| 72e44404c32a98e7675a6e7cfbf856adb499a434 |
|
09-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Change OpenSSLCipherRSA.{engineGetBlockSize,engineGetOutputSize} to return result based on key size
Includes cherry-pick of 847f22adbd0e829b84491d7202dcbed5bf67a98c
Bug: 7192453
Change-Id: Ib5fa1e313d942d2c1034e8e7831af285ad24d71d
|
| f3862a786823c304a0f36f11266c66a55a68a5cf |
|
06-Oct-2012 |
Kenny Root <kroot@google.com> |
NativeCrypto: clear errors for key verification
It appears that OpenSSL has a bug where any DSA key verification
operation that fails will push an error on the OpenSSL error stack. This
change will clear the error state whenever a key verification is
performed.
(cherry picked from commit 912d5102b2986e3cdedb311784a43c7fe68db790)
Bug: 7302619
Change-Id: I16d1afad20f2d3934a01963ab62eea45b6caa6a1
|
| 51de62cf77a070e2a45ae397c391832b9a781d91 |
|
30-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Fix flaky NativeCryptoTest.test_SSL_do_handshake_client_timeout
Fix similar issue in test_SSL_do_handshake_server_timeout
Bug: 6229479
Change-Id: If2cf7d7dfe468843285a531f4b8b42941996a3ed
|
| db611c5813f623ee0403aedd156bb15780ed6e69 |
|
30-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
NativeCryptoTest#test_SSL_do_handshake_clientCertificateRequested_throws_after_renegotiate failure
Bug: 6964910
Change-Id: I13bed4e5ed104241025fbb1d5e28427ec16d7a80
|
| 615225a35dbd838210270b282d1196deff643b51 |
|
22-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Add OpenSSLSocketImpl.setSoWriteTimeout to allow SO_SNDTIMEO to be specified
Bug: 6693087
Change-Id: Ie6903168ca0ada4516c55dfab5f7194baf965b4c
|
| 0a156e0126e8015f2791e9a7dd48bbdaeae0c335 |
|
12-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
Summary:
- Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
Added NativeCrypto.RSA_private_decrypt and NativeCrypto.RSA_public_encrypt
- Changed OpenSSLSignatureRawRSA to use new Cipher.RSA/None/PKCS1Padding
Removed now obsoleted NativeCrypto APIs for
RSA_padding_add_PKCS1_type_1 and RSA_padding_check_PKCS1_type_1
- added wrap/unwrap support OpenSSLCipherRSA
Needed for SSLEngine (and fallback SSLSocket implementation)
which are now picking up the new Cipher.RSA/None/PKCS1Padding
- expanded CipherTest to sanity test all algorithms and PKCS1 padding
Change-Id: I03566cc86ffce07d44d5e0094fa82c9c24587c26
|
| c44b3f5d857d0d3f4d3668de905cdac5080ede3b |
|
01-Sep-2012 |
Kenny Root <kroot@google.com> |
Better OpenSSL key comparison
Use native code to compare OpenSSL keys instead of converting them to
Java BigIntegers first.
Change-Id: If795c9c26e41174755cdab34ff70e01c7487c9bd
|
| 8b43d6de8df989711dd0779d689e1a1c1f9df68e |
|
31-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Fix NativeCrypto.d2i_SSL_SESSION to initialize SSL_SESSION's cipher field
Bug: 7091840
Change-Id: I9dee0e39bae6aba28c7ea768242e64c9443d9e49
|
| 7695a9b3261bfee3a810e0829bd8082fe1fcb6a4 |
|
30-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Disable SSL compression
Bug: 7079965
Change-Id: I8e060a827613e212bbcced66507fbf124bb04543
|
| 882ff343913f54cd02478fed2e9c41dfccd78a45 |
|
11-Jun-2012 |
Edwin Vane <edwin.vane@intel.com> |
Avoid variable-length non-POD element array
Clang doesn't like variable-length arrays of non-POD types. Added new
X509Vector to hold the OpenSSL X509* references and preserve the RAII
style.
Change-Id: I85d61d6c26ff06fb7da8091376394b8438fb1fea
Reviewed-by: Kevin P Schoedel <kevin.p.schoedel@intel.com>
Author: Edwin Vane <edwin.vane@intel.com>
|
| 4efbf2b6dfcbdacbc580ebbf35d39883bd7ec562 |
|
17-Aug-2012 |
Kenny Root <kroot@google.com> |
Clear errors after failed ENGINE_add
Change-Id: I2f9c39717db9419c7924031fc30b7cc069c19d2e
|
| 106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61 |
|
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Call ENGINE_add to prevent ENGINEs from unloading
The only user of the OpenSSLEngine interface is a dynamic engine (loaded
from eng_dyn.c), so it will unload the .so when references to it
decrease to zero.
Calling ENGINE_add will add the loaded engine to the list of loaded
engines. The next time ENGINE_by_id is called, it will just use the one
from the list instead of loading the .so again.
You can still control whether the engine is ref-counted or copied with
ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) in the engine
initialization method.
Change-Id: Ic005e9ea22a3c6027e3a5aab2adf41fb7995c1f0
|
| 694677f69b14ed61ca62473a04d52ac1659b8dd2 |
|
08-Aug-2012 |
Kenny Root <kroot@google.com> |
Exit early from client_cert_cb when appropriate
Under error conditions, return -1 from client_cert_cb to cause the SSL
connection to exit early. If there is a pending Java exception that needs
to percolate up to the JVM, this should be brought up as soon as
possible.
(cherry-picked from 914e7c1a4c7fd45d7398f43cf28e5689d1422936)
Change-Id: Ie7b7865a8025e90b54ee16525e5856a6ca598d6d
|
| 914e7c1a4c7fd45d7398f43cf28e5689d1422936 |
|
08-Aug-2012 |
Kenny Root <kroot@google.com> |
Exit early from client_cert_cb when appropriate
Under error conditions, return -1 from client_cert_cb to cause the SSL
connection to exit early. If there is a pending Java exception that needs
to percolate up to the JVM, this should be brought up as soon as
possible.
Change-Id: Ifb3f908b027f80507ba549757f0cd6e1891d8bdd
|
| 7501e29e0182accf28cc317870a3bbe1e25f4bfa |
|
31-Jul-2012 |
Kenny Root <kroot@google.com> |
Add raw RSA signature support
With the new Keystore changes, this is the only way you can get raw RSA
signatures which a lot of native code expects to be able to do.
