Under some circumstances, certain TLS connections are dropped by certain

remote servers when the TLS ClientHello record exceeds 256 bytes.

This patch changes the number of ECC formats advertised in the ClientHello
to exactly match the same formats advertised by the desktop version of
Chromium during TLS negotiation, netting a savings of approximately 50
bytes in the ClientHello record. This effectively eliminates the occurrence
of the issue.

Patch is named with a 'z' to ensure it is applied after the other patches
in the folder when import_from_android.sh is run, since that script processes
patches in alphabetical order.

R=digit@chromium.org,wtc@chromium.org
BUG:chromium:245500
TEST: 
1. With V25, Visit http://campusstatebank.com 
2. Enter a fictitious username and click "Submit"
3. The "processing login" page appears.
4. Nothing happens. In some cases, the logo will fail to show.
5. With the proposed patch applied, visit http://campusstatebank.com 
6. Enter a fictitious username and click "Submit"
7. The "processing login" page appears.
8. The browser is redirected to a page where the password can be entered.

Contributed by mckev@amazon.com

Review URL: https://chromiumcodereview.appspot.com/17425002

git-svn-id: http://src.chromium.org/svn/trunk/deps/third_party/openssl@207965 4ff67af0-8c30-449e-8e8b-ad334ec8d88c

5 files changed, 169 insertions, 27 deletions

diff --git a/README.chromium b/README.chromium
index 36b1480..6e49163 100644
--- a/README.chromium
+++ b/README.chromium
@@ -176,6 +176,10 @@ located in patches.chromium/. Currently this consists of:
     Exclude the source files bn_asm.c and rc4_skey.c for x86_64 because
     they are replaced by x86_64-gcc.c and rc4-x86_64.S.
 
+  z_reduce_client_hello_size.patch
+    Advertise support of only the NIST curves P-521, P-384, and P-256,
+    as well as only uncompressed points, to keep ClientHello small.
+
 **************************************************************************
 Adding new Chromium patches:
 
diff --git a/openssl/openssl.config b/openssl/openssl.config
index 78dac05..7519558 100644
--- a/openssl/openssl.config
+++ b/openssl/openssl.config
@@ -995,6 +995,7 @@ channelid.patch \
 eng_dyn_dirs.patch \
 fix_clang_build.patch \
 x509_hash_name_algorithm_change.patch \
+reduce_client_hello_size.patch \
 "
 
 OPENSSL_PATCHES_progs_SOURCES="\
@@ -1054,3 +1055,7 @@ crypto/x509v3/v3_utl.c \
 OPENSSL_PATCHES_x509_hash_name_algorithm_change_SOURCES="\
 crypto/x509/by_dir.c \
 "
+
+OPENSSL_PATCHES_reduce_client_hello_size_SOURCES="\
+ssl/t1_lib.c \
+"
diff --git a/openssl/patches/reduce_client_hello_size.patch b/openssl/patches/reduce_client_hello_size.patch
new file mode 100644
index 0000000..b4e3c23
--- /dev/null
+++ b/openssl/patches/reduce_client_hello_size.patch
@@ -0,0 +1,64 @@
+diff -burN android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c
+--- android-openssl.orig/ssl/t1_lib.c	2013-06-21 14:24:45.338681810 -0700
++++ android-openssl/ssl/t1_lib.c	2013-06-21 14:34:07.977205221 -0700
+@@ -202,33 +202,14 @@
+ 		NID_secp521r1  /* secp521r1 (25) */	
+ 	};
+ 
++/* We support only the elliptic curves that are also supported by NSS
++ * to improve compatibility with sites that don't accept large ClientHellos.
++ */
+ static int pref_list[] =
+ 	{
+-		NID_sect571r1, /* sect571r1 (14) */ 
+-		NID_sect571k1, /* sect571k1 (13) */ 
+ 		NID_secp521r1, /* secp521r1 (25) */	
+-		NID_sect409k1, /* sect409k1 (11) */ 
+-		NID_sect409r1, /* sect409r1 (12) */
+ 		NID_secp384r1, /* secp384r1 (24) */
+-		NID_sect283k1, /* sect283k1 (9) */
+-		NID_sect283r1, /* sect283r1 (10) */ 
+-		NID_secp256k1, /* secp256k1 (22) */ 
+ 		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
+-		NID_sect239k1, /* sect239k1 (8) */ 
+-		NID_sect233k1, /* sect233k1 (6) */
+-		NID_sect233r1, /* sect233r1 (7) */ 
+-		NID_secp224k1, /* secp224k1 (20) */ 
+-		NID_secp224r1, /* secp224r1 (21) */
+-		NID_sect193r1, /* sect193r1 (4) */ 
+-		NID_sect193r2, /* sect193r2 (5) */ 
+-		NID_secp192k1, /* secp192k1 (18) */
+-		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
+-		NID_sect163k1, /* sect163k1 (1) */
+-		NID_sect163r1, /* sect163r1 (2) */
+-		NID_sect163r2, /* sect163r2 (3) */
+-		NID_secp160k1, /* secp160k1 (15) */
+-		NID_secp160r1, /* secp160r1 (16) */ 
+-		NID_secp160r2, /* secp160r2 (17) */ 
+ 	};
+ 
+ int tls1_ec_curve_id2nid(int curve_id)
+@@ -1703,17 +1684,18 @@
+ 	if (using_ecc)
+ 		{
+ 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
+-		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
++		/* To save an additional 2 bytes in the ClientHello, we only advertise support
++		 * for the only EC Point Format that NSS supports (instead of all 3).
++		 */
++		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
+ 			{
+ 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
+ 			return -1;
+ 			}
+-		s->tlsext_ecpointformatlist_length = 3;
++		s->tlsext_ecpointformatlist_length = 1;
+ 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
+-		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+-		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
+ 
+-		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
++		/* we only advertise support for elliptic curves in NSA Suite B */
+ 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
+ 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
+ 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
diff --git a/openssl/ssl/t1_lib.c b/openssl/ssl/t1_lib.c
index 28d45b3..f447f22 100644
--- a/openssl/ssl/t1_lib.c
+++ b/openssl/ssl/t1_lib.c
@@ -202,33 +202,14 @@ static int nid_list[] =
 		NID_secp521r1  /* secp521r1 (25) */	
 	};
 
