1. 03 Nov, 2014 1 commit
      Support duck-typed PSKKeyManager instances in SSLContext.init. · 0b4bf3b3
      Alex Klyubin authored
      On some platforms there are multiple classes defining the
      PSKKeyManager interface. At the moment, SSLContext.init does not
      handle this situation.
      
      This CL makes SSLContext.init treat KeyManager instances which expose
      all the methods of PSKKeyManager interface as implementing this
      interface. This duck-typing is achieved via Reflection.
      
      Change-Id: I8a3146a9cabb3f951c95ca6d86d72589e0344fc1
  2. 25 Aug, 2014 2 commits
      Read property to enable SNI · 966ae8a6
      Kenny Root authored
      Read the system property "jsse.enableSNIExtension" on whether to enable
      Server Name Indication (SNI) extension. For unbundled builds, this will
      be enabled by default. For platform builds, this will be disabled by
      default.
      
      Bug: 16658420
      Bug: 17059757
      Change-Id: I774f5406bf3fe601a42c4ef5e708b31800147eb9
      Validate hostname is usable for SNI · 342097db
      Kenny Root authored
      According to RFC 6066 section 3, the hostname listed in the Server Name
      Indication (SNI) field is a fully qualified domain name and IP
      addresses are not permitted.
      
      Bug: 16658420
      Bug: 17059757
      Change-Id: I804e46b6e66599b2770f0f4f0534467987e51208
  3. 20 Aug, 2014 1 commit
      Rename hostname fields and methods to reflect usage · cc2ef2e2
      Kenny Root authored
      The hostname that was supplied when the socket was created is stored as
      the "peerHostname". This is the only one that should be used for Server
      Name Indication (SNI) purposes.
      
      The "peerHostname" or the resolved IP address may be used for
      certificate validation, so keep the use of "getHostname()" for
      certificate validation.
      
      Bug: 16658420
      Bug: 17059757
      Change-Id: Ifd87dead44fb2f00bbfd5eac7e69fb3fc98e94b4
  4. 11 Aug, 2014 1 commit
      Relax checks for key vs cert for wrapped keys · d1bbcd0e
      Kenny Root authored
      If a key is a wrapped platform key, we must relax the check. The reason
      is that we may not have the public values we need to pass the
      EVP_PKEY_cmp checks that this does.
      
      Change-Id: I7ab2be51b0968a9cf771edea01d33fe2367c8185
  5. 15 Jul, 2014 1 commit
      Enable PSK cipher suites when PSKKeyManager is provided. · fdb7d8c5
      Alex Klyubin authored
      This enables TLS-PSK cipher suites by default iff SSLContext is
      initialized with a PSKKeyManager. For consistency, X.509 based
      cipher suites are no longer enabled by default at all times -- they
      are now only enabled by default iff SSLContext is initialized with a
      X509KeyManager or a X509TrustManager.
      
      When both X.509 and PSK cipher suites need to be enabled, PSK cipher
      suites are given higher priority in the resulting list of cipher
      suites. This is based on the assumption that in most cases users of
      TLS/SSL who enable TLS-PSK would prefer TLS-PSK to be used when the
      peer supports TLS-PSK.
      
      Bug: 15073623
      
      (cherry picked from commit 8f9ac1af)
      
      Change-Id: Icd7fe066147a6b2fc64d807204cc99f6af821313
  6. 11 Jul, 2014 1 commit
      Enable PSK cipher suites when PSKKeyManager is provided. · 8f9ac1af
      Alex Klyubin authored
      This enables TLS-PSK cipher suites by default iff SSLContext is
      initialized with a PSKKeyManager. For consistency, X.509 based
      cipher suites are no longer enabled by default at all times -- they
      are now only enabled by default iff SSLContext is initialized with a
      X509KeyManager or a X509TrustManager.
      
      When both X.509 and PSK cipher suites need to be enabled, PSK cipher
      suites are given higher priority in the resulting list of cipher
      suites. This is based on the assumption that in most cases users of
      TLS/SSL who enable TLS-PSK would prefer TLS-PSK to be used when the
      peer supports TLS-PSK.
      
