| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This is indended to make it easier to run on VMs that restrict the packages
from which application classes can be loaded. For example, on the RI you need
to use the bootclasspath to load these tests.
Change-Id: I52193f35c5fcca18b5a3e1d280505b1e29b388af
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Wrote an interoperability test between our OpenSSL and SSLEngine
based SSLSocket implementations. Used it to flush out problems between
the implementations, which mostly were in the non-native implementation.
Filling out the SSLEngine (and therefore non-native SSLSocket) support
led to the list of supported and default cipher suites now being the
same as out OpenSSL SSLSocket. Most of the work was making the the
NULL, RC4, and AES ciphers work with SSLEngine as well as some minor
bug fixes in related code.
Summary:
- changing test_SSLSocket_getSupportedCipherSuites_connect to try all
combinations of our two SSLContext/SSLSocket implementations
- fixed SSLEngine with *_WITH_NULL_* CipherSuites to use javax.crypto.NullCipher
- added *_AES_* cipher suites to SSLEngine (and therefore Java SSLSocketImpl)
- remove *_DH_* cipher suites which are not supported by the RI or our OpenSSL implementation
- fixed Java SSLSocket to not handshake on accept so will pass the basic SSLSocketTest
- added new KeyManagerFactoryTest while testing "DH_" cipher suite key types
This change depends on restoring bouncycastle's RC4 implementation (separate CL in external/bouncycastle)
Details:
Fixed SSLEngine with *_WITH_NULL_* CipherSuites by use javax.crypto.NullCipher
expectations/knownfailures.txt
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java
Previously I had changed the string name of CipherSuites from
"TLS_..." to "SSL_..." where appropriate to match the RI. Since I was
doing maintenance on overall list, I renamed the CODE_TLS_... and
TLS_... static fields as well to match.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionImpl.java
Removed IDEA and RC2 CipherSuites to make it clear they are not
supported. While technically this happened as a side effect of the
assignment "supported = false" if the CipherSuite failed to load, we
truly intend not to support these. Also removed SSH_DH_* suites which
don't work with DSA keys and aren't supported by the RI or our OpenSSL
implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Old connection state code assumed that if a cipher was blocked, the
block size was 8 bytes. This is not true for the 16 byte AES ciphers.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionState.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java
No wonder our OpenSSL implementation incorrect did a startHandshake
when accepting the socket... it got it from the Java implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java
Test for KeyManagerFactory (and KeyManager). TestKeyStore now creates
KeyManagers and TrustManagers from the keystore as a convenience for
KeyManagerFactoryTest (instead of having the code in the
TestSSLContext where we didn't keep a pointer to the created values).
luni/src/test/java/javax/net/ssl/KeyManagerFactoryTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/java/security/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
Remove CIPHER_SUITES_SSLENGINE now that its the same as CIPHER_SUITES
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
support/src/test/java/java/security/StandardNames.java
test_SSLSocket_getSupportedCipherSuites_connect now does
interoperability testing not just between the default SSLContext's
SSLSockets but between the four combinations of our two SSLContext. It
also now sends some test data bi-directionally between the client and
server.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Changed TestSSLContext.create to allow a different Provider for the
client and server SSLContexts.
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
RC4 is now available in bouncycastle for the non-OpenSSL SSLContext to
use for parity with the OpenSSL implementation.
support/src/test/java/java/security/StandardNames.java
Changed TestSSLSocketPair to use Futures like NativeCryptoTest so its
easier to choose between client and server errors while debuging.
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
Removed bogus import
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Change-Id: I080c0343a3f86f27b7c191a7b80b585b9ca52d93
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- Added KeyStoreTest and fixed PKCS and BKS keystores to be fully functional
- KeyStore and KeyStoreImpl improvements in libcore and bouncycastle for more RI-like behavior
- SSL Renegotiation fix for new implementation
Details:
external/bouncycastle
TwoFish added back for BKS KeyStore. Like RC2, it not supported as
a general cipher, but instead used internally for KeyStore
implementation.
src/main/java/org/bouncycastle/crypto/engines/TwofishEngine.java
bouncycastle.config
Added back PBEWITHSHAANDTWOFISH, PBEWITHSHAANDTWOFISH-CBC,
PBEWITHSHA1ANDRC2-CBC, PBEWITHHMACSHA, PBEWITHHMACSHA1 to support
PKCS12 and BKS KeyStore implementations (as determined by new
KeyStoreTest)
src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java
src/main/java/org/bouncycastle/jce/provider/JCEBlockCipher.java
src/main/java/org/bouncycastle/jce/provider/JCEMac.java
src/main/java/org/bouncycastle/jce/provider/JCESecretKeyFactory.java
Don't throw an error when deleting a non-existing KeyStore entry. The
RI documentation (and behavior) says it throws an error when it fails
to remove an entry, not when the entry does not exist.
src/main/java/org/bouncycastle/jce/provider/JDKKeyStore.java
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Try to make BC's PKCS KeyStore have a more RI-like getCreationDate behavior
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Make BC's PKCS KeyStore failfast on setting non-supported key,
instead of failing later on get.
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Make BC's PKCS KeyStore handle setting a PrivateKey with an emtpy chain.
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Add more general avoidance of NullPointerExceptions on null aliases
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Added notes about changes improvements
patches/README
Regenerated patch with above changes
patches/android.patch
libcore
KeyStore improvements based on KeyStoreTest
- Fix UnrecoverableKeyException to be a subclass of
UnrecoverableEntryException, which was keeping the new
KeyStoreTest from compiling.
luni/src/main/java/java/security/UnrecoverableKeyException.java
- Fix to not convert UnrecoverableKeyException to KeyStoreException,
which was only being done because of the UnrecoverableKeyException
superclass bug.
luni/src/main/java/java/security/KeyStoreSpi.java
- Harmony KeyStore was being overly aggresive about throwing on null
alias arguments in cases where the RI was happy to pass them to the
KeyStoreSpi.
luni/src/main/java/java/security/KeyStore.java
- New test after PKCS12 regresion. It enumerates and excercises
all methods on all available KeyStore
implementations. Unfortunately, the main varieties of KeyStores
made this a lot more complicated than I was originally
expecting. It does clarifiy the differences between the RI and
BC KeyStore implementations, especially for PKCS12, where in
some ways the RI is more feature complete (setting key via
byte[]), but in other ways BC goes beyond some RI limitations
(allowing storage of certificates).
luni/src/test/java/java/security/KeyStoreTest.java
TestKeyStore improvements while writing KeyStoreTest
- Renamed "keyStorePassword" working usages to clarify if it really
means the "storePassword" on the whole KeyStore, or if it is a
"keyPassword" on individual keys.
- Moved TestKeyStore from javax.net.ssl to java.security
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/java/security/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixing up SSL renegotiation support. Now that we are not trying to
prevent renegotiation, make sure it is working correctly.
