GitLab

Test both client and server. Also we expect a SSLHandshakeException
instead of an SSLProtocolException in one case.

Bug: 21207627
(cherry picked from commit 5429f72d)

Change-Id: If895b03e2cece3a1a8d2f074a557c68f55a7021e

BoringSSL will push the BAD_SIGNATURE error onto the stack for every
signature error. In Java it just returns false from the Signature#verify
call when the signature is incorrect.  However, we still want to throw
an exception for raw RSA when the number of signature bytes is larger
than the modulus can express.

Bug: 21209646
(cherry picked from commit 089b4018)

Change-Id: I96ada8762817a99df11da2f7e7b7310bb31d5cba

SSL_OP_NO_SSLv2 is not a flag anymore (defined as 0 in ssh.h)

Bug: 21875962
(cherry picked from commit 97e54bdd)

Change-Id: I52004b893768b087577c078dcd1ba0ae1bdea911

NativeCrypto.SSL_set_cipher_lists can accept the empty list as
per c/154191

Bug: 21816861

(cherry picked from commit c0010ca5)

Change-Id: I6cf7563417d8b6fb9edbeade0947726275a76c18

(cherry picked from commit d9a48aa4)

Bug: 21034231
Change-Id: I1efd062a6608111e6ab468f4e362291895dd166d

When an error condition is encountered in BoringSSL, sometimes it
deliberately does not put something on the ERR stack to prevent abuse of
that knowledge. Instead we need to throw an exception explicitly when no
error is pushed onto the stack.

(cherry picked from commit 79f05f46)

Bug: 21034231
Change-Id: Ia06347c5653672c982ecff2c26be9b091d03009f

(cherry picked from commit edc4f273)

Bug: 21762837
Change-Id: I11042be8fe1e046ac96759b4554ce9229e1cf6f3

- Consider the |final| buffer when computing the expected length
- Should not expect an extra block when using padding in decrypting
mode

Bug: 19186852
Change-Id: I8c51b309ca98030ab1eda5b2a0201a97a5758072

(cherry-pick from 8fa4acdc)

Upstream BoringSSL has dropped |SSL_ST_BEFORE| (which appears to have been
unused) and all the |*_LOCK_*| symbols. The latter are replaced with
|*_up_ref|, with #if's so that it continues to work with OpenSSL.

(cherry picked from commit ba3f063e)

Change-Id: Ib609c83d428b7624e24e3b96c93afc2e482e6a6d

When using an opaque key, try to honor the system's preferred provider
which is selected via late binding. If it's not found, try to find the
first provider that initializes correctly with the given key.

(cherry picked from commit c590a930)

Bug: 21737886
Change-Id: I17483136aa5c1c5e474109525aefac9facaf7379

When BoringSSL/OpenSSL TLS/SSL stack operates on opaque private keys
(those that don't expose their key material) it upcalls (via
Conscrypt's NativeCrypto) into corresponding JCA Signature and Cipher
primitives.

This fixes a crash in the ECDSA upcall when Conscrypt is used with
BoringSSL.

(cherry-picked from commit 61c66eb9)

Bug: 21738458
Change-Id: I6def1bce62f20b2ec39fe88251975458e8813362

When BoringSSL/OpenSSL TLS/SSL stack operates on opaque private keys
(those that don't expose their key material) it upcalls (via
Conscrypt's NativeCrypto) into corresponding JCA Signature and Cipher
primitives.

This CL fixes two issues with RSA-related upcalls, which prevented
the use of opaque RSA private keys for TLS/SSL with Conscrypt backed
by BoringSSL:
* RSA sign was upcalled into RSA Cipher decrypt using private key.
  In JCA, the correct upcall is RSA Signature sign. This is now
  invoked instead of RSA Cipher decrypt.
* RSA decrypt was not implemented. It's now implemented.

As part of implementing RSA decrypt upcall from BoringSSL, it
transpired that BoringSSL requests no padding as opposed to OpenSSL
which requests PKCS#1 padding. As a result, this CL modifies the
decrypt upcall to take a padding parameter. The implementation of
the upcall (see CryptoUpcalls.java) now supports PKCS#1 padding
scheme, OAEP padding scheme, and no padding.

This CL also drops the encrypt/decrypt flag from the RSA
encrypt/decrypt upcall and simplies it into an RSA decrypt upcall. RSA
encrypt upcall is not needed at all.

(cherry-picked from commit 279e9845)

Bug: 21738458
Change-Id: I075aa74e4cd89dd3ceab99f728ce371c7bc89cf0

For the Java language, setting an empty cipher list is not an error but
it's an error in OpenSSL. However, the underlying API actually updates
the cipher list to an empty string as intended. So we need to handle
this special case by clearing the error stack and making sure that our
expectation is satisfied.