      Bug: 15073623
      Change-Id: I8e2bc3e7a1ea8a986e468973b6bad19dc6b7bc3c
  7. 07 Jul, 2014 2 commits
      Remove · a3284927
      Brian Carlstrom authored
      (cherry picked from commit b860016f)
      
      Change-Id: I4302ea4e0200ac80a0b9f3b953d58270b65b3d0c
      Remove · b860016f
      Brian Carlstrom authored
      Change-Id: Iea7c633eb68df576bf72314ff5ce31bc8094d9ce
  8. 19 Jun, 2014 2 commits
      Make setEnabledProtocols/CipherSuites copy their inputs. · 35f7742c
      Alex Klyubin authored
      SSLSocket, SSLServerSocket, and SSLEngine offer setEnabledProtocols
      and setEnabledCipherSuites methods which take an array of protocols
      or cipher suites as input. If these methods store references to the
      input arrays, then the internal state (lists of enabled protocols and
      cipher suites) of SSLSocket, SSLServerSocket, and SSLEngine could be
      modified without going through the setter methods of these classes.
      
      Bug: 15753142
      Change-Id: Ia5248050d81320ed1da99892278bd60872605f52
      Remove unnecessary comments in SSLParametersImpl. · f17361e7
      Alex Klyubin authored
      This is a follow-up cleanup requested during the code review of
      ae2ecac0.
      
      Change-Id: I6c8ac2392c5f88ee732f5aa204e20cc1ee7e32d8
  9. 30 May, 2014 1 commit
      SSLParametersImpl is the source of enabled cipher suites and protocols. · ae2ecac0
      Alex Klyubin authored
      An instance of SSLParametersImpl is associated with SSLContext and is
      then cloned into any SSLSocketFactory, SSLServerSocketFactory,
      SSLSocket, SSLServerSocket, and SSLEngine. This CL ensures that all
      these primitives obtain their list of enabled cipher suites and
      protocols from their instance of SSLParametersImpl.
      
      Bug: 15073623
      Change-Id: I40bf32e8654b299518ec0e77c3218a0790d9c4fd
  10. 27 May, 2014 2 commits
      Expose support for TLS-PSK. · 01cce891
      Alex Klyubin authored
      TLS-PSK (Pre-Shared Key) is a set of TLS/SSL cipher suites that use
      symmetric (pre-shared) keys for mutual authentication of peers. These
      cipher suites are in some scenarios more suitable than those based on
      public key cryptography and X.509. See RFC 4279 (Pre-Shared Key
      Ciphersuites for Transport Layer Security (TLS)) for more information.
      
      OpenSSL currently supports only the following PSK cipher suites:
      * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
      * TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
      * TLS_PSK_WITH_3DES_EDE_CBC_SHA
      * TLS_PSK_WITH_AES_128_CBC_SHA
      * TLS_PSK_WITH_AES_256_CBC_SHA
      * TLS_PSK_WITH_RC4_128_SHA
      
      The last four cipher suites mutually authenticate the peers and
      secure the connection using a pre-shared symmetric key. These cipher
      suites do not provide Forward Secrecy -- once the pre-shared key is
      compromised, all previous communications secured with that key can be
      decrypted. The first two cipher suites combine the pre-shared
      symmetric key with an ephemeral key obtained from an ECDH key
      exchange performed during the TLS/SSL handshake, thus providing
      Forward Secrecy.
      
      Users of TLS-PSK are expected to provide an implementation of
      PSKKeyManager to SSLContext.init and then enable at least one PSK
      cipher suite in SSLSocket/SSLEngine.
      
      Bug: 15073623
      Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
      Unbundle: hacks to let Conscrypt compile standalone · 3e46e4ee
      Kenny Root authored
      This is the first pass at getting Conscrypt to compile standalone. It
      works fine in apps currently. There are a few TODOs to fix.
      
      Change-Id: I9b43ba12c55e04c8897ccacf38979ca671a55a26
  11. 14 May, 2014 1 commit
  12. 12 May, 2014 1 commit
  13. 01 May, 2014 2 commits
  14. 21 Apr, 2014 3 commits
      Add OpenSSLEngineImpl · f878e438
      Kenny Root authored
      Add support for SSLEngine via OpenSSL APIs. Currently this supports just
      the basic SSLEngine functionality. It can be improved in efficiency and
      performance, but it appears not to leak anything and be correct
      according to our test suites.
      
