1 /* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.conscrypt; 18 19 import java.io.FileDescriptor; 20 import java.io.IOException; 21 import java.io.OutputStream; 22 import java.net.SocketTimeoutException; 23 import java.nio.Buffer; 24 import java.security.InvalidAlgorithmParameterException; 25 import java.security.InvalidKeyException; 26 import java.security.MessageDigest; 27 import java.security.NoSuchAlgorithmException; 28 import java.security.PrivateKey; 29 import java.security.SignatureException; 30 import java.security.cert.CertificateEncodingException; 31 import java.security.cert.CertificateException; 32 import java.security.cert.CertificateParsingException; 33 import java.util.ArrayList; 34 import java.util.Calendar; 35 import java.util.HashSet; 36 import java.util.List; 37 import java.util.Set; 38 import javax.crypto.BadPaddingException; 39 import javax.crypto.IllegalBlockSizeException; 40 import javax.net.ssl.SSLException; 41 import javax.security.auth.x500.X500Principal; 42 import org.conscrypt.OpenSSLX509CertificateFactory.ParsingException; 43 44 /** 45 * Provides the Java side of our JNI glue for OpenSSL. 46 * 47 * @hide 48 */ 49 @Internal 50 public final class NativeCrypto { 51 // --- OpenSSL library initialization -------------------------------------- 52 static { NativeCryptoJni.init()53 NativeCryptoJni.init(); clinit()54 clinit(); 55 } 56 clinit()57 private native static void clinit(); 58 59 /** 60 * Does nothing. Just for forcing static initialization. 61 */ checkAvailability()62 static void checkAvailability() { 63 } 64 65 // --- DSA/RSA public/private key handling functions ----------------------- 66 EVP_PKEY_new_RSA(byte[] n, byte[] e, byte[] d, byte[] p, byte[] q, byte[] dmp1, byte[] dmq1, byte[] iqmp)67 static native long EVP_PKEY_new_RSA(byte[] n, byte[] e, byte[] d, byte[] p, byte[] q, 68 byte[] dmp1, byte[] dmq1, byte[] iqmp); 69 EVP_PKEY_type(NativeRef.EVP_PKEY pkey)70 static native int EVP_PKEY_type(NativeRef.EVP_PKEY pkey); 71 EVP_PKEY_print_public(NativeRef.EVP_PKEY pkeyRef)72 static native String EVP_PKEY_print_public(NativeRef.EVP_PKEY pkeyRef); 73 EVP_PKEY_print_params(NativeRef.EVP_PKEY pkeyRef)74 static native String EVP_PKEY_print_params(NativeRef.EVP_PKEY pkeyRef); 75 EVP_PKEY_free(long pkey)76 static native void EVP_PKEY_free(long pkey); 77 EVP_PKEY_cmp(NativeRef.EVP_PKEY pkey1, NativeRef.EVP_PKEY pkey2)78 static native int EVP_PKEY_cmp(NativeRef.EVP_PKEY pkey1, NativeRef.EVP_PKEY pkey2); 79 EVP_marshal_private_key(NativeRef.EVP_PKEY pkey)80 static native byte[] EVP_marshal_private_key(NativeRef.EVP_PKEY pkey); 81 EVP_parse_private_key(byte[] data)82 static native long EVP_parse_private_key(byte[] data); 83 EVP_marshal_public_key(NativeRef.EVP_PKEY pkey)84 static native byte[] EVP_marshal_public_key(NativeRef.EVP_PKEY pkey); 85 EVP_parse_public_key(byte[] data)86 static native long EVP_parse_public_key(byte[] data); 87 PEM_read_bio_PUBKEY(long bioCtx)88 static native long PEM_read_bio_PUBKEY(long bioCtx); 89 PEM_read_bio_PrivateKey(long bioCtx)90 static native long PEM_read_bio_PrivateKey(long bioCtx); 91 getRSAPrivateKeyWrapper(PrivateKey key, byte[] modulus)92 static native long getRSAPrivateKeyWrapper(PrivateKey key, byte[] modulus); 93 getECPrivateKeyWrapper(PrivateKey key, NativeRef.EC_GROUP ecGroupRef)94 static native long getECPrivateKeyWrapper(PrivateKey key, NativeRef.EC_GROUP ecGroupRef); 95 RSA_generate_key_ex(int modulusBits, byte[] publicExponent)96 static native long RSA_generate_key_ex(int modulusBits, byte[] publicExponent); 97 RSA_size(NativeRef.EVP_PKEY pkey)98 static native int RSA_size(NativeRef.EVP_PKEY pkey); 99 RSA_private_encrypt( int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, int padding)100 static native int RSA_private_encrypt( 101 int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, int padding); 102 RSA_public_decrypt(int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, int padding)103 static native int RSA_public_decrypt(int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, 104 int padding) throws BadPaddingException, SignatureException; 105 RSA_public_encrypt( int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, int padding)106 static native int RSA_public_encrypt( 107 int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, int padding); 108 RSA_private_decrypt(int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, int padding)109 static native int RSA_private_decrypt(int flen, byte[] from, byte[] to, NativeRef.EVP_PKEY pkey, 110 int padding) throws BadPaddingException, SignatureException; 111 112 /** 113 * @return array of {n, e} 114 */ get_RSA_public_params(NativeRef.EVP_PKEY rsa)115 static native byte[][] get_RSA_public_params(NativeRef.EVP_PKEY rsa); 116 117 /** 118 * @return array of {n, e, d, p, q, dmp1, dmq1, iqmp} 119 */ get_RSA_private_params(NativeRef.EVP_PKEY rsa)120 static native byte[][] get_RSA_private_params(NativeRef.EVP_PKEY rsa); 121 122 // --- EC functions -------------------------- 123 EVP_PKEY_new_EC_KEY( NativeRef.EC_GROUP groupRef, NativeRef.EC_POINT pubkeyRef, byte[] privkey)124 static native long EVP_PKEY_new_EC_KEY( 125 NativeRef.EC_GROUP groupRef, NativeRef.EC_POINT pubkeyRef, byte[] privkey); 126 EC_GROUP_new_by_curve_name(String curveName)127 static native long EC_GROUP_new_by_curve_name(String curveName); 128 EC_GROUP_new_arbitrary( byte[] p, byte[] a, byte[] b, byte[] x, byte[] y, byte[] order, int cofactor)129 static native long EC_GROUP_new_arbitrary( 130 byte[] p, byte[] a, byte[] b, byte[] x, byte[] y, byte[] order, int cofactor); 131 EC_GROUP_get_curve_name(NativeRef.EC_GROUP groupRef)132 static native String EC_GROUP_get_curve_name(NativeRef.EC_GROUP groupRef); 133 EC_GROUP_get_curve(NativeRef.EC_GROUP groupRef)134 static native byte[][] EC_GROUP_get_curve(NativeRef.EC_GROUP groupRef); 135 EC_GROUP_clear_free(long groupRef)136 static native void EC_GROUP_clear_free(long groupRef); 137 EC_GROUP_get_generator(NativeRef.EC_GROUP groupRef)138 static native long EC_GROUP_get_generator(NativeRef.EC_GROUP groupRef); 139 EC_GROUP_get_order(NativeRef.EC_GROUP groupRef)140 static native byte[] EC_GROUP_get_order(NativeRef.EC_GROUP groupRef); 141 EC_GROUP_get_degree(NativeRef.EC_GROUP groupRef)142 static native int EC_GROUP_get_degree(NativeRef.EC_GROUP groupRef); 143 EC_GROUP_get_cofactor(NativeRef.EC_GROUP groupRef)144 static native byte[] EC_GROUP_get_cofactor(NativeRef.EC_GROUP groupRef); 145 EC_POINT_new(NativeRef.EC_GROUP groupRef)146 static native long EC_POINT_new(NativeRef.EC_GROUP groupRef); 147 EC_POINT_clear_free(long pointRef)148 static native void EC_POINT_clear_free(long pointRef); 149 EC_POINT_get_affine_coordinates( NativeRef.EC_GROUP groupRef, NativeRef.EC_POINT pointRef)150 static native byte[][] EC_POINT_get_affine_coordinates( 151 NativeRef.EC_GROUP groupRef, NativeRef.EC_POINT pointRef); 152 EC_POINT_set_affine_coordinates( NativeRef.EC_GROUP groupRef, NativeRef.EC_POINT pointRef, byte[] x, byte[] y)153 static native void EC_POINT_set_affine_coordinates( 154 NativeRef.EC_GROUP groupRef, NativeRef.EC_POINT pointRef, byte[] x, byte[] y); 155 EC_KEY_generate_key(NativeRef.EC_GROUP groupRef)156 static native long EC_KEY_generate_key(NativeRef.EC_GROUP groupRef); 157 EC_KEY_get1_group(NativeRef.EVP_PKEY pkeyRef)158 static native long EC_KEY_get1_group(NativeRef.EVP_PKEY pkeyRef); 159 EC_KEY_get_private_key(NativeRef.EVP_PKEY keyRef)160 static native byte[] EC_KEY_get_private_key(NativeRef.EVP_PKEY keyRef); 161 EC_KEY_get_public_key(NativeRef.EVP_PKEY keyRef)162 static native long EC_KEY_get_public_key(NativeRef.EVP_PKEY keyRef); 163 ECDH_compute_key(byte[] out, int outOffset, NativeRef.EVP_PKEY publicKeyRef, NativeRef.EVP_PKEY privateKeyRef)164 static native int ECDH_compute_key(byte[] out, int outOffset, NativeRef.EVP_PKEY publicKeyRef, 165 NativeRef.EVP_PKEY privateKeyRef) throws InvalidKeyException; 166 ECDSA_size(NativeRef.EVP_PKEY pkey)167 static native int ECDSA_size(NativeRef.EVP_PKEY pkey); 168 ECDSA_sign(byte[] data, byte[] sig, NativeRef.EVP_PKEY pkey)169 static native int ECDSA_sign(byte[] data, byte[] sig, NativeRef.EVP_PKEY pkey); 170 ECDSA_verify(byte[] data, byte[] sig, NativeRef.EVP_PKEY pkey)171 static native int ECDSA_verify(byte[] data, byte[] sig, NativeRef.EVP_PKEY pkey); 172 173 // --- Message digest functions -------------- 174 175 // These return const references EVP_get_digestbyname(String name)176 static native long EVP_get_digestbyname(String name); 177 EVP_MD_size(long evp_md_const)178 static native int EVP_MD_size(long evp_md_const); 179 180 // --- Message digest context functions -------------- 181 EVP_MD_CTX_create()182 static native long EVP_MD_CTX_create(); 183 EVP_MD_CTX_cleanup(NativeRef.EVP_MD_CTX ctx)184 static native void EVP_MD_CTX_cleanup(NativeRef.EVP_MD_CTX ctx); 185 EVP_MD_CTX_destroy(long ctx)186 static native void EVP_MD_CTX_destroy(long ctx); 187 EVP_MD_CTX_copy_ex( NativeRef.EVP_MD_CTX dst_ctx, NativeRef.EVP_MD_CTX src_ctx)188 static native int EVP_MD_CTX_copy_ex( 189 NativeRef.EVP_MD_CTX dst_ctx, NativeRef.EVP_MD_CTX src_ctx); 190 191 // --- Digest handling functions ------------------------------------------- 192 EVP_DigestInit_ex(NativeRef.EVP_MD_CTX ctx, long evp_md)193 static native int EVP_DigestInit_ex(NativeRef.EVP_MD_CTX ctx, long evp_md); 194 EVP_DigestUpdate( NativeRef.EVP_MD_CTX ctx, byte[] buffer, int offset, int length)195 static native void EVP_DigestUpdate( 196 NativeRef.EVP_MD_CTX ctx, byte[] buffer, int offset, int length); 197 EVP_DigestUpdateDirect(NativeRef.EVP_MD_CTX ctx, long ptr, int length)198 static native void EVP_DigestUpdateDirect(NativeRef.EVP_MD_CTX ctx, long ptr, int length); 199 EVP_DigestFinal_ex(NativeRef.EVP_MD_CTX ctx, byte[] hash, int offset)200 static native int EVP_DigestFinal_ex(NativeRef.EVP_MD_CTX ctx, byte[] hash, int offset); 201 202 // --- Signature handling functions ---------------------------------------- 203 EVP_DigestSignInit( NativeRef.EVP_MD_CTX ctx, long evpMdRef, NativeRef.EVP_PKEY key)204 static native long EVP_DigestSignInit( 205 NativeRef.EVP_MD_CTX ctx, long evpMdRef, NativeRef.EVP_PKEY key); 206 EVP_DigestVerifyInit( NativeRef.EVP_MD_CTX ctx, long evpMdRef, NativeRef.EVP_PKEY key)207 static native long EVP_DigestVerifyInit( 208 NativeRef.EVP_MD_CTX ctx, long evpMdRef, NativeRef.EVP_PKEY key); 209 EVP_DigestSignUpdate( NativeRef.EVP_MD_CTX ctx, byte[] buffer, int offset, int length)210 static native void EVP_DigestSignUpdate( 211 NativeRef.EVP_MD_CTX ctx, byte[] buffer, int offset, int length); 212 EVP_DigestSignUpdateDirect(NativeRef.EVP_MD_CTX ctx, long ptr, int length)213 static native void EVP_DigestSignUpdateDirect(NativeRef.EVP_MD_CTX ctx, long ptr, int length); 214 EVP_DigestVerifyUpdate( NativeRef.EVP_MD_CTX ctx, byte[] buffer, int offset, int length)215 static native void EVP_DigestVerifyUpdate( 216 NativeRef.EVP_MD_CTX ctx, byte[] buffer, int offset, int length); 217 EVP_DigestVerifyUpdateDirect(NativeRef.EVP_MD_CTX ctx, long ptr, int length)218 static native void EVP_DigestVerifyUpdateDirect(NativeRef.EVP_MD_CTX ctx, long ptr, int length); 219 EVP_DigestSignFinal(NativeRef.EVP_MD_CTX ctx)220 static native byte[] EVP_DigestSignFinal(NativeRef.EVP_MD_CTX ctx); 221 EVP_DigestVerifyFinal( NativeRef.EVP_MD_CTX ctx, byte[] signature, int offset, int length)222 static native boolean EVP_DigestVerifyFinal( 223 NativeRef.EVP_MD_CTX ctx, byte[] signature, int offset, int length); 224 EVP_PKEY_encrypt_init(NativeRef.EVP_PKEY pkey)225 static native long EVP_PKEY_encrypt_init(NativeRef.EVP_PKEY pkey); 226 EVP_PKEY_encrypt(NativeRef.EVP_PKEY_CTX ctx, byte[] out, int outOffset, byte[] input, int inOffset, int inLength)227 static native int EVP_PKEY_encrypt(NativeRef.EVP_PKEY_CTX ctx, byte[] out, int outOffset, 228 byte[] input, int inOffset, int inLength); 229 EVP_PKEY_decrypt_init(NativeRef.EVP_PKEY pkey)230 static native long EVP_PKEY_decrypt_init(NativeRef.EVP_PKEY pkey); 231 EVP_PKEY_decrypt(NativeRef.EVP_PKEY_CTX ctx, byte[] out, int outOffset, byte[] input, int inOffset, int inLength)232 static native int EVP_PKEY_decrypt(NativeRef.EVP_PKEY_CTX ctx, byte[] out, int outOffset, 233 byte[] input, int inOffset, int inLength); 234 EVP_PKEY_CTX_free(long pkeyCtx)235 static native void EVP_PKEY_CTX_free(long pkeyCtx); 236 EVP_PKEY_CTX_set_rsa_padding(long ctx, int pad)237 static native void EVP_PKEY_CTX_set_rsa_padding(long ctx, int pad) 238 throws InvalidAlgorithmParameterException; 239 EVP_PKEY_CTX_set_rsa_pss_saltlen(long ctx, int len)240 static native void EVP_PKEY_CTX_set_rsa_pss_saltlen(long ctx, int len) 241 throws InvalidAlgorithmParameterException; 242 EVP_PKEY_CTX_set_rsa_mgf1_md(long ctx, long evpMdRef)243 static native void EVP_PKEY_CTX_set_rsa_mgf1_md(long ctx, long evpMdRef) 244 throws InvalidAlgorithmParameterException; 245 EVP_PKEY_CTX_set_rsa_oaep_md(long ctx, long evpMdRef)246 static native void EVP_PKEY_CTX_set_rsa_oaep_md(long ctx, long evpMdRef) 247 throws InvalidAlgorithmParameterException; 248 EVP_PKEY_CTX_set_rsa_oaep_label(long ctx, byte[] label)249 static native void EVP_PKEY_CTX_set_rsa_oaep_label(long ctx, byte[] label) 250 throws InvalidAlgorithmParameterException; 251 252 // --- Block ciphers ------------------------------------------------------- 253 254 // These return const references EVP_get_cipherbyname(String string)255 static native long EVP_get_cipherbyname(String string); 256 EVP_CipherInit_ex(NativeRef.EVP_CIPHER_CTX ctx, long evpCipher, byte[] key, byte[] iv, boolean encrypting)257 static native void EVP_CipherInit_ex(NativeRef.EVP_CIPHER_CTX ctx, long evpCipher, byte[] key, 258 byte[] iv, boolean encrypting); 259 EVP_CipherUpdate(NativeRef.EVP_CIPHER_CTX ctx, byte[] out, int outOffset, byte[] in, int inOffset, int inLength)260 static native int EVP_CipherUpdate(NativeRef.EVP_CIPHER_CTX ctx, byte[] out, int outOffset, 261 byte[] in, int inOffset, int inLength); 262 EVP_CipherFinal_ex(NativeRef.EVP_CIPHER_CTX ctx, byte[] out, int outOffset)263 static native int EVP_CipherFinal_ex(NativeRef.EVP_CIPHER_CTX ctx, byte[] out, int outOffset) 264 throws BadPaddingException, IllegalBlockSizeException; 265 EVP_CIPHER_iv_length(long evpCipher)266 static native int EVP_CIPHER_iv_length(long evpCipher); 267 EVP_CIPHER_CTX_new()268 static native long EVP_CIPHER_CTX_new(); 269 EVP_CIPHER_CTX_block_size(NativeRef.EVP_CIPHER_CTX ctx)270 static native int EVP_CIPHER_CTX_block_size(NativeRef.EVP_CIPHER_CTX ctx); 271 get_EVP_CIPHER_CTX_buf_len(NativeRef.EVP_CIPHER_CTX ctx)272 static native int get_EVP_CIPHER_CTX_buf_len(NativeRef.EVP_CIPHER_CTX ctx); 273 get_EVP_CIPHER_CTX_final_used(NativeRef.EVP_CIPHER_CTX ctx)274 static native boolean get_EVP_CIPHER_CTX_final_used(NativeRef.EVP_CIPHER_CTX ctx); 275 EVP_CIPHER_CTX_set_padding( NativeRef.EVP_CIPHER_CTX ctx, boolean enablePadding)276 static native void EVP_CIPHER_CTX_set_padding( 277 NativeRef.EVP_CIPHER_CTX ctx, boolean enablePadding); 278 EVP_CIPHER_CTX_set_key_length(NativeRef.EVP_CIPHER_CTX ctx, int keyBitSize)279 static native void EVP_CIPHER_CTX_set_key_length(NativeRef.EVP_CIPHER_CTX ctx, int keyBitSize); 280 EVP_CIPHER_CTX_free(long ctx)281 static native void EVP_CIPHER_CTX_free(long ctx); 282 283 // --- AEAD ---------------------------------------------------------------- EVP_aead_aes_128_gcm()284 static native long EVP_aead_aes_128_gcm(); 285 EVP_aead_aes_256_gcm()286 static native long EVP_aead_aes_256_gcm(); 287 EVP_AEAD_max_overhead(long evpAead)288 static native int EVP_AEAD_max_overhead(long evpAead); 289 EVP_AEAD_nonce_length(long evpAead)290 static native int EVP_AEAD_nonce_length(long evpAead); 291 EVP_AEAD_CTX_seal(long evpAead, byte[] key, int tagLengthInBytes, byte[] out, int outOffset, byte[] nonce, byte[] in, int inOffset, int inLength, byte[] ad)292 static native int EVP_AEAD_CTX_seal(long evpAead, byte[] key, int tagLengthInBytes, byte[] out, 293 int outOffset, byte[] nonce, byte[] in, int inOffset, int inLength, byte[] ad) 294 throws BadPaddingException; 295 EVP_AEAD_CTX_open(long evpAead, byte[] key, int tagLengthInBytes, byte[] out, int outOffset, byte[] nonce, byte[] in, int inOffset, int inLength, byte[] ad)296 static native int EVP_AEAD_CTX_open(long evpAead, byte[] key, int tagLengthInBytes, byte[] out, 297 int outOffset, byte[] nonce, byte[] in, int inOffset, int inLength, byte[] ad) 298 throws BadPaddingException; 299 300 // --- HMAC functions ------------------------------------------------------ 301 HMAC_CTX_new()302 static native long HMAC_CTX_new(); 303 HMAC_CTX_free(long ctx)304 static native void HMAC_CTX_free(long ctx); 305 HMAC_Init_ex(NativeRef.HMAC_CTX ctx, byte[] key, long evp_md)306 static native void HMAC_Init_ex(NativeRef.HMAC_CTX ctx, byte[] key, long evp_md); 307 HMAC_Update(NativeRef.HMAC_CTX ctx, byte[] in, int inOffset, int inLength)308 static native void HMAC_Update(NativeRef.HMAC_CTX ctx, byte[] in, int inOffset, int inLength); 309 HMAC_UpdateDirect(NativeRef.HMAC_CTX ctx, long inPtr, int inLength)310 static native void HMAC_UpdateDirect(NativeRef.HMAC_CTX ctx, long inPtr, int inLength); 311 HMAC_Final(NativeRef.HMAC_CTX ctx)312 static native byte[] HMAC_Final(NativeRef.HMAC_CTX ctx); 313 314 // --- RAND ---------------------------------------------------------------- 315 RAND_bytes(byte[] output)316 static native void RAND_bytes(byte[] output); 317 318 // --- X509_NAME ----------------------------------------------------------- 319 X509_NAME_hash(X500Principal principal)320 static int X509_NAME_hash(X500Principal principal) { 321 return X509_NAME_hash(principal, "SHA1"); 322 } 323 X509_NAME_hash_old(X500Principal principal)324 public static int X509_NAME_hash_old(X500Principal principal) { 325 return X509_NAME_hash(principal, "MD5"); 326 } X509_NAME_hash(X500Principal principal, String algorithm)327 private static int X509_NAME_hash(X500Principal principal, String algorithm) { 328 try { 329 byte[] digest = MessageDigest.getInstance(algorithm).digest(principal.getEncoded()); 330 int offset = 0; 331 return (((digest[offset++] & 0xff) << 0) | ((digest[offset++] & 0xff) << 8) 332 | ((digest[offset++] & 0xff) << 16) | ((digest[offset] & 0xff) << 24)); 333 } catch (NoSuchAlgorithmException e) { 334 throw new AssertionError(e); 335 } 336 } 337 338 // --- X509 ---------------------------------------------------------------- 339 340 /** Used to request get_X509_GENERAL_NAME_stack get the "altname" field. */ 341 static final int GN_STACK_SUBJECT_ALT_NAME = 1; 342 343 /** 344 * Used to request get_X509_GENERAL_NAME_stack get the issuerAlternativeName 345 * extension. 346 */ 347 static final int GN_STACK_ISSUER_ALT_NAME = 2; 348 349 /** 350 * Used to request only non-critical types in get_X509*_ext_oids. 351 */ 352 static final int EXTENSION_TYPE_NON_CRITICAL = 0; 353 354 /** 355 * Used to request only critical types in get_X509*_ext_oids. 356 */ 357 static final int EXTENSION_TYPE_CRITICAL = 1; 358 d2i_X509_bio(long bioCtx)359 static native long d2i_X509_bio(long bioCtx); 360 d2i_X509(byte[] encoded)361 static native long d2i_X509(byte[] encoded) throws ParsingException; 362 PEM_read_bio_X509(long bioCtx)363 static native long PEM_read_bio_X509(long bioCtx); 364 i2d_X509(long x509ctx)365 static native byte[] i2d_X509(long x509ctx); 366 367 /** Takes an X509 context not an X509_PUBKEY context. */ i2d_X509_PUBKEY(long x509ctx)368 static native byte[] i2d_X509_PUBKEY(long x509ctx); 369 ASN1_seq_pack_X509(long[] x509CertRefs)370 static native byte[] ASN1_seq_pack_X509(long[] x509CertRefs); 371 ASN1_seq_unpack_X509_bio(long bioRef)372 static native long[] ASN1_seq_unpack_X509_bio(long bioRef); 373 X509_free(long x509ctx)374 static native void X509_free(long x509ctx); 375 X509_dup(long x509ctx)376 static native long X509_dup(long x509ctx); 377 X509_cmp(long x509ctx1, long x509ctx2)378 static native int X509_cmp(long x509ctx1, long x509ctx2); 379 X509_print_ex(long bioCtx, long x509ctx, long nmflag, long certflag)380 static native void X509_print_ex(long bioCtx, long x509ctx, long nmflag, long certflag); 381 X509_get_issuer_name(long x509ctx)382 static native byte[] X509_get_issuer_name(long x509ctx); 383 X509_get_subject_name(long x509ctx)384 static native byte[] X509_get_subject_name(long x509ctx); 385 get_X509_sig_alg_oid(long x509ctx)386 static native String get_X509_sig_alg_oid(long x509ctx); 387 get_X509_sig_alg_parameter(long x509ctx)388 static native byte[] get_X509_sig_alg_parameter(long x509ctx); 389 get_X509_issuerUID(long x509ctx)390 static native boolean[] get_X509_issuerUID(long x509ctx); 391 get_X509_subjectUID(long x509ctx)392 static native boolean[] get_X509_subjectUID(long x509ctx); 393 X509_get_pubkey(long x509ctx)394 static native long X509_get_pubkey(long x509ctx) 395 throws NoSuchAlgorithmException, InvalidKeyException; 396 get_X509_pubkey_oid(long x509ctx)397 static native String get_X509_pubkey_oid(long x509ctx); 398 X509_get_ext_oid(long x509ctx, String oid)399 static native byte[] X509_get_ext_oid(long x509ctx, String oid); 400 get_X509_ext_oids(long x509ctx, int critical)401 static native String[] get_X509_ext_oids(long x509ctx, int critical); 402 get_X509_GENERAL_NAME_stack(long x509ctx, int type)403 static native Object[][] get_X509_GENERAL_NAME_stack(long x509ctx, int type) 404 throws CertificateParsingException; 405 get_X509_ex_kusage(long x509ctx)406 static native boolean[] get_X509_ex_kusage(long x509ctx); 407 get_X509_ex_xkusage(long x509ctx)408 static native String[] get_X509_ex_xkusage(long x509ctx); 409 get_X509_ex_pathlen(long x509ctx)410 static native int get_X509_ex_pathlen(long x509ctx); 411 X509_get_notBefore(long x509ctx)412 static native long X509_get_notBefore(long x509ctx); 413 X509_get_notAfter(long x509ctx)414 static native long X509_get_notAfter(long x509ctx); 415 X509_get_version(long x509ctx)416 static native long X509_get_version(long x509ctx); 417 X509_get_serialNumber(long x509ctx)418 static native byte[] X509_get_serialNumber(long x509ctx); 419 X509_verify(long x509ctx, NativeRef.EVP_PKEY pkeyCtx)420 static native void X509_verify(long x509ctx, NativeRef.EVP_PKEY pkeyCtx) 421 throws BadPaddingException; 422 get_X509_cert_info_enc(long x509ctx)423 static native byte[] get_X509_cert_info_enc(long x509ctx); 424 get_X509_signature(long x509ctx)425 static native byte[] get_X509_signature(long x509ctx); 426 get_X509_ex_flags(long x509ctx)427 static native int get_X509_ex_flags(long x509ctx); 428 X509_check_issued(long ctx, long ctx2)429 static native int X509_check_issued(long ctx, long ctx2); 430 431 // --- PKCS7 --------------------------------------------------------------- 432 433 /** Used as the "which" field in d2i_PKCS7_bio and PEM_read_bio_PKCS7. */ 434 static final int PKCS7_CERTS = 1; 435 436 /** Used as the "which" field in d2i_PKCS7_bio and PEM_read_bio_PKCS7. */ 437 static final int PKCS7_CRLS = 2; 438 439 /** Returns an array of X509 or X509_CRL pointers. */ d2i_PKCS7_bio(long bioCtx, int which)440 static native long[] d2i_PKCS7_bio(long bioCtx, int which); 441 442 /** Returns an array of X509 or X509_CRL pointers. */ i2d_PKCS7(long[] certs)443 static native byte[] i2d_PKCS7(long[] certs); 444 445 /** Returns an array of X509 or X509_CRL pointers. */ PEM_read_bio_PKCS7(long bioCtx, int which)446 static native long[] PEM_read_bio_PKCS7(long bioCtx, int which); 447 448 // --- X509_CRL ------------------------------------------------------------ 449 d2i_X509_CRL_bio(long bioCtx)450 static native long d2i_X509_CRL_bio(long bioCtx); 451 PEM_read_bio_X509_CRL(long bioCtx)452 static native long PEM_read_bio_X509_CRL(long bioCtx); 453 i2d_X509_CRL(long x509CrlCtx)454 static native byte[] i2d_X509_CRL(long x509CrlCtx); 455 X509_CRL_free(long x509CrlCtx)456 static native void X509_CRL_free(long x509CrlCtx); 457 X509_CRL_print(long bioCtx, long x509CrlCtx)458 static native void X509_CRL_print(long bioCtx, long x509CrlCtx); 459 get_X509_CRL_sig_alg_oid(long x509CrlCtx)460 static native String get_X509_CRL_sig_alg_oid(long x509CrlCtx); 461 get_X509_CRL_sig_alg_parameter(long x509CrlCtx)462 static native byte[] get_X509_CRL_sig_alg_parameter(long x509CrlCtx); 463 X509_CRL_get_issuer_name(long x509CrlCtx)464 static native byte[] X509_CRL_get_issuer_name(long x509CrlCtx); 465 466 /** Returns X509_REVOKED reference that is not duplicated! */ X509_CRL_get0_by_cert(long x509CrlCtx, long x509Ctx)467 static native long X509_CRL_get0_by_cert(long x509CrlCtx, long x509Ctx); 468 469 /** Returns X509_REVOKED reference that is not duplicated! */ X509_CRL_get0_by_serial(long x509CrlCtx, byte[] serial)470 static native long X509_CRL_get0_by_serial(long x509CrlCtx, byte[] serial); 471 472 /** Returns an array of X509_REVOKED that are owned by the caller. */ X509_CRL_get_REVOKED(long x509CrlCtx)473 static native long[] X509_CRL_get_REVOKED(long x509CrlCtx); 474 