| 2e1be9d876e8c5554f91afee914641f323eebd4c |
|
27-Jun-2014 |
rich cannings <richc@google.com> |
Log CCS exceptions do not merge.
Unlike the previous CL, this uses reflection for android.os.Process and
android.util.EventLog throughout.
(cherry picked from commit 35b1f354ec2b647966a198ffed932d82eb8eeb5b)
Bug: 15452942
Change-Id: I34b9eaedf1f1e450b1f8004887bb0482601d789e
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| b860016f415dfc5655dcee45f70e8871a2e3edfe |
|
17-Jun-2014 |
Brian Carlstrom <bdc@google.com> |
Remove
Change-Id: Iea7c633eb68df576bf72314ff5ce31bc8094d9ce
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 6456f02c68008928011daa0dbbbbebf882fad5c8 |
|
27-Jun-2014 |
Rich Cannings <richc@google.com> |
Revert "Log OpenSSL CCS errors"
This reverts commit b1599520cdcdda73babffc051590a2dd25cd50be.
Some build targets (e.g. git_dalvik-dev) do not have API-1 Android APIs available, like android.os.Process and android.util.EventLog. Investigating.
Change-Id: Iddce3f445be0502d1afa4f8244a7b8867721613e
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| b1599520cdcdda73babffc051590a2dd25cd50be |
|
19-Jun-2014 |
rich cannings <richc@google.com> |
Log OpenSSL CCS errors
Bug: 15452942
Change-Id: I49e7bad6a65c70e113324c02fc23315cff168f5b
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| ae2ecac00779167b0381c48da7c612567d1c646f |
|
30-May-2014 |
Alex Klyubin <klyubin@google.com> |
SSLParametersImpl is the source of enabled cipher suites and protocols.
An instance of SSLParametersImpl is associated with SSLContext and is
then cloned into any SSLSocketFactory, SSLServerSocketFactory,
SSLSocket, SSLServerSocket, and SSLEngine. This CL ensures that all
these primitives obtain their list of enabled cipher suites and
protocols from their instance of SSLParametersImpl.
Bug: 15073623
Change-Id: I40bf32e8654b299518ec0e77c3218a0790d9c4fd
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 01cce891dd313a0fb9d4694283f2a13fb5c43afe |
|
09-May-2014 |
Alex Klyubin <klyubin@google.com> |
Expose support for TLS-PSK.
TLS-PSK (Pre-Shared Key) is a set of TLS/SSL cipher suites that use
symmetric (pre-shared) keys for mutual authentication of peers. These
cipher suites are in some scenarios more suitable than those based on
public key cryptography and X.509. See RFC 4279 (Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)) for more information.
OpenSSL currently supports only the following PSK cipher suites:
* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
* TLS_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_PSK_WITH_AES_128_CBC_SHA
* TLS_PSK_WITH_AES_256_CBC_SHA
* TLS_PSK_WITH_RC4_128_SHA
The last four cipher suites mutually authenticate the peers and
secure the connection using a pre-shared symmetric key. These cipher
suites do not provide Forward Secrecy -- once the pre-shared key is
compromised, all previous communications secured with that key can be
decrypted. The first two cipher suites combine the pre-shared
symmetric key with an ephemeral key obtained from an ECDH key
exchange performed during the TLS/SSL handshake, thus providing
Forward Secrecy.
Users of TLS-PSK are expected to provide an implementation of
PSKKeyManager to SSLContext.init and then enable at least one PSK
cipher suite in SSLSocket/SSLEngine.
Bug: 15073623
Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 3e46e4ee56c8e37158f46941dedd5b436d724baa |
|
23-May-2014 |
Kenny Root <kroot@google.com> |
Unbundle: hacks to let Conscrypt compile standalone
This is the first pass at getting Conscrypt to compile standalone. It
works fine in apps currently. There are a few TODOs to fix.
Change-Id: I9b43ba12c55e04c8897ccacf38979ca671a55a26
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| d985f665de7a6b0a92f36dd7d6e5550b6f98946e |
|
28-Apr-2014 |
Elliott Hughes <enh@google.com> |
Finish switching to android.system.Os.
Looks like I missed one last time...
Change-Id: Ib009e87493b36fc815166c44ce3c3a532aa5cd82
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| bcad63e381c5326a526a078ac17b8580874495b0 |
|
24-Apr-2014 |
Elliott Hughes <enh@google.com> |
Track libcore.os' move towards the light.
Change-Id: Id41fb809eb764ce60f6d3cecf5715a57af432027
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 0dd7db8b85dfd8ad5d16d239432b9852450dc78f |
|
22-Apr-2014 |
Kenny Root <kroot@google.com> |
Add back missing sslSession
Accidentally removed during refactor.
Change-Id: I4295af935b269ec7ea91f1d1d140f32188e15e64
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| f878e438660d93f8689b864165230492e7a412d4 |
|
08-Nov-2013 |
Kenny Root <kroot@google.com> |
Add OpenSSLEngineImpl
Add support for SSLEngine via OpenSSL APIs. Currently this supports just
the basic SSLEngine functionality. It can be improved in efficiency and
performance, but it appears not to leak anything and be correct
according to our test suites.