(cherry picked from commit 5b6a5ecc)

Bug: 21195269
Change-Id: Id21792215513f4e0d6e051160f69e5f830d39015

am 6d395955: am 3898f6c9: am f6822ebc: am fae34604: am de55e62f: OpenSSLX509Certificate: mark mContext as transient

* commit '6d395955':
  OpenSSLX509Certificate: mark mContext as transient

am 3898f6c9: am f6822ebc: am fae34604: am de55e62f: OpenSSLX509Certificate: mark mContext as transient

* commit '3898f6c9':
  OpenSSLX509Certificate: mark mContext as transient

* commit 'f6822ebc':
  OpenSSLX509Certificate: mark mContext as transient

* commit 'fae34604':
  OpenSSLX509Certificate: mark mContext as transient

* commit 'de55e62f':
  OpenSSLX509Certificate: mark mContext as transient

We need to check the ERR stack on a return code of 0. Previously there
was a comment indicating the weird behavior about DSA keys throwing
after a check for a return value of -1, but this API is never supposed
to return anything other than 1 for success or 0 for failure.

(cherry picked from commit 49854878)

Bug: 18869265
Change-Id: Ic871c63b6d65949053819950ed8053f47501bd60

When an invalid key is passed in we may throw NoSuchAlgorithmException
if it's a key we don't support, but we should convert this to the
correct exception for this API.

(cherry picked from commit ed396e93)

Bug: 21209493
Change-Id: I55123035295203f2676538ac89ba4eb91141b273

A -1 error code should have an error on the stack that explains what the
problem was, but if we call through to an ENGINE that fails we seem to
end up with no error on the stack. Ensure we throw BadPaddingException
in that case.

(cherry picked from commit 6a1e7070)

Bug: 19863798
Change-Id: Idecd9072c1e6636351bc90f16037852bdc55e4a0

Since mContext should not participate in the serialization process,
hide it with the transient qualifier. This will prevent the field from
initialization during the unserialization of this class. Then of course
the instance will be in a valid state.

(cherry picked from commit 8d57b9db)

Bug: 21437603
Change-Id: Ie9453c16d11820a91caff92c3f7b326d12f8a8f4

Since mContext should not participate in the serialization process,
hide it with the transient qualifier. This will prevent the field from
initialization during the unserialization of this class. Then of course
the instance will be in a valid state.

Bug: 21437603
Change-Id: Id5b8a83b6000c2219f3246f93aff7a9c6453f639

This reverts commit 998fbfcd. Missing the test class.

Change-Id: I426680f74c4f3ebeb42abd80ebfdba469247c348

Since mContext should not participate in the serialization process,
hide it with the transient qualifier. This will prevent the field from
initialization during the unserialization of this class. Then of course
the instance will be in a valid state.

Bug: 21437603
Change-Id: Ie9453c16d11820a91caff92c3f7b326d12f8a8f4

Previously the code read the whole of the BIO and parsed any PKCS#7
blobs that were found. However, X509CertificateTest specifically tests
that trailing data is retained when parsing PKCS#7 so this change makes
it so.

This depends on https://android-review.googlesource.com/#/c/151205/.

(cherry picked from commit 0f84dc61)

Bug: 21396526
Bug: 21209493
Change-Id: I4e07cebf599f52aedbea9b0a3f66d9a052c86aaa

The BIO created by OpenSSLBIOInputStream currently returns -1 and sets
the retry flag when read() returns zero on the underlying InputStream.
This is correct for “infinite” streams (like a socket), but isn't
correct for streams that have a definitive EOF.

This change adds a flag to OpenSSLBIOInputStream so that cases where the
input is finite (i.e. when parsing a PKCS#7 or X.509 block) can
correctly return 0 at EOF from |BIO_read|.

(cherry picked from commit 66537ee0)

Bug: 21396526
Bug: 21209493
Change-Id: Iaad5845621ab8b89b42d5d3ca8e67e297278ca55

During the switch to BoringSSL this function was rewritten and it
requested DH public key with RSA signature for a lot of things.

(cherry picked from commit d8606d56)

Bug: 20641394
Change-Id: Id3880b01ed1810c5d7af9996c48ce45fdf4850f8

Toucing NativeCrypto causes System.loadLibrary(...) to be called which
causes classloader initialization to fail during compile time. To allow
more to be initialized, move this to NativeConstants.

(cherry picked from commit f5b4518e)

Bug: 21036900
Change-Id: I07f0f5be9559a9fa9a652d1bcd82a9f88640653e

This includes AES/GCM/NoPadding support, changes for the latest
BoringSSL revision, and some fixes while compiling with debugging
flags fixes.

Bug: 21085702
Change-Id: I0de7b15a32f532e625d74729fc6ff20809af6c78

* commit '57ad13fd':
  Silence unused result warnings in conscrypt.

The Java provider mechanism doesn't really let us fallback to another
provider based on whether certain ECC groups are supported or not. Since
I expect that some people will be trying to do Bitcoin on Android, this
should keep them happy.

Change-Id: I1db48b104e12a6e7dae21df9c31c21bff0d62a9b

* commit '8d18c8a7':
  external/conscrypt: fix WITH_JNI_TRACE in light of BoringSSL update.