efe5c66651fcd9b342d781cdfc02a1069a86e210 |
|
16-Jun-2015 |
Kenny Root <kroot@google.com> |
Update NativeCryptoTest Test both client and server. Also we expect a SSLHandshakeException instead of an SSLProtocolException in one case. Bug: 21207627 (cherry picked from commit 5429f72d9c1e7bc6379e917e9b9116f1b0292b28) Change-Id: If895b03e2cece3a1a8d2f074a557c68f55a7021e
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
f7ab43f5e5861ddcc2549eae1fcb38c4a7eed54f |
|
22-Jun-2015 |
Sergio Giro <sgiro@google.com> |
Merge "external/conscrypt: remove assertion SSL_OP_NO_SSLv2 is set" into mnc-dev
|
f940fc2d9e7d5af16734f442be5235f65c866668 |
|
19-Jun-2015 |
Sergio Giro <sgiro@google.com> |
external/conscrypt: remove assertion SSL_OP_NO_SSLv2 is set SSL_OP_NO_SSLv2 is not a flag anymore (defined as 0 in ssh.h) Bug: 21875962 (cherry picked from commit 97e54bdde00eae7ffe4eb382e3f2702af4a2197b) Change-Id: I52004b893768b087577c078dcd1ba0ae1bdea911
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
1d7e7b3c1d81c1d73451e20be8937da9e842ce6b |
|
16-Jun-2015 |
Sergio Giro <sgiro@google.com> |
conscrypt: change test of SSL_set_cipher_lists NativeCrypto.SSL_set_cipher_lists can accept the empty list as per c/154191 Bug: 21816861 (cherry picked from commit c0010ca585f9cdc1f09846e2d75a0a8f82420476) Change-Id: I6cf7563417d8b6fb9edbeade0947726275a76c18
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
d82dc06faee760a737da6f2755a9063637c206e3 |
|
19-May-2015 |
Adam Langley <agl@google.com> |
Add isFinite flag to OpenSSLBIOInputStream. The BIO created by OpenSSLBIOInputStream currently returns -1 and sets the retry flag when read() returns zero on the underlying InputStream. This is correct for “infinite” streams (like a socket), but isn't correct for streams that have a definitive EOF. This change adds a flag to OpenSSLBIOInputStream so that cases where the input is finite (i.e. when parsing a PKCS#7 or X.509 block) can correctly return 0 at EOF from |BIO_read|. (cherry picked from commit 66537ee0121bdd14737191d14927da223f0809ee) Bug: 21396526 Bug: 21209493 Change-Id: Iaad5845621ab8b89b42d5d3ca8e67e297278ca55
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
f79c90d56464e254ce8645f886ec0ca47573ced1 |
|
24-Apr-2015 |
Adam Langley <agl@google.com> |
external/conscrypt: add NativeConstants. NativeConstants.java is generated by a C program and thus the values will automatically be kept in sync with the contents of the OpenSSL headers. Bug: 20521989 Change-Id: Ib5a97bf6ace05988e3eef4a9c8e02d0f707d46ad
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
ddcacec3f4f08759f3652a2efebd8b696a87fc4d |
|
24-Apr-2015 |
Kenny Root <kroot@google.com> |
ECKeyPairGenerator: switch default curve to 256 bits Also add a test to make sure that we have only valid curves in our list. Change-Id: I3f63014c11e92c94bf6c9a20ea5fb8050581978c
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
796ed069bc90d1de9f45ea1f746edaeec8081ed3 |
|
18-Mar-2015 |
Sergio Giro <sgiro@google.com> |
conscrypt: throw exception for null references in NativeCrypto Adapted tests to use "null" instead of an Object with a null context, as null contexts are now rejected by constructors. bug: 19657430 Change-Id: I47ebfde7170e1818afd64a75a8e4bc1e1d588aea
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
7dc06b9e323ba7f227709b5941324f9c3a46fe4f |
|
26-Nov-2014 |
Kenny Root <kroot@google.com> |
Convert EC_GROUP and EC_POINT to new style Bug: 16656908 Change-Id: Ie912f376f69327ce634cac50763bf86b418049f5
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
4757cdbe3c9e06f243a8cb07086ced5537d69af2 |
|
26-Nov-2014 |
Kenny Root <kroot@google.com> |
Switch EVP_CIPHER_CTX to new style Bug: 16656908 Change-Id: Id519c20474a02c70e72d362bc84d26855a74fa33
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