      Change-Id: Iea2dc3922e7c30e26daca38361877bd2f88ae668
      Refactor OpenSSLSocketImpl · 3c072fb0
      Kenny Root authored
      Move functionality that will be shared with OpenSSL's SSLEngine
      implementation out of OpenSSLSocketImpl and into the (soon-to-be) shared
      SSLParametersImpl.
      
      The functionality should stay the same.
      
      Change-Id: If8faa3ad2c9c73c0a0cd4b9716639b362b2b26a1
      Remove SSLEngineImpl · f111f623
      Kenny Root authored
      This is replaced by OpenSSL-backed SSLEngineImpl.
      
      Change-Id: I7b51f6fa772e431c6283008535bfec90821d0bef
  15. 25 Mar, 2014 2 commits
      Correctly handle empty arrays in SSLContext.init. · b3c6484a
      Alex Klyubin authored
      The contract of SSLContext.init is that empty arrays of
      KeyManager/TrustManager in its parameters are handled differently
      from null arrays. This CL adjusts the behavior to match the
      contract. Namely, empty arrays mean that SSLContext is being
      initialized without any KeyManagers/TrustManagers rather than with
      default ones.
      
      Bug: 13563675
      Change-Id: I52adc5e7143d4f050be0b22b3b464c10bb97d102
      Use the new endpointVerificationAlgorithm API · d2cced8b
      Kenny Root authored
      Use the new X509ExtendedTrustManager and use the new
      getEndpointVerificationAlgorithm to check the hostname during the
      handshake.
      
      Bug: 13103812
      Change-Id: Id0a74d4ef21a7d7c90357a111f99b09971e535d0
  16. 21 Mar, 2014 2 commits
      Leave SSLParametersImpl.getDefaultX509TrustManager public. · 4a4a74e8
      Alex Klyubin authored
      I renamed this method from getDefaultTrustManager to
      getDefaultX509TrustManager and erroneously made it private in
      8d63ff13. I missed the fact that
      it's being used from framework's
      android.net.http.CertificateChainValidator.
      
      This CL reverts this method to being public again.
      
      Bug: 13563574
      Change-Id: I601c651d631f5a2e4a04d21941186553988e5286
      Support TLS/SSL without X509TrustManager or X509KeyManager. · 8d63ff13
      Alex Klyubin authored
      This makes TLS/SSL primitives operate as expected when no
      X509TrustManager or X509KeyManager is provided. Instead of blowing up
      with KeyManagementException or NullPointerException (or similar) when
      X509TrustManager or X509KeyManager is not provided, this CL makes
      SSLContext.init accept such setup, and makes SSLSocket and SSLEngine
      reject certificate chains, select no private keys/aliases, and accept
      no certificate issuers.
      
      Bug: 13563574
      Change-Id: I8de58377a09025258357dd4da9f6cb1b6f2dab80
  17. 29 Apr, 2013 1 commit
      Move JSSE to new package · 860d2707
      Kenny Root authored
      To help with shipping the JSSE with apps that want to bundle it, move
      it to a new package so that the tangles in other parts of the library
      can be untangled.
      
      Change-Id: I810b6861388635301e28aee5b9b47b8e6b35b430
  18. 08 Mar, 2012 1 commit
      Use KeyManagementException with causes to report errors · 3b1ef264
      Brian Carlstrom authored
      Before the code would squash exceptions into null values, then turn
      the values back into KeyManagementException. Now the code preserves
      the underlying exception as the cause of the KeyManagementException.
      
