GitLab

When this Signature scheme was added to Conscrypt, we went with the
Bouncycastle name of "ECDSA." However, the Standard Names documentation
that "ECDSA" should not be used due to its ambiguity.

(cherry picked from commit b825b833)

Bug: 27753949
Change-Id: I20196550aa3cc70afaff1930d5e90e1c3a59ea82

am: 3b3bf012

* commit '3b3bf012':
  Fix updateAAD when offset is not 0

Change-Id: I4158a70440836495aa0f383b6975a2edaa7bf0a1

am: 3467d643

* commit '3467d643':
  OpenSSLCipher: reset AAD when necessary

am: 5ad20a9d

* commit '5ad20a9d':
  Fix updateAAD when offset is not 0

am: 9345629a

* commit '9345629a':
  OpenSSLCipher: multiple calls to updateAAD were ignored

am: b9d2def2

* commit 'b9d2def2':
  OpenSSLCipher: reset AAD when necessary

ChaCha20-Poly1305 is more efficient in software, but many modern CPUs
have acceleration for AES which makes AES-GCM the more preferable choice
in terms of throughput and battery consumption (i.e., less CPU cycles
per byte).

Use the CPU features as reported by BoringSSL to determine when to
prioritize AES-GCM over ChaCha20-Poly1305. This should be good enough to
say when the trade-off should be made.

(cherry picked from commit 4209803a)

Bug: 26945889
Change-Id: I7ae2f3e422e30e83324c08514509cb3e9a506d97

Due to AAD data not being reset when a Cipher instance was re-used, this
bug was never uncovered by tests that actually exercise this case.

(cherry picked from commit 95cf7b9b)

Bug: 27696681
Bug: 27324690
Change-Id: Iae9b5794f212a8fc4eeff2a651332e7490f5cada

Due to AAD data not being reset when a Cipher instance was re-used, this
bug was never uncovered by tests that actually exercise this case.

Bug: 27696681
Bug: 27324690
Change-Id: Iae9b5794f212a8fc4eeff2a651332e7490f5cada

Update d2i_SSL_SESSION to only throw IOException and change tests to
expect that to happen. Since IOException is declared as a thrown
exception, non-test code should already be expecting this.

(cherry picked from commit c12c046e)

Bug: 27526112
Change-Id: Ic8c1a47debce9cb76221150d050be86d010c6ec3

In an effort to not use reverse DNS, we no longer return hostnames from
sockets created via IP addresses. However, this also made the SSLSession
return null when a Socket is created to an IP address instead of an
FQDN.

While being careful not to trigger another DNS lookup, simply return a
textual representation of the IP address connected when the SSLSocket has
no knowledge of what the actual FQDN is supposed to be.

Bug: 27123298
Change-Id: Ie37e214f91e4f005f90da0d4a2aba1cd604d60b7

Update d2i_SSL_SESSION to only throw IOException and change tests to
expect that to happen. Since IOException is declared as a thrown
exception, non-test code should already be expecting this.

(cherry picked from commit c12c046e)

Bug: 27526112
Change-Id: Ic8c1a47debce9cb76221150d050be86d010c6ec3

In an effort to not use reverse DNS, we no longer return hostnames from
sockets created via IP addresses. However, this also made the SSLSession
return null when a Socket is created to an IP address instead of an
FQDN.

While being careful not to trigger another DNS lookup, simply return a
textual representation of the IP address connected when the SSLSocket has
no knowledge of what the actual FQDN is supposed to be.

Bug: 27123298
Change-Id: Ie37e214f91e4f005f90da0d4a2aba1cd604d60b7

Java 7 added a new method to InetSocketAddress called getHostString()
which returns the unresolved host for a given address. This should be
suitable for use with SNI as long as it isn't an IP address.

This also helps with testing because we can use serialization tricks to
rewrite the "hostname" field of an already-serialized loopback address.

(cherry picked from commit bc8a290f)

Bug: 27271561
Change-Id: I9845e57d505712cdfee87d18246a1a3b021deea3

Do to a missing assignment statement, only the first call to updateAAD
was honored and the rest were discarded.

(cherry picked from commit a23b05b3)

Bug: 27371173
Change-Id: I77ad7800b0905f72d5abe76b56352a94056ceb9c

AAD was not being reset correctly during init or doFinal calls thus
leading to incorrect output.

