Project import generated by Copybara.

PiperOrigin-RevId: 858143213

Author: miguelaranda0

android/lint.xml

@@ -28,4 +28,10 @@
     <issue id="Assert">
         <ignore path="**/common/src/main/java/org/conscrypt/OpenSSLCipherChaCha20.java" />
     </issue>
+
+    <!-- Workaround for "Unexpected failure during lint analysis". -->
+    <issue id="LintError">
+        <ignore regexp=".*module-info\.class.*"/>
+    </issue>
+
 </lint>

android/src/main/java/org/conscrypt/ConscryptNetworkSecurityPolicy.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import org.conscrypt.metrics.CertificateTransparencyVerificationReason;
+
+/**
+ * A default NetworkSecurityPolicy for unbundled Android.
+ */
+@Internal
+public class ConscryptNetworkSecurityPolicy implements NetworkSecurityPolicy {
+    public static ConscryptNetworkSecurityPolicy getDefault() {
+        return new ConscryptNetworkSecurityPolicy();
+    }
+
+    @Override
+    public boolean isCertificateTransparencyVerificationRequired(String hostname) {
+        return false;
+    }
+
+    @Override
+    public CertificateTransparencyVerificationReason getCertificateTransparencyVerificationReason(
+            String hostname) {
+        return CertificateTransparencyVerificationReason.UNKNOWN;
+    }
+
+    @Override
+    public DomainEncryptionMode getDomainEncryptionMode(String hostname) {
+        return DomainEncryptionMode.UNKNOWN;
+    }
+}

android/src/main/java/org/conscrypt/Platform.java

@@ -59,11 +59,13 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.function.Supplier;
 
 import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocketFactory;
@@ -257,7 +259,8 @@ private static void setSSLParametersOnImpl(SSLParameters params, SSLParametersIm
         try {
             Method getNamedGroupsMethod = params.getClass().getMethod("getNamedGroups");
             impl.setNamedGroups((String[]) getNamedGroupsMethod.invoke(params));
-        } catch (NoSuchMethodException | IllegalArgumentException e) {
+        } catch (NoSuchMethodException | IllegalArgumentException
+                | IllegalAccessException | InvocationTargetException e) {
             // Do nothing.
         }
     }
@@ -334,7 +337,8 @@ private static void getSSLParametersFromImpl(SSLParameters params, SSLParameters
             Method setNamedGroupsMethod =
                     params.getClass().getMethod("setNamedGroups", String[].class);
             setNamedGroupsMethod.invoke(params, (Object) impl.getNamedGroups());
-        } catch (NoSuchMethodException | IllegalArgumentException e) {
+        } catch (NoSuchMethodException | IllegalArgumentException
+                | IllegalAccessException | InvocationTargetException e) {
             // Do nothing.
         }
     }
@@ -839,59 +843,8 @@ static boolean supportsX509ExtendedTrustManager() {
         return Build.VERSION.SDK_INT > 23;
     }
 
-    /**
-     * Check if SCT verification is required for a given hostname.
-     *
-     * SCT Verification is enabled using {@code Security} properties.
-     * The "conscrypt.ct.enable" property must be true, as well as a per domain property.
-     * The reverse notation of the domain name, prefixed with "conscrypt.ct.enforce."
-     * is used as the property name.
-     * Basic globbing is also supported.
-     *
-     * For example, for the domain foo.bar.com, the following properties will be
-     * looked up, in order of precedence.
-     * - conscrypt.ct.enforce.com.bar.foo
-     * - conscrypt.ct.enforce.com.bar.*
-     * - conscrypt.ct.enforce.com.*
-     * - conscrypt.ct.enforce.*
-     */
-    public static boolean isCTVerificationRequired(String hostname) {
-        if (hostname == null) {
-            return false;
-        }
-        // TODO: Use the platform version on platforms that support it
-
-        String property = Security.getProperty("conscrypt.ct.enable");
-        if (property == null || !Boolean.parseBoolean(property)) {
-            return false;
-        }
-
-        List<String> parts = Arrays.asList(hostname.split("\\."));
-        Collections.reverse(parts);
-
-        boolean enable = false;
-        String propertyName = "conscrypt.ct.enforce";
-        // The loop keeps going on even once we've found a match
-        // This allows for finer grained settings on subdomains
-        for (String part : parts) {
-            property = Security.getProperty(propertyName + ".*");
-            if (property != null) {
-                enable = Boolean.parseBoolean(property);
-            }
-
-            propertyName = propertyName + "." + part;
-        }
-
-        property = Security.getProperty(propertyName);
-        if (property != null) {
-            enable = Boolean.parseBoolean(property);
-        }
-        return enable;
-    }
-
-    public static CertificateTransparencyVerificationReason reasonCTVerificationRequired(
-            String hostname) {
-        return CertificateTransparencyVerificationReason.UNKNOWN;
+    static SSLException wrapInvalidEchDataException(SSLException e) {
+        return e;
     }
 