      (cherry picked from commit b6d100ca03dd4c576c6735ce510cecc70d2e6617)
      
      Change-Id: Ia833145839578760ed9b49c626e8d4ab86ceacbe
  19. 20 May, 2011 1 commit
  20. 17 May, 2011 1 commit
      Simplify KeyChain API by removing now unneeded CA certificate lookup (2 of 3) · c8f89f54
      Brian Carlstrom authored
      frameworks/base
      
         Remove getCaCertificates and findIssuer from IKeyChainService,
         these are now done via libcore's TrustedCertificateStore (as part
         of the default TrustManager implementation)
      
      	keystore/java/android/security/IKeyChainService.aidl
      
         Simplify KeyChain API. Now that the CA certificates are visible
         through the default TrustManager, the KeyChain is solely focused on
         retrieving PrivateKeys and their associated certificates. The
         calling API for KeyChain is simplified to a single KeyChain.get() call
         that returns a KeyChainResult, removing the need for a KeyChain
         instance that needs to be closed.
      
      	keystore/java/android/security/KeyChain.java
      	keystore/java/android/security/KeyChainResult.java
      
      master/libcore
      
          Remove getDefaultIndexedPKIXParameters and
          getIndexedPKIXParameters which was used as part of the prototype
          of looking up CAs via the KeyChain but is obsoleted by the new
          default TrustManager implementation.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
      
      packages/apps/KeyChain
      
          Tracking simplified IKeyChainService, removing now unneeded
          implementation, updating tests.
      
      	src/com/android/keychain/KeyChainService.java
      	tests/src/com/android/keychain/tests/KeyChainServiceTest.java
      	tests/src/com/android/keychain/tests/KeyChainTestActivity.java
      
      Change-Id: I5c0df3b67248bb8014c85a5997098d5e70fbc505
  21. 06 Apr, 2011 1 commit
      libcore key chain support · ede107b2
      Brian Carlstrom authored
      Allow access to default IndexedPKIXParameters, similar to access to
      default TrustManager. Needed to allow framework to add/remove trusted
      CAs at runtime.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
      
      Add test support for looking up a cert by an issuer for use in key chain tests.
      
      	support/src/test/java/libcore/java/security/TestKeyStore.java
      
      Add test support SSLSocketFactory that sets desired client auth on
      each created socket. For use with MockWebServer for key chain testing.
      
      	support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
      
      Change-Id: Iecdbd40c67f1673bda25a52b4e229156c805d564
  22. 14 Jan, 2011 1 commit
      Remove useless android-changed comments. · 65baf5cd
      Elliott Hughes authored
      I've changed useful ones to regular comments or TODOs, as appropriate.
      
      I've left ones in code like java.util.concurrent where we really are
      tracking an upstream source, making the change markers useful.
      
      I've left a handful of others where I intend to actually investigate
      the implied TODOs before deciding how to resolve them.
      
      Change-Id: Iaf71059b818596351cf8ee5a3cf3c85586051fa6
  23. 03 Nov, 2010 1 commit
      TrustManager improvements · 6e24f168
      Brian Carlstrom authored
      Overhaul of TrustManagerImpl
      - PKIXParameters can now be final in TrustManagerImpl because we
        always immediately create an IndexedPKIXParameters instead of only
        doing it in SSLParametersImpl.createDefaultTrustManager.
      - Use new KeyStore constructor for IndexedPKIXParameters to remove
        duplicate logic for creating set of TrustAnchors from a KeyStore.
      - Improved checkTrusted/cleanupCertChain to remove special cases for
        directly trusting the end cert or pruning only self signed certs. To
        support b/2530852, we need to stop pruning the chain as soon as we
        find any trust anchor (using newly improved
        TrustManagerImpl.isTrustAnchor), which could be at the beginning,
        middle, or end. That means cleanupCertChain can return an empty
        chain if everything was trusted directly. (and we don't need to do
        extra checks on exception cases to see if the problem was just that
        the trust anchor was in the chain)
      - isDirectlyTrusted -> isTrustAnchor here as well, using new
        IndexedPKIXParameters.isTrustAnchor APIs
      - Fix incorrect assumption in getAcceptedIssuers that all TrustAnchor
        instances have non-null results for getTrustedCert.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
      
          Removed indexing in createDefaultTrustManager since we always index now
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
      
      Overhaul of IndexedPKIXParameters
      - Single map from subject X500Principal to TrustAnchors
        instead of two different X500Principal keyed maps to check
      - Removed map based on encoded cert. For b/2530852, we want to treat
        certs as equal if they have the same name and public key, not
        byte-for-byte equality, which can be done with the remaining map.
        Revamped isDirectlyTrusted into isTrustAnchor(cert) to perform this
        new name/key based comparison.
      - Added helper isTrustAnchor(cert, anchors) to reuse code in
        non-IndexedPKIXParameters case in TrustManagerImpl.
      - Added constructor from KeyStore
      - Moved anchor indexing code to index() from old constructor
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
      
