- 09 Oct, 2014 1 commit
Neil Fuller authored
Merge commit 8b188b864302f5ea9df17636b378938a15b4605a was incomplete because some conscrypt files have been moved into a separate repo. There have been various changes in conscrypt which render changes to crypto/src/main/java/org/conscrypt/OpenSSLServerSocketImpl.java, crypto/src/main/java/org/conscrypt/OpenSSLSocketImpl.java and crypto/src/test/java/org/conscrypt/CipherSuiteTest.java unnecessary. This is effectively the same change as conscrypt commit 8d7e23e1. Change-Id: I0f8199f3bf39a035ad5453be6fea92f511dcf548
-
- 10 Sep, 2014 1 commit
Kenny Root authored
The tests were calling finish when they meant free. This caused tests to segmentation fault next time the ENGINE was looked up in the dynamic engine list. (cherry picked from commit 984b7ec6) Bug: 14994037 Change-Id: If7379fee26f7e79fa0b43104ac9d13b4ffb62ba8
-
- 14 May, 2014 1 commit
Kenny Root authored
We were returning SSL_TLSEXT_ERR_OK even if we did not select any NPN/ALPN support. (cherry picked from commit fc7924bc) Bug: https://code.google.com/p/android/issues/detail?id=66562 Change-Id: I79ea821512f03f1391247d3bcfc7ac7d042ecb41
-
- 08 May, 2014 1 commit
Kenny Root authored
We only need to catch BadPaddingException right now. Let the other non-RuntimeException exceptions pass. (cherry picked from commit 7c3263f1) Bug: 13746671 Change-Id: I5b6878250d428b1ee953092967b7418003ee9216
-
- 04 Apr, 2014 2 commits
Kenny Root authored
Some DSA tests were calling with bignum arrays that had the high bit set indicating a negative number. Also an empty array was being passed as another part of the test. This was working, but it was reading one byte past the end of the buffer. (cherry picked from commit 5b1934c7) Bug: 13789608 Change-Id: Ibd5a0dce61703ea569fd483f8acf66fd149703f8
-
Kenny Root authored
Java BigInteger is in two's complement, so it needs conversion for negative numbers. We were mishandling it before and the previous change just hacked around it. Actually convert to two's complement instead. (cherry picked from commit 1744cf2b) Bug: 13789608 Change-Id: I6bfe9577f0936678476193b55433b7d7dbc04400
-
- 05 Mar, 2014 1 commit
Kenny Root authored
ENGINE-backed keys can't be encoded, so check their status before trying to return anything in getEncoded or getFormat. (cherry picked from commit ba1ea0ca) Bug: 12877721 Change-Id: I47a2ee14e9e0198ebdf47bdf5199f6f44bf7153b
-
- 28 Jan, 2014 6 commits
Kenny Root authored
* commit 'cea9ec15': X509Certificate: SignatureException for verify
-
Kenny Root authored
* commit '0a97d659': OpenSSLX509Certificate: negative serial numbers
-
Kenny Root authored
Any verification error can throw random things like BadPaddingException. Swallow it and catch Exception for all these cases and rethrow as a SignatureException to avoid acting as any kind of oracle. Change-Id: I6b515148f86529fbe0895c9fdb0954306724ae54
-
Kenny Root authored
The constructor BigInteger(byte[]) expects two's complement encoding, but that's not what OpenSSL bn2bin returns. Bug: 12761797 Change-Id: I6c71f6fb88c2b1df7c372bf697728dac26571634
-
Kenny Root authored
* commit 'caff440a': TrustedCertificateStoreTest: add message to assert
-
Kenny Root authored
Add the target filename to the assert so that a testing issue can be debugged. Currently a file is failing to delete during a CTS run, but can't be reproduced during a targeted test run of just the TrustedCertificateStoreTest. Change-Id: I217d6b92868880ab4456500b290b5c6ac9c45c2c
-
- 16 Jan, 2014 2 commits
Kenny Root authored
* commit 'f33b51ba': Track update to OpenSSL 1.0.1f
-
Kenny Root authored
The constants for handshake cutthrough and CBC record splitting were changed during the upgrade to OpenSSL 1.0.1f. This changes NativeCrypto.java to track them. Change-Id: I9e385c323d5557c5d50cffe3ce797dcf89667ad9
-
- 13 Jan, 2014 2 commits
Alex Klyubin authored
* commit '64a1e90e': Fix breakage in CipherSuiteTest due to TLSv1.2 cipher suites.
-
Alex Klyubin authored
The test was accidentally broken when support for TLSv1.2 cipher suites was added. The CipherSuite class is only used by the SSLEngine implementation which does not support TLSv1.2 cipher suites (or TLSv1.2 for that matter). Bug: 11220570 Change-Id: I8f5571ea76279161d25a6525a71cf49bfe7e6079
-
- 10 Jan, 2014 2 commits
Kenny Root authored
* commit '19b7c5fe': Lazily read CertPin data
-
Kenny Root authored
This delays reading the CertPin data until it is needed. This also avoids touching the disk until necessary since CertPinManager may be loaded by any number of actions such as instantiating an SSLSocketFactory as in this chain of dependencies: SSLSocketFactory -> HttpsURLConnection -> OpenSSLSocketFactoryImpl -> SSLParametersImpl -> TrustManagerImpl -> CertPinManager. Bug: https://code.google.com/p/android/issues/detail?id=64654 Change-Id: I11e1b44c7a7e001b33bc591efefe35653829a472
-
- 07 Jan, 2014 1 commit
Matteo Franchin authored
* commit '7dd8d0b4': AArch64: Use long for pointers in Java sources.