+/* We support only the elliptic curves that are also supported by NSS
+ * to improve compatibility with sites that don't accept large ClientHellos.
+ */
 static int pref_list[] =
 	{
-		NID_sect571r1, /* sect571r1 (14) */ 
-		NID_sect571k1, /* sect571k1 (13) */ 
 		NID_secp521r1, /* secp521r1 (25) */	
-		NID_sect409k1, /* sect409k1 (11) */ 
-		NID_sect409r1, /* sect409r1 (12) */
 		NID_secp384r1, /* secp384r1 (24) */
-		NID_sect283k1, /* sect283k1 (9) */
-		NID_sect283r1, /* sect283r1 (10) */ 
-		NID_secp256k1, /* secp256k1 (22) */ 
 		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
-		NID_sect239k1, /* sect239k1 (8) */ 
-		NID_sect233k1, /* sect233k1 (6) */
-		NID_sect233r1, /* sect233r1 (7) */ 
-		NID_secp224k1, /* secp224k1 (20) */ 
-		NID_secp224r1, /* secp224r1 (21) */
-		NID_sect193r1, /* sect193r1 (4) */ 
-		NID_sect193r2, /* sect193r2 (5) */ 
-		NID_secp192k1, /* secp192k1 (18) */
-		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
-		NID_sect163k1, /* sect163k1 (1) */
-		NID_sect163r1, /* sect163r1 (2) */
-		NID_sect163r2, /* sect163r2 (3) */
-		NID_secp160k1, /* secp160k1 (15) */
-		NID_secp160r1, /* secp160r1 (16) */ 
-		NID_secp160r2, /* secp160r2 (17) */ 
 	};
 
 int tls1_ec_curve_id2nid(int curve_id)
@@ -1703,17 +1684,18 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
 	if (using_ecc)
 		{
 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
-		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
+		/* To save an additional 2 bytes in the ClientHello, we only advertise support
+		 * for the only EC Point Format that NSS supports (instead of all 3).
+		 */
+		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
 			{
 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
 			return -1;
 			}
-		s->tlsext_ecpointformatlist_length = 3;
+		s->tlsext_ecpointformatlist_length = 1;
 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
-		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
-		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
 