      TestKeyStore.getPrivateKey allowed some existing test simplification.
      
      	luni/src/test/java/libcore/java/security/KeyStoreTest.java
      	luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
      	support/src/test/java/libcore/java/security/TestKeyStore.java
      
      Added missing "fail()" before catching expected exceptions.
      
      	luni/src/test/java/libcore/java/security/KeyStoreTest.java
      
      Expanded KeyManagerFactoryTest to exercise ManagerFactoryParameters b/1628001
      
      	luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
      
      Added KeyStoreBuilderParametersTest because I thought I saw a bug in
      KeyStoreBuilderParameters, but this convinced me otherwise.
      
      	luni/src/test/java/libcore/javax/net/ssl/KeyStoreBuilderParametersTest.java
      
      New TrustManagerFactory test modeled on expanded KeyManagerFactoryTest.
      test_TrustManagerFactory_intermediate specifically is targeting the
      new functionality of b/2530852 to handling trust anchors within the
      chain.
      
      	luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
      	support/src/test/java/libcore/java/security/StandardNames.java
      
      Some initial on tests for Elliptic Curve (b/3058375) after the RI
      started reporting it was supported. Removed old @KnownFailure
      tags. Skipped a test on the RI that it can't handle. Improved some
      assert messages.
      
      	luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
      	luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
      	support/src/test/java/libcore/java/security/StandardNames.java
      	support/src/test/java/libcore/java/security/TestKeyStore.java
      
      Removed unneeded bytes->javax->bytes->java case of which can just go bytes->java directly.
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
      
      Removed super()
      	luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
      
      Made Security.secprops final
      	luni/src/main/java/java/security/Security.java
      
      Pulled SamplingProfiler fix from dalvik-dev branch
          git cherry-pick --no-commit f9dc3450e8f23cab91efc9df99bb860221ac3d6c
      	dalvik/src/main/java/dalvik/system/SamplingProfiler.java
      
      Bug: 2530852
      Change-Id: I95e0c7ee6a2f66b6986b3a9da9583d1ae52f94dd
  24. 13 Oct, 2010 2 commits
      Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions · 4da3f9ee
      Brian Carlstrom authored
      Change-Id: Id5a042873acc0a8185567ca18ce009c06e54f38d
      SSLParameters.getDefaultTrustManager() should lazily initialize its value · 3a9c8d6e
      Brian Carlstrom authored
      Make SSLParametersImpl's defaultKeyManager, defaultTrustManager,
      defaultSecureRandom, and defaultParameters all use the single check
      idiom for initialization. Move such initialization for
      defaultKeyManager and defaultTrustManager out of SSLParametersImpl
      constructor into static functions, replacing original
      getDefaultTrustManager simple accessor with code that performs lazy
      initialization.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
      
      dirrect -> direct
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java
      
      hanshake -> handshake
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java
      
      Bug: 2954292
      Change-Id: I19bae541613666903b57fccf3e8bfef65b74d6cf
  25. 14 Sep, 2010 1 commit
  26. 27 May, 2010 1 commit
      RI 6 support for javax.net.ssl · c7eac25a
      Brian Carlstrom authored
      Summary:
      - RI 6 support for javax.net.ssl
      - SSLEngine fixes based on new SSLEngineTest
      - fix Cipher.checkMode bug recently introduced in dalvik-dev
      
      Details:
      
      Fix Cipher.checkMode that was preventing most javax.net.ssl tests from working
      
      	luni/src/main/java/javax/crypto/Cipher.java
      
      RI 6 has introduced the concept of a "Default" SSLContext. This is
      accessed via SSLContext.getDefault() and also
      SSLContext.getInstance("Default"). Harmony had its own
      DefaultSSLContext but it was not created via an SSLContextSpi. It also
      was a single shared instance whereas the new RI6 Default SSLContext
      shares internal SSLSessionContext instances between different Default
      SSLContexts.
      
