From 8816adb42aceb7b54b4fa900d214583298e420b4 Mon Sep 17 00:00:00 2001 From: Miguel Date: Tue, 3 Dec 2024 17:11:31 +0000 Subject: [PATCH 1/5] Re-add stats-log class for conscrypt metrics This class is created by codegen in the gmscore version of conscrypt and so we need the logging path to go through it in order for it to be replaced in gmscore --- .../conscrypt/metrics/ConscryptStatsLog.java | 76 +++++++++++++++++++ .../org/conscrypt/metrics/StatsLogImpl.java | 19 ++--- 2 files changed, 81 insertions(+), 14 deletions(-) create mode 100644 common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java diff --git a/common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java b/common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java new file mode 100644 index 000000000..b4b9b906b --- /dev/null +++ b/common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java 
@@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.conscrypt.metrics; + +import org.conscrypt.Internal; +import java.util.concurrent.ArrayBlockingQueue; +import java.util.concurrent.Executors; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.ThreadPoolExecutor; +import java.util.concurrent.ThreadFactory; +import java.util.concurrent.TimeUnit; +import java.lang.Thread.UncaughtExceptionHandler; + +/** + * Reimplement with reflection calls the logging class, + * generated by frameworks/statsd. + *

+ * In case atom is changed, generate new wrapper with stats-log-api-gen + * tool as shown below and add corresponding methods to ReflexiveStatsEvent's + * newEvent() method. + *

+ * $ stats-log-api-gen \ + * --java "common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java" \ + * --module conscrypt \ + * --javaPackage org.conscrypt.metrics \ + * --javaClass ConscryptStatsLog + **/ +@Internal +public final class ConscryptStatsLog { + public static final int TLS_HANDSHAKE_REPORTED = 317; + + private ConscryptStatsLog() {} + + public static void write(int atomId, boolean success, int protocol, int cipherSuite, + int duration, Source source, int[] uids) { + ReflexiveStatsEvent event = ReflexiveStatsEvent.buildEvent( + atomId, success, protocol, cipherSuite, duration, source.ordinal(), uids); + + ReflexiveStatsLog.write(event); + } + + public static void write( + int atomId, boolean success, int protocol, int cipherSuite, int duration, Source source, + int uids[]) { + ReflexiveStatsEvent event = ReflexiveStatsEvent.buildEvent( + atomId, success, protocol, cipherSuite, duration, source.ordinal(), uids); + + ReflexiveStatsLog.write(event); + } + + public static void write(int atomId, int status, int loadedCompatVersion, + int minCompatVersionAvailable, int majorVersion, int minorVersion) { + ReflexiveStatsEvent.Builder builder = ReflexiveStatsEvent.newBuilder(); + builder.setAtomId(atomId); + builder.writeInt(status); + builder.writeInt(loadedCompatVersion); + builder.writeInt(minCompatVersionAvailable); + builder.writeInt(majorVersion); + builder.writeInt(minorVersion); + builder.usePooledBuffer(); + ReflexiveStatsLog.write(builder.build()); + } +} diff --git a/common/src/main/java/org/conscrypt/metrics/StatsLogImpl.java b/common/src/main/java/org/conscrypt/metrics/StatsLogImpl.java index a47bac9d6..0cc6dd99c 100644 --- a/common/src/main/java/org/conscrypt/metrics/StatsLogImpl.java +++ b/common/src/main/java/org/conscrypt/metrics/StatsLogImpl.java 
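Review bot: The two `write(int, boolean, int, int, int, Source, int[])` overloads in the new ConscryptStatsLog have identical signatures (`int[] uids` and `int uids[]` declare the same type), so this patch does not compile on its own; the series only resolves that in the following commit by dropping `uids` from the first overload. The seven `java.util.concurrent`/`UncaughtExceptionHandler` imports are not referenced anywhere in the file and should be removed. Because the atom field is populated from `source.ordinal()`, reordering the `Source` enum silently changes the value that is logged; a comment on the seven-argument `write`, `// Source is encoded by ordinal; keep the enum order in sync with the statsd atom definition`, would make that dependency explicit.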
@@ -85,7 +85,7 @@ public void countTlsHandshake( CipherSuite suite = CipherSuite.forName(cipherSuite); write(TLS_HANDSHAKE_REPORTED, success, proto.getId(), suite.getId(), (int) duration, - Platform.getStatsSource().ordinal(), Platform.getUids()); + Platform.getStatsSource(), Platform.getUids()); } private static int logStoreStateToMetricsState(LogStore.State state) { @@ -123,14 +123,12 @@ public void updateCTLogListStatusChanged(LogStore logStore) { } private void write(int atomId, boolean success, int protocol, int cipherSuite, int duration, - int source, int[] uids) { + org.conscrypt.metrics.Source source, int[] uids) { e.execute(new Runnable() { @Override public void run() { - ReflexiveStatsEvent event = ReflexiveStatsEvent.buildEvent( + ConscryptStatsLog.write( atomId, success, protocol, cipherSuite, duration, source, uids); - - ReflexiveStatsLog.write(event); } }); } @@ -140,15 +138,8 @@ private void write(int atomId, int status, int loadedCompatVersion, e.execute(new Runnable() { @Override public void run() { - ReflexiveStatsEvent.Builder builder = ReflexiveStatsEvent.newBuilder(); - builder.setAtomId(atomId); - builder.writeInt(status); - builder.writeInt(loadedCompatVersion); - builder.writeInt(minCompatVersionAvailable); - builder.writeInt(majorVersion); - builder.writeInt(minorVersion); - builder.usePooledBuffer(); - ReflexiveStatsLog.write(builder.build()); + ConscryptStatsLog.write(atomId, status, loadedCompatVersion, + minCompatVersionAvailable, majorVersion, minorVersion); } }); } From 34840bd2763622d7fd512ead572251126ce88772 Mon Sep 17 00:00:00 2001 From: Miguel Date: Tue, 3 Dec 2024 17:11:31 +0000 Subject: [PATCH 2/5] Re-add stats-log class for conscrypt metrics This class is created by codegen in the gmscore version of conscrypt and so we need the logging path to go through it in order for it to be replaced in gmscore --- .../main/java/org/conscrypt/metrics/ConscryptStatsLog.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
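Review bot: `Platform.getStatsSource()` is now handed to the executor untouched and dereferenced only later by `source.ordinal()` inside `ConscryptStatsLog.write`, so a null source would surface as an uncaught exception on the executor thread rather than at the `countTlsHandshake` call site; if that Platform method can return null (not visible here), add a null check before `e.execute(...)`. The parameter type `org.conscrypt.metrics.Source` is fully qualified although StatsLogImpl is itself in `org.conscrypt.metrics`; plain `Source` is enough and matches the other parameters. The enclosing `countTlsHandshake` and `updateCTLogListStatusChanged` methods start outside the hunks.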
diff --git a/common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java b/common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java index b4b9b906b..73ea27341 100644 --- a/common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java +++ b/common/src/main/java/org/conscrypt/metrics/ConscryptStatsLog.java @@ -45,9 +45,9 @@ public final class ConscryptStatsLog { private ConscryptStatsLog() {} public static void write(int atomId, boolean success, int protocol, int cipherSuite, - int duration, Source source, int[] uids) { + int duration, Source source) { ReflexiveStatsEvent event = ReflexiveStatsEvent.buildEvent( - atomId, success, protocol, cipherSuite, duration, source.ordinal(), uids); + atomId, success, protocol, cipherSuite, duration, source.ordinal()); ReflexiveStatsLog.write(event); } From 8f4e2be393f901697b9edc99f5cae8d62230df3b Mon Sep 17 00:00:00 2001 From: Miguel Aranda Date: Thu, 21 Nov 2024 15:07:16 +0000 Subject: [PATCH 3/5] Revert^4 "Add support for enabling/disabling TLS v1.0 and 1.1 in Conscrypt." This reverts commit 5ae7b5c2f272365d13c9ff3ba0c7a682375dc1d8. Reason for revert: fixed the failures by checking that API levels are not higher than a 100, and bumped API level check to 36 because I noticed that this version of using reflection is more resilient than the previous one. Change-Id: I42fcb922e046072eea0fa5aee07c513233d2b1e9 --- .../src/main/java/org/conscrypt/Platform.java | 18 ++- .../main/java/org/conscrypt/Conscrypt.java | 17 ++- .../main/java/org/conscrypt/NativeCrypto.java | 59 +++++---- .../java/org/conscrypt/OpenSSLProvider.java | 18 ++- .../src/main/java/org/conscrypt/Platform.java | 19 ++- .../src/main/java/org/conscrypt/Platform.java | 46 ++++--- .../org/conscrypt/TlsDeprecationTest.java | 112 +++++++++++++++--- .../main/java/org/conscrypt/TestUtils.java | 19 ++- 8 files changed, 233 insertions(+), 75 deletions(-) 
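Review bot: The overload that now ends in `Source source)` calls a six-argument `ReflexiveStatsEvent.buildEvent(..., source.ordinal())` that nothing in the series shows, and no visible caller uses it (StatsLogImpl passes `uids` and resolves to the seven-argument overload), so it is either dead code or a signature that must mirror the gmscore codegen output; if the latter, say so on the class: `/** Overload set must match the stats-log-api-gen output used by the gmscore build; keep the signatures in sync when the atom changes. */`. The surviving seven-argument overload still declares `int uids[]` in C style; `int[] uids` is the Java convention.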
diff --git a/android/src/main/java/org/conscrypt/Platform.java b/android/src/main/java/org/conscrypt/Platform.java index cc1e10148..3ebc1c217 100644 --- a/android/src/main/java/org/conscrypt/Platform.java +++ b/android/src/main/java/org/conscrypt/Platform.java @@ -69,6 +69,7 @@ import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.StandardConstants; import javax.net.ssl.X509TrustManager; +import org.conscrypt.NativeCrypto; /** * Platform-specific methods for unbundled Android. @@ -76,9 +77,13 @@ @Internal final public class Platform { private static final String TAG = "Conscrypt"; + static boolean DEPRECATED_TLS_V1 = true; + static boolean ENABLED_TLS_V1 = false; + private static boolean FILTERED_TLS_V1 = true; private static Method m_getCurveName; static { + NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1); try { m_getCurveName = ECParameterSpec.class.getDeclaredMethod("getCurveName"); m_getCurveName.setAccessible(true); @@ -89,7 +94,12 @@ final public class Platform { private Platform() {} - public static void setup() {} + public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) { + DEPRECATED_TLS_V1 = deprecatedTlsV1; + ENABLED_TLS_V1 = enabledTlsV1; + FILTERED_TLS_V1 = !enabledTlsV1; + NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1); + } /** * Default name used in the {@link java.security.Security JCE system} by {@code OpenSSLProvider} @@ -955,14 +965,14 @@ public static boolean isJavaxCertificateSupported() { } public static boolean isTlsV1Deprecated() { - return true; + return DEPRECATED_TLS_V1; } public static boolean isTlsV1Filtered() { - return false; + return FILTERED_TLS_V1; } public static boolean isTlsV1Supported() { - return false; + return ENABLED_TLS_V1; } } diff --git a/common/src/main/java/org/conscrypt/Conscrypt.java b/common/src/main/java/org/conscrypt/Conscrypt.java index c48f8f036..53bc16e7a 100644 --- a/common/src/main/java/org/conscrypt/Conscrypt.java 
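Review bot: The unbundled-Android default for `isTlsV1Filtered()` becomes `true` (`FILTERED_TLS_V1` initializes to true) where it was hard-coded `false`, so an app that calls `setEnabledProtocols(new String[] {"TLSv1"})` now has the request silently stripped to an empty enabled list instead of receiving the `IllegalArgumentException` it got before; if that is intended it belongs in the commit message and in the `isTlsV1Filtered` Javadoc. `DEPRECATED_TLS_V1`, `ENABLED_TLS_V1` and `FILTERED_TLS_V1` are plain mutable statics rewritten by `setup()` on whichever thread constructs an `OpenSSLProvider`, so a later provider built with TLSv1 enabled re-enables it for every existing context in the process and readers on other threads have no visibility guarantee; declare them `static volatile boolean` and document on `setup` that the last call wins process-wide. `import org.conscrypt.NativeCrypto;` is redundant inside package `org.conscrypt`.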
+++ b/common/src/main/java/org/conscrypt/Conscrypt.java @@ -160,6 +160,8 @@ public static class ProviderBuilder { private String name = Platform.getDefaultProviderName(); private boolean provideTrustManager = Platform.provideTrustManagerByDefault(); private String defaultTlsProtocol = NativeCrypto.SUPPORTED_PROTOCOL_TLSV1_3; + private boolean deprecatedTlsV1 = true; + private boolean enabledTlsV1 = false; private ProviderBuilder() {} @@ -200,8 +202,21 @@ public ProviderBuilder defaultTlsProtocol(String defaultTlsProtocol) { return this; } + /** Specifies whether TLS v1.0 and 1.1 should be deprecated */ + public ProviderBuilder isTlsV1Deprecated(boolean deprecatedTlsV1) { + this.deprecatedTlsV1 = deprecatedTlsV1; + return this; + } + + /** Specifies whether TLS v1.0 and 1.1 should be enabled */ + public ProviderBuilder isTlsV1Enabled(boolean enabledTlsV1) { + this.enabledTlsV1 = enabledTlsV1; + return this; + } