1 diff -urN android-openssl.orig/openssl.config android-openssl/openssl.config
2 --- android-openssl.orig/openssl.config 2013-10-28 13:39:11.618121779 -0400
3 +++ android-openssl/openssl.config 2013-10-28 14:40:32.642178484 -0400
4 @@ -992,6 +992,7 @@
5 handshake_cutthrough.patch \
6 jsse.patch \
7 channelid.patch \
8 +channelidchromium.patch \
9 eng_dyn_dirs.patch \
10 fix_clang_build.patch \
11 x509_hash_name_algorithm_change.patch \
12 diff -urN android-openssl.orig/patches/channelidchromium.patch android-openssl/patches/channelidchromium.patch
13 --- android-openssl.orig/patches/channelidchromium.patch 1969-12-31 19:00:00.000000000 -0500
14 +++ android-openssl/patches/channelidchromium.patch 2013-10-28 14:34:42.945588394 -0400
15 @@ -0,0 +1,264 @@
16 +diff -burN android-openssl.orig/crypto/bio/bio.h android-openssl/crypto/bio/bio.h
17 +--- android-openssl.orig/crypto/bio/bio.h 2013-02-11 16:26:04.000000000 +0100
18 ++++ android-openssl/crypto/bio/bio.h 2013-10-22 18:22:42.080337200 +0200
19 +@@ -266,6 +266,9 @@
20 + #define BIO_RR_CONNECT 0x02
21 + /* Returned from the accept BIO when an accept would have blocked */
22 + #define BIO_RR_ACCEPT 0x03
23 ++/* Returned from the SSL bio when the channel id retrieval code cannot find the
24 ++ * private key. */
25 ++#define BIO_RR_SSL_CHANNEL_ID_LOOKUP 0x04
26 +
27 + /* These are passed by the BIO callback */
28 + #define BIO_CB_FREE 0x01
29 +diff -burN android-openssl.orig/include/openssl/bio.h android-openssl/include/openssl/bio.h
30 +--- android-openssl.orig/include/openssl/bio.h 2013-10-22 18:20:42.249270230 +0200
31 ++++ android-openssl/include/openssl/bio.h 2013-10-22 18:22:42.080337200 +0200
32 +@@ -266,6 +266,9 @@
33 + #define BIO_RR_CONNECT 0x02
34 + /* Returned from the accept BIO when an accept would have blocked */
35 + #define BIO_RR_ACCEPT 0x03
36 ++/* Returned from the SSL bio when the channel id retrieval code cannot find the
37 ++ * private key. */
38 ++#define BIO_RR_SSL_CHANNEL_ID_LOOKUP 0x04
39 +
40 + /* These are passed by the BIO callback */
41 + #define BIO_CB_FREE 0x01
42 +diff -burN android-openssl.orig/include/openssl/ssl.h android-openssl/include/openssl/ssl.h
43 +--- android-openssl.orig/include/openssl/ssl.h 2013-10-22 18:20:42.259270320 +0200
44 ++++ android-openssl/include/openssl/ssl.h 2013-10-22 18:24:14.771162612 +0200
45 +@@ -848,6 +848,9 @@
46 + /* get client cert callback */
47 + int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
48 +
49 ++ /* get channel id callback */
50 ++ void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
51 ++
52 + /* cookie generate callback */
53 + int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
54 + unsigned int *cookie_len);
55 +@@ -1043,6 +1046,8 @@
56 + void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
57 + void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
58 + int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
59 ++void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey));
60 ++void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey);
61 + #ifndef OPENSSL_NO_ENGINE
62 + int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
63 + #endif
64 +@@ -1104,12 +1109,14 @@
65 + #define SSL_WRITING 2
66 + #define SSL_READING 3
67 + #define SSL_X509_LOOKUP 4
68 ++#define SSL_CHANNEL_ID_LOOKUP 5
69 +
70 + /* These will only be used when doing non-blocking IO */
71 + #define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
72 + #define SSL_want_read(s) (SSL_want(s) == SSL_READING)
73 + #define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
74 + #define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
75 ++#define SSL_want_channel_id_lookup(s) (SSL_want(s) == SSL_CHANNEL_ID_LOOKUP)
76 +
77 + #define SSL_MAC_FLAG_READ_MAC_STREAM 1
78 + #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
79 +@@ -1535,6 +1542,7 @@
80 + #define SSL_ERROR_ZERO_RETURN 6
81 + #define SSL_ERROR_WANT_CONNECT 7
82 + #define SSL_ERROR_WANT_ACCEPT 8
83 ++#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
84 +
85 + #define SSL_CTRL_NEED_TMP_RSA 1
86 + #define SSL_CTRL_SET_TMP_RSA 2
87 +@@ -1672,10 +1680,11 @@
88 + #define SSL_set_tmp_ecdh(ssl,ecdh) \
89 + SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
90 +
91 +-/* SSL_enable_tls_channel_id configures a TLS server to accept TLS client
92 +- * IDs from clients. Returns 1 on success. */
93 +-#define SSL_enable_tls_channel_id(ctx) \
94 +- SSL_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL)
95 ++/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS client
96 ++ * IDs from clients, or configure a client to send TLS client IDs to server.
97 ++ * Returns 1 on success. */
98 ++#define SSL_enable_tls_channel_id(s) \
99 ++ SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL)
100 + /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
101 + * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
102 + * success. */
103 +diff -burN android-openssl.orig/ssl/bio_ssl.c android-openssl/ssl/bio_ssl.c
104 +--- android-openssl.orig/ssl/bio_ssl.c 2013-02-11 16:26:04.000000000 +0100
105 ++++ android-openssl/ssl/bio_ssl.c 2013-10-22 18:22:42.090337290 +0200
106 +@@ -206,6 +206,10 @@
107 + BIO_set_retry_special(b);
108 + retry_reason=BIO_RR_SSL_X509_LOOKUP;
109 + break;
110 ++ case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
111 ++ BIO_set_retry_special(b);
112 ++ retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP;
113 ++ break;
114 + case SSL_ERROR_WANT_ACCEPT:
115 + BIO_set_retry_special(b);
116 + retry_reason=BIO_RR_ACCEPT;
117 +@@ -280,6 +284,10 @@
118 + BIO_set_retry_special(b);
119 + retry_reason=BIO_RR_SSL_X509_LOOKUP;
120 + break;
121 ++ case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
122 ++ BIO_set_retry_special(b);
123 ++ retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP;
124 ++ break;
125 + case SSL_ERROR_WANT_CONNECT:
126 + BIO_set_retry_special(b);
127 + retry_reason=BIO_RR_CONNECT;
128 +diff -burN android-openssl.orig/ssl/s3_clnt.c android-openssl/ssl/s3_clnt.c
129 +--- android-openssl.orig/ssl/s3_clnt.c 2013-10-22 18:20:40.289252781 +0200
130 ++++ android-openssl/ssl/s3_clnt.c 2013-10-22 18:22:42.090337290 +0200
131 +@@ -3414,6 +3414,22 @@
132 + if (s->state != SSL3_ST_CW_CHANNEL_ID_A)
133 + return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
134 +
135 ++ if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb)
136 ++ {
137 ++ EVP_PKEY *key = NULL;
138 ++ s->ctx->channel_id_cb(s, &key);
139 ++ if (key != NULL)
140 ++ {
141 ++ s->tlsext_channel_id_private = key;
142 ++ }
143 ++ }
144 ++ if (!s->tlsext_channel_id_private)
145 ++ {
146 ++ s->rwstate=SSL_CHANNEL_ID_LOOKUP;
147 ++ return (-1);
148 ++ }
149 ++ s->rwstate=SSL_NOTHING;
150 ++
151 + d = (unsigned char *)s->init_buf->data;
152 + *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS;
153 + l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d);
154 +diff -burN android-openssl.orig/ssl/s3_lib.c android-openssl/ssl/s3_lib.c
155 +--- android-openssl.orig/ssl/s3_lib.c 2013-10-22 18:20:40.289252781 +0200
156 ++++ android-openssl/ssl/s3_lib.c 2013-10-22 18:22:42.090337290 +0200
157 +@@ -3358,8 +3358,6 @@
158 + break;
159 + #endif
160 + case SSL_CTRL_CHANNEL_ID:
161 +- if (!s->server)
162 +- break;
163 + s->tlsext_channel_id_enabled = 1;
164 + ret = 1;
165 + break;
166 +@@ -3375,7 +3373,7 @@
167 + }
168 + if (s->tlsext_channel_id_private)
169 + EVP_PKEY_free(s->tlsext_channel_id_private);
170 +- s->tlsext_channel_id_private = (EVP_PKEY*) parg;
171 ++ s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg);
172 + ret = 1;
173 + break;
174 +
175 +@@ -3690,7 +3688,7 @@
176 + }
177 + if (ctx->tlsext_channel_id_private)
178 + EVP_PKEY_free(ctx->tlsext_channel_id_private);
179 +- ctx->tlsext_channel_id_private = (EVP_PKEY*) parg;
180 ++ ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg);
181 + break;
182 +
183 + default:
184 +diff -burN android-openssl.orig/ssl/ssl.h android-openssl/ssl/ssl.h
185 +--- android-openssl.orig/ssl/ssl.h 2013-10-22 18:20:40.299252871 +0200
186 ++++ android-openssl/ssl/ssl.h 2013-10-22 18:24:24.121245879 +0200
187 +@@ -848,6 +848,9 @@
188 + /* get client cert callback */
189 + int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
190 +
191 ++ /* get channel id callback */
192 ++ void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
193 ++
194 + /* cookie generate callback */
195 + int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
196 + unsigned int *cookie_len);
197 +@@ -1043,6 +1046,8 @@
198 + void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
199 + void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
200 + int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
201 ++void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey));
202 ++void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey);
203 + #ifndef OPENSSL_NO_ENGINE
204 + int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
205 + #endif
206 +@@ -1104,12 +1109,14 @@
207 + #define SSL_WRITING 2
208 + #define SSL_READING 3
209 + #define SSL_X509_LOOKUP 4
210 ++#define SSL_CHANNEL_ID_LOOKUP 5
211 +
212 + /* These will only be used when doing non-blocking IO */
213 + #define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
214 + #define SSL_want_read(s) (SSL_want(s) == SSL_READING)
215 + #define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
216 + #define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
217 ++#define SSL_want_channel_id_lookup(s) (SSL_want(s) == SSL_CHANNEL_ID_LOOKUP)
218 +
219 + #define SSL_MAC_FLAG_READ_MAC_STREAM 1
220 + #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
221 +@@ -1535,6 +1542,7 @@
222 + #define SSL_ERROR_ZERO_RETURN 6
223 + #define SSL_ERROR_WANT_CONNECT 7
224 + #define SSL_ERROR_WANT_ACCEPT 8
225 ++#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
226 +
227 + #define SSL_CTRL_NEED_TMP_RSA 1
228 + #define SSL_CTRL_SET_TMP_RSA 2
229 +@@ -1672,10 +1680,11 @@
230 + #define SSL_set_tmp_ecdh(ssl,ecdh) \
231 + SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
232 +
233 +-/* SSL_enable_tls_channel_id configures a TLS server to accept TLS client
234 +- * IDs from clients. Returns 1 on success. */
235 +-#define SSL_enable_tls_channel_id(ctx) \
236 +- SSL_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL)
237 ++/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS client
238 ++ * IDs from clients, or configure a client to send TLS client IDs to server.
239 ++ * Returns 1 on success. */
240 ++#define SSL_enable_tls_channel_id(s) \
241 ++ SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL)
242 + /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
243 + * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
244 + * success. */
245 +diff -burN android-openssl.orig/ssl/ssl_lib.c android-openssl/ssl/ssl_lib.c
246 +--- android-openssl.orig/ssl/ssl_lib.c 2013-10-22 18:20:40.299252871 +0200
247 ++++ android-openssl/ssl/ssl_lib.c 2013-10-22 18:22:42.090337290 +0200
248 +@@ -2561,6 +2561,10 @@
249 + {
250 + return(SSL_ERROR_WANT_X509_LOOKUP);
251 + }
252 ++ if ((i < 0) && SSL_want_channel_id_lookup(s))
253 ++ {
254 ++ return(SSL_ERROR_WANT_CHANNEL_ID_LOOKUP);
255 ++ }
256 +
257 + if (i == 0)
258 + {
259 +diff -burN android-openssl.orig/ssl/ssl_sess.c android-openssl/ssl/ssl_sess.c
260 +--- android-openssl.orig/ssl/ssl_sess.c 2013-10-22 18:20:40.289252781 +0200
261 ++++ android-openssl/ssl/ssl_sess.c 2013-10-22 18:22:42.090337290 +0200
262 +@@ -1132,6 +1132,17 @@
263 + return ctx->client_cert_cb;
264 + }
265 +
266 ++void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx,
267 ++ void (*cb)(SSL *ssl, EVP_PKEY **pkey))
268 ++ {
269 ++ ctx->channel_id_cb=cb;
270 ++ }
271 ++
272 ++void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL * ssl, EVP_PKEY **pkey)
273 ++ {
274 ++ return ctx->channel_id_cb;
275 ++ }
276 ++
277 + #ifndef OPENSSL_NO_ENGINE
278 + int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
279 + {
280
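Review bot: The key that the new `channel_id_cb` hands back in the s3_clnt.c part of the patch is stored as-is (`s->tlsext_channel_id_private = key;`) and is later released by the SSL object (the `EVP_PKEY_free(s->tlsext_channel_id_private)` visible in the s3_lib.c part), whereas the `SSL_CTRL_SET_CHANNEL_ID` path in the same patch now takes its own copy via `EVP_PKEY_dup`; nothing in the struct comment or the `SSL_CTX_set_channel_id_cb` declaration tells a callback author that ownership is transferred, so a callback that keeps its own handle to the key ends in a double free. The callback path also bypasses whatever checks the ctrl path performs before the closing brace that opens the `@@ -3375` hunk, even though the header comment requires a P-256 key — that block is outside the hunk, so this is inferred rather than confirmed. I would replace `/* get channel id callback */` (in both ssl.h copies) with `/* Channel ID callback: set *pkey to a P-256 EVP_PKEY, whose reference passes to the SSL object and is freed by it, or leave it NULL to be asked again via SSL_ERROR_WANT_CHANNEL_ID_LOOKUP */`, or alternatively store `EVP_PKEY_dup(key)` in the callback path so that both paths copy. The enclosing function in s3_clnt.c begins and ends outside the hunk.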