History log of /external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
Revision Date Author Comments (<<< Hide modified files) (Show modified files >>>)
dac92c69d3a147ea57bc7bd28c96b6365c1988e2 14-Nov-2014 Kenny Root <kroot@google.com> Squashed commit of changes from lmp-ub-dev

Contains the following changes:

commit e31d982cdb0f8e6ef05d1e412576888015e1da17
Merge: eaebc54 b73be72
Author: Neil Fuller <nfuller@google.com>
Date: Wed Oct 22 10:34:23 2014 +0000

am b73be72e: am 3e21a289: (-s ours) TLS_FALLBACK_SCSV CTS fix for klp-modular-dev

* commit 'b73be72ed97da8f36450d95d52f485cc6f451c61':
TLS_FALLBACK_SCSV CTS fix for klp-modular-dev

commit eaebc544f3a10c53d7d2f908514122caba569e14
Merge: 223b5da cd50afa
Author: Kenny Root <kroot@google.com>
Date: Tue Oct 14 17:30:19 2014 +0000

Merge "Fix SSLEngine to support session resumption." into lmp-ub-dev

commit 223b5da5d70e47b1a497e86474493925b568f6d7
Merge: 8737796 cb7a360
Author: Neil Fuller <nfuller@google.com>
Date: Thu Oct 9 14:52:00 2014 +0000

am cb7a3605: am ea961ada: Apply conscrypt changes from merge commit

* commit 'cb7a36050f34d3c16be00d532411820761eeb276':
Apply conscrypt changes from merge commit

commit cd50afad1567b1311e6e979e94a7167b7bf69c94
Author: Doug Steedman <dougsteed@google.com>
Date: Mon Oct 6 13:16:15 2014 -0700

Fix SSLEngine to support session resumption.

Bug: 17877118
Change-Id: I388b59cde58fdc506ecac9f536e4bbd9161df6ad

commit 8737796a646eaec94df32827752a71aee74bd46f
Merge: 9564a5f 8d7e23e
Author: Kenny Root <kroot@google.com>
Date: Mon Oct 6 22:34:20 2014 +0000

am 8d7e23e1: Add support for TLS_FALLBACK_SCSV

* commit '8d7e23e117da591a8d48e6bcda9ed6f58ff1a375':
Add support for TLS_FALLBACK_SCSV

commit 9564a5fb9ed2eecf6299788db35213cb08397212
Merge: 4f58feb 7640613
Author: Kenny Root <kroot@google.com>
Date: Fri Sep 12 17:27:23 2014 +0000

am 76406135: am 6dcb23fe: am f427ec90: Fix the ENGINE_finish/ENGINE_free mixup

* commit '76406135cf3a3b88afc979fe8e847b9c3d8b93c1':
Fix the ENGINE_finish/ENGINE_free mixup

commit 4f58feb0ea49dc089a95efba196032ef3c960a39
Merge: ddac5c6 984b7ec
Author: Kenny Root <kroot@google.com>
Date: Wed Sep 10 07:07:16 2014 +0000

am 984b7ec6: Fix the ENGINE_finish/ENGINE_free mixup

* commit '984b7ec6f5aab314117949a48e448ff4f6b65f16':
Fix the ENGINE_finish/ENGINE_free mixup

commit ddac5c6d7e413b0d68b388fbdf70dbeb3eeae865
Merge: 5a8ca5b 36ba60b
Author: Kenny Root <kroot@google.com>
Date: Thu Sep 4 22:41:38 2014 +0000

Merge "Reset lmp-ub-dev to lmp-dev-plus-aosp" into lmp-ub-dev

commit 36ba60b039f1f30ab1ea8f0e2a4da8ae4e3906e5
Author: Kenny Root <kroot@google.com>
Date: Wed Aug 27 12:07:07 2014 -0700

Reset lmp-ub-dev to lmp-dev-plus-aosp

Bug: 17059757
Change-Id: I581963360da47b574e1e2e20c2851485c36fa62c

commit 6a4f2ef9e4ea3ebb321d45ca39b30d634ea3b4ad
Merge: 9b187af f67d784
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 26 04:17:38 2014 +0000

am f67d784a: Add pre-Honeycomb literal IP matching

* commit 'f67d784abe5cef700240be02c68cecd899cd8e6d':
Add pre-Honeycomb literal IP matching

commit 9b187af33dcd97915a0371d64fe1ee4aba20d0ba
Merge: 714ebea 966ae8a
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 26 04:17:37 2014 +0000

am 966ae8a6: Read property to enable SNI

* commit '966ae8a6e12f3235b1cb041e687bda11b41fe4eb':
Read property to enable SNI

commit 714ebeabcb5e35c6df6a5c21f549cdb6130368c4
Merge: 7724204 54a1ba4
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 26 04:06:54 2014 +0000

Merge "resolved conflicts for merge of 342097db to lmp-dev-plus-aosp" into lmp-dev-plus-aosp

commit 54a1ba421d23bb6d988688c2662715e509172447
Merge: a20d871 342097d
Author: Kenny Root <kroot@google.com>
Date: Mon Aug 25 21:03:51 2014 -0700

resolved conflicts for merge of 342097db to lmp-dev-plus-aosp

Change-Id: I853c6b0d3725dafbdc84c4d6d6d1b90529bd949d

commit 7724204abf4431d35787c44c4a22cda5489d4e37
Merge: 20f60ac afb3403
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 26 00:09:27 2014 +0000

am afb34034: Implement write socket timeouts for unbundled apps

* commit 'afb340348bfc54dbc46964e159fe803f9c93a4dd':
Implement write socket timeouts for unbundled apps

commit f67d784abe5cef700240be02c68cecd899cd8e6d
Author: Kenny Root <kroot@google.com>
Date: Wed Aug 20 14:14:26 2014 -0700

Add pre-Honeycomb literal IP matching

This will allow us to run this code on Gingerbread devices and others
that don't have the InetAddress#isNumeric API.

