History log of /external/openssl/include/openssl/ssl.h
Revision Date Author Comments
fc6ed1594aebe63aafa31af2bd01c41fab36d6cc 17-Nov-2014 Kenny Root <kroot@google.com> Follow-up for 1.0.1j upgrade, part 2

The error messages SSL_R_NO_P256_SUPPORT from an internal patch and
SSL_R_INAPPROPRIATE_FALLBACK from 1.0.1j upgrade conflict resulting in
weird error messages.

Tests were added to catch this regression in libcore change
If8896d8f644095c13cbe44dd8ba7d4ef235385cf

(cherry picked from commit b4e20dd70acc0a67c2aa2832b0ffad3a0bcb9bdd)

Bug: 18018599
Change-Id: I62e50f14a41a9f3b53afbbd6382800a6e18e55ec
/external/openssl/include/openssl/ssl.h
c64f6fe2be99cb3fa8e491b5bede9a217de87a4c 06-Nov-2014 Kenny Root <kroot@google.com> Upgrade to 1.0.1j

Upgraded from archive:
cff86857507624f0ad42d922bb6f77c4f1c2b819 openssl-1.0.1j.tar.gz

(cherry picked from commit c642a4957fa6f518a02839abc38de4e1476cdfc6)

Bug: 18018599
Change-Id: I7db55f15e6c5670cc2ced1ffbc736b1b354be740
/external/openssl/include/openssl/ssl.h
9a68a8fb86e7440763286e3ea8578099abd598e7 03-Oct-2014 Bodo Moeller <bmoeller@google.com> Add support for TLS_FALLBACK_SCSV

Bug: 17750026
Change-Id: I4b5ba1a6edbdac57c29e1e3b9425b9f69275784f
/external/openssl/include/openssl/ssl.h
8e8ec665ac4a328d173417afae1ee58d0e7ea1b4 06-Aug-2014 Kenny Root <kroot@google.com> Retry sending record split fragment when SSL write fails

When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record
splitting is needed, an extra byte would be added to the max size of the
message to be written. This would cause the requested size to not exceed
the max. If the SSL_WANT_WRITE error were returned, the next packet
would not get the extra byte added to the max packet size since
record_split_done is set. Since a different set of arguments
(SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed
to do_ssl3_write, it would get an "SSL3_WRITE_PENDING:bad write retry"
error.

To avoid a failure in the opposite direction, the max variable increment
is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE
is not enabled, the call to ssl3_write_bytes contains, e.g., buffer of
2*SSL3_RT_MAX_PLAIN_LENGTH where the first call into do_ssl3_write
succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but
writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the
first time the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has
called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes
in turn calls into do_ssl3_write with "max+1" bytes.

(cherry picked from commit 455e02af15d07aa8f8b22b5f6558c23f041c6b2a)

Bug: 16482963
Change-Id: I28a515a970d535a7fbba9c0ba325c9aed633d1cc
/external/openssl/include/openssl/ssl.h
b0a77b1a27bcd7096df02a155b5aa5d2e8fdc768 17-Jun-2014 Alex Klyubin <klyubin@google.com> Add a missing declaration of SSL_CIPHER_authentication_method.

The declaration of this method was accidentally removed from ssl.h in
392aa7cc7d2b122614c5393c3e357da07fd07af3.

Bug: 15675825
Change-Id: I2e563d74aaec08ae5aa636cd38e6add98efec480
/external/openssl/include/openssl/ssl.h
77c6be7176c48d2ce4d5979a84876d34204eedaf 12-Jun-2014 Kenny Root <kroot@google.com> Upgrade to OpenSSL 1.0.1h

sha1sum of distribution:
b2239599c8bf8f7fc48590a55205c26abe560bf8 openssl-1.0.1h.tar.gz

Bug: 15442813
Change-Id: I9abd00afcb7efb0e80b27bf7beade3c6dc511082
/external/openssl/include/openssl/ssl.h
9ab523cb95e7ef674e9c41438d9f524063d14234 05-Jun-2014 Brian Carlstrom <bdc@google.com> Fix Early CCS bug

SSL/TLS MITM vulnerability (CVE-2014-0224)

(cherry picked from commit 9c58a18df94359edda520ebe95f6e0263e401aa4)

Bug: 15442813

(cherry picked from commit 581e6bdd03b82570fe3860110a61474837fa8779)

Change-Id: I8c18d49a3719906895326c82ea013b09be1a9b52
/external/openssl/include/openssl/ssl.h
3355e0f024c4cd610fbb32fdf148a6f376e9e74e 05-May-2014 Alex Klyubin <klyubin@google.com> Fix TLS-PSK identity hint implementation issues.

