d2i_fp.c \
asn1/a_digest.c \
asn1/a_dup.c \
asn1/a_enum.c \
asn1/a_gentm.c \
asn1/a_i2d_fp.c \
asn1/a_int.c \
asn1/a_mbstr.c \
asn1/a_object.c \
asn1/a_octet.c \
asn1/a_print.c \
asn1/a_set.c \
asn1/a_sign.c \
asn1/a_strex.c \
asn1/a_strnid.c \
asn1/a_time.c \
asn1/a_type.c \
asn1/a_utctm.c \
asn1/a_utf8.c \
asn1/a_verify.c \
asn1/ameth_lib.c \
asn1/asn1_err.c \
asn1/asn1_gen.c \
asn1/asn1_lib.c \
asn1/asn1_par.c \
asn1/asn_mime.c \
asn1/asn_moid.c \
asn1/asn_pack.c \
asn1/bio_asn1.c \
asn1/bio_ndef.c \
asn1/d2i_pr.c \
asn1/d2i_pu.c \
asn1/evp_asn1.c \
asn1/f_enum.c \
asn1/f_int.c \
asn1/f_string.c \
asn1/i2d_pr.c \
asn1/i2d_pu.c \
asn1/n_pkey.c \
asn1/nsseq.c \
asn1/p5_pbe.c \
asn1/p5_pbev2.c \
asn1/p8_pkey.c \
asn1/t_bitst.c \
asn1/t_crl.c \
asn1/t_pkey.c \
asn1/t_req.c \
asn1/t_spki.c \
asn1/t_x509.c \
asn1/t_x509a.c \
asn1/tasn_dec.c \
asn1/tasn_enc.c \
asn1/tasn_fre.c \
asn1/tasn_new.c \
asn1/tasn_prn.c \
asn1/tasn_typ.c \
asn1/tasn_utl.c \
asn1/x_algor.c \
asn1/x_attrib.c \
asn1/x_bignum.c \
asn1/x_crl.c \
asn1/x_exten.c \
asn1/x_info.c \
asn1/x_long.c \
asn1/x_name.c \
asn1/x_nx509.c \
asn1/x_pkey.c \
asn1/x_pubkey.c \
asn1/x_req.c \
asn1/x_sig.c \
asn1/x_spki.c \
asn1/x_val.c \
asn1/x_x509.c \
asn1/x_x509a.c \
bf/bf_cfb64.c \
bf/bf_ecb.c \
bf/bf_enc.c \
bf/bf_ofb64.c \
bf/bf_skey.c \
bio/b_dump.c \
bio/b_print.c \
bio/b_sock.c \
bio/bf_buff.c \
bio/bf_nbio.c \
bio/bf_null.c \
bio/bio_cb.c \
bio/bio_err.c \
bio/bio_lib.c \
bio/bss_acpt.c \
bio/bss_bio.c \
bio/bss_conn.c \
bio/bss_dgram.c \
bio/bss_fd.c \
bio/bss_file.c \
bio/bss_log.c \
bio/bss_mem.c \
bio/bss_null.c \
bio/bss_sock.c \
bn/bn_add.c \
bn/bn_asm.c \
bn/bn_blind.c \
bn/bn_ctx.c \
bn/bn_div.c \
bn/bn_err.c \
bn/bn_exp.c \
bn/bn_exp2.c \
bn/bn_gcd.c \
bn/bn_gf2m.c \
bn/bn_kron.c \
bn/bn_lib.c \
bn/bn_mod.c \
bn/bn_mont.c \
bn/bn_mpi.c \
bn/bn_mul.c \
bn/bn_nist.c \
bn/bn_prime.c \
bn/bn_print.c \
bn/bn_rand.c \
bn/bn_recp.c \
bn/bn_shift.c \
bn/bn_sqr.c \
bn/bn_sqrt.c \
bn/bn_word.c \
buffer/buf_err.c \
buffer/buffer.c \
comp/c_rle.c \
comp/c_zlib.c \
comp/comp_err.c \
comp/comp_lib.c \
conf/conf_api.c \
conf/conf_def.c \
conf/conf_err.c \
conf/conf_lib.c \
conf/conf_mall.c \
conf/conf_mod.c \
conf/conf_sap.c \
des/cbc_cksm.c \
des/cbc_enc.c \
des/cfb64ede.c \
des/cfb64enc.c \
des/cfb_enc.c \
des/des_enc.c \
des/des_old.c \
des/des_old2.c \
des/ecb3_enc.c \
des/ecb_enc.c \
des/ede_cbcm_enc.c \
des/enc_read.c \
des/enc_writ.c \
des/fcrypt.c \
des/fcrypt_b.c \
des/ofb64ede.c \
des/ofb64enc.c \
des/ofb_enc.c \
des/pcbc_enc.c \
des/qud_cksm.c \
des/rand_key.c \
des/read2pwd.c \
des/rpc_enc.c \
des/set_key.c \
des/str2key.c \
des/xcbc_enc.c \
dh/dh_ameth.c \
dh/dh_asn1.c \
dh/dh_check.c \
dh/dh_depr.c \
dh/dh_err.c \
dh/dh_gen.c \
dh/dh_key.c \
dh/dh_lib.c \
dh/dh_pmeth.c \
dsa/dsa_ameth.c \
dsa/dsa_asn1.c \
dsa/dsa_depr.c \
dsa/dsa_err.c \
dsa/dsa_gen.c \
dsa/dsa_key.c \
dsa/dsa_lib.c \
dsa/dsa_ossl.c \
dsa/dsa_pmeth.c \
dsa/dsa_prn.c \
dsa/dsa_sign.c \
dsa/dsa_vrf.c \
dso/dso_dl.c \
dso/dso_dlfcn.c \
dso/dso_err.c \
dso/dso_lib.c \
dso/dso_null.c \
dso/dso_openssl.c \
dso/dso_vms.c \
dso/dso_win32.c \
ec/ec2_mult.c \
ec/ec2_smpl.c \
ec/ec_ameth.c \
ec/ec_asn1.c \
ec/ec_check.c \
ec/ec_curve.c \
ec/ec_cvt.c \
ec/ec_err.c \
ec/ec_key.c \
ec/ec_lib.c \
ec/ec_mult.c \
ec/ec_pmeth.c \
ec/ec_print.c \
ec/eck_prn.c \
ec/ecp_mont.c \
ec/ecp_nist.c \
ec/ecp_smpl.c \
ecdh/ech_err.c \
ecdh/ech_key.c \
ecdh/ech_lib.c \
ecdh/ech_ossl.c \
ecdsa/ecs_asn1.c \
ecdsa/ecs_err.c \
ecdsa/ecs_lib.c \
ecdsa/ecs_ossl.c \
ecdsa/ecs_sign.c \
ecdsa/ecs_vrf.c \
err/err.c \
err/err_all.c \
err/err_prn.c \
evp/bio_b64.c \
evp/bio_enc.c \
evp/bio_md.c \
evp/bio_ok.c \
evp/c_all.c \
evp/c_allc.c \
evp/c_alld.c \
evp/digest.c \
evp/e_aes.c \
evp/e_bf.c \
evp/e_des.c \
evp/e_des3.c \
evp/e_null.c \
evp/e_old.c \
evp/e_rc2.c \
evp/e_rc4.c \
evp/e_rc5.c \
evp/e_xcbc_d.c \
evp/encode.c \
evp/evp_acnf.c \
evp/evp_enc.c \
evp/evp_err.c \
evp/evp_key.c \
evp/evp_lib.c \
evp/evp_pbe.c \
