GitLab

SSLSocket, SSLServerSocket, and SSLEngine offer setEnabledProtocols
and setEnabledCipherSuites methods which take an array of protocols
or cipher suites as input. If these methods store references to the
input arrays, then the internal state (lists of enabled protocols and
cipher suites) of SSLSocket, SSLServerSocket, and SSLEngine could be
modified without going through the setter methods of these classes.

Bug: 15753142
Change-Id: Ia5248050d81320ed1da99892278bd60872605f52

This is a follow-up cleanup requested during the code review of
ae2ecac0.

Change-Id: I6c8ac2392c5f88ee732f5aa204e20cc1ee7e32d8

Change-Id: I1c8aa589e3274bfd3a5fc66c3e948828903c1966

Bug: 14298175
Change-Id: I5035075f2453b692f86fff8fe852c954698e40ed

The SHA-2 based cipher suites cannot be used with SSLv3 but there is
no way to express that in OpenSSL's configuration. This CL thus
adjusts the list of supported cipher suites accordingly.

Bug: 15073623
Change-Id: I427c99f4c1c72690d95e5a3c63763631c41ddae2

Bug: 14083889
Change-Id: I5fe0a1558184d44eb8a24bd92c0e7517937f3a5c

TLS Channel ID requires ECDHE-based key exchange.

Change-Id: I722135c96a3ce700dcdf1646d2a71654923bb85c

Change-Id: Ie0d9f83e366c0b99994eb861ae567d454cbbea5b

Change-Id: I7ff48af2991fc03811c7874a974b9052934d27ae

This is mostly useful for unbundled Conscrypt currently when working
with KeyChain-based keys, but could be good for use with PKCS11-like
keys in other JSSE providers.

Bug: 15469749
Change-Id: I56bf2eaf3228bdf42d671437f4fffdafb8b47b12

Change-Id: I96ae5539b6195ccbeb92af1beb7e78660ef757a1

Change-Id: I282c701b191d68bc4dcfa390505968f97a5c7d3c

When JNI registration fails, we should log it immediately to help
with debugging. Otherwise, it will tell you that you called a JNI
function with an exception pending.

Change-Id: I7cbba4d6639265a79a9d043d120f1a2bf72a85f7

Switch host build to clang as conscrypt uses C++11 and not all GCC
host compilers support it.

Bug: 13751317
Change-Id: I74ffdda695e47967b61a133c8b6fc52f6547a3a0

Allows overriding the defaults in misc/keychain/ with different
defaults, for example when the whole process uses another directory
and this needs to be reflected in every new TrustedCertificateStore
that is created.

Change-Id: I22db18178600668053a17517e9b47eef7b9be5ed

To aid in building Conscrypt with gradle, move the platform-only files
out to a separate directory.

Change-Id: I8f07959055261f6b9f2a0ac26dea2f6431d9edbe

* commit '4ccb72fd':
  Unbundle conscrypt

Don't build the host JNI library in an unbundled build since it's only
needed for testing currently.

Change-Id: I6b6003e86d9f6ff2d87431f156f4984f56592791

An instance of SSLParametersImpl is associated with SSLContext and is
then cloned into any SSLSocketFactory, SSLServerSocketFactory,
SSLSocket, SSLServerSocket, and SSLEngine. This CL ensures that all
these primitives obtain their list of enabled cipher suites and
protocols from their instance of SSLParametersImpl.

Bug: 15073623
Change-Id: I40bf32e8654b299518ec0e77c3218a0790d9c4fd

* commit 'c0eda49f':
  Add script to create prebuilts

This allows us to create a gradle library that people can include.

Change-Id: I7f845ae0738b8d414781a34fef6bc28bebebb994

* commit '01cce891':
  Expose support for TLS-PSK.

* commit '1cfba2bc':
  Revert "Speed up conscrypt compile a bit"

TLS-PSK (Pre-Shared Key) is a set of TLS/SSL cipher suites that use
symmetric (pre-shared) keys for mutual authentication of peers. These
cipher suites are in some scenarios more suitable than those based on
public key cryptography and X.509. See RFC 4279 (Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)) for more information.

OpenSSL currently supports only the following PSK cipher suites:
* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
* TLS_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_PSK_WITH_AES_128_CBC_SHA
* TLS_PSK_WITH_AES_256_CBC_SHA
* TLS_PSK_WITH_RC4_128_SHA

The last four cipher suites mutually authenticate the peers and
secure the connection using a pre-shared symmetric key. These cipher
suites do not provide Forward Secrecy -- once the pre-shared key is
compromised, all previous communications secured with that key can be
decrypted. The first two cipher suites combine the pre-shared
symmetric key with an ephemeral key obtained from an ECDH key
exchange performed during the TLS/SSL handshake, thus providing
Forward Secrecy.

Users of TLS-PSK are expected to provide an implementation of
PSKKeyManager to SSLContext.init and then enable at least one PSK
cipher suite in SSLSocket/SSLEngine.

Bug: 15073623
Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb

* commit 'ec9c6dc1':
  Speed up conscrypt compile a bit

* commit '3e46e4ee':
  Unbundle: hacks to let Conscrypt compile standalone

This reverts commit ec9c6dc1.

Change-Id: Icfdeec757357a7449640198548963d2095d8cf92

Re-arrange Java library compilation to allow reuse of previous
compilations which speeds up the overall compilation by a bit.

Change-Id: I7ec172dd8ca2450d26ecec2a5dae13de5c00299b

This is the first pass at getting Conscrypt to compile standalone. It
works fine in apps currently. There are a few TODOs to fix.

Change-Id: I9b43ba12c55e04c8897ccacf38979ca671a55a26

* commit 'f6aeba08':
  X509Certificate: add some context to thrown exceptions

* commit '81c66678':
  NativeCryptoTest: fix shutdown test

These weren't actually testing that the exceptions were thrown before.
Since we actually throw now, make sure we're throwing the expected
exception type.

Change-Id: I57b11492118dd7c04faa57c58de7b023294b179c