get_X509_CRL_ext_oids(long x509ctx, int critical)475 static native String[] get_X509_CRL_ext_oids(long x509ctx, int critical); 476 X509_CRL_get_ext_oid(long x509CrlCtx, String oid)477 static native byte[] X509_CRL_get_ext_oid(long x509CrlCtx, String oid); 478 X509_delete_ext(long x509, String oid)479 static native void X509_delete_ext(long x509, String oid); 480 X509_CRL_get_version(long x509CrlCtx)481 static native long X509_CRL_get_version(long x509CrlCtx); 482 X509_CRL_get_ext(long x509CrlCtx, String oid)483 static native long X509_CRL_get_ext(long x509CrlCtx, String oid); 484 get_X509_CRL_signature(long x509ctx)485 static native byte[] get_X509_CRL_signature(long x509ctx); 486 X509_CRL_verify(long x509CrlCtx, NativeRef.EVP_PKEY pkeyCtx)487 static native void X509_CRL_verify(long x509CrlCtx, NativeRef.EVP_PKEY pkeyCtx); 488 get_X509_CRL_crl_enc(long x509CrlCtx)489 static native byte[] get_X509_CRL_crl_enc(long x509CrlCtx); 490 X509_CRL_get_lastUpdate(long x509CrlCtx)491 static native long X509_CRL_get_lastUpdate(long x509CrlCtx); 492 X509_CRL_get_nextUpdate(long x509CrlCtx)493 static native long X509_CRL_get_nextUpdate(long x509CrlCtx); 494 495 // --- X509_REVOKED -------------------------------------------------------- 496 X509_REVOKED_dup(long x509RevokedCtx)497 static native long X509_REVOKED_dup(long x509RevokedCtx); 498 i2d_X509_REVOKED(long x509RevokedCtx)499 static native byte[] i2d_X509_REVOKED(long x509RevokedCtx); 500 get_X509_REVOKED_ext_oids(long x509ctx, int critical)501 static native String[] get_X509_REVOKED_ext_oids(long x509ctx, int critical); 502 X509_REVOKED_get_ext_oid(long x509RevokedCtx, String oid)503 static native byte[] X509_REVOKED_get_ext_oid(long x509RevokedCtx, String oid); 504 X509_REVOKED_get_serialNumber(long x509RevokedCtx)505 static native byte[] X509_REVOKED_get_serialNumber(long x509RevokedCtx); 506 X509_REVOKED_get_ext(long x509RevokedCtx, String oid)507 static native long X509_REVOKED_get_ext(long x509RevokedCtx, String oid); 508 509 /** Returns ASN1_TIME reference. */ get_X509_REVOKED_revocationDate(long x509RevokedCtx)510 static native long get_X509_REVOKED_revocationDate(long x509RevokedCtx); 511 X509_REVOKED_print(long bioRef, long x509RevokedCtx)512 static native void X509_REVOKED_print(long bioRef, long x509RevokedCtx); 513 514 // --- X509_EXTENSION ------------------------------------------------------ 515 X509_supported_extension(long x509ExtensionRef)516 static native int X509_supported_extension(long x509ExtensionRef); 517 518 // --- ASN1_TIME ----------------------------------------------------------- 519 ASN1_TIME_to_Calendar(long asn1TimeCtx, Calendar cal)520 static native void ASN1_TIME_to_Calendar(long asn1TimeCtx, Calendar cal); 521 522 // --- ASN1 Encoding ------------------------------------------------------- 523 524 /** 525 * Allocates and returns an opaque reference to an object that can be used with other 526 * asn1_read_* functions to read the ASN.1-encoded data in val. The returned object must 527 * be freed after use by calling asn1_read_free. 528 */ asn1_read_init(byte[] val)529 static native long asn1_read_init(byte[] val); 530 531 /** 532 * Allocates and returns an opaque reference to an object that can be used with other 533 * asn1_read_* functions to read the ASN.1 sequence pointed to by cbsRef. The returned 534 * object must be freed after use by calling asn1_read_free. 535 */ asn1_read_sequence(long cbsRef)536 static native long asn1_read_sequence(long cbsRef) throws IOException; 537 538 /** 539 * Returns the contents of an ASN.1 octet string from the given reference. 540 */ asn1_read_octetstring(long cbsRef)541 static native byte[] asn1_read_octetstring(long cbsRef) throws IOException; 542 543 /** 544 * Returns an ASN.1 integer from the given reference. If the integer doesn't fit 545 * in a uint64, this method will throw an IOException. 546 */ asn1_read_uint64(long cbsRef)547 static native long asn1_read_uint64(long cbsRef) throws IOException; 548 549 /** 550 * Returns whether or not the given reference has been read completely. 551 */ asn1_read_is_empty(long cbsRef)552 static native boolean asn1_read_is_empty(long cbsRef); 553 554 /** 555 * Frees any resources associated with the given reference. After calling, the reference 556 * must not be used again. This may be called with a zero reference, in which case nothing 557 * will be done. 558 */ asn1_read_free(long cbsRef)559 static native void asn1_read_free(long cbsRef); 560 561 /** 562 * Allocates and returns an opaque reference to an object that can be used with other 563 * asn1_write_* functions to write ASN.1-encoded data. The returned object must be finalized 564 * after use by calling either asn1_write_finish or asn1_write_cleanup, and its resources 565 * must be freed by calling asn1_write_free. 566 */ asn1_write_init()567 static native long asn1_write_init() throws IOException; 568 569 /** 570 * Allocates and returns an opaque reference to an object that can be used with other 571 * asn1_write_* functions to write an ASN.1 sequence into the given reference. The returned 572 * reference may only be used until the next call on the parent reference. The returned 573 * object must be freed after use by calling asn1_write_free. 574 */ asn1_write_sequence(long cbbRef)575 static native long asn1_write_sequence(long cbbRef) throws IOException; 576 577 /** 578 * Writes the given data into the given reference as an ASN.1-encoded octet string. 579 */ asn1_write_octetstring(long cbbRef, byte[] data)580 static native void asn1_write_octetstring(long cbbRef, byte[] data) throws IOException; 581 582 /** 583 * Writes the given value into the given reference as an ASN.1-encoded integer. 584 */ asn1_write_uint64(long cbbRef, long value)585 static native void asn1_write_uint64(long cbbRef, long value) throws IOException; 586 587 /** 588 * Completes any in-progress operations and returns the ASN.1-encoded data. Either this 589 * or asn1_write_cleanup must be called on any reference returned from asn1_write_init 590 * before it is freed. 591 */ asn1_write_finish(long cbbRef)592 static native byte[] asn1_write_finish(long cbbRef) throws IOException; 593 594 /** 595 * Cleans up intermediate state in the given reference. Either this or asn1_write_finish 596 * must be called on any reference returned from asn1_write_init before it is freed. 597 */ asn1_write_cleanup(long cbbRef)598 static native void asn1_write_cleanup(long cbbRef); 599 600 /** 601 * Frees resources associated with the given reference. After calling, the reference 602 * must not be used again. This may be called with a zero reference, in which case nothing 603 * will be done. 604 */ asn1_write_free(long cbbRef)605 static native void asn1_write_free(long cbbRef); 606 607 // --- BIO stream creation ------------------------------------------------- 608 create_BIO_InputStream(OpenSSLBIOInputStream is, boolean isFinite)609 static native long create_BIO_InputStream(OpenSSLBIOInputStream is, boolean isFinite); 610 create_BIO_OutputStream(OutputStream os)611 static native long create_BIO_OutputStream(OutputStream os); 612 BIO_free_all(long bioRef)613 static native void BIO_free_all(long bioRef); 614 615 // --- SSL handling -------------------------------------------------------- 616 617 static final String OBSOLETE_PROTOCOL_SSLV3 = "SSLv3"; 618 private static final String SUPPORTED_PROTOCOL_TLSV1 = "TLSv1"; 619 private static final String SUPPORTED_PROTOCOL_TLSV1_1 = "TLSv1.1"; 620 private static final String SUPPORTED_PROTOCOL_TLSV1_2 = "TLSv1.2"; 621 622 // SUPPORTED_CIPHER_SUITES_SET contains all the supported cipher suites, using their Java names. 623 static final Set<String> SUPPORTED_CIPHER_SUITES_SET = new HashSet<String>(); 624 625 // SUPPORTED_LEGACY_CIPHER_SUITES_SET contains all the supported cipher suites using the legacy 626 // OpenSSL-style names. 627 static final Set<String> SUPPORTED_LEGACY_CIPHER_SUITES_SET = new HashSet<String>(); 628 629 /** 630 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is RFC 5746's renegotiation 631 * indication signaling cipher suite value. It is not a real 632 * cipher suite. It is just an indication in the default and 633 * supported cipher suite lists indicates that the implementation 634 * supports secure renegotiation. 