(cherry-picked from c531f5f402b4cedcc35a0b7f0b540dc84c545106)
Bug: 6787078
Change-Id: I1c5ddd5287be1ab71347eedc864a41c24e156cb4
|
| c531f5f402b4cedcc35a0b7f0b540dc84c545106 |
|
31-Jul-2012 |
Kenny Root <kroot@google.com> |
Add raw RSA signature support
With the new Keystore changes, this is the only way you can get raw RSA
signatures which a lot of native code expects to be able to do.
Bug: 6787078
Change-Id: I1c5ddd5287be1ab71347eedc864a41c24e156cb4
|
| a40fcc07b281313cb0ad125d8a1a2d6adec8e867 |
|
19-Jul-2012 |
Narayan Kamath <narayan@google.com> |
Add NPN related logging to native crypto
Also fixes a compilation error when logging macros
are expanded.
(cherry-picked from 8a545afcbad15fdd805b9b7790d3d1aa6323fd9e)
Change-Id: I1e422917cdb6fec56398344ee096eb50ab519668
|
| 46aabcb28b0e3b807f6db8c33173962d6f2cb71f |
|
12-Jun-2012 |
Kenny Root <kroot@google.com> |
Add OpenSSL provider for SHA1PRNG
(cherry-pick of 4718b07e482ccb083ce3dfff228d0615b96a8dd2 and 84fb77d814b0ad04d70addb04847797925acf805.)
Change-Id: Ib45c646a8596bf5ea0629408d6057d3828a1ac94
|
| f4439e56aa3c88da66d2c6c969f9cb6b73cfa0ec |
|
01-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Increment OpenSSLKey EVP_PKEY reference when it is selected for use with SSL_use_PrivateKey
Bug: 6866852
Bug: http://code.google.com/p/android/issues/detail?id=35326
(cherry-picked from 1f9fe21b93f1d1ee44a325629a05ee4f476e5f6a)
Change-Id: I4e995de38414a7841bca0e0bba7d15b01c3bffd9
|
| 1f9fe21b93f1d1ee44a325629a05ee4f476e5f6a |
|
01-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Increment OpenSSLKey EVP_PKEY reference when it is selected for use with SSL_use_PrivateKey
Bug: 6866852
Bug: http://code.google.com/p/android/issues/detail?id=35326
Change-Id: If14b9866dc15fe284130393534ae3ed66977d72f
|
| df9f5967a3b8dc2f61183d155791393b67980511 |
|
24-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Fix OpenSSLSocketImpl.close race
Move the NativeCrypto.SSL_interrupt call within the close
synchronization. Otherwise there can be problems if
NativeCrypto_SSL_interrupt tries to use the SSL* and another thread
has called NativeCrypto_SSL_free.
Bug: 6707288
Change-Id: Id8b0311b10124f2a08f8e0f24595a6ee46805c33
|
| 8a545afcbad15fdd805b9b7790d3d1aa6323fd9e |
|
19-Jul-2012 |
Narayan Kamath <narayan@google.com> |
Add NPN related logging to native crypto
Also fixes a compilation error when logging macros
are expanded.
Change-Id: I1e422917cdb6fec56398344ee096eb50ab519668
|
| 4718b07e482ccb083ce3dfff228d0615b96a8dd2 |
|
12-Jun-2012 |
Kenny Root <kroot@google.com> |
Add OpenSSL provider for SHA1PRNG
Change-Id: I45a3c1c0089aa439629e4645f15b16bd35aa6f55
|
| 679ac55c3c037887edfc6ce6f42a23cd7c11cd12 |
|
12-May-2012 |
Jesse Wilson <jessewilson@google.com> |
Only use SSL CUTTHROUGH (False Start) if the server supports NPN.
We enable cutthrough on the client if the server supports NPN.
We never enable cutthrough on the server because most relevant
protocols (ie. HTTP) are client-speaks-first and those don't
benefit from cutthrough on the server.
I verified this by enabling NPN on both client and server and
checking that the client's Application Data was sent before the
server's Change Cipher Spec. To increase the likelihood of this
otherwise racy situation I put the server in SSL debug mode
after it receiving next_protos_advertised_callback. OpenSSL's
debug mode adds a 1-second sleep before each read and write.
Bug: http://b/6331035
Change-Id: I879b5fb26dc237392a36fe0585c8a6519c0e5220
|
| 7cd6760f7045d771faae8080a8c6150bf678f679 |
|
04-May-2012 |
Elliott Hughes <enh@google.com> |
Make libjavacore independent of libnativehelper for the PDK.
Bug: 6369821
Change-Id: Ie038571a5dac1f301c0c3c6fb84df432e67b62c0
|
| 88f3ec9ebfd60998eb321f8c182009dace9bf983 |
|
01-May-2012 |
Brian Carlstrom <bdc@google.com> |
NativeCrypto should honor timeout less than one second
Bug: http://code.google.com/p/android/issues/detail?id=29680
Change-Id: I4507a1e9fe37b1c095f7bb4d3e3a55d6d738f7ad
|
| ebe87d125b8cc83238914f84f5f7aa799c0d83bd |
|
15-Apr-2012 |
Brian Carlstrom <bdc@google.com> |
Use SSL_CTX_set_session_id_context in ServerSessionContext
Without this, OpenSSL with fail when SSLSessions are reused on an
SSLServerSocket when client certificates are requested.
Bug: 6329719
Change-Id: I9b14b32cccee1e5aba1215cebf81eb05a788d63b
|
| beac31ef5949d994a7096f20f12fcf929b06884d |
|
26-Mar-2012 |
Kenny Root <kroot@google.com> |
More support for ENGINE-based keys
Tweak some of the parameters for RSA and DSA keys to allow ENGINE-based
keys to exist without needing to define private key material.
Change-Id: Ide2884d6d97636ae2178f8e789eaeec1babd9650
|
| 600dc4949de6bf5608e5f5a5214cde59299b683a |
|
26-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Don't use the SSL_CTX prefix for a method that takes an SSL.
The implementation is asymmetric: enabling NPN is per-context, but
actually looking up the negotiated protocol is per-SSL. This caused
me to screw up in following the SSL_CTX naming scheme; I applied it
in too many places.
Change-Id: I5bd1be334d513f220086c901527d0b8416f2ba3f
|
| 0348f58cf3bd2c3cbac65f785df1197fc626f6fa |
|
26-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Fix phone boot
(cherry picked from commit a8ef467e8e6be1681d63fe692ecce3b301801faa)
Change-Id: I650d1fc98277b64f127204cae408acb69db354e9
|
| 25977e422febea04dac9fb9c35d7271d55d3b6b8 |
|
23-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Expose NPN in OpenSSL.
This is derived from costin's change Ib18da136cb628515d6909c438cd0809452d7058a.
