| 7695a9b3261bfee3a810e0829bd8082fe1fcb6a4 |
|
30-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Disable SSL compression
Bug: 7079965
Change-Id: I8e060a827613e212bbcced66507fbf124bb04543
|
| 3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
|
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1
Bug: 6168278
Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
|
| 32c2297a959b72abdb18743f0519e1d8b7c7ea88 |
|
17-Mar-2011 |
Elliott Hughes <enh@google.com> |
Remove bogus "super()" calls.
I've left one in java.util.concurrent, since we have an upstream there.
Change-Id: I60945e48a41433fc7eaef6086433ec4bf434097f
|
| ffeba5dd766602f6e2be9caa9081744348a53c04 |
|
01-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
Add support for TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV" is RFC 5746's renegotiation
indication signaling cipher suite value. It is not a real cipher
suite. It is just an indication in the default and supported cipher
suite lists indicates that the implementation supports secure
renegotiation.
In the RI, its presence means that the SCSV is sent in the cipher
suite list to indicate secure renegotiation support and its absence
means to send an empty TLS renegotiation info extension instead.
However, OpenSSL doesn't provide an API to give this level of control,
instead always sending the SCSV and always including the empty
renegotiation info if TLS is used (as opposed to SSL). So we simply
allow TLS_EMPTY_RENEGOTIATION_INFO_SCSV to be passed for compatibility
as to provide the hint that we support secure renegotiation.
Change-Id: I0850bea47568edcfb1f7df99d4e8a747f938406d
|
| 4ae3fd787741bfe1b808f447dcb0785250024119 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Elliptic Crypto support for OpenSSLSocketImpl
Summary:
- Enable Elliptic Crypto support for OpenSSL based SSLSocket instances
- More RI compliant usage of key types, client auth types, and server auth types
- Steps toward TLS_EMPTY_RENEGOTIATION_INFO_SCSV support, currently test updates
Details:
Elliptic Curve changes
CipherSuite updates for EC
- Adding KEY_EXCHANGE_EC* and corresponding CipherSuites Updated
isAnonymous, getKeyType (now renamed getServerKeyType) to handle
new EC cases. Added new getAuthType for use by
checkServerTrusted callers.
- Restructured code to handle two SUITES_BY_CODE_* arrays
- Remove KEY_EXCHANGE_DH_* definitions which unused because the
corresponding CipherSuites were previously disabled.
- Changed AES CipherSuites definitions to use "_CBC" to match other definitions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
openssl EC
- NativeCrypto now registers TLS_EC_* cipher suites and has update default list
- Improved auth type arguments to checkClientTrusted/checkServerTrusted
- NativeCrypto support for emphemeral EC keys
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/NativeCrypto.cpp
non-openssl SSL/TLS cleanups
- cleanup around code trying to cope with DiffieHellman vs DH since either should work.
- changed client to use new CipherSuite.getAuthType shared with NativeCrypto implementation
- changed server to use CipherSuite.getKeyType
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Consolidate CertificateRequestType code into CipherSuite so that its
shared between java and openssl implementations. This includes the
KEY_TYPE_ string constants, TLS_CT_* byte constants and the 'String
keyType(byte)' (now renamed getClientKeyType) code that depends on them.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Tests
Differentiate between supported list of cipher suites openssl-based
SSLSocket and SSLEngine based, since the SSLEngine code does not support EC.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
Added testing for expected default cipher suites. Before we just ensured the values were valid.
luni/src/test/java/libcore/javax/net/ssl/SSLSocketFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Updated to handle new EC cipher suites codes. Added test for new getClientKeyType.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
Better use of "standard names" particularly to correctly deal with
the subtle differences between key types, client auth types, and
server auth types. TestKeyManager and TestTrustManager now verify
the values they are passed are acceptable.
support/src/test/java/libcore/java/security/StandardNames.java
support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
Changed to timeout after 30 seconds and to log to reveal both client and server issues.