- Remove SSL_VERIFY_CLIENT_ONCE to take the default behavior of
re-requesting client certificate on renegotiation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
- Updated comments to reflect renegotiation. Bug fix to not clear
out callback reference on handshake complete, since we need it for
renegotiation.
luni/src/main/native/NativeCrypto.cpp
Updated for PKCS12 KeyStore support
support/src/test/java/java/security/StandardNames.java
Added javadoc when writint KeyStoreTest
luni/src/test/java/java/security/ProviderTest.java
frameworks/base
Tracking changes to UnrecoverableKeyException superclass
api/8.xml
api/current.xml
Change-Id: I6349dbfc02896417595b52e364ade8000b567615
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- openssl: add openssl support for specifying per key certificate chains
- libcore: properly implement client certificate request call back
- libcore: properly implement sending certificate chain
- libcore: properly implement retreiving local certificate chain
- libcore: added an SSLContext for non-OpenSSL SSLSocket creation
Details:
external/openssl
Improve patch generate support by applying all other patches to
baseline to remove cross polluting other patch changes into target
patch. Move cleanup of ./Configure output to import script from
openssl.config.
import_openssl.sh
openssl.config
Adding SSL_use_certificate_chain and SSL_get_certificate_chain to
continue to finish most of remaining JSSE issues.
include/openssl/ssl.h
ssl/s3_both.c
ssl/ssl.h
ssl/ssl_locl.h
ssl/ssl_rsa.c
Updated patch (and list of input files to patch)
patches/jsse.patch
openssl.config
libcore
Restoring SSLContextImpl as provider of non-OpenSSL SSLSocketImpl
instances for interoperability testing. OpenSSLContextImpl is the
new subclass that provides OpenSSLSocketImpl. JSSEProvider
provides the old style SSLContexts, OpenSSLProvider provides the
OpenSSL SSLContext, which includes the "default" context. Changed
to register SSLContexts without aliases to match the RI.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Native interface updates to support OpenSSLSocketImpl improvements
- KEY_TYPES now expanded based on what we are being provided by OpenSSL.
keyType function now maps key type values received from
clientCertificateRequested callback.
- Removed remaining uses of string PEM encoding, now using ASN1 DER consistently
Includes SSL_SESSION_get_peer_cert_chain, verifyCertificateChain
- Fixed clientCertificateRequested to properly include all key
types supported by server, not just the one from the cipher
suite. We also now properly include the list of supported CAs to
help the client select a certificate to use.
- Fixed NativeCrypto.SSL_use_certificate implementation to use new
SSL_use_certificate_chain function from openssl to pass chain to
OpenSSL.
- Added error handling of all uses of sk_*_push which can fail due to out of memory
- Fixed compile warning due to missing JNI_TRACE argument
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Pass this into chooseServerAlias call as well in significantly revamped choseClientAlias
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Minor code cleanup while reviewing diff between checkClientTrusted and checkServerTrusted
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Improvements to SSL test support to go along with client
certificate and certificate chain changes. TestSSLContext now has
separate contexts for the client and server (as well as seperate
key stores information). TestKeyStore now is more realistic by
default, creating a CA, intermediate CA, and separate client and
server certificates, as well as a client keystore that simply
contains the CA and no certificates.
support/src/test/java/javax/net/ssl/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
Tests tracking API changes. Tests involving cert chains now now
updated to use TestKeyStore.assertChainLength to avoid hardwiring
expected chain length in tests. These tests also now use
TestSSLContext.assertClientCertificateChain to validate that the
chain is properly constructed and trusted by a trust manager.
luni/src/test/java/java/net/URLConnectionTest.java
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/javax/net/ssl/TestSSLEnginePair.java
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
frameworks/base
Tracking change of SSLContextImpl to OpenSSLContextImpl
core/java/android/net/SSLCertificateSocketFactory.java
core/java/android/net/http/HttpsConnection.java
tests/CoreTests/android/core/SSLPerformanceTest.java
tests/CoreTests/android/core/SSLSocketTest.java
Tracking changes to TestSSLContext
core/tests/coretests/src/android/net/http/HttpsThroughHttpProxyTest.java
Change-Id: Ie35ebce89966dfce62c316f7fe7252bf06935680
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
client and RSA server
Summary:
Goal here was to just make most tests faster by only having
TestKeyStore create RSA keys by default. However, when I did that
SSLEngineTest#test_SSLEngine_clientAuth started working, so I ended up
investigating a much deeper issue with DSA client authentication
against an RSA SSLEngine server.
Details:
Changed the TestKeyStore.get singleton to only contain RSA
keys. TestKeyStore.create now requires the caller enumerate what
keys they want if they need more than that or an alternative.
support/src/test/java/javax/net/ssl/TestKeyStore.java
Changed test_SSLSocket_getSupportedCipherSuites_connect to
explicitly request RSA and DSA keys since it needs both to try
connecting all possible cipher suites.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fixing SSLEngine client authentication when server uses RSA but client uses DSA
Fixed java.net.ssl.SSLEngineTest#test_SSLEngine_clientAuth
expectations/knownfailures.txt
Added CiperSuite.authType field which contains the algorithm name
such as RSA, DSA, DH, that the client will use to authenticate the
server. Like the cipherName, hmacName, and hashName, this is
logically derivable from the the CiperSuite.KEY_EXCHANGE_*, but we
remember it to avoid repeatedly doing large cascading "if" tests to
determine which key algorithm should be used for each
case.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Fixed a number of client certificate authentication bugs in SSLEngine
- Changed ClientHandshakeImpl's in the SSL/Tls Certificate message
code to mirror ServerHandshakeImpl's implementation to properly
use chooseEngineClientAlias in the SSLEngine case.
- Changed to use the client certifcates key algorithm for computing
the signature for the SSL/TLS CertificateVerify
message. Previously we used the cipher suites negoitated key
exchange method, but if the client may select a certificate with
a different algorithm if the server provides a CA for another
algorithm.
- Also changed to use CipherSuite.isAnonymous in two places rather
than the inlined equivalent.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
Fixed client authentication to use the client's certificate (not
the server's) to do verify the CertificateVerify message signature.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Fixed bug in DigitalSignature which did not Signature.update in
verifySignature, so it could never have properly authenticated DSA
signatures.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java
Added CertificateMessage getAuthType convenience
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateMessage.java
Made CertificateRequest certificate_authorities final, found we were double allocating it
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java
Cleaning up imports of HandshakeProtocol while working on its subclasses.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
Cleaned up while looking at X509KeyManager implementations while debugging.
support/src/test/java/org/apache/harmony/xnet/tests/support/X509KeyManagerImpl.java
Change-Id: I74b98754c11000cbfea416f1571c380c9c67abf3
|
| |
|
|
|
|
| |
java.security
Change-Id: I7ef73ae164fa001f279e8229b4869e72fd5a3a7d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
files.