It moves the protocols data to the AppData's callbacks so the memory can be
released when the handshake completes.
Change-Id: Id61feaa6f28250e393f5c8093688b099e92dce9c
|
| 3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
|
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1
Bug: 6168278
Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
|
| 41e34229c07e8d05090560ff80558fa222623769 |
|
09-Mar-2012 |
Kenny Root <kroot@google.com> |
Add support for OpenSSL engines
This allows OpenSSL ENGINE to be used for RSA and DSA private key
operations.
Also add in support for directly passing an OpenSSLKey to the
OpenSSLSocketImpl in case we are using ENGINEs.
Change-Id: Ia31735109052a13e421900b69ba5de13bbce0f6f
|
| 5313aaf64335ca4e9768c66de697f0ce8f7e2227 |
|
16-Feb-2012 |
Kenny Root <kroot@google.com> |
Fix JNI yet again to have same return types
Newer compiler complains on return type mismatch. Change the error
return from NULL -> 0 to please the compiler.
Change-Id: Ib3e5f4a0e3e2507009cb309bb7965efbb968b7cb
|
| 68dc9c0f9ea2913a627aa3df81f4956efa48a980 |
|
06-Feb-2012 |
Kenny Root <kroot@google.com> |
OpenSSL block ciphers, part 1
This implements the NativeCrypto piece necessary to do basic block
cipher operations. More work will need to be done to enable useful
modes.
This gives us the ability to replace BouncyCastle's ECB mode that it
bases the higher level CBC, CTR, etc modes on. However, calling through
JNI to OpenSSL for 16-byte blocks for AES ends up being the same speed
as the Java implementation.
Further enhancements to use large blocks during the JNI call should show
marked improvements in speed.
Change-Id: I594a6d13ce5101a1ef2877b84edaa5e5b65e1e71
|
| 82ad6d54c7c1ccc03aed976cbf3ad19fa208564f |
|
04-Feb-2012 |
Kenny Root <kroot@google.com> |
Change return type to match function
Change-Id: Ie4edc0ecc45cef924743e6c1b2f66832a2cf71c7
|
| e50519aa549f6032b61e7d5b03f26510b10a8350 |
|
03-Feb-2012 |
Kenny Root <kroot@google.com> |
Fix up some JNI nits
Some of the existing JNI functions were implicitly casting jint to
pointers. Explicitly do this.
Also make sure we're checking for errors when we should.
Unique_... classes don't throw a NPE, so we have to throw exceptions
when they end up being NULL when we don't expect them to.
Change-Id: I12044446777eb02e407a03b0f0ecad5189c17602
|
| 0e1edea41b8747edd1a3e3237e82d1e48c31ae58 |
|
03-Feb-2012 |
Kenny Root <kroot@google.com> |
Fix return types so the compiler is happy
The newer compiler is throwing errors of the type:
error: converting to non-pointer type 'int' from NULL [-Werror=conversion-null]
Change-Id: I5bea50f760a1a9d747b39f9459dab2fbe7fdf7a7
|
| 746a236e2be5dee62c482e27f4c682496d071d8b |
|
01-Feb-2012 |
Kenny Root <kroot@google.com> |
Add OpenSSL KeyPairGenerator and KeyFactory
Refactor the way OpenSSL keys are handled so we can generate OpenSSL
keys with the KeyPairGenerator and KeyFactory and pass them around
without keeping the context in the OpenSSLSignature where it originated.
Change-Id: Ib66bd1914e241a240cd97b1ea37e8526998107d9
|
| 1dfb8aa653d52268087f450e9b5a865e08b56d98 |
|
31-Jan-2012 |
Kenny Root <kroot@google.com> |
Add signature generation to OpenSSLSignature
Change-Id: I1203516d95a937edb48959146bbec64b338e4f1e
|
| 679cf68b607e9b4a3beb8bcdee06868ae583386f |
|
08-Jan-2012 |
Steve Block <steveblock@google.com> |
Rename (IF_)LOGE(_IF) to (IF_)ALOGE(_IF) DO NOT MERGE
See https://android-git.corp.google.com/g/#/c/157220
Bug: 5449033
Change-Id: I3deb0b1b71cf4ec6d82921a2e0015c3a7b397cbf
|
| ce1396eb6e63e3dd785f5052dd77aab1a2d4af7c |
|
20-Dec-2011 |
Steve Block <steveblock@google.com> |
Rename (IF_)LOGD(_IF) to (IF_)ALOGD(_IF) DO NOT MERGE
See https://android-git.corp.google.com/g/156016
Bug: 5449033
Change-Id: If68c0a933417163908aa05cebffd2863b581d7c8
|
| f3c9acbc3ebd72090221f1781f7f48c0390c1c44 |
|
20-Oct-2011 |
Steve Block <steveblock@google.com> |
Rename LOGV(_IF) to ALOGV(_IF) DO NOT MERGE
See https://android-git.corp.google.com/g/#/c/143865
Bug: 5449033
Change-Id: Ifc8ada20e2b316bb24aa4ba3483e2fcbb9439669
|
| 487c58a9ff0cb4c6e074b2f5d99a0c3efa54fa37 |
|
16-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Replace NativeCrypto.verifySignature with OpenSSLSignature
Bug: http://code.google.com/p/android/issues/detail?id=18458
Bug: 5037994
Change-Id: Ie9521df80b3b50e69b5cf9e6f8eb861845b4d30e
|
| 638000042da777f6d628d88dadde957c52597710 |
|
29-Jun-2011 |
Brian Carlstrom <bdc@google.com> |
Add ExceptionCheck after all places we setCallbackState
Also remove byte versions of SSL_read and SSL_write matching rest of
libcore to avoid making the change in even more places.
Note that testing this change required improving SSL_renegotiate which
is only used for testing.
Change-Id: If425764da3a36508a6c65d90eb3d36c5a018fd18
|
| f08498e4998c3b7197cb31a9fc44910bfd4eeecc |
|
25-Jun-2011 |
Doug Kwan <dougkwan@google.com> |
Fix gcc-4.6 compiler warnings about conversion between pointer and integer.
Change-Id: I2b8827d5110144a972eb9f3bf1e1f4621afef683
|
| 1a577c958a277329ab2eeb23903d9f8b08e1d35e |
|
07-Jun-2011 |
Elliott Hughes <enh@google.com> |
Check that the result of UniquePtr::release is always used.
(And silence the warnings in those cases where it isn't because we're working
around OpenSSL API lossage.)
