| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clang now is performant enough to use instead of GCC. We can later
switch on ftrapv to better deal with potential problems. Clang was
having problems with BN multiply operations, but it appears to not
affect RSA speeds anymore.
gcc:
openssl speed -elapsed rsa
sign verify sign/s verify/s
rsa 512 bits 0.000759s 0.000073s 1317.5 13621.0
rsa 1024 bits 0.004109s 0.000234s 243.4 4276.1
rsa 2048 bits 0.027652s 0.000842s 36.2 1188.3
rsa 4096 bits 0.198824s 0.003204s 5.0 312.1
clang:
openssl speed -elapsed rsa
sign verify sign/s verify/s
rsa 512 bits 0.000784s 0.000074s 1274.9 13522.6
rsa 1024 bits 0.004132s 0.000235s 242.0 4256.9
rsa 2048 bits 0.027680s 0.000851s 36.1 1175.5
rsa 4096 bits 0.198824s 0.003245s 5.0 308.2
Change-Id: Iadad4739cf925a552158463047bdf1e19f9d0e83
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This modifies import_openssl.sh to parse the configured Makefile
and extract the appropriate compiler flags that were currently
defined manually in android-config.mk
- Modifies openssl.config to add missing configure options to
ensure the final result is the same than before the patch.
This also updates crypto/opensslconf.h.
- The generated output is stored in build-config.mk which content
directly comes from the OpenSSL Makefile.
- android-config.mk is still used to define LOCAL_CFLAGS from
the definitions in build-config.mk, as well as perform minimal
extra filtering.
- Remove the section in README.android about manually changing
android-config.mk.
Change-Id: I5275de69a817aa7c9880ea48e5d6a8ac1652a1e4
|
| |
|
|
|
|
| |
Bug: 7079965
Change-Id: I0efabd6bfb88ca841f68c0669a9c1f1a7d9bd6cf
|
| |
|
|
|
|
|
|
|
| |
Add missing file from OpenSSL 1.0.1c and fix flags since Windows
does not have dlfcn.h.
(cherry-picked from b4f245f7519f2f8b8dd7fa0b3897220eda17a7ef)
Change-Id: I937c1effd937dfe7922d6472c7adec063103c924
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug: https://bugs.launchpad.net/ubuntu/+source/wpasupplicant/+bug/969343/comments/70
Bug: http://rt.openssl.org/Ticket/Display.html?id=2825#txn-34312
Bug: http://code.google.com/p/android/issues/detail?id=34212
Bug: 6883259
(cherry-picked from 9b4b062050bf9a39ae49bce7b735a3c046d7452c)
Change-Id: I440deb622b51fd38d575f32bf70e9f1ce990aa71
|
| |
|
|
|
|
| |
Bug: 6168278
Change-Id: I648f9172828120df5d19a14425e9ceec92647921
|
| |
|
|
|
|
|
|
|
|
|
| |
The new keystore work requires OpenSSL engines to be enabled again.
This adds back the Android.mk rules, tweaks the android-config.mk to
build engine support, and adds in some essential files that were deleted
during the subsequent merges since engine support was removed
(crypto/engine/tb_asnmth.c and crypto/engine/tb_pkmeth.c)
Change-Id: I7b8190d21f50c1dd1ed12bbd0961b6e543c18ecf
|
| |
|
|
|
| |
Bug: 5822335
Change-Id: Iadf81526a10b072ff323730db0e1897faea7a13f
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Recent a bug was found that would have been much more obvious if not
for the confusion that "sha" means "SHA-0" in openssl and "SHA" means
"SHA-1" to Java programmers. Removing SHA-0 should be not be an
interoperability issue, it was never really used, was apparently
flawed, so like MD2 we will just remove it.