635 * <p> 636 * In the RI, its presence means that the SCSV is sent in the 637 * cipher suite list to indicate secure renegotiation support and 638 * its absense means to send an empty TLS renegotiation info 639 * extension instead. 640 * <p> 641 * However, OpenSSL doesn't provide an API to give this level of 642 * control, instead always sending the SCSV and always including 643 * the empty renegotiation info if TLS is used (as opposed to 644 * SSL). So we simply allow TLS_EMPTY_RENEGOTIATION_INFO_SCSV to 645 * be passed for compatibility as to provide the hint that we 646 * support secure renegotiation. 647 */ 648 static final String TLS_EMPTY_RENEGOTIATION_INFO_SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; 649 cipherSuiteToJava(String cipherSuite)650 static String cipherSuiteToJava(String cipherSuite) { 651 // For historical reasons, Java uses a different name for TLS_RSA_WITH_3DES_EDE_CBC_SHA. 652 if ("TLS_RSA_WITH_3DES_EDE_CBC_SHA".equals(cipherSuite)) { 653 return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; 654 } 655 return cipherSuite; 656 } 657 cipherSuiteFromJava(String javaCipherSuite)658 static String cipherSuiteFromJava(String javaCipherSuite) { 659 if ("SSL_RSA_WITH_3DES_EDE_CBC_SHA".equals(javaCipherSuite)) { 660 return "TLS_RSA_WITH_3DES_EDE_CBC_SHA"; 661 } 662 return javaCipherSuite; 663 } 664 665 /** 666 * TLS_FALLBACK_SCSV is from 667 * https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 668 * to indicate to the server that this is a fallback protocol 669 * request. 670 */ 671 static final String TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"; 672 673 private static final String[] SUPPORTED_CIPHER_SUITES; 674 static { 675 String[] allCipherSuites = get_cipher_names("ALL:!DHE"); 676 677 // get_cipher_names returns an array where even indices are the standard name and odd 678 // indices are the OpenSSL name. 679 int size = allCipherSuites.length; 680 if (size % 2 != 0) { 681 throw new IllegalArgumentException("Invalid cipher list returned by get_cipher_names"); 682 } 683 SUPPORTED_CIPHER_SUITES = new String[size / 2 + 2]; 684 for (int i = 0; i < size; i += 2) { 685 String cipherSuite = cipherSuiteToJava(allCipherSuites[i]); 686 SUPPORTED_CIPHER_SUITES[i / 2] = cipherSuite; 687 SUPPORTED_CIPHER_SUITES_SET.add(cipherSuite); 688 689 SUPPORTED_LEGACY_CIPHER_SUITES_SET.add(allCipherSuites[i + 1]); 690 } 691 SUPPORTED_CIPHER_SUITES[size / 2] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; 692 SUPPORTED_CIPHER_SUITES[size / 2 + 1] = TLS_FALLBACK_SCSV; 693 } 694 695 /** 696 * Returns 1 if the BoringSSL believes the CPU has AES accelerated hardware 697 * instructions. Used to determine cipher suite ordering. 698 */ EVP_has_aes_hardware()699 static native int EVP_has_aes_hardware(); 700 SSL_CTX_new()701 static native long SSL_CTX_new(); 702 703 // IMPLEMENTATION NOTE: The default list of cipher suites is a trade-off between what we'd like 704 // to use and what servers currently support. We strive to be secure enough by default. We thus 705 // avoid unacceptably weak suites (e.g., those with bulk cipher secret key shorter than 128 706 // bits), while maintaining the capability to connect to the majority of servers. 707 // 708 // Cipher suites are listed in preference order (favorite choice first) of the client. However, 709 // servers are not required to honor the order. The key rules governing the preference order 710 // are: 711 // * Prefer Forward Secrecy (i.e., cipher suites that use ECDHE and DHE for key agreement). 712 // * Prefer ChaCha20-Poly1305 to AES-GCM unless hardware support for AES is available. 713 // * Prefer AES-GCM to AES-CBC whose MAC-pad-then-encrypt approach leads to weaknesses (e.g., 714 // Lucky 13). 715 // * Prefer 128-bit bulk encryption to 256-bit one, because 128-bit is safe enough while 716 // consuming less CPU/time/energy. 717 // 718 // NOTE: Removing cipher suites from this list needs to be done with caution, because this may 719 // prevent apps from connecting to servers they were previously able to connect to. 720 721 /** X.509 based cipher suites enabled by default (if requested), in preference order. */ 722 static final boolean HAS_AES_HARDWARE = EVP_has_aes_hardware() == 1; 723 static final String[] DEFAULT_X509_CIPHER_SUITES = HAS_AES_HARDWARE ? 724 new String[] { 725 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 726 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 727 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 728 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 729 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 730 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 731 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 732 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 733 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 734 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 735 "TLS_RSA_WITH_AES_128_GCM_SHA256", 736 "TLS_RSA_WITH_AES_256_GCM_SHA384", 737 "TLS_RSA_WITH_AES_128_CBC_SHA", 738 "TLS_RSA_WITH_AES_256_CBC_SHA", 739 } : 740 new String[] { 741 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 742 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 743 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 744 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 745 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 746 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 747 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 748 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 749 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 750 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 751 "TLS_RSA_WITH_AES_128_GCM_SHA256", 752 "TLS_RSA_WITH_AES_256_GCM_SHA384", 753 "TLS_RSA_WITH_AES_128_CBC_SHA", 754 "TLS_RSA_WITH_AES_256_CBC_SHA", 755 }; 756 757 /** TLS-PSK cipher suites enabled by default (if requested), in preference order. */ 758 static final String[] DEFAULT_PSK_CIPHER_SUITES = new String[] { 759 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", 760 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", 761 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", 762 "TLS_PSK_WITH_AES_128_CBC_SHA", 763 "TLS_PSK_WITH_AES_256_CBC_SHA", 764 }; 765 getSupportedCipherSuites()766 static String[] getSupportedCipherSuites() { 767 return SUPPORTED_CIPHER_SUITES.clone(); 768 } 769 SSL_CTX_free(long ssl_ctx)770 static native void SSL_CTX_free(long ssl_ctx); 771 SSL_CTX_set_session_id_context(long ssl_ctx, byte[] sid_ctx)772 static native void SSL_CTX_set_session_id_context(long ssl_ctx, byte[] sid_ctx); 773 SSL_CTX_set_timeout(long ssl_ctx, long seconds)774 static native long SSL_CTX_set_timeout(long ssl_ctx, long seconds); 775 SSL_new(long ssl_ctx)776 static native long SSL_new(long ssl_ctx) throws SSLException; 777 SSL_enable_tls_channel_id(long ssl)778 static native void SSL_enable_tls_channel_id(long ssl) throws SSLException; 779 SSL_get_tls_channel_id(long ssl)780 static native byte[] SSL_get_tls_channel_id(long ssl) throws SSLException; 781 SSL_set1_tls_channel_id(long ssl, NativeRef.EVP_PKEY pkey)782 static native void SSL_set1_tls_channel_id(long ssl, NativeRef.EVP_PKEY pkey); 783 SSL_use_certificate(long ssl, long[] x509refs)784 static native void SSL_use_certificate(long ssl, long[] x509refs); 785 SSL_use_PrivateKey(long ssl, NativeRef.EVP_PKEY pkey)786 static native void SSL_use_PrivateKey(long ssl, NativeRef.EVP_PKEY pkey); 787 SSL_check_private_key(long ssl)788 static native void SSL_check_private_key(long ssl) throws SSLException; 789 SSL_set_client_CA_list(long ssl, byte[][] asn1DerEncodedX500Principals)790 static native void SSL_set_client_CA_list(long ssl, byte[][] asn1DerEncodedX500Principals); 791 SSL_set_mode(long ssl, long mode)792 static native long SSL_set_mode(long ssl, long mode); 793 SSL_set_options(long ssl, long options)794 static native long SSL_set_options(long ssl, long options); 795 SSL_clear_options(long ssl, long options)796 static native long SSL_clear_options(long ssl, long options); 797 SSL_enable_signed_cert_timestamps(long ssl)798 static native void SSL_enable_signed_cert_timestamps(long ssl); 799 SSL_get_signed_cert_timestamp_list(long ssl)800 static native byte[] SSL_get_signed_cert_timestamp_list(long ssl); 