1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
diff -burN android-openssl.orig/openssl.config android-openssl/openssl.config
--- android-openssl.orig/openssl.config 2013-06-21 14:24:36.298545589 -0700
+++ android-openssl/openssl.config 2013-06-21 14:30:36.253997113 -0700
@@ -995,6 +995,7 @@
eng_dyn_dirs.patch \
fix_clang_build.patch \
x509_hash_name_algorithm_change.patch \
+reduce_client_hello_size.patch \
"
OPENSSL_PATCHES_progs_SOURCES="\
@@ -1054,3 +1055,7 @@
OPENSSL_PATCHES_x509_hash_name_algorithm_change_SOURCES="\
crypto/x509/by_dir.c \
"
+
+OPENSSL_PATCHES_reduce_client_hello_size_SOURCES="\
+ssl/t1_lib.c \
+"
diff -burN android-openssl.orig/patches/reduce_client_hello_size.patch android-openssl/patches/reduce_client_hello_size.patch
--- android-openssl.orig/patches/reduce_client_hello_size.patch 1969-12-31 16:00:00.000000000 -0800
+++ android-openssl/patches/reduce_client_hello_size.patch 2013-06-21 14:35:14.508212895 -0700
@@ -0,0 +1,64 @@
+diff -burN android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c
+--- android-openssl.orig/ssl/t1_lib.c 2013-06-21 14:24:45.338681810 -0700
++++ android-openssl/ssl/t1_lib.c 2013-06-21 14:34:07.977205221 -0700
+@@ -202,33 +202,14 @@
+ NID_secp521r1 /* secp521r1 (25) */
+ };
+
++/* We support only the elliptic curves that are also supported by NSS
++ * to improve compatibility with sites that don't accept large ClientHellos.
++ */
+ static int pref_list[] =
+ {
+- NID_sect571r1, /* sect571r1 (14) */
+- NID_sect571k1, /* sect571k1 (13) */
+ NID_secp521r1, /* secp521r1 (25) */
+- NID_sect409k1, /* sect409k1 (11) */
+- NID_sect409r1, /* sect409r1 (12) */
+ NID_secp384r1, /* secp384r1 (24) */
+- NID_sect283k1, /* sect283k1 (9) */
+- NID_sect283r1, /* sect283r1 (10) */
+- NID_secp256k1, /* secp256k1 (22) */
+ NID_X9_62_prime256v1, /* secp256r1 (23) */
+- NID_sect239k1, /* sect239k1 (8) */
+- NID_sect233k1, /* sect233k1 (6) */
+- NID_sect233r1, /* sect233r1 (7) */
+- NID_secp224k1, /* secp224k1 (20) */
+- NID_secp224r1, /* secp224r1 (21) */
+- NID_sect193r1, /* sect193r1 (4) */
+- NID_sect193r2, /* sect193r2 (5) */
+- NID_secp192k1, /* secp192k1 (18) */
+- NID_X9_62_prime192v1, /* secp192r1 (19) */
+- NID_sect163k1, /* sect163k1 (1) */
+- NID_sect163r1, /* sect163r1 (2) */
+- NID_sect163r2, /* sect163r2 (3) */
+- NID_secp160k1, /* secp160k1 (15) */
+- NID_secp160r1, /* secp160r1 (16) */
+- NID_secp160r2, /* secp160r2 (17) */
+ };
+
+ int tls1_ec_curve_id2nid(int curve_id)
+@@ -1703,17 +1684,18 @@
+ if (using_ecc)
+ {
+ if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
+- if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
++ /* To save an additional 2 bytes in the ClientHello, we only advertise support
++ * for the only EC Point Format that NSS supports (instead of all 3).
++ */
++ if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
+ {
+ SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
+ return -1;
+ }
+- s->tlsext_ecpointformatlist_length = 3;
++ s->tlsext_ecpointformatlist_length = 1;
+ s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
+- s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+- s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
+
+- /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
++ /* we only advertise support for elliptic curves in NSA Suite B */
+ if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
+ s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
+ if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
|
