Skip to content

Commit d38fadf

Browse files
committed
Project import generated by Copybara.
PiperOrigin-RevId: 874491703
1 parent 827d29f commit d38fadf

File tree

84 files changed

+2097
-663
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

84 files changed

+2097
-663
lines changed

android/lint.xml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,4 +28,10 @@
2828
<issue id="Assert">
2929
<ignore path="**/common/src/main/java/org/conscrypt/OpenSSLCipherChaCha20.java" />
3030
</issue>
31+
32+
<!-- Workaround for "Unexpected failure during lint analysis". -->
33+
<issue id="LintError">
34+
<ignore regexp=".*module-info\.class.*"/>
35+
</issue>
36+
3137
</lint>
Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
/*
2+
* Copyright (C) 2025 The Android Open Source Project
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* http://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
17+
package org.conscrypt;
18+
19+
import org.conscrypt.metrics.CertificateTransparencyVerificationReason;
20+
21+
/**
22+
* A default NetworkSecurityPolicy for unbundled Android.
23+
*/
24+
@Internal
25+
public class ConscryptNetworkSecurityPolicy implements NetworkSecurityPolicy {
26+
public static ConscryptNetworkSecurityPolicy getDefault() {
27+
return new ConscryptNetworkSecurityPolicy();
28+
}
29+
30+
@Override
31+
public boolean isCertificateTransparencyVerificationRequired(String hostname) {
32+
return false;
33+
}
34+
35+
@Override
36+
public CertificateTransparencyVerificationReason getCertificateTransparencyVerificationReason(
37+
String hostname) {
38+
return CertificateTransparencyVerificationReason.UNKNOWN;
39+
}
40+
41+
@Override
42+
public DomainEncryptionMode getDomainEncryptionMode(String hostname) {
43+
return DomainEncryptionMode.UNKNOWN;
44+
}
45+
}

android/src/main/java/org/conscrypt/Platform.java

Lines changed: 6 additions & 54 deletions
Original file line numberDiff line numberDiff line change
@@ -59,11 +59,13 @@
5959
import java.util.Collection;
6060
import java.util.Collections;
6161
import java.util.List;
62+
import java.util.function.Supplier;
6263

6364
import javax.net.ssl.SNIHostName;
6465
import javax.net.ssl.SNIMatcher;
6566
import javax.net.ssl.SNIServerName;
6667
import javax.net.ssl.SSLEngine;
68+
import javax.net.ssl.SSLException;
6769
import javax.net.ssl.SSLParameters;
6870
import javax.net.ssl.SSLSession;
6971
import javax.net.ssl.SSLSocketFactory;
@@ -859,59 +861,8 @@ static boolean supportsX509ExtendedTrustManager() {
859861
return Build.VERSION.SDK_INT > 23;
860862
}
861863

862-
/**
863-
* Check if SCT verification is required for a given hostname.
864-
*
865-
* SCT Verification is enabled using {@code Security} properties.
866-
* The "conscrypt.ct.enable" property must be true, as well as a per domain property.
867-
* The reverse notation of the domain name, prefixed with "conscrypt.ct.enforce."
868-
* is used as the property name.
869-
* Basic globbing is also supported.
870-
*
871-
* For example, for the domain foo.bar.com, the following properties will be
872-
* looked up, in order of precedence.
873-
* - conscrypt.ct.enforce.com.bar.foo
874-
* - conscrypt.ct.enforce.com.bar.*
875-
* - conscrypt.ct.enforce.com.*
876-
* - conscrypt.ct.enforce.*
877-
*/
878-
public static boolean isCTVerificationRequired(String hostname) {
879-
if (hostname == null) {
880-
return false;
881-
}
882-
// TODO: Use the platform version on platforms that support it
883-
884-
String property = Security.getProperty("conscrypt.ct.enable");
885-
if (property == null || !Boolean.parseBoolean(property)) {
886-
return false;
887-
}
888-
889-
List<String> parts = Arrays.asList(hostname.split("\\."));
890-
Collections.reverse(parts);
891-
892-
boolean enable = false;
893-
String propertyName = "conscrypt.ct.enforce";
894-
// The loop keeps going on even once we've found a match
895-
// This allows for finer grained settings on subdomains
896-
for (String part : parts) {
897-
property = Security.getProperty(propertyName + ".*");
898-
if (property != null) {
899-
enable = Boolean.parseBoolean(property);
900-
}
901-
902-
propertyName = propertyName + "." + part;
903-
}
904-
905-
property = Security.getProperty(propertyName);
906-
if (property != null) {
907-
enable = Boolean.parseBoolean(property);
908-
}
909-
return enable;
910-
}
911-
912-
public static CertificateTransparencyVerificationReason reasonCTVerificationRequired(
913-
String hostname) {
914-
return CertificateTransparencyVerificationReason.UNKNOWN;
864+
static SSLException wrapInvalidEchDataException(SSLException e) {
865+
return e;
915866
}
916867

