Index: README.chromium |
diff --git a/README.chromium b/README.chromium |
deleted file mode 100644 |
index 4aee197befc2c26b766b8d62cbcf56692c5bdd67..0000000000000000000000000000000000000000 |
--- a/README.chromium |
+++ /dev/null |
@@ -1,253 +0,0 @@ |
-Name: openssl |
-URL: http://openssl.org/source/ |
-Version: 1.0.1e |
-License: BSDish |
-License File: openssl/NOTICE |
-License Android Compatible: yes |
-Security Critical: yes |
- |
-Description: |
-This is OpenSSL, the standard SSL/TLS library, which is used *only* in |
-the following cases: |
- |
- - For Chrome/Chromium, only on Android to implement SSL/TLS support |
- (while certificate validation is performed through the platform APIs), |
- instead of using NSS as on other Linux-based operating systems. |
- |
- Note that there is no plans to support OpenSSL in Chromium on other |
- platforms. For more context, please read: |
- |
- https://groups.google.com/a/chromium.org/d/msg/chromium-dev/gmO3U9HLY3Y/RPGNiQ-NL-YJ |
- |
- - To implement net/tools/flip_server, a host-side tool. Read more about |
- it at the following page: |
- |
- http://dev.chromium.org/spdy/running_flipinmemserver |
- |
-This means that the library must be built for these systems: |
- |
- Android/ARM |
- Android/x86 |
- Linux/x86 |
- Linux/x86_64 |
- Darwin/x86 |
- Darwin/x86_64 |
- |
-Whenever you change it, try to rebuild Chromium for all these systems. |
- |
-************************************************************************** |
-Automatic generation of source tree. |
- |
-Most of the sources in this directory are auto-generated and come from |
-the Android version of the OpenSSL sources, with a few Chromium-specific |
-patches applied. |
- |
-Said Android sources are themselves a patched subset of the official |
-OpenSSL release sources, generated by a special import script. |
- |
-To update the sources for Chromium, one has to modify |
-openssl-chromium.config or the content of patches.chromium/ then run: |
- |
- ./import_from_android.sh |
- |
-Before doing that, you should understand how everything works: |
- |
- 1) Android-specific files are taken from a given commit from the |
- AOSP git servers. See how 'openssl-chromium.config' defines the |
- following variables: |
- |
- ANDROID_OPENSSL_GIT_SOURCE -> point to source git server. |
- ANDROID_OPENSSL_GIT_COMMIT -> point to git commit |
- |
- 2) All downloaded Android-specific files are placed under the openssl/ |
- sub-directory. The most important files are the following: |
- |
- openssl/openssl.version |
- Configuration file telling which upstream version of |
- OpenSSL sources to use. |
- |
- openssl/patches/ |
- Directory containing several Android-specific patches to |
- apply to the official OpenSSL sources to create the |
- Android ones. See openssl/patches/README for a description |
- of what each of these patches do. |
- |
- openssl/openssl.config |
- Configuration file describing which build-time options |
- to enable, what patches to apply, which source files to compile |
- (including CPU architecture-specific variants), and which |
- sources to keep in the final source directory. |
- |
- openssl/import_openssl.sh |
- Import script used to regenerate all other Android-specific |
- source files, based on the configuration files above |
- and a tarball of the official OpenSSL source release. |
- |
- For example, to rebuild the full Android source tree (without any |
- Chromium patches), one would do something like: |
- |
- cd openssl/ |
- ./import_openssl.sh import /path/to/openssl-<version>.tar.gz |
- |
- where <version> matches the definition found in 'openssl.version'. |
- |
- 3) Chromium adds a few of its own files: |
- |
- openssl-chromium.config |
- Configuration file which indicates: |
- - The reference Android OpenSSL git repository and commit. |
- - The download location of official OpenSSL source tarballs. |
- - The corresponding SHA-1 sum, for sanity checking. |
- |
- patches.chromium/ |
- A set of additional patches to apply to the openssl/ tree |
- after it has been downloaded from the Android git repository. |
- |
- These patches are applied _before_ import_openssl.sh is run to |
- re-generate the final set of sources. This allows modifying the |
- content of any Android configuration file easily. |
- |
- openssl.gyp |
- A gyp build file for the library. Manually maintained, this file |
- includes openssl.gypi below. |
- |
- openssl.gypi |
- An *auto-generated* gyp include file that contains the required |
- definitions used to describe the library's sources to the |
- Chromium build system. Its content mirrors openssl/openssl.config |
- in a gyp-compatible way. |
- |
- config/x64/openssl/opensslconf.h |
- Another *auto-generated* file used for 64-bit builds of the library |
- only. This is required for correctness because the Android sources |
- only come with a single generic header which is tailored for |
- 32-bit builds. Using the latter results either in a broken build, |
- or even worse, in a library that doesn't work correctly. |
- |
- The content of this file is a simple copy of |
- openssl/include/openssl/opensslconf.h, with a few lines |
- altered to reflect that the target has 64-bit types. |
- |
- import_from_android.sh |
- The top-level script that will automatically perform the full |
- Chromium download + patching + import + auto-generation process. |
- |
- |
-More specifically, calling 'import_from_android.sh' will do the following: |
- |
- 1) Download a specific Android commit from AOSP git servers to openssl/ |
- 2) Download the corresponding official OpenSSL release tarball. |
- 3) Sainty check its SHA-1 against a hard-coded value. |
- 4) Apply chromium-specific patches. |
- 5) Re-run the Android 'import_openssl.sh' script. |
- 6) Auto-generate config/x64/openssl/opensslconf.h |
- 7) Auto-generate openssl.gypi |
- |
-Once the script is done, all you need to do is launch gyp again, rebuild |
-and run unit tests. Use the --verbose option to see what the script does, |
-or --help to see a detailed scription and a list of valid options. |
- |
-************************************************************************** |
-Chromium-specific patches: |
- |
-The list of Chromium-specific patches to apply to the Android tree is |
-located in patches.chromium/. Currently this consists of: |
- |
- x509_hash_name_algorithm_change.patch |
- Ensure the library can find the right files under /etc/ssl/certs when |
- running on older systems. |
- |
- There are many symbolic links under /etc/ssl/certs created by using |
- hash of the PEM certificates in order for OpenSSL to find those |
- certificates. Openssl has a tool to help you create hash symbolic |
- links (tools/c_rehash). However newer versions of the library changed |
- the hash algorithm, which makes it unable to run properly on systems |
- that use the old /etc/ssl/certs layout (e.g. Ubuntu Lucid). |
- |
- This patch gives a way to find a certificate according to its hash by |
- using both the old and new algorithms. http://crbug.com/111045 is used |
- to track this issue. |
- |
- enable-dtls1.patch: |
- Enable DTLSv1, which is disabled by default in the Android platform |
- configuration. |
- |
- x86_64_source_excludes.patch |
- Exclude the source files bn_asm.c and rc4_skey.c for x86_64 because |
- they are replaced by x86_64-gcc.c and rc4-x86_64.S. |
- |
- z_reduce_client_hello_size.patch |
- Advertise support of only the NIST curves P-521, P-384, and P-256, |
- as well as only uncompressed points, to keep ClientHello small. |
- |
- channelid.patch |
- Add API so that channel ID private key can be set only after verifying the |
- remote server supports channel IDs. |
- |
- fix_lhash_iteration.patch |
- Fix a crash that happens when OpenSSL tries to delete items from a lhash |
- table that is being iterated over. This happens in certain rare cases |
- when SSL_CTX_flush_sessions() is called. See http://crbug.com/298606 |
- |
- chacha.patch |
- Add support for ChaCha20+Poly1305 cipher suites. |
- |
- paddingext.patch |
- paddingext2.patch |
- Add ClientHello padding to workaround bug in F5 terminators. |
- |
- stricter_cutthrough.patch |
- Requires NPN and a PFS cipher suite to enable cut-through (false start) on |
- the client. |
- |
- mac_osx32_assembly.patch |
- Add support for 32 bit OS X with assembly optimization. |
- |
- fix_limit_checks.patch |
- Fix limit checks in writing extensions. BUF_MEM_grow allocates 4/3 the size |
- requested, so it doesn't overflow the actual allocation. |
- |
- reorder_extensions.patch |
- Move the ECC extensions to the end of the ClientHello to work around a |
- server bug. Some servers are intolerant to the last extension being empty. |
- See https://crbug.com/363583 |
- |
- export_certificate_types.patch |
- Export the certificate_types field in CertificateRequest. |
- |
- send_client_verify_cleanup.patch |
- Clean up ssl3_send_client_verify so the various cases (TLS 1.2, pre-TLS-1.2 |
- cases for each cipher suite) are less intertwined. |
- |
-************************************************************************** |
-Adding new Chromium patches: |
- |
-In the event you need to add a new Chromium-specific patch, follow this |
-procedure: |
- |
- 1) Use the --temp-dir option to download everything to a known directory |
- (by default, import_from_android.sh downloads everything into a |
- temporary directory that is erased when the script exits, even in |
- case of error). |
- |
- ./import_from_android.sh --temp-dir=/tmp/aaa |
- |
- 2) Save the "original" Android sources: |
- |
- cp -rp /tmp/aaa/build/android-openssl /tmp/aaa/build/android-openssl.orig |
- |
- 3) Modify the content of /tmp/aaa/build/android-openssl appropriately. |
- You do *not* have to run 'import_openssl.sh' |
- |
- 4) Create new patch: |
- |
- (cd /tmp/aaa/build && diff -burN android-openssl.orig android-openssl) > patches.chromium/my-new-change.patch |
- |
- 5) Re-run the script: |
- |
- ./import_from_android.sh |
- |
-Generally speaking, consider sending your patch directly to the Android |
-open-source review servers too. Once submitted there, you can update |
-the git commit in openssl-chromium.org and remove your local patch in |
-one new CL. |
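Review bot: The hunk at "@@ -1,253 +0,0 @@" deletes the whole README for a component it marks "Security Critical: yes", and nothing visible in this diff shows where the information in it goes. That includes the inventory of Chromium-specific patches (fix_limit_checks.patch, stricter_cutthrough.patch, fix_lhash_iteration.patch and the rest) and the import steps with the SHA-1 check on the upstream tarball. If patches.chromium/, import_from_android.sh, openssl.gyp and the openssl/ tree are removed in the same change, state that in the change description so the deletion reads as a full removal of the component. If any of them remain, keep or relocate the patch list and the import procedure so the local deviations from upstream OpenSSL stay documented and auditable.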