Bug: 16658420
Bug: 17059757
Change-Id: I597d539979d58eeaa2677d6f99e911313a550cc1

commit 966ae8a6e12f3235b1cb041e687bda11b41fe4eb
Author: Kenny Root <kroot@google.com>
Date: Mon Aug 18 10:12:20 2014 -0700

Read property to enable SNI

Read the system property "jsse.enableSNIExtension" on whether to enable
Server Name Indication (SNI) extension. For unbundled builds, this will
be enabled by default. For platform builds, this will be disabled by
default.

Bug: 16658420
Bug: 17059757
Change-Id: I774f5406bf3fe601a42c4ef5e708b31800147eb9

commit 342097db97a9b2736531033b2c4b4d8ce4998c67
Author: Kenny Root <kroot@google.com>
Date: Wed Aug 20 12:14:52 2014 -0700

Validate hostname is usable for SNI

According to RFC 6066 section 3, the hostname listed in the Server Name
Indication (SNI) field is a fully qualified domain name and IP
addresses are not permitted.

Bug: 16658420
Bug: 17059757
Change-Id: I804e46b6e66599b2770f0f4f0534467987e51208

commit afb340348bfc54dbc46964e159fe803f9c93a4dd
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 19 16:33:07 2014 -0700

Implement write socket timeouts for unbundled apps

Change-Id: I4fd604f057ba4288d4f31bf6b3b93307376023d5

commit 20f60acea153dfdf0c8f75a53d7bd9edb4c7614c
Author: Kenny Root <kroot@google.com>
Date: Mon Aug 25 11:52:05 2014 -0700

Tracking change from AOSP

Change-Id: I889af3f7c1de9ef34d9328339e1b421651055ad4

commit 68056b7c9db8a9fb384bbadfc5287730f996896d
Merge: 8239dfd cc2ef2e
Author: Kenny Root <kroot@google.com>
Date: Mon Aug 25 18:03:27 2014 +0000

am cc2ef2e2: Rename hostname fields and methods to reflect usage

* commit 'cc2ef2e2e9ee64f2e0ac2abc7fdf636e2f81fa5e':
Rename hostname fields and methods to reflect usage

commit 8239dfdcc40a69255d7b2feced960d574ea36321
Merge: e9cf759 076138f
Author: Kenny Root <kroot@google.com>
Date: Thu Aug 21 16:36:24 2014 +0000

am 076138ff: Use consistent naming for SSLSocket arguments

* commit '076138ff29d805ec5a32d6ad96a18ef08c7f1b11':
Use consistent naming for SSLSocket arguments

commit cc2ef2e2e9ee64f2e0ac2abc7fdf636e2f81fa5e
Author: Kenny Root <kroot@google.com>
Date: Wed Aug 20 11:26:33 2014 -0700

Rename hostname fields and methods to reflect usage

The hostname that was supplied when the socket was created is stored as
the "peerHostname" This is the only one that should be used for Server
Name Indication (SNI) purposes.

The "peerHostname" or the resolved IP address may be used for
certificate validation, so keep the use of "getHostname()" for
cerificate validation.

Bug: 16658420
Bug: 17059757
Change-Id: Ifd87dead44fb2f00bbfd5eac7e69fb3fc98e94b4

commit 076138ff29d805ec5a32d6ad96a18ef08c7f1b11
Author: Kenny Root <kroot@google.com>
Date: Wed Aug 20 11:24:41 2014 -0700

Use consistent naming for SSLSocket arguments

This changes all the 'host' to be 'hostname' and anything that takes an
'InetAddress' will have the name of 'address' to avoid confusing it with
a hostname.

Bug: 16658420
Bug: 17059757
Change-Id: Iac0628d2d156023dbb80c2e636af6bfe63f46650

commit e9cf759ac89fb053c01f1db19931beb14a823618
Merge: ababdd1 7ed0fae
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 19 19:32:43 2014 +0000

am 7ed0fae1: OpenSSLEngineImpl: reduce number of copies needed

* commit '7ed0fae1906061766d0042e69ccba20e4a702bbe':
OpenSSLEngineImpl: reduce number of copies needed

commit 7ed0fae1906061766d0042e69ccba20e4a702bbe
Author: Kenny Root <kroot@google.com>
Date: Tue Jul 22 13:03:09 2014 -0700

OpenSSLEngineImpl: reduce number of copies needed

When the ByteBuffer didn't line up exactly with the backing array, it
would allocate a new buffer to write into. Instead, add the ability for
OpenSSL to read at an offset in the given array so a copy isn't needed.