917868
static boolean supportsConscryptCertStore() {
@@ -940,7 +891,8 @@ static CertBlocklist newDefaultBlocklist() {
940891
return null;
941892
}
942893

943-
static CertificateTransparency newDefaultCertificateTransparency() {
894+
static CertificateTransparency newDefaultCertificateTransparency(
895+
Supplier<NetworkSecurityPolicy> policySupplier) {
944896
return null;
945897
}
946898

common/src/jni/main/cpp/conscrypt/native_crypto.cc

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -58,6 +58,8 @@
5858
#include <type_traits>
5959
#include <vector>
6060

61+
#include "jni.h"
62+
6163
using conscrypt::AppData;
6264
using conscrypt::BioInputStream;
6365
using conscrypt::BioOutputStream;
@@ -8419,8 +8421,7 @@ static SSL_SESSION* server_session_requested_callback(SSL* ssl, const uint8_t* i
84198421
return ssl_session_ptr;
84208422
}
84218423

8422-
static jint NativeCrypto_EVP_has_aes_hardware(JNIEnv* env, jclass) {
8423-
CHECK_ERROR_QUEUE_ON_RETURN;
8424+
static jint NativeCrypto_EVP_has_aes_hardware(CRITICAL_JNI_PARAMS) {
84248425
int ret = 0;
84258426
ret = EVP_has_aes_hardware();
84268427
JNI_TRACE("EVP_has_aes_hardware => %d", ret);
@@ -10714,9 +10715,8 @@ static jlong NativeCrypto_SSL_get_timeout(JNIEnv* env, jclass, jlong ssl_address
1071410715
return result;
1071510716
}
1071610717

10717-
static jint NativeCrypto_SSL_get_signature_algorithm_key_type(JNIEnv* env, jclass,
10718-
jint signatureAlg) {
10719-
CHECK_ERROR_QUEUE_ON_RETURN;
10718+
static jint NativeCrypto_SSL_get_signature_algorithm_key_type(
10719+
CRITICAL_JNI_PARAMS_COMMA jint signatureAlg) {
1072010720
return SSL_get_signature_algorithm_key_type(signatureAlg);
1072110721
}
1072210722

@@ -11189,7 +11189,7 @@ static jint NativeCrypto_SSL_get_error(JNIEnv* env, jclass, jlong ssl_address,
1118911189
return SSL_get_error(ssl, ret);
1119011190
}
1119111191

11192-
static void NativeCrypto_SSL_clear_error(JNIEnv*, jclass) {
11192+
static void NativeCrypto_SSL_clear_error(CRITICAL_JNI_PARAMS) {
1119311193
ERR_clear_error();
1119411194
}
1119511195

common/src/jni/main/include/conscrypt/jniutil.h

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,14 @@
2626
namespace conscrypt {
2727
namespace jniutil {
2828

29+
#ifdef __ANDROID__
30+
#define CRITICAL_JNI_PARAMS
31+
#define CRITICAL_JNI_PARAMS_COMMA
32+
#else
33+
#define CRITICAL_JNI_PARAMS JNIEnv*, jclass
34+
#define CRITICAL_JNI_PARAMS_COMMA JNIEnv*, jclass,
35+
#endif
36+
2937
extern JavaVM* gJavaVM;
3038
extern jclass cryptoUpcallsClass;
3139
extern jclass openSslInputStreamClass;

common/src/main/java/org/conscrypt/AbstractConscryptEngine.java

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -135,6 +135,13 @@ public abstract SSLEngineResult wrap(ByteBuffer[] srcs, int srcsOffset, int srcs
135135
*/
136136
abstract void setUseSessionTickets(boolean useSessionTickets);
137137