I've deleted as many tests as possible that duplicated coverage in Harmony.
We're now running their tests directly against our codebase and having two
copies of every test is quite painful; particularly when the tests need
maintenance.
The AllTests files aren't necessary, our test harness can automatically find
tests and run them without external organization. This strategy is also more
reliable, since often the AllTests files are out of sync.
Change-Id: I3ee052f8839e9b146ba47f945812f5937d878110
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- RI 6 support for javax.net.ssl
- SSLEngine fixes based on new SSLEngineTest
- fix Cipher.checkMode bug recently introduced in dalvik-dev
Details:
Fix Cipher.checkMode that was preventing most javax.net.ssl tests from working
luni/src/main/java/javax/crypto/Cipher.java
RI 6 has introduced the concept of a "Default" SSLContext. This is
accessed via SSLContext.getDefault() and also
SSLContext.getInstance("Default"). Harmony had its own
DefaultSSLContext but it was not created via an SSLContextSpi. It also
was a single shared instance whereas the new RI6 Default SSLContext
shares internal SSLSessionContext instances between different Default
SSLContexts.
Refactored the old code into an SSLContextImpl subclass that
allows it to be created via SSLContext.getInstance. SSLContextImpl
ensures that we only ever create one set of SSLSessionContext
instances for the Default context.
luni/src/main/java/javax/net/ssl/DefaultSSLContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Added SSLContext.getDefault and SSLContext.setDefault
luni/src/main/java/javax/net/ssl/SSLContext.java
Replace dependencies of old DefaultSSLContext with use of SSLContext.getDefault
luni/src/main/java/javax/net/ssl/SSLServerSocketFactory.java
luni/src/main/java/javax/net/ssl/SSLSocketFactory.java
Register "SSLContext.Default" as DefaultSSLContextImpl class for SSLContext.getInstance()
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
Added constant for new "Default" standard name and added it to
SSL_CONTEXT_PROTOCOLS. New tests based on SSL_CONTEXT_PROTOCOLS
made it clear that neither Android or RI support SSLv2 so removed
it from SSL_CONTEXT_PROTOCOLS and SSL_SOCKET_PROTOCOLS. Added
constant for TLS as well which was previously scattered all over
tests. Remove SSLv2Hello from SSL_SOCKET_PROTOCOLS for Android
since with OpenSSL disablign SSLv2 means you can not use
SSLv2Hello either.
support/src/test/java/javax/net/ssl/StandardNames.java
Added tests for SSLContext.getDefault and
SSLContext.setDefault. Changed existing tests to work on all
protocols including new "Default".
luni/src/test/java/javax/net/ssl/SSLContextTest.java
RI 6 has introduced the notion of SSLParameters which encapsulate SSL
the handshake parameters of desired cipher suites, protocols, and
client authentication requirements.
The main new class SSLParameters is basically just a bag of fields
with accessors and a couple simple constructors. The only things
of note are that it clones all String arrays on input and output
and the setters for the two boolean fields ensure that only one is
true at a time.
luni/src/main/java/javax/net/ssl/SSLParameters.java
Added SSLContext.getDefaultSSLParameters and
SSLContext.getSupportedSSLParameters which simply delegate to the
SSLContextSpi.
luni/src/main/java/javax/net/ssl/SSLContext.java
Added abstract SSLContextSpi.engineGetDefaultSSLParameters and
SSLContext.engineGetSupportedSSLParameters.
luni/src/main/java/javax/net/ssl/SSLContextSpi.java
Added engineGetDefaultSSLParameters and
engineGetSupportedSSLParameters implementation. The RI documents
in SSLContextSpi that these are implemented by default by creating
a socket via the SSLContext's SocketFactory and asking for the
enabled/supported cipher suites and protocols respectively, so
that is what is done. The doc mentions throwing
UnsupportedOperationException if there is a problem, so we do that
as well.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Added {SSLEngine,SSLSocket}.{getSSLParameters,setSSLParameters}
which are analogous.
luni/src/main/java/javax/net/ssl/SSLEngine.java
luni/src/main/java/javax/net/ssl/SSLSocket.java
Added SSLParametersTest
luni/src/test/java/javax/net/ssl/SSLParametersTest.java
luni/src/test/java/javax/net/ssl/AllTests.java
Added SSLContext.get{Default,Supported}SSLParameters tests
luni/src/test/java/javax/net/ssl/SSLContextTest.java
Added SSLSocket.{getSSLParameters,setSSLParameters} tests and added
some extra asserts to test_SSLSocketPair_create based on experience
with test_SSLEnginePair_create.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Dummy implementation of new SSLContextSpi for test classes.
support/src/test/java/org/apache/harmony/security/tests/support/MySSLContextSpi.java
support/src/test/java/org/apache/harmony/xnet/tests/support/MySSLContextSpi.java
Other minor RI 6 API changes:
RI 6 removed Serializable from HandshakeCompletedEvent and SSLSessionBindingEvent
luni/src/main/java/javax/net/ssl/HandshakeCompletedEvent.java
luni/src/main/java/javax/net/ssl/SSLSessionBindingEvent.java
RI 6 added generic types to the KeyStoreBuilderParameters List
constructor and accessor as well as to
SSLSessionContext.getIds. Fixed tests to compile with generic types.
luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
luni/src/main/java/javax/net/ssl/SSLSessionContext.java
luni/src/test/java/tests/api/javax/net/ssl/KeyStoreBuilderParametersTest.java
SSLEngine improvements. Since I was changing SSLEngine, I wrote an
SSLEngineTest based on my SSLSocketTest to do some simply sanity
checking. It expose a number of issues. I've fixed the small ones,
marked the rest as known failures.
Renamed some TLS_ cipher suites to SSL_ to match JSSE standard
names. These were all old suites no longer supported by RI or
OpenSSL which is why they were missed in an earlier cleanup of this
type in this class. Also fixed SSLEngine supported cipher suites
list not to include SSL_NULL_WITH_NULL_NULL which is not a valid
suite to negotiate.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
SSLEngine instances can have null host values, which caused a
NullPointerException in the ClientSessionContext implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
SSLEngine tests were failing because SSLParameters was throwing
NullPointerException instead of IllegalArgument exception on null
element values. Fixed null pointer message style while I was here.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
Fixed SSLEngine instances to default to server mode like RI
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Fixed KEY_TYPES based on SSLEngine implementation. Removed dead
code NativeCrypto.getEnabledProtocols which was recently made
obsolete. Cleaned up null exception messages to follow our convention.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Added SSLEngineTest which parallels SSLSocketTest in its
coverage. Similarly added TestSSLEnginePair which loosely parallels
TestSSLSocketPair.