     static boolean supportsConscryptCertStore() {
@@ -920,7 +873,8 @@ static CertBlocklist newDefaultBlocklist() {
         return null;
     }
 
-    static CertificateTransparency newDefaultCertificateTransparency() {
+    static CertificateTransparency newDefaultCertificateTransparency(
+            Supplier<NetworkSecurityPolicy> policySupplier) {
         return null;
     }
 

common/src/jni/main/cpp/conscrypt/jniutil.cc

@@ -116,36 +116,34 @@ void init(JavaVM* vm, JNIEnv* env) {
     sslHandshakeCallbacks_verifyCertificateChain =
 	    getMethodRef(env, sslHandshakeCallbacksClass, "verifyCertificateChain", "([[BLjava/lang/String;)V");
     sslHandshakeCallbacks_onSSLStateChange =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "onSSLStateChange", "(II)V");
-    sslHandshakeCallbacks_clientCertificateRequested =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "clientCertificateRequested", "([B[I[[B)V");
+            getMethodRef(env, sslHandshakeCallbacksClass, "onSSLStateChange", "(II)V");
+    sslHandshakeCallbacks_clientCertificateRequested = getMethodRef(
+            env, sslHandshakeCallbacksClass, "clientCertificateRequested", "([B[I[[B)V");
     sslHandshakeCallbacks_serverCertificateRequested =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "serverCertificateRequested", "()V");
-    sslHandshakeCallbacks_clientPSKKeyRequested =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "clientPSKKeyRequested", "(Ljava/lang/String;[B[B)I");
+            getMethodRef(env, sslHandshakeCallbacksClass, "serverCertificateRequested", "()V");
+    sslHandshakeCallbacks_clientPSKKeyRequested = getMethodRef(
+            env, sslHandshakeCallbacksClass, "clientPSKKeyRequested", "(Ljava/lang/String;[B[B)I");
     sslHandshakeCallbacks_serverPSKKeyRequested =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "serverPSKKeyRequested", "(Ljava/lang/String;Ljava/lang/String;[B)I");
+            getMethodRef(env, sslHandshakeCallbacksClass, "serverPSKKeyRequested",
+                         "(Ljava/lang/String;Ljava/lang/String;[B)I");
     sslHandshakeCallbacks_onNewSessionEstablished =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "onNewSessionEstablished", "(J)V");
+            getMethodRef(env, sslHandshakeCallbacksClass, "onNewSessionEstablished", "(J)V");
     sslHandshakeCallbacks_serverSessionRequested =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "serverSessionRequested", "([B)J");
+            getMethodRef(env, sslHandshakeCallbacksClass, "serverSessionRequested", "([B)J");
     sslHandshakeCallbacks_selectApplicationProtocol =
-	    getMethodRef(env, sslHandshakeCallbacksClass, "selectApplicationProtocol", "([B)I");
-    cryptoUpcallsClass_rawSignMethod = env->GetStaticMethodID(cryptoUpcallsClass,
-                                                     "ecSignDigestWithPrivateKey",
-                                                     "(Ljava/security/PrivateKey;[B)[B");
+            getMethodRef(env, sslHandshakeCallbacksClass, "selectApplicationProtocol", "([B)I");
+    cryptoUpcallsClass_rawSignMethod = env->GetStaticMethodID(
+            cryptoUpcallsClass, "ecSignDigestWithPrivateKey", "(Ljava/security/PrivateKey;[B)[B");
     if (cryptoUpcallsClass_rawSignMethod == nullptr) {
         env->FatalError("Could not find ecSignDigestWithPrivateKey");
     }
-    cryptoUpcallsClass_rsaSignMethod = env->GetStaticMethodID(cryptoUpcallsClass,
-                                                     "rsaSignDigestWithPrivateKey",
-                                                     "(Ljava/security/PrivateKey;I[B)[B");
+    cryptoUpcallsClass_rsaSignMethod = env->GetStaticMethodID(
+            cryptoUpcallsClass, "rsaSignDigestWithPrivateKey", "(Ljava/security/PrivateKey;I[B)[B");
     if (cryptoUpcallsClass_rsaSignMethod == nullptr) {
         env->FatalError("Could not find rsaSignDigestWithPrivateKey");
     }
-    cryptoUpcallsClass_rsaDecryptMethod = env->GetStaticMethodID(cryptoUpcallsClass,
-						     "rsaDecryptWithPrivateKey",
-						     "(Ljava/security/PrivateKey;I[B)[B");
+    cryptoUpcallsClass_rsaDecryptMethod = env->GetStaticMethodID(
+            cryptoUpcallsClass, "rsaDecryptWithPrivateKey", "(Ljava/security/PrivateKey;I[B)[B");
     if (cryptoUpcallsClass_rsaDecryptMethod == nullptr) {
         env->FatalError("Could not find rsaDecryptWithPrivateKey");
     }