801 SSL_set_signed_cert_timestamp_list(long ssl, byte[] list)802 static native void SSL_set_signed_cert_timestamp_list(long ssl, byte[] list); 803 SSL_enable_ocsp_stapling(long ssl)804 static native void SSL_enable_ocsp_stapling(long ssl); 805 SSL_get_ocsp_response(long ssl)806 static native byte[] SSL_get_ocsp_response(long ssl); 807 SSL_set_ocsp_response(long ssl, byte[] response)808 static native void SSL_set_ocsp_response(long ssl, byte[] response); 809 SSL_use_psk_identity_hint(long ssl, String identityHint)810 static native void SSL_use_psk_identity_hint(long ssl, String identityHint) throws SSLException; 811 set_SSL_psk_client_callback_enabled(long ssl, boolean enabled)812 static native void set_SSL_psk_client_callback_enabled(long ssl, boolean enabled); 813 set_SSL_psk_server_callback_enabled(long ssl, boolean enabled)814 static native void set_SSL_psk_server_callback_enabled(long ssl, boolean enabled); 815 816 /** Protocols to enable by default when "TLSv1.2" is requested. */ 817 static final String[] TLSV12_PROTOCOLS = new String[] { 818 SUPPORTED_PROTOCOL_TLSV1, 819 SUPPORTED_PROTOCOL_TLSV1_1, 820 SUPPORTED_PROTOCOL_TLSV1_2, 821 }; 822 823 /** Protocols to enable by default when "TLSv1.1" is requested. */ 824 static final String[] TLSV11_PROTOCOLS = new String[] { 825 SUPPORTED_PROTOCOL_TLSV1, 826 SUPPORTED_PROTOCOL_TLSV1_1, 827 SUPPORTED_PROTOCOL_TLSV1_2, 828 }; 829 830 /** Protocols to enable by default when "TLSv1" is requested. */ 831 static final String[] TLSV1_PROTOCOLS = new String[] { 832 SUPPORTED_PROTOCOL_TLSV1, 833 SUPPORTED_PROTOCOL_TLSV1_1, 834 SUPPORTED_PROTOCOL_TLSV1_2, 835 }; 836 837 static final String[] DEFAULT_PROTOCOLS = TLSV12_PROTOCOLS; 838 getSupportedProtocols()839 static String[] getSupportedProtocols() { 840 return TLSV12_PROTOCOLS.clone(); 841 } 842 setEnabledProtocols(long ssl, String[] protocols)843 static void setEnabledProtocols(long ssl, String[] protocols) { 844 checkEnabledProtocols(protocols); 845 // openssl uses negative logic letting you disable protocols. 846 // so first, assume we need to set all (disable all) and clear none (enable none). 847 // in the loop, selectively move bits from set to clear (from disable to enable) 848 long optionsToSet = (NativeConstants.SSL_OP_NO_SSLv3 | NativeConstants.SSL_OP_NO_TLSv1 849 | NativeConstants.SSL_OP_NO_TLSv1_1 | NativeConstants.SSL_OP_NO_TLSv1_2); 850 long optionsToClear = 0; 851 for (String protocol : protocols) { 852 if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1)) { 853 optionsToSet &= ~NativeConstants.SSL_OP_NO_TLSv1; 854 optionsToClear |= NativeConstants.SSL_OP_NO_TLSv1; 855 } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1_1)) { 856 optionsToSet &= ~NativeConstants.SSL_OP_NO_TLSv1_1; 857 optionsToClear |= NativeConstants.SSL_OP_NO_TLSv1_1; 858 } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2)) { 859 optionsToSet &= ~NativeConstants.SSL_OP_NO_TLSv1_2; 860 optionsToClear |= NativeConstants.SSL_OP_NO_TLSv1_2; 861 } else if (protocol.equals(OBSOLETE_PROTOCOL_SSLV3)) { 862 // Do nothing since we no longer support this protocol, but 863 // allow it in the list of protocols so we can give an error 864 // message about it if the handshake fails. 865 } else { 866 // error checked by checkEnabledProtocols 867 throw new IllegalStateException(); 868 } 869 } 870 871 SSL_set_options(ssl, optionsToSet); 872 SSL_clear_options(ssl, optionsToClear); 873 } 874 checkEnabledProtocols(String[] protocols)875 static String[] checkEnabledProtocols(String[] protocols) { 876 if (protocols == null) { 877 throw new IllegalArgumentException("protocols == null"); 878 } 879 for (String protocol : protocols) { 880 if (protocol == null) { 881 throw new IllegalArgumentException("protocols contains null"); 882 } 883 if (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1) 884 && !protocol.equals(SUPPORTED_PROTOCOL_TLSV1_1) 885 && !protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2) 886 && !protocol.equals(OBSOLETE_PROTOCOL_SSLV3)) { 887 throw new IllegalArgumentException("protocol " + protocol + " is not supported"); 888 } 889 } 890 return protocols; 891 } 892 SSL_set_cipher_lists(long ssl, String[] ciphers)893 static native void SSL_set_cipher_lists(long ssl, String[] ciphers); 894 895 /** 896 * Gets the list of cipher suites enabled for the provided {@code SSL} instance. 897 * 898 * @return array of {@code SSL_CIPHER} references. 899 */ SSL_get_ciphers(long ssl)900 static native long[] SSL_get_ciphers(long ssl); 901 setEnabledCipherSuites(long ssl, String[] cipherSuites)902 static void setEnabledCipherSuites(long ssl, String[] cipherSuites) { 903 checkEnabledCipherSuites(cipherSuites); 904 List<String> opensslSuites = new ArrayList<String>(); 905 for (int i = 0; i < cipherSuites.length; i++) { 906 String cipherSuite = cipherSuites[i]; 907 if (cipherSuite.equals(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) { 908 continue; 909 } 910 if (cipherSuite.equals(TLS_FALLBACK_SCSV)) { 911 SSL_set_mode(ssl, NativeConstants.SSL_MODE_SEND_FALLBACK_SCSV); 912 continue; 913 } 914 opensslSuites.add(cipherSuiteFromJava(cipherSuite)); 915 } 916 SSL_set_cipher_lists(ssl, opensslSuites.toArray(new String[opensslSuites.size()])); 917 } 918 checkEnabledCipherSuites(String[] cipherSuites)919 static String[] checkEnabledCipherSuites(String[] cipherSuites) { 920 if (cipherSuites == null) { 921 throw new IllegalArgumentException("cipherSuites == null"); 922 } 923 // makes sure all suites are valid, throwing on error 924 for (int i = 0; i < cipherSuites.length; i++) { 925 if (cipherSuites[i] == null) { 926 throw new IllegalArgumentException("cipherSuites[" + i + "] == null"); 927 } 928 if (cipherSuites[i].equals(TLS_EMPTY_RENEGOTIATION_INFO_SCSV) 929 || cipherSuites[i].equals(TLS_FALLBACK_SCSV)) { 930 continue; 931 } 932 if (SUPPORTED_CIPHER_SUITES_SET.contains(cipherSuites[i])) { 933 continue; 934 } 935 936 // For backwards compatibility, it's allowed for |cipherSuite| to 937 // be an OpenSSL-style cipher-suite name. 938 if (SUPPORTED_LEGACY_CIPHER_SUITES_SET.contains(cipherSuites[i])) { 939 // TODO log warning about using backward compatability 940 continue; 941 } 942 throw new IllegalArgumentException("cipherSuite " + cipherSuites[i] + " is not supported."); 943 } 944 return cipherSuites; 945 } 946 947 /* 948 * See the OpenSSL ssl.h header file for more information. 949 */ 950 // TODO(nathanmittler): Should these move to NativeConstants.java? 951 static final int SSL_VERIFY_NONE = 0x00; 952 static final int SSL_VERIFY_PEER = 0x01; 953 static final int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 0x02; 954 SSL_set_accept_state(long sslNativePointer)955 static native void SSL_set_accept_state(long sslNativePointer); 956 SSL_set_connect_state(long sslNativePointer)957 static native void SSL_set_connect_state(long sslNativePointer); 958 SSL_set_verify(long sslNativePointer, int mode)959 static native void SSL_set_verify(long sslNativePointer, int mode); 960 SSL_set_session(long sslNativePointer, long sslSessionNativePointer)961 static native void SSL_set_session(long sslNativePointer, long sslSessionNativePointer) 962 throws SSLException; 963 SSL_set_session_creation_enabled( long sslNativePointer, boolean creationEnabled)964 static native void SSL_set_session_creation_enabled( 965 long sslNativePointer, boolean creationEnabled) throws SSLException; 966 SSL_session_reused(long sslNativePointer)967 static native boolean SSL_session_reused(long sslNativePointer); 968 SSL_accept_renegotiations(long sslNativePointer)969 static native void SSL_accept_renegotiations(long sslNativePointer) throws SSLException; 970 SSL_set_tlsext_host_name(long sslNativePointer, String hostname)971 static native void SSL_set_tlsext_host_name(long sslNativePointer, String hostname) 972 throws SSLException; SSL_get_servername(long sslNativePointer)973 static native String SSL_get_servername(long sslNativePointer); 974 975 /** 976 * Returns the selected ALPN protocol. If the server did not select a 977 * protocol, {@code null} will be returned. 