xref: /external/chromium_org/third_party/openssl

Name: openssl
URL: http://openssl.org/source/
Version: 1.0.1e
License: BSDish
License File: openssl/NOTICE
License Android Compatible: yes
Security Critical: yes

Description:
This is OpenSSL, the standard SSL/TLS library, which is used *only* in
the following cases:

 - For Chrome/Chromium, only on Android to implement SSL/TLS support
   (while certificate validation is performed through the platform APIs),
   instead of using NSS as on other Linux-based operating systems.

   Note that there is no plans to support OpenSSL in Chromium on other
   platforms. For more context, please read:

     https://groups.google.com/a/chromium.org/d/msg/chromium-dev/gmO3U9HLY3Y/RPGNiQ-NL-YJ

 - To implement net/tools/flip_server, a host-side tool. Read more about
   it at the following page:

     http://dev.chromium.org/spdy/running_flipinmemserver   

This means that the library must be built for these systems:

  Android/ARM
  Android/x86
  Linux/x86
  Linux/x86_64
  Darwin/x86
  Darwin/x86_64

Whenever you change it, try to rebuild Chromium for all these systems.

**************************************************************************
Automatic generation of source tree.

Most of the sources in this directory are auto-generated and come from
the Android version of the OpenSSL sources, with a few Chromium-specific
patches applied.

Said Android sources are themselves a patched subset of the official
OpenSSL release sources, generated by a special import script.

To update the sources for Chromium, one has to modify
openssl-chromium.config or the content of patches.chromium/ then run:

  ./import_from_android.sh

Before doing that, you should understand how everything works:

  1) Android-specific files are taken from a given commit from the
     AOSP git servers. See how 'openssl-chromium.config' defines the
     following variables:

       ANDROID_OPENSSL_GIT_SOURCE  -> point to source git server.
       ANDROID_OPENSSL_GIT_COMMIT  -> point to git commit

  2) All downloaded Android-specific files are placed under the openssl/
     sub-directory. The most important files are the following:

      openssl/openssl.version
          Configuration file telling which upstream version of
          OpenSSL sources to use.

      openssl/patches/
          Directory containing several Android-specific patches to
          apply to the official OpenSSL sources to create the
          Android ones. See openssl/patches/README for a description
          of what each of these patches do.

      openssl/openssl.config
          Configuration file describing which build-time options
          to enable, what patches to apply, which source files to compile
          (including CPU architecture-specific variants), and which
          sources to keep in the final source directory.

      openssl/import_openssl.sh
          Import script used to regenerate all other Android-specific
          source files, based on the configuration files above
          and a tarball of the official OpenSSL source release.

     For example, to rebuild the full Android source tree (without any
     Chromium patches), one would do something like:

        cd openssl/
        ./import_openssl.sh import /path/to/openssl-<version>.tar.gz

     where <version> matches the definition found in 'openssl.version'.

  3) Chromium adds a few of its own files:

    openssl-chromium.config
        Configuration file which indicates:
          - The reference Android OpenSSL git repository and commit.
          - The download location of official OpenSSL source tarballs.
          - The corresponding SHA-1 sum, for sanity checking.

    patches.chromium/
        A set of additional patches to apply to the openssl/ tree
        after it has been downloaded from the Android git repository.

        These patches are applied _before_ import_openssl.sh is run to
        re-generate the final set of sources. This allows modifying the
        content of any Android configuration file easily.

    openssl.gyp
        A gyp build file for the library. Manually maintained, this file
        includes openssl.gypi below.

    openssl.gypi
        An *auto-generated* gyp include file that contains the required
        definitions used to describe the library's sources to the
        Chromium build system. Its content mirrors openssl/openssl.config
        in a gyp-compatible way.

    config/x64/openssl/opensslconf.h
        Another *auto-generated* file used for 64-bit builds of the library
        only. This is required for correctness because the Android sources
        only come with a single generic header which is tailored for
        32-bit builds. Using the latter results either in a broken build,
        or even worse, in a library that doesn't work correctly.

        The content of this file is a simple copy of
        openssl/include/openssl/opensslconf.h, with a few lines
        altered to reflect that the target has 64-bit types.

    import_from_android.sh
        The top-level script that will automatically perform the full
        Chromium download + patching + import + auto-generation process.