PSK identity hint can be stored in SSL_CTX and in SSL/SSL_SESSION,
similar to other TLS parameters, with the value in SSL/SSL_SESSION
taking precedence over the one in SSL_CTX. The value in SSL_CTX is
shared (used as the default) between all SSL instances associated
with that SSL_CTX, whereas the value in SSL/SSL_SESSION is confined
to that particular TLS/SSL connection/session.

The existing implementation of TLS-PSK does not correctly distinguish
between PSK identity hint in SSL_CTX and in SSL/SSL_SESSION. This
change fixes these issues:
1. SSL_use_psk_identity_hint does nothing and returns "success" when
the SSL object does not have an associated SSL_SESSION.
2. On the client, the hint in SSL_CTX (which is shared between
multiple SSL instances) is overwritten with the hint received from
server or reset to NULL if no hint was received.
3. On the client, psk_client_callback is invoked with the hint from
SSL_CTX rather than from current SSL/SSL_SESSION (i.e., the one
received from the server). Issue #2 above masks this issue.
4. On the server, the hint in SSL/SSL_SESSION is ignored and the hint
from SSL_CTX is sent to the client.
5. On the server, the hint in SSL/SSL_SESSION is reset to the one in
SSL_CTX after the ClientKeyExchange message step.

This change fixes the issues by:
* Adding storage for the hint in the SSL object. The idea being that
the hint in the associated SSL_SESSION takes precedence.
* Reading the hint during the handshake only from the associated
SSL_SESSION object.
* Initializing the hint in SSL object with the one from the SSL_CTX
object.
* Initializing the hint in SSL_SESSION object with the one from the
SSL object.
* Making SSL_use_psk_identity_hint and SSL_get_psk_identity_hint
set/get the hint to/from SSL_SESSION associated with the provided
SSL object, or, if no SSL_SESSION is available, set/get the hint
to/from the provided SSL object.
* Removing code which resets the hint during handshake.

Change-Id: I13f51a5e942269a727c9f26f31155e3d5093903f
/external/openssl/include/openssl/ssl.h
7f7ea2d72f2e316ba518e82f06513e3477840c15 07-Apr-2014 Kenny Root <kroot@google.com> Update to OpenSSL 1.0.1g

Upgrade to the new OpenSSL 1.0.1g release. SHA-1 hash of file:
b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c openssl-1.0.1g.tar.gz

Change-Id: Ie839cf2a4367afbd2919180ea4ce016b1c8d6668
/external/openssl/include/openssl/ssl.h
ff41a4bc41ae1e1391f9b05117623ff70b985983 07-Jan-2014 Kenny Root <kroot@google.com> Import OpenSSL 1.0.1f

Upgrade to the new OpenSSL 1.0.1f release. SHA-1 hash of file:
9ef09e97dfc9f14ac2c042f3b7e301098794fc0f openssl-1.0.1f.tar.gz

Some changes had to be made to the existing source:

Fixed the import script to work with "sh -x" for debugging problems.

Update some of the files from patches/ to work with 1.0.1f, because
1.0.1f fixes have used some of the constants that were used (0x20L was
changed to 0x80L and 0x40L was changed to 0x100L).

Delete the "Makefile.save" files that are newly present in the
OpenSSL 1.0.1f release tarball.

Change-Id: Ib0f13b91e863157da23ec1d736ff2d788897d9f1
/external/openssl/include/openssl/ssl.h
e6443cd9084e98ea362375c3f177a0eab7aa8fdc 05-Nov-2013 Adam Langley <agl@chromium.org> Implement CBC record splitting.

This patch removes support for empty records (which is almost
universally disabled via SSL_OP_ALL) and adds optional support for
1/n-1 record splitting.