Change-Id: I149d3f94e4b5cbdc010df80439ae3300cbdc87a5

commit ababdd1ae1272eac174e3a449a413ab35afbc435
Merge: 66c31e0 4b050b6
Author: Kenny Root <kroot@google.com>
Date: Fri Aug 15 16:23:14 2014 +0000

am 4b050b6f: OpenSSLSocketImpl: Move state checks inside mutex

* commit '4b050b6fb06fbb804557eecc72cc4ff0e0277525':
OpenSSLSocketImpl: Move state checks inside mutex

commit 66c31e0b613ceefc167a2e1fb226a14c78f84537
Merge: f4b895a 0931d51
Author: Kenny Root <kroot@google.com>
Date: Thu Aug 14 20:46:43 2014 +0000

am 0931d51c: OpenSSLSocketImpl: Move state checks inside mutex

* commit '0931d51c58b2dc2f612298f99fbf0fa6ed4c3706':
OpenSSLSocketImpl: Move state checks inside mutex

commit 0931d51c58b2dc2f612298f99fbf0fa6ed4c3706
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 5 15:45:32 2014 -0700

OpenSSLSocketImpl: Move state checks inside mutex

Checking the state of the connection is unreliable if SSL_read and
SSL_write are happening in another thread. Move the state checks inside
our application mutex so we don't run into another thread mutating the
state at the same time.

Bug: 15606096
Change-Id: I5ecdeb1551a13098d1b66c5e4009607c9951fa38

commit f4b895ae9c424b5c2d49c744131606adccbc49d7
Merge: a35c400 a260ee6
Author: Kenny Root <kroot@google.com>
Date: Wed Aug 13 15:35:28 2014 +0000

am a260ee6d: Revert "Revert "Automatic management of OpenSSL error stack""

* commit 'a260ee6d0caea43f8010f158a4a35fb712935ae3':
Revert "Revert "Automatic management of OpenSSL error stack""

commit a35c40017c8690f821351d6460dfeaa2738b884c
Merge: 0edc483 30550a8
Author: Kenny Root <kroot@google.com>
Date: Wed Aug 13 15:35:27 2014 +0000

am 30550a8b: Fix debugging with unbundled conscrypt

* commit '30550a8b64bbcd6ca537680a17b8726932a29937':
Fix debugging with unbundled conscrypt

commit a260ee6d0caea43f8010f158a4a35fb712935ae3
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 12 15:38:10 2014 -0700

Revert "Revert "Automatic management of OpenSSL error stack""

The "else" statement in OpenSslError::reset wasn't properly resetting
the error state which made a second call into sslRead jump into
sslSelect when it should have just returned immediately.

Change-Id: I22e8025c0497a04e78daa07cef78191a6ca1a70c

commit 30550a8b64bbcd6ca537680a17b8726932a29937
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 12 15:13:33 2014 -0700

Fix debugging with unbundled conscrypt

When JNI_TRACE was enabled, there were missing defines for the debugging
code since no platform code is included.

Also clang complains about more of the debugging statement formats, so
we have to move some things around to get it to be happy.

Change-Id: I1a6695c2ef2639cc01cfc3d3a8603f010c659844

commit 0edc4833091846d6cb45961fc9458df842fbbad9
Merge: 107a8fb 2411b8b
Author: Kenny Root <kroot@android.com>
Date: Tue Aug 12 21:46:12 2014 +0000

am 2411b8bd: Merge "Revert "Automatic management of OpenSSL error stack""

* commit '2411b8bdcde72c956f4150e9a5909b7501f50bad':
Revert "Automatic management of OpenSSL error stack"

commit 2411b8bdcde72c956f4150e9a5909b7501f50bad
Merge: 3262a8c b514d72
Author: Kenny Root <kroot@android.com>
Date: Tue Aug 12 21:39:32 2014 +0000

Merge "Revert "Automatic management of OpenSSL error stack""

commit b514d72b93c3996d97e38eca6db1ad684965fd9b
Author: Kenny Root <kroot@android.com>
Date: Tue Aug 12 21:39:17 2014 +0000

Revert "Automatic management of OpenSSL error stack"

This reverts commit 35666e4cb0fcd063a21d17eebbb571b4e4e822b8.

Change-Id: I926d159c4c4b99250caef750732976c1e601e9ef

commit 107a8fba8be5be57933f2638b76ac1243b578b9e
Merge: 1de007f 3262a8c
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 12 15:50:14 2014 +0000

am 3262a8c2: Merge "Automatic management of OpenSSL error stack"

* commit '3262a8c2741b95103149bcdefe2409c24bfddee9':
Automatic management of OpenSSL error stack

commit 1de007f9f01be8f07a56235dd924c897088a03cb
Merge: 94890ae d1bbcd0
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 12 15:50:14 2014 +0000

am d1bbcd0e: Relax checks for key vs cert for wrapped keys

* commit 'd1bbcd0ec973e1b8465c204c13b4925fd86e6484':
Relax checks for key vs cert for wrapped keys

commit 3262a8c2741b95103149bcdefe2409c24bfddee9
Merge: d1bbcd0 35666e4
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 12 15:31:02 2014 +0000

Merge "Automatic management of OpenSSL error stack"

commit d1bbcd0ec973e1b8465c204c13b4925fd86e6484
Author: Kenny Root <kroot@google.com>
Date: Mon Aug 11 14:56:58 2014 -0700

Relax checks for key vs cert for wrapped keys

If a key is a wrapped platform key, we must relax the check. The reason
is that we may not have the public values we need to pass the
EVP_PKEY_cmp checks that this does.