37e58bbef60b18389074d8ef8a8c470e47f3d7ee |
|
25-Nov-2014 |
Kenny Root <kroot@google.com> |
Convert EVP_PKEY to new style To avoid conflicts in the language spec and how Conscrypt does native calls, we need to wrap all native references in a Java object reference. Calling NativeCrypto's static native methods with a raw pointer doesn't guarantee that the calling object won't be finalized during the method running. This pass fixes EVP_PKEY references, but more passes are needed. Bug: 16656908 Change-Id: I5925da40cb37cd328b3a126404944f771732a43e
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
4bff0a15ae03c8a3e1ae95590cc8c4240837bff6 |
|
25-Nov-2014 |
Kenny Root <kroot@google.com> |
Convert EVP_MD_CTX to new style To avoid conflicts in the language spec and how Conscrypt does native calls, we need to wrap all native references in a Java object reference. Calling NativeCrypto's static native methods with a raw pointer doesn't guarantee that the calling object won't be finalized during the method running. Bug: 16656908 Change-Id: I165e041a8fe056770d6ce6d6cd064c411575b7c4
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
e84805ba493b27958637b4d079751f10a4d0fc6f |
|
25-Nov-2014 |
Kenny Root <kroot@google.com> |
Remove Conscrypt support for DSA BoringSSL removes support for DSA, so there's no point in maintaining this now. There have been virtually zero SSL certificates issued using DSA for many years as well. Change-Id: Id940643b85ba39b03038aabc6da9ec0285db66c4
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
de5225d1ebe7b3a5f3565539685fcd95348ae815 |
|
07-Oct-2014 |
Adam Langley <agl@google.com> |
Allow conscrypt to work with BoringSSL. This is quite a substantial change because of the changes to ENGINEs in BoringSSL. For the most part, #ifs are used to allow the code to work with either OpenSSL or BoringSSL. However, in several places, support for things that BoringSSL is dropping have been removed, even when OpenSSL is used. This includes DSA keys and tests for the ENGINE bits that are going away because it's unclear how to skip compiling those tests. Change-Id: I941a5ed232391f84b45e070c19d2ffb7ad162b7b
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
e53baea9221be7f9828d0f338ede284e22f55722 |
|
13-Nov-2014 |
Alex Klyubin <klyubin@google.com> |
Remove support for DSS TLS/SSL cipher suites. This is in preparation for migration from OpenSSL to BoringSSL. BoringSSL does not support DSS. DSS cipher suites are used by a vanishingly tiny fraction of the Android ecosystem. In all cases, the server's SSL certificate is self-signed (rather than CA issued), making it easy to switch to a new self-signed certificate which is based on RSA or ECDSA. Bug: 17409664 Change-Id: I91067ca9df764edd2b7820e5dec995f24f3910a1
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
b9bfe69f1c205ab67a03e10a01e2cc90871a0879 |
|
18-Nov-2014 |
Alex Klyubin <klyubin@google.com> |
Fix null elements in X509KeyManager.chooseClientAlias keyTypes. This fixes an issue where client certificate types requested by the server from the client, but not known by the client, manifest themselves as null elements in X509KeyManager.chooseClientAlias keyTypes argument. The root cause was that for each element in the CertificateRequest.certificate_types array an element was output into the keyTypes array. For unknown values of certificate_type, a null was output. This CL fixes the issue by ignoring unknown values in certificate_types array. Bug: 18414726 Change-Id: I8565e19a610c0ecfb7cab1b7707c335e0eeb8d89
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
9a4f1dfbeea80ec52c0d551afceb68435798c1a8 |
|
10-Sep-2014 |
Kenny Root <kroot@google.com> |