Bug: 2997009
Change-Id: I630c851fb2f5f344ef7a2c62c7092843cb40818c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Manual changes:
Changing build/config to remove OPENSSL_NO_BF and no-bf
openssl.config
android-config.mk
Add list of new files to build for blowfish
patches/crypto_Android.mk
Need to clean because we are changing build flags
CleanSpec.mk
Derived changes:
Changed by import_openssl.sh based on android-config.mk change
crypto/opensslconf.h
include/openssl/opensslconf.h
Derived from patches/crypto_Android.mk by import_openssl.sh
crypto/Android.mk
Newly imported files by import_openssl.sh with updated openssl.config
crypto/bf/COPYRIGHT
crypto/bf/asm/bf-586.pl
crypto/bf/asm/bf-686.pl
crypto/bf/bf_cfb64.c
crypto/bf/bf_ecb.c
crypto/bf/bf_enc.c
crypto/bf/bf_locl.h
crypto/bf/bf_ofb64.c
crypto/bf/bf_pi.h
crypto/bf/bf_skey.c
crypto/bf/blowfish.h
include/openssl/blowfish.h
Bug: 1856777
Change-Id: Id984df3834fa1d935feb9910c26a082242a9a8e1
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See also b/1569612
Summary:
- OpenSSlSocket support for SNI, session tickets, compression
- URLConnection mimics Chrome behavior of trying connection with these enabled,
falling back to SSL w/o encryption on failure
Details:
libcore
URLConnection https retry
Change HttpConnection.getSecureSocket to enable non-standard features on first
connection attempt. On second attempt, we back off to SSLv3 from
TLSv1, mimicking Chrome's behavior.
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java
Change HttpsEngine.connect to implement SSL reconnect
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java
OpenSSL SSLSocket implementation
OpenSSLSocketImpl and OpenSSLServerSocketImpl now have an array of
enabled compression methods interface and implementation to
parallel that of procotols and ciphersuites.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
OpenSSLSessionImpl now has a cache of the native
compressionMethod. Since null is allowed, we default the cache to
a different sentinel value, the empty string, to determine if we
have to make the JNI call to fill in the value. Also replaced
"gives" javadoc working with "returns".
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
OpenSSLSocketImpl session caching now needs to skip cached
sessions with mismatched compression requirements. Again the fact
that null is an allowed special case makes it slightly different
than the existing protocol and cipher suite code path.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
OpenSSLSocketImpl.startHandshake now uses NativeCrypto to support
our non-standard extensions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
NativeCrypto changes
- Added declaration of SSL options for tickets and compression.
- Added general "compression methods" interface
paralleling "cipher suites" and "protocols" interfaces. Primary
difference is that a empty array, signifying no compression
desired, is allowed. Alternative would be to require a "NULL"
compression method to be specified.
- Added SSL_set_tlsext_host_name to set SNI (Server Name Indication) value
- Added SSL_get_servername to read SNI (Server Name Indication) value
- Added SSL_SESSION_compress_meth read negotiated compression method
- SSL_new makes sure to default compression to off for compatibility
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
Testing
Added URLConnectionTest.testConnectViaHttpsWithSSLFallback to make
sure we properly retry an https connection if the server
terminates unexpectedly. Fixed up
URLConnectionTest.testHttpsWithCustomTrustManager with new
expected certificate chain. Fixed a few mistaken
TestSSLContext.serverContext uses to clientContext
luni/src/test/java/java/net/URLConnectionTest.java
Added test_SSL_set_tlsext_host_name, test_SSL_get_servername,
test_SSL_SESSION_compress_meth. Added a number of missing fail()
calls in expected exception cases which caught one test with
mistaken expectations. Removed some unnecessary scopes. Fixed some
badly scoped catch blocks.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Changed MockWebServer to support a new MockResponse propery of
disconnectAtStart, which immediately terminates the connection
support/src/test/java/tests/http/MockResponse.java
support/src/test/java/tests/http/MockWebServer.java
external/openssl
Restore -ZLIB to OpenSSL build. Note that NativeCrypto.SSL_new
disables compression by for default SSLSocket for compatibility.
android-config.mk
Force clean build with new CFLAGS
CleanSpec.mk
Change-Id: Ic8158c7e7ffafdb70f8897b04a861849cb9ac1d7
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tested with
./import_openssl.sh import .../openssl-1.0.0.tar.gz
and confirmed no source changes
Also added debug flags in android-config.mk for later use
Change-Id: Idbfefe7bc16790060eb58c116b0961c195b3a087
Conflicts:
openssl.config
|
| |\
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
CleanSpec.mk
android-config.mk
Change-Id: I152eb24cb71e93b8d97afadda41012baa8ea06a2
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Although we initially considered enabling ZLIB (b/2361399) this was
disabled because some some sites fail to handshake if its enabled
(b/2710492, b/2710497, ...)
Change-Id: I5e42863157a9d0b1c30f00d5f47a90f470436a6a
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Summary:
- adding SSL_set_cipher_lists for JSSE support
- enabling elliptic curve for new JSSE cipher suites
Details:
Adding SSL_set_cipher_lists that allows setting of SSL ciphers (and
indirectly ciphers_by_id). This allows us to explicitly set a desired
cipher suite lists with our own ordering for JSSE support.
patches/jsse.patch
Enabling EC, ECDH, and ECDSA which are needed for RI 6 elliptic curve cipher suites.