Change-Id: I7ab2be51b0968a9cf771edea01d33fe2367c8185

commit 35666e4cb0fcd063a21d17eebbb571b4e4e822b8
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 5 11:05:00 2014 -0700

Automatic management of OpenSSL error stack

This removes some complexity in remembering to free the OpenSSL error
stack. If you forget, the error will stick around until you make another
call.

Change-Id: I245a525dcc93077b2bf9909a14a0ef469a2daca4

commit 94890aec5735cde2ea5170fb76cd1b847ea66af8
Merge: 8360485 977f087
Author: Kenny Root <kroot@google.com>
Date: Tue Aug 5 16:44:42 2014 +0000

am 977f0877: Fix some JNI_TRACE lines

* commit '977f08774c628b4640d5454cde050259856965f8':
Fix some JNI_TRACE lines

commit 977f08774c628b4640d5454cde050259856965f8
Author: Kenny Root <kroot@google.com>
Date: Mon Aug 4 12:15:04 2014 -0700

Fix some JNI_TRACE lines

During debugging these would be enabled, but they were copy-pasta'd to
with the wrong args.

Change-Id: I23f39ff4807e3fa71f3220912aec3c99db6b9454

commit 83604854c5160304cafefc9bd40a72c5ee8506eb
Merge: 7db3524 1ffe43e
Author: Zoltan Szatmary-Ban <szatmz@google.com>
Date: Thu Jul 31 13:28:57 2014 +0000

am 1ffe43e8: Merge "Add possibility to get deleted system Certificate Aliases" into lmp-dev

* commit '1ffe43e8277e883c6663c1fb7cfc5e18ba552c40':
Add possibility to get deleted system Certificate Aliases

commit 7db3524880092126962b7f502af76b4c84da7350
Merge: 5767d63 ad0cd83
Author: Prameet Shah <phshah@google.com>
Date: Wed Jul 30 17:04:13 2014 +0000

am ad0cd830: Added CLOSED_INBOUND and CLOSED_OUTBOUND states to OpenSSLEngineImpl#getHandshakeStatus()

* commit 'ad0cd83024f38011043d28d70370a8638b88cd72':
Added CLOSED_INBOUND and CLOSED_OUTBOUND states to OpenSSLEngineImpl#getHandshakeStatus()

commit 5767d63d22e87becab387b3bd6597fe41eb34d7e
Merge: b389e17 26163c2
Author: Prameet Shah <phshah@google.com>
Date: Wed Jul 30 16:31:08 2014 +0000

am 26163c26: Added CLOSED_INBOUND and CLOSED_OUTBOUND states to OpenSSLEngineImpl#getHandshakeStatus()

* commit '26163c268a6d2625384b87e907afad8ef19f9a47':
Added CLOSED_INBOUND and CLOSED_OUTBOUND states to OpenSSLEngineImpl#getHandshakeStatus()

commit 26163c268a6d2625384b87e907afad8ef19f9a47
Author: Prameet Shah <phshah@google.com>
Date: Tue Jul 29 16:45:31 2014 -0700

Added CLOSED_INBOUND and CLOSED_OUTBOUND states to OpenSSLEngineImpl#getHandshakeStatus()

Bug: https://code.google.com/p/android/issues/detail?id=73745
Change-Id: I5bcaf3ee8910ff75e785baed4c4604fee6c5e700

commit b389e1779651f2c58454a5f98acebd3dd7bc0061
Merge: 5f03b4d e427972
Author: Prameet Shah <phshah@google.com>
Date: Thu Jul 24 19:46:28 2014 +0000

am e427972e: OpenSSLEngineImpl: fix unwrap behavior with array

* commit 'e427972eb6141cd67e6d4c9607863a8d990e6be6':
OpenSSLEngineImpl: fix unwrap behavior with array

commit 5f03b4d63c7632581b032879de791dc82f05ffa0
Merge: 3d935ee 41eb5b6
Author: Prameet Shah <phshah@google.com>
Date: Tue Jul 22 19:26:41 2014 +0000

am 41eb5b65: OpenSSLEngineImpl: fix unwrap behavior with array

* commit '41eb5b65e524d01e28da474bd37e4349b12fb494':
OpenSSLEngineImpl: fix unwrap behavior with array

commit 41eb5b65e524d01e28da474bd37e4349b12fb494
Author: Prameet Shah <phshah@google.com>
Date: Tue Jul 22 11:50:18 2014 -0700

OpenSSLEngineImpl: fix unwrap behavior with array

The decrypted bytes should written sequentially into each buffer of
the destination array until it's full before moving to the next
buffer.