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/AllTests.java
support/src/test/java/javax/net/ssl/TestSSLEnginePair.java
SSLEngineTest betters exposed the differences between SSLSocket and
SSLEngine supported cipher suites. StandardNames now has an
CIPHER_SUITES_SSLENGINE definition which denotes what is missing
and what is extra and why in the SSLEngine implementation.
support/src/test/java/javax/net/ssl/StandardNames.java
Created StandardNames.assert{Valid,Supported}{CipherSuites,Protocols}
to factor out some code test code that is also used by new tests.
support/src/test/java/javax/net/ssl/StandardNames.java
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Remove SSLSocketTest known failure and add new SSLEngineTest known failures
expectations/knownfailures.txt
SSL_OP_NO_TICKET change was recently merged from master which required some fixes.
For the moment, sslServerSocketSupportsSessionTickets always returns false.
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixed flakey test_SSLSocket_HandshakeCompletedListener which had a
race because the client thread look in the server session context
for an session by id potentially before the server thread had a
chance to store its session. Made noticable because of
SSL_OP_NO_TICKET recently merged from master (before this code
path was host only, not device)
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fix checkjni issue where we need to check for pending exception in
OpenSSL callback. Possibly introduced by recent merge of
SSL_OP_NO_TICKET from master.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Expectation updates
Remove SSLSocketTest known failure and add new SSLEngineTest known failures
expectations/knownfailures.txt
Tag test_SSLSocket_getSupportedCipherSuites_connect as large
expectations/taggedtests.txt
Misc changes:
opening brace on wrong line
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Long line cleanup while debugging
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java
support/src/test/java/javax/net/ssl/TestKeyStore.java
Removed bogus import
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Comment clarify while debugging
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Ctor -> Constructor in comment
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLEngineImpl.java
Fixed naming of SocketTest_Test_create to TestSocketPair_Create to match renamed classes
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I99505e97d6047eeabe4a0b93202075a0b2d486ec
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
move to UniquePtr)
Summary:
Used SSL_CTX_set_tmp_rsa_callback to provide a callback for supplying
ephemeral RSA key for export cipher SSL_RSA_EXPORT_WITH_RC4_40_MD5
(aka EXP-RC4-MD5)
As part of this added rsaGenerateKey and while doing that started
adding UniquePtr deleters for BN and RSA and then just decided to do
the rest of the file.
Details:
Added tmp_rsa_callback to provide emphemeral RSA keys
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Removed last KnownFailure in my JSSE tests.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Switching to UniquePtr to manage SSL types.
Found a couple places not error checking along the way.
Removed LOGE from throw* methods since jniThrowException does that.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I27413c0073cd2cc405c83d35a0772c7901ce25c6
|
| |
|
|
| |
Change-Id: Iee93ceed527ce7f5430cb2ef19bed846e847fb83
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
protocol error
Added throwSSLProtocolExceptionStr and used it in the SSL_ERROR_SSL case.
Also replaced 0 with SSL_ERROR_NONE in throwSSLExceptionWithSslErrors calls for clarity.
Improved throwSSLExceptionWithSslErrors to show ERR_get_error information in SSL_ERROR_NONE case.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Removed penultimate KnownFailure. Updated comment to use more official Kerberos reference URL.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I2fb847ba92a3464029d1103fadf05ec16126bda9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
supporting private keys
Make CipherSuite static fields final (noticed because I tried to use some in a switch statement).
Also renamed "cuites*" to "suites*" and fixed UNKNOUN to UNKNOWN
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
SSLServerSocket now matches the RI behavior of throwing an
SSLException for missing keys for non-anonymous cipher suites.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
Fixed one KnownFailure
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I1ccbf93cfc5aa5951b1f33881446d93c380b6e68
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSLSession.getPeerPort is supposed to return -1 when the port is
undefined so now we initialize it to that value.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Avoid creating InetAddress to store the OpenSSLSessionImplWrapper host
and port arguments since it was causing an exception on an port value
of -1 and was just used to go back to the original host and port when
creating the SSLSession, which is allowed to return a port value of -1.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Remove last of KnownFailures for SSLSocketFactory
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
Update classpath for newly seperated out junit jars
run-core-tests
Change-Id: I646a8f23c3d6ae01f1dd38e40bc9c32d436e6254
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Client certificates should only be set into the SSL* when requested by
the server so that after the handshake is completed the client can
inspect its SSLSession to see what certificate if any was
requested. Previously the value was always non-null even if the server
didn't request the certificate.
- Created RAND_seed and RAND_load_file out of the NativeCrypto.SSL_new
- NativeCrypto.SSL_new now simply performs SSL_new and does not
deal with certificates, private keys, or random seeds.
- Removed helper version of NativeCrypto.SSL_new
Moved code to OpenSSLSocketImpl.setCertificate
- Created SSL_use_certificate, SSL_use_PrivateKey, SSL_check_private_key from SSL_new.
These are used not just on server handshake but also via clientCertificateRequested callback.
- Merged CertificateChainVerifier and HandshakeCompletedCallback into new SSLHandshakeCallbacks
while adding new clientCertificateRequested callback from OpenSSL C code to Java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
In addition to supporting NativeCrypto.java changes, also changed
to_SSL_CTX and to_SSL_SESSION to allow null checking and throwing
NullPointerException. Changed these and to_SSL to log exception on
JNITrace, taking these logs out of individual functions. There
were a lot of null checks missing previously, mostly in
to_SSL_SESSION cases.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
All KnownFailures now fixed.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Three more KnownFailures now fixed.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: Iddcd5512e8395d947d3b894f03e3a059e63afe8a
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change text names of Harmony CipherSuite's (used by SSLEngine and some
places with OpenSSL code) to match JSSE names.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Added StandardName constant for SSL_NULL_WITH_NULL_NULL
support/src/test/java/javax/net/ssl/StandardNames.java
Marked test as working with above fix, changed to use newly defined constant.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Change-Id: Id48d2adcbbff71306296f1fdf8ff970c618fdcc6
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added new test_SSLSocket_getSupportedCipherSuites_connect to make sure
all cipher suites we claim work actually do. It clearly exposed that
although a large number of cipher suites are supported by libssl.so,
they are not properly wired up into the OpenSSL JSSE
implementation. In particular Elliptic Curve has been disabled in our
version Bouncy Castle does not work. In addition Diffie-Hellman does
not work because we need to further integration work with OpenSSL via
SSL_set_tmp_dh_callback or SSL_set_tmp_dh. Finally,
SSL_RSA_EXPORT_WITH_RC4_40_MD5 doesn't work but that is being left as
KnownFailure for more immediate cleanup based on ServerHandshakeImpl's
handling of KeyExchange_RSA_EXPORT as part of having OpenSSL call us
back for certificates dynamically.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Refactored TestSSLContext.createKeyStore to create TestKeyStore which
now factors out TestSSLContext.createKeys from the old createKeyStore
method, which allows createKeys to be called multiple times for
different key algorithms (for example DSA in addition to RSA). Also
added a reusable singleton instance to cut down on test execution
time.
support/src/test/java/javax/net/ssl/TestKeyStore.java
Removed publicAlias/privateAlias from TestSSLContext since we now
include both RSA and DSA key pairs in they KeyStore by default. Added
TestSSLContext.assertCertificateInKeyStore methods to help tests the
previously used the alias fields fields. TestSSLContext.create API
changed as well since the alias names are no longer
required. TestSSLContext.createClient now needs to iterate over all
server certificates when setting up its TrustManager instead of just
grabbing one by alias name.
support/src/test/java/javax/net/ssl/TestSSLContext.java
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
TestSSLSocketPair.connect now allows optional inclusion of server
cipher suite list.