Change-Id: Iea2dc3922e7c30e26daca38361877bd2f88ae668
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 3c072fb087eaa1a363fc673c60f5ef65390e356f |
|
07-Nov-2013 |
Kenny Root <kroot@google.com> |
Refactor OpenSSLSocketImpl
Move functionality that will be shared with OpenSSL's SSLEngine
implementation out of OpenSSLSocketImpl and into the (soon-to-be) shared
SSLParametersImpl.
The functionality should stay the same.
Change-Id: If8faa3ad2c9c73c0a0cd4b9716639b362b2b26a1
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| f111f6235d016ce54ab95a2c634a400efe29f24b |
|
31-Mar-2014 |
Kenny Root <kroot@google.com> |
Remove SSLEngineImpl
This is replaced by OpenSSL-backed SSLEngineImpl.
Change-Id: I7b51f6fa772e431c6283008535bfec90821d0bef
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| f8a9b546d57c4731805e73e1e96ff2fb3e77d6e0 |
|
31-Mar-2014 |
Kenny Root <kroot@google.com> |
ALPN: change socket calls to SSL_set_alpn_protos
Calling SSL_CTX_set_alpn_protos appears to be detrimental to thread
safety since the implementation of it resets the values. It's not
idempotent to call it multiple times like SSL_CTX_enable_npn.
Bug: https://code.google.com/p/android/issues/detail?id=67940
Change-Id: I09ed9e75d08528300b86201c3e847b26702d4284
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| d2cced8b10f5e4f600a5eb9464eba0da7c8f09de |
|
20-Mar-2014 |
Kenny Root <kroot@google.com> |
Use the new endpointVerificationAlgorithm API
Use the new X509ExtendedTrustManager and use the new
getEndpointVerificationAlgorithm to check the hostname during the
handshake.
Bug: 13103812
Change-Id: Id0a74d4ef21a7d7c90357a111f99b09971e535d0
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 02fb0575e69baf7e1bf58508e6a01a202f6d0524 |
|
21-Mar-2014 |
Kenny Root <kroot@google.com> |
Allow verification failures to send SSL alert
Before we were relying on our pending exception to abort the SSL
handshake, but the SSL alert was not sent to the server. This enables
peer verification in the OpenSSL to send the alerts and cut the
handshake off earlier.
In OpenSSL, the ssl/s3_clnt.c had code that only sent an alert if verify
mode was not SSL_VERIFY_NONE. Since we're handling all the verification
during the callback, we can special case anything we want to do for
anonymous ciphers in the callback.
Change-Id: I6c8fd0d0c6402e29ef3cb5fc5156eef2f4191ff0
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 8d63ff1384e46407a7618df2b79b2b455795c396 |
|
19-Mar-2014 |
Alex Klyubin <klyubin@google.com> |
Support TLS/SSL without X509TrustManager or X509KeyManager.
This makes TLS/SSL primitives operate as expected when no
X509TrustManager or X509KeyManager is provided. Instead of blowing up
with KeyManagementException or NullPointerException (or similar) when
X509TrustManager or X509KeyManager is not provided, this CL makes
SSLContext.init accept such setup, and makes SSLSocket and SSLEngine
reject certificate chains, select no private keys/aliases, and accept
no certificate issuers.
Bug: 13563574
Change-Id: I8de58377a09025258357dd4da9f6cb1b6f2dab80
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 7dd8d0b433cf8212538aaaf8726f5222abf035dd |
|
09-Dec-2013 |
Matteo Franchin <matteo.franchin@arm.com> |
AArch64: Use long for pointers in Java sources.
Fixing some mistakes in the JNI signatures: some pointers were passed
via jint rather than jlong.
Change-Id: I6120cc5742c8429a9e0fddda715b5169d820d31a
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 16c041fa20ef70221f487631f07eaf53d39ae51c |
|
06-Dec-2013 |
Kenny Root <kroot@google.com> |
Make some methods public for CTS
Some methods are called from CTS. The ClassLoaders are different, so we
need to make these public so we don't get any IllegalAccessError during
CTS tests.
Change-Id: I5ac7931694fb1eceb86ae306fca07fb314643fa9
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 2d089e18deae231149737cad6ce00f1e137a7199 |
|
21-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Stop depending on CipherSuite in OpenSSL-backed sockets.
This is in preparation for removing Harmony-backed TLS/SSL
implementations.
Change-Id: Ic108e16d086fb99b69f0a4e4faeb816dc50a7643
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 57ef6334828dfb4f7f6834ddddf5a0ac61f1a4d0 |
|
07-Nov-2013 |
Kenny Root <kroot@google.com> |
Use SNI hostname for session caching
The session caching wasn't paying attention to the requested SNI
hostname when finding cached sessions. This checks the requested SNI
hostname in an attempt to get the correct hostname from the cache.
Change-Id: If3dbc64f11377a615389de9774c4061d1c92b997
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| f06338c01394610174fe2b3532beac56d61d9e26 |
|
07-Nov-2013 |
Kenny Root <kroot@google.com> |
Random cleanups of old code style
Add @Override annotation, remove unused imports, and remove unnecessary
casts. Also make sure annotations are on a line by themselves.
Change-Id: I294b43353d7b1e77fd1c9d031af7b7062f024eee
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| f087968310bb5233b76ad42841eb07e3c327f40f |
|
05-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
BEAST attack mitigation for OpenSSL-backed SSLSockets.
This enables 1/n-1 record splitting for SSLSocket instances backed by
OpenSSL.
OpenSSL change: https://android-review.googlesource.com/#/c/69253/
Bug: 11514124
Change-Id: I3fef273edd417c51c5723d290656d2e03331d68a
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 8db22531f59b33539647ab95bb76354212d3866a |
|
18-Oct-2013 |
Narayan Kamath <narayan@google.com> |
Tidy up locking in OpenSSLSocketImpl.
We guard all state with a single lock "stateLock", which
replaces usages of "this" and "handshakeLock". We do not
perform any blocking operations while holding this lock.
In particular, startHandshake is no longer synchronized.
We use a single integer to keep track of handshake state
instead of a pair of booleans.
Also fix a bug in getSession, the previous implementation
wouldn't work in cut-through mode.
This fixes a deadlock in SSLSocketTest_interrupt.
Change-Id: I9aef991e0579d4094e287dde8e521d09d6468c51
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 0e9746b7b132058651155b33f219c7789997985b |
|
13-Sep-2013 |
Kenny Root <kroot@google.com> |
Conscrypt: use certificate references in SSL code
Instead of marshalling and unmarshalling to ASN.1 DER, just use
references to OpenSSL X509 objects everywhere applicable.
Change-Id: I1a28ae9232091ee199a9d4c7cd3c7bbd1efa1ca4
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 69c9293abd67eee175870a81f9ee24d7bd6acb50 |
|
10-Sep-2013 |
Brian Carlstrom <bdc@google.com> |
Some cleanup while investigating test_SSLSocket_interrupt
Bug: 10681815
Change-Id: If9a76f4c55b578c6f135befebcc443ab9aef3073
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 8f367eb2a6725f13d4b88419450d58f989a29fa8 |
|
24-Jul-2013 |
Kenny Root <kroot@google.com> |
Delay SSLSocketImpl instantiation until needed
Class preloading will create an instance of objects if they are in
static fields, so put the ones we don't want instantiated into a holder
class that is not preloaded.
(cherry picked from commit da5b7116b58795b169961cbd63c2b21bac741d9a)
Bug: 9984058
Change-Id: If8cb4280cbee79cd4d479fbf6a5297c8e5569b6c
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 8fa35332bfd0c9fe19d2b75622b56b25f62f7b2a |
|
17-Jul-2013 |
Brian Carlstrom <bdc@google.com> |
Call SSL_use_certificate before SSL_use_PrivateKey
Bug: https://code.google.com/p/android/issues/detail?id=54433
Change-Id: Icf39b98802e2c6128e79c44eaf2cabc7b4805cc5
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 6fcf0cbeec79d1f2491d8d0774fdb314fc419ba3 |
|
25-Jun-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: Add ALPN support
This adds the ability to use Application-Layer Protocol Negotiation
(ALPN) as both a client and a server. ALPN is essentially like Next
Protocol Negotiation (NPN) but negotiation is done in the clear. This
allows the use of other protocols on the same port (e.g., SPDY instead
of HTTP on port 80).
Although previously clients using NPN were able to use cut-through, the
new ALPN API does not provide for a way for a client to enable that
during a callback. So the only difference is that NPN clients can enable
SSL False Start while ALPN clients cannot currently.
Change-Id: I42ff70f3711e9cccaf754d189f76eeaa9db5f981
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 1ecc0481f90d32b89b3b051cad70efe07468acd0 |
|
03-May-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: move key conversion to Java
Key type conversion in native code is from the legacy period before the
OpenSSLKey class existed. Use that to hold PKEY reference instead of
converting it in native code.
Change-Id: I84e9a6e1f2e0f95d2f44c18fa9f65cd15e039d63
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 3ff2b34d00ea89eec5b895d866fddf05942fd2a7 |
|
03-May-2013 |
Kenny Root <kroot@google.com> |
Move encoding method out of NativeCrypto
Move the encoding method for X.509 out of NativeCrypto to the class that
uses it.
Change-Id: I57198101553f309c04b5e757716d1d807eb99a90
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|
| 860d2707ce126ef8f66e3eac7ceeab6d24218cd8 |
|
24-Apr-2013 |
Kenny Root <kroot@google.com> |
Move JSSE to new package
To help with shipping the JSSE with apps that want to bundle it, move
it to a new package so that the tangles in other parts of the library
can be untangled.
Change-Id: I810b6861388635301e28aee5b9b47b8e6b35b430
/external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
|