common/src/jni/main/cpp/conscrypt/native_crypto.cc

@@ -58,6 +58,8 @@
 #include <type_traits>
 #include <vector>
 
+#include "jni.h"
+
 using conscrypt::AppData;
 using conscrypt::BioInputStream;
 using conscrypt::BioOutputStream;
@@ -543,8 +545,7 @@ static jbyteArray ecSignDigestWithPrivateKey(JNIEnv* env, jobject privateKey, co
 
     return reinterpret_cast<jbyteArray>(env->CallStaticObjectMethod(
             conscrypt::jniutil::cryptoUpcallsClass,
-            conscrypt::jniutil::cryptoUpcallsClass_rawSignMethod,
-            privateKey, messageArray.get()));
+            conscrypt::jniutil::cryptoUpcallsClass_rawSignMethod, privateKey, messageArray.get()));
 }
 
 static jbyteArray rsaSignDigestWithPrivateKey(JNIEnv* env, jobject privateKey, jint padding,
@@ -571,10 +572,9 @@ static jbyteArray rsaSignDigestWithPrivateKey(JNIEnv* env, jobject privateKey, j
     }
 
     return reinterpret_cast<jbyteArray>(
-            env->CallStaticObjectMethod(
-                conscrypt::jniutil::cryptoUpcallsClass,
-                conscrypt::jniutil::cryptoUpcallsClass_rsaSignMethod,
-                privateKey, padding, messageArray.get()));
+            env->CallStaticObjectMethod(conscrypt::jniutil::cryptoUpcallsClass,
+                                        conscrypt::jniutil::cryptoUpcallsClass_rsaSignMethod,
+                                        privateKey, padding, messageArray.get()));
 }
 
 // rsaDecryptWithPrivateKey uses privateKey to decrypt |ciphertext_len| bytes
@@ -605,10 +605,9 @@ static jbyteArray rsaDecryptWithPrivateKey(JNIEnv* env, jobject privateKey, jint
     }
 
     return reinterpret_cast<jbyteArray>(
-            env->CallStaticObjectMethod(
-                conscrypt::jniutil::cryptoUpcallsClass,
-                conscrypt::jniutil::cryptoUpcallsClass_rsaDecryptMethod,
-                privateKey, padding, ciphertextArray.get()));
+            env->CallStaticObjectMethod(conscrypt::jniutil::cryptoUpcallsClass,
+                                        conscrypt::jniutil::cryptoUpcallsClass_rsaDecryptMethod,
+                                        privateKey, padding, ciphertextArray.get()));
 }
 
 // *********************************************
@@ -8101,7 +8100,7 @@ static void info_callback(const SSL* ssl, int type, int value) {
 