978 */ SSL_get0_alpn_selected(long sslPointer)979 static native byte[] SSL_get0_alpn_selected(long sslPointer); SSL_do_handshake( long sslNativePointer, FileDescriptor fd, SSLHandshakeCallbacks shc, int timeoutMillis)980 static native void SSL_do_handshake( 981 long sslNativePointer, FileDescriptor fd, SSLHandshakeCallbacks shc, int timeoutMillis) 982 throws SSLException, SocketTimeoutException, CertificateException; 983 SSL_get_current_cipher(long sslNativePointer)984 public static native String SSL_get_current_cipher(long sslNativePointer); 985 SSL_get_version(long sslNativePointer)986 public static native String SSL_get_version(long sslNativePointer); 987 988 /** 989 * Returns the local X509 certificate references. Must X509_free when done. 990 */ SSL_get_certificate(long sslNativePointer)991 static native long[] SSL_get_certificate(long sslNativePointer); 992 993 /** 994 * Returns the peer X509 certificate references. Must X509_free when done. 995 */ SSL_get_peer_cert_chain(long sslNativePointer)996 static native long[] SSL_get_peer_cert_chain(long sslNativePointer); 997 998 /** 999 * Reads with the native SSL_read function from the encrypted data stream 1000 * @return -1 if error or the end of the stream is reached. 1001 */ SSL_read(long sslNativePointer, FileDescriptor fd, SSLHandshakeCallbacks shc, byte[] b, int off, int len, int readTimeoutMillis)1002 static native int SSL_read(long sslNativePointer, FileDescriptor fd, SSLHandshakeCallbacks shc, 1003 byte[] b, int off, int len, int readTimeoutMillis) throws IOException; 1004 1005 /** 1006 * Writes with the native SSL_write function to the encrypted data stream. 1007 */ SSL_write(long sslNativePointer, FileDescriptor fd, SSLHandshakeCallbacks shc, byte[] b, int off, int len, int writeTimeoutMillis)1008 static native void SSL_write(long sslNativePointer, FileDescriptor fd, 1009 SSLHandshakeCallbacks shc, byte[] b, int off, int len, int writeTimeoutMillis) 1010 throws IOException; 1011 SSL_interrupt(long sslNativePointer)1012 static native void SSL_interrupt(long sslNativePointer); SSL_shutdown( long sslNativePointer, FileDescriptor fd, SSLHandshakeCallbacks shc)1013 static native void SSL_shutdown( 1014 long sslNativePointer, FileDescriptor fd, SSLHandshakeCallbacks shc) throws IOException; 1015 SSL_shutdown_BIO(long sslNativePointer, long sourceBioRef, long sinkBioRef, SSLHandshakeCallbacks shc)1016 static native void SSL_shutdown_BIO(long sslNativePointer, long sourceBioRef, long sinkBioRef, 1017 SSLHandshakeCallbacks shc) throws IOException; 1018 SSL_get_shutdown(long sslNativePointer)1019 static native int SSL_get_shutdown(long sslNativePointer); 1020 SSL_free(long sslNativePointer)1021 static native void SSL_free(long sslNativePointer); 1022 SSL_SESSION_session_id(long sslSessionNativePointer)1023 static native byte[] SSL_SESSION_session_id(long sslSessionNativePointer); 1024 SSL_SESSION_get_time(long sslSessionNativePointer)1025 static native long SSL_SESSION_get_time(long sslSessionNativePointer); 1026 SSL_get_time(long sslNativePointer)1027 static native long SSL_get_time(long sslNativePointer); 1028 SSL_set_timeout(long sslNativePointer, long millis)1029 static native long SSL_set_timeout(long sslNativePointer, long millis); 1030 SSL_get_timeout(long sslNativePointer)1031 static native long SSL_get_timeout(long sslNativePointer); 1032 SSL_SESSION_get_timeout(long sslSessionNativePointer)1033 static native long SSL_SESSION_get_timeout(long sslSessionNativePointer); 1034 SSL_session_id(long sslNativePointer)1035 static native byte[] SSL_session_id(long sslNativePointer); 1036 SSL_SESSION_get_version(long sslSessionNativePointer)1037 static native String SSL_SESSION_get_version(long sslSessionNativePointer); 1038 SSL_SESSION_cipher(long sslSessionNativePointer)1039 static native String SSL_SESSION_cipher(long sslSessionNativePointer); 1040 SSL_SESSION_up_ref(long sslSessionNativePointer)1041 static native void SSL_SESSION_up_ref(long sslSessionNativePointer); 1042 SSL_SESSION_free(long sslSessionNativePointer)1043 static native void SSL_SESSION_free(long sslSessionNativePointer); 1044 i2d_SSL_SESSION(long sslSessionNativePointer)1045 static native byte[] i2d_SSL_SESSION(long sslSessionNativePointer); 1046 d2i_SSL_SESSION(byte[] data)1047 static native long d2i_SSL_SESSION(byte[] data) throws IOException; 1048 1049 /** 1050 * A collection of callbacks from the native OpenSSL code that are 1051 * related to the SSL handshake initiated by SSL_do_handshake. 1052 */ 1053 interface SSLHandshakeCallbacks { 1054 /** 1055 * Verify that we trust the certificate chain is trusted. 1056 * 1057 * @param certificateChainRefs chain of X.509 certificate references 1058 * @param authMethod auth algorithm name 1059 * 1060 * @throws CertificateException if the certificate is untrusted 1061 */ verifyCertificateChain(long[] certificateChainRefs, String authMethod)1062 void verifyCertificateChain(long[] certificateChainRefs, String authMethod) 1063 throws CertificateException; 1064 1065 /** 1066 * Called on an SSL client when the server requests (or 1067 * requires a certificate). The client can respond by using 1068 * SSL_use_certificate and SSL_use_PrivateKey to set a 1069 * certificate if has an appropriate one available, similar to 1070 * how the server provides its certificate. 1071 * 1072 * @param keyTypes key types supported by the server, 1073 * convertible to strings with #keyType 1074 * @param asn1DerEncodedX500Principals CAs known to the server 1075 */ clientCertificateRequested(byte[] keyTypes, byte[][] asn1DerEncodedX500Principals)1076 void clientCertificateRequested(byte[] keyTypes, byte[][] asn1DerEncodedX500Principals) 1077 throws CertificateEncodingException, SSLException; 1078 1079 /** 1080 * Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key 1081 * exchange. 1082 * 1083 * @param identityHint PSK identity hint provided by the server or {@code null} if no hint 1084 * provided. 1085 * @param identity buffer to be populated with PSK identity (NULL-terminated modified UTF-8) 1086 * by this method. This identity will be provided to the server. 1087 * @param key buffer to be populated with key material by this method. 1088 * 1089 * @return number of bytes this method stored in the {@code key} buffer or {@code 0} if an 1090 * error occurred in which case the handshake will be aborted. 1091 */ clientPSKKeyRequested(String identityHint, byte[] identity, byte[] key)1092 int clientPSKKeyRequested(String identityHint, byte[] identity, byte[] key); 1093 1094 /** 1095 * Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key 1096 * exchange. 1097 * 1098 * @param identityHint PSK identity hint provided by this server to the client or 1099 * {@code null} if no hint was provided. 1100 * @param identity PSK identity provided by the client. 1101 * @param key buffer to be populated with key material by this method. 1102 * 1103 * @return number of bytes this method stored in the {@code key} buffer or {@code 0} if an 1104 * error occurred in which case the handshake will be aborted. 1105 */ serverPSKKeyRequested(String identityHint, String identity, byte[] key)1106 int serverPSKKeyRequested(String identityHint, String identity, byte[] key); 1107 1108 /** 1109 * Called when SSL state changes. This could be handshake completion. 1110 */ onSSLStateChange(int type, int val)1111 void onSSLStateChange(int type, int val); 1112 1113 /** 1114 * Called when a new session has been established and may be added to the session cache. 1115 * The callee is responsible for incrementing the reference count on the returned session. 1116 */ onNewSessionEstablished(long sslSessionNativePtr)1117 void onNewSessionEstablished(long sslSessionNativePtr); 1118 1119 /** 1120 * Called for servers where TLS < 1.3 (TLS 1.3 uses session tickets rather than 1121 * application session caches). 1122 * 1123 * <p/>Looks up the session by ID in the application's session cache. If a valid session 1124 * is returned, this callback is responsible for incrementing the reference count (and any 1125 * required synchronization). 