evp/evp_pkey.c \
evp/m_dss.c \
evp/m_dss1.c \
evp/m_ecdsa.c \
evp/m_md4.c \
evp/m_md5.c \
evp/m_mdc2.c \
evp/m_null.c \
evp/m_ripemd.c \
evp/m_sha1.c \
evp/m_sigver.c \
evp/m_wp.c \
evp/names.c \
evp/p5_crpt.c \
evp/p5_crpt2.c \
evp/p_dec.c \
evp/p_enc.c \
evp/p_lib.c \
evp/p_open.c \
evp/p_seal.c \
evp/p_sign.c \
evp/p_verify.c \
evp/pmeth_fn.c \
evp/pmeth_gn.c \
evp/pmeth_lib.c \
hmac/hm_ameth.c \
hmac/hm_pmeth.c \
hmac/hmac.c \
krb5/krb5_asn.c \
lhash/lh_stats.c \
lhash/lhash.c \
md4/md4_dgst.c \
md4/md4_one.c \
md5/md5_dgst.c \
md5/md5_one.c \
modes/cbc128.c \
modes/cfb128.c \
modes/ctr128.c \
modes/ofb128.c \
objects/o_names.c \
objects/obj_dat.c \
objects/obj_err.c \
objects/obj_lib.c \
objects/obj_xref.c \
ocsp/ocsp_asn.c \
ocsp/ocsp_cl.c \
ocsp/ocsp_err.c \
ocsp/ocsp_ext.c \
ocsp/ocsp_ht.c \
ocsp/ocsp_lib.c \
ocsp/ocsp_prn.c \
ocsp/ocsp_srv.c \
ocsp/ocsp_vfy.c \
pem/pem_all.c \
pem/pem_err.c \
pem/pem_info.c \
pem/pem_lib.c \
pem/pem_oth.c \
pem/pem_pk8.c \
pem/pem_pkey.c \
pem/pem_seal.c \
pem/pem_sign.c \
pem/pem_x509.c \
pem/pem_xaux.c \
pem/pvkfmt.c \
pkcs12/p12_add.c \
pkcs12/p12_asn.c \
pkcs12/p12_attr.c \
pkcs12/p12_crpt.c \
pkcs12/p12_crt.c \
pkcs12/p12_decr.c \
pkcs12/p12_init.c \
pkcs12/p12_key.c \
pkcs12/p12_kiss.c \
pkcs12/p12_mutl.c \
pkcs12/p12_npas.c \
pkcs12/p12_p8d.c \
pkcs12/p12_p8e.c \
pkcs12/p12_utl.c \
pkcs12/pk12err.c \
pkcs7/pk7_asn1.c \
pkcs7/pk7_attr.c \
pkcs7/pk7_doit.c \
pkcs7/pk7_lib.c \
pkcs7/pk7_mime.c \
pkcs7/pk7_smime.c \
pkcs7/pkcs7err.c \
rand/md_rand.c \
rand/rand_egd.c \
rand/rand_err.c \
rand/rand_lib.c \
rand/rand_unix.c \
rand/randfile.c \
rc2/rc2_cbc.c \
rc2/rc2_ecb.c \
rc2/rc2_skey.c \
rc2/rc2cfb64.c \
rc2/rc2ofb64.c \
rc4/rc4_enc.c \
rc4/rc4_skey.c \
ripemd/rmd_dgst.c \
ripemd/rmd_one.c \
rsa/rsa_ameth.c \
rsa/rsa_asn1.c \
rsa/rsa_chk.c \
rsa/rsa_eay.c \
rsa/rsa_err.c \
rsa/rsa_gen.c \
rsa/rsa_lib.c \
rsa/rsa_none.c \
rsa/rsa_null.c \
rsa/rsa_oaep.c \
rsa/rsa_pk1.c \
rsa/rsa_pmeth.c \
rsa/rsa_prn.c \
rsa/rsa_pss.c \
rsa/rsa_saos.c \
rsa/rsa_sign.c \
rsa/rsa_ssl.c \
rsa/rsa_x931.c \
sha/sha1_one.c \
sha/sha1dgst.c \
sha/sha256.c \
sha/sha512.c \
sha/sha_dgst.c \
stack/stack.c \
ts/ts_err.c \
txt_db/txt_db.c \
ui/ui_compat.c \
ui/ui_err.c \
ui/ui_lib.c \
ui/ui_openssl.c \
ui/ui_util.c \
x509/by_dir.c \
x509/by_file.c \
x509/x509_att.c \
x509/x509_cmp.c \
x509/x509_d2.c \
x509/x509_def.c \
x509/x509_err.c \
x509/x509_ext.c \
x509/x509_lu.c \
x509/x509_obj.c \
x509/x509_r2x.c \
x509/x509_req.c \
x509/x509_set.c \
x509/x509_trs.c \
x509/x509_txt.c \
x509/x509_v3.c \
x509/x509_vfy.c \
x509/x509_vpm.c \
x509/x509cset.c \
x509/x509name.c \
x509/x509rset.c \
x509/x509spki.c \
x509/x509type.c \
x509/x_all.c \
x509v3/pcy_cache.c \
x509v3/pcy_data.c \
x509v3/pcy_lib.c \
x509v3/pcy_map.c \
x509v3/pcy_node.c \
x509v3/pcy_tree.c \
x509v3/v3_akey.c \
x509v3/v3_akeya.c \
x509v3/v3_alt.c \
x509v3/v3_bcons.c \
x509v3/v3_bitst.c \
x509v3/v3_conf.c \
x509v3/v3_cpols.c \
x509v3/v3_crld.c \
x509v3/v3_enum.c \
x509v3/v3_extku.c \
x509v3/v3_genn.c \
x509v3/v3_ia5.c \
x509v3/v3_info.c \
x509v3/v3_int.c \
x509v3/v3_lib.c \
x509v3/v3_ncons.c \
x509v3/v3_ocsp.c \
x509v3/v3_pci.c \
x509v3/v3_pcia.c \
x509v3/v3_pcons.c \
x509v3/v3_pku.c \
x509v3/v3_pmaps.c \
x509v3/v3_prn.c \
x509v3/v3_purp.c \
x509v3/v3_skey.c \
x509v3/v3_sxnet.c \
x509v3/v3_utl.c \
x509v3/v3err.c
local_c_includes := \
external/openssl \
external/openssl/crypto/asn1 \
external/openssl/crypto/evp \
external/openssl/include \
external/openssl/include/openssl \
external/zlib
local_c_flags := -DNO_WINDOWS_BRAINDEATH
#######################################
# target
include $(CLEAR_VARS)
include $(LOCAL_PATH)/../android-config.mk
LOCAL_SRC_FILES += $(local_src_files)
LOCAL_CFLAGS += $(local_c_flags)
LOCAL_C_INCLUDES += $(local_c_includes)
LOCAL_SHARED_LIBRARIES += libz
ifeq ($(TARGET_ARCH),arm)
LOCAL_SRC_FILES += $(arm_src_files)
LOCAL_CFLAGS += $(arm_cflags)
else
LOCAL_SRC_FILES += $(non_arm_src_files)
endif
ifeq ($(TARGET_SIMULATOR),true)