Change-Id: I2454249c167deafde6c12134d3c8cd658cd7c21b

commit 3d935eeca25e00b56cfd8d37a657c7b2986889b3
Merge: 0a36f6c affd45a
Author: Alex Klyubin <klyubin@google.com>
Date: Fri Jul 18 00:32:14 2014 +0000

am affd45a4: Merge "Improve the Javadoc of PSKKeyManager." into lmp-dev

* commit 'affd45a413cf844dad797ad4972074efb9de43d8':
Improve the Javadoc of PSKKeyManager.

commit 0a36f6c1f8b2e195c2dd5aea1a386df090c6d470
Merge: 6492180 af4fa68
Author: rich cannings <richc@google.com>
Date: Thu Jul 17 23:47:33 2014 +0000

am af4fa685: Merge "Log CCS exceptions do not merge." into lmp-dev

* commit 'af4fa685f246aaa80c93af62faadbc2fe87dc034':
Log CCS exceptions do not merge.

commit 6492180ce17a3b5ff822cff1783f00e7a4176491
Merge: aac4168 3b7268c
Author: Alex Klyubin <klyubin@google.com>
Date: Thu Jul 17 18:27:39 2014 +0000

am 3b7268cd: Merge "Improve the Javadoc of PSKKeyManager."

* commit '3b7268cde4a4fc59591da8a93691927ebf3add57':
Improve the Javadoc of PSKKeyManager.

commit aac4168d8baef7e12d6fa959c6d6ded9892e9651
Merge: 8573ad0 a749c0d
Author: Kenny Root <kroot@google.com>
Date: Thu Jul 17 17:07:05 2014 +0000

am a749c0d3: Keep enough state to completely reset cipher instances

* commit 'a749c0d351216be38879600ee8ed01c6793aa256':
Keep enough state to completely reset cipher instances

commit 8573ad0ddcf7e2f8b2e5ac84c34b7ffab303155c
Merge: 4ca5b06 70fdb6d
Author: Koushik Dutta <koushd@gmail.com>
Date: Thu Jul 17 17:06:36 2014 +0000

am 70fdb6d2: OpenSSLEngine Impl: Fix bug where SSL Handshake never completes when using NPN.

* commit '70fdb6d2bfa0c313fe389827f0025288f6aeb947':
OpenSSLEngine Impl: Fix bug where SSL Handshake never completes when using NPN.

commit 4ca5b0625e3f5a15ae8adf833ab5a69f9d7d517f
Merge: 119abfb ded66f5
Author: Koushik Dutta <koushd@gmail.com>
Date: Thu Jul 17 17:06:35 2014 +0000

am ded66f5f: Various fixes in OpenSSLEngineImpl.

* commit 'ded66f5f696994ce7620552e16a4e9124e69e052':
Various fixes in OpenSSLEngineImpl.

commit 119abfba1fcd9c9cfbd15d0a4ca9ed2188fdfab0
Merge: 5713cdf cbe1f28
Author: Kenny Root <kroot@google.com>
Date: Thu Jul 17 15:56:57 2014 +0000

am cbe1f28a: Merge "Keep enough state to completely reset cipher instances"

* commit 'cbe1f28adf64396561a3b65bf1452dfa9b6e35ae':
Keep enough state to completely reset cipher instances

commit cbe1f28adf64396561a3b65bf1452dfa9b6e35ae
Merge: e08f238 084e308
Author: Kenny Root <kroot@google.com>
Date: Thu Jul 17 15:48:58 2014 +0000

Merge "Keep enough state to completely reset cipher instances"

commit 3b7268cde4a4fc59591da8a93691927ebf3add57
Merge: cbe1f28 7ac13e0
Author: Alex Klyubin <klyubin@google.com>
Date: Thu Jul 17 18:20:43 2014 +0000

Merge "Improve the Javadoc of PSKKeyManager."

commit 5713cdf71c5c6e5179e8369263c702e9512afdd0
Merge: cf55719 e08f238
Author: Koushik Dutta <koushd@gmail.com>
Date: Wed Jul 16 22:05:17 2014 +0000

am e08f2385: OpenSSLEngine Impl: Fix bug where SSL Handshake never completes when using NPN.

* commit 'e08f238580e8ee471012bef8240c8d3397c7b780':
OpenSSLEngine Impl: Fix bug where SSL Handshake never completes when using NPN.

commit cf557195a9b60d7f51a48500afde38481ddbc91c
Merge: cbbd7d1 986aeb7
Author: Kenny Root <kroot@android.com>
Date: Wed Jul 16 21:41:12 2014 +0000

am 986aeb78: Merge "Various fixes in OpenSSLEngineImpl."

* commit '986aeb78e533540463daf1753e24840f75b25ce6':
Various fixes in OpenSSLEngineImpl.

commit e08f238580e8ee471012bef8240c8d3397c7b780
Author: Koushik Dutta <koushd@gmail.com>
Date: Tue Jul 15 22:40:23 2014 -0700

OpenSSLEngine Impl: Fix bug where SSL Handshake never completes when using NPN.

Change-Id: Idc78204b7077fb367b64e1867c807cd39f596f98

commit 7ac13e03a79d0c99d181b1a28b1b3699ba3d5739
Author: Alex Klyubin <klyubin@google.com>
Date: Wed Jul 16 08:33:02 2014 -0700

Improve the Javadoc of PSKKeyManager.

This clarifies several points and adds sample code.

