Export from Google3

android/src/main/AndroidManifest.xml

@@ -1,3 +1,7 @@
-<manifest xmlns:android="http://schemas.android.com/apk/res/android">
-    <application/>
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="org.conscrypt">
+
+    <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="30" />
+
 </manifest>

android/src/main/java/org/conscrypt/Platform.java

@@ -23,18 +23,8 @@
 import android.os.SystemClock;
 import android.system.Os;
 import android.util.Log;
-
 import dalvik.system.BlockGuard;
 import dalvik.system.CloseGuard;
-
-import org.conscrypt.NativeCrypto;
-import org.conscrypt.ct.CertificateTransparency;
-import org.conscrypt.metrics.CertificateTransparencyVerificationReason;
-import org.conscrypt.metrics.NoopStatsLog;
-import org.conscrypt.metrics.Source;
-import org.conscrypt.metrics.StatsLog;
-import org.conscrypt.metrics.StatsLogImpl;
-
 import java.io.FileDescriptor;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
@@ -50,7 +40,6 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
 import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -61,7 +50,6 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
-
 import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SNIServerName;
@@ -71,11 +59,16 @@
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.StandardConstants;
 import javax.net.ssl.X509TrustManager;
+import org.conscrypt.ct.CertificateTransparency;
+import org.conscrypt.metrics.CertificateTransparencyVerificationReason;
+import org.conscrypt.metrics.NoopStatsLog;
+import org.conscrypt.metrics.Source;
+import org.conscrypt.metrics.StatsLog;
+import org.conscrypt.metrics.StatsLogImpl;
 
-/**
- * Platform-specific methods for unbundled Android.
- */
+/** Platform-specific methods for unbundled Android. */
 @Internal
+@SuppressLint("DiscouragedPrivateApi")
 final public class Platform {
     private static final String TAG = "Conscrypt";
     private static boolean DEPRECATED_TLS_V1 = true;
@@ -332,8 +325,7 @@ private static void getSSLParametersFromImpl(SSLParameters params, SSLParameters
         m_setUseCipherSuitesOrder.invoke(params, impl.getUseCipherSuitesOrder());
 
         try {
-            Method setNamedGroupsMethod =
-                    params.getClass().getMethod("setNamedGroups", String[].class);
+      Method setNamedGroupsMethod = params.getClass().getMethod("setNamedGroups", String[].class);
             setNamedGroupsMethod.invoke(params, (Object) impl.getNamedGroups());
         } catch (NoSuchMethodException | IllegalArgumentException e) {
             // Do nothing.
@@ -787,7 +779,8 @@ public static SSLSession wrapSSLSession(ExternalSession sslSession) {
         return sslSession;
     }
 
-    public static String getOriginalHostNameFromInetAddress(InetAddress addr) {
+  @SuppressWarnings("SoonBlockedPrivateApi")
+  public static String getOriginalHostNameFromInetAddress(InetAddress addr) {
         if (Build.VERSION.SDK_INT > 27) {
             try {
                 Method getHolder = InetAddress.class.getDeclaredMethod("holder");

common/src/main/java/org/conscrypt/ConscryptEngineSocket.java

@@ -16,18 +16,15 @@
 
 package org.conscrypt;
 
+import static javax.net.ssl.SSLEngineResult.Status.CLOSED;
+import static javax.net.ssl.SSLEngineResult.Status.OK;
 import static org.conscrypt.SSLUtils.EngineStates.STATE_CLOSED;
 import static org.conscrypt.SSLUtils.EngineStates.STATE_HANDSHAKE_COMPLETED;
 import static org.conscrypt.SSLUtils.EngineStates.STATE_HANDSHAKE_STARTED;
 import static org.conscrypt.SSLUtils.EngineStates.STATE_NEW;
 import static org.conscrypt.SSLUtils.EngineStates.STATE_READY;
 import static org.conscrypt.SSLUtils.EngineStates.STATE_READY_HANDSHAKE_CUT_THROUGH;
 
-import static javax.net.ssl.SSLEngineResult.Status.CLOSED;
-import static javax.net.ssl.SSLEngineResult.Status.OK;
-
-import org.conscrypt.metrics.StatsLog;
-
 import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
@@ -39,7 +36,6 @@
 import java.security.PrivateKey;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
@@ -50,6 +46,7 @@
 import javax.net.ssl.X509KeyManager;
 import javax.net.ssl.X509TrustManager;
 import javax.security.auth.x500.X500Principal;
+import org.conscrypt.metrics.StatsLog;
 
 /**
  * Implements crypto handling by delegating to {@link ConscryptEngine}.
@@ -138,12 +135,13 @@ public void onHandshakeFinished() {
         return engine;
     }
 