# Make valgrind happy.
LOCAL_CFLAGS += -DPURIFY
LOCAL_LDLIBS += -ldl
else
LOCAL_SHARED_LIBRARIES += libdl
endif
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE:= libcrypto
include $(BUILD_SHARED_LIBRARY)
#######################################
# host shared library
ifeq ($(WITH_HOST_DALVIK),true)
include $(CLEAR_VARS)
include $(LOCAL_PATH)/../android-config.mk
LOCAL_SRC_FILES += $(local_src_files)
LOCAL_CFLAGS += $(local_c_flags) -DPURIFY
LOCAL_C_INCLUDES += $(local_c_includes)
LOCAL_SRC_FILES += $(non_arm_src_files)
LOCAL_STATIC_LIBRARIES += libz
LOCAL_LDLIBS += -ldl
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE:= libcrypto
include $(BUILD_HOST_SHARED_LIBRARY)
endif
########################################
# host static library, which is used by some SDK tools.
include $(CLEAR_VARS)
include $(LOCAL_PATH)/../android-config.mk
LOCAL_SRC_FILES += $(local_src_files)
LOCAL_CFLAGS += $(local_c_flags) -DPURIFY
LOCAL_C_INCLUDES += $(local_c_includes)
LOCAL_SRC_FILES += $(non_arm_src_files)
LOCAL_STATIC_LIBRARIES += libz
LOCAL_LDLIBS += -ldl
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE:= libcrypto_static
include $(BUILD_HOST_STATIC_LIBRARY)

275
bootable/bootloader/lk/lib/openssl/patches/handshake_cutthrough.patch Normal file
View File

@@ -0,0 +1,275 @@
diff -uarp openssl-1.0.0.orig/apps/s_client.c openssl-1.0.0/apps/s_client.c
--- openssl-1.0.0.orig/apps/s_client.c 2009-12-16 15:28:28.000000000 -0500
+++ openssl-1.0.0/apps/s_client.c 2010-04-21 14:39:49.000000000 -0400
@@ -248,6 +248,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err," -status - request certificate status from server\n");
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+ BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n");
#endif
}
@@ -304,6 +305,7 @@ int MAIN(int argc, char **argv)
EVP_PKEY *key = NULL;
char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
+ int cutthrough=0;
int crlf=0;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL;
@@ -533,6 +535,8 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-no_ticket") == 0)
{ off|=SSL_OP_NO_TICKET; }
#endif
+ else if (strcmp(*argv,"-cutthrough") == 0)
+ cutthrough=1;
else if (strcmp(*argv,"-serverpref") == 0)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-cipher") == 0)
@@ -714,6 +718,15 @@ bad:
*/
if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
+ /* Enable handshake cutthrough for client connections using
+ * strong ciphers. */
+ if (cutthrough)
+ {
+ int ssl_mode = SSL_CTX_get_mode(ctx);
+ ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH;
+ SSL_CTX_set_mode(ctx, ssl_mode);
+ }
+
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
if (cipher != NULL)
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
diff -uarp openssl-1.0.0.orig/ssl/s3_clnt.c openssl-1.0.0/ssl/s3_clnt.c
--- openssl-1.0.0.orig/ssl/s3_clnt.c 2010-02-27 19:24:24.000000000 -0500
+++ openssl-1.0.0/ssl/s3_clnt.c 2010-04-21 14:39:49.000000000 -0400
@@ -186,6 +186,18 @@ int ssl3_connect(SSL *s)
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+#if 0 /* Send app data in separate packet, otherwise, some particular site
+ * (only one site so far) closes the socket.
+ * Note: there is a very small chance that two TCP packets
+ * could be arriving at server combined into a single TCP packet,
+ * then trigger that site to break. We haven't encounter that though.
+ */
+ if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
+ {
+ /* Send app data along with CCS/Finished */
+ s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
+ }
+#endif
for (;;)
{
@@ -454,14 +468,31 @@ int ssl3_connect(SSL *s)
}
else
{
-#ifndef OPENSSL_NO_TLSEXT
- /* Allow NewSessionTicket if ticket expected */
- if (s->tlsext_ticket_expected)
- s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
+ if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128
+ && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
+ )
+ {
+ if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
+ {
+ s->state=SSL3_ST_CUTTHROUGH_COMPLETE;
+ s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
+ s->s3->delay_buf_pop_ret=0;
+ }
+ else
+ {
+ s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
+ }
+ }
else
+ {
+#ifndef OPENSSL_NO_TLSEXT
+ /* Allow NewSessionTicket if ticket expected */
+ if (s->tlsext_ticket_expected)
+ s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
+ else
#endif
-
- s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+ s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+ }
}
s->init_num=0;
break;
@@ -512,6 +541,24 @@ int ssl3_connect(SSL *s)
s->state=s->s3->tmp.next_state;
break;
+ case SSL3_ST_CUTTHROUGH_COMPLETE:
+#ifndef OPENSSL_NO_TLSEXT
+ /* Allow NewSessionTicket if ticket expected */
+ if (s->tlsext_ticket_expected)
+ s->state=SSL3_ST_CR_SESSION_TICKET_A;
+ else
+#endif
+ s->state=SSL3_ST_CR_FINISHED_A;
+
+ /* SSL_write() will take care of flushing buffered data if
+ * DELAY_CLIENT_FINISHED is set.
+ */
+ if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED))
+ ssl_free_wbio_buffer(s);
+ ret = 1;
+ goto end;
+ /* break; */
+
case SSL_ST_OK:
/* clean a few things up */
ssl3_cleanup_key_block(s);
diff -uarp openssl-1.0.0.orig/ssl/s3_lib.c openssl-1.0.0/ssl/s3_lib.c
-- openssl-1.0.0.orig/ssl/s3_lib.c 2009-10-16 11:24:19.000000000 -0400
+++ openssl-1.0.0/ssl/s3_lib.c 2010-04-21 14:39:49.000000000 -0400
@@ -2551,9 +2551,22 @@ int ssl3_write(SSL *s, const void *buf,
static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
{
- int ret;
+ int n,ret;
clear_sys_error();
+ if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
+ {
+ /* Deal with an application that calls SSL_read() when handshake data
+ * is yet to be written.