The latter is not enabled by default, since it's not typically used
on servers, but it should be enabled in web browsers since there are
known attacks in that case (see BEAST).

Bug: 11514124
Change-Id: I3fef273edd417c51c5723d290656d2e03331d68a
/external/openssl/include/openssl/ssl.h
ee53ab1212ec75db6e1704a6909c45c93dd411c3 24-Jun-2013 Kenny Root <kroot@google.com> Add ALPN support patch

This change adds support for ALPN[1] in OpenSSL. ALPN is the IETF
blessed version of NPN and we'll be supporting both ALPN and NPN for
some time yet.

[1] https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-00

Patch from Adam Langley <agl@chromium.org>

Change-Id: I556b1ee877f398ae8b7f1d4abbaddc44611e5f51
/external/openssl/include/openssl/ssl.h
365d7e8ba65197a3bad7349848dc13be13d6922a 05-Mar-2013 David 'Digit' Turner <digit@android.com> Fix Clang build.

This contains a new Android-specific patch to fix the Chromium
linux Clang builds.

This updates patches/channelid.patch independently since this
patch hasn't been submitted upstream yet.

Change-Id: I9d9a2ca3ad8446a54db5a023571fde1bc0d276c5
/external/openssl/include/openssl/ssl.h
04ef91b390dfcc6125913e2f2af502d23d7a5112 05-Feb-2013 Brian Carlstrom <bdc@google.com> openssl-1.0.1d upgrade

Change-Id: Ie980c8834cf2c843858182d98d1f60c65a2a9b70
/external/openssl/include/openssl/ssl.h
f04b7b0cd950a9bf3c07edcbafb48afe63d4fed3 17-Jan-2013 Brian Carlstrom <bdc@google.com> Remove small_records.patch in favor of SSL_MODE_RELEASE_BUFFERS

Restored handshake_cutthrough.patch to upstream having removed traces of the small_records.patch

Change-Id: Iae8df5f24fe5fe566e81421e9db4c2f1ea5f1b53
/external/openssl/include/openssl/ssl.h
45bcfbcc39acc2213abd00ebcc794dcc40be39f7 16-Jan-2013 Adam Langley <agl@chromium.org> Add support for the TLS Channel ID extension.

See http://tools.ietf.org/html/draft-balfanz-tls-channelid-00.

Change-Id: Id5b9799f96c0f7a1ef5ed8db9e40111a700d091f
/external/openssl/include/openssl/ssl.h
f42d491ab90c82302b0054c62014c1ee9b638aff 28-Apr-2012 Brian Carlstrom <bdc@google.com> openssl-1.0.1b upgrade

Change-Id: I4fe854007f774cf7f386cd405a9d21e6ca94e7b6
/external/openssl/include/openssl/ssl.h
a1a5710c055e139ea00e785f9eb55b3af3e4dab1 19-Apr-2012 Brian Carlstrom <bdc@google.com> openssl-1.0.1a upgrade

Bug: 6366068

Change-Id: I0b6ec75b5c2a8f082b4b0fe6db2697d24f2f9b00
/external/openssl/include/openssl/ssl.h
392aa7cc7d2b122614c5393c3e357da07fd07af3 16-Mar-2012 Brian Carlstrom <bdc@google.com> openssl-1.0.1 upgrade

Bug: 6168278

Change-Id: I648f9172828120df5d19a14425e9ceec92647921
/external/openssl/include/openssl/ssl.h
21c841450af61d0a9119cdc863e93d019127bfe1 12-Mar-2012 Brian Carlstrom <bdc@google.com> Upgrade to openssl-1.0.0h

Change-Id: I0bc9b6b486bf10ebae34b994b63cf6011afdf5e1
/external/openssl/include/openssl/ssl.h
7b476c43f6a45574eb34697244b592e7b09f05a3 04-Jan-2012 Brian Carlstrom <bdc@google.com> Upgrade to openssl-1.0.0f

Bug: 5822335
Change-Id: Iadf81526a10b072ff323730db0e1897faea7a13f
/external/openssl/include/openssl/ssl.h
bf9ac266e34f910ace31880ea92b8deaf6212aa6 29-Nov-2010 Kristian Monsen <kristianm@google.com> Patch OpenSSL to enable SPDY

