Fix SSLEngine bug with multiple heap buffer inputs.

When the SSLEngine overload that accepts an array of ByteBuffers is
called with heap buffers for both the source and destination, those
heap buffers are converted to direct buffers for passing to JNI by way
of copying them to a single temporary direct buffer.  A bug in the
reading of the encrypted data out of BoringSSL resulted in the data
being placed at the wrong offset of the temporary buffer, meaning that
the output data was prefixed in the worst case by the plaintext.

Bug: 73251618
Test: cts -m CtsLibcoreTestCases -t
Change-Id: I9b1a167f9a5ccd36d6da5cd1a14a80fb3cc73a1f
(cherry picked from commit 4a85e8dc865973bb4d0f960b63f67a75f3f8229f)
1 file changed
tree: 72e2eca0d5299d9bab83a8ba8b6bc67f2ded2742
  1. android/
  2. android-stub/
  3. api-doclet/
  4. benchmark-base/
  5. benchmark-graphs/
  6. benchmark-jmh/
  7. common/
  8. constants/
  9. gradle/
  10. libcore-stub/
  11. licenses/
  12. openjdk/
  13. openjdk-integ-tests/
  14. openjdk-uber/
  15. platform/
  16. testing/
  17. .clang-format
  18. .gitignore
  19. .travis.yml
  20. Android.bp
  22. appveyor.yml
  23. build.gradle
  26. Dockerfile
  27. gradlew
  28. gradlew.bat
  29. jarjar-rules.txt
  32. NOTICE
  33. OWNERS
  34. PREUPLOAD.cfg
  37. settings.gradle

Conscrypt - A Java Security Provider

Conscrypt is a Java Security Provider (JSP) that implements parts of the Java Cryptography Extension (JCE) and Java Secure Socket Extension (JSSE). It uses BoringSSL to provide cryptographical primitives and Transport Layer Security (TLS) for Java applications on Android and OpenJDK.

The core SSL engine has borrowed liberally from the Netty project and their work on netty-tcnative, giving Conscrypt similar performance.


NOTE: This section is under construction! Artifacts have not yet been published to the public Maven repositories.

Download JARs

You can download the JARs directly from the Maven repositories.

OpenJDK (i.e. non-Android)

Native Classifiers

The OpenJDK artifacts are platform-dependent since each embeds a native library for a particular platform. We publish artifacts to Maven Central for the following platforms:

windows-x86_64Windows distribution
osx-x86_64Mac distribution
linux-x86_64Used for Linux

Use the os-maven-plugin to add the dependency:



Use the osdetector-gradle-plugin (which is a wrapper around the os-maven-plugin) to add the dependency:

buildscript {
  repositories {
  dependencies {
    classpath ''

// Use the osdetector-gradle-plugin
apply plugin: ""

dependencies {
  compile 'org.conscrypt:conscrypt-jdk:1.1.0-SNAPSHOT:' + osdetector.classifier
Uber JAR

For convenience, we also publish an Uber JAR to Maven Central that contains the shared libraries for all of the published platforms. While the overall size of the JAR is larger than depending on a platform-specific artifact, it greatly simplifies the task of dependency management for most platforms.

To depend on the uber jar, simply use the conscrypt-openjdk-uber artifacts.

dependencies {
  compile 'org.conscrypt:conscrypt-jdk-uber:1.1.0-SNAPSHOT'

How to Build

If you are making changes to Conscrypt, see the building instructions.

Source Overview

Here‘s a quick readers’ guide to the code to help folks get started. The high-level modules are Common, Android, OpenJDK, and Platform.


This contains the bulk of the code for both Java and C. This isn't an actual module and builds no artifacts. Rather, the other modules just point to this directory as source.


This module provides the Platform class for Android and also adds compatibility classes for supporting various versions of Android. This generates an aar library artifact.


These modules provide the Platform class for non-Android (OpenJDK-based) systems. It also provides a native library loader supports bundling the shared library with the JAR.


This is not an actual module and is not part of the default build. This is used for building Conscrypt as an embedded component of the Android platform.