+ */
+ if (BIO_wpending(s->wbio) > 0)
+ {
+ s->rwstate=SSL_WRITING;
+ n=BIO_flush(s->wbio);
+ if (n <= 0) return(n);
+ s->rwstate=SSL_NOTHING;
+ }
+ }
if (s->s3->renegotiate) ssl3_renegotiate_check(s);
s->s3->in_read_app_data=1;
ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
diff -uarp openssl-1.0.0.orig/ssl/ssl.h openssl-1.0.0/ssl/ssl.h
--- openssl-1.0.0.orig/ssl/ssl.h 2010-01-06 12:37:38.000000000 -0500
+++ openssl-1.0.0/ssl/ssl.h 2010-04-21 16:57:49.000000000 -0400
@@ -605,6 +605,10 @@ typedef struct ssl_session_st
/* Use small read and write buffers: (a) lazy allocate read buffers for
* large incoming records, and (b) limit the size of outgoing records. */
#define SSL_MODE_SMALL_BUFFERS 0x00000020L
+/* When set, clients may send application data before receipt of CCS
+ * and Finished. This mode enables full-handshakes to 'complete' in
+ * one RTT. */
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000040L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
@@ -1097,10 +1101,12 @@ extern "C" {
/* Is the SSL_connection established? */
#define SSL_get_state(a) SSL_state(a)
#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
-#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
+#define SSL_in_init(a) ((SSL_state(a)&SSL_ST_INIT) && \
+ !SSL_cutthrough_complete(a))
#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
+int SSL_cutthrough_complete(const SSL *s);
/* The following 2 states are kept in ssl->rstate when reads fail,
* you should not need these */
Only in openssl-1.0.0/ssl: ssl.h.orig
diff -uarp openssl-1.0.0.orig/ssl/ssl3.h openssl-1.0.0/ssl/ssl3.h
-- openssl-1.0.0.orig/ssl/ssl3.h 2010-01-06 12:37:38.000000000 -0500
+++ openssl-1.0.0/ssl/ssl3.h 2010-04-21 14:39:49.000000000 -0400
@@ -456,6 +456,7 @@ typedef struct ssl3_state_st
/*client */
/* extra state */
#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
+#define SSL3_ST_CUTTHROUGH_COMPLETE (0x101|SSL_ST_CONNECT)
/* write to server */
#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
diff -uarp openssl-1.0.0.orig/ssl/ssl_lib.c openssl-1.0.0/ssl/ssl_lib.c
--- openssl-1.0.0.orig/ssl/ssl_lib.c 2010-02-17 14:43:46.000000000 -0500
+++ openssl-1.0.0/ssl/ssl_lib.c 2010-04-21 17:02:45.000000000 -0400
@@ -3031,6 +3031,19 @@ void SSL_set_msg_callback(SSL *ssl, void
SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
}
+int SSL_cutthrough_complete(const SSL *s)
+ {
+ return (!s->server && /* cutthrough only applies to clients */
+ !s->hit && /* full-handshake */
+ s->version >= SSL3_VERSION &&
+ s->s3->in_read_app_data == 0 && /* cutthrough only applies to write() */
+ (SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* cutthrough enabled */
+ SSL_get_cipher_bits(s, NULL) >= 128 && /* strong cipher choosen */
+ s->s3->previous_server_finished_len == 0 && /* not a renegotiation handshake */
+ (s->state == SSL3_ST_CR_SESSION_TICKET_A || /* ready to write app-data*/
+ s->state == SSL3_ST_CR_FINISHED_A));
+ }
+
/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
* vairable, freeing EVP_MD_CTX previously stored in that variable, if
* any. If EVP_MD pointer is passed, initializes ctx with this md
diff -uarp openssl-1.0.0.orig/ssl/ssltest.c openssl-1.0.0/ssl/ssltest.c
--- openssl-1.0.0.orig/ssl/ssltest.c 2010-01-24 11:57:38.000000000 -0500
+++ openssl-1.0.0/ssl/ssltest.c 2010-04-21 17:06:35.000000000 -0400
@@ -279,6 +279,7 @@ static void sv_usage(void)
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
+ fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -436,6 +437,7 @@ int main(int argc, char *argv[])
int ssl_mode = 0;
int c_small_records=0;
int s_small_records=0;
+ int cutthrough = 0;
verbose = 0;
debug = 0;
@@ -632,6 +634,10 @@ int main(int argc, char *argv[])
{
s_small_records = 1;
}
+ else if (strcmp(*argv, "-cutthrough") == 0)
+ {
+ cutthrough = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
@@ -782,6 +788,13 @@ bad:
ssl_mode |= SSL_MODE_SMALL_BUFFERS;
SSL_CTX_set_mode(s_ctx, ssl_mode);
}
+ ssl_mode = 0;
+ if (cutthrough)
+ {
+ ssl_mode = SSL_CTX_get_mode(c_ctx);
+ ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
+ SSL_CTX_set_mode(c_ctx, ssl_mode);
+ }
#ifndef OPENSSL_NO_DH
if (!no_dhe)
diff -uarp openssl-1.0.0.orig/test/testssl openssl-1.0.0/test/testssl
--- openssl-1.0.0.orig/test/testssl 2006-03-10 18:06:27.000000000 -0500
+++ openssl-1.0.0/test/testssl 2010-04-21 16:50:13.000000000 -0400
@@ -79,6 +79,8 @@ $ssltest -server_auth -client_auth -s_sm
echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
$ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
+echo test sslv2/sslv3 with both client and server authentication and handshake cutthrough
+$ssltest -server_auth -client_auth -cutthrough $CA $extra || exit 1
echo test sslv2 via BIO pair
$ssltest -bio_pair -ssl2 $extra || exit 1

297
bootable/bootloader/lk/lib/openssl/patches/jsse.patch Normal file
View File

@@ -0,0 +1,297 @@
--- openssl-1.0.0.orig/ssl/ssl.h 2010-07-13 22:24:27.000000000 +0000
+++ openssl-1.0.0/ssl/ssl.h 2010-07-13 22:24:27.000000000 +0000
@@ -1090,6 +1090,9 @@ struct ssl_st
/* This can also be in the session once a session is established */
SSL_SESSION *session;
+ /* This can be disabled to prevent the use of uncached sessions */
+ int session_creation_enabled;
+
/* Default generate session ID callback. */
GEN_SESSION_CB generate_session_id;
@@ -1509,6 +1512,7 @@ BIO * SSL_get_rbio(const SSL *s);
BIO * SSL_get_wbio(const SSL *s);
#endif
int SSL_set_cipher_list(SSL *s, const char *str);
+int SSL_set_cipher_lists(SSL *s, STACK_OF(SSL_CIPHER) *sk);
void SSL_set_read_ahead(SSL *s, int yes);
int SSL_get_verify_mode(const SSL *s);
int SSL_get_verify_depth(const SSL *s);
@@ -1524,6 +1528,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKE
int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
int SSL_use_certificate(SSL *ssl, X509 *x);
int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
+int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain);
+STACK_OF(X509) * SSL_get_certificate_chain(SSL *ssl, X509 *x);
#ifndef OPENSSL_NO_STDIO
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
@@ -1568,6 +1574,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_
void SSL_SESSION_free(SSL_SESSION *ses);
int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