          Refactored the old code into an SSLContextImpl subclass that
          allows it to be created via SSLContext.getInstance. SSLContextImpl
          ensures that we only ever create one set of SSLSessionContext
          instances for the Default context.
      
      	luni/src/main/java/javax/net/ssl/DefaultSSLContext.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
      
          Added SSLContext.getDefault and SSLContext.setDefault
      
      	luni/src/main/java/javax/net/ssl/SSLContext.java
      
          Replace dependencies of old DefaultSSLContext with use of SSLContext.getDefault
      
      	luni/src/main/java/javax/net/ssl/SSLServerSocketFactory.java
      	luni/src/main/java/javax/net/ssl/SSLSocketFactory.java
      
          Register "SSLContext.Default" as DefaultSSLContextImpl class for SSLContext.getInstance()
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
      
          Added constant for new "Default" standard name and added it to
          SSL_CONTEXT_PROTOCOLS. New tests based on SSL_CONTEXT_PROTOCOLS
          made it clear that neither Android nor RI supports SSLv2 so removed
          it from SSL_CONTEXT_PROTOCOLS and SSL_SOCKET_PROTOCOLS. Added
          constant for TLS as well which was previously scattered all over
          tests. Remove SSLv2Hello from SSL_SOCKET_PROTOCOLS for Android
          since with OpenSSL disabling SSLv2 means you can not use
          SSLv2Hello either.
      
      	support/src/test/java/javax/net/ssl/StandardNames.java
      
          Added tests for SSLContext.getDefault and
          SSLContext.setDefault. Changed existing tests to work on all
          protocols including new "Default".
      
      	luni/src/test/java/javax/net/ssl/SSLContextTest.java
      
      RI 6 has introduced the notion of SSLParameters which encapsulate the
      SSL handshake parameters of desired cipher suites, protocols, and
      client authentication requirements.
      
          The main new class SSLParameters is basically just a bag of fields
          with accessors and a couple simple constructors. The only things
          of note are that it clones all String arrays on input and output
          and the setters for the two boolean fields ensure that only one is
          true at a time.
      
      	luni/src/main/java/javax/net/ssl/SSLParameters.java
      
          Added SSLContext.getDefaultSSLParameters and
          SSLContext.getSupportedSSLParameters which simply delegate to the
          SSLContextSpi.
      
      	luni/src/main/java/javax/net/ssl/SSLContext.java
      
          Added abstract SSLContextSpi.engineGetDefaultSSLParameters and
          SSLContext.engineGetSupportedSSLParameters.
      
      	luni/src/main/java/javax/net/ssl/SSLContextSpi.java
      
          Added engineGetDefaultSSLParameters and
          engineGetSupportedSSLParameters implementation. The RI documents
          in SSLContextSpi that these are implemented by default by creating
          a socket via the SSLContext's SocketFactory and asking for the
          enabled/supported cipher suites and protocols respectively, so
          that is what is done. The doc mentions throwing
          UnsupportedOperationException if there is a problem, so we do that
          as well.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
      
          Added {SSLEngine,SSLSocket}.{getSSLParameters,setSSLParameters}
          which are analogous.
      
      	luni/src/main/java/javax/net/ssl/SSLEngine.java
      	luni/src/main/java/javax/net/ssl/SSLSocket.java
      
         Added SSLParametersTest
      
      	luni/src/test/java/javax/net/ssl/SSLParametersTest.java
      	luni/src/test/java/javax/net/ssl/AllTests.java
      
         Added SSLContext.get{Default,Supported}SSLParameters tests
      
      	luni/src/test/java/javax/net/ssl/SSLContextTest.java
      
         Added SSLSocket.{getSSLParameters,setSSLParameters} tests and added
         some extra asserts to test_SSLSocketPair_create based on experience
         with test_SSLEnginePair_create.
      
      	luni/src/test/java/javax/net/ssl/SSLSocketTest.java
      
         Dummy implementation of new SSLContextSpi for test classes.
      
      	support/src/test/java/org/apache/harmony/security/tests/support/MySSLContextSpi.java
      	support/src/test/java/org/apache/harmony/xnet/tests/support/MySSLContextSpi.java
      
      Other minor RI 6 API changes:
      