Change-Id: Ie076e26ab49f1addd7a918271e85d779f47167ac
/external/openssl/include/openssl/ssl.h
d524efd1ee2dde250eb759c483c9db089f653d16 03-Nov-2010 Brian Carlstrom <bdc@google.com> Move NativeCrypto dependencies on openssl internals to jsse.patch

Change-Id: I3cb6fb47f8294e5bc912e7ed073433925e9b120b
/external/openssl/include/openssl/ssl.h
4f16e619f191ec2041275b4ff5235663d583e484 13-Jul-2010 Brian Carlstrom <bdc@google.com> Improved client certificate and certificate chain support

Summary:
- openssl: add openssl support for specifying per key certificate chains
- libcore: properly implement client certificate request call back
- libcore: properly implement sending certificate chain
- libcore: properly implement retrieving local certificate chain
- libcore: added an SSLContext for non-OpenSSL SSLSocket creation

Details:

external/openssl

Improve patch generate support by applying all other patches to
baseline to remove cross polluting other patch changes into target
patch. Move cleanup of ./Configure output to import script from
openssl.config.

import_openssl.sh
openssl.config

Adding SSL_use_certificate_chain and SSL_get_certificate_chain to
continue to finish most of remaining JSSE issues.

include/openssl/ssl.h
ssl/s3_both.c
ssl/ssl.h
ssl/ssl_locl.h
ssl/ssl_rsa.c

Updated patch (and list of input files to patch)

patches/jsse.patch
openssl.config

libcore

Restoring SSLContextImpl as provider of non-OpenSSL SSLSocketImpl
instances for interoperability testing. OpenSSLContextImpl is the
new subclass that provides OpenSSLSocketImpl. JSSEProvider
provides the old style SSLContexts, OpenSSLProvider provides the
OpenSSL SSLContext, which includes the "default" context. Changed
to register SSLContexts without aliases to match the RI.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java

Native interface updates to support OpenSSLSocketImpl improvements
- KEY_TYPES now expanded based on what we are being provided by OpenSSL.
keyType function now maps key type values received from
clientCertificateRequested callback.
- Removed remaining uses of string PEM encoding, now using ASN1 DER consistently
Includes SSL_SESSION_get_peer_cert_chain, verifyCertificateChain
- Fixed clientCertificateRequested to properly include all key
types supported by server, not just the one from the cipher
suite. We also now properly include the list of supported CAs to
help the client select a certificate to use.
- Fixed NativeCrypto.SSL_use_certificate implementation to use new
SSL_use_certificate_chain function from openssl to pass chain to
OpenSSL.
- Added error handling of all uses of sk_*_push which can fail due to out of memory
- Fixed compile warning due to missing JNI_TRACE argument
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Pass this into chooseServerAlias call as well in significantly revamped choseClientAlias

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Minor code cleanup while reviewing diff between checkClientTrusted and checkServerTrusted

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

Improvements to SSL test support to go along with client
certificate and certificate chain changes. TestSSLContext now has
separate contexts for the client and server (as well as separate
key stores information). TestKeyStore now is more realistic by
default, creating a CA, intermediate CA, and separate client and
server certificates, as well as a client keystore that simply
contains the CA and no certificates.

support/src/test/java/javax/net/ssl/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java

Tests tracking API changes. Tests involving cert chains now
updated to use TestKeyStore.assertChainLength to avoid hardwiring
expected chain length in tests. These tests also now use
TestSSLContext.assertClientCertificateChain to validate that the
chain is properly constructed and trusted by a trust manager.

luni/src/test/java/java/net/URLConnectionTest.java
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/javax/net/ssl/TestSSLEnginePair.java
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java

frameworks/base

Tracking change of SSLContextImpl to OpenSSLContextImpl

core/java/android/net/SSLCertificateSocketFactory.java
core/java/android/net/http/HttpsConnection.java
tests/CoreTests/android/core/SSLPerformanceTest.java
tests/CoreTests/android/core/SSLSocketTest.java