Bug: 15073623
Change-Id: I6e8aadc52277e238a998d6cee36795dab1151d58

commit 986aeb78e533540463daf1753e24840f75b25ce6
Merge: 8f9ac1a bdfcc18
Author: Kenny Root <kroot@android.com>
Date: Wed Jul 16 21:15:30 2014 +0000

Merge "Various fixes in OpenSSLEngineImpl."

commit bdfcc189efe41a3f812aeb55ea634bace67d159a
Author: Koushik Dutta <koushd@gmail.com>
Date: Sat Jun 28 19:19:21 2014 -0700

Various fixes in OpenSSLEngineImpl.

Fix "Buffers were not large enough" exception by directly using the
destination buffers.

Corrections around bytesProduced and bytesConsumed behavior.

Return BUFFER_OVERFLOW if a zero length destination is provided to
unwrap.

Change-Id: I1f1e9b72cd6968ed4f3c3c0edccbccebc33d6790

commit cbbd7d10e8e484c44a78e5b27e8fecda195f1692
Merge: ec7f8e6 fdb7d8c
Author: Alex Klyubin <klyubin@google.com>
Date: Tue Jul 15 18:49:14 2014 +0000

am fdb7d8c5: Enable PSK cipher suites when PSKKeyManager is provided.

* commit 'fdb7d8c53dabac5551e2499d045ba6829bcfc0a0':
Enable PSK cipher suites when PSKKeyManager is provided.

commit ec7f8e6b27330160f88540f4f2ace7bc2a0720a3
Merge: 5b8ccf1 8f9ac1a
Author: Alex Klyubin <klyubin@google.com>
Date: Tue Jul 15 15:53:46 2014 +0000

am 8f9ac1af: Enable PSK cipher suites when PSKKeyManager is provided.

* commit '8f9ac1af0cbdf00e5e47aee32c132522ebc3bd17':
Enable PSK cipher suites when PSKKeyManager is provided.

commit 5b8ccf1b09df6f35c1709bfc8fd727a291094a5b
Merge: 69a2e46 6e2315f
Author: Ed Heyl <edheyl@google.com>
Date: Tue Jul 15 13:34:25 2014 +0000

am 6e2315fd: reconcile aosp (e79c25bf33e10da41e489c537823f678e1a1169c) after branching. Please do not merge.

* commit '6e2315fd96c3c4a47450c1a437babacc94bc31a6':
reconcile aosp (e79c25bf33e10da41e489c537823f678e1a1169c) after branching. Please do not merge.

commit 084e3086be1d7a6b9280b64c7c8cdb7b41a13bea
Author: Kenny Root <kroot@google.com>
Date: Mon Jul 14 13:25:32 2014 -0700

Keep enough state to completely reset cipher instances

OpenSSL's RC4 mutates the given key. AES/CTR mutates the IV. We must
store these values locally to enable "doFinal" to cause the Cipher
instance to be reset to what it was right after "init".

Note that resetting and encrypting with the same key or IV breaks
semantic security.

Bug: 16298401
Bug: https://code.google.com/p/android/issues/detail?id=73339
Change-Id: Ie7e4dcb6cf6cc33ddad31d6b47066dc1b34e6894

commit 69a2e460cc0a40e1b951e400589b9932609079ec
Merge: 8b7bb32 bca895f
Author: David Benjamin <davidben@chromium.org>
Date: Mon Jul 14 18:17:28 2014 +0000

am bca895f8: Pass output buffer length into EVP_DigestSignFinal.

* commit 'bca895f809dd2cef7a0834f0bfeb2a06e42b277d':
Pass output buffer length into EVP_DigestSignFinal.

commit 8b7bb32af09a01e80442b70dd23e6997a937f103
Merge: a2404c9 e79c25b
Author: Kenny Root <kroot@google.com>
Date: Mon Jul 14 18:17:28 2014 +0000

am e79c25bf: Merge "DHKeyPairGenerator: use provided params"

* commit 'e79c25bf33e10da41e489c537823f678e1a1169c':
DHKeyPairGenerator: use provided params

commit 8f9ac1af0cbdf00e5e47aee32c132522ebc3bd17
Author: Alex Klyubin <klyubin@google.com>
Date: Thu Jun 19 13:37:24 2014 -0700

Enable PSK cipher suites when PSKKeyManager is provided.

This enables TLS-PSK cipher suites by default iff SSLContext is
initialized with a PSKKeyManager. For consistency, X.509 based
cipher suites are no longer enabled by default at all times -- they
are now only enabled by default iff SSLContext is initialized with a
X509KeyManager or a X509TrustManager.

When both X.509 and PSK cipher suites need to be enabled, PSK cipher
suites are given higher priority in the resulting list of cipher
suites. This is based on the assumption that in most cases users of
TLS/SSL who enable TLS-PSK would prefer TLS-PSK to be used when the
peer supports TLS-PSK.

Bug: 15073623
Change-Id: I8e2bc3e7a1ea8a986e468973b6bad19dc6b7bc3c

commit bca895f809dd2cef7a0834f0bfeb2a06e42b277d
Author: David Benjamin <davidben@chromium.org>
Date: Thu Jul 10 18:12:08 2014 -0400

Pass output buffer length into EVP_DigestSignFinal.