int SSL_set_session(SSL *to, SSL_SESSION *session);
+void SSL_set_session_creation_enabled(SSL *, int);
int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
@@ -2009,6 +2016,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
#define SSL_F_SSL_USE_CERTIFICATE 198
#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
+#define SSL_F_SSL_USE_CERTIFICATE_CHAIN 2000
#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
#define SSL_F_SSL_USE_PRIVATEKEY 201
#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
@@ -2213,6 +2221,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
#define SSL_R_SERVERHELLO_TLSEXT 275
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
+#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000
#define SSL_R_SHORT_READ 219
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
--- openssl-1.0.0.orig/ssl/d1_clnt.c 2010-01-26 19:46:29.000000000 +0000
+++ openssl-1.0.0/ssl/d1_clnt.c 2010-07-13 22:24:27.000000000 +0000
@@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s)
#endif
(s->session->not_resumable))
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
goto err;
}
--- openssl-1.0.0.orig/ssl/s23_clnt.c 2010-02-16 14:20:40.000000000 +0000
+++ openssl-1.0.0/ssl/s23_clnt.c 2010-07-13 22:24:27.000000000 +0000
@@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s
/* Since, if we are sending a ssl23 client hello, we are not
* reusing a session-id */
+ if (!s->session_creation_enabled)
+ {
+ if (!(s->client_version == SSL2_VERSION))
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
goto err;
--- openssl-1.0.0.orig/ssl/s3_both.c 2010-07-13 22:24:27.000000000 +0000
+++ openssl-1.0.0/ssl/s3_both.c 2010-07-13 22:24:27.000000000 +0000
@@ -322,8 +322,11 @@ unsigned long ssl3_output_cert_chain(SSL
unsigned long l=7;
BUF_MEM *buf;
int no_chain;
+ STACK_OF(X509) *cert_chain;
- if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
+ cert_chain = SSL_get_certificate_chain(s, x);
+
+ if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs || cert_chain)
no_chain = 1;
else
no_chain = 0;
@@ -375,6 +378,10 @@ unsigned long ssl3_output_cert_chain(SSL
return(0);
}
+ for (i=0; i<sk_X509_num(cert_chain); i++)
+ if (ssl3_add_cert_to_buf(buf, &l, sk_X509_value(cert_chain,i)))
+ return(0);
+
l-=7;
p=(unsigned char *)&(buf->data[4]);
l2n3(l,p);
--- openssl-1.0.0.orig/ssl/s3_clnt.c 2010-07-13 22:24:27.000000000 +0000
+++ openssl-1.0.0/ssl/s3_clnt.c 2010-07-13 22:24:27.000000000 +0000
@@ -668,6 +668,12 @@ int ssl3_client_hello(SSL *s)
#endif
(sess->not_resumable))
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
goto err;
}
@@ -876,6 +882,12 @@ int ssl3_get_server_hello(SSL *s)
s->hit=0;
if (s->session->session_id_length > 0)
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,0))
{
al=SSL_AD_INTERNAL_ERROR;
--- openssl-1.0.0.orig/ssl/s3_srvr.c 2010-02-27 23:04:10.000000000 +0000
+++ openssl-1.0.0/ssl/s3_srvr.c 2010-07-13 22:24:27.000000000 +0000
@@ -869,6 +869,12 @@ int ssl3_get_client_hello(SSL *s)
*/
if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,1))
goto err;
}
@@ -883,6 +889,12 @@ int ssl3_get_client_hello(SSL *s)
goto err;
else /* i == 0 */
{
+ if (!s->session_creation_enabled)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ goto err;
+ }
if (!ssl_get_new_session(s,1))
goto err;
}
--- openssl-1.0.0.orig/ssl/ssl_err.c 2010-01-06 17:37:38.000000000 +0000
+++ openssl-1.0.0/ssl/ssl_err.c 2010-07-13 22:24:27.000000000 +0000
@@ -462,6 +462,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
+{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"},
{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
--- openssl-1.0.0.orig/ssl/ssl_lib.c 2010-07-13 22:24:27.000000000 +0000
+++ openssl-1.0.0/ssl/ssl_lib.c 2010-07-13 22:24:27.000000000 +0000
@@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx)
OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
s->verify_callback=ctx->default_verify_callback;
+ s->session_creation_enabled=1;
s->generate_session_id=ctx->generate_session_id;
s->param = X509_VERIFY_PARAM_new();
@@ -1303,6 +1304,32 @@ int SSL_set_cipher_list(SSL *s,const cha
return 1;
}
+/** specify the ciphers to be used by the SSL */
+int SSL_set_cipher_lists(SSL *s,STACK_OF(SSL_CIPHER) *sk)
+ {
+ STACK_OF(SSL_CIPHER) *tmp_cipher_list;
+
+ if (sk == NULL)
+ return 0;
+
+ /* Based on end of ssl_create_cipher_list */
+ tmp_cipher_list = sk_SSL_CIPHER_dup(sk);
+ if (tmp_cipher_list == NULL)
+ {
+ return 0;
+ }
+ if (s->cipher_list != NULL)
+ sk_SSL_CIPHER_free(s->cipher_list);
+ s->cipher_list = sk;
+ if (s->cipher_list_by_id != NULL)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+ s->cipher_list_by_id = tmp_cipher_list;
+ (void)sk_SSL_CIPHER_set_cmp_func(s->cipher_list_by_id,ssl_cipher_ptr_id_cmp);
+
+ sk_SSL_CIPHER_sort(s->cipher_list_by_id);
+ return 1;
+ }
+
/* works well for SSLv2, not so good for SSLv3 */
char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
{
--- openssl-1.0.0.orig/ssl/ssl_locl.h 2009-12-08 11:38:18.000000000 +0000
+++ openssl-1.0.0/ssl/ssl_locl.h 2010-07-13 22:24:27.000000000 +0000
@@ -456,6 +456,7 @@
typedef struct cert_pkey_st
{
X509 *x509;
+ STACK_OF(X509) *cert_chain;
EVP_PKEY *privatekey;
} CERT_PKEY;
--- openssl-1.0.0.orig/ssl/ssl_rsa.c 2009-09-12 23:09:26.000000000 +0000
+++ openssl-1.0.0/ssl/ssl_rsa.c 2010-07-13 22:24:27.000000000 +0000
@@ -697,6 +697,42 @@ int SSL_CTX_use_PrivateKey_ASN1(int type
}
+int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain)
+ {
+ if (ssl == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,ERR_R_PASSED_NULL_PARAMETER);
+ return(0);
+ }
+ if (ssl->cert == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return(0);
+ }
+ if (ssl->cert->key == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return(0);
+ }
+ ssl->cert->key->cert_chain = cert_chain;
+ return(1);
+ }
+
+STACK_OF(X509) *SSL_get_certificate_chain(SSL *ssl, X509 *x)
+ {
+ int i;
+ if (x == NULL)
+ return NULL;
+ if (ssl == NULL)
+ return NULL;
+ if (ssl->cert == NULL)
+ return NULL;
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ if (ssl->cert->pkeys[i].x509 == x)
+ return ssl->cert->pkeys[i].cert_chain;
+ return NULL;
+ }
+
#ifndef OPENSSL_NO_STDIO
/* Read a file that contains our certificate in "PEM" format,
* possibly followed by a sequence of CA certificates that should be