Tracking changes to TestSSLContext

core/tests/coretests/src/android/net/http/HttpsThroughHttpProxyTest.java

Change-Id: I792921617164a98467c500d7fe53dbd738adfa02
/external/openssl/include/openssl/ssl.h
ad880030f0e8576c14b4ca332fe8b4f23257bc6d 14-May-2010 Brian Carlstrom <bdc@google.com> Adding SSL_set_cipher_lists and turning on elliptic curve

Summary:
- adding SSL_set_cipher_lists for JSSE support
- enabling elliptic curve for new JSSE cipher suites

Details:

Adding SSL_set_cipher_lists that allows setting of SSL ciphers (and
indirectly ciphers_by_id). This allows us to explicitly set a desired
cipher suite list with our own ordering for JSSE support.

patches/jsse.patch

Enabling EC, ECDH, and ECDSA which are needed for RI 6 elliptic curve cipher suites.
- EC = Elliptic Curve
- ECDH = Elliptic Curve Diffie-Hellman
- ECDSA = Elliptic Curve Digital Signature Algorithm

android-config.mk
patches/apps_Android.mk
patches/crypto_Android.mk
openssl.config

Remove warning from openssl output to remove testssl warnings

patches/progs.patch
openssl.config

Misc

Update clean, build, and test instructions

README.android

Fixing whitespace inconsistency noted when updating clean target

patches/ssl_Android.mk

Generated files

Copied from patches:

apps/Android.mk
crypto/Android.mk
ssl/Android.mk

Newly imported EC files from openssl-1.0.0.tar.gz
Interestingly most of the needed files were already present, if not compiled.

crypto/ec/ec_ameth.c
crypto/ec/ec_pmeth.c
crypto/ec/eck_prn.c

SSL_set_cipher_lists

include/openssl/ssl.h
ssl/ssl.h
ssl/ssl_lib.c

Disabled warning

apps/openssl.c

Change-Id: I9edc9da2ea65d7d8e55257300a5978638a3e472d
/external/openssl/include/openssl/ssl.h
e296ea5cc0cd651d068eaf59a1552d07ea18b7c0 24-Apr-2010 Brian Carlstrom <bdc@google.com> Adding SSL_set_session_creation_enabled for SSLSocket.setEnableSessionCreation(false) support

SSL_set_session_creation_enabled implementation

Add session_creation_enabled to ssl_st (aka SSL)
Add SSL_set_session_creation_enabled(SSL*, int) declaration
Add SSL_R_SESSION_MAY_NOT_BE_CREATED error reason

include/openssl/ssl.h
ssl/ssl.h

Before creating session, check if session_creation_enabled.
If not, error out, sending alert when possible in SSL3+ cases.

ssl/d1_clnt.c
ssl/s23_clnt.c
ssl/s3_clnt.c
ssl/s3_srvr.c

Add error message for SSL_R_SESSION_MAY_NOT_BE_CREATED

ssl/ssl_err.c

Initialize session_creation_enabled to 1 in SSL_new

ssl/ssl_lib.c

Definition of SSL_set_session_creation_enabled. Add lower level
check for session_creation_enabled in ssl_get_new_session in case
it is not caught by higher levels.

ssl/ssl_sess.c

Patch details

Added jsse.patch to list and add list of patched files.
Fix whitespace to be tabs for consistency.

openssl.config

Add description of jsse.patch

patches/README

The patch itself, containing the above described changes

patches/jsse.patch

Testing

Updated with note to run javax.net.ssl tests now that they are working reliably.

README.android

Change-Id: Ic46b257a459d21b013396d7a17321fb550f2c1b0
/external/openssl/include/openssl/ssl.h
248a4c78a25b81a72352125142f3fc04493f428b 22-Apr-2010 Huahui Wu <hwu@google.com> Re-enable SSL's cut-through feature in Master over openSSL 1.0.0.
It was pulled because of b/2586347 but it turns out to be a problem in
the tests. The tests were fixed in Change Id8472487, and the feature
is re-enabled here.
Bug id: 2614118

Change-Id: I09caeb80eceb5cc5e1677947f54ced8ccc1677cd
/external/openssl/include/openssl/ssl.h
674ff29eb647c577ba1ef822c373ead69dc386cf 15-Apr-2010 Brian Carlstrom <bdc@google.com> openssl-1.0.0 upgrade

external/openssl

Updated version to 1.0.0
openssl.version

Updated small records patch for 1.0.0. This is probably the most significant change.
patches/small_records.patch