EVP_DigestSignFinal expects the input buffer length as *siglen on input. In
addition, if sigret is NULL, it returns the buffer size needed. Use this rather
than making assumptions about the EVP_PKEY used to initialize the EVP_MD_CTX.

commit e79c25bf33e10da41e489c537823f678e1a1169c
Merge: a328492 9b226f9
Author: Kenny Root <kroot@google.com>
Date: Fri Jul 11 16:46:23 2014 +0000

Merge "DHKeyPairGenerator: use provided params"

commit 9b226f90a992a4a2267b7a813e3b869851945c4d
Author: Kenny Root <kroot@google.com>
Date: Thu Jul 10 14:50:48 2014 -0700

DHKeyPairGenerator: use provided params

If the prime is provided in the DHParameterSpec, then use it to generate
the key.

Bug: 16188130
Change-Id: I42de02c71a58d691ef7ba6e2252367105687b758

Bug: 18388980

Change-Id: I853b02a32db113a5af3f6166e7d61fab58c3ff73
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
fdb7d8c53dabac5551e2499d045ba6829bcfc0a0 19-Jun-2014 Alex Klyubin <klyubin@google.com> Enable PSK cipher suites when PSKKeyManager is provided.

This enables TLS-PSK cipher suites by default iff SSLContext is
initialized with a PSKKeyManager. For consistency, X.509 based
cipher suites are no longer enabled by default at all times -- they
are now only enabled by default iff SSLContext is initialized with a
X509KeyManager or a X509TrustManager.

When both X.509 and PSK cipher suites need to be enabled, PSK cipher
suites are given higher priority in the resulting list of cipher
suites. This is based on the assumption that in most cases users of
TLS/SSL who enable TLS-PSK would prefer TLS-PSK to be used when the
peer supports TLS-PSK.

Bug: 15073623

(cherry picked from commit 8f9ac1af0cbdf00e5e47aee32c132522ebc3bd17)

Change-Id: Icd7fe066147a6b2fc64d807204cc99f6af821313
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
b860016f415dfc5655dcee45f70e8871a2e3edfe 17-Jun-2014 Brian Carlstrom <bdc@google.com> Remove

Change-Id: Iea7c633eb68df576bf72314ff5ce31bc8094d9ce
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
35f7742cbada75ba2ba2c57ef7014392eea3839d 19-Jun-2014 Alex Klyubin <klyubin@google.com> Make setEnabledProtocols/CipherSuites copy their inputs.

SSLSocket, SSLServerSocket, and SSLEngine offer setEnabledProtocols
and setEnabledCipherSuites methods which take an array of protocols
or cipher suites as input. If these methods store references to the
input arrays, then the internal state (lists of enabled protocols and
cipher suites) of SSLSocket, SSLServerSocket, and SSLEngine could be
modified without going through the setter methods of these classes.

Bug: 15753142
Change-Id: Ia5248050d81320ed1da99892278bd60872605f52
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
f17361e797e5538e5c17b2ef6ef0f992bbc493fe 19-Jun-2014 Alex Klyubin <klyubin@google.com> Remove unnecessary comments in SSLParametersImpl.

This is a follow-up cleanup requested during the code review of
ae2ecac00779167b0381c48da7c612567d1c646f.

Change-Id: I6c8ac2392c5f88ee732f5aa204e20cc1ee7e32d8
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
ae2ecac00779167b0381c48da7c612567d1c646f 30-May-2014 Alex Klyubin <klyubin@google.com> SSLParametersImpl is the source of enabled cipher suites and protocols.

An instance of SSLParametersImpl is associated with SSLContext and is
then cloned into any SSLSocketFactory, SSLServerSocketFactory,
SSLSocket, SSLServerSocket, and SSLEngine. This CL ensures that all
these primitives obtain their list of enabled cipher suites and
protocols from their instance of SSLParametersImpl.

Bug: 15073623
Change-Id: I40bf32e8654b299518ec0e77c3218a0790d9c4fd
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
01cce891dd313a0fb9d4694283f2a13fb5c43afe 09-May-2014 Alex Klyubin <klyubin@google.com> Expose support for TLS-PSK.

TLS-PSK (Pre-Shared Key) is a set of TLS/SSL cipher suites that use
symmetric (pre-shared) keys for mutual authentication of peers. These
cipher suites are in some scenarios more suitable than those based on
public key cryptography and X.509. See RFC 4279 (Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)) for more information.

OpenSSL currently supports only the following PSK cipher suites:
* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
* TLS_PSK_WITH_3DES_EDE_CBC_SHA
* TLS_PSK_WITH_AES_128_CBC_SHA
* TLS_PSK_WITH_AES_256_CBC_SHA
* TLS_PSK_WITH_RC4_128_SHA

The last four cipher suites mutually authenticate the peers and
secure the connection using a pre-shared symmetric key. These cipher
suites do not provide Forward Secrecy -- once the pre-shared key is
compromised, all previous communications secured with that key can be
decrypted. The first two cipher suites combine the pre-shared
symmetric key with an ephemeral key obtained from an ECDH key
exchange performed during the TLS/SSL handshake, thus providing
Forward Secrecy.

Users of TLS-PSK are expected to provide an implementation of
PSKKeyManager to SSLContext.init and then enable at least one PSK
cipher suite in SSLSocket/SSLEngine.

Bug: 15073623
Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
3e46e4ee56c8e37158f46941dedd5b436d724baa 23-May-2014 Kenny Root <kroot@google.com> Unbundle: hacks to let Conscrypt compile standalone

This is the first pass at getting Conscrypt to compile standalone. It
works fine in apps currently. There are a few TODOs to fix.

