- 22 Aug, 2015 1 commit
-
-
The Android Automerger authored
-
- 20 Aug, 2015 1 commit
-
-
Adam Langley authored
BoringSSL disables server-initiated renegotiations by default. However, it's unclear what the impact of this will be. On the other hand, rejecting renegotiations certainly makes things simpler. (cherry picked from commit ed628f94) Bug: 23189319 Change-Id: I0cd3f04838c0afea665a88d4f0cd0a16c1e811de
-
- 23 Jun, 2015 1 commit
-
-
The Android Automerger authored
-
- 22 Jun, 2015 5 commits
-
-
Kenny Root authored
Test both client and server. Also we expect a SSLHandshakeException instead of an SSLProtocolException in one case. Bug: 21207627 (cherry picked from commit 5429f72d) Change-Id: If895b03e2cece3a1a8d2f074a557c68f55a7021e
-
Sergio Giro authored
-
Kenny Root authored
BoringSSL will push the BAD_SIGNATURE error onto the stack for every signature error. In Java it just returns false from the Signature#verify call when the signature is incorrect. However, we still want to throw an exception for raw RSA when the number of signature bytes is larger than the modulus can express. Bug: 21209646 (cherry picked from commit 089b4018) Change-Id: I96ada8762817a99df11da2f7e7b7310bb31d5cba
-
Sergio Giro authored
-
Sergio Giro authored
SSL_OP_NO_SSLv2 is not a flag anymore (defined as 0 in ssh.h) Bug: 21875962 (cherry picked from commit 97e54bdd) Change-Id: I52004b893768b087577c078dcd1ba0ae1bdea911
-
- 18 Jun, 2015 1 commit
-
-
The Android Automerger authored
-
- 17 Jun, 2015 1 commit
-
-
Sergio Giro authored
NativeCrypto.SSL_set_cipher_lists can accept the empty list as per c/154191 Bug: 21816861 (cherry picked from commit c0010ca5) Change-Id: I6cf7563417d8b6fb9edbeade0947726275a76c18
-
- 16 Jun, 2015 1 commit
-
-
The Android Automerger authored
-
- 15 Jun, 2015 1 commit
-
-
The Android Automerger authored
-
- 13 Jun, 2015 1 commit
-
-
The Android Automerger authored
-
- 11 Jun, 2015 15 commits
-
-
Kenny Root authored
(cherry picked from commit d9a48aa4) Bug: 21034231 Change-Id: I1efd062a6608111e6ab468f4e362291895dd166d
-
Kenny Root authored
When an error condition is encountered in BoringSSL, sometimes it deliberately does not put something on the ERR stack to prevent abuse of that knowledge. Instead we need to throw an exception explicitly when no error is pushed onto the stack. (cherry picked from commit 79f05f46) Bug: 21034231 Change-Id: Ia06347c5653672c982ecff2c26be9b091d03009f
-
Kenny Root authored
(cherry picked from commit d9a48aa4) Bug: 21034231 Change-Id: I1efd062a6608111e6ab468f4e362291895dd166d
-
Kenny Root authored
When an error condition is encountered in BoringSSL, sometimes it deliberately does not put something on the ERR stack to prevent abuse of that knowledge. Instead we need to throw an exception explicitly when no error is pushed onto the stack. (cherry picked from commit 79f05f46) Bug: 21034231 Change-Id: Ia06347c5653672c982ecff2c26be9b091d03009f
-
Kenny Root authored
-
Kenny Root authored
(cherry picked from commit edc4f273) Bug: 21762837 Change-Id: I11042be8fe1e046ac96759b4554ce9229e1cf6f3
-
Kenny Root authored
-
Sergio Giro authored
- Consider the |final| buffer when computing the expected length - Should not expect an extra block when using padding in decrypting mode Bug: 19186852 Change-Id: I8c51b309ca98030ab1eda5b2a0201a97a5758072 (cherry-pick from 8fa4acdc)
-
The Android Automerger authored
-
Kenny Root authored
-
Alex Klyubin authored
-
Adam Langley authored
Upstream BoringSSL has dropped |SSL_ST_BEFORE| (which appears to have been unused) and all the |*_LOCK_*| symbols. The latter are replaced with |*_up_ref|, with #if's so that it continues to work with OpenSSL. (cherry picked from commit ba3f063e) Change-Id: Ib609c83d428b7624e24e3b96c93afc2e482e6a6d
-
Kenny Root authored
When using an opaque key, try to honor the system's preferred provider which is selected via late binding. If it's not found, try to find the first provider that initializes correctly with the given key. (cherry picked from commit c590a930) Bug: 21737886 Change-Id: I17483136aa5c1c5e474109525aefac9facaf7379
-
Adam Langley authored
When BoringSSL/OpenSSL TLS/SSL stack operates on opaque private keys (those that don't expose their key material) it upcalls (via Conscrypt's NativeCrypto) into corresponding JCA Signature and Cipher primitives. This fixes a crash in the ECDSA upcall when Conscrypt is used with BoringSSL. (cherry-picked from commit 61c66eb9) Bug: 21738458 Change-Id: I6def1bce62f20b2ec39fe88251975458e8813362
-
Alex Klyubin authored
When BoringSSL/OpenSSL TLS/SSL stack operates on opaque private keys (those that don't expose their key material) it upcalls (via Conscrypt's NativeCrypto) into corresponding JCA Signature and Cipher primitives. This CL fixes two issues with RSA-related upcalls, which prevented the use of opaque RSA private keys for TLS/SSL with Conscrypt backed by BoringSSL:
  * RSA sign was upcalled into RSA Cipher decrypt using private key. In JCA, the correct upcall is RSA Signature sign. This is now invoked instead of RSA Cipher decrypt.