- EC = Elliptic Curve
- ECDH = Elliptic Curve Diffie-Hellman
- ECDSA = Elliptic Curve Digital Signature Algorithm
android-config.mk
patches/apps_Android.mk
patches/crypto_Android.mk
openssl.config
Remove warning from openssl output to remove testssl warnings
patches/progs.patch
openssl.config
Misc
Update clean, build, and test instructions
README.android
Fixing whitespace inconsistency noted when updating clean target
patches/ssl_Android.mk
Generated files
Copied from patches:
apps/Android.mk
crypto/Android.mk
ssl/Android.mk
Newly imported EC files from openssl-1.0.0.tar.gz
Interestingly most of the needed files were already present, if not compiled.
crypto/ec/ec_ameth.c
crypto/ec/ec_pmeth.c
crypto/ec/eck_prn.c
SSL_set_cipher_lists
include/openssl/ssl.h
ssl/ssl.h
ssl/ssl_lib.c
Disabled warning
apps/openssl.c
Change-Id: I1d75f64b64e03f7bfb45456876b60ebbf3a09de5
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
external/openssl
Updated version to 1.0.0
openssl.version
Updated small records patch for 1.0.0. This is probably the most significant change.
patches/small_records.patch
Removed bad_version.patch since fix is included in 0.9.8n and beyond
patches/README
patches/bad_version.patch
openssl.config
Changed import_openssl.sh to generate armv4 asm with the 1.0.0
scripts, not our backported 0.9.9-dev backported version in
patches/arm-asm.patch.
import_openssl.sh
openssl.config
patches/README
patches/arm-asm.patch
Added -DOPENSSL_NO_STORE to match ./Configure output
Added -DOPENSSL_NO_WHIRLPOOL (no-whrlpool) to skip new optional cipher
android-config.mk
openssl.config
Fixed import to remove include directory during import like other
imported directories (apps, ssl, crypto)
import_openssl.sh
Updated UNNEEDED_SOURCES. Pruned Makefiles which we don't use.
openssl.config
Updated to build newly required files
patches/apps_Android.mk
patches/crypto_Android.mk
Disable some new openssl tools
patches/progs.patch
Updated upgrade testing notes to include running BigInteger tests
README.android
Automatically imported
android.testssl/
apps/
crypto/
e_os.h
e_os2.h
include/
ssl/
dalvik
Change makeCipherList to skip SSLv2 ciphers that 1.0.0 now returns
so there are not duplicate ciphersuite names in getEnabledCipherSuites.
libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Updated OpenSSLSocketImpl_cipherauthenticationmethod for new
SSL_CIPHER algorithms -> algorithm_auth (and const-ness)
libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Update to const SSL_CIPHER in OpenSSLSessionImpl_getCipherSuite (and cipherauthenticationmethod)
libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
test_EnabledCipherSuites on both SSLSocketTest and
SSLServerSocketTest caught the makeCipherList problem. However the
asserts where a bit out of sync and didn't give good messages
because they didn't actually show what was going on. As part of
debugging the issue they found, I tried to make align the asserts
and improve their output for the future.
libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLServerSocketTest.java
libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLSocketTest.java
vendor/google
Add const to X509V3_EXT_METHOD* for 1.0.0 compatibility
libraries/libjingle/talk/base/openssladapter.cc
Change-Id: I90fb1566dede6034eebc96d2b0dcf4533d9643bf
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
such as imap.gmail.com:993
Issue http://b/2557948
Android has historically built openssl with TLS extensions
disabled. However, starting with 0.9.8m, the openssl client started
sending client hello messages that required TLS extensions to be
enabled in order to parse the server hello response. imap.gmail.com
recently rolled out 0.9.8m code that started responding to our
extended client hello, which started causing our client to choke since
it was not able to parse the tls extension in the server hello
response.
This change enables TLSEXT in openssl, which also requires that we
enabled OCSP (Online Certificate Status Protocol) which is one of the
TLS extensions.