          RI 6 removed Serializable from HandshakeCompletedEvent and SSLSessionBindingEvent
      
      	luni/src/main/java/javax/net/ssl/HandshakeCompletedEvent.java
      	luni/src/main/java/javax/net/ssl/SSLSessionBindingEvent.java
      
          RI 6 added generic types to the KeyStoreBuilderParameters List
          constructor and accessor as well as to
          SSLSessionContext.getIds. Fixed tests to compile with generic types.
      
      	luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
      	luni/src/main/java/javax/net/ssl/SSLSessionContext.java
      	luni/src/test/java/tests/api/javax/net/ssl/KeyStoreBuilderParametersTest.java
      
      SSLEngine improvements. Since I was changing SSLEngine, I wrote an
      SSLEngineTest based on my SSLSocketTest to do some simple sanity
      checking. It exposed a number of issues. I've fixed the small ones,
      marked the rest as known failures.
      
         Renamed some TLS_ cipher suites to SSL_ to match JSSE standard
         names. These were all old suites no longer supported by RI or
         OpenSSL which is why they were missed in an earlier cleanup of this
         type in this class. Also fixed SSLEngine supported cipher suites
         list not to include SSL_NULL_WITH_NULL_NULL which is not a valid
         suite to negotiate.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
      
         SSLEngine instances can have null host values, which caused a
         NullPointerException in the ClientSessionContext implementation.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
      
         SSLEngine tests were failing because SSLParameters was throwing
         NullPointerException instead of IllegalArgument exception on null
         element values. Fixed null pointer message style while I was here.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
      
          Fixed SSLEngine instances to default to server mode like RI
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
      
         Fixed KEY_TYPES based on SSLEngine implementation. Removed dead
         code NativeCrypto.getEnabledProtocols which was recently made
         obsolete. Cleaned up null exception messages to follow our convention.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
      
         Added SSLEngineTest which parallels SSLSocketTest in its
         coverage. Similarly added TestSSLEnginePair which loosely parallels
         TestSSLSocketPair.
      
      	luni/src/test/java/javax/net/ssl/SSLEngineTest.java
      	luni/src/test/java/javax/net/ssl/AllTests.java
      	support/src/test/java/javax/net/ssl/TestSSLEnginePair.java
      
         SSLEngineTest better exposed the differences between SSLSocket and
         SSLEngine supported cipher suites. StandardNames now has a
         CIPHER_SUITES_SSLENGINE definition which denotes what is missing
         and what is extra and why in the SSLEngine implementation.
      
      	support/src/test/java/javax/net/ssl/StandardNames.java
      
          Created StandardNames.assert{Valid,Supported}{CipherSuites,Protocols}
          to factor out some test code that is also used by new tests.
      
      	support/src/test/java/javax/net/ssl/StandardNames.java
      	luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
      	luni/src/test/java/javax/net/ssl/SSLSocketTest.java
      
          Remove SSLSocketTest known failure and add new SSLEngineTest known failures
      
      	expectations/knownfailures.txt
      
      SSL_OP_NO_TICKET change was recently merged from master which required some fixes.
      
          For the moment, sslServerSocketSupportsSessionTickets always returns false.
      
      	support/src/test/java/javax/net/ssl/TestSSLContext.java
      
          Fixed flaky test_SSLSocket_HandshakeCompletedListener which had a
          race because the client thread looked in the server session context
          for a session by id potentially before the server thread had a
          chance to store its session. Made noticeable because of
          SSL_OP_NO_TICKET recently merged from master (before this code
          path was host only, not device).
      
      	luni/src/test/java/javax/net/ssl/SSLSocketTest.java
      
          Fix checkjni issue where we need to check for pending exception in
          OpenSSL callback.  Possibly introduced by recent merge of
          SSL_OP_NO_TICKET from master.
      
      	luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
      
      Expectation updates
      
          Remove SSLSocketTest known failure and add new SSLEngineTest known failures
      
      	expectations/knownfailures.txt
      
          Tag test_SSLSocket_getSupportedCipherSuites_connect as large
      
      	expectations/taggedtests.txt
      
      Misc changes:
      
         opening brace on wrong line
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
      