-    // Returns a trust manager that delegates to the given trust manager, but maps SSLEngine
-    // references to the given ConscryptEngineSocket.  Our internal engine will call
-    // the SSLEngine-receiving methods, but our callers expect the SSLSocket-receiving
-    // methods to get called.
-    private static X509TrustManager getDelegatingTrustManager(final X509TrustManager delegate,
-        final ConscryptEngineSocket socket) {
+  // Returns a trust manager that delegates to the given trust manager, but maps SSLEngine
+  // references to the given ConscryptEngineSocket.  Our internal engine will call
+  // the SSLEngine-receiving methods, but our callers expect the SSLSocket-receiving
+  // methods to get called.
+  @SuppressWarnings("CustomX509TrustManager")
+  private static X509TrustManager getDelegatingTrustManager(
+      final X509TrustManager delegate, final ConscryptEngineSocket socket) {
         if (delegate instanceof X509ExtendedTrustManager) {
             final X509ExtendedTrustManager extendedDelegate = (X509ExtendedTrustManager) delegate;
             return new X509ExtendedTrustManager() {
@@ -511,8 +509,6 @@ public final void setWantClientAuth(boolean want) {
     @Override
     @SuppressWarnings("UnsynchronizedOverridesSynchronized")
     public final void close() throws IOException {
-        // TODO: Close SSL sockets using a background thread so they close gracefully.
-
         if (stateLock == null) {
             // Constructor failed, e.g. superclass constructor called close()
             return;
@@ -544,6 +540,9 @@ public final void close() throws IOException {
                 if (in != null) {
                     in.release();
                 }
+                if (out != null) {
+                    out.release();
+                }
             }
         }
     }
@@ -625,7 +624,7 @@ private void waitForHandshake() throws IOException {
 
     private void drainOutgoingQueue() {
         try {
-            while (engine.pendingOutboundEncryptedBytes() > 0) {
+            while (engine.pendingOutboundEncryptedBytes() > 0 && out != null) {
                 out.writeInternal(EMPTY_BUFFER);
                 // Always flush handshake frames immediately.
                 out.flushInternal();
@@ -661,10 +660,18 @@ private final class SSLOutputStream extends OutputStream {
         private final Object writeLock = new Object();
         private final ByteBuffer target;
         private final int targetArrayOffset;
+        private final AllocatedBuffer allocatedTargetBuffer;
         private OutputStream socketOutputStream;
 
         SSLOutputStream() {
-            target = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
+            if (bufferAllocator != null) {
+                allocatedTargetBuffer = bufferAllocator.allocateHeapBuffer(
+                        engine.getSession().getPacketBufferSize());
+                target = allocatedTargetBuffer.nioBuffer();
+            } else {
+                allocatedTargetBuffer = null;
+                target = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
+            }
             targetArrayOffset = target.arrayOffset();
         }
 
@@ -673,6 +680,14 @@ public void close() throws IOException {
             ConscryptEngineSocket.this.close();
         }
 
+        void release() {
+            synchronized (writeLock) {
+                if (allocatedTargetBuffer != null) {
+                    allocatedTargetBuffer.release();
+                }
+            }
+        }
+
         @Override
         public void write(int b) throws IOException {
             waitForHandshake();
@@ -770,6 +785,7 @@ private final class SSLInputStream extends InputStream {
         private final ByteBuffer fromSocket;
         private final int fromSocketArrayOffset;
         private final AllocatedBuffer allocatedBuffer;
+        private final AllocatedBuffer allocatedSocketBuffer;
         private InputStream socketInputStream;
 
         SSLInputStream() {
@@ -783,7 +799,15 @@ private final class SSLInputStream extends InputStream {
             }
             // Initially fromEngine.remaining() == 0.
             fromEngine.flip();
-            fromSocket = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
+
+            if (bufferAllocator != null) {
+                allocatedSocketBuffer = bufferAllocator.allocateHeapBuffer(
+                        engine.getSession().getPacketBufferSize());
+                fromSocket = allocatedSocketBuffer.nioBuffer();
+            } else {
+                allocatedSocketBuffer = null;
+                fromSocket = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
+            }
             fromSocketArrayOffset = fromSocket.arrayOffset();
         }
 
@@ -797,6 +821,9 @@ void release() {
                 if (allocatedBuffer != null) {
                     allocatedBuffer.release();
                 }
+                if (allocatedSocketBuffer != null) {
+                    allocatedSocketBuffer.release();
+                }
             }
         }
 

common/src/main/java/org/conscrypt/TrustManagerImpl.java

@@ -62,7 +62,6 @@
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Logger;
-
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
@@ -71,14 +70,14 @@
 import javax.net.ssl.X509ExtendedTrustManager;
 
