- 09 Oct, 2014 1 commit

Neil Fuller authored
Merge commit 8b188b864302f5ea9df17636b378938a15b4605a was incomplete because some conscrypt files have been moved into a separate repo. There have been various changes in conscrypt which render the changes to:
crypto/src/main/java/org/conscrypt/OpenSSLServerSocketImpl.java
crypto/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
crypto/src/test/java/org/conscrypt/CipherSuiteTest.java
unnecessary. This is effectively the same change as conscrypt commit 8d7e23e1.
Change-Id: I0f8199f3bf39a035ad5453be6fea92f511dcf548

- 08 May, 2014 1 commit

Kenny Root authored
We only need to catch BadPaddingException right now. Let the other non-RuntimeException exceptions pass.
(cherry picked from commit 7c3263f1)
Bug: 13746671
Change-Id: I5b6878250d428b1ee953092967b7418003ee9216

- 16 Jan, 2014 1 commit

Kenny Root authored
The constants for handshake cutthrough and CBC record splitting were changed during the upgrade to OpenSSL 1.0.1f. This changes NativeCrypto.java to track them.
Change-Id: I9e385c323d5557c5d50cffe3ce797dcf89667ad9

- 06 Jan, 2014 1 commit

Matteo Franchin authored
Fixing some mistakes in the JNI signatures: some pointers were passed via jint rather than jlong.
Change-Id: I6120cc5742c8429a9e0fddda715b5169d820d31a
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>

- 19 Dec, 2013 1 commit

Alex Klyubin authored
Although HMAC-MD5 is not yet broken, the foundations are shaky -- see http://tools.ietf.org/html/rfc6151. Scans show that disabling these TLS/SSL cipher suites currently causes handshake issues with 0.4% of the ecosystem.
Bug: 11220570
Change-Id: I1970d2ecbdf3c0d26e45d439047b1d3884ade2ec

- 18 Dec, 2013 3 commits

Alex Klyubin authored
The documentation for the list of TLS/SSL cipher suites used by default states that cipher suites offering Forward Secrecy are preferred. This CL adjusts the list to conform: FS cipher suites that use RC4_128 bulk encryption algorithm were not preferred over non-FS cipher suites that use AES.
Bug: 11220570
Change-Id: Ic9019306898600086920874474764186b710c3ef

Alex Klyubin authored
The effective key length for 3DES_EDE bulk encryption algorithm is only 112 bits. We're now aiming for 128 and higher. Scans show that removing these cipher suites from the default list causes handshake issues only with 0.15% of the ecosystem.
Bug: 11220570
Change-Id: Ie01ebe8134d08a36b276295b804540157963be8f

Alex Klyubin authored
These cipher suites use a static key for ECDH on the server side. When client certificates are used, a static key is also used on the client side, leading to the same premaster secret for all connections between a particular client and server. Also, these cipher suites do not provide forward secrecy. Scans show that removing these cipher suites from the default list does not affect connectivity to servers and is thus safe.
Bug: 11220570
Change-Id: If34f4a3888ed9972c39d171656a85c61dfa98ea1

- 17 Dec, 2013 3 commits

Alex Klyubin authored
AES-GCM is preferred to AES-CBC whose MAC-pad-then-encrypt approach has issues (e.g., Lucky 13 attack).
Bug: 11220570
Change-Id: Ib007bc89ccf08358ed3f093f630350fa859e7c35

Alex Klyubin authored
This adds support for AES-GCM and AES-CBC with MACs based on SHA256 and SHA384.
Bug: 11220570
Change-Id: I56e7e25c5cd65a4c7662da6d4bbe5720f427e677

Alex Klyubin authored
TLSv1.1 and TLSv1.2 offer built-in protection against BEAST attack and support for GCM cipher suites. This change causes TLS/SSL handshake failures with a small fraction of servers, load balancers and TLS/SSL accelerators with broken TLS/SSL implementations. Scans demonstrate that the number is around 0.6%. Breaking connectivity (using platform default settings) to a tiny minority of the ecosystem is acceptable because this inconvenience is outweighed by the added safety for the overwhelming majority of the ecosystem. App developers affected by this issue should consider asking such servers to be fixed or explicitly disabling TLSv1.1 and TLSv1.2 in their apps.
Bug: 11220570
Change-Id: Ice9e8ce550401ba5e3385fd369c40f01c06ac7fd

