20484654bc7c2407da40226d5188acfc37ee1c2b |
|
09-Aug-2011 |
Elliott Hughes <enh@google.com> |
Remove more cruft. Unused imports and bogus comments. (cherry-pick of 9af8c0318fac8bf03ee145da01b0c38a503791fc.) Change-Id: I2bddb32028b71964407e86c4dbef5516673c27eb
|
7c935d4e4ca990334200cf5eb4fbcfac718c6b45 |
|
04-Jun-2012 |
gcollins <gcollins@antennasoftware.com> |
CertificateRequest should handle case where certificate is requested but none is available. Android SSL client was not handling a CertificateRequest where there was no cert to send. It had a problem because it was assuming that if the CertificateMessage response is not null, it means there is a cert included, which is not true (if it has no cert to send an empty CertificateMessage is sent to the server). So I updated the CertificateVerify creation check to also check whether the CertificateMessage contained any certs (ClientHandshakeImpl.java). In testing I found that the same error was in the server code so I made the same change there (ServerHandshakeImpl.java). I added two test cases to SSLEngineTest - one to directly test the scenario (test_SSLEngine_clientAuthWantedNoClientCert) and one to just double-check that the server would not allow the connection if setNeedClientAuth (test_SSLEngine_clientAuthNeededNoClientCert). Bug: http://code.google.com/p/android/issues/detail?id=31903 Change-Id: Ideb57d6ccbcdd54ca24dc3063e60aba2653c8414
|
b9f9831a0800adbb6b67ab5bdc62292aa034992b |
|
28-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Use WRAP/UNWRAP for key exchange Bug: http://code.google.com/p/android/issues/detail?id=12955 Change-Id: I1a2be021e0a22ec6a00ba354fb3f19a78c601be9
|
3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
|
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1 Bug: 6168278 Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
|
90b140190f219fd63ede200a63da40bf9e6ca98d |
|
06-Jun-2011 |
Elliott Hughes <enh@google.com> |
Remove some unnecessary cruft. Change-Id: I8d83954d42f3511a24a44a33c3b28f04af6d3b82
|
fb0ec0e650bf8be35acb0d47da0311a7c446aa33 |
|
14-Jan-2011 |
Elliott Hughes <enh@google.com> |
Remove useless android-changed comments. I've changed useful ones to regular comments or TODOs, as appropriate. I've left ones in code like java.util.concurrent where we really are tracking an upstream source, making the change markers useful. I've left a handful of others where I intend to actually investigate the implied TODOs before deciding how to resolve them. Change-Id: Iaf71059b818596351cf8ee5a3cf3c85586051fa6
|
4ae3fd787741bfe1b808f447dcb0785250024119 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Elliptic Crypto support for OpenSSLSocketImpl Summary: - Enable Elliptic Crypto support for OpenSSL based SSLSocket instances - More RI compliant usage of key types, client auth types, and server auth types - Steps toward TLS_EMPTY_RENEGOTIATION_INFO_SCSV support, currently test updates Details: Elliptic Curve changes CipherSuite updates for EC - Adding KEY_EXCHANGE_EC* and corresponding CipherSuites Updated isAnonymous, getKeyType (now renamed getServerKeyType) to handle new EC cases. Added new getAuthType for use by checkServerTrusted callers. - Restructured code to handle two SUITES_BY_CODE_* arrays - Remove KEY_EXCHANGE_DH_* definitions which unused because the corresponding CipherSuites were previously disabled. - Changed AES CipherSuites definitions to use "_CBC" to match other definitions. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java openssl EC - NativeCrypto now registers TLS_EC_* cipher suites and has update default list - Improved auth type arguments to checkClientTrusted/checkServerTrusted - NativeCrypto support for emphemeral EC keys luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/native/NativeCrypto.cpp non-openssl SSL/TLS cleanups - cleanup around code trying to cope with DiffieHellman vs DH since either should work. - changed client to use new CipherSuite.getAuthType shared with NativeCrypto implementation - changed server to use CipherSuite.getKeyType luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Consolidate CertificateRequestType code into CipherSuite so that its shared between java and openssl implementations. This includes the KEY_TYPE_ string constants, TLS_CT_* byte constants and the 'String keyType(byte)' (now renamed getClientKeyType) code that depends on them. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Tests Differentiate between supported list of cipher suites openssl-based SSLSocket and SSLEngine based, since the SSLEngine code does not support EC. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java Added testing for expected default cipher suites. Before we just ensured the values were valid. luni/src/test/java/libcore/javax/net/ssl/SSLSocketFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Updated to handle new EC cipher suites codes. Added test for new getClientKeyType. luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java Better use of "standard names" particularly to correctly deal with the subtle differences between key types, client auth types, and server auth types. TestKeyManager and TestTrustManager now verify the values they are passed are acceptable. support/src/test/java/libcore/java/security/StandardNames.java support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java Changed to timeout after 30 seconds and to log to reveal both client and server issues. support/src/test/java/libcore/javax/net/ssl/TestSSLSocketPair.java Bug: 3058375 Change-Id: I14d1d0285d591c99cc211324f3595a5be682cab1