Change-Id: I9b43ba12c55e04c8897ccacf38979ca671a55a26
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
767fda1ec66f2e2bf8a8f5fe17841906338b9471 13-May-2014 Alex Klyubin <klyubin@google.com> Get rid of some warnings.

Change-Id: I87f3ad5374d89e8acfdd78fe5af4b02be483cd3d
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
a132fc92896da9372f9a34ab1d6dca52c467d2f6 12-May-2014 Kenny Root <kroot@google.com> Turn off verify peer for servers with no client auth

Since the default is now SSL_VERIFY_PEER, as a server we need to
explicitly set that we don't want a client certificate by setting
SSL_VERIFY_NONE.

Change-Id: I740389cc59ef8cb444a0e504838a1c0591df2bf9
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
2a9ca52cd6a26a5db6df8148e4a1bcdf3d4d0aac 01-May-2014 Kenny Root <kroot@google.com> Call SSL_set_alpn_protos with right native pointer

This change was missed during rebase of the OpenSSLEngine code since
this used to be SSL_CTX_set_alpn_protos.

Bug: 14273022
Change-Id: Ib72b27c8d5a4ddfde4e0c0ee2ab97bfb039c7f56
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
f878e438660d93f8689b864165230492e7a412d4 08-Nov-2013 Kenny Root <kroot@google.com> Add OpenSSLEngineImpl

Add support for SSLEngine via OpenSSL APIs. Currently this supports just
the basic SSLEngine functionality. It can be improved in efficiency and
performance, but it appears not to leak anything and be correct
according to our test suites.

Change-Id: Iea2dc3922e7c30e26daca38361877bd2f88ae668
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
3c072fb087eaa1a363fc673c60f5ef65390e356f 07-Nov-2013 Kenny Root <kroot@google.com> Refactor OpenSSLSocketImpl

Move functionality that will be shared with OpenSSL's SSLEngine
implementation out of OpenSSLSocketImpl and into the (soon-to-be) shared
SSLParametersImpl.

The functionality should stay the same.

Change-Id: If8faa3ad2c9c73c0a0cd4b9716639b362b2b26a1
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
f111f6235d016ce54ab95a2c634a400efe29f24b 31-Mar-2014 Kenny Root <kroot@google.com> Remove SSLEngineImpl

This is replaced by OpenSSL-backed SSLEngineImpl.

Change-Id: I7b51f6fa772e431c6283008535bfec90821d0bef
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
b3c6484a539961803e2709c9e3859d241ae00b12 24-Mar-2014 Alex Klyubin <klyubin@google.com> Correctly handle empty arrays in SSLContext.init.

The contract of SSLContext.init is that empty arrays of
KeyManager/TrustManager in its parameters are handled differently
from null arrays. This CL adjusts the behavaior to match the
contract. Namely, empty arrays mean that SSLContext is being
initialized without any KeyManagers/TrustManagers rather than with
default ones.

Bug: 13563675
Change-Id: I52adc5e7143d4f050be0b22b3b464c10bb97d102
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
d2cced8b10f5e4f600a5eb9464eba0da7c8f09de 20-Mar-2014 Kenny Root <kroot@google.com> Use the new endpointVerificationAlgorithm API

Use the new X509ExtendedTrustManager and use the new
getEndpointVerificationAlgorithm to check the hostname during the
handshake.

Bug: 13103812
Change-Id: Id0a74d4ef21a7d7c90357a111f99b09971e535d0
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
4a4a74e84ee407eb49a01cf2325ea34fc92ed1a4 21-Mar-2014 Alex Klyubin <klyubin@google.com> Leave SSLParametersImpl.getDefaultX509TrustManager public.

I renamed this method from getDefaultTrustManager to
getDefaultX509TrustManager and erroneously made it private in
8d63ff1384e46407a7618df2b79b2b455795c396. I missed the fact that
it's being used from framework's
android.net.http.CertificateChainValidator.

This CL reverts this method to being public again.

Bug: 13563574
Change-Id: I601c651d631f5a2e4a04d21941186553988e5286
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
8d63ff1384e46407a7618df2b79b2b455795c396 19-Mar-2014 Alex Klyubin <klyubin@google.com> Support TLS/SSL without X509TrustManager or X509KeyManager.

This makes TLS/SSL primitives operate as expected when no
X509TrustManager or X509KeyManager is provided. Instead of blowing up
with KeyManagementException or NullPointerException (or similar) when
X509TrustManager or X509KeyManager is not provided, this CL makes
SSLContext.init accept such setup, and makes SSLSocket and SSLEngine
reject certificate chains, select no private keys/aliases, and accept
no certificate issuers.

Bug: 13563574
Change-Id: I8de58377a09025258357dd4da9f6cb1b6f2dab80
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java
860d2707ce126ef8f66e3eac7ceeab6d24218cd8 24-Apr-2013 Kenny Root <kroot@google.com> Move JSSE to new package

To help with shipping the JSSE with apps that want to bundle it, move
it to a new package so that the tangles in other parts of the library
can be untangled.

Change-Id: I810b6861388635301e28aee5b9b47b8e6b35b430
/external/conscrypt/src/main/java/org/conscrypt/SSLParametersImpl.java