support/src/test/java/libcore/javax/net/ssl/TestSSLSocketPair.java
Bug: 3058375
Change-Id: I14d1d0285d591c99cc211324f3595a5be682cab1
|
| 6c78b7b94c232063ec559436b48b33751373ecf1 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Toward EC TLS support
Summary:
- javax.net.ssl tests are now working on the RI
- KeyManager can now handle EC_EC and EC_RSA
- OpenSSLSocketImpl.startHandshake now works if KeyManager contains EC certificates
Details:
Add CipherSuite.getKeyType to provide X509KeyManager key type strings,
refactored from OpenSSLServerSocketImpl.checkEnabledCipherSuites.
getKeyType is now also used in OpenSSLSocketImpl.startHandshake to
avoid calling setCertificate for unnecessary key types.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
New CipherSuiteTest to cover new getKeyType as well as existing functionality
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
Add support to KeyManager implementation for key types of the form
EC_EC and EC_RSA. The first part implies the KeyPair algorithm (EC in
these new key types) with a potentially different signature algorithm
(EC vs RSA in these)
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java
Update NativeCrypto.keyType to support EC_EC and EC_RSA in addition to
EC which was added earlier. Change from array of KEY_TYPES to named
KEY_TYPE_* constants.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Overhauled KeyManagerFactoryTest to cover EC, EC_EC, EC_RSA cases
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Changed TestKeyStore.createKeyStore from always using BKS to now use
JKS on the RI between BC EC Keys and RI X509 certificates. Because JKS
requires a password, we now default "password" on the RI.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/javax/net/ssl/SSLContextTest.java
support/src/test/java/libcore/java/security/StandardNames.java
TestKeyStore.create now accepts key types like EC_RSA. Changed
TestKeyStore.createKeys to allow a PrivateKeyEntry to be specified for
signing to enable creation of EC_RSA test certificate. Added
getRootCertificate/rootCertificate to allow lookup of PrivateKeyEntry
for signing. Changed TestKeyStore.getPrivateKey to take explicit
signature algorithm to retrieve EC_EC vs EC_RSA entries.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Added support for EC cipher suites on the RI. Also test with and
without new TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite which is
used to specify the new TLS secure renegotiation.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
support/src/test/java/libcore/java/security/StandardNames.java
New TestKeyManager and additional logging in TestTrustManager. Logging
in both is disabled by default using DevNullPrintStream.
support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
support/src/test/java/libcore/java/io/DevNullPrintStream.java
Bug: 3058375
Change-Id: Ia5e2a00a025858e10d1076b900886994b481e05a
|
| 6812a2e8bb43d9a875633a9ba255d9882c63e327 |
|
14-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters
Bug: 2672817
Change-Id: Iadf21b848eaf8850fce22721b9ba3739ab2e9fca
|
| 4559b1d37edcb5d7f1da086cf2e3290388d74f46 |
|
23-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Support for TLS Extensions enabled SSLSockets with fallback to vanila SSL
See also b/1569612
Summary:
- OpenSSlSocket support for SNI, session tickets, compression
- URLConnection mimics Chrome behavior of trying connection with these enabled,
falling back to SSL w/o encryption on failure
Details:
libcore
URLConnection https retry
Change HttpConnection.getSecureSocket to enable non-standard features on first
connection attempt. On second attempt, we back off to SSLv3 from
TLSv1, mimicking Chrome's behavior.
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java
Change HttpsEngine.connect to implement SSL reconnect
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java
OpenSSL SSLSocket implementation
OpenSSLSocketImpl and OpenSSLServerSocketImpl now have an array of
enabled compression methods interface and implementation to
parallel that of procotols and ciphersuites.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
OpenSSLSessionImpl now has a cache of the native
compressionMethod. Also replaced "gives" javadoc working with
"returns".
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
OpenSSLSocketImpl session caching now needs to skip cached
sessions with mismatched compression requirements.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
OpenSSLSocketImpl.startHandshake now uses NativeCrypto to support
our non-standard extensions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
NativeCrypto changes
- Added declaration of SSL options for tickets and compression.
- Added general "compression methods" interface
paralleling "cipher suites" and "protocols" interfaces.