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Turning off Elliptic Curve and Diffie-Hellman which are not currently
working. Updating test expectations to match.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
support/src/test/java/javax/net/ssl/StandardNames.java
Turn on registration of ECDSA and DSA since this part is currently
functional (and excercised by TestKeyStore.create())
luni/src/main/java/org/bouncycastle/x509/X509Util.java
Improve logging by including SSL pointer in error messages, which
makes it easier to relate these errors to JNI_TRACE messages.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I014d001a6a21a46c360678a346d3a3c8232f4d53
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- Switch to using JSSE cipher suite names
- SSLSessionContext implementation cleanup
- Updated tests
Details:
Switch to using JSSE cipher suite names
- We maintain backward compatability for enabling cipher suites using
OpenSSL names for old code that did so without checking for the
presence of the names in the supported list.
- We now have a well defined list of the supported cipher suites which
are sorted in priority order as specified in JSSE documentation so
that callers doing:
s.setEnabledCipherSuites(s.getSupportedCipherSuites())
will get something reasonable.
- We now have a default cipher suite list that is chose to match RI
behavior and priority, not based on OpenSSLs default and priorities.
Details:
- Added NativeCrypto OPENSSL_TO_STANDARD and STANDARD_TO_OPENSSL
mapping between naming conventions. STANDARD_TO_OPENSSL is a
LinkedHashMap so enumerating it gives the proper order for
SUPPORTED_CIPHER_SUITES.
- SSL_get_ciphers and SSL_set_cipher_list are removed, we now use
our own SSL_set_cipher_lists (defined seperately in
external/openssl/patches/jsse.patch) to set the set and order of
cipher suites. SSL_CTX_get_ciphers is also removed because we no
longer rely on the OpenSSL for the default cipher suites
behavior.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Add cipherSuite and protocol field caches for native values,
mapping the cipherSuite to a JSSE name from the OpenSSL name
returned by SSL_SESSION_cipher.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Fixed a long standing bug where we reused sessions found in the
client host/port cache even if the old protocol and cipher suite
where no longer compatible with what was specified by
setEnabledCipherSuites and setProtocols. Also fixed a recently
introduced bug where lastAccessedTime was being set on a cached
session even if it was not reused, found by fixed the above.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Move most of SSLSessionContext implementation from subclasses to
AbstractSessionContext. This was primarily to align the
implementations of how different sessions id for the same host and
port were handled for RI compatability. client subclasses now focuses
on handling its host/port based cache and both deal with their own
persistent cache details.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Tests
Added some variants of assertSSLSessionContextSize to simplify tests code.
Broke test_SSLSessionContext_setSessionCacheSize_oneConnect out of
test_SSLSessionContext_setSessionCacheSize_dynamic. Renamed
test_SSLSessionContext_setSessionCacheSize_basic to
test_SSLSessionContext_setSessionCacheSize_noConnect to match name
of _oneConnect. _dynamic was cleaned up a bit as getting it working
was the only goal of this change list. Fixed to filter
SSL_RSA_EXPORT_ ciphers since our test certificate key length is
too long for those. Lower test requirement to 3 unique cipher suites.
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Added checks that cipher suites and protocols have standard names.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Removing known failures related to cipher suite naming. Fixed bug
of using assertNotNull instead of assertTrue. Added extra
size/length check which would have found the
assertNotNull/assertTrue issue.
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fixing test the explicitly worked around broken cipher suite naming.
luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java
Updated standard cipher suites to RI 6 list, which also now
specifies ordering, which we now align with.
support/src/test/java/javax/net/ssl/StandardNames.java
Unrelated
Remove more now obsolete jars from the test classpath
run-core-tests
Change-Id: I45c274a9327c9a1aeeccb39ecaf5a3fbe2903c8f
|
| |
|
|
|
|
| |
Gentlemen, you may now set your editors to "strip trailing whitespace"...
Change-Id: I85b2f6c80e5fbef1af6cab11789790b078c11b1b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an explicit null check to ensure failure on a null argument to getSession to match the RI
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Remove KnownFailures resolved by above fix as well as clarifiying SSL
session cache expections on Android vs the RI. The KnownFailures were
also hiding some latent issues to do SSL session tickets, so fixed
those up as well.
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Added constants for expected SSL session cache behavior for RI vs Android
support/src/test/java/javax/net/ssl/TestSSLContext.java
Change-Id: Ic6285192cf76c0a5c3fa45a24eaa504ed0babff5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
before SSLContext.init
Moved initialization of SSLContextImpl clientSessionContext and
serverSessionContext from engineInit time (in SSLParameters
constructor) to constructor time, making them final. This is to
fix javax.net.ssl.SSLContextTest which was failing because it
tried to access this before init was called, which worked fine on
the RI. The SSLParameters now simply takes the preallocated
session contexts as arguments. SSLParameters.getDefault() now
needs to create its own session contexts when an SSLContext is not
used, which is how Harmony does it.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
Removed KnownFailure from SSLContextTest as its 100% working.
luni/src/test/java/javax/net/ssl/SSLContextTest.java
Changed persistentCache fields of ClientSessionContext and
ServerSessionContext from final to private and added a public
setter. This replaces passing the persistentCache implementation
in via the constructor. For momentarily backward compatibility
with frameworks/base, the now deprecated 5 argument engineInit
method now uses these setters for backward compatability. The
SSLParameters previously took these persistent caches as arguments
in order to pass them to the session context contructors, but as
SSLParameters no longer creates these, they are no longer relevant.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
While moving the call of the AbstractSessionContext constructor
from SSLParameters to SSLContextImpl after removing the persistent
cache arguments, I realized there was no longer any reason to take
any arguments. I pushed the initization of sslCtxNativePointer to
the point of declaration.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Change-Id: Ied2903a2f369bf4e521e702bf58f32f21cb97d17
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Following up on feedback from earlier change https://android-git.corp.google.com/g/50435
Added new test_SSLSocket_startHandshake_noClientCertificate to
make sure handshaking works when no client certificates are
present after issues raised by hwu during code review.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Improve TestSSLContext.create* options
- added javadoc comments to help distinguish different versions
- fixed bug of not passing in keyStorePassword in create()
- added new createClient(server) method to create a TestSSLContext
that trusts the provided server TestSSLContext's certificate for
use by test_SSLSocket_startHandshake_noClientCertificate
- made createKeyStore optionally create a more minimal keystore if
aliases are not present
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixed argument names in SSL_*_mode methods names as pointed out by hwu
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Added comment to explain purpose of OpenSSLSessionImpl.resetId.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Two changes to OpenSocketImpl
- Added logging on runtime exception catch around
HandshakeCompletedListener execution to closely mirror RI
behavior.