- 25 Nov, 2013 1 commit

Alex Klyubin authored
This is in preparation for removing Harmony-backed TLS/SSL implementations.
Change-Id: Ic108e16d086fb99b69f0a4e4faeb816dc50a7643

- 08 Nov, 2013 1 commit

Alex Klyubin authored
Although HMAC-MD5 is not yet broken, the foundations are now much more shaky than those of HMAC-SHA. See http://tools.ietf.org/html/rfc6151. This CL also adds a comment about the key rules governing the preference order of cipher suites used by default.
Bug: 11220570
Change-Id: I2a2fe4d427650081637efc14fd7c427a33cbea7e

- 07 Nov, 2013 2 commits

Alex Klyubin authored
This modifies the list of TLS/SSL cipher suites used by default to prefer those offering Forward Secrecy (FS) -- ECDHE and DHE.
Bug: 11220570
Change-Id: I20f635d11e937d64de4f4e2fea34e1c5ea7a67ac

Alex Klyubin authored
Now that BEAST and Lucky13 mitigations are enabled, it is prudent to prefer AES CBC cipher suites over RC4 ones (see http://www.isg.rhul.ac.uk/tls/).
Bug: 11220570
Change-Id: I52b9724700fd8eaeebbadcfa518a96823a1410b8

- 06 Nov, 2013 1 commit

Alex Klyubin authored
This enables 1/n-1 record splitting for SSLSocket instances backed by OpenSSL.
OpenSSL change: https://android-review.googlesource.com/#/c/69253/
Bug: 11514124
Change-Id: I3fef273edd417c51c5723d290656d2e03331d68a

- 25 Oct, 2013 1 commit

Alex Klyubin authored
This removes TLS/SSL cipher suites with bulk cipher secret keys shorter than 80 bits from the list of cipher suites used by default:
* export-strength cipher suites, and
* cipher suites using DES (but not 3DES) as their bulk cipher.
Bug: 11220570
Change-Id: I04e30f6d634801b36018fecc8f2b257fc6b7adfc

- 13 Sep, 2013 4 commits

Kenny Root authored
This reverts commit 07ff5de463a219d97b5ea7abfaa42bf3ae55fb57 and commit 42567acf03ad437efd20e70790ae0f708dda15bc.
Change-Id: I05712ea94f0b11cc5963af58fb5081e65c79c3f0

Kenny Root authored
Missed this during the git reset -p
Change-Id: I6c089d2fb5192d43934d55949b261b05cb8d67da

Kenny Root authored
Some other classes are using this. Restore this until they can be removed.
Change-Id: Ibf188b7c4915865e20cc4ca51c73f26314df7828

Kenny Root authored
Instead of marshalling and unmarshalling to ASN.1 DER, just use references to OpenSSL X509 objects everywhere applicable.
Change-Id: I1a28ae9232091ee199a9d4c7cd3c7bbd1efa1ca4

- 30 Aug, 2013 1 commit

Kenny Root authored
To make the situation with testing a little better and enable building core libraries totally independent of conscrypt, move the native registration to a JNI_OnLoad scheme. Also, since we want to separate the testing, make conscrypt build its own tests library.
Change-Id: I9f2831839059c1c012ec7bdeab2f90b4e2f44bfd

- 25 Jun, 2013 1 commit

Kenny Root authored
This adds the ability to use Application-Layer Protocol Negotiation (ALPN) as both a client and a server. ALPN is essentially like Next Protocol Negotiation (NPN) but negotiation is done in the clear. This allows the use of other protocols on the same port (e.g., SPDY instead of HTTP on port 80). Although previously clients using NPN were able to use cut-through, the new ALPN API does not provide for a way for a client to enable that during a callback. So the only difference is that NPN clients can enable SSL False Start while ALPN clients cannot currently.
Change-Id: I42ff70f3711e9cccaf754d189f76eeaa9db5f981

- 07 May, 2013 1 commit

Kenny Root authored
Remove lots of empty javadoc tags that were unused or invalid. Remove some unused imports. Mark a few input streams as intentionally unclosed.
Change-Id: I04d8642abd2b0f2e9be02e227658a1b9bd192d24

- 06 May, 2013 3 commits

Kenny Root authored
Remove dependency on libcore by inlining a copy of Memory#peekInt
Change-Id: Ided7a6bf111ca507df985c45f4c2cf43bca0e471