Change-Id: Ibc7958373e7a899a6cd03a0177f97bf3a73c0e15
|
| 5c42f5792a0ad4159d30e7fd18958a21bf8b327f |
|
01-Apr-2011 |
Brian Carlstrom <bdc@google.com> |
Cleanup diagnosing HandshakeCompletedEventTest.testClientAuth
Change-Id: I9f71a2578c6e9d01e1b8cffcfc344f5116ad5db5
|
| 57d0a10f4fa6cae6d5c63b4f799e048e83c5d11e |
|
03-Mar-2011 |
Elliott Hughes <enh@google.com> |
Make all filenames match their classes.
Change-Id: I2c9f95a27ee3881fc609e3e4f1468205c701215d
|
| 12cd1f00c2fa1a7f37bf644cecdf7588bdc0b0a9 |
|
23-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Remove libcore's dependency on bouncycastle
external/bouncycastle
- Change to be the primary build for bouncycastle sources (as opposed to part of libcore)
- Moved OpenSSLMessageDigest from libcore to OpenSSLDigest
It uses NativeCrypto API from core, but implements a bouncycastle specific interface
- restored registration of bouncycastle MessageDigests for SHA-1, SHA-256, MD5
OpenSSLProvider versions take precedence, but explicit provider of "BC" allows choice
- enabled native versions of SHA-384 and SHA-512
- pruned MD4 implementation
frameworks/base
- frameworks and CoreTests modules now depend on bouncycastle
- update preloades classes for NativeBN package change
- moved CryptoTest to libcore
libcore
- core now builds without bouncycastle sources
- core-tests, core-tests-support, core-tests-supportlib now depend on bouncycastle
- removed libcore/openssl directory, moving NativeBN to java/math
- minor cleanup of Provider, Security, Services style while working on ProviderTest
- added new OpenSSLProvider registered as first provider to have
priority over the others to ensure our native implementations are used
- moved BouncyCastle to have priority as a provider over Harmony
- JarVerifier and JarUtils now implicitly use OpenSSLMessageDigest
- Cleanedup OpenSSLSignature, implementation needs to be finished to move to OpenSSLProvider
- To avoid using PEMWriter from BouncyCastle, NativeCrypto now takes binary encoded certs and keys
This is more efficient as well avoiding the base64 decode/encode of the binary data
- removed SHA-224 to match the RI
packages/apps/CertInstaller
- CertificateInstaller module now depends on bouncycastle
this is the only app to depend on bouncycastle
system/core
- updated BOOTCLASSPATH
Change-Id: I6205366b12baec4331b4a76e2c85d8324bf64b2c
|
| a9f5c16a864ff63ba63f810410f8a27c086d5d52 |
|
17-Jun-2010 |
Elliott Hughes <enh@google.com> |
Remove dynamic calls to FindClass.
Initially, I was just fixing a threading bug in NativeDecimalFormat.cpp where
we were bypassing GCC's built-in static initializer thread safety. This led me
to the question of how expensive FindClass is, which led me to creating a new
canonical cache of jclasses.
Here's the motivating benchmark, showing the cost of calling an empty regular
(non-native) method, an empty native method, a native method that calls
FindClass, a native method that calls FindClass and GetFieldID, and a native
method that calls FindClass and GetMethodID:
benchmark ns logarithmic runtime
NoArgsRegular 74 ||||||||||||||
NoArgsNative 428 XX|||||||||||||||||||
FindClass 3064 XXXXXXXXXXXXXXXX|||||||||||
FindClassGetField 3654 XXXXXXXXXXXXXXXXXXX|||||||||
FindClassGetMethod 5634 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Change-Id: I41ab2b347895f043a7e21d8fa19e4541e198c3fc
|
| 05960876dff6a5b686821eed8f7ae7cef5af4f50 |
|
27-May-2010 |
Elliott Hughes <enh@google.com> |
Enhance ScopedUtfChars to include the null check most callers were missing.
Also switch most non-users over to ScopedUtfChars.
Also ensure all users check that ScopedUtfChars was successful in getting the
chars.
Also rewrite ObjectInputStream and ObjectOutputStream without duplication.
Change-Id: I929d00fe3ff50b303cba4a2cf2269355e9fef5f9
|
| 0c131a2ca38465b7d1df4eaee63ac73ce4d5986d |
|
21-May-2010 |
Brian Carlstrom <bdc@google.com> |
RI 6 support for javax.net.ssl
Summary:
- RI 6 support for javax.net.ssl
- SSLEngine fixes based on new SSLEngineTest
- fix Cipher.checkMode bug recently introduced in dalvik-dev
Details:
Fix Cipher.checkMode that was preventing most javax.net.ssl tests from working
luni/src/main/java/javax/crypto/Cipher.java
RI 6 has introduced the concept of a "Default" SSLContext. This is
accessed via SSLContext.getDefault() and also
SSLContext.getInstance("Default"). Harmony had its own
DefaultSSLContext but it was not created via an SSLContextSpi. It also
was a single shared instance whereas the new RI6 Default SSLContext
shares internal SSLSessionContext instances between different Default
SSLContexts.
Refactored the old code into an SSLContextImpl subclass that
allows it to be created via SSLContext.getInstance. SSLContextImpl
ensures that we only ever create one set of SSLSessionContext
instances for the Default context.
luni/src/main/java/javax/net/ssl/DefaultSSLContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Added SSLContext.getDefault and SSLContext.setDefault
luni/src/main/java/javax/net/ssl/SSLContext.java
Replace dependencies of old DefaultSSLContext with use of SSLContext.getDefault
luni/src/main/java/javax/net/ssl/SSLServerSocketFactory.java
luni/src/main/java/javax/net/ssl/SSLSocketFactory.java
Register "SSLContext.Default" as DefaultSSLContextImpl class for SSLContext.getInstance()
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
Added constant for new "Default" standard name and added it to
SSL_CONTEXT_PROTOCOLS. New tests based on SSL_CONTEXT_PROTOCOLS
made it clear that neither Android or RI support SSLv2 so removed
it from SSL_CONTEXT_PROTOCOLS and SSL_SOCKET_PROTOCOLS. Added
constant for TLS as well which was previously scattered all over
tests. Remove SSLv2Hello from SSL_SOCKET_PROTOCOLS for Android
since with OpenSSL disablign SSLv2 means you can not use
SSLv2Hello either.
support/src/test/java/javax/net/ssl/StandardNames.java
Added tests for SSLContext.getDefault and
SSLContext.setDefault. Changed existing tests to work on all
protocols including new "Default".
luni/src/test/java/javax/net/ssl/SSLContextTest.java
RI 6 has introduced the notion of SSLParameters which encapsulate SSL
the handshake parameters of desired cipher suites, protocols, and
client authentication requirements.