--- openssl-1.0.0.orig/ssl/ssl_sess.c 2010-02-01 16:49:42.000000000 +0000
+++ openssl-1.0.0/ssl/ssl_sess.c 2010-07-13 22:24:27.000000000 +0000
@@ -261,6 +261,11 @@ static int def_generate_session_id(const
return 0;
}
+void SSL_set_session_creation_enabled (SSL *s, int creation_enabled)
+ {
+ s->session_creation_enabled = creation_enabled;
+ }
+
int ssl_get_new_session(SSL *s, int session)
{
/* This gets used by clients and servers. */
@@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess
SSL_SESSION *ss=NULL;
GEN_SESSION_CB cb = def_generate_session_id;
+ /* caller should check this if they can do better error handling */
+ if (!s->session_creation_enabled) return(0);
if ((ss=SSL_SESSION_new()) == NULL) return(0);
/* If the context has a default timeout, use it */

54
bootable/bootloader/lk/lib/openssl/patches/progs.patch Normal file
View File

@@ -0,0 +1,54 @@
--- openssl-1.0.0.orig/apps/openssl.c 2009-10-04 09:43:21.000000000 -0700
+++ openssl-1.0.0/apps/openssl.c 2010-05-18 14:05:14.000000000 -0700
@@ -275,8 +275,10 @@ int main(int Argc, char *Argv[])
if (ERR_GET_REASON(ERR_peek_last_error())
== CONF_R_NO_SUCH_FILE)
{
+#if 0 /* ANDROID */
BIO_printf(bio_err,
"WARNING: can't open config file: %s\n",p);
+#endif
ERR_clear_error();
NCONF_free(config);
config = NULL;
--- openssl-1.0.0.orig/apps/progs.h 2009-06-30 08:08:38.000000000 -0700
+++ openssl-1.0.0/apps/progs.h 2010-05-18 14:05:38.000000000 -0700
@@ -146,7 +152,9 @@ FUNCTION functions[] = {
{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
#endif
{FUNC_TYPE_GENERAL,"prime",prime_main},
+#if 0 /* ANDROID */
{FUNC_TYPE_GENERAL,"ts",ts_main},
+#endif
#ifndef OPENSSL_NO_MD2
{FUNC_TYPE_MD,"md2",dgst_main},
#endif
--- openssl-1.0.0.orig/apps/speed.c 2010-03-03 11:56:17.000000000 -0800
+++ openssl-1.0.0/apps/speed.c 2010-05-18 14:05:57.000000000 -0700
@@ -1718,6 +1718,7 @@ int MAIN(int argc, char **argv)
}
}
+#if 0 /* ANDROID */
if (doit[D_IGE_128_AES])
{
for (j=0; j<SIZE_NUM; j++)
@@ -1763,6 +1764,7 @@ int MAIN(int argc, char **argv)
#endif
+#endif
#ifndef OPENSSL_NO_CAMELLIA
if (doit[D_CBC_128_CML])
{
--- openssl-1.0.0.orig/crypto/ui/ui_openssl.c 2009-10-04 09:43:21.000000000 -0700
+++ openssl-1.0.0/crypto/ui/ui_openssl.c 2010-05-18 13:36:26.000000000 -0700
@@ -184,7 +184,7 @@
# undef SGTTY
#endif
-#if defined(linux) && !defined(TERMIO)
+#if defined(linux) && !defined(TERMIO) && !defined(__ANDROID__)
# undef TERMIOS
# define TERMIO
# undef SGTTY

99
bootable/bootloader/lk/lib/openssl/patches/secadv_20101116-2.patch Normal file
View File

@@ -0,0 +1,99 @@
--- openssl-1.0.0.orig/ssl/t1_lib.c 15 Jun 2010 17:25:15 -0000 1.64.2.14
+++ openssl-1.0.0/ssl/t1_lib.c 15 Nov 2010 15:26:19 -0000
@@ -714,14 +714,23 @@
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
@@ -734,7 +743,8 @@
}
else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
@@ -765,15 +775,22 @@
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
- s->session->tlsext_ecpointformatlist_length = 0;
- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ if (!s->hit)
{
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ecpointformatlist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = 0;
+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
}
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
#if 0
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
sdata = s->session->tlsext_ecpointformatlist;
@@ -794,15 +811,22 @@
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
- s->session->tlsext_ellipticcurvelist_length = 0;
- if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
- if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ if (!s->hit)
{
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ellipticcurvelist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = 0;
+ if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+ memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
}
- s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
- memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
#if 0
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
sdata = s->session->tlsext_ellipticcurvelist;

337
bootable/bootloader/lk/lib/openssl/patches/small_records.patch Normal file
View File

@@ -0,0 +1,337 @@
--- openssl-1.0.0a.orig/ssl/d1_pkt.c 2010-04-14 00:09:55.000000000 +0000
+++ openssl-1.0.0a/ssl/d1_pkt.c 2010-08-25 21:12:39.000000000 +0000
@@ -608,6 +608,24 @@ again:
goto again;
}
+ /* If we receive a valid record larger than the current buffer size,
+ * allocate some memory for it.
+ */
+ if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH)
+ {
+ unsigned char *pp;
+ unsigned int newlen = rr->length + DTLS1_RT_HEADER_LENGTH;
+ if ((pp=OPENSSL_realloc(s->s3->rbuf.buf, newlen))==NULL)
+ {
+ SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILURE);
+ return(-1);
+ }
+ p = pp + (p - s->s3->rbuf.buf);
+ s->s3->rbuf.buf=pp;
+ s->s3->rbuf.len=newlen;
+ s->packet= &(s->s3->rbuf.buf[0]);
+ }
+
/* now s->rstate == SSL_ST_READ_BODY */
}
@@ -1342,6 +1360,7 @@ int do_dtls1_write(SSL *s, int type, con
SSL3_BUFFER *wb;
SSL_SESSION *sess;
int bs;
+ unsigned int len_with_overhead = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
/* first check if there is a SSL3_BUFFER still being written
* out. This will happen with non blocking IO */
@@ -1351,6 +1370,16 @@ int do_dtls1_write(SSL *s, int type, con
return(ssl3_write_pending(s,type,buf,len));
}
+ if (s->s3->wbuf.len < len_with_overhead)
+ {
+ if ((p=OPENSSL_realloc(s->s3->wbuf.buf, len_with_overhead)) == NULL) {
+ SSLerr(SSL_F_DO_DTLS1_WRITE,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ s->s3->wbuf.buf = p;
+ s->s3->wbuf.len = len_with_overhead;
+ }
+
/* If we have an alert to send, lets send it */
if (s->s3->alert_dispatch)
{
--- openssl-1.0.0a.orig/ssl/s23_srvr.c 2010-02-16 14:20:40.000000000 +0000
+++ openssl-1.0.0a/ssl/s23_srvr.c 2010-08-25 21:12:39.000000000 +0000
@@ -403,8 +403,13 @@ int ssl23_get_client_hello(SSL *s)
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
v[1] = p[4];
+/* The SSL2 protocol allows n to be larger, just pick
+ * a reasonable buffer size. */
+#if SSL3_RT_DEFAULT_PACKET_SIZE < 1024*4 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
+#error "SSL3_RT_DEFAULT_PACKET_SIZE is too small."