Change-Id: I2be1cdead6f3d797bb33a56a4abd0a9a92142b57
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Testing Summary:
- Passed new android.testssl/testssl.sh
- General testing with BrowserActivity based program
Details:
Expanded detail in README.android about how to build and test openssl
upgrades based on my first experience.
modified: README.android
Significant rework of import_openssl.sh script that does most of
the work of the upgrade. Most of the existing code became the main
and import functions. The newly regenerate code helps regenerate
patch files, building on the fact that import now keeps and
original unmodified read-only source tree for use for patch
generation. Patch generation relies on additions to openssl.config
for defining which patches include which files. Note that
sometimes a file may be patched multiple times, in that case
manual review is still necessary to prune the patch after
auto-regeneration. Other enhancements to import_openssl.sh include
generating android.testssl and printing Makefile defines for
android-config.mk review.
modified: import_openssl.sh
Test support files for openssl/
Add support for building /system/bin/ssltest as test executible for
use by testssl script. Need confirmation that this is the right way
to define such a test binary.
modified: patches/ssl_Android.mk
Driver script that generates user and CA keys and certs on the
device with /system/bin/openssl before running testssl. Based on
openssl/test/testss for generation and openssl/test/Makefile
test_ssl for test execution.
new file: patches/testssl.sh
Note all following android.testssl files are automatically
imported from openssl, although possible with modifications by
import_openssl.sh
testssl script imported from openssl/test that does the bulk of
the testing. Includes new tests patched in for our additions.
new file: android.testssl/testssl
CA and user certificate configuration files from openssl.
Automatically imported from openssl/test/
new file: android.testssl/CAss.cnf
new file: android.testssl/Uss.cnf
certificate and key test file imported from openssl/apps
new file: android.testssl/server2.pem
Actual 0.9.8m upgrade specific bits
Trying to bring ngm's small records support into 0.9.8m. Needs
signoff by ngm although it does pass testing.
modified: patches/small_records.patch
Update openssl.config for 0.9.8m. Expanded lists of undeeded
directories and files for easier update and review, adding new
excludes. Also added new definitions to support "import_openssl.sh
regenerate" for patch updating.
modified: openssl.config
Updated OPENSSL_VERSION to 0.9.8m
modified: openssl.version
Automatically imported/patched files. Seems like it could be
further pruned in by openssl.config UNNEEDED_SOURCES, but extra
stuff doesn't end up impacting device.
modified: apps/...
modified: crypto/...
modified: include/...
modified: ssl/...
Other Android build stuff.
Note for these patches/... is source, .../Android.mk is derived.
Split LOCAL_CFLAGS additions into lines based on openssl/Makefile
source for easier comparison when upgrading. I knowingly left the
lines long and unwrapped for easy vdiff with openssl/Makefile
modified: android-config.mk
Removed local -DOPENSSL_NO_ECDH already in android-config.mk.
modified: patches/apps_Android.mk
Sync up with changes that had crept into derived crypto/Android.mk
modified: patches/crypto_Android.mk
Change-Id: I73204c56cdaccfc45d03a9c8088a6a93003d7ce6
|
| |
|
|
| |
Bug: 2361399
|
| |
|
|
|
|
| |
The source tree (and the size of the compiled library)
can be reduced further. This will be done in a future
commit.
|
| |
|
|
|
|
|
|
|
|
| |
This reverts commit e34c52b38bd2ef23d439758389767f87afda715c.
This is dependent on change Ic105b22aebec6a7af8656e60c79fe518d1dfa849
being applied to the external/ipsec-tools directory to remove dependency
on OpenSSL engine code.
Change-Id: Idf74c29c0dd265afac1563c8a6cdfbea36a91aa8
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 6b515fe04b3ccea25fb2f1e686b2185880952a59.
Conflicts:
android-config.mk
crypto/Android.mk
|
| |
|
|
|
|
|
| |
OCSP is a good idea, but BouncyCastle implements its own OCSP. Nothing
in Android appears to use OpenSSL's OCSP implementation.
Removing OCSP saves about 22508 bytes from libcrypto.so
|
| |
|
|
|
|
|
|
| |
Nothing in Android appears to be using the elliptic curve cryptography
functions. There are some spec classes in libcore's jaa.security.spec,
but nothing that actually uses OpenSSL to implement it.
Removing this part from OpenSSL saves approximately 84116 bytes.
|
| |
|
|
|
|
|
|
|
| |
Part of the README.android directs you to remove the "engine" directory,
but misses the engine subdirectory of "crypto" This adds a flag to
remove the unused engine functions altogether.
This change saves about 17344 bytes from the final build of libcrypto.so
in Thumb mode.
|
| | |
|
| | |
|
| | |
|
| |
|