138+
/**
139+
* This method sets the ECH config data to be used in the TLS handshake.
140+
*
141+
* @param echConfigList the ECH config data to be used in the TLS handshake
142+
*/
143+
abstract void setEchConfigList(byte[] echConfigList);
144+
138145
/**
139146
* Sets the list of ALPN protocols.
140147
*

common/src/main/java/org/conscrypt/AbstractConscryptSocket.java

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -627,6 +627,13 @@ private boolean isDelegating() {
627627
*/
628628
abstract void setUseSessionTickets(boolean useSessionTickets);
629629

630+
/**
631+
* This method sets the ECH config data to be used in the TLS handshake.
632+
*
633+
* @param echConfigList the ECH config data to be used in the TLS handshake
634+
*/
635+
abstract void setEchConfigList(byte[] echConfigList);
636+
630637
/**
631638
* Enables/disables TLS Channel ID for this server socket.
632639
*

common/src/main/java/org/conscrypt/BufferUtils.java

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -22,13 +22,18 @@
2222

2323
import java.nio.ByteBuffer;
2424

25-
final class BufferUtils {
25+
/**
26+
* Utility methods for dealing with arrays of ByteBuffers.
27+
*
28+
* @hide This class is not part of the Android public SDK API
29+
*/
30+
public final class BufferUtils {
2631
private BufferUtils() {}
2732

2833
/**
2934
* Throws {@link IllegalArgumentException} if any of the buffers in the array are null.
3035
*/
31-
static void checkNotNull(ByteBuffer[] buffers) {
36+
public static void checkNotNull(ByteBuffer[] buffers) {
3237
for (ByteBuffer buffer : buffers) {
3338
if (buffer == null) {
3439
throw new IllegalArgumentException("Null buffer in array");
@@ -39,7 +44,7 @@ static void checkNotNull(ByteBuffer[] buffers) {
3944
/**
4045
* Returns the total number of bytes remaining in the buffer array.
4146
*/
42-
static long remaining(ByteBuffer[] buffers) {
47+
public static long remaining(ByteBuffer[] buffers) {
4348
long size = 0;
4449
for (ByteBuffer buffer : buffers) {
4550
size += buffer.remaining();
@@ -52,7 +57,7 @@ static long remaining(ByteBuffer[] buffers) {
5257
*
5358
* @throws IllegalArgumentException if there are fewer than {@code toConsume} bytes remaining
5459
*/
55-
static void consume(ByteBuffer[] sourceBuffers, int toConsume) {
60+
public static void consume(ByteBuffer[] sourceBuffers, int toConsume) {
5661
for (ByteBuffer sourceBuffer : sourceBuffers) {
5762
int amount = min(sourceBuffer.remaining(), toConsume);
5863
if (amount > 0) {
@@ -72,7 +77,7 @@ static void consume(ByteBuffer[] sourceBuffers, int toConsume) {
7277
* Looks for a buffer in the buffer array which EITHER is larger than {@code minSize} AND
7378
* has no preceding non-empty buffers OR is the only non-empty buffer in the array.
7479
*/
75-
static ByteBuffer getBufferLargerThan(ByteBuffer[] buffers, int minSize) {
80+
public static ByteBuffer getBufferLargerThan(ByteBuffer[] buffers, int minSize) {
7681
int length = buffers.length;
7782
for (int i = 0; i < length; i++) {
7883
ByteBuffer buffer = buffers[i];

common/src/main/java/org/conscrypt/CertBlocklist.java

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,12 +16,15 @@
1616

1717
package org.conscrypt;
1818

19+
import org.conscrypt.Internal;
20+
1921
import java.math.BigInteger;
2022
import java.security.PublicKey;
2123

2224
/**
2325
* A set of certificates that are blacklisted from trust.
2426
*/
27+
@Internal
2528
public interface CertBlocklist {
2629
/**
2730
* Returns whether the given public key is in the blacklist.
Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
/*
2+
* Copyright 2025 The Android Open Source Project
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* http://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
17+
package org.conscrypt;
18+
19+
import org.conscrypt.Internal;
20+
21+
/**
22+
* An entry in the blocklist, for the purpose of reporting.
23+
*/
24+
@Internal
25+
public interface CertBlocklistEntry {
26+
enum Origin { SHA1_TEST, SHA1_BUILT_IN, SHA1_FILE, SHA256_TEST, SHA256_BUILT_IN, SHA256_FILE }
27+
28+
/**
29+
* Returns the origin of this entry.
30+
*/
31+
Origin getOrigin();
32+
33+
/**
34+
* Returns the index of this entry in its blocklist.
35+
*/
36+
int getIndex();
37+
}

0 commit comments

Comments
 (0)