- Cleaned up peerCertificate check to not just be on the client path.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Addressed enh's comments about using clearEnv and when to delete AppData
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I34f54e3e41a5d53d81fdc22aa34ca4de4ee9826f
|
| |
|
|
|
|
| |
tries to handshake
Change-Id: I1188c34901b4c2c42d6b88e798e2eda24b0bfc4c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- SSLSocket.startHandshake now generalized to handle both client and
server handshaking as well as client/server role reversal
- handshake_cutthrough.patch is properly integrated with support
delayed handshake completion now integrated with delayed updates to
session cache and callbacks to HandshakeCompletedListeners
- Many fixes to SSLSession, which is the end product of the handshake
- Generally more RI and SSLEngine compliant behavior.
- More native code deletion through unification of client/server
handshake, unification of client/server certificate chain
verification, etc. More native code moved from various OpenSSL
classes to cleaner NativeCrypto interfaces that more directly mirror
the OpenSSL interfaces.
Details:
Delay SSL_new call until handshake time when we know for sure whether
the OpenSSLSocket will be used in client or server mode and we can
allocate the SSL_new from the apppriate client or server SSL_CTX used
for session caching.
Now that no SSL is allocated for an OpenSSLServerSocketImpl,
store enabledProtocols and enabledCipherSuites in instance String
arrays. Use new NativeCrypto.checkEnabled* methdods for argument
validation. OpenSSLServerSocketImpl passes these enabled arrays to
a new OpenSSLSocket constructor during accept(). Removed finalizer
from OpenSSLServerSocketImpl since it no longer has any native
storage and socket is already closed by PlainSocketImpl finalizer.
X-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
OpenSSLSocket major overhaul to properly implement handshaking
including switching client and server roles and session ID caching
with handshake_cutthrough.patch.
- now implements NativeCrypto.HandshakeCompletedListeners for
properly timed callback when handshake_cutthrough.patch delays
handshake completion until first SSLSocket.getInputStream()
read.
- similar enabledProtocols/enabledCipherSuites changes as
OpenSSLServerSocketImpl since we need to store the state
somewhere other than an openssl SSL struct until we are sure if
we are doing a client or server handshake.
- added handshake completed field so that startHandshake can tell
if handshake was completed during SSL_do_handshake or will be
completed later by a call to HandshakeCompletedCallback.handshakeCompleted.
- removed nativegetsession as the equivalent value is now returned by SSL_do_handshake
- removed nativecipherauthenticationmethod as the value is now passed to verifyCertificateChain
- startHandshake is now a wrapper that forces a fully synchronous handshake
- startHandshake(boolean) is the the most changed method in this
changelist, combinding both the old startHandshake logic, but
also the OpenSSLSocketImpl.accept code as well. Notable
differences from the old code:
* now responsible for SSL_new
* single code path for client/server handshaking dealing with SSLSession caching
* now handles server certificate requests previously in
OpenSSLServerSocketImpl, since a client can request to act
like a server and therefore need to be able to make suck
demands on its peer.
* supports turning off handshake_cutthrough at a callers request
via explicit call to startHandshake()
* certificate verification happens during an upcall from openssl
during SSL_do_handshake to verifyCertificateChain for both
client and server cases. previously there was not quite right
upcall support on the server side and post-handshake checking
on the client, which did not allow for a proper alert to be
sent to the peer informing them of the issue, which the RI and
SSLEngine code do.
* Similarly, setEnableSessionCreation(false) did not send an
alert to the peer as the RI and SSLEngine code in the client
case. In the server case, nothing was previously done.
* The use of local certificates was not determined from
introspecting the SSL struct post-handshake. This is now
partially implemented and will be completed in a later change.
- SSLSocket.{shutdownInput,shutdownOutput} are now restored to the
proper behavior of throwing UnsupportedOperationException.
- Gutted OpenSSLSocketImpl finalizer. The comment explains in
detail the trouble of having the finalizer do anything more than
touch its the instances own state due to unpredictable order of
finalization and the future possability of parallel
finalization.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
SSLSession fixes
- Made OpenSSLSessionImpl.sessionContext non-final so it could be
nulled by SSLSession.invalidate to match RI behavior.
- As noted in AbstractSessionContext discussion, removed
OpenSSLSessionImpl constructor that took SSLParameters, instead
we take the possibly null localCertificates
directly. OpenSSLSessionImpl.getLocalCertificates now simply
returns the localCertificates member variable instead of
incorrectly trying to query the KeyManager for certificates that
may not have been used.
- OpenSSLSessionImpl now caches its native ID to avoid numerious
native calls but also now provides as resetId which will update
the cache when a delayed handshake happens due to the
handshake_cutthrough.patch
- Fixed bug in getPeerPrincipal that it wasn't calling
getPeerCertificates to initialize peerCertificates field.
- freeImpl is now 'public static' in preparation for move to NativeCrypto.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
The old SSLSessionImpl class that is still used for representing
the invalid session now returns
isValid => false
and
getProtocol => "NONE"
to match the RI.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionImpl.java
NativeCrypto improvements
- Adding NativeCrypto.SSL_{get,set,clear}_mode similar to
NativeCrypto.SSL_{get,set,clear}_options along with
SSL_MODE_HANDSHAKE_CUTTHROUGH constant which is used to
explicitly disable/enable the Android handshake_cutthrough.patch
behavior.
- Added missing NativeCrypto.SSL_clear_options and used to properly
implement NativeCrypto.setEnabledProtocols.
- Added NativeCrypto.checkEnabledProtocols and
NativeCrypto.checkEnabledCipherSuites helpers to implement
exception compatability with the RI. While some of this code is
refactored from existing NativeCrypto code, it is now also used
by OpenSSLServerSocketImpl and OpenSSLSocketImpl which maintain
their own String[]s of what is enabled until startHandshake time. (see below)
- Changed NativeCrypto.findSuite to use foreach style loop for clarity.