 /**
- *
- * TrustManager implementation. The implementation is based on CertPathValidator
- * PKIX and CertificateFactory X509 implementations. This implementations should
- * be provided by some certification provider.
+ * TrustManager implementation. The implementation is based on CertPathValidator PKIX and
+ * CertificateFactory X509 implementations. This implementations should be provided by some
+ * certification provider.
  *
  * @see javax.net.ssl.X509ExtendedTrustManager
  */
 @Internal
+@SuppressWarnings("CustomX509TrustManager")
 public final class TrustManagerImpl extends X509ExtendedTrustManager {
 
     private static final Logger logger = Logger.getLogger(TrustManagerImpl.class.getName());
@@ -431,7 +430,8 @@ private byte[] getTlsSctDataFromSession(SSLSession session) {
 
         byte[] data = null;
         try {
-            Method m_getTlsSctData = session.getClass().getDeclaredMethod("getPeerSignedCertificateTimestamp");
+      Method m_getTlsSctData =
+          session.getClass().getDeclaredMethod("getPeerSignedCertificateTimestamp");
             m_getTlsSctData.setAccessible(true);
             Object rawData = m_getTlsSctData.invoke(session);
             if (rawData instanceof byte[]) {

common/src/test/java/org/conscrypt/HostnameVerifierTest.java

@@ -31,7 +31,7 @@
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.security.auth.x500.X500Principal;
-import org.junit.Ignore;
+// g3-add: import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;

common/src/test/java/org/conscrypt/java/security/MessageDigestTest.java

@@ -169,13 +169,15 @@ private static Map<String, byte[]> getExpectations(String algorithm) throws Exce
             TestUtils.decodeHex(
                 "a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a6"
                     + "15b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26"));
-        putExpectation("SHAKE128-256", INPUT_EMPTY,
-                TestUtils.decodeHex(
-                        "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26"));
-        putExpectation("SHAKE256-512", INPUT_EMPTY,
-                TestUtils.decodeHex(
-                        "46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c27646ed5762f"
-                        + "d75dc4ddd8c0f200cb05019d67b592f6fc821c49479ab48640292eacb3b7c4be"));
+        putExpectation("SHAKE128-256",
+            INPUT_EMPTY,
+            TestUtils.decodeHex(
+                "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26"));
+        putExpectation("SHAKE256-512",
+            INPUT_EMPTY,
+            TestUtils.decodeHex(
+                "46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c27646ed5762f"
+                    + "d75dc4ddd8c0f200cb05019d67b592f6fc821c49479ab48640292eacb3b7c4be"));
 
         // Regression test for a SHA-1 problem with inputs larger than 256 MiB. http://b/4501620
         // In mid-2013 this takes 3 minutes even on the host, so let's not run it on devices.

common/src/test/java/org/conscrypt/javax/crypto/XdhKeyFactoryTest.java

@@ -30,7 +30,7 @@
 import org.conscrypt.OpenSSLX25519PublicKey;
 import org.conscrypt.TestUtils;
 import org.conscrypt.XdhKeySpec;
-import org.junit.Ignore;
+// g3-add: import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;

common/src/test/java/org/conscrypt/javax/net/ssl/HttpsURLConnectionTest.java

@@ -122,7 +122,8 @@ public void failedUrlConnect() throws Exception {
         Future<Void> future = executor.submit(server.run(op));
 
         HttpsURLConnection connection = server.tlsConnection("/file");
-        // g3-add: broken HTTPS hostname verification
+        // google3-added: broken HTTPS hostname verification: b/266061083
+        connection.setHostnameVerifier(new FakeHostnameVerifier());
         int response = connection.getResponseCode();
         assertEquals(404, response);
 
@@ -138,7 +139,8 @@ public void successfulUrlConnect() throws Exception {
         Future<Void> future = executor.submit(server.run(op));
 
         HttpsURLConnection connection = server.tlsConnection("/file");
-        // g3-add: broken HTTPS hostname verification
+        // google3-added: broken HTTPS hostname verification: b/266061083
+        connection.setHostnameVerifier(new FakeHostnameVerifier());
         int response = connection.getResponseCode();
         assertEquals(200, response);
 
@@ -193,7 +195,14 @@ public void urlConnectTimeout() throws Exception {
             }
             return null;
         });
-        future.get(2 * timeoutMillis, TimeUnit.MILLISECONDS);
+        try {
+            future.get(2 * timeoutMillis, TimeUnit.MILLISECONDS);
+        } catch (ExecutionException e) {
+            // google3 changed, DO NOT UPSTREAM: Currently no way to reliably generate a connection
+            // timeout on Forge, so just skip this test if we get a SocketException for now.
+            assumeFalse(e.getCause() instanceof SocketException);
+            throw e.getCause();
+        }
     }
 
     @Test

common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java

@@ -52,7 +52,7 @@
 import org.conscrypt.tlswire.record.TlsRecord;
 import org.junit.After;
 import org.junit.Before;
-import org.junit.Ignore;
+// g3-add: import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;