-		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
+		/* we only advertise support for elliptic curves in NSA Suite B */
 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
diff --git a/patches.chromium/z_reduce_client_hello_size.patch b/patches.chromium/z_reduce_client_hello_size.patch
new file mode 100644
index 0000000..1bac5cc
--- /dev/null
+++ b/patches.chromium/z_reduce_client_hello_size.patch
@@ -0,0 +1,87 @@
+diff -burN android-openssl.orig/openssl.config android-openssl/openssl.config
+--- android-openssl.orig/openssl.config	2013-06-21 14:24:36.298545589 -0700
++++ android-openssl/openssl.config	2013-06-21 14:30:36.253997113 -0700
+@@ -995,6 +995,7 @@
+ eng_dyn_dirs.patch \
+ fix_clang_build.patch \
+ x509_hash_name_algorithm_change.patch \
++reduce_client_hello_size.patch \
+ "
+ 
+ OPENSSL_PATCHES_progs_SOURCES="\
+@@ -1054,3 +1055,7 @@
+ OPENSSL_PATCHES_x509_hash_name_algorithm_change_SOURCES="\
+ crypto/x509/by_dir.c \
+ "
++
++OPENSSL_PATCHES_reduce_client_hello_size_SOURCES="\
++ssl/t1_lib.c \
++"
+diff -burN android-openssl.orig/patches/reduce_client_hello_size.patch android-openssl/patches/reduce_client_hello_size.patch
+--- android-openssl.orig/patches/reduce_client_hello_size.patch	1969-12-31 16:00:00.000000000 -0800
++++ android-openssl/patches/reduce_client_hello_size.patch	2013-06-21 14:35:14.508212895 -0700
+@@ -0,0 +1,64 @@
++diff -burN android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c
++--- android-openssl.orig/ssl/t1_lib.c	2013-06-21 14:24:45.338681810 -0700
+++++ android-openssl/ssl/t1_lib.c	2013-06-21 14:34:07.977205221 -0700
++@@ -202,33 +202,14 @@
++ 		NID_secp521r1  /* secp521r1 (25) */	
++ 	};
++ 
+++/* We support only the elliptic curves that are also supported by NSS
+++ * to improve compatibility with sites that don't accept large ClientHellos.
+++ */
++ static int pref_list[] =
++ 	{
++-		NID_sect571r1, /* sect571r1 (14) */ 
++-		NID_sect571k1, /* sect571k1 (13) */ 
++ 		NID_secp521r1, /* secp521r1 (25) */	
++-		NID_sect409k1, /* sect409k1 (11) */ 
++-		NID_sect409r1, /* sect409r1 (12) */
++ 		NID_secp384r1, /* secp384r1 (24) */
++-		NID_sect283k1, /* sect283k1 (9) */
++-		NID_sect283r1, /* sect283r1 (10) */ 
++-		NID_secp256k1, /* secp256k1 (22) */ 
++ 		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
++-		NID_sect239k1, /* sect239k1 (8) */ 
++-		NID_sect233k1, /* sect233k1 (6) */
++-		NID_sect233r1, /* sect233r1 (7) */ 
++-		NID_secp224k1, /* secp224k1 (20) */ 
++-		NID_secp224r1, /* secp224r1 (21) */
++-		NID_sect193r1, /* sect193r1 (4) */ 
++-		NID_sect193r2, /* sect193r2 (5) */ 
++-		NID_secp192k1, /* secp192k1 (18) */
++-		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
++-		NID_sect163k1, /* sect163k1 (1) */
++-		NID_sect163r1, /* sect163r1 (2) */
++-		NID_sect163r2, /* sect163r2 (3) */
++-		NID_secp160k1, /* secp160k1 (15) */
++-		NID_secp160r1, /* secp160r1 (16) */ 
++-		NID_secp160r2, /* secp160r2 (17) */ 
++ 	};
++ 
++ int tls1_ec_curve_id2nid(int curve_id)
++@@ -1703,17 +1684,18 @@
++ 	if (using_ecc)
++ 		{
++ 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
++-		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
+++		/* To save an additional 2 bytes in the ClientHello, we only advertise support
+++		 * for the only EC Point Format that NSS supports (instead of all 3).
+++		 */
+++		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
++ 			{
++ 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
++ 			return -1;
++ 			}
++-		s->tlsext_ecpointformatlist_length = 3;
+++		s->tlsext_ecpointformatlist_length = 1;
++ 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
++-		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
++-		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
++ 
++-		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
+++		/* we only advertise support for elliptic curves in NSA Suite B */
++ 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
++ 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
++ 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)