- Moved OpenSSLServerSocketImpl nativesetclientauth and
SSL_VERIFY_* constants to NativeCrypto.SSL_set_verify
- Added NativeCrypto.SSL_set_session based on part of old OpenSSLSocketImpl.nativeconnect
- Added NativeCrypto.SSL_set_session_creation_enabled to properly implement
SSLSocket.setEnableSessionCreation(false) which uses new
external/openssl/patches/jsse.patch functionality.
- New NativeCrypto.SSL_do_handshake consolidates
OpenSSLSocketImpl.{nativeconnect, nativeaccept} while properly
implementing SSLSocket.setUseClientMode(false) for clients and
SSLSocket.setUseClientMode(true) for servers.
- New NativeCrypto.SSL_get_certificate is determine if local
certificate requested by peer. While functional, currently
NativeCrypto.SSL_new always sets a value via SSL_use_certificate
instead of relying on a callback set via SSL_CTX_set_client_cert_cb.
- Changed NativeCrypto.CertificateChainVerifier.verifyCertificateChain
to throw a checked CertificateException to match TrustManager.{checkServerTrusted,
checkClientTrusted}. It also takes an authMethod so avoid the need to call
the old OpenSSLSocketImpl.nativecipherauthenticationmethod.
- Added NativeCrypto.HandshakeCompletedCallback which has its
handshakeCompleted method called from OpenSSL when the now
delayed handshake_cutthrough.patch handshake is completed so
SSLSession caching can be delayed until a session ID is available
and to provide a better time for HandshakeCompletedListeners to
be notified.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Some other changes specific to the naitve side of the code
- Added JNITRACE calls (enabled at compile time with JNI_TRACE)
for future debugging.
- throw SSLException subclass of IOException instead IOException
itself for better RI compatability
x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
- changed from old struct app_data to new class AppData at enh's request
Remove dubious usage of SSLParameters within AbstractSessionContext
to pass through to OpenSSLSessionImpl constructor for use in
calling getLocalCertificates for sessions created from a byte array
with AbstractSessionContext.toSession. Our
AbstractSessionContext.toBytes doesn't currently include the local
certificates in its output, so it cannot be expected to have in toSession.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
Test maintenance
openssl 1.0.0 adds support for RFC 4507 session tickets which
remove the need for server side session state. These tests needed
to be updated for this new behavior. If IS_RI is true, they still
follow the old behavior.
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Update KnownFailures and add specific comments at point of failure
about what remains to be fixed.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Added tests to cover the use of standard cipher suite
names. Historically Android has used OpenSSL string constants for
cipher suite names, but JSSE actually specifies supported and
expected names.
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Create new support/src/test/java/javax/net/ssl with old Helper
support code pulled from javax.net.ssl tests:
SSLContextTest.Helper -> TestSSLContext
SSLSocketTest.Helper -> TestSSLSocketPair
SSLSessionTest.Helper -> TestSSLSessions
Also added new StandardNames here, which contains a collection of
expected constants for test validation.
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
support/src/test/java/javax/net/ssl/TestSSLSessions.java
support/src/test/java/javax/net/ssl/StandardNames.java
Removed some now fixed KnownFailures and unneeded !IS_RI
code. Marked some [Un]KnownFailures where exceptions are thrown
and visible in the output but aren't correctly causing the test to
fail. Fixed assertNonNull to assertTrue in
test_SSLSocketTest_Test_create. Added
stress_test_SSLSocketTest_Test_create to track down test
flakiness, leading to rewrite of SSLSocket finalization.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Reenable javax.net.ssl.AllTests now that it is does not hang
luni/src/test/java/tests/AllTests.java
Improve error messages while debugging overflow problem.
Added new assert when debugging new RFC 4507 behavior.
Removed KnownFailure annotation for now working test case.
x-net/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java
Client code changes
Now that startHandshake implies synchronous vs Android's default async handshake, remove unneeded explict calls to SSLSocket.startHandshake
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java
Removed IBM 1.4.x codepath that involved startHandshake
x-net/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java
Unrelated
Remove unneed SSLSocket.setUseClientMode while removing unneeded SSLSocket.startHandshake
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java
Removed warnings due to now missing modules in classpath
run-core-tests
Change-Id: I6e149ae259b3feccdfb0673209c85cfeb60befc8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
vogar wasn't working at checkin on the host so I couldn't easily
retest these changes that came from the code review. Sure enought
there were some problems.
SSLSocketTest now uses a condition variable to synchronize between
the HandshakeCompletedListener and the main thread since the RI
does the callback asynchronously.
Back to ussing Arrays.equals for comparing Session ID byte[] since
Object.equals does not work.
Change-Id: I667b60dc065438efe4e3728d7a44b446ebc15e64
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSLSessionContext
Summary:
b/1758225: Revisit OpenSSL locking
Removed the locking original put in to address b/1678800 which
had been causing problems for the HeapWorker thread which was
timing out waiting for the lock in the finalizers while other
threads were connecting.
b/1678800: Reliability tool: Crash in libcrypto @ https://opac.ntu.ac.uk
Properly fixed the native crash by avoid sharing SSL_SESSION objects
between SSL_CTX objects
Testing:
- adb shell run-core-tests --verbose tests.xnet.AllTests
- adb shell run-core-tests --verbose javax.net.ssl.AllTests
- Test app that reloads https://opac.ntu.ac.uk
Details:
Each AbstractSessionContext now has an associated SSL_CTX,
referenced through the sslCtxNativePointer. SSL_CTX on the native
side defines the scope of SSL_SESSION caching, and this brings the
Java SSLSessionContext caching into alignment with the native
code. OpenSSLSessionImpl now uses AbstractSessionContext instead
of SSLSessionContext for access to the underlying SSL_CTX.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Added AbstractSessionContext.putSession so OpenSSLSocketImpl/OpenSSLSessionImpl can
directly assign to the current AbstractSessionContext (whether it
be a ClientSessionContext or a ServerSessionContext) without
casting.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Cleaning up use of SSL_CTX and SSL instances in SSLSocket/SSLServerSocket implementation
The major change is that openssl SSL instances are allocated for
the life of the matching Java object, replacing the SSL_CTX and
the SSL objects that had previously been allocated only starting
at handshake time. We should never have been sharing SSL_SESSION
instances between SSL_CTX instances, which was the source of the
native crashes dating back to cupcake which the
OpenSSLSocket.class locking had been preventing.