- Added SSL_set_tlsext_host_name to set SNI (Server Name Indication) value
- Added SSL_get_servername to read SNI (Server Name Indication) value
- Added SSL_SESSION_compress_meth read negotiated compression method
- SSL_new makes sure to default compression to off for compatibility
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
Testing
Added URLConnectionTest.testConnectViaHttpsWithSSLFallback to make
sure we properly retry an https connection if the server
terminates unexpectedly. Fixed up
URLConnectionTest.testHttpsWithCustomTrustManager with new
expected certificate chain. Fixed a few mistaken
TestSSLContext.serverContext uses to clientContext
luni/src/test/java/java/net/URLConnectionTest.java
Added test_SSL_set_tlsext_host_name, test_SSL_get_servername,
test_SSL_SESSION_compress_meth. Added a number of missing fail()
calls in expected exception cases which caught one test with
mistaken expectations. Removed some unnecessary scopes. Fixed some
badly scoped catch blocks.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Changed MockWebServer to support a new MockResponse propery of
disconnectAtStart, which immediately terminates the connection
support/src/test/java/tests/http/MockResponse.java
support/src/test/java/tests/http/MockWebServer.java
external/openssl
Restore -ZLIB to OpenSSL build. Note that NativeCrypto.SSL_new
disables compression by for default SSLSocket for compatibility.
android-config.mk
Force clean build with new CFLAGS
CleanSpec.mk
Change-Id: Iba6268f9096f2be43f0d30de151dd3fd0aea4a81
|
| aacf6f9741dea0f12fbff5e7696e53f251177280 |
|
20-May-2010 |
Brian Carlstrom <bdc@google.com> |
Enable Diffie-Hellman cipher suites
Enable Diffie-Hellman cipher suites in NativeCrypto (and in
StandardNames to match for testing). This means we now have the same
default cipher suite list as RI 5.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
support/src/test/java/javax/net/ssl/StandardNames.java
Enabling DH made it obvious that the RI check for enable cipher suites
on SSLServerSocket.accept was not as stringent as first
thought. Apparently they don't care if all enabled cipher suites have
certificates/keys, just that at least one of them will work, even if
its anonymous. Factored out the logic to check this into
checkEnabledCipherSuites for clarity along with the supporting
checkForPrivateKey. Also only check if the socket is in server mode,
since its fine to have nothing configured for server acting as a
client for handshake purposes.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
The real work to enable Diffie-Hellman was to use
SSL_CTX_set_tmp_dh_callback to set a callback to get DH
parameters. There are two ways to create the parameters. The first is
to use DH_generate_parameters_ex which is very slow (minutes) as is
recommended as install time option. The second is to use
DSA_generate_parameters_ex followed by DSA_dup_DH, which is faster for
a single call, but must be done every time, so slower overall. We
currently take the second approach to just have DH working.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Changed ephemeral RSA keys to be stored per SSL in AppData, not in a static global.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Fix LS_ to TLS_ typo in commented out constant. Removed easy to miss wrapping in array definition.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Renamed CipherSuites defaultPretendant to defaultCipherSuites which
led to renaming the CipherSuites constants to follow the coding style.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerKeyExchange.java
Change-Id: Ia38de48cabb699b24fe6e341ba79f34e3da8b543
|
| 8f78381c9c7a64f7c703913d702f2a8895207877 |
|
19-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLServerSocket accept should make sure enabled cipher suites have supporting private keys
Make CipherSuite static fields final (noticed because I tried to use some in a switch statement).
Also renamed "cuites*" to "suites*" and fixed UNKNOUN to UNKNOWN
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
SSLServerSocket now matches the RI behavior of throwing an
SSLException for missing keys for non-anonymous cipher suites.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
Fixed one KnownFailure
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I1ccbf93cfc5aa5951b1f33881446d93c380b6e68
|
| 6b811c5daec1b28e6f63b57f98a032236f2c3cf7 |
|
03-May-2010 |
Peter Hallam <peterhal@google.com> |
Merge awt-kernel, icu, luni-kernel, prefs, security-kernel, x-net into luni
Merge xml except xmlpull and kxml into luni
|