Removed bad_version.patch since fix is included in 0.9.8n and beyond
patches/README
patches/bad_version.patch
openssl.config

Changed import_openssl.sh to generate armv4 asm with the 1.0.0
scripts, not our backported 0.9.9-dev version in
patches/arm-asm.patch.
import_openssl.sh
openssl.config
patches/README
patches/arm-asm.patch

Added -DOPENSSL_NO_STORE to match ./Configure output
Added -DOPENSSL_NO_WHIRLPOOL (no-whrlpool) to skip new optional cipher
android-config.mk
openssl.config

Fixed import to remove include directory during import like other
imported directories (apps, ssl, crypto)
import_openssl.sh

Updated UNNEEDED_SOURCES. Pruned Makefiles which we don't use.
openssl.config

Updated to build newly required files
patches/apps_Android.mk
patches/crypto_Android.mk

Disable some new openssl tools
patches/progs.patch

Updated upgrade testing notes to include running BigInteger tests
README.android

Automatically imported
android.testssl/
apps/
crypto/
e_os.h
e_os2.h
include/
ssl/

dalvik

Change makeCipherList to skip SSLv2 ciphers that 1.0.0 now returns
so there are not duplicate ciphersuite names in getEnabledCipherSuites.
libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

Updated OpenSSLSocketImpl_cipherauthenticationmethod for new
SSL_CIPHER algorithms -> algorithm_auth (and const-ness)
libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

Update to const SSL_CIPHER in OpenSSLSessionImpl_getCipherSuite (and cipherauthenticationmethod)
libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

test_EnabledCipherSuites on both SSLSocketTest and
SSLServerSocketTest caught the makeCipherList problem. However the
asserts were a bit out of sync and didn't give good messages
because they didn't actually show what was going on. As part of
debugging the issue they found, I tried to align the asserts
and improve their output for the future.

libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLServerSocketTest.java
libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLSocketTest.java

vendor/google

Add const to X509V3_EXT_METHOD* for 1.0.0 compatibility
libraries/libjingle/talk/base/openssladapter.cc

Change-Id: I608dbb2ecf4b7a15e13b3f3dcea7c0443ff01e32
/external/openssl/include/openssl/ssl.h
7f9d8bc8c32fa4196cff8a8f1c64c5183eefad9e 14-Apr-2010 Brian Carlstrom <bdc@google.com> disable handshake_cutthrough.patch

CTS tests exposed compatibility problems for SSLSocket applications
with handshake cutthrough enabled. Disabling until they can be
resolved. b/2586347

Change-Id: If2e43f50712780e1905c86b64ac2f89e95e7cc95
/external/openssl/include/openssl/ssl.h
5f06f48e30a40f86ee704147d46e5e37383122fd 30-Mar-2010 Huahui Wu <hwu@google.com> Re-enable the cut-through (a.k.a false start) feature in openSSL.
This will save one RTT for SSL handshake.
b/2511073 explains the details.

Change-Id: I01cd02d2df375bc02eec12814308f0a6e63b8ae1
/external/openssl/include/openssl/ssl.h
a69b00f3432cbf516436c5cecdd177d14f3c4a5a 12-Mar-2010 Brian Carlstrom <bdc@google.com> b/2453395 cannot reach sslvpn.broadcom.com

Disabled handshake_cutthrough.patch in openssl.config

Change-Id: I4fe837876198dcf0593c5f5d32174d8af76f3f9f
/external/openssl/include/openssl/ssl.h
98d58bb80c64b02a33662f0ea80351d4a1535267 09-Mar-2010 Brian Carlstrom <bdc@google.com> Summary: upgrading to openssl-0.9.8m and adding new testssl.sh

Testing Summary:
- Passed new android.testssl/testssl.sh
- General testing with BrowserActivity based program

Details:

Expanded detail in README.android about how to build and test openssl
upgrades based on my first experience.