More specifically, calling 'import_from_android.sh' will do the following:

  1) Download a specific Android commit from AOSP git servers to openssl/
  2) Download the corresponding official OpenSSL release tarball.
  3) Sainty check its SHA-1 against a hard-coded value.
  4) Apply chromium-specific patches.
  5) Re-run the Android 'import_openssl.sh' script.
  6) Auto-generate config/x64/openssl/opensslconf.h
  7) Auto-generate openssl.gypi

Once the script is done, all you need to do is launch gyp again, rebuild
and run unit tests. Use the --verbose option to see what the script does,
or --help to see a detailed scription and a list of valid options.

**************************************************************************
Chromium-specific patches:

The list of Chromium-specific patches to apply to the Android tree is
located in patches.chromium/. Currently this consists of:

  x509_hash_name_algorithm_change.patch
    Ensure the library can find the right files under /etc/ssl/certs when
    running on older systems.

    There are many symbolic links under /etc/ssl/certs created by using
    hash of the PEM certificates in order for OpenSSL to find those
    certificates. Openssl has a tool to help you create hash symbolic
    links (tools/c_rehash).  However newer versions of the library changed
    the hash algorithm, which makes it unable to run properly on systems
    that use the old /etc/ssl/certs layout (e.g. Ubuntu Lucid).

    This patch gives a way to find a certificate according to its hash by
    using both the old and new algorithms. http://crbug.com/111045 is used
    to track this issue.

  enable-dtls1.patch:
    Enable DTLSv1, which is disabled by default in the Android platform
    configuration.

  x86_64_source_excludes.patch
    Exclude the source files bn_asm.c and rc4_skey.c for x86_64 because
    they are replaced by x86_64-gcc.c and rc4-x86_64.S.

  z_reduce_client_hello_size.patch
    Advertise support of only the NIST curves P-521, P-384, and P-256,
    as well as only uncompressed points, to keep ClientHello small.

  channelid.patch
    Add API so that channel ID private key can be set only after verifying the
    remote server supports channel IDs.

  fix_lhash_iteration.patch
    Fix a crash that happens when OpenSSL tries to delete items from a lhash
    table that is being iterated over. This happens in certain rare cases
    when SSL_CTX_flush_sessions() is called. See http://crbug.com/298606

  chacha.patch
    Add support for ChaCha20+Poly1305 cipher suites.

  paddingext.patch
  paddingext2.patch
    Add ClientHello padding to workaround bug in F5 terminators.

  stricter_cutthrough.patch
    Requires NPN and a PFS cipher suite to enable cut-through (false start) on
    the client.

  mac_osx32_assembly.patch
    Add support for 32 bit OS X with assembly optimization.

  fix_limit_checks.patch
    Fix limit checks in writing extensions. BUF_MEM_grow allocates 4/3 the size
    requested, so it doesn't overflow the actual allocation.

  reorder_extensions.patch
    Move the ECC extensions to the end of the ClientHello to work around a
    server bug. Some servers are intolerant to the last extension being empty.
    See https://crbug.com/363583

  export_certificate_types.patch
    Export the certificate_types field in CertificateRequest.

  send_client_verify_cleanup.patch
    Clean up ssl3_send_client_verify so the various cases (TLS 1.2, pre-TLS-1.2
    cases for each cipher suite) are less intertwined.

**************************************************************************
Adding new Chromium patches:

In the event you need to add a new Chromium-specific patch, follow this
procedure:

  1) Use the --temp-dir option to download everything to a known directory
     (by default, import_from_android.sh downloads everything into a
     temporary directory that is erased when the script exits, even in
     case of error).

       ./import_from_android.sh --temp-dir=/tmp/aaa

  2) Save the "original" Android sources:

       cp -rp /tmp/aaa/build/android-openssl /tmp/aaa/build/android-openssl.orig

  3) Modify the content of /tmp/aaa/build/android-openssl appropriately.
     You do *not* have to run 'import_openssl.sh'

  4) Create new patch:

     (cd /tmp/aaa/build && diff -burN android-openssl.orig android-openssl) > patches.chromium/my-new-change.patch

  5) Re-run the script:

      ./import_from_android.sh

Generally speaking, consider sending your patch directly to the Android
open-source review servers too. Once submitted there, you can update
the git commit in openssl-chromium.org and remove your local patch in
one new CL.