The main new class SSLParameters is basically just a bag of fields
with accessors and a couple simple constructors. The only things
of note are that it clones all String arrays on input and output
and the setters for the two boolean fields ensure that only one is
true at a time.
luni/src/main/java/javax/net/ssl/SSLParameters.java
Added SSLContext.getDefaultSSLParameters and
SSLContext.getSupportedSSLParameters which simply delegate to the
SSLContextSpi.
luni/src/main/java/javax/net/ssl/SSLContext.java
Added abstract SSLContextSpi.engineGetDefaultSSLParameters and
SSLContext.engineGetSupportedSSLParameters.
luni/src/main/java/javax/net/ssl/SSLContextSpi.java
Added engineGetDefaultSSLParameters and
engineGetSupportedSSLParameters implementation. The RI documents
in SSLContextSpi that these are implemented by default by creating
a socket via the SSLContext's SocketFactory and asking for the
enabled/supported cipher suites and protocols respectively, so
that is what is done. The doc mentions throwing
UnsupportedOperationException if there is a problem, so we do that
as well.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Added {SSLEngine,SSLSocket}.{getSSLParameters,setSSLParameters}
which are analogous.
luni/src/main/java/javax/net/ssl/SSLEngine.java
luni/src/main/java/javax/net/ssl/SSLSocket.java
Added SSLParametersTest
luni/src/test/java/javax/net/ssl/SSLParametersTest.java
luni/src/test/java/javax/net/ssl/AllTests.java
Added SSLContext.get{Default,Supported}SSLParameters tests
luni/src/test/java/javax/net/ssl/SSLContextTest.java
Added SSLSocket.{getSSLParameters,setSSLParameters} tests and added
some extra asserts to test_SSLSocketPair_create based on experience
with test_SSLEnginePair_create.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Dummy implementation of new SSLContextSpi for test classes.
support/src/test/java/org/apache/harmony/security/tests/support/MySSLContextSpi.java
support/src/test/java/org/apache/harmony/xnet/tests/support/MySSLContextSpi.java
Other minor RI 6 API changes:
RI 6 removed Serializable from HandshakeCompletedEvent and SSLSessionBindingEvent
luni/src/main/java/javax/net/ssl/HandshakeCompletedEvent.java
luni/src/main/java/javax/net/ssl/SSLSessionBindingEvent.java
RI 6 added generic types to the KeyStoreBuilderParameters List
constructor and accessor as well as to
SSLSessionContext.getIds. Fixed tests to compile with generic types.
luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
luni/src/main/java/javax/net/ssl/SSLSessionContext.java
luni/src/test/java/tests/api/javax/net/ssl/KeyStoreBuilderParametersTest.java
SSLEngine improvements. Since I was changing SSLEngine, I wrote an
SSLEngineTest based on my SSLSocketTest to do some simply sanity
checking. It expose a number of issues. I've fixed the small ones,
marked the rest as known failures.
Renamed some TLS_ cipher suites to SSL_ to match JSSE standard
names. These were all old suites no longer supported by RI or
OpenSSL which is why they were missed in an earlier cleanup of this
type in this class. Also fixed SSLEngine supported cipher suites
list not to include SSL_NULL_WITH_NULL_NULL which is not a valid
suite to negotiate.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
SSLEngine instances can have null host values, which caused a
NullPointerException in the ClientSessionContext implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
SSLEngine tests were failing because SSLParameters was throwing
NullPointerException instead of IllegalArgument exception on null
element values. Fixed null pointer message style while I was here.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
Fixed SSLEngine instances to default to server mode like RI
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Fixed KEY_TYPES based on SSLEngine implementation. Removed dead
code NativeCrypto.getEnabledProtocols which was recently made
obsolete. Cleaned up null exception messages to follow our convention.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Added SSLEngineTest which parallels SSLSocketTest in its
coverage. Similarly added TestSSLEnginePair which loosely parallels
TestSSLSocketPair.
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/AllTests.java
support/src/test/java/javax/net/ssl/TestSSLEnginePair.java
SSLEngineTest betters exposed the differences between SSLSocket and
SSLEngine supported cipher suites. StandardNames now has an
CIPHER_SUITES_SSLENGINE definition which denotes what is missing
and what is extra and why in the SSLEngine implementation.
support/src/test/java/javax/net/ssl/StandardNames.java
Created StandardNames.assert{Valid,Supported}{CipherSuites,Protocols}
to factor out some code test code that is also used by new tests.
support/src/test/java/javax/net/ssl/StandardNames.java
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Remove SSLSocketTest known failure and add new SSLEngineTest known failures
expectations/knownfailures.txt
SSL_OP_NO_TICKET change was recently merged from master which required some fixes.
For the moment, sslServerSocketSupportsSessionTickets always returns false.
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixed flakey test_SSLSocket_HandshakeCompletedListener which had a
race because the client thread look in the server session context
for an session by id potentially before the server thread had a
chance to store its session. Made noticable because of
SSL_OP_NO_TICKET recently merged from master (before this code
path was host only, not device)
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fix checkjni issue where we need to check for pending exception in
OpenSSL callback. Possibly introduced by recent merge of
SSL_OP_NO_TICKET from master.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Expectation updates
Remove SSLSocketTest known failure and add new SSLEngineTest known failures
expectations/knownfailures.txt
Tag test_SSLSocket_getSupportedCipherSuites_connect as large
expectations/taggedtests.txt
Misc changes:
opening brace on wrong line
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Long line cleanup while debugging
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java
support/src/test/java/javax/net/ssl/TestKeyStore.java
Removed bogus import
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Comment clarify while debugging
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Ctor -> Constructor in comment
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLEngineImpl.java
Fixed naming of SocketTest_Test_create to TestSocketPair_Create to match renamed classes
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I99505e97d6047eeabe4a0b93202075a0b2d486ec
|
| f7b8b35bcc93523ef224039b009608b1ea3b81f3 |
|
22-May-2010 |
Brian Carlstrom <bdc@google.com> |
Manual recreation of dalvik change 720d1e962e248a30f81c1493081ff4c01e35c839 in libcore
Disable SSL Session Ticket extension for OpenSSLSocket
Due to compatability issues with some sites, disable this SSL extension which wasn't present in Eclair. See also:
b/2682876 Some ssl sites cause "A secure connection could not be established" error
Change-Id: Ife94f65a063011f09553877a9fb71f42ecc76f5e
|
| ebca53a204302c5e559b5c2c9014b48048faf4d4 |
|
21-May-2010 |
Elliott Hughes <enh@google.com> |
Add write-back ScopedPrimitiveArrays (and use them).