Fix the ENGINE_finish/ENGINE_free mixup The tests were calling finish when it meant free. This caused tests to segmentation fault next time the ENGINE was looked up in the dynamic engine list. (cherry picked from commit 984b7ec6f5aab314117949a48e448ff4f6b65f16) Bug: 14994037 Change-Id: If7379fee26f7e79fa0b43104ac9d13b4ffb62ba8
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
978e2e1e44570bdbac7b3538c5e198d8ff645202 |
|
17-Jun-2014 |
Alex Klyubin <klyubin@google.com> |
Assert that the padding extension is enabled by default. Change-Id: I1c8aa589e3274bfd3a5fc66c3e948828903c1966
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
ea7cf2a1bacb8293947ad5168bc41bdb39e6a3f0 |
|
13-Jun-2014 |
Alex Klyubin <klyubin@google.com> |
Make TLS Channel ID tests use ECDHE_RSA key exchange. TLS Channel ID requires ECDHE-based key exchange. Change-Id: I722135c96a3ce700dcdf1646d2a71654923bb85c
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
01cce891dd313a0fb9d4694283f2a13fb5c43afe |
|
09-May-2014 |
Alex Klyubin <klyubin@google.com> |
Expose support for TLS-PSK. TLS-PSK (Pre-Shared Key) is a set of TLS/SSL cipher suites that use symmetric (pre-shared) keys for mutual authentication of peers. These cipher suites are in some scenarios more suitable than those based on public key cryptography and X.509. See RFC 4279 (Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)) for more information. OpenSSL currently supports only the following PSK cipher suites: * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 * TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 * TLS_PSK_WITH_3DES_EDE_CBC_SHA * TLS_PSK_WITH_AES_128_CBC_SHA * TLS_PSK_WITH_AES_256_CBC_SHA * TLS_PSK_WITH_RC4_128_SHA The last four cipher suites mutually authenticate the peers and secure the connection using a pre-shared symmetric key. These cipher suites do not provide Forward Secrecy -- once the pre-shared key is compromised, all previous communications secured with that key can be decrypted. The first two cipher suites combine the pre-shared symmetric key with an ephemeral key obtained from an ECDH key exchange performed during the TLS/SSL handshake, thus providing Forward Secrecy. Users of TLS-PSK are expected to provide an implementation of PSKKeyManager to SSLContext.init and then enable at least one PSK cipher suite in SSLSocket/SSLEngine. Bug: 15073623 Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
81c666781f8e24242e997e2666b656b240c5a145 |
|
19-May-2014 |
Kenny Root <kroot@google.com> |
NativeCryptoTest: fix shutdown test These weren't actually testing that the exceptions were thrown before. Since we actually throw now, make sure we're throwing the expected exception type. Change-Id: I57b11492118dd7c04faa57c58de7b023294b179c
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
767fda1ec66f2e2bf8a8f5fe17841906338b9471 |
|
13-May-2014 |
Alex Klyubin <klyubin@google.com> |
Get rid of some warnings. Change-Id: I87f3ad5374d89e8acfdd78fe5af4b02be483cd3d
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
68a3f229cd71c1367173ebc31e5363293b9b5dbc |
|
13-May-2014 |
Kenny Root <kroot@google.com> |
SSL: also allow calls to read/write after cutthrough Also add test to make sure this works. Bug: 14832989 Change-Id: I046111cdcc4086a7104d462696078a767e86b12c
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
a132fc92896da9372f9a34ab1d6dca52c467d2f6 |
|
12-May-2014 |
Kenny Root <kroot@google.com> |
Turn off verify peer for servers with no client auth Since the default is now SSL_VERIFY_PEER, as a server we need to explicitly set that we don't want a client certificate by setting SSL_VERIFY_NONE. Change-Id: I740389cc59ef8cb444a0e504838a1c0591df2bf9
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
f878e438660d93f8689b864165230492e7a412d4 |
|
08-Nov-2013 |
Kenny Root <kroot@google.com> |
