- 20 Jan, 2016 4 commits
-
-
Chad Brubaker authored
am: 1a86d309 * commit '1a86d309': Prevent duplicate certificates in TrustedCertificateIndex
-
Chad Brubaker authored
am: 2138a380 * commit '2138a380': Cache intermediate CA separately
-
Chad Brubaker authored
am: 4c9f9c22 * commit '4c9f9c22': Prevent duplicate certificates in TrustedCertificateIndex
-
Chad Brubaker authored
am: c4ab1b95 * commit 'c4ab1b95': Cache intermediate CA separately
-
- 19 Jan, 2016 2 commits
-
-
Chad Brubaker authored
With the separate caching of intermediate certificates in TrustManagerImpl a given intermediate may be passed into .index multiple times. Avoid adding the certificate to the list each time. (cherry-picked from commit d080e064) Bug: 26232830 Change-Id: I6bed2c65d9e42e052b9b1b129200a997e7dca745
-
Chad Brubaker authored
Intermediate CAs are cached in order to support servers that fail to send a complete chain to a root. These certificates should be cached to support these servers but these certificates must not be trusted as trust anchors. Store them separately to prevent confusion between trusted roots and cached intermediates. (cherry-picked from commit 198aca1f) Bug: 26232830 Change-Id: I520f50729b55fc7412c7d133335bc9e3c190bbf6
-
- 02 Jun, 2015 2 commits
-
-
Kenny Root authored
* commit 'fae34604': OpenSSLX509Certificate: mark mContext as transient
-
Kenny Root authored
* commit 'de55e62f': OpenSSLX509Certificate: mark mContext as transient
-
- 28 May, 2015 1 commit
-
-
Kenny Root authored
Since mContext should not participate in the serialization process, hide it with the transient qualifier. This will prevent the field from initialization during the unserialization of this class. Then of course the instance will be in a valid state. (cherry picked from commit 8d57b9db) Bug: 21437603 Change-Id: Ie9453c16d11820a91caff92c3f7b326d12f8a8f4
-
- 07 Apr, 2015 1 commit
-
-
Chad Brubaker authored
This wraps the conscrypt OpenSSLSocketImpl with an adapter that is a subclass of the platform's OpenSSLSocketImpl in order to support old code that does casts to the platform OpenSSLSocketImpl in order to set things like SNI. Until KK the platform OpenSSLSocketImpl was org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl, in KK it became com.android.org.conscrypt.OpenSSLSocketImpl. As of L MR1 the platform HTTP stack no longer casts to the platform OpenSSLSocketImpl and this workaround is not needed on those devices. Change-Id: I196ad957eabfc70246d9c01aa12855a8eab036f0
-
- 17 Mar, 2015 1 commit
-
-
Kenny Root authored
Change-Id: Iaec7f66305c3a5cef706593f84a7a075924ec89b
-
- 13 Mar, 2015 1 commit
-
-
Alex Klyubin authored
-
- 12 Mar, 2015 2 commits
-
-
Alex Klyubin authored
When RSA/ECB/PKCS1Padding is not supported, CryptoUpcalls.rawCipherWithPrivateKey throws a NullPointerException instead of returning null. This CL fixes the issue. Change-Id: I46a389f22e40084950b80b9825644f2e1ffcff90
-
Alex Klyubin authored
These are minor code structure clean ups based on comments from https://android-review.googlesource.com/#/c/130311/. Change-Id: I66c2cbdb489db47167ae6cfb4df7b82b3f621e2d
-
- 11 Mar, 2015 3 commits
-
-
Kenny Root authored
OpenSSL flavor of Conscrypt still uses the dynamic engine, so don't directly depend on the library since it will be in the SSL ENGINE directory in /system/lib{64,}/ssl/engines Bug: 19698929 Change-Id: Id7e3f6ffaca2073a016db546e1014d50ef4ad0db
-
Kenny Root authored
-
Kenny Root authored
To help with testing, make some of the methods public so we can call them from tests in a different ClassLoader. Bug: 19657440 Change-Id: Ib5cb0629ffb52ac57ff24d9d5c4df1509897bd05
-
- 27 Feb, 2015 4 commits
-
-
Adam Langley authored
* commit '811e7ae4': BoringSSL PKCS#7 PEM and CRL support.
-
Adam Langley authored
Based on recent additions to BoringSSL itself, this change adds PKCS#7 PEM and CRL support for conscrypt with BoringSSL. Change-Id: Icef9d017dce54c3070b605a70773c60bb1b8cfa2
-
Adam Langley authored
* commit '2e68e229': Add back d2i_PKCS7_bio and PEM_read_bio_PKCS7.
-
Adam Langley authored
For the moment, the BoringSSL version is going to be broken until I get the needed changes into BoringSSL to support this. Change-Id: Id2c3f179c6f9fc4f4385d2274884e69530fabff0
-
- 26 Feb, 2015 2 commits
-
-
Adam Langley authored
* commit '0ccc17a0': external/conscrypt: a couple more BoringSSL build fixes.