         Long line cleanup while debugging
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java
      	support/src/test/java/javax/net/ssl/TestKeyStore.java
      
         Removed bogus import
      
      	luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
      
         Comment clarify while debugging
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
      
         Ctor -> Constructor in comment
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLEngineImpl.java
      
         Fixed naming of SocketTest_Test_create to TestSocketPair_Create to match renamed classes
      
      	luni/src/test/java/javax/net/ssl/SSLSocketTest.java
      
      Change-Id: I99505e97d6047eeabe4a0b93202075a0b2d486ec
      c7eac25a
  27. 20 May, 2010 1 commit
    • Enable Diffie-Hellman cipher suites · 9ad6792f
      Brian Carlstrom authored
      Enable Diffie-Hellman cipher suites in NativeCrypto (and in
      StandardNames to match for testing). This means we now have the same
      default cipher suite list as RI 5.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
      	support/src/test/java/javax/net/ssl/StandardNames.java
      
      Enabling DH made it obvious that the RI check for enabled cipher suites
      on SSLServerSocket.accept was not as stringent as first
      thought. Apparently they don't care if all enabled cipher suites have
      certificates/keys, just that at least one of them will work, even if
      it's anonymous. Factored out the logic to check this into
      checkEnabledCipherSuites for clarity along with the supporting
      checkForPrivateKey. Also only check if the socket is in server mode,
      since it's fine to have nothing configured for server acting as a
      client for handshake purposes.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
      
      The real work to enable Diffie-Hellman was to use
      SSL_CTX_set_tmp_dh_callback to set a callback to get DH
      parameters. There are two ways to create the parameters. The first is
      to use DH_generate_parameters_ex which is very slow (minutes) and is
      recommended as an install-time option. The second is to use
      DSA_generate_parameters_ex followed by DSA_dup_DH, which is faster for
      a single call, but must be done every time, so slower overall. We
      currently take the second approach to just have DH working.
      
      	luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
      
      Changed ephemeral RSA keys to be stored per SSL in AppData, not in a static global.
      
      	luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
      
      Fix LS_ to TLS_ typo in commented out constant. Removed easy to miss wrapping in array definition.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
      
      Renamed CipherSuites defaultPretendant to defaultCipherSuites which
      led to renaming the CipherSuites constants to follow the coding style.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerKeyExchange.java
      
      Change-Id: Ia38de48cabb699b24fe6e341ba79f34e3da8b543
      9ad6792f
  28. 13 May, 2010 1 commit
  29. 10 May, 2010 1 commit
    • SSLContext.getClientSessionContext and getServerSessionContext should work before SSLContext.init · 2785b7f9
      Brian Carlstrom authored
          Moved initialization of SSLContextImpl clientSessionContext and
          serverSessionContext from engineInit time (in SSLParameters
          constructor) to constructor time, making them final.  This is to
          fix javax.net.ssl.SSLContextTest which was failing because it
          tried to access this before init was called, which worked fine on
          the RI. The SSLParameters now simply takes the preallocated
          session contexts as arguments. SSLParameters.getDefault() now
          needs to create its own session contexts when an SSLContext is not
          used, which is how Harmony does it.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
      
          Removed KnownFailure from SSLContextTest as it's 100% working.
      
      	luni/src/test/java/javax/net/ssl/SSLContextTest.java
      
          Changed persistentCache fields of ClientSessionContext and
          ServerSessionContext from final to private and added a public
          setter. This replaces passing the persistentCache implementation
          in via the constructor. For momentary backward compatibility
          with frameworks/base, the now deprecated 5 argument engineInit
          method now uses these setters for backward compatibility. The
          SSLParameters previously took these persistent caches as arguments
          in order to pass them to the session context constructors, but as
          SSLParameters no longer creates these, they are no longer relevant.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
      
          While moving the call of the AbstractSessionContext constructor
          from SSLParameters to SSLContextImpl after removing the persistent
          cache arguments, I realized there was no longer any reason to take
          any arguments. I pushed the initialization of sslCtxNativePointer to
          the point of declaration.
      
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
      	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
      
      Change-Id: Ied2903a2f369bf4e521e702bf58f32f21cb97d17
      2785b7f9
  30. 04 May, 2010 1 commit