Add OpenSSLEngineImpl Add support for SSLEngine via OpenSSL APIs. Currently this supports just the basic SSLEngine functionality. It can be improved in efficiency and performance, but it appears not to leak anything and be correct according to our test suites. Change-Id: Iea2dc3922e7c30e26daca38361877bd2f88ae668
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
3c072fb087eaa1a363fc673c60f5ef65390e356f |
|
07-Nov-2013 |
Kenny Root <kroot@google.com> |
Refactor OpenSSLSocketImpl Move functionality that will be shared with OpenSSL's SSLEngine implementation out of OpenSSLSocketImpl and into the (soon-to-be) shared SSLParametersImpl. The functionality should stay the same. Change-Id: If8faa3ad2c9c73c0a0cd4b9716639b362b2b26a1
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
ad73400e9d5c7048fcf2980b75ea45e2aac8fb39 |
|
07-Apr-2014 |
Kenny Root <kroot@google.com> |
NativeCryptoTest: use correct digest name Change-Id: Ib216b04f302d6bfaf72f8e4aae42de8cccd89384
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
19fdf1af6bada9ebf4820839780d8713ac3824fa |
|
10-Apr-2014 |
Kenny Root <kroot@google.com> |
Convert calls to BIO_free to BIO_free_all If we have a chain of BIO, we want to free the entire chain. Otherwise, we might accidentally leave references sitting around. This shouldn't matter for our current use-case, but might help in the future. Change-Id: I586937629e1e4f2e80b5feefe2f49a85e8a31d31
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
f8a9b546d57c4731805e73e1e96ff2fb3e77d6e0 |
|
31-Mar-2014 |
Kenny Root <kroot@google.com> |
ALPN: change socket calls to SSL_set_alpn_protos Calling SSL_CTX_set_alpn_protos appears to be detrimental to thread safety since the implementation of it resets the values. It's not idempotent to call it multiple times like SSL_CTX_enable_npn. Bug: https://code.google.com/p/android/issues/detail?id=67940 Change-Id: I09ed9e75d08528300b86201c3e847b26702d4284
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
d2cced8b10f5e4f600a5eb9464eba0da7c8f09de |
|
20-Mar-2014 |
Kenny Root <kroot@google.com> |
Use the new endpointVerificationAlgorithm API Use the new X509ExtendedTrustManager and use the new getEndpointVerificationAlgorithm to check the hostname during the handshake. Bug: 13103812 Change-Id: Id0a74d4ef21a7d7c90357a111f99b09971e535d0
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
652ff53bd48ed61389337a42d8e50cdb7ace0fec |
|
24-Feb-2014 |
Kenny Root <kroot@google.com> |
Fix up concurrent use of APIs Code that is incorrectly using MessageDigest, Signature, or Mac in multiple threads simultaneously could cause a SEGV if OpenSSL is clearing out the MD_CTX at the same time another thread is trying to write to it. Make sure we initialize a new MD_CTX after each run to avoid crashing. The program using the instances concurrently is still wrong and will most likely get inconsistent results. Switch to using a context object instance to make sure we can hold a reference to the object during the native call. Bug: 8787753 Change-Id: I2518613a47cf03c811a29d17040804fc708394dd
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
60f83802801e224b51afac6c27c19e7c3d65ddc3 |
|
04-Feb-2014 |
Alex Klyubin <klyubin@google.com> |
Harden (EC)DSA signatures against weak nonces. Private key information is leaked by (EC)DSA signatures when nonces are produced by a weak RNG. This CL enables a mitigation provided by OpenSSL: mix in private key and message being signed into randomly generated nonce. Provided private key was generated by strong RNG, this should mitigate the weakness. NOTE: This mitigation is not implemented for signatures which use hardware-backed private keys (AndroidKeyStore). Change-Id: I60dbf57bff3cfcdcbbeb18be5d9dfba523cc6bb8
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
7c2b4ae9455185974ffe5ec1804c8980fe429635 |
|
13-Feb-2014 |
Alex Klyubin <klyubin@google.com> |
Throw instead of segfaulting when NULL EVP_PKEY encountered. Change-Id: Idba6702dd43e541b51c990fc3440a17351e6def9