-
Adam Langley authored
* commit '76986208': EC_GROUP_cmp in BoringSSL now matches OpenSSL.
-
- 25 Feb, 2015 2 commits
-
-
Adam Langley authored
I had these in my local client and didn't notice until now. Change-Id: I9c61447691d358acbaadb9b9a2f068b4106d266c
-
Adam Langley authored
I had removed the final argument because it was superfluous, but that was actually a mistake because EC_GROUP_cmp is used in more places than I expected. https://android-review.googlesource.com/#/c/135661 puts the argument back in BoringSSL and this change unforks the conscrypt code. Change-Id: I6f4f57f59378d081a3f166291fcd280ab769f09e
-
- 12 Feb, 2015 1 commit
-
-
Bowen Zhao authored
* commit 'a770db2d': change NativeCrypto_X509_CRL_get_ext return data type from int to long
-
- 11 Feb, 2015 1 commit
-
-
Bowen Zhao authored
Root cause: NativeCrypto_X509_CRL_get_ext returns the wrong data type. Returning the int data type from NativeCrypto_X509_CRL_get_ext will cut the return value from 8 bytes to 4 bytes on a 64-bit system. So change int to long. NativeCrypto_X509_REVOKED_get_ext may have the same problem. Change-Id: I97be716f82e846a5dfe3cef77b68faff79235d9b Signed-off-by: Yong Yao <yong.yao@intel.com>
-
- 05 Feb, 2015 1 commit
-
-
Alex Klyubin authored
This declares constraints on which keys Cipher, KeyAgreement, Mac, and Signature instances provided by Conscrypt accept. Constraints are expressed using JCA's SupportedKeyClasses and SupportedKeyFormats attributes. Declaring these constraints will make JCA use other providers for keys not supported by Conscrypt. This in turn removes the need for users of JCA to explicitly specify which provider to use. This looks messy mostly because of how the JCA's constraining mechanism works. Some of the weirdness and messiness also comes from the inconsistencies in how Conscrypt handles different key types in different primitives. Once these inconsistencies are fixed, this change will become smaller and a bit nicer. See https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html Bug: 19284418 Change-Id: I7e862a620d7279e4eaf6e42acd9072e7be665024
-
- 30 Jan, 2015 2 commits
-
-
Adam Langley authored
* commit '24144a80': Support external/boringssl for reading flavor.mk.
-
Adam Langley authored
Change-Id: I96a0ee6b51736aa842055dc17750c1d565f19174
-
- 23 Jan, 2015 1 commit
-
-
Adam Langley authored
* commit 'dd546216': Use an empty BIO memory buffer with BoringSSL.
-
- 22 Jan, 2015 2 commits
-
-
Alex Klyubin authored
* commit '0a4895dc': Time out TLS/SSL sessions after 8 hours by default.
-
Alex Klyubin authored
* commit '4314dcb6': Time out TLS/SSL sessions after 8 hours by default.
-
- 21 Jan, 2015 2 commits
-
-
Alex Klyubin authored
Prior to this change TLS/SSL sessions did not time out. (cherry picked from commit e5992c84) Bug: 18369043 Bug: 18370076 Change-Id: I596423b9c56bfc5f337a17aba02fbb9a9f2ded36
-
Adam Langley authored
de5225d1 mistakenly switched a BIO_s_null to an empty mem-BIO in order to allow BoringSSL to work. That worked for BoringSSL, but OpenSSL treats an empty mem-BIO as an error and so that was switched back in 2fe55c8f. This change uses an empty mem-BIO with BoringSSL again for the same reasons, but guards the change with the preprocessor so that it doesn't break OpenSSL. Change-Id: If90b7a151bf124722d91f150b441e0c9f5b96b03
-
- 08 Jan, 2015 5 commits
-
-
Narayan Kamath authored
* commit 'b908a622': Treat SSL_ERROR_ZERO_RETURN correctly.
-
Narayan Kamath authored
* commit '4497fdc7': Treat SSL_ERROR_ZERO_RETURN correctly.
-
Narayan Kamath authored
According to ssl_lib.c, this is returned whenever the socket is being closed (s->shutdown && SSL_RECEIVED_SHUTDOWN && s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY). (cherry picked from commit f6c8f8b4) Bug: 18758595 Change-Id: Ied7b3e18f11786351d42a770f4cad11ddae29ff3
-
Kenny Root authored
* commit 'f6bbb424': OpenSSLEngineImpl: return bytes consumed for unwrap
-
Narayan Kamath authored
am c8644769: (-s ours) am cc638d86: Merge "Call EVP_CIPHER_CTX_free instead of EVP_CIPHER_CTX_cleanup." into lmp-mr1-dev * commit 'c8644769': Call EVP_CIPHER_CTX_free instead of EVP_CIPHER_CTX_cleanup.
-