Name: openssl
Version: 1.0.1r
License: BSDish
License File: openssl/LICENSE
License Android Compatible: yes
Security Critical: yes
This is OpenSSL, the standard SSL/TLS library, which is used *only* in
the following cases:
- For Chrome/Chromium, only on Android to implement SSL/TLS support
(while certificate validation is performed through the platform APIs),
instead of using NSS as on other Linux-based operating systems.
Note that there are no plans to support OpenSSL in Chromium on other
platforms. For more context, please read:
- To implement net/tools/flip_server, a host-side tool. Read more about
it at the following page:
This means that the library must be built, at a minimum, for Android, Linux
and Darwin systems.
Android/ARM Android/x86 Linux/x86 Linux/x86_64 Darwin/x86 Darwin/x86_64
This source shall track the state of the Android platform's openssl version
of the library, with some important details listed here:
- The Android version lives under $ANDROID/external/openssl, while
the Chromium version (these files) lives under
- The Android version corresponds to the upstream original sources with
the patches under $ANDROID/external/openssl/patches applied. It also
does not include many files and directories that are not necessary for
the Android build.
- The Chromium version corresponds to the upstream original sources with
the patches under $CHROMIUM/src/third_party/openssl/patches/ applied.
Most of these patches come from the Android tree, with a few additional
The file patches/README lists the purpose of each Android patch.
Additional Chromium-specific patches also exist and are described
at the end of this document.
- The Chromium openssl.gyp tries to match the when it comes
to listing all source files. There is no direct mapping due to many
differences in their structure. To make this slightly easier, this file
doesn't use the convention of listing *all* source files under openssl,
then conditionally removing them for an Android build.
Instead, only the files needed for the build are listed in 'sources'.
Given that there is a very large number of files that are not used in
the build, this simplified the task of keeping both files in sync.
- The Android tree also includes auto-generated assembly files for
ARM, x86 and MIPS, used to speed up some crypto computations. They
are generated by the $ANDROID/external/openssl/
script (which itself invokes a bunch of Perl generation scripts)
and have a file extension of .s
These files are also copied into the Chromium tree, with an .S file
extension, because they require being sent to the C preprocessor
before the assembler.
The original uses a feature not supported by gyp, which is:
LOCAL_AS_FLAGS := -x assembler-with-cpp
It tells the build system to apply the '-x assembler-with-cpp' flag
only to assembler files.
By using .S instead, the build 'just works' on Chromium.
- The Android build holds all configuration in
external/openssl/ which is a Makefile fragment used
to define compiler flags that define configuration macros, to be used
when building *and* using the library.
The Chromium version uses config/<name>/openssl/opensslconf.h instead,
where name can be 'android', 'piii' or 'k8', corresponding to the
Android, Posix/ia32 or Posix/x64 builds.
These headers hold the definition of these configuration variables.
Their parent directory must appear *before* openssl/include when
building and using the library. This is taken care of by openssl.gyp.
Due to this, the Chromium tree also does not include obsolete copies
of opensslconf.h which appear in the Android source tree (and do not
seem to be really included during the build).
The following patches are needed to compile this openssl on Chromium and
pass the related net unit tests. They are applied on top of the
Android-specific patches described under patches/README:
There are many symbolic links under /etc/ssl/certs, each named after a
hash of a PEM certificate, so that OpenSSL can find those certificates.
OpenSSL has a tool to help you create the hash symbolic links
(tools/c_rehash). However, the new OpenSSL changed the hash algorithm.
Unless you compile/install the latest OpenSSL library and re-create all
related symbolic links, the new OpenSSL cannot find some certificates,
because the links to those certificates were created using the old hash
algorithm, which causes some tests to fail. This patch gives a way to find
a certificate according to its hash using both the new algorithm and the old
algorithm. is used to track this issue.
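
Added example (not code from the Chromium or OpenSSL trees): a small model of
the dual-hash directory lookup described above, usable to audit which links a
build that knows only the new hash would miss. It assumes the HHHHHHHH.N link
naming that c_rehash produces and that the new hash is tried before the old
one; the function names and hash values are constructed for illustration (real
values come from `openssl x509 -subject_hash` and `-subject_hash_old`).

```python
import os
import tempfile


def candidates(cert_dir, name_hash):
    """Return existing <hash>.0, <hash>.1, ... paths, stopping at the first gap."""
    found, n = [], 0
    while True:
        path = os.path.join(cert_dir, "%08x.%d" % (name_hash, n))
        if not os.path.exists(path):  # a dangling symlink also counts as missing
            return found
        found.append(path)
        n += 1


def lookup(cert_dir, new_hash, old_hash):
    """Assumed order: try the new-algorithm hash, then fall back to the old one."""
    for label, value in (("new", new_hash), ("old", old_hash)):
        hits = candidates(cert_dir, value)
        if hits:
            return label, hits
    return None, []


def audit(cert_dir, subjects):
    """Map each subject label to 'new', 'old' or None (not reachable at all)."""
    return {name: lookup(cert_dir, new, old)[0]
            for name, (new, old) in subjects.items()}


def build_sample_dir():
    """Constructed stand-in for /etc/ssl/certs; empty files replace the symlinks."""
    cert_dir = tempfile.mkdtemp()
    for link in ("1a2b3c4d.0", "1a2b3c4d.1", "0badcafe.0", "deadbeef.1"):
        open(os.path.join(cert_dir, link), "w").close()
    return cert_dir


# Constructed (new_hash, old_hash) pairs, not taken from real certificates.
SAMPLE_SUBJECTS = {
    "rehashed-ca": (0x1A2B3C4D, 0x55AA55AA),    # link created with the new hash
    "stale-link-ca": (0x9F8E7D6C, 0x0BADCAFE),  # only an old-hash link exists
    "gap-ca": (0xDEADBEEF, 0x0000BEEF),         # .1 without .0 is never reached
}

if __name__ == "__main__":
    for name, via in sorted(audit(build_sample_dir(), SAMPLE_SUBJECTS).items()):
        print(name, "->", via or "NOT FOUND")
```

Subjects reported as 'old' are the ones a build using only the new hash would
fail to find until the links are re-created with c_rehash.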
Small patch to fix various minor issues which prevent building the library
with Clang.