- 03 Nov, 2016 1 commit
-
-
Kenny Root authored
The returned session_id could be exactly the same in the case of TLS session tickets, so use the SSL_session_reused API to determine exactly when a session was reused. (cherry picked from commit 1115fa0f) Bug: 28751153 Change-Id: Ie82e4d1bb326d7e7deb7981a1e57df393f6c0e1f (cherry picked from commit 0b905f8e)
-
- 29 Mar, 2016 1 commit
-
-
Kenny Root authored
Due to AAD data not being reset when a Cipher instance was re-used, this bug was never uncovered by tests that actually exercise this case. (cherry picked from commit 95cf7b9b) Bug: 27696681 Bug: 27324690 Change-Id: Iae9b5794f212a8fc4eeff2a651332e7490f5cada
-
- 26 Mar, 2016 2 commits
-
-
Kenny Root authored
Due to a missing assignment statement, only the first call to updateAAD was honored and the rest were discarded. (cherry picked from commit a23b05b3) Bug: 27371173 Change-Id: I77ad7800b0905f72d5abe76b56352a94056ceb9c
-
Kenny Root authored
AAD was not being reset correctly during init or doFinal calls thus leading to incorrect output. (cherry picked from commit 0bab7f3b) Bug: 27324690 Change-Id: If7806a9d7847814b60719637abceb94d8fbc8831
-
- 22 Jan, 2016 2 commits
-
-
Chad Brubaker authored
With the separate caching of intermediate certificates in TrustManagerImpl a given intermediate may be passed into .index multiple times. Avoid adding the certificate to the list each time. (cherry-picked from commit d080e064) Bug: 26232830 Change-Id: I6bed2c65d9e42e052b9b1b129200a997e7dca745
-
Chad Brubaker authored
Intermediate CAs are cached in order to support servers that fail to send a complete chain to a root. These certificates should be cached to support these servers but these certificates must not be trusted as trust anchors. Store them separately to prevent confusion between trusted roots and cached intermediates. (cherry-picked from commit 198aca1f) Bug: 26232830 Change-Id: I520f50729b55fc7412c7d133335bc9e3c190bbf6
-
- 20 Aug, 2015 1 commit
-
-
Adam Langley authored
BoringSSL disables server-initiated renegotiations by default. However, it's unclear what the impact of this will be. On the other hand, rejecting renegotiations certainly makes things simpler. (cherry picked from commit ed628f94) Bug: 23189319 Change-Id: I0cd3f04838c0afea665a88d4f0cd0a16c1e811de
-
- 22 Jun, 2015 5 commits
-
-
Kenny Root authored
Test both client and server. Also we expect a SSLHandshakeException instead of an SSLProtocolException in one case. Bug: 21207627 (cherry picked from commit 5429f72d) Change-Id: If895b03e2cece3a1a8d2f074a557c68f55a7021e
-
Sergio Giro authored
-
Kenny Root authored
BoringSSL will push the BAD_SIGNATURE error onto the stack for every signature error. In Java it just returns false from the Signature#verify call when the signature is incorrect. However, we still want to throw an exception for raw RSA when the number of signature bytes is larger than the modulus can express. Bug: 21209646 (cherry picked from commit 089b4018) Change-Id: I96ada8762817a99df11da2f7e7b7310bb31d5cba
-
Sergio Giro authored
-
Sergio Giro authored
SSL_OP_NO_SSLv2 is not a flag anymore (defined as 0 in ssh.h) Bug: 21875962 (cherry picked from commit 97e54bdd) Change-Id: I52004b893768b087577c078dcd1ba0ae1bdea911
-
- 17 Jun, 2015 1 commit
-
-
Sergio Giro authored
NativeCrypto.SSL_set_cipher_lists can accept the empty list as per c/154191 Bug: 21816861 (cherry picked from commit c0010ca5) Change-Id: I6cf7563417d8b6fb9edbeade0947726275a76c18
-
- 11 Jun, 2015 12 commits
-
-
Kenny Root authored
(cherry picked from commit d9a48aa4) Bug: 21034231 Change-Id: I1efd062a6608111e6ab468f4e362291895dd166d
-
Kenny Root authored
When an error condition is encountered in BoringSSL, sometimes it deliberately does not put something on the ERR stack to prevent abuse of that knowledge. Instead we need to throw an exception explicitly when no error is pushed onto the stack. (cherry picked from commit 79f05f46) Bug: 21034231 Change-Id: Ia06347c5653672c982ecff2c26be9b091d03009f
-
Kenny Root authored
-
Kenny Root authored
(cherry picked from commit edc4f273) Bug: 21762837 Change-Id: I11042be8fe1e046ac96759b4554ce9229e1cf6f3
-
Kenny Root authored
-
Sergio Giro authored
- Consider the |final| buffer when computing the expected length - Should not expect an extra block when using padding in decrypting mode Bug: 19186852 Change-Id: I8c51b309ca98030ab1eda5b2a0201a97a5758072 (cherry-pick from 8fa4acdc)
-
Kenny Root authored
-
Alex Klyubin authored
-
Adam Langley authored
Upstream BoringSSL has dropped |SSL_ST_BEFORE| (which appears to have been unused) and all the |*_LOCK_*| symbols. The latter are replaced with |*_up_ref|, with #if's so that it continues to work with OpenSSL. (cherry picked from commit ba3f063e) Change-Id: Ib609c83d428b7624e24e3b96c93afc2e482e6a6d
-
Kenny Root authored
When using an opaque key, try to honor the system's preferred provider which is selected via late binding. If it's not found, try to find the first provider that initializes correctly with the given key. (cherry picked from commit c590a930) Bug: 21737886 Change-Id: I17483136aa5c1c5e474109525aefac9facaf7379
-
Adam Langley authored