  * RSA decrypt was not implemented. It's now implemented.
As part of implementing RSA decrypt upcall from BoringSSL, it transpired that BoringSSL requests no padding as opposed to OpenSSL which requests PKCS#1 padding. As a result, this CL modifies the decrypt upcall to take a padding parameter. The implementation of the upcall (see CryptoUpcalls.java) now supports PKCS#1 padding scheme, OAEP padding scheme, and no padding. This CL also drops the encrypt/decrypt flag from the RSA encrypt/decrypt upcall and simplifies it into an RSA decrypt upcall. RSA encrypt upcall is not needed at all. (cherry-picked from commit 279e9845) Bug: 21738458 Change-Id: I075aa74e4cd89dd3ceab99f728ce371c7bc89cf0
-
- 10 Jun, 2015 2 commits
-
-
Kenny Root authored
For the Java language, setting an empty cipher list is not an error but it's an error in OpenSSL. However, the underlying API actually updates the cipher list to an empty string as intended. So we need to handle this special case by clearing the error stack and making sure that our expectation is satisfied. (cherry picked from commit 5b6a5ecc) Bug: 21195269 Change-Id: Id21792215513f4e0d6e051160f69e5f830d39015
-
Kenny Root authored
For the Java language, setting an empty cipher list is not an error but it's an error in OpenSSL. However, the underlying API actually updates the cipher list to an empty string as intended. So we need to handle this special case by clearing the error stack and making sure that our expectation is satisfied. (cherry picked from commit 5b6a5ecc) Bug: 21195269 Change-Id: Id21792215513f4e0d6e051160f69e5f830d39015
-
- 04 Jun, 2015 1 commit
-
- 02 Jun, 2015 5 commits
-
-
Kenny Root authored
* commit 'f6822ebc': OpenSSLX509Certificate: mark mContext as transient
-
Kenny Root authored
* commit 'fae34604': OpenSSLX509Certificate: mark mContext as transient
-
The Android Automerger authored
-
Kenny Root authored
* commit 'de55e62f': OpenSSLX509Certificate: mark mContext as transient
- 01 Jun, 2015 4 commits
-
-
Kenny Root authored
When an invalid key is passed in we may throw NoSuchAlgorithmException if it's a key we don't support, but we should convert this to the correct exception for this API. (cherry picked from commit ed396e93) Bug: 21209493 Change-Id: I55123035295203f2676538ac89ba4eb91141b273
-
Kenny Root authored
-
Kenny Root authored
We need to check the ERR stack on a return code of 0. Previously there was a comment indicating the weird behavior about DSA keys throwing after a check for a return value of -1, but this API is never supposed to return anything other than 1 for success or 0 for failure. (cherry picked from commit 49854878) Bug: 18869265 Change-Id: Ic871c63b6d65949053819950ed8053f47501bd60
-
Kenny Root authored
When an invalid key is passed in we may throw NoSuchAlgorithmException if it's a key we don't support, but we should convert this to the correct exception for this API. (cherry picked from commit ed396e93) Bug: 21209493 Change-Id: I55123035295203f2676538ac89ba4eb91141b273
-