Kenny Root authored
Change-Id: I61339e0250ce949c633545d509a4991cc97e2c7a

Kenny Root authored
Change-Id: I954932e45877cca073b71f33b4ccd4eacae8f510

- 03 May, 2013 2 commits

Kenny Root authored
Key type conversion in native code is from the legacy period before the OpenSSLKey class existed. Use that to hold PKEY reference instead of converting it in native code.
Change-Id: I84e9a6e1f2e0f95d2f44c18fa9f65cd15e039d63

Kenny Root authored
Move the encoding method for X.509 out of NativeCrypto to the class that uses it.
Change-Id: I57198101553f309c04b5e757716d1d807eb99a90

- 02 May, 2013 1 commit

Kenny Root authored
Change-Id: I678f5c1b985d72ab1d41ae22dfcae35814c44e85

- 29 Apr, 2013 1 commit

Kenny Root authored
To help with shipping the JSSE with apps that want to bundle it, move it to a new package so that the tangles in other parts of the library can be untangled.
Change-Id: I810b6861388635301e28aee5b9b47b8e6b35b430

- 01 Apr, 2013 2 commits

Kenny Root authored
OpenSSL checks KeyUsage for "Certificate Signing" when checking for a CA, but Java just specifies that the getBasicConstraints call only looks at the BasicConstraints itself.
(cherry picked from commit cd59afd3e34cb6b3645babdace22c03882e0ec19)
Bug: 8488314
Change-Id: I72f8d6679169480960630bd73745ebf4c55b383c

Kenny Root authored
OpenSSL checks KeyUsage for "Certificate Signing" when checking for a CA, but Java just specifies that the getBasicConstraints call only looks at the BasicConstraints itself.
Bug: 8488314
Change-Id: I072cd2e9f1a9295a717f7587817149200113c65f

- 29 Mar, 2013 2 commits

Alex Klyubin authored
OpenSSL KeyFactory.translateKey encapsulates all the functionality for translating arbitrary Key instances to OpenSSL-backed Key instances. Thus, there's no need to replicate that functionality elsewhere.
(cherry picked from commit 0469e3a6a9b5e854b8b985039de8ba4f6e6037bd)
Change-Id: I4caa0021e51a83be6932617117275fd033b6d5f7

Alex Klyubin authored
OpenSSL KeyFactory.translateKey encapsulates all the functionality for translating arbitrary Key instances to OpenSSL-backed Key instances. Thus, there's no need to replicate that functionality elsewhere.
Change-Id: I4caa0021e51a83be6932617117275fd033b6d5f7

- 18 Mar, 2013 1 commit

Kenny Root authored
When we receive an invalid DNS alt name (e.g., contains characters outside of the ASCII printable range), we should throw an exception to match the previous behavior. This is not validated against the RI since the tests currently don't work, but it brings the behavior back to what it was previously. Also amend the previous ASN.1 string check to use ASN1_PRINTABLE_type(...) which actually scans the string to check its contents. This is what was meant in the last patch.
Bug: 8398461
Change-Id: I260f045a2e144fb9ded7e1d3aa46592da8f63272

- 12 Mar, 2013 1 commit

Alex Klyubin authored
This is to accept both the "transparent" and "opaque" ECC private keys. "Transparent" keys provide structured access to their key material -- these are instances of ECPrivateKey. "Opaque" private keys are not required to provide structured (or even any) access to their key material -- these are instances of PrivateKey.
Change-Id: I3fdc4c46675bde48c72424f1cc8f59c3d6b89f0e

- 11 Mar, 2013 1 commit

Alex Klyubin authored
Change-Id: I07d369de0199505d22f2809c815cc2852388a7b7

- 08 Mar, 2013 2 commits

Kenny Root authored
Set the default encoding to be PkiPath to conform to other implementations. This now passes all the tests.
Change-Id: I8475e328e8440aa3ecccd88c34e2aba6bc169be5

Kenny Root authored
Add support for generating CertPath with the OpenSSLX509CertificateFactory implementation. This only will encode with PKCS7 currently. This means it fails the CertPath serialization test because the serialization and de-serialization code only uses a provider's default serialization format. Since this provider is not the default provider and the default provider uses PkiPath as its default format, the OpenSSLX509CertPath still fails the tests. This seems like a problem with the way CertPath is serialized. The impact of this seems to be that a CertPath implementation must have "PkiPath" as its default encoding.
Change-Id: Ie0e3577746345108301b02e7a1d4e8ea189f2bda