+#endif
n=((p[0]&0x7f)<<8)|p[1];
- if (n > (1024*4))
+ if (n > SSL3_RT_DEFAULT_PACKET_SIZE - 2)
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
goto err;
--- openssl-1.0.0a.orig/ssl/s3_both.c 2010-03-24 23:16:49.000000000 +0000
+++ openssl-1.0.0a/ssl/s3_both.c 2010-08-25 21:12:39.000000000 +0000
@@ -715,13 +722,20 @@ int ssl3_setup_read_buffer(SSL *s)
if (s->s3->rbuf.buf == NULL)
{
- len = SSL3_RT_MAX_PLAIN_LENGTH
- + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
- + headerlen + align;
- if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+ if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
{
- s->s3->init_extra = 1;
- len += SSL3_RT_MAX_EXTRA;
+ len = SSL3_RT_DEFAULT_PACKET_SIZE;
+ }
+ else
+ {
+ len = SSL3_RT_MAX_PLAIN_LENGTH
+ + SSL3_RT_MAX_ENCRYPTED_OVERHEAD
+ + headerlen + align;
+ if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+ {
+ s->s3->init_extra = 1;
+ len += SSL3_RT_MAX_EXTRA;
+ }
}
#ifndef OPENSSL_NO_COMP
if (!(s->options & SSL_OP_NO_COMPRESSION))
@@ -757,7 +771,15 @@ int ssl3_setup_write_buffer(SSL *s)
if (s->s3->wbuf.buf == NULL)
{
- len = s->max_send_fragment
+ if (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)
+ {
+ len = SSL3_RT_DEFAULT_PACKET_SIZE;
+ }
+ else
+ {
+ len = s->max_send_fragment;
+ }
+ len += 0
+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
+ headerlen + align;
#ifndef OPENSSL_NO_COMP
@@ -767,7 +789,6 @@ int ssl3_setup_write_buffer(SSL *s)
if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
len += headerlen + align
+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
-
if ((p=freelist_extract(s->ctx, 0, len)) == NULL)
goto err;
s->s3->wbuf.buf = p;
@@ -810,4 +831,3 @@ int ssl3_release_read_buffer(SSL *s)
}
return 1;
}
-
--- openssl-1.0.0a.orig/ssl/s3_pkt.c 2010-03-25 11:22:42.000000000 +0000
+++ openssl-1.0.0a/ssl/s3_pkt.c 2010-08-25 21:12:39.000000000 +0000
@@ -293,6 +293,11 @@ static int ssl3_get_record(SSL *s)
size_t extra;
int decryption_failed_or_bad_record_mac = 0;
unsigned char *mac = NULL;
+#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+ long align=SSL3_ALIGN_PAYLOAD;
+#else
+ long align=0;
+#endif
rr= &(s->s3->rrec);
sess=s->session;
@@ -301,7 +306,8 @@ static int ssl3_get_record(SSL *s)
extra=SSL3_RT_MAX_EXTRA;
else
extra=0;
- if (extra && !s->s3->init_extra)
+ if (!(SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS) &&
+ extra && !s->s3->init_extra)
{
/* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
* set after ssl3_setup_buffers() was done */
@@ -350,6 +356,21 @@ fprintf(stderr, "Record type=%d, Length=
goto err;
}
+ /* If we receive a valid record larger than the current buffer size,
+ * allocate some memory for it.
+ */
+ if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH - align)
+ {
+ if ((p=OPENSSL_realloc(s->s3->rbuf.buf, rr->length + SSL3_RT_HEADER_LENGTH + align))==NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_RECORD,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ s->s3->rbuf.buf=p;
+ s->s3->rbuf.len=rr->length + SSL3_RT_HEADER_LENGTH + align;
+ s->packet= &(s->s3->rbuf.buf[0]);
+ }
+
if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH)
{
al=SSL_AD_RECORD_OVERFLOW;
@@ -576,6 +597,7 @@ int ssl3_write_bytes(SSL *s, int type, c
const unsigned char *buf=buf_;
unsigned int tot,n,nw;
int i;
+ unsigned int max_plain_length;
s->rwstate=SSL_NOTHING;
tot=s->s3->wnum;
@@ -595,8 +617,13 @@ int ssl3_write_bytes(SSL *s, int type, c
n=(len-tot);
for (;;)
{
- if (n > s->max_send_fragment)
- nw=s->max_send_fragment;
+ if (type == SSL3_RT_APPLICATION_DATA && (SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS))
+ max_plain_length = SSL3_RT_DEFAULT_PLAIN_LENGTH;
+ else
+ max_plain_length = s->max_send_fragment;
+
+ if (n > max_plain_length)
+ nw = max_plain_length;
else
nw=n;
@@ -727,6 +727,18 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
s->s3->empty_fragment_done = 1;
}
+ /* resize if necessary to hold the data. */
+ if (len + SSL3_RT_DEFAULT_WRITE_OVERHEAD > wb->len)
+ {
+ if ((p=OPENSSL_realloc(wb->buf, len + SSL3_RT_DEFAULT_WRITE_OVERHEAD))==NULL)
+ {
+ SSLerr(SSL_F_DO_SSL3_WRITE,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ wb->buf = p;
+ wb->len = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD;
+ }
+
if (create_empty_fragment)
{
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
--- openssl-1.0.0a.orig/ssl/ssl.h 2010-01-06 17:37:38.000000000 +0000
+++ openssl-1.0.0a/ssl/ssl.h 2010-08-25 21:12:39.000000000 +0000
@@ -602,6 +602,9 @@ typedef struct ssl_session_st
* TLS only.) "Released" buffers are put onto a free-list in the context
* or just freed (depending on the context's setting for freelist_max_len). */
#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+/* Use small read and write buffers: (a) lazy allocate read buffers for
+ * large incoming records, and (b) limit the size of outgoing records. */
+#define SSL_MODE_SMALL_BUFFERS 0x00000020L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
--- openssl-1.0.0a.orig/ssl/ssl3.h 2010-01-06 17:37:38.000000000 +0000
+++ openssl-1.0.0a/ssl/ssl3.h 2010-08-25 21:12:39.000000000 +0000
@@ -280,6 +280,9 @@ extern "C" {
#define SSL3_RT_MAX_EXTRA (16384)
+/* Default buffer length used for writen records. Thus a generated record
+ * will contain plaintext no larger than this value. */
+#define SSL3_RT_DEFAULT_PLAIN_LENGTH 2048
/* Maximum plaintext length: defined by SSL/TLS standards */
#define SSL3_RT_MAX_PLAIN_LENGTH 16384
/* Maximum compression overhead: defined by SSL/TLS standards */
@@ -311,6 +314,13 @@ extern "C" {
#define SSL3_RT_MAX_PACKET_SIZE \
(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
+/* Extra space for empty fragment, headers, MAC, and padding. */
+#define SSL3_RT_DEFAULT_WRITE_OVERHEAD 256
+#define SSL3_RT_DEFAULT_PACKET_SIZE 4096 - SSL3_RT_DEFAULT_WRITE_OVERHEAD
+#if SSL3_RT_DEFAULT_PLAIN_LENGTH + SSL3_RT_DEFAULT_WRITE_OVERHEAD > SSL3_RT_DEFAULT_PACKET_SIZE
+#error "Insufficient space allocated for write buffers."
