| 27312c09f4968974b780741f11d7222e8a536065 |
|
18-May-2017 |
Nathan Mittler <nathanmittler@google.com> |
Fix unwrap bug for large messages. (#189)
If you write a record and don't have enough destination buffer space to read all the plaintext, the plaintext gets left in the plaintext buffer and the next record you write ends up in the ciphertext buffer (and you read the leftover plaintext from the last record), and you continue to have a record sitting in the ciphertext buffer until you get two records that don't fit in the buffer together, at which point you get the short write and subsequent exception.
Also added a test to verify the bug.
Fix length checks for signed vs unsigned
(Squash commit of 3264c8c17ddd7981aad0e8e7ea932efca1002dcb and
101b17c9e94b77c77b2981269c46bb2441dff332)
Test: cts-tradefed run cts -m CtsLibcoreOkHttpTestCases -a arm64-v8a
Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a
Bug: 38228478
Change-Id: I698b89e6d97223ead980108416f1a203d181d35f
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| de343bb1ee01e6a866ffd484ecd897d0cac19014 |
|
02-Mar-2017 |
David Benjamin <davidben@google.com> |
Configure OCSP and SCTs on the SSL, not SSL_CTX.
As Conscrypt is currently set up, one SSL_CTX (owned, ultimately, by the
SSLContext) may correspond to multiple SSLParameters which, in the Java
API, are configured on the SSLSocket or SSLEngine directly. Thus we
should use the SSL versions of the APIs which now exist. This avoids
mutating an SSL_CTX which may be shared by multiple SSLs with different
configurations.
Change-Id: I19485c316087004c6050d85520b0169f2ca0d493
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| 5efa30bb44aaa6fad687d7670e83097f92b9e81f |
|
03-Mar-2017 |
Nathan Mittler <nathanmittler@google.com> |
Exposing SSL_max_seal_overhead (#135)
Also adding a method to calculate the maximum buffer size required for a wrap operation.
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| e56553fdded69eab40c8a67ddf606a00c477b9df |
|
01-Mar-2017 |
Ben Sidhom <sidhom@google.com> |
Relax socket timeout for NativeCrypto.SSL_read
The timeout logic is overly strict, causing excessive timeouts.
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| bdd8a19b0f32868c3ce58b6db6833cd494ef1f69 |
|
23-Feb-2017 |
Adam Vartanian <flooey@google.com> |
Don't throw away all altnames when a bad one is seen
Conscrypt is strict in following RFC 5280's requirement that DNS
alternative names listed in X.509 certificates must be IA5Strings (aka
7-bit ASCII), with international domain names encoded in Punycode,
but the existing implementation throws an exception when it encounters
a nonconforming name, which results in the entire list of altnames
being discarded whenever any of them are invalid.
This change makes it so that only the nonconforming name is ignored,
returning any other conforming names.
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| bfab4d650d92fc8075a19fc73489641fcf91946a |
|
23-Feb-2017 |
Robert Sloan <varomodt@google.com> |
Remove DHE
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| 43ca6ce6b7a5520a6ecde192ccac4e5de3d709ce |
|
22-Feb-2017 |
Ben Sidhom <bsidhom@gmail.com> |
Minimize buffer copy penalty in SSL read/write. (#93)
* Minimize buffer copy penalty in SSL read/write.
This change is an attempt to address performance issues in
NativeCrypto.SSL_read and SSL_write when large buffer sizes are used.
It attempts to guess whether Get/ReleaseByteArrayElements will result in
copies between native code and the JVM. If so, Get/SetByteArrayRegion is
used instead, operating on small chunks of the target buffer and
ensuring that at most one copy per region crosses the JNI boundary.
This uses the same strategy as the cipher streaming code here:
https://github.com/google/conscrypt/blob/196ca9aad6223e2962e1330cff9e885c569c20ca/common/src/jni/main/cpp/NativeCrypto.cpp#L2410.
See https://github.com/google/conscrypt/pull/89 for additional context.
* Clear exception if bytes are available.
If an FD-closed exception is encountered after bytes have been
successfully read, clear the exception and attempt to return the partial
result. Rely on subsequent calls to sslRead regenerating the exception.
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| 196ca9aad6223e2962e1330cff9e885c569c20ca |
|
08-Feb-2017 |
David Benjamin <davidben@davidben.net> |
Don't call SSL_get_state. (#77)
SSL_state_string_long provides a string which is more readable for
humans. We plan to unexport the numerical value to prevent code from
depending on implementation details of the state machine. The
string-based APIs will probably stay for debugging as they're much less
likely to be acted on programmatically.
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| d5de6e4adf5bf6016c4f397c4d12e09a9ab1a4ab |
|
02-Feb-2017 |
Kenny Root <kenny@the-b.org> |
Less warnings on Windows (#74)
Add some warning suppressions and some MS VC++ compatibility with the code annotations.
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| 3f7489ffe806d7fb8653d94b7a702ffb0088cad2 |
|
27-Jan-2017 |
David Benjamin <davidben@davidben.net> |
Use SSL_get_peer_full_cert_chain. (#68)
This is a recently-added BoringSSL API which avoids the mess around
client and server distinctions.
Change-Id: I81ac63c9301aa3a611c369b12731137683e9a3d2
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|
| 160e730a8666ecd1cd362ed6cb5e9c032ed2bff0 |
|
23-Jan-2017 |
Nathan Mittler <nathanmittler@google.com> |
Adding support for Java 8 static linking. (#50)
* Adding support for Java 8 static linking.
I'm not really sure of an easy way to test this ATM, since the library would have to be statically linked with the JVM. I think for now, we should just get this in and cross the testing bridge when we get there.
Fixes #33
/external/conscrypt/common/src/jni/main/cpp/NativeCrypto.cpp
|