- 05 Feb, 2016 1 commit
-
-
Kenny Root authored
-
- 04 Feb, 2016 6 commits
-
-
Chad Brubaker authored
Bug: 26390415 Change-Id: I0cdcb75ba1459c747e5c88452d41a573aada4c7e
-
Kenny Root authored
-
Kenny Root authored
-
Kenny Root authored
This allows specifying that a server's cipher suite list order should be respected and preserved over the client's cipher suite list order. Change-Id: I7f760e9b5fbc8ab6e4c9d29221c64b510498e95f
-
Kenny Root authored
This adds support for retrieving SNI name as a server and setting SNI name as a client. It currently doesn't implement use of the SNIMatcher API. Change-Id: I4f76fcbd96bd7c3398532f3858bbdd0d06103082
-
Kenny Root authored
If the X.509 certificate's signature algorithm OID is not satisfied by any provider registered, a NoSuchAlgorithmException should be thrown. The previous behavior was that an unchecked NullPointerException was thrown during the attempt to set up the (actually null) signature instance. Bug: 26954162 Change-Id: Iac3e27c823580738a54d75a45d39411456934dd5
-
- 03 Feb, 2016 3 commits
-
-
Kenny Root authored
This enables the new API to specify when a host should be verified by hostname. Before there was no public API that was capable of indicating to the TrustManager which DNS hostname you were intending to connect with. Change-Id: Ic5845d1e93f02b54d971673a280d0a3571739fbf
-
Kenny Root authored
Newer Android versions have implemented getFileDescriptor$ to fix a bug in Conscrypt since libcore commit 5d3f5200f3511c9a7107bcc0a996c7afa1b39aaf which has continued to do the right thing. Use this method instead since newer versions don't necessarily set the "impl" field on Socket instances. Bug: 25857624 Change-Id: I64fbda844ea3b632023822f1436bd674852e327a
-
Kenny Root authored
This reverts commit 132c311d. Some stubs were needed to allow building on unbundled builds. Change-Id: I713d00923eecac7e323d53e561cf509794cc4fd4
-
- 02 Feb, 2016 3 commits
-
-
Kenny Root authored
This reverts commit 38d12ed4. This breaks the unbundled build because of OpenSSLExtendedSessionImpl. Change-Id: I73951a6f1d5cb14c70cd807c2c895bbbdc4c8e40
-
Kenny Root authored
In order to support SNI certificate selection on the server side and enhanced certificate verification on the client side, we add ExtendedSSLSession and the getHandshakeSession support. This is just to set up for future implementations of SNI and ExtendedX509TrustManager and doesn't actually implement the logic needed to fully support the new features. Change-Id: I300d3134d8ab9c184d6473183612dc53658a8221
-
Kenny Root authored
Change-Id: Idc143d37c63cf3436ccdddc22abcb11802fc6615
-
- 28 Jan, 2016 1 commit
-
-
Chad Brubaker authored
PublicKey.equals is not required to return true on the same public key but from different providers; this causes incorrect lookup failures when the key comes from keystore. Change-Id: Iaedaa91c64eeede1d5021430c015aac746afbc97
-
- 27 Jan, 2016 1 commit
-
-
Chad Brubaker authored
Use super.hashCode to make sure that hashCode matches the RI. Since the underlying certificate (and therefore the hashcode) is immutable the value is cached after the first call to avoid needlessly recomputing the hash. Bug:26386620 Change-Id: Ic480b48e57144ac730a33dcc313cdff57fe71157
-
- 21 Jan, 2016 1 commit
-
-
Kenny Root authored
This was only a hack to support old Harmony code, so we don't need it anymore. Remove the direct references to AlgNameMapper and use reflection for compatibility in unbundled code. Change-Id: I7ec14f19e5098ffe12592b79b2b163b41031b6e6
-
- 19 Jan, 2016 1 commit
-
-
Sergio Giro authored
-
- 18 Jan, 2016 2 commits
-
-
Sergio Giro authored
The TrustManagerFactory is returning a RootTrustManager now instead of a TrustManagerImpl, thus breaking the test. Bug: 25992791 Change-Id: I5924b684a9c3f8c49818ceefb038886035a17f68
-
Sergio Giro authored
Note the null check was in fromEncoding(InputStream, String) already. Bug: 25926066 Change-Id: Ic4a0d514c6b8e6d8af349a8202f26854f6975cd6
-
- 14 Jan, 2016 2 commits
-
-
Adam Langley authored
This change sorts the list using sort(1). Change-Id: Ief0c407969c92405464b9b2e9ebc694f98260263
-
Adam Langley authored
In preparation for a new BoringSSL import, this change adds the strings for the ChaCha20-Poly1305-based cipher suites, as specified in draft-ietf-tls-chacha20-poly1305-04. This change will cause the ciphers to be advertised via |getSupportedCipherSuites| even though BoringSSL hasn't been updated yet. This will be a transient flaw. Change-Id: If633ebb10f74d9f5706ad87d49b40ee5183dae8f
-
- 11 Jan, 2016 2 commits
-
-
David Benjamin authored
get_SSL_CIPHER_algorithm_mkey and get_SSL_CIPHER_algorithm_auth are never used. There are also some struct accesses that have public API variants. Finally, requiring ssl->server be set to 0 before SSL_set1_tls_channel_id was a bug that has been fixed in BoringSSL. (See https://boringssl.googlesource.com/boringssl/+/a3d9de05fb6df2c0dffab83717139e6c71d3d329/ssl/s3_lib.c#337) Change-Id: If68efce2901f3ef89bdf5bb47cbc7d5fddaa6ef6