- NativeCrypto now has better defined and independant wrappers on
openssl functionality. A followon checkin should move the
remaining openssl JNI code here with the intent of being able to
write and end-to-end test of the openssl code using NativeCrypto
without the JSSE implementation classes. The following gives a
list of the new native functions with a mapping to the old
implementation code. The new code has a more functional style
where SSL_CTX and SSL instances are passed and returned as
arguments, not extracted from Java instances
SSL_CTX_new OpenSSLSocketImpl.nativeinit, OpenSSLServerSocketImpl.nativeinit, SSLParameters.nativeinitsslctx
SSL_CTX_get_ciphers_list OpenSSLSocketImpl.nativeGetEnabledCipherSuites
SSL_CTX_free OpenSSLSocketImpl.nativefree, OpenSSLServerSocketImpl.nativefree
SSL_new OpenSSLSocketImpl.nativeinit, OpenSSLSocketImpl.init, OpenSSLServerSocketImpl.nativeinit, OpenSSLServerSocketImpl.init
SSL_get_options OpenSSLSocketImpl.nativesetenabledprotocols
SSL_set_options OpenSSLSocketImpl.nativesetenabledprotocols
SSL_get_ciphers OpenSSLSocketImpl.nativeGetEnabledCipherSuites
SSL_set_cipher_list OpenSSLSocketImpl.nativeSetEnabledCipherSuites
SSL_free OpenSSLSocketImpl.nativefree, OpenSSLServerSocketImpl.nativefree
- While the focus in NativeCrypto is on native code, it also
contains some helpers/wrappers especially for code that doesn't
depend on specific SSL_CTX, SSL instances or that needs to do
massaging of data formats between Java and OpenSSL. Some of
these had previously been duplicated in the client and server
versions of the code. For example:
getSupportedCipherSuites OpenSSLSocketImpl.nativegetsupportedciphersuites, OpenSSLServerSocketImpl.nativegetsupportedciphersuites
getSupportedProtocols OpenSSLSocketImpl.getSupportedProtocols, OpenSSLServerSocketImpl.getSupportedProtocols
getEnabledProtocols OpenSSLSocketImpl.getEnabledProtocols,OpenSSLServerSocketImpl.getEnabledProtocols
setEnabledProtocols OpenSSLSocketImpl.setEnabledProtocols
setEnabledCipherSuites OpenSSLSocketImpl.setEnabledCipherSuites
- Moved JNI initialization from OpenSSLSocketImpl to NativeCrypto
which is the future home of all the openssl related native code.
clinit OpenSSLSocketImpl.nativeinitstatic
- NativeCrypto.CertificateChainVerifier is a new interface to
decouple callbacks from openssl from a specific dependence on a
OpenSSLSocketImpl.verify_callback method. Changed to return
boolean instead of int.
- Renamed OpenSSLSocketImpl.ssl to OpenSSLSocketImpl.sslNativePointer for consistency
- Changed OpenSSLSocketImpl nativeconnect, nativegetsslsession,
nativecipherauthenticationmethod, nativeaccept, nativeread,
nativewrite, nativeinterrupt, nativeclose, nativefree to take
arguments instead of inspect object state in preparation for
moving to NativeCrypto
- other notable NativeCrypto changes included
* adding SSL_SESSION_get_peer_cert_chain,
SSL_SESSION_get_version, and SSL_get_version (and
get_ssl_version) which are "missing methods" in openssl
* ssl_msg_callback_LOG callback and get_content_type for handshake debugging
* removing jfieldID's for our classes now that we pass in values in arguments
* changed aliveAndKicking to be volative since we poll on it to communicate between threads
* changed from C style declarations at beginning of block to C++ at first use on methods with major changes
* stop freeing SSL instances on error, only SSL_clear it
* improved session reuse logging when reproducing b/1678800
* change verify_callback to return verifyCertificateChain result
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java
When we accept a server socket, we pass the existing SSL state
instance from the server socket to the newly accepted socket via
the constructor where it is copied with SSL_dup, instead of
through both the constructor and later the accept method.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
Cleaned up nativesetclientauth from using SSL_CTX to SSL, passing
ssl as argument in preparation for future movement to
NativeCrypto.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
Removed ssl_op_no cache for rarely used enabled protocol methods
so that code could more easily be shared in NativeCrypto between
client and server.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Changed public getId, getCreationTime, getPeerCertificates,
getCipherSuite, getProtocol from being instance methods that
looked at the OpenSSLSessionImpl object state to be static mthods
that take the native pointers as arguments in preparation for
moving to NativeCrypto. Rename session -> sslSessionNativePointer
for consistency. Inlined initializeNative, which wasn't really
the native code.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Removed lock on OpenSSLSocketImpl.class lock from around
OpenSSLSocketImpl's use of nativeconnect, nativegetsslsession, and
nativecipherauthenticationmethod as well as OpenSSLSessionImpl's
use of freeImpl, fixing b/1758225: Revisit OpenSSL locking
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Unrelated changes
Removed unused ssl_ctx, nativeinitsslctx, getSSLCTX
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
Fix bug in both putSession implementations where we cached
sessions with zero length id. Also change indexById to pass in id
in client implementation.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Make sure we clone SSLParameters passed to the SSLSocketFactory
and SSLServerSocketFactory so that muting the client instance does
not change the server instance and vice versa. Explicitly set
setUseClientMode(false) on the server SSLParameters. These changes
are to bring things more into alignment with the original harmony
classes which properly support client/server role switching during
handshaking.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java
Make locks object fields final
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Moved updateInstanceCount(1) logic and sslParameters assignment to init method
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Changed getCachedClientSession to respect getUseClientMode
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Spelling of listensers to listeners in javadoc
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Spelling SSLInputStream to SSLOutputStream in comment
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Changed shutdownInput and shutdownOutput to call to the underlying socket
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Set sslNativePointer to 0 when freeing underlying SSL object
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Removed IOException logging in getSession, which is expected to
simply return SSL_NULL_WITH_NULL_NULL when there are problems.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Disabled "Using factory" message on successful creation of
SocketFactory which was a bit noisy running tests. However, added
logging in failure case including the related exception:
x-net/src/main/java/javax/net/ssl/SSLSocketFactory.java
Disabled logging of OpenSSL session deallocation
x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Register SSLContextImpl as a source of SSL and SSL3 SSLContexts,
not just TLS and TLSv1.
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
Fix whitespace in comment
x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java
Change-Id: I99975ae22599c7df0d249fa013ae7ea7c9c08051
|
| |
|
|
| |
Change-Id: Ie4cbad9335e37f785edab9a76c42c229a1d40f57
|
|
|
These new tests focusi on areas where I am making OpenSSL
implementation chages, where I found differences from the RI when
working on that code, and places where we were missing functionality
compared to the spec. They all work on the RI, many fail on Dalvik
luni/src/test/java/javax/net/ssl/AllTests.java
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Adding my javax.net.ssl.AllTests to the main list
luni/src/test/java/tests/AllTests.java
Adding Bouncy Castle provider /usr/share/java/bcprov.jar to host
classpath for testing with --java-home /usr/lib/jvm/java-6-openjdk
tools/runner/java/dalvik/runner/JavaVm.java
Fix usage comment to reboot to bootloader
run-core-tests
Change-Id: I7a7998fc7bedc7a00b1836517d043c6a27c8bd4d
|