I've left the remaining Get/Release Critical calls in "NativeConverter.cpp"
for the next patch, even though getting into position to fix them is part of
the point of this patch.
Change-Id: I99e15a3cf3919008343ae4dc856c86ced233e07a
|
| aacf6f9741dea0f12fbff5e7696e53f251177280 |
|
20-May-2010 |
Brian Carlstrom <bdc@google.com> |
Enable Diffie-Hellman cipher suites
Enable Diffie-Hellman cipher suites in NativeCrypto (and in
StandardNames to match for testing). This means we now have the same
default cipher suite list as RI 5.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
support/src/test/java/javax/net/ssl/StandardNames.java
Enabling DH made it obvious that the RI check for enable cipher suites
on SSLServerSocket.accept was not as stringent as first
thought. Apparently they don't care if all enabled cipher suites have
certificates/keys, just that at least one of them will work, even if
its anonymous. Factored out the logic to check this into
checkEnabledCipherSuites for clarity along with the supporting
checkForPrivateKey. Also only check if the socket is in server mode,
since its fine to have nothing configured for server acting as a
client for handshake purposes.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
The real work to enable Diffie-Hellman was to use
SSL_CTX_set_tmp_dh_callback to set a callback to get DH
parameters. There are two ways to create the parameters. The first is
to use DH_generate_parameters_ex which is very slow (minutes) as is
recommended as install time option. The second is to use
DSA_generate_parameters_ex followed by DSA_dup_DH, which is faster for
a single call, but must be done every time, so slower overall. We
currently take the second approach to just have DH working.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Changed ephemeral RSA keys to be stored per SSL in AppData, not in a static global.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Fix LS_ to TLS_ typo in commented out constant. Removed easy to miss wrapping in array definition.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Renamed CipherSuites defaultPretendant to defaultCipherSuites which
led to renaming the CipherSuites constants to follow the coding style.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerKeyExchange.java
Change-Id: Ia38de48cabb699b24fe6e341ba79f34e3da8b543
|
| b5b39e448a80d3bfacbc56afd769855e77f0fb7f |
|
20-May-2010 |
Brian Carlstrom <bdc@google.com> |
Add RSA ephemeral callback for SSL_RSA_EXPORT_WITH_RC4_40_MD5 support (and move to UniquePtr)
Summary:
Used SSL_CTX_set_tmp_rsa_callback to provide a callback for supplying
ephemeral RSA key for export cipher SSL_RSA_EXPORT_WITH_RC4_40_MD5
(aka EXP-RC4-MD5)
As part of this added rsaGenerateKey and while doing that started
adding UniquePtr deleters for BN and RSA and then just decided to do
the rest of the file.
Details:
Added tmp_rsa_callback to provide emphemeral RSA keys
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Removed last KnownFailure in my JSSE tests.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Switching to UniquePtr to manage SSL types.
Found a couple places not error checking along the way.
Removed LOGE from throw* methods since jniThrowException does that.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I27413c0073cd2cc405c83d35a0772c7901ce25c6
|
| f3f7cc7cb8650bed3b3e6c94104c79e20ef565dd |
|
19-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocket.startHandshake should throw SSLProtocolException on handshake protocol error
Added throwSSLProtocolExceptionStr and used it in the SSL_ERROR_SSL case.
Also replaced 0 with SSL_ERROR_NONE in throwSSLExceptionWithSslErrors calls for clarity.
Improved throwSSLExceptionWithSslErrors to show ERR_get_error information in SSL_ERROR_NONE case.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Removed penultimate KnownFailure. Updated comment to use more official Kerberos reference URL.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I2fb847ba92a3464029d1103fadf05ec16126bda9
|
| 6df6339ecd4662d351c622a59533cbbe9f275ffd |
|
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Client certificates should only be set on request from server
Client certificates should only be set into the SSL* when requested by
the server so that after the handshake is completed the client can
inspect its SSLSession to see what certificate if any was
requested. Previously the value was always non-null even if the server
didn't request the certificate.
- Created RAND_seed and RAND_load_file out of the NativeCrypto.SSL_new
- NativeCrypto.SSL_new now simply performs SSL_new and does not
deal with certificates, private keys, or random seeds.
- Removed helper version of NativeCrypto.SSL_new
Moved code to OpenSSLSocketImpl.setCertificate
- Created SSL_use_certificate, SSL_use_PrivateKey, SSL_check_private_key from SSL_new.
These are used not just on server handshake but also via clientCertificateRequested callback.
- Merged CertificateChainVerifier and HandshakeCompletedCallback into new SSLHandshakeCallbacks
while adding new clientCertificateRequested callback from OpenSSL C code to Java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
In addition to supporting NativeCrypto.java changes, also changed
to_SSL_CTX and to_SSL_SESSION to allow null checking and throwing
NullPointerException. Changed these and to_SSL to log exception on
JNITrace, taking these logs out of individual functions. There
were a lot of null checks missing previously, mostly in
to_SSL_SESSION cases.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
All KnownFailures now fixed.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Three more KnownFailures now fixed.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: Iddcd5512e8395d947d3b894f03e3a059e63afe8a
|
| 8044bf6b446c93cd29c5753544246316f269064f |
|
18-May-2010 |
Elliott Hughes <enh@google.com> |
Make ScopedLocalRef more convenient, and use it more widely.
Even though every reference type is a jobject, it's useful to be able to use
more specific types.
Change-Id: Id8056d0e18380675c90f08c4173a8b34b4d5d983
|
| 99c59bfa432e36933a7a5033fba8b89209f737bc |
|
18-May-2010 |
Elliott Hughes <enh@google.com> |
Expand upon the old ScopedByteArray, and start removing some of the Get/ReleaseCritical calls.
This adds Scoped*Array classes for all primitive types, and switches all
read-only users of arrays over. At the same time, all read-only users of
Get/ReleaseCritical get switched to non-critical access.