-
Kenny Root authored
-
- 05 Jan, 2016 3 commits
-
-
Kenny Root authored
-
Alex Klyubin authored
-
David Benjamin authored
This is in preparation for https://boringssl-review.googlesource.com/#/c/6550/. Change-Id: I9fd64d0e2c583aa346f21b7a49b1f95e68b99b14
-
- 22 Dec, 2015 6 commits
-
-
Alex Klyubin authored
This fixes the sanity checks around access to memory backing direct ByteBuffer instances. The previous checks would've erroneously failed if pointers crossed the 2^63 boundary. There is no need to check for pointer overflow. Bug: 24674857 Change-Id: Ic8b5a651418c401d32eb0c8053217988963cd326
-
Kenny Root authored
Unbreak the build by filtering it out temporarily until it can be placed in the correct directory. (cherry picked from commit a2a0e05c) Change-Id: I8fb43bd92d62ef640f94152612cefceeba475e98
-
Narayan Kamath authored
bug: 25838479 (cherry picked from commit 0f0237f1) Change-Id: Ic98725c5b90af62a16b630676cf36bda0fa7be6e
-
Przemyslaw Szczepaniak authored
org.apache.harmony.security is no more, AlgNameMapper implementation from compat has to be used in all builds. (cherry picked from commit 1bfaa14a) Change-Id: Ib2b9a95fd68beb0ea0dece70ff8ad9bda5bbd559
-
Przemyslaw Szczepaniak authored
java.lang.IntegralToString is going away, replaced its usage by small helper class, Hex. + Fixes the "Illegal class access" exception from TrustedCertificateStoreTest & TrustManagerImplTest. (cherry-picked from 61e984f441b9194f0ae907e6fc28502858df6852 + 61e984f441b9194f0ae907e6fc28502858df6852) Bug: 24932279 (cherry picked from commit e279a985) Change-Id: Id48cd9c2dfade328f01c669afa20fe2e7a630fc2
-
Piotr Jastrzebski authored
(cherry picked from commit 69766952) Change-Id: I584aa770a496f433f1d5fbba579ca477bfa2ef19
-
- 14 Dec, 2015 1 commit
-
-
Kenny Root authored
Bug: 26186727 Change-Id: Id74b0d89742dd23f506c6f0165c1dfc49bd586a6
-
- 11 Dec, 2015 1 commit
-
-
Kenny Root authored
Sanitization currently makes this library reference symbols which cannot be resolved at runtime without additional magic when starting the JVM. Disable this until we can find a fix. This currently fails with:
libconscrypt_openjdk_jni.so: undefined symbol: __asan_option_detect_stack_use_after_return
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary1(ClassLoader.java:1965)
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1890)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1880)
    at java.lang.Runtime.loadLibrary0(Runtime.java:849)
    at java.lang.System.loadLibrary(System.java:1088)
    at org.conscrypt.NativeCryptoJni.init(NativeCryptoJni.java:25)
    at org.conscrypt.NativeCrypto.<clinit>(NativeCrypto.java:54)
    at org.conscrypt.OpenSSLBIOInputStream.<init>(OpenSSLBIOInputStream.java:34)
    at org.conscrypt.OpenSSLX509Certificate.fromX509PemInputStream(OpenSSLX509Certificate.java:119)
    at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:220)
    at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:216)
    at org.conscrypt.OpenSSLX509CertificateFactory$Parser.generateItem(OpenSSLX509CertificateFactory.java:94)
    at org.conscrypt.OpenSSLX509CertificateFactory.engineGenerateCertificate(OpenSSLX509CertificateFactory.java:272)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
    at com.android.signapk.SignApk.readPublicKey(SignApk.java:161)
    at com.android.signapk.SignApk.main(SignApk.java:933)
Bug: 26160319 Change-Id: Icd5ffb49eb5610552af0dd049db99a0b9f181cba
-
- 10 Dec, 2015 3 commits
-
-
Kenny Root authored
-
Kenny Root authored
In BoringSSL, the SSL_MODE_ENABLE_FALSE_START (aka SSL_MODE_HANDSHAKE_CUTTHROUGH) is unconditionally enabled because BoringSSL does the appropriate checks internally. Make sure our tests also reflect this fact by testing the appropriate settings. Bug: 26139262 Bug: 26139500 Change-Id: I125aa440cdb76d2efbfee2be7387b47d22446950
-
Alex Klyubin authored
This statically links in BoringSSL and libc++ into Conscrypt's JNI OpenJDK shared library for host. The goal is to make the library as self-contained as feasible to avoid issues with shared library search path when the library is used outside of the Android source tree. Bug: 26097626 Change-Id: I3d1b521ad11a0f88ec46d8a7382c14ffdfd44e2e
-
- 09 Dec, 2015 3 commits
-
-
Kenny Root authored
Previously this file was used from the main Android.mk, but that's not true anymore. Simply remove it. Change-Id: I16740ee73f91399b837794a625ea84c6281d73da
-
Kenny Root authored
-
Alex Klyubin authored
This change adds support for creating EC KeyPairGenerator and KeyFactory via EC public key OID 1.2.840.10045.2.1. Bug: 26097626 Change-Id: Iedc0b74e201b115750f38eabc9e91d08a884dadd
-