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
5b1934c717914323ddb0395f549ae11075a587da |
|
01-Feb-2014 |
Kenny Root <kroot@google.com> |
NativeCrypto: Handle 0-byte bignum arrays Some DSA tests were calling with bignum arrays that had the high bit set indicating a negative number. Also an empty array was being passed as another part of the test. This was working, but it was reading one byte past the end of the buffer. Change-Id: Ibd5a0dce61703ea569fd483f8acf66fd149703f8
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
2d089e18deae231149737cad6ce00f1e137a7199 |
|
21-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Stop depending on CipherSuite in OpenSSL-backed sockets. This is in preparation for removing Harmony-backed TLS/SSL implementations. Change-Id: Ic108e16d086fb99b69f0a4e4faeb816dc50a7643
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
f087968310bb5233b76ad42841eb07e3c327f40f |
|
05-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
BEAST attack mitigation for OpenSSL-backed SSLSockets. This enables 1/n-1 record splitting for SSLSocket instances backed by OpenSSL. OpenSSL change: https://android-review.googlesource.com/#/c/69253/ Bug: 11514124 Change-Id: I3fef273edd417c51c5723d290656d2e03331d68a
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
0e9746b7b132058651155b33f219c7789997985b |
|
13-Sep-2013 |
Kenny Root <kroot@google.com> |
Conscrypt: use certificate references in SSL code Instead of marshalling and unmarshalling to ASN.1 DER, just use references to OpenSSL X509 objects everywhere applicable. Change-Id: I1a28ae9232091ee199a9d4c7cd3c7bbd1efa1ca4
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
97d151b258d226b3afc1b3588171b283ec3f8046 |
|
06-Sep-2013 |
Kenny Root <kroot@google.com> |
Make sure ChannelID key is initialized This test used the test ChannelID key, but it didn't make sure it was initialized first. This made it appear sometimes depending on the order the tests were executed. (cherry picked from commit debfff83084b79b65c092cfe72ebea9d9a9548d6) Bug: 10210673 Change-Id: I5212e265611208ecb641a7d6b403985df603cb03
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
6fcf0cbeec79d1f2491d8d0774fdb314fc419ba3 |
|
25-Jun-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: Add ALPN support This adds the ability to use Application-Layer Protocol Negotiation (ALPN) as both a client and a server. ALPN is essentially like Next Protocol Negotiation (NPN) but negotiation is done in the clear. This allows the use of other protocols on the same port (e.g., SPDY instead of HTTP on port 80). Although previously clients using NPN were able to use cut-through, the new ALPN API does not provide for a way for a client to enable that during a callback. So the only difference is that NPN clients can enable SSL False Start while ALPN clients cannot currently. Change-Id: I42ff70f3711e9cccaf754d189f76eeaa9db5f981
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
1ecc0481f90d32b89b3b051cad70efe07468acd0 |
|
03-May-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: move key conversion to Java Key type conversion in native code is from the legacy period before the OpenSSLKey class existed. Use that to hold PKEY reference instead of converting it in native code. Change-Id: I84e9a6e1f2e0f95d2f44c18fa9f65cd15e039d63
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|
860d2707ce126ef8f66e3eac7ceeab6d24218cd8 |
|
24-Apr-2013 |
Kenny Root <kroot@google.com> |
Move JSSE to new package To help with shipping the JSSE with apps that want to bundle it, move it to a new package so that the tangles in other parts of the library can be untangled. Change-Id: I810b6861388635301e28aee5b9b47b8e6b35b430
/external/conscrypt/src/test/java/org/conscrypt/NativeCryptoTest.java
|