Bug: 2663177
Change-Id: I5542cea3e24faa987ced463fcb695b9598da94af
|
| 204cab3c22b4d75c866c95e2d2eec42e14cbd924 |
|
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Supported cipher suites improvements
Added new test_SSLSocket_getSupportedCipherSuites_connect to make sure
all cipher suites we claim work actually do. It clearly exposed that
although a large number of cipher suites are supported by libssl.so,
they are not properly wired up into the OpenSSL JSSE
implementation. In particular Elliptic Curve has been disabled in our
version Bouncy Castle does not work. In addition Diffie-Hellman does
not work because we need to further integration work with OpenSSL via
SSL_set_tmp_dh_callback or SSL_set_tmp_dh. Finally,
SSL_RSA_EXPORT_WITH_RC4_40_MD5 doesn't work but that is being left as
KnownFailure for more immediate cleanup based on ServerHandshakeImpl's
handling of KeyExchange_RSA_EXPORT as part of having OpenSSL call us
back for certificates dynamically.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Refactored TestSSLContext.createKeyStore to create TestKeyStore which
now factors out TestSSLContext.createKeys from the old createKeyStore
method, which allows createKeys to be called multiple times for
different key algorithms (for example DSA in addition to RSA). Also
added a reusable singleton instance to cut down on test execution
time.
support/src/test/java/javax/net/ssl/TestKeyStore.java
Removed publicAlias/privateAlias from TestSSLContext since we now
include both RSA and DSA key pairs in they KeyStore by default. Added
TestSSLContext.assertCertificateInKeyStore methods to help tests the
previously used the alias fields fields. TestSSLContext.create API
changed as well since the alias names are no longer
required. TestSSLContext.createClient now needs to iterate over all
server certificates when setting up its TrustManager instead of just
grabbing one by alias name.
support/src/test/java/javax/net/ssl/TestSSLContext.java
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
TestSSLSocketPair.connect now allows optional inclusion of server
cipher suite list.
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Turning off Elliptic Curve and Diffie-Hellman which are not currently
working. Updating test expectations to match.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
support/src/test/java/javax/net/ssl/StandardNames.java
Turn on registration of ECDSA and DSA since this part is currently
functional (and excercised by TestKeyStore.create())
luni/src/main/java/org/bouncycastle/x509/X509Util.java
Improve logging by including SSL pointer in error messages, which
makes it easier to relate these errors to JNI_TRACE messages.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I014d001a6a21a46c360678a346d3a3c8232f4d53
|
| 3534c7cb3d4c67e3a4f2925fc7ecec43aeed879a |
|
15-May-2010 |
Brian Carlstrom <bdc@google.com> |
Remove ScopedGlobalRef (and other cleanups)
ScopedGlobalRef caused more trouble that it was worth. Rather than
trying to fix it to require updating of the JNIEnv, remove it to
remove the temptation for others to use it.
Also update SSL_set_ciphers_lists to use ScopedLocalRef and add HTML
anchors to Standard names javadoc JSEE references.
Change-Id: Ic3ed1bae3f29ee971d4461de31395b78c4949090
|
| 9acacc36bafda869c6e9cc63786cdddd995ca96a |
|
14-May-2010 |
Brian Carlstrom <bdc@google.com> |
Use JSSE cipher suite names and restore JSSE SSLSessionContext semantics
Summary:
- Switch to using JSSE cipher suite names
- SSLSessionContext implementation cleanup
- Updated tests
Details:
Switch to using JSSE cipher suite names
- We maintain backward compatability for enabling cipher suites using
OpenSSL names for old code that did so without checking for the
presence of the names in the supported list.
- We now have a well defined list of the supported cipher suites which
are sorted in priority order as specified in JSSE documentation so
that callers doing:
s.setEnabledCipherSuites(s.getSupportedCipherSuites())
will get something reasonable.
- We now have a default cipher suite list that is chose to match RI
behavior and priority, not based on OpenSSLs default and priorities.
Details:
- Added NativeCrypto OPENSSL_TO_STANDARD and STANDARD_TO_OPENSSL
mapping between naming conventions. STANDARD_TO_OPENSSL is a
LinkedHashMap so enumerating it gives the proper order for
SUPPORTED_CIPHER_SUITES.
- SSL_get_ciphers and SSL_set_cipher_list are removed, we now use
our own SSL_set_cipher_lists (defined seperately in
external/openssl/patches/jsse.patch) to set the set and order of
cipher suites. SSL_CTX_get_ciphers is also removed because we no
longer rely on the OpenSSL for the default cipher suites
behavior.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Add cipherSuite and protocol field caches for native values,
mapping the cipherSuite to a JSSE name from the OpenSSL name
returned by SSL_SESSION_cipher.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Fixed a long standing bug where we reused sessions found in the
client host/port cache even if the old protocol and cipher suite
where no longer compatible with what was specified by
setEnabledCipherSuites and setProtocols. Also fixed a recently
introduced bug where lastAccessedTime was being set on a cached
session even if it was not reused, found by fixed the above.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Move most of SSLSessionContext implementation from subclasses to
AbstractSessionContext. This was primarily to align the
implementations of how different sessions id for the same host and
port were handled for RI compatability. client subclasses now focuses
on handling its host/port based cache and both deal with their own
persistent cache details.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Tests
Added some variants of assertSSLSessionContextSize to simplify tests code.
Broke test_SSLSessionContext_setSessionCacheSize_oneConnect out of
test_SSLSessionContext_setSessionCacheSize_dynamic. Renamed
test_SSLSessionContext_setSessionCacheSize_basic to
test_SSLSessionContext_setSessionCacheSize_noConnect to match name
of _oneConnect. _dynamic was cleaned up a bit as getting it working
was the only goal of this change list. Fixed to filter
SSL_RSA_EXPORT_ ciphers since our test certificate key length is
too long for those. Lower test requirement to 3 unique cipher suites.
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Added checks that cipher suites and protocols have standard names.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Removing known failures related to cipher suite naming. Fixed bug
of using assertNotNull instead of assertTrue. Added extra
size/length check which would have found the
assertNotNull/assertTrue issue.
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fixing test the explicitly worked around broken cipher suite naming.
luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java
Updated standard cipher suites to RI 6 list, which also now
specifies ordering, which we now align with.
