OLD | NEW |
---|---|
(Empty) | |
1 diff -burN android-openssl.orig/openssl.config android-openssl/openssl.config | |
2 --- android-openssl.orig/openssl.config 2013-06-17 14:49:24.055615731 -0700 | |
3 +++ android-openssl/openssl.config 2013-06-17 17:01:55.691768262 -0700 | |
4 @@ -995,6 +995,7 @@ | |
5 eng_dyn_dirs.patch \ | |
6 fix_clang_build.patch \ | |
7 x509_hash_name_algorithm_change.patch \ | |
8 +reduce_client_hello_size.patch \ | |
9 " | |
10 | |
11 OPENSSL_PATCHES_progs_SOURCES="\ | |
12 diff -burN android-openssl.orig/patches/reduce_client_hello_size.patch android-o penssl/patches/reduce_client_hello_size.patch | |
13 --- android-openssl.orig/patches/reduce_client_hello_size.patch 1969-12-31 16:00 :00.000000000 -0800 | |
14 +++ android-openssl/patches/reduce_client_hello_size.patch 2013-06-17 15:34 :21.000000000 -0700 | |
15 @@ -0,0 +1,64 @@ | |
16 +diff -burN android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c | |
17 +--- android-openssl.orig/ssl/t1_lib.c 2013-06-17 15:31:59.055664742 -0700 | |
18 ++++ android-openssl/ssl/t1_lib.c 2013-06-17 15:33:33.015666544 -0700 | |
19 +@@ -202,33 +202,14 @@ | |
20 + NID_secp521r1 /* secp521r1 (25) */ | |
21 + }; | |
22 + | |
23 ++/* We support only the elliptic curves that are also supported by NSS | |
24 ++ * to improve compatibility with sites that don't accept large ClientHellos. | |
25 ++ */ | |
26 + static int pref_list[] = | |
27 + { | |
28 +- NID_sect571r1, /* sect571r1 (14) */ | |
29 +- NID_sect571k1, /* sect571k1 (13) */ | |
30 + NID_secp521r1, /* secp521r1 (25) */ | |
31 +- NID_sect409k1, /* sect409k1 (11) */ | |
32 +- NID_sect409r1, /* sect409r1 (12) */ | |
33 + NID_secp384r1, /* secp384r1 (24) */ | |
34 +- NID_sect283k1, /* sect283k1 (9) */ | |
35 +- NID_sect283r1, /* sect283r1 (10) */ | |
36 +- NID_secp256k1, /* secp256k1 (22) */ | |
37 + NID_X9_62_prime256v1, /* secp256r1 (23) */ | |
38 +- NID_sect239k1, /* sect239k1 (8) */ | |
39 +- NID_sect233k1, /* sect233k1 (6) */ | |
40 +- NID_sect233r1, /* sect233r1 (7) */ | |
41 +- NID_secp224k1, /* secp224k1 (20) */ | |
42 +- NID_secp224r1, /* secp224r1 (21) */ | |
43 +- NID_sect193r1, /* sect193r1 (4) */ | |
44 +- NID_sect193r2, /* sect193r2 (5) */ | |
45 +- NID_secp192k1, /* secp192k1 (18) */ | |
46 +- NID_X9_62_prime192v1, /* secp192r1 (19) */ | |
47 +- NID_sect163k1, /* sect163k1 (1) */ | |
48 +- NID_sect163r1, /* sect163r1 (2) */ | |
49 +- NID_sect163r2, /* sect163r2 (3) */ | |
50 +- NID_secp160k1, /* secp160k1 (15) */ | |
51 +- NID_secp160r1, /* secp160r1 (16) */ | |
52 +- NID_secp160r2, /* secp160r2 (17) */ | |
53 + }; | |
54 + | |
55 + int tls1_ec_curve_id2nid(int curve_id) | |
56 +@@ -1703,17 +1684,18 @@ | |
57 + if (using_ecc) | |
58 + { | |
59 + if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ ecpointformatlist); | |
60 +- if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) | |
61 ++ /* To save an additional 2 bytes in the ClientHello, we only adv ertise support | |
62 ++ * for the only EC Point Format that NSS supports (instead of al l 3). | |
63 ++ */ | |
64 ++ if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL) | |
wtc
2013/06/21 17:57:53
Good. I missed the size argument passed to this OP
| |
65 + { | |
66 + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC _FAILURE); | |
67 + return -1; | |
68 + } | |
69 +- s->tlsext_ecpointformatlist_length = 3; | |
70 ++ s->tlsext_ecpointformatlist_length = 1; | |
71 + s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompress ed; | |
72 +- s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_c ompressed_prime; | |
73 +- s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_c ompressed_char2; | |
74 + | |
75 +- /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ | |
76 ++ /* we only support elliptic curves in NSA Suite B */ | |
wtc
2013/06/21 17:57:53
support => advertise support for
Nit: strictly sp
| |
77 + if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ ellipticcurvelist); | |
78 + s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pr ef_list[0]) * 2; | |
79 + if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_elli pticcurvelist_length)) == NULL) | |
OLD | NEW |