diff options
Diffstat (limited to 'ics-openvpn-stripped/main/openssl/patches')
-rw-r--r-- | ics-openvpn-stripped/main/openssl/patches/README | 82 | ||||
-rwxr-xr-x | ics-openvpn-stripped/main/openssl/patches/testssl.sh | 77 |
2 files changed, 159 insertions, 0 deletions
diff --git a/ics-openvpn-stripped/main/openssl/patches/README b/ics-openvpn-stripped/main/openssl/patches/README new file mode 100644 index 00000000..53444701 --- /dev/null +++ b/ics-openvpn-stripped/main/openssl/patches/README @@ -0,0 +1,82 @@ +progs.patch: + +Fixup sources under the apps/ directory that are not built under the android environment. + + +handshake_cutthrough.patch + +Enables SSL3+ clients to send application data immediately following the +Finished message even when negotiating full-handshakes. With this patch, +clients can negotiate SSL connections in 1-RTT even when performing +full-handshakes. + +jsse.patch + +Support for JSSE implementation based on OpenSSL. + +channelid.patch + +Implements TLS Channel ID support as both a client and a server. +See http://tools.ietf.org/html/draft-balfanz-tls-channelid-00. + +eng_dyn_dirs.patch + +Fixes the case of having multiple DIR_ADD commands sent to eng_dyn + +fix_clang_build.patch + +Fixes the Clang based build. + +tls12_digests.patch + +Fixes a bug with handling TLS 1.2 and digest functions for DSA and ECDSA +keys. + +alpn.patch + +This change adds support for ALPN in OpenSSL. ALPN is the IETF +blessed version of NPN and we'll be supporting both ALPN and NPN for +some time yet. + +cbc_record_splitting.patch + +BEAST attack client-side mitigation. Removes 0/n record splitting, adds 1/n-1 +record splitting. Record splitting is disabled by default. + +dsa_nonce.patch + +Adds an option to mix in hash of message and private key into (EC)DSA nonces to +make (EC)DSA more resilient to weaknesses in RNGs used for nonces. The feature +is disabled by default. + +ecdhe_psk.patch + +Adds support for ECDHE Pre-Shared Key (PSK) TLS cipher suites. + +ecdhe_psk_part2.patch + +Removes ECHDE-PSK cipher suites with SHA-2 because they cannot be used with +SSLv3 (and there's no way to express that in OpenSSL's configuration). Adds +SHA-1 based ECDHE-PSK AES-CBC cipher suites instead. + +arm_asm.patch + +Adds newer ARM assembly pack with BSAES for ARMv7 and acceleration for ARMv8 +Based on branch available at: +https://git.linaro.org/people/ard.biesheuvel/openssl.git/shortlog/refs/heads/openssl-1.0.1f-with-arm-patches +c7b582ef23eb6f4386664e841e6e406d984c38d3^..cb8b1ab03e5c179a719afe83f03fecb1c2c78730 + +tls_psk_hint.patch + +Fixes issues with TLS-PSK identity hint implementation where +per-connection/session and per-context hints were being mixed up. + +psk_client_callback_128_byte_id_bug.patch + +Fixes the issue where it was impossible to return a 128 byte long PSK identity +(the maximum supported length) from psk_client_callback. + +tls_fallback_scsv.patch + +Adds the signalling cipher suite value (SCSV) from +https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 diff --git a/ics-openvpn-stripped/main/openssl/patches/testssl.sh b/ics-openvpn-stripped/main/openssl/patches/testssl.sh new file mode 100755 index 00000000..cd560928 --- /dev/null +++ b/ics-openvpn-stripped/main/openssl/patches/testssl.sh @@ -0,0 +1,77 @@ +#!/bin/bash +# +# Copyright (C) 2010 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# +# Android testssl.sh driver script for openssl's testssl +# +# based on openssl's test/testss script and test/Makefile's test_ssl target +# + +set -e +trap "echo Exiting on unexpected error." ERR + +device=/sdcard/android.testssl + +digest='-sha1' +reqcmd="adb shell /system/bin/openssl req" +x509cmd="adb shell /system/bin/openssl x509 $digest" + +CAkey="$device/keyCA.ss" +CAcert="$device/certCA.ss" +CAreq="$device/reqCA.ss" +CAconf="$device/CAss.cnf" + +Uconf="$device/Uss.cnf" +Ureq="$device/reqU.ss" +Ukey="$device/keyU.ss" +Ucert="$device/certU.ss" + +echo +echo "setting up" +adb remount +adb shell rm -r $device +adb shell mkdir $device + +echo +echo "pushing test files to device" +adb push . $device + +echo +echo "make a certificate request using 'req'" +adb shell "echo \"string to make the random number generator think it has entropy\" >> $device/.rnd" +req_new='-new' +$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new + +echo +echo "convert the certificate request into a self signed certificate using 'x509'" +$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca + +echo +echo "make a user certificate request using 'req'" +$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new + +echo +echo "sign user certificate request with the just created CA via 'x509'" +$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee + +echo +echo "running testssl" +./testssl $Ukey $Ucert $CAcert + +echo +echo "cleaning up" +adb shell rm -r $device |