     JNI_TRACE("ssl=%p info_callback calling onSSLStateChange", ssl);
     env->CallVoidMethod(sslHandshakeCallbacks,
-        conscrypt::jniutil::sslHandshakeCallbacks_onSSLStateChange, type, value);
+                        conscrypt::jniutil::sslHandshakeCallbacks_onSSLStateChange, type, value);
 
     if (env->ExceptionCheck()) {
         JNI_TRACE("ssl=%p info_callback exception", ssl);
@@ -8422,8 +8421,7 @@ static SSL_SESSION* server_session_requested_callback(SSL* ssl, const uint8_t* i
     return ssl_session_ptr;
 }
 
-static jint NativeCrypto_EVP_has_aes_hardware(JNIEnv* env, jclass) {
-    CHECK_ERROR_QUEUE_ON_RETURN;
+static jint NativeCrypto_EVP_has_aes_hardware(CRITICAL_JNI_PARAMS) {
     int ret = 0;
     ret = EVP_has_aes_hardware();
     JNI_TRACE("EVP_has_aes_hardware => %d", ret);
@@ -10715,9 +10713,8 @@ static jlong NativeCrypto_SSL_get_timeout(JNIEnv* env, jclass, jlong ssl_address
     return result;
 }
 
-static jint NativeCrypto_SSL_get_signature_algorithm_key_type(JNIEnv* env, jclass,
+static jint NativeCrypto_SSL_get_signature_algorithm_key_type(CRITICAL_JNI_PARAMS_COMMA
                                                               jint signatureAlg) {
-    CHECK_ERROR_QUEUE_ON_RETURN;
     return SSL_get_signature_algorithm_key_type(signatureAlg);
 }
 
@@ -11190,7 +11187,7 @@ static jint NativeCrypto_SSL_get_error(JNIEnv* env, jclass, jlong ssl_address,
     return SSL_get_error(ssl, ret);
 }
 
-static void NativeCrypto_SSL_clear_error(JNIEnv*, jclass) {
+static void NativeCrypto_SSL_clear_error(CRITICAL_JNI_PARAMS) {
     ERR_clear_error();
 }
 

common/src/jni/main/include/conscrypt/jniutil.h

@@ -27,6 +27,14 @@
 namespace conscrypt {
 namespace jniutil {
 
+#ifdef __ANDROID__
+    #define CRITICAL_JNI_PARAMS
+    #define CRITICAL_JNI_PARAMS_COMMA
+#else
+    #define CRITICAL_JNI_PARAMS JNIEnv*, jclass
+    #define CRITICAL_JNI_PARAMS_COMMA JNIEnv*, jclass,
+#endif
+
 extern JavaVM* gJavaVM;
 extern jclass cryptoUpcallsClass;
 extern jclass openSslInputStreamClass;

common/src/main/java/org/conscrypt/AbstractConscryptEngine.java

@@ -134,6 +134,13 @@ public abstract SSLEngineResult wrap(
      */
     abstract void setUseSessionTickets(boolean useSessionTickets);
 
+    /**
+     * This method sets the ECH config data to be used in the TLS handshake.
+     *
+     * @param echConfigList the ECH config data to be used in the TLS handshake
+     */
+    abstract void setEchConfigList(byte[] echConfigList);
+
     /**
      * Sets the list of ALPN protocols.
      *

common/src/main/java/org/conscrypt/AbstractConscryptSocket.java

@@ -626,6 +626,13 @@ private boolean isDelegating() {
      */
     abstract void setUseSessionTickets(boolean useSessionTickets);
 
+    /**
+     * This method sets the ECH config data to be used in the TLS handshake.
+     *
+     * @param echConfigList the ECH config data to be used in the TLS handshake
+     */
+    abstract void setEchConfigList(byte[] echConfigList);
+
     /**
      * Enables/disables TLS Channel ID for this server socket.
      *

common/src/main/java/org/conscrypt/ArrayUtils.java

@@ -29,7 +29,7 @@ private ArrayUtils() {}
      * Checks that the range described by {@code offset} and {@code count}
      * doesn't exceed {@code arrayLength}.
      */
-    static void checkOffsetAndCount(int arrayLength, int offset, int count) {
+    public static void checkOffsetAndCount(int arrayLength, int offset, int count) {
         if ((offset | count) < 0 || offset > arrayLength || arrayLength - offset < count) {
             throw new ArrayIndexOutOfBoundsException("length=" + arrayLength + "; regionStart="
                     + offset + "; regionLength=" + count);