GitLab

TLS Channel ID requires ECDHE-based key exchange.

Change-Id: I722135c96a3ce700dcdf1646d2a71654923bb85c

Change-Id: Ie0d9f83e366c0b99994eb861ae567d454cbbea5b

Change-Id: I7ff48af2991fc03811c7874a974b9052934d27ae

This is mostly useful for unbundled Conscrypt currently when working
with KeyChain-based keys, but could be good for use with PKCS11-like
keys in other JSSE providers.

Bug: 15469749
Change-Id: I56bf2eaf3228bdf42d671437f4fffdafb8b47b12

Change-Id: I96ae5539b6195ccbeb92af1beb7e78660ef757a1

Change-Id: I282c701b191d68bc4dcfa390505968f97a5c7d3c

When JNI registration fails, we should log it immediately to help
with debugging. Otherwise, it will tell you that you called a JNI
function with an exception pending.

Change-Id: I7cbba4d6639265a79a9d043d120f1a2bf72a85f7

Switch host build to clang as conscrypt uses C++11 and not all GCC
host compilers support it.

Bug: 13751317
Change-Id: I74ffdda695e47967b61a133c8b6fc52f6547a3a0

Allows overriding the defaults in misc/keychain/ with different
defaults, for example when the whole process uses another directory
and this needs to be reflected in every new TrustedCertificateStore
that is created.

Change-Id: I22db18178600668053a17517e9b47eef7b9be5ed

To aid in building Conscrypt with gradle, move the platform-only files
out to a separate directory.

Change-Id: I8f07959055261f6b9f2a0ac26dea2f6431d9edbe

* commit '4ccb72fd':
  Unbundle conscrypt

Don't build the host JNI library in an unbundled build since it's only
needed for testing currently.

Change-Id: I6b6003e86d9f6ff2d87431f156f4984f56592791

* commit 'c0eda49f':
  Add script to create prebuilts

This allows us to create a gradle library that people can include.

Change-Id: I7f845ae0738b8d414781a34fef6bc28bebebb994

* commit '01cce891':
  Expose support for TLS-PSK.

* commit '1cfba2bc':
  Revert "Speed up conscrypt compile a bit"

TLS-PSK (Pre-Shared Key) is a set of TLS/SSL cipher suites that use
symmetric (pre-shared) keys for mutual authentication of peers. These
cipher suites are in some scenarios more suitable than those based on
public key cryptography and X.509. See RFC 4279 (Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)) for more information.

OpenSSL currently supports only the following PSK cipher suites:
* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
* TLS_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_PSK_WITH_AES_128_CBC_SHA
* TLS_PSK_WITH_AES_256_CBC_SHA
* TLS_PSK_WITH_RC4_128_SHA

The last four cipher suites mutually authenticate the peers and
secure the connection using a pre-shared symmetric key. These cipher
suites do not provide Forward Secrecy -- once the pre-shared key is
compromised, all previous communications secured with that key can be
decrypted. The first two cipher suites combine the pre-shared
symmetric key with an ephemeral key obtained from an ECDH key
exchange performed during the TLS/SSL handshake, thus providing
Forward Secrecy.

Users of TLS-PSK are expected to provide an implementation of
PSKKeyManager to SSLContext.init and then enable at least one PSK
cipher suite in SSLSocket/SSLEngine.

Bug: 15073623
Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb

* commit 'ec9c6dc1':
  Speed up conscrypt compile a bit

* commit '3e46e4ee':
  Unbundle: hacks to let Conscrypt compile standalone

This reverts commit ec9c6dc1.

Change-Id: Icfdeec757357a7449640198548963d2095d8cf92

Re-arrange Java library compilation to allow reuse of previous
compilations which speeds up the overall compilation by a bit.

Change-Id: I7ec172dd8ca2450d26ecec2a5dae13de5c00299b

This is the first pass at getting Conscrypt to compile standalone. It
works fine in apps currently. There are a few TODOs to fix.

Change-Id: I9b43ba12c55e04c8897ccacf38979ca671a55a26

* commit 'f6aeba08':
  X509Certificate: add some context to thrown exceptions

* commit '81c66678':
  NativeCryptoTest: fix shutdown test

These weren't actually testing that the exceptions were thrown before.
Since we actually throw now, make sure we're throwing the expected
exception type.

Change-Id: I57b11492118dd7c04faa57c58de7b023294b179c

Bug: 14648280
Change-Id: I7bbf76e0d383d34fc5e5a49a8d45384e47f43f3a

* commit '38d5f3d7':
  OpenSSLMessageDigestJDK: support clone

* commit '3f8d6407':
  Fix of native crash in the evpUpdate method

The org.apache.harmony.security.tests.java.security.MessageDigest1Test
CTS test class's testSHAProvider method was causing a SIGSEGV when
"md.update(bytes, 1, -1);" was called, as the evpUpdate method was not
checking for the inLength parameter being negative. This has been
rectified and the test now passes.

Bug: 14821275
Change-Id: I94489a518f7a2d4a6e84e58f91d8eee6f0ceb045
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>

Add the ability to clone the MessageDigest state.

Bug: 14821275
Change-Id: Ifa1b48db708448b971afe1e7360876f3fbe47588

* commit 'e526e75c':
  DH keys: derive public key if not available

* commit '767fda1e':
  Get rid of some warnings.

Also make the params mutex when we're inflating from a serial object
since it will be null otherwise.

Change-Id: I36641725161c0a708ba303500acca368b0511abe

Change-Id: I87f3ad5374d89e8acfdd78fe5af4b02be483cd3d