modified: README.android

Significant rework of import_openssl.sh script that does most of
the work of the upgrade. Most of the existing code became the main
and import functions. The newly regenerate code helps regenerate
patch files, building on the fact that import now keeps an
original unmodified read-only source tree for use for patch
generation. Patch generation relies on additions to openssl.config
for defining which patches include which files. Note that
sometimes a file may be patched multiple times, in that case
manual review is still necessary to prune the patch after
auto-regeneration. Other enhancements to import_openssl.sh include
generating android.testssl and printing Makefile defines for
android-config.mk review.

modified: import_openssl.sh

Test support files for openssl/

Add support for building /system/bin/ssltest as test executable for
use by testssl script. Need confirmation that this is the right way
to define such a test binary.

modified: patches/ssl_Android.mk

Driver script that generates user and CA keys and certs on the
device with /system/bin/openssl before running testssl. Based on
openssl/test/testss for generation and openssl/test/Makefile
test_ssl for test execution.

new file: patches/testssl.sh

Note all following android.testssl files are automatically
imported from openssl, although possibly with modifications by
import_openssl.sh

testssl script imported from openssl/test that does the bulk of
the testing. Includes new tests patched in for our additions.

new file: android.testssl/testssl

CA and user certificate configuration files from openssl.
Automatically imported from openssl/test/

new file: android.testssl/CAss.cnf
new file: android.testssl/Uss.cnf

certificate and key test file imported from openssl/apps

new file: android.testssl/server2.pem

Actual 0.9.8m upgrade specific bits

Trying to bring ngm's small records support into 0.9.8m. Needs
signoff by ngm although it does pass testing.

modified: patches/small_records.patch

Update openssl.config for 0.9.8m. Expanded lists of unneeded
directories and files for easier update and review, adding new
excludes. Also added new definitions to support "import_openssl.sh
regenerate" for patch updating.

modified: openssl.config

Updated OPENSSL_VERSION to 0.9.8m

modified: openssl.version

Automatically imported/patched files. Seems like it could be
further pruned by openssl.config UNNEEDED_SOURCES, but extra
stuff doesn't end up impacting device.

modified: apps/...
modified: crypto/...
modified: include/...
modified: ssl/...

Other Android build stuff.

Note for these patches/... is source, .../Android.mk is derived.

Split LOCAL_CFLAGS additions into lines based on openssl/Makefile
source for easier comparison when upgrading. I knowingly left the
lines long and unwrapped for easy vdiff with openssl/Makefile

modified: android-config.mk

Removed local -DOPENSSL_NO_ECDH already in android-config.mk.

modified: patches/apps_Android.mk

Sync up with changes that had crept into derived crypto/Android.mk

modified: patches/crypto_Android.mk

Change-Id: I73204c56cdaccfc45d03a9c8088a6a93003d7ce6
/external/openssl/include/openssl/ssl.h
1fada29eaaa2a758ba3f68ee9ede8b6715673146 01-Oct-2009 Nagendra Modadugu <ngm@google.com> Add small_records.patch and handshake_cutthrough.patch.
See patches/README for additional details.
/external/openssl/include/openssl/ssl.h
e45f106cb6b47af1f21efe76e933bdea2f5dd1ca 30-Sep-2009 Nagendra Modadugu <ngm@google.com> Upgrade to openssl-0.9.8k.
The source tree (and the size of the compiled library)
can be reduced further. This will be done in a future
commit.
/external/openssl/include/openssl/ssl.h
656d9c7f52f88b3a3daccafa7655dec086c4756e 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
/external/openssl/include/openssl/ssl.h
d2cbe6ee0fd4269543a9a243f2b0963ce6f46280 04-Mar-2009 The Android Open Source Project <initial-contribution@android.com> auto import from //depot/cupcake/@135843
/external/openssl/include/openssl/ssl.h
f48372ded3bb76c2598392aa58abe6e2eb7432d2 21-Oct-2008 The Android Open Source Project <initial-contribution@android.com> Initial Contribution
/external/openssl/include/openssl/ssl.h
bdfb8ad83da0647e9b9a32792598e8ce7ba3ef4d 12-Jan-1970 Upstream <upstream-import@none> external/openssl 0.9.8h
/external/openssl/include/openssl/ssl.h