|
57f2cc03ff2cf5d2f6413c5410680b4908d7301d |
|
05-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Test updates for Elliptic Curve Updated with Elliptic Curve (EC) (and SunPKCS11-NSS) names for use by ProviderTest support/src/test/java/libcore/java/security/StandardNames.java Enhance test_KeyStore_cacerts_bks to verify PublicKey can be retreived. Before this the test would pass even though an ECPublicKey could not be accessed. With EC support in external/bouncycastle, this test now passes. luni/src/test/java/libcore/java/security/KeyStoreTest.java New SignatureTest to cover ECDSA, replaces the old one that required a subclass per tested algorithm. luni/src/test/java/libcore/java/security/SignatureTest.java support/src/test/java/tests/security/SignatureTest.java luni/src/test/java/tests/targets/security/SignatureTestMD5withRSA.java luni/src/test/java/tests/targets/security/SignatureTestNONEwithDSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA1withDSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA1withRSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA256withRSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA384withRSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA512withRSA.java luni/src/test/java/tests/targets/security/AllTests.java Improve ProviderTest logging while debugging SunPKCS11-NSS provider issues. Added some exceptions for RI missing classes. luni/src/test/java/libcore/java/security/ProviderTest.java Changed style slightly to match KeyPairGeneratorTest, where +N is used to indicated when multiples of a increments of a certain amount are required for valid key sizes. luni/src/test/java/libcore/javax/crypto/KeyGeneratorTest.java Fix test CloseGuard issues luni/src/test/java/libcore/java/security/KeyStoreTest.java Fix readability luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Bug: 3058375 Change-Id: I99cd93ad66372e8512d993168550cc1d471d3248
|
7365de1056414750d0a7d1fdd26025fd247f0d04 |
|
12-Aug-2010 |
Jesse Wilson <jessewilson@google.com> |
Sorting imports. Change-Id: I8347bc625480a1c37a1ed9976193ddfedeb00bbc
|
6882e31b7ce2d04ebbc91c7a55d7840e8fdce8a5 |
|
20-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Bring SSLSocketImpl and SSLEngine in line with OpenSSLSocketImpl's cipher suites Wrote an interoperability test between our OpenSSL and SSLEngine based SSLSocket implementations. Used it to flush out problems between the implementations, which mostly were in the non-native implementation. Filling out the SSLEngine (and therefore non-native SSLSocket) support led to the list of supported and default cipher suites now being the same as out OpenSSL SSLSocket. Most of the work was making the the NULL, RC4, and AES ciphers work with SSLEngine as well as some minor bug fixes in related code. Summary: - changing test_SSLSocket_getSupportedCipherSuites_connect to try all combinations of our two SSLContext/SSLSocket implementations - fixed SSLEngine with *_WITH_NULL_* CipherSuites to use javax.crypto.NullCipher - added *_AES_* cipher suites to SSLEngine (and therefore Java SSLSocketImpl) - remove *_DH_* cipher suites which are not supported by the RI or our OpenSSL implementation - fixed Java SSLSocket to not handshake on accept so will pass the basic SSLSocketTest - added new KeyManagerFactoryTest while testing "DH_" cipher suite key types This change depends on restoring bouncycastle's RC4 implementation (separate CL in external/bouncycastle) Details: Fixed SSLEngine with *_WITH_NULL_* CipherSuites by use javax.crypto.NullCipher expectations/knownfailures.txt luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java Previously I had changed the string name of CipherSuites from "TLS_..." to "SSL_..." where appropriate to match the RI. Since I was doing maintenance on overall list, I renamed the CODE_TLS_... and TLS_... static fields as well to match. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionImpl.java Removed IDEA and RC2 CipherSuites to make it clear they are not supported. While technically this happened as a side effect of the assignment "supported = false" if the CipherSuite failed to load, we truly intend not to support these. Also removed SSH_DH_* suites which don't work with DSA keys and aren't supported by the RI or our OpenSSL implementation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java Old connection state code assumed that if a cipher was blocked, the block size was 8 bytes. This is not true for the 16 byte AES ciphers. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionState.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java No wonder our OpenSSL implementation incorrect did a startHandshake when accepting the socket... it got it from the Java implementation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java Test for KeyManagerFactory (and KeyManager). TestKeyStore now creates KeyManagers and TrustManagers from the keystore as a convenience for KeyManagerFactoryTest (instead of having the code in the TestSSLContext where we didn't keep a pointer to the created values). luni/src/test/java/javax/net/ssl/KeyManagerFactoryTest.java support/src/test/java/java/security/StandardNames.java support/src/test/java/java/security/TestKeyStore.java support/src/test/java/javax/net/ssl/TestSSLContext.java Remove CIPHER_SUITES_SSLENGINE now that its the same as CIPHER_SUITES luni/src/test/java/javax/net/ssl/SSLEngineTest.java support/src/test/java/java/security/StandardNames.java test_SSLSocket_getSupportedCipherSuites_connect now does interoperability testing not just between the default SSLContext's SSLSockets but between the four combinations of our two SSLContext. It also now sends some test data bi-directionally between the client and server. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Changed TestSSLContext.create to allow a different Provider for the client and server SSLContexts. luni/src/test/java/javax/net/ssl/SSLEngineTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java support/src/test/java/javax/net/ssl/TestSSLContext.java RC4 is now available in bouncycastle for the non-OpenSSL SSLContext to use for parity with the OpenSSL implementation. support/src/test/java/java/security/StandardNames.java Changed TestSSLSocketPair to use Futures like NativeCryptoTest so its easier to choose between client and server errors while debuging. support/src/test/java/javax/net/ssl/TestSSLSocketPair.java Removed bogus import luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Change-Id: I080c0343a3f86f27b7c191a7b80b585b9ca52d93
|
b7eec62f6db198a76b67d7915b03e59189c6df4f |
|
02-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
TestKeyStore only use RSA by default & fixing SSLEngine client auth with DSA client and RSA server Summary: Goal here was to just make most tests faster by only having TestKeyStore create RSA keys by default. However, when I did that SSLEngineTest#test_SSLEngine_clientAuth started working, so I ended up investigating a much deeper issue with DSA client authentication against an RSA SSLEngine server. Details: Changed the TestKeyStore.get singleton to only contain RSA keys. TestKeyStore.create now requires the caller enumerate what keys they want if they need more than that or an alternative. support/src/test/java/javax/net/ssl/TestKeyStore.java Changed test_SSLSocket_getSupportedCipherSuites_connect to explicitly request RSA and DSA keys since it needs both to try connecting all possible cipher suites. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Fixing SSLEngine client authentication when server uses RSA but client uses DSA Fixed java.net.ssl.SSLEngineTest#test_SSLEngine_clientAuth expectations/knownfailures.txt Added CiperSuite.authType field which contains the algorithm name such as RSA, DSA, DH, that the client will use to authenticate the server. Like the cipherName, hmacName, and hashName, this is logically derivable from the the CiperSuite.KEY_EXCHANGE_*, but we remember it to avoid repeatedly doing large cascading "if" tests to determine which key algorithm should be used for each case. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java Fixed a number of client certificate authentication bugs in SSLEngine - Changed ClientHandshakeImpl's in the SSL/Tls Certificate message code to mirror ServerHandshakeImpl's implementation to properly use chooseEngineClientAlias in the SSLEngine case. - Changed to use the client certifcates key algorithm for computing the signature for the SSL/TLS CertificateVerify message. Previously we used the cipher suites negoitated key exchange method, but if the client may select a certificate with a different algorithm if the server provides a CA for another algorithm. - Also changed to use CipherSuite.isAnonymous in two places rather than the inlined equivalent. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java Fixed client authentication to use the client's certificate (not the server's) to do verify the CertificateVerify message signature. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Fixed bug in DigitalSignature which did not Signature.update in verifySignature, so it could never have properly authenticated DSA signatures. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java Added CertificateMessage getAuthType convenience luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateMessage.java Made CertificateRequest certificate_authorities final, found we were double allocating it luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java Cleaning up imports of HandshakeProtocol while working on its subclasses. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java Cleaned up while looking at X509KeyManager implementations while debugging. support/src/test/java/org/apache/harmony/xnet/tests/support/X509KeyManagerImpl.java Change-Id: I74b98754c11000cbfea416f1571c380c9c67abf3
|
7329fa972d9c20777444e5e1b13169d700de6567 |
|
29-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Fixes to support new dalvik.googlecode.com benchmarks The following new benchmarks where tested with the below changes: - DigestBenchmark - MessageDigestBenchmark - SSLSocketBenchmark - SignatureBenchmark Fix package name of OpenSSLProvider luni/src/main/java/java/security/security.properties Restore Java (vs OpenSSL) SSLSocket wrappers on SSLEngine for benchmarking luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketFactoryImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketFactoryImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketInputStream.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketOutputStream.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketWrapper.java Restore HandshakeProtocol.socketOwner code for SSLSocket to function luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Remove unneeded OpenSSLMessageDigestJDK.getInstance since these are registered via OpenSSLProvider and SHA224 which is not part of the RI. We had already removed the BouncyCastle version of this. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLMessageDigestJDK.java luni/src/test/java/tests/targets/security/AllTests.java luni/src/test/java/tests/targets/security/MessageDigestTestSHA224.java luni/src/test/java/tests/targets/security/SignatureTestSHA224withRSA.java Change-Id: I7daae7f0d9f50acad6df9157eac1b0133af83062
|
aacf6f9741dea0f12fbff5e7696e53f251177280 |
|
20-May-2010 |
Brian Carlstrom <bdc@google.com> |
Enable Diffie-Hellman cipher suites Enable Diffie-Hellman cipher suites in NativeCrypto (and in StandardNames to match for testing). This means we now have the same default cipher suite list as RI 5. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java support/src/test/java/javax/net/ssl/StandardNames.java Enabling DH made it obvious that the RI check for enable cipher suites on SSLServerSocket.accept was not as stringent as first thought. Apparently they don't care if all enabled cipher suites have certificates/keys, just that at least one of them will work, even if its anonymous. Factored out the logic to check this into checkEnabledCipherSuites for clarity along with the supporting checkForPrivateKey. Also only check if the socket is in server mode, since its fine to have nothing configured for server acting as a client for handshake purposes. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java The real work to enable Diffie-Hellman was to use SSL_CTX_set_tmp_dh_callback to set a callback to get DH parameters. There are two ways to create the parameters. The first is to use DH_generate_parameters_ex which is very slow (minutes) as is recommended as install time option. The second is to use DSA_generate_parameters_ex followed by DSA_dup_DH, which is faster for a single call, but must be done every time, so slower overall. We currently take the second approach to just have DH working. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Changed ephemeral RSA keys to be stored per SSL in AppData, not in a static global. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Fix LS_ to TLS_ typo in commented out constant. Removed easy to miss wrapping in array definition. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java Renamed CipherSuites defaultPretendant to defaultCipherSuites which led to renaming the CipherSuites constants to follow the coding style. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerKeyExchange.java Change-Id: Ia38de48cabb699b24fe6e341ba79f34e3da8b543
|
f33eae7e84eb6d3b0f4e86b59605bb3de73009f3 |
|
13-May-2010 |
Elliott Hughes <enh@google.com> |
Remove all trailing whitespace from the dalvik team-maintained parts of libcore. Gentlemen, you may now set your editors to "strip trailing whitespace"... Change-Id: I85b2f6c80e5fbef1af6cab11789790b078c11b1b
|
6b811c5daec1b28e6f63b57f98a032236f2c3cf7 |
|
03-May-2010 |
Peter Hallam <peterhal@google.com> |
Merge awt-kernel, icu, luni-kernel, prefs, security-kernel, x-net into luni Merge xml except xmlpull and kxml into luni
|