+#endif
+
#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
@@ -634,4 +645,3 @@ typedef struct ssl3_state_st
}
#endif
#endif
-
--- openssl-1.0.0a.orig/ssl/ssltest.c 2010-01-24 16:57:38.000000000 +0000
+++ openssl-1.0.0a/ssl/ssltest.c 2010-08-25 21:12:39.000000000 +0000
@@ -316,6 +316,8 @@ static void sv_usage(void)
" (default is sect163r2).\n");
#endif
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+ fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
+ fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -444,6 +447,9 @@ int opaque_prf_input_cb(SSL *ssl, void *
return arg->ret;
}
#endif
+ int ssl_mode = 0;
+ int c_small_records=0;
+ int s_small_records=0;
int main(int argc, char *argv[])
{
@@ -680,6 +687,14 @@ int main(int argc, char *argv[])
{
test_cipherlist = 1;
}
+ else if (strcmp(*argv, "-c_small_records") == 0)
+ {
+ c_small_records = 1;
+ }
+ else if (strcmp(*argv, "-s_small_records") == 0)
+ {
+ s_small_records = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
@@ -802,6 +821,21 @@ bad:
SSL_CTX_set_cipher_list(s_ctx,cipher);
}
+ ssl_mode = 0;
+ if (c_small_records)
+ {
+ ssl_mode = SSL_CTX_get_mode(c_ctx);
+ ssl_mode |= SSL_MODE_SMALL_BUFFERS;
+ SSL_CTX_set_mode(c_ctx, ssl_mode);
+ }
+ ssl_mode = 0;
+ if (s_small_records)
+ {
+ ssl_mode = SSL_CTX_get_mode(s_ctx);
+ ssl_mode |= SSL_MODE_SMALL_BUFFERS;
+ SSL_CTX_set_mode(s_ctx, ssl_mode);
+ }
+
#ifndef OPENSSL_NO_DH
if (!no_dhe)
{
--- openssl-1.0.0.orig/test/testssl 2006-03-10 15:06:27.000000000 -0800
+++ openssl-1.0.0/test/testssl 2010-04-26 10:24:55.000000000 -0700
@@ -70,6 +70,16 @@ $ssltest -client_auth $CA $extra || exit
echo test sslv2/sslv3 with both client and server authentication
$ssltest -server_auth -client_auth $CA $extra || exit 1
+echo test sslv2/sslv3 with both client and server authentication and small client buffers
+$ssltest -server_auth -client_auth -c_small_records $CA $extra || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication and small server buffers
+$ssltest -server_auth -client_auth -s_small_records $CA $extra || exit 1
+
+echo test sslv2/sslv3 with both client and server authentication and small client and server buffers
+$ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra || exit 1
+
+
echo test sslv2 via BIO pair
$ssltest -bio_pair -ssl2 $extra || exit 1

75
bootable/bootloader/lk/lib/openssl/patches/ssl_Android.mk Normal file
View File

@@ -0,0 +1,75 @@
LOCAL_PATH:= $(call my-dir)
local_c_includes := \
external/openssl \
external/openssl/include \
external/openssl/crypto
local_src_files:= \
s2_meth.c \
s2_srvr.c \
s2_clnt.c \
s2_lib.c \
s2_enc.c \
s2_pkt.c \
s3_meth.c \
s3_srvr.c \
s3_clnt.c \
s3_lib.c \
s3_enc.c \
s3_pkt.c \
s3_both.c \
s23_meth.c \
s23_srvr.c \
s23_clnt.c \
s23_lib.c \
s23_pkt.c \
t1_meth.c \
t1_srvr.c \
t1_clnt.c \
t1_lib.c \
t1_enc.c \
t1_reneg.c \
ssl_lib.c \
ssl_err2.c \
ssl_cert.c \
ssl_sess.c \
ssl_ciph.c \
ssl_stat.c \
ssl_rsa.c \
ssl_asn1.c \
ssl_txt.c \
ssl_algs.c \
bio_ssl.c \
ssl_err.c \
kssl.c
include $(CLEAR_VARS)
include $(LOCAL_PATH)/../android-config.mk
LOCAL_SRC_FILES += $(local_src_files)
LOCAL_C_INCLUDES += $(local_c_includes)
LOCAL_SHARED_LIBRARIES += libcrypto
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE:= libssl
include $(BUILD_SHARED_LIBRARY)
ifeq ($(WITH_HOST_DALVIK),true)
include $(CLEAR_VARS)
include $(LOCAL_PATH)/../android-config.mk
LOCAL_SRC_FILES += $(local_src_files)
LOCAL_C_INCLUDES += $(local_c_includes)
LOCAL_SHARED_LIBRARIES += libcrypto
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE:= libssl
include $(BUILD_HOST_SHARED_LIBRARY)
endif
# ssltest
include $(CLEAR_VARS)
include $(LOCAL_PATH)/../android-config.mk
LOCAL_SRC_FILES:= ssltest.c
LOCAL_C_INCLUDES += $(local_c_includes)
LOCAL_SHARED_LIBRARIES := libssl libcrypto
LOCAL_MODULE:= ssltest
LOCAL_MODULE_TAGS := optional
include $(BUILD_EXECUTABLE)

77
bootable/bootloader/lk/lib/openssl/patches/testssl.sh Normal file
View File

@@ -0,0 +1,77 @@
#!/bin/bash
#
# Copyright (C) 2010 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# Android testssl.sh driver script for openssl's testssl
#
# based on openssl's test/testss script and test/Makefile's test_ssl target
#
set -e
trap "echo Exiting on unexpected error." ERR
device=/sdcard/android.testssl
digest='-sha1'
reqcmd="adb shell /system/bin/openssl req"
x509cmd="adb shell /system/bin/openssl x509 $digest"
CAkey="$device/keyCA.ss"
CAcert="$device/certCA.ss"
CAreq="$device/reqCA.ss"
CAconf="$device/CAss.cnf"
Uconf="$device/Uss.cnf"
Ureq="$device/reqU.ss"
Ukey="$device/keyU.ss"
Ucert="$device/certU.ss"
echo
echo "setting up"
adb remount
adb shell rm -r $device
adb shell mkdir $device
echo
echo "pushing test files to device"
adb push . $device
echo
echo "make a certificate request using 'req'"
adb shell "echo \"string to make the random number generator think it has entropy\" >> $device/.rnd"
req_new='-new'
$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new
echo
echo "convert the certificate request into a self signed certificate using 'x509'"
$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca
echo
echo "make a user certificate request using 'req'"
$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new
echo
echo "sign user certificate request with the just created CA via 'x509'"
$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee
echo
echo "running testssl"
./testssl $Ukey $Ucert $CAcert
echo
echo "cleaning up"
adb shell rm -r $device