(cherry picked from commit 0bab7f3b)

Bug: 27324690
Change-Id: If7806a9d7847814b60719637abceb94d8fbc8831

Java 7 added a new method to InetSocketAddress called getHostString()
which returns the unresolved host for a given address. This should be
suitable for use with SNI as long as it isn't an IP address.

This also helps with testing because we can use serialization tricks to
rewrite the "hostname" field of an already-serialized loopback address.

(cherry picked from commit bc8a290f)

Bug: 27271561
Change-Id: I9845e57d505712cdfee87d18246a1a3b021deea3

RC4 has been deprecated for a while. It's now time to no longer use it
by default. Mozilla Firefox and Chrome web browsers have already made
the leap.

This is a follow-up to 751965bd
where TLS_RSA_WITH_RC4_128_SHA was disabled for the same reasons.

Bug: 24898327

(cherry picked from commit bbe63d5d)

Change-Id: Id13d3ba280139b25fdef057d9afb17ef3edf30cf

BoringSSL currently has no API to check which algorithms were sent in
the signature_algorithms extension, so just include the known signature
algorithms for BoringSSL plus the required signature algorithms for the
remote side. This may not be technically correct, but it's the best we
can do until we have an API in BoringSSL.

The previous behavior of throwing UnsupportedOperationException was not
very nice to users of this API.

(cherry picked from commit 2ff9e88c)

Bug: 27123298
Change-Id: Icf99a82abfe827584ab80f6a13398119b23d35d5

Frequently an old SSLSession cache from a different version of OpenSSL
or BoringSSL will cause the de-serialization of the SSLSession
information to fail. This will spam the logs and happens Frequently
when GmsCore's ProviderInstaller is used. For now try to extract a bit
more useful information from the error thrown by native code and don't
bother to print the stack trace since it's not fatal.

(cherry picked from commit de8236f4)

Bug: 25328662
Change-Id: I0a396a52418e7911b98133b45bbfafcc6651e863

BoringSSL currently has no API to check which algorithms were sent in
the signature_algorithms extension, so just include the known signature
algorithms for BoringSSL plus the required signature algorithms for the
remote side. This may not be technically correct, but it's the best we
can do until we have an API in BoringSSL.

The previous behavior of throwing UnsupportedOperationException was not
very nice to users of this API.

(cherry picked from commit 2ff9e88c)

Bug: 27123298
Change-Id: Icf99a82abfe827584ab80f6a13398119b23d35d5

* changes:
  OpenSSLCipher: multiple calls to updateAAD were ignored
  OpenSSLCipher: reset AAD when necessary

SSLSession should be wrapped so that cached sessions might have the
functionality that ExtendedSSLSession offers. This also made the
SSLSessionTest fail because the pre-cached instance would be
ExtendedSSLSession and the post-cached session would be a regular
SSLSession.

To keep compatibility with older versions of the platform, it was
impossible to directly switch OpenSSLSessionImpl over to
ExtendedSSLSession. So the use of a delegate in the case when the
platform does have ExtendedSSLSession was required. Since older platform
versions still use OpenSSLSessionImpl that extends SSLSession, we just
directly inflate the serialized sessions to that.

The SSLSessionTest was changed to accomodate the delegate scheme since
SSLSession does not have an equals method, the tests for SSLSessionTest
were directly comparing object instance equality which fails when the
sessions are wrapped in a delegate like this.

(cherry picked from commit 710c0817)

Bug: 27123298
Change-Id: Iefbea03a72dbcc76ae0b439cfdcecd817926b7d0

We don't call super.close() when we're wrapping a socket, so we'll
have to be careful not to call any superclass methods that might
end up creating a SocketImpl.

bug: 27250522

(cherry picked from commit edae6d2b)

Change-Id: Iabeade852e6a5c3bc923c7b3601f3edf3322fee2

Do to a missing assignment statement, only the first call to updateAAD
was honored and the rest were discarded.

Bug: 27371173
Change-Id: I77ad7800b0905f72d5abe76b56352a94056ceb9c

AAD was not being reset correctly during init or doFinal calls thus
leading to incorrect output.

Bug: 27324690
Change-Id: If7806a9d7847814b60719637abceb94d8fbc8831