-
- 06 Jan, 2014 1 commit
Matteo Franchin authored
Fixing some mistakes in the JNI signatures: some pointers were passed via jint rather than jlong. Change-Id: I6120cc5742c8429a9e0fddda715b5169d820d31a Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
-
- 19 Dec, 2013 3 commits
Alex Klyubin authored
* commit '42bd279c': Disable MD5 cipher suites in SSLSocket and SSLEngine.
-
Alex Klyubin authored
Although HMAC-MD5 is not yet broken, the foundations are shaky -- see http://tools.ietf.org/html/rfc6151. Scans show that disabling these TLS/SSL cipher suites currently causes handshake issues with 0.4% of the ecosystem. Bug: 11220570 Change-Id: I1970d2ecbdf3c0d26e45d439047b1d3884ade2ec
-
Alex Klyubin authored
* commit '5aa3d431': Actually prefer Forward Secrecy cipher suites.
-
- 18 Dec, 2013 6 commits
Alex Klyubin authored
The documentation for the list of TLS/SSL cipher suites used by default states that cipher suites offering Forward Secrecy are preferred. This CL adjusts the list to conform: FS cipher suites that use RC4_128 bulk encryption algorithm were not preferred over non-FS cipher suites that use AES. Bug: 11220570 Change-Id: Ic9019306898600086920874474764186b710c3ef
-
Alex Klyubin authored
* commit 'c1cc669c': Disable 3DES cipher suites in SSLSocket.
-
Alex Klyubin authored
The effective key length for 3DES_EDE bulk encryption algorithm is only 112 bits. We're now aiming for 128 and higher. Scans show that removing these cipher suites from the default list causes handshake issues only with 0.15% of the ecosystem. Bug: 11220570 Change-Id: Ie01ebe8134d08a36b276295b804540157963be8f
-
Alex Klyubin authored
* commit '30695d65': Disable static server key ECDH cipher suites in SSLSocket.
-
Alex Klyubin authored
* commit '5add959a': Enable AES-GCM cipher suites by default in SSLSocket.
-
Alex Klyubin authored
These cipher suites use a static key for ECDH on the server side. When client certificates are used, a static key is also used on the client side, leading to the same premaster secret for all connections between a particular client and server. Also, these cipher suites do not provide forward secrecy. Scans show that removing these cipher suites from the default list does not affect connectivity to servers and is thus safe. Bug: 11220570 Change-Id: If34f4a3888ed9972c39d171656a85c61dfa98ea1
-
- 17 Dec, 2013 5 commits
Alex Klyubin authored
AES-GCM is preferred to AES-CBC whose MAC-pad-then-encrypt approach has issues (e.g., Lucky 13 attack). Bug: 11220570 Change-Id: Ib007bc89ccf08358ed3f093f630350fa859e7c35
-
Alex Klyubin authored
* commit '336e8eb9': Enable support for TLSv1.2 cipher suites in SSLSocket.
-
Alex Klyubin authored
This adds support for AES-GCM and AES-CBC with MACs based on SHA256 and SHA384. Bug: 11220570 Change-Id: I56e7e25c5cd65a4c7662da6d4bbe5720f427e677
-
Alex Klyubin authored
* commit '1f63d2c2': Enable TLSv1.1 and TLSv1.2 by default for SSLSocket.
-
Alex Klyubin authored
TLSv1.1 and TLSv1.2 offer built-in protection against BEAST attack and support for GCM cipher suites. This change causes TLS/SSL handshake failures with a small fraction of servers, load balancers and TLS/SSL accelerators with broken TLS/SSL implementations. Scans demonstrate that the number is around 0.6%. Breaking connectivity (using platform default settings) to a tiny minority of the ecosystem is acceptable because this inconvenience is outweighed by the added safety for the overwhelming majority of the ecosystem. App developers affected by this issue should consider asking such servers to be fixed or explicitly disabling TLSv1.1 and TLSv1.2 in their apps. Bug: 11220570 Change-Id: Ice9e8ce550401ba5e3385fd369c40f01c06ac7fd
-
- 16 Dec, 2013 2 commits
Alex Klyubin authored
* commit 'e1da091a': Remove HarmonyJSSE SSLContext, SSLSocket and SSLServerSocket.
-
Alex Klyubin authored
HarmonyJSSE SSLEngine implementation is still in use and thus cannot be removed. Change-Id: I3c939e9275ba8f1d00342d1f83c6fdaf110f2317
-
- 09 Dec, 2013 1 commit
Kenny Root authored
* commit 'bf957a05': Make some methods public for CTS
-
- 07 Dec, 2013 1 commit
Kenny Root authored
* commit 'caceea78': Add const modifier to evp_md
-
- 06 Dec, 2013 1 commit
Kenny Root authored
-