When BoringSSL/OpenSSL TLS/SSL stack operates on opaque private keys (those that don't expose their key material) it upcalls (via Conscrypt's NativeCrypto) into corresponding JCA Signature and Cipher primitives. This fixes a crash in the ECDSA upcall when Conscrypt is used with BoringSSL. (cherry-picked from commit 61c66eb9) Bug: 21738458 Change-Id: I6def1bce62f20b2ec39fe88251975458e8813362
-
Alex Klyubin authored
When BoringSSL/OpenSSL TLS/SSL stack operates on opaque private keys (those that don't expose their key material) it upcalls (via Conscrypt's NativeCrypto) into corresponding JCA Signature and Cipher primitives. This CL fixes two issues with RSA-related upcalls, which prevented the use of opaque RSA private keys for TLS/SSL with Conscrypt backed by BoringSSL: * RSA sign was upcalled into RSA Cipher decrypt using private key. In JCA, the correct upcall is RSA Signature sign. This is now invoked instead of RSA Cipher decrypt. * RSA decrypt was not implemented. It's now implemented. As part of implementing RSA decrypt upcall from BoringSSL, it transpired that BoringSSL requests no padding as opposed to OpenSSL which requests PKCS#1 padding. As a result, this CL modifies the decrypt upcall to take a padding parameter. The implementation of the upcall (see CryptoUpcalls.java) now supports PKCS#1 padding scheme, OAEP padding scheme, and no padding. This CL also drops the encrypt/decrypt flag from the RSA encrypt/decrypt upcall and simplifies it into an RSA decrypt upcall. RSA encrypt upcall is not needed at all. (cherry-picked from commit 279e9845) Bug: 21738458 Change-Id: I075aa74e4cd89dd3ceab99f728ce371c7bc89cf0
-
- 10 Jun, 2015 1 commit
-
-
Kenny Root authored
For the Java language, setting an empty cipher list is not an error but it's an error in OpenSSL. However, the underlying API actually updates the cipher list to an empty string as intended. So we need to handle this special case by clearing the error stack and making sure that our expectation is satisfied. (cherry picked from commit 5b6a5ecc) Bug: 21195269 Change-Id: Id21792215513f4e0d6e051160f69e5f830d39015
-
- 04 Jun, 2015 1 commit
-
- 02 Jun, 2015 4 commits
-
-
Kenny Root authored
* commit 'f6822ebc': OpenSSLX509Certificate: mark mContext as transient
-
Kenny Root authored
* commit 'fae34604': OpenSSLX509Certificate: mark mContext as transient
-
Kenny Root authored
* commit 'de55e62f': OpenSSLX509Certificate: mark mContext as transient
- 01 Jun, 2015 3 commits
-
-
Kenny Root authored
-
Kenny Root authored
We need to check the ERR stack on a return code of 0. Previously there was a comment indicating the weird behavior about DSA keys throwing after a check for a return value of -1, but this API is never supposed to return anything other than 1 for success or 0 for failure. (cherry picked from commit 49854878) Bug: 18869265 Change-Id: Ic871c63b6d65949053819950ed8053f47501bd60
-
Kenny Root authored
When an invalid key is passed in we may throw NoSuchAlgorithmException if it's a key we don't support, but we should convert this to the correct exception for this API. (cherry picked from commit ed396e93) Bug: 21209493 Change-Id: I55123035295203f2676538ac89ba4eb91141b273
-
- 29 May, 2015 1 commit
-
-
Kenny Root authored
A -1 error code should have an error on the stack that explains what the problem was, but if we call through to an ENGINE that fails we seem to end up with no error on the stack. Ensure we throw BadPaddingException in that case. (cherry picked from commit 6a1e7070) Bug: 19863798 Change-Id: Idecd9072c1e6636351bc90f16037852bdc55e4a0
-
- 28 May, 2015 4 commits
-
-
Kenny Root authored
Since mContext should not participate in the serialization process, hide it with the transient qualifier. This will prevent the field from initialization during the unserialization of this class. Then of course the instance will be in a valid state. (cherry picked from commit 8d57b9db) Bug: 21437603 Change-Id: Ie9453c16d11820a91caff92c3f7b326d12f8a8f4
-
Kenny Root authored
Since mContext should not participate in the serialization process, hide it with the transient qualifier. This will prevent the field from initialization during the unserialization of this class. Then of course the instance will be in a valid state. Bug: 21437603 Change-Id: Id5b8a83b6000c2219f3246f93aff7a9c6453f639
-
Kenny Root authored
This reverts commit 998fbfcd. Missing the test class. Change-Id: I426680f74c4f3ebeb42abd80ebfdba469247c348
-
Kenny Root authored
Since mContext should not participate in the serialization process, hide it with the transient qualifier. This will prevent the field from initialization during the unserialization of this class. Then of course the instance will be in a valid state. Bug: 21437603 Change-Id: Ie9453c16d11820a91caff92c3f7b326d12f8a8f4
-
- 22 May, 2015 1 commit
-
-
Adam Langley authored
Previously the code read the whole of the BIO and parsed any PKCS#7 blobs that were found. However, X509CertificateTest specifically tests that trailing data is retained when parsing PKCS#7 so this change makes it so. This depends on https://android-review.googlesource.com/#/c/151205/. (cherry picked from commit 0f84dc61) Bug: 21396526 Bug: 21209493 Change-Id: I4e07cebf599f52aedbea9b0a3f66d9a052c86aaa
-