support/src/test/java/javax/net/ssl/StandardNames.java
Unrelated
Remove more now obsolete jars from the test classpath
run-core-tests
Change-Id: I45c274a9327c9a1aeeccb39ecaf5a3fbe2903c8f
|
| 44e0e560c92338110953ce806df475fedcdf926e |
|
07-May-2010 |
Brian Carlstrom <bdc@google.com> |
Enable -Wall -Wextra for libcore and cleanup all but one warning
Change-Id: Ied76662c470ba878cec61189acf29f5cbbd4ccd4
|
| 3e24c53ecc31b840e51869c295785d5a2f8b31eb |
|
06-May-2010 |
Brian Carlstrom <bdc@google.com> |
Moving OpenSSLSocketImpl native code to NativeCrypto (and other clearnup)
Summary:
- Finished consolidating OpenSSL native code into NativeCrypto
- fixing local vs global ref bug with AppData
Added new ScopedGlobalRef as part of this fix
- fixed many historical memory leaks identified during code review
- fixed lack of error checking on allcoation with OpenSSL *_new routines
- Added to_SSL_CTX and to_SSL_SESSION to match to_SSL (renamed from getSslPointer)
- Replaced most uses of GetByteArrayElements with ScopedByteArray
(including cases where we we using ReleaseByteArrayElements(..,...,0) instead of JNI_ABORT)
- Replaced uses of GetStringUTFChars with ScopedUtfChars
Details:
Finished consolidating OpenSSL native code into NativeCrypto
OpenSSLSocketImpl NativeCrypto
---------------------------------------
nativeread SSL_read_byte
nativeread SSL_read
nativewrite SSL_write_byte
nativewrite SSL_write
nativeinterrupt SSL_interrupt
nativeclose SSL_shutdown
nativeverifysignature verifysignature
Also removed dead code that was wrapping SSL_get1_session
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Fixed NativeCrypto_SSL_write and NativeCrypto_d2i_SSL_SESSION to use
JNI_ABORT on release to avoid copy back of unchanged data (via ScopedByteArray).
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
While running the usual tests:
adb shell run-core-tests tests.xnet.AllTests javax.net.ssl.AllTests
there was an abort from the JNI checking because in the recent
handshaking change, local refs were kept in AppData and then reused in
later calls. Added new ScopedGlobalRef to handle the book keeping of this.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
include/ScopedGlobalRef.h
Fixed various leaks on old error paths spotted by reviewer.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Tracking move of verifySignature, a non-SSL bit of code that was lurking in OpenSSLSocketImpl
luni/src/main/java/org/apache/harmony/security/provider/cert/X509CertImpl.java
Change-Id: If1e409782bc99dc684039cfe3f53f8244e29346e
|
| f002bdddce924e2145a4a2b60592b7a40f4112f6 |
|
05-May-2010 |
Brian Carlstrom <bdc@google.com> |
Moving OpenSSLSessionImpl native code to NativeCrypto
OpenSSLSessionImpl NativeCrypto
-------------------------------------------------------
getId SSL_SESSION_session_id
getPeerCertificatesImpl SSL_SESSION_get_peer_cert_chain
getCreationTime SSL_SESSION_get_time
getProtocol SSL_SESSION_get_version
getCipherSuite SSL_SESSION_cipher
freeImpl SSL_SESSION_free
getEncoded i2d_SSL_SESSION
initializeNativeImpl d2i_SSL_SESSION
Change-Id: I4538df52280266711986a577b14868af3ea0ed62
|
| 02d23a69dfd7d425153293d7d3ac64b5a611ba72 |
|
05-May-2010 |
Brian Carlstrom <bdc@google.com> |
Remove unnecessary NativeCrypto "OpenSSL error" warning
The following errors were noticed running tests.AllTests:
D/NativeCrypto( 507): OpenSSL error 168235011: error:0A071003:dsa routines:DSA_do_verify:BN lib
D/NativeCrypto( 507): OpenSSL error 168235011: error:0A071003:dsa routines:DSA_do_verify:BN lib
D/NativeCrypto( 507): OpenSSL error 168235011: error:0A071003:dsa routines:DSA_do_verify:BN lib
D/NativeCrypto( 507): OpenSSL error 168235011: error:0A071003:dsa routines:DSA_do_verify:BN lib
D/NativeCrypto( 507): OpenSSL error 168235011: error:0A071003:dsa routines:DSA_do_verify:BN lib
D/NativeCrypto( 507): OpenSSL error 168235011: error:0A071003:dsa routines:DSA_do_verify:BN lib
D/NativeCrypto( 507): OpenSSL error 168235011: error:0A071003:dsa routines:DSA_do_verify:BN lib
I tracked these down to the following tests respectively:
org.apache.harmony.archive.tests.java.util.jar.JarFileTest.test_JarFile_Modified_SF_EntryAttributes
org.apache.harmony.archive.tests.java.util.jar.JarFileTest.test_JarFile_Modified_SF_EntryAttributes
org.apache.harmony.archive.tests.java.util.jar.JarFileTest.test_JarFile_Modified_SF_EntryAttributes
org.apache.harmony.archive.tests.java.util.jar.JarFileTest.test_JarFile_Modified_SF_EntryAttributes
org.apache.harmony.archive.tests.java.util.jar.JarFileTest.test_JarFile_Modified_SF_EntryAttributes
org.apache.harmony.archive.tests.java.util.jar.JarInputStreamTest.test_JarInputStream_Modified_SF_EntryAttributes_getNextEntry
org.apache.harmony.archive.tests.java.util.jar.JarInputStreamTest.test_JarInputStream_Modified_SF_EntryAttributes_read
However, these errors are just because of expected SecurityException
because jar files are being modified and the signatures are no longer
valid.
Commented out the warning, leaving it for future debugging if
needed. In addition passed context in for use in message for
disambiguating source of error.
libcore/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I3e41994a30c19a859a1eaed4ef80eb25b9670f52
|
| e688a4123f165ed2905878e312b074b8c825d119 |
|
05-May-2010 |
Brian Carlstrom <bdc@google.com> |
Addressing post-submit comments regarding OpenSSL handhake changes
Following up on feedback from earlier change https://android-git.corp.google.com/g/50435
Added new test_SSLSocket_startHandshake_noClientCertificate to
make sure handshaking works when no client certificates are
present after issues raised by hwu during code review.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Improve TestSSLContext.create* options
- added javadoc comments to help distinguish different versions
- fixed bug of not passing in keyStorePassword in create()
- added new createClient(server) method to create a TestSSLContext
that trusts the provided server TestSSLContext's certificate for
use by test_SSLSocket_startHandshake_noClientCertificate
- made createKeyStore optionally create a more minimal keystore if
aliases are not present
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixed argument names in SSL_*_mode methods names as pointed out by hwu
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Added comment to explain purpose of OpenSSLSessionImpl.resetId.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Two changes to OpenSocketImpl
- Added logging on runtime exception catch around
HandshakeCompletedListener execution to closely mirror RI
behavior.
- Cleaned up peerCertificate check to not just be on the client path.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Addressed enh's comments about using clearEnv and when to delete AppData
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I34f54e3e41a5d53d81fdc22aa34ca4de4ee9826f
|
| 6b811c5daec1b28e6f63b57f98a032236f2c3cf7 |
|
03-May-2010 |
Peter Hallam <peterhal@google.com> |
Merge awt-kernel, icu, luni-kernel, prefs, security-kernel, x-net into luni
Merge xml except xmlpull and kxml into luni
|