1126 * 1127 * @param id the ID of the session to find. 1128 * @return the cached session or {@code 0} if no session was found matching the given ID. 1129 */ serverSessionRequested(byte[] id)1130 long serverSessionRequested(byte[] id); 1131 } 1132 SSL_CIPHER_get_kx_name(long cipherAddress)1133 static native String SSL_CIPHER_get_kx_name(long cipherAddress); 1134 get_cipher_names(String selection)1135 static native String[] get_cipher_names(String selection); 1136 get_ocsp_single_extension( byte[] ocspResponse, String oid, long x509Ref, long issuerX509Ref)1137 static native byte[] get_ocsp_single_extension( 1138 byte[] ocspResponse, String oid, long x509Ref, long issuerX509Ref); 1139 1140 /** 1141 * Returns the starting address of the memory region referenced by the provided direct 1142 * {@link Buffer} or {@code 0} if the provided buffer is not direct or if such access to direct 1143 * buffers is not supported by the platform. 1144 * 1145 * <p>NOTE: This method ignores the buffer's current {@code position}. 1146 */ getDirectBufferAddress(Buffer buf)1147 static native long getDirectBufferAddress(Buffer buf); 1148 SSL_BIO_new(long ssl)1149 static native long SSL_BIO_new(long ssl) throws SSLException; 1150 SSL_get_last_error_number()1151 static native int SSL_get_last_error_number(); 1152 SSL_get_error(long ssl, int ret)1153 static native int SSL_get_error(long ssl, int ret); 1154 SSL_get_error_string(long errorNumber)1155 static native String SSL_get_error_string(long errorNumber); 1156 SSL_clear_error()1157 static native void SSL_clear_error(); 1158 SSL_pending_readable_bytes(long ssl)1159 static native int SSL_pending_readable_bytes(long ssl); 1160 SSL_pending_written_bytes_in_BIO(long bio)1161 static native int SSL_pending_written_bytes_in_BIO(long bio); 1162 1163 /** 1164 * Returns the maximum overhead, in bytes, of sealing a record with SSL. 1165 */ SSL_max_seal_overhead(long ssl)1166 static native int SSL_max_seal_overhead(long ssl); 1167 1168 /** 1169 * Sets the list of supported ALPN protocols in wire-format (length-prefixed 8-bit strings). 1170 */ SSL_configure_alpn( long sslNativePointer, boolean clientMode, byte[] alpnProtocols)1171 static native void SSL_configure_alpn( 1172 long sslNativePointer, boolean clientMode, byte[] alpnProtocols) throws IOException; 1173 1174 /** 1175 * Variant of the {@link #SSL_do_handshake} used by {@link ConscryptEngine}. This differs 1176 * slightly from the raw BoringSSL API in that it returns the SSL error code from the 1177 * operation, rather than the return value from {@code SSL_do_handshake}. This is done in 1178 * order to allow to properly handle SSL errors and propagate useful exceptions. 1179 * 1180 * @return Returns the SSL error code for the operation when the error was {@code 1181 * SSL_ERROR_NONE}, {@code SSL_ERROR_WANT_READ}, or {@code SSL_ERROR_WANT_WRITE}. 1182 * @throws IOException when the error code is anything except those returned by this method. 1183 */ ENGINE_SSL_do_handshake(long ssl, SSLHandshakeCallbacks shc)1184 static native int ENGINE_SSL_do_handshake(long ssl, SSLHandshakeCallbacks shc) 1185 throws IOException; 1186 1187 /** 1188 * Variant of the {@link #SSL_read} for a direct {@link java.nio.ByteBuffer} used by {@link 1189 * ConscryptEngine}. 1190 * 1191 * @return if positive, represents the number of bytes read into the given buffer. 1192 * Returns {@code -SSL_ERROR_WANT_READ} if more data is needed. Returns 1193 * {@code -SSL_ERROR_WANT_WRITE} if data needs to be written out to flush the BIO. 1194 * 1195 * @throws java.io.InterruptedIOException if the read was interrupted. 1196 * @throws java.io.EOFException if the end of stream has been reached. 1197 * @throws CertificateException if the application's certificate verification callback failed. 1198 * Only occurs during handshake processing. 1199 * @throws SSLException if any other error occurs. 1200 */ ENGINE_SSL_read_direct(long sslNativePointer, long address, int length, SSLHandshakeCallbacks shc)1201 static native int ENGINE_SSL_read_direct(long sslNativePointer, long address, int length, 1202 SSLHandshakeCallbacks shc) throws IOException, CertificateException; 1203 1204 /** 1205 * Variant of the {@link #SSL_read} for a heap {@link java.nio.ByteBuffer} used by {@link 1206 * ConscryptEngine}. 1207 * 1208 * @return if positive, represents the number of bytes read into the given buffer. 1209 * Returns {@code -SSL_ERROR_WANT_READ} if more data is needed. Returns 1210 * {@code -SSL_ERROR_WANT_WRITE} if data needs to be written out to flush the BIO. 1211 * 1212 * @throws java.io.InterruptedIOException if the read was interrupted. 1213 * @throws java.io.EOFException if the end of stream has been reached. 1214 * @throws CertificateException if the application's certificate verification callback failed. 1215 * Only occurs during handshake processing. 1216 * @throws SSLException if any other error occurs. 1217 */ ENGINE_SSL_read_heap(long sslNativePointer, byte[] destJava, int destOffset, int destLength, SSLHandshakeCallbacks shc)1218 static native int ENGINE_SSL_read_heap(long sslNativePointer, byte[] destJava, int destOffset, 1219 int destLength, SSLHandshakeCallbacks shc) throws IOException, CertificateException; 1220 1221 /** 1222 * Variant of the {@link #SSL_write} for a direct {@link java.nio.ByteBuffer} used by {@link 1223 * ConscryptEngine}. This version does not lock or and does no error pre-processing. 1224 */ ENGINE_SSL_write_direct(long sslNativePointer, long address, int length, SSLHandshakeCallbacks shc)1225 static native int ENGINE_SSL_write_direct(long sslNativePointer, long address, int length, 1226 SSLHandshakeCallbacks shc) throws IOException; 1227 1228 /** 1229 * Variant of the {@link #SSL_write} for a heap {@link java.nio.ByteBuffer} used by {@link 1230 * ConscryptEngine}. This version does not lock or and does no error pre-processing. 1231 */ ENGINE_SSL_write_heap(long sslNativePointer, byte[] sourceJava, int sourceOffset, int sourceLength, SSLHandshakeCallbacks shc)1232 static native int ENGINE_SSL_write_heap(long sslNativePointer, byte[] sourceJava, 1233 int sourceOffset, int sourceLength, SSLHandshakeCallbacks shc) throws IOException; 1234 1235 /** 1236 * Writes data from the given direct {@link java.nio.ByteBuffer} to the BIO. 1237 */ ENGINE_SSL_write_BIO_direct(long sslRef, long bioRef, long pos, int length, SSLHandshakeCallbacks shc)1238 static native int ENGINE_SSL_write_BIO_direct(long sslRef, long bioRef, long pos, int length, 1239 SSLHandshakeCallbacks shc) throws IOException; 1240 1241 /** 1242 * Writes data from the given array to the BIO. 1243 */ ENGINE_SSL_write_BIO_heap(long sslRef, long bioRef, byte[] sourceJava, int sourceOffset, int sourceLength, SSLHandshakeCallbacks shc)1244 static native int ENGINE_SSL_write_BIO_heap(long sslRef, long bioRef, byte[] sourceJava, 1245 int sourceOffset, int sourceLength, SSLHandshakeCallbacks shc) throws IOException; 1246 1247 /** 1248 * Reads data from the given BIO into a direct {@link java.nio.ByteBuffer}. 1249 */ ENGINE_SSL_read_BIO_direct(long sslRef, long bioRef, long address, int len, SSLHandshakeCallbacks shc)1250 static native int ENGINE_SSL_read_BIO_direct(long sslRef, long bioRef, long address, int len, 1251 SSLHandshakeCallbacks shc) throws IOException; 1252 1253 /** 1254 * Reads data from the given BIO into an array. 1255 */ ENGINE_SSL_read_BIO_heap(long sslRef, long bioRef, byte[] destJava, int destOffset, int destLength, SSLHandshakeCallbacks shc)1256 static native int ENGINE_SSL_read_BIO_heap(long sslRef, long bioRef, byte[] destJava, 1257 int destOffset, int destLength, SSLHandshakeCallbacks shc) throws IOException; 1258 1259 /** 1260 * Variant of the {@link #SSL_shutdown} used by {@link ConscryptEngine}. This version does not 1261 * lock. 1262 */ ENGINE_SSL_shutdown(long sslNativePointer, SSLHandshakeCallbacks shc)1263 static native void ENGINE_SSL_shutdown(long sslNativePointer, SSLHandshakeCallbacks shc) 1264 throws IOException; 1265 1266 /** 1267 * Used for testing only. 1268 */ BIO_read(long bioRef, byte[] buffer)1269 static native int BIO_read(long bioRef, byte[] buffer); BIO_write(long bioRef, byte[] buffer, int offset, int length)1270 static native void BIO_write(long bioRef, byte[] buffer, int offset, int length) 1271 throws IOException; ERR_peek_last_error()1272 static native long ERR_peek_last_error(); SSL_clear_mode(long ssl, long mode)1273 static native long SSL_clear_mode(long ssl, long mode); SSL_get_mode(long ssl)1274 static native long SSL_get_mode(long ssl); SSL_get_options(long ssl)1275 static native long SSL_get_options(long ssl); SSL_get1_session(long ssl)1276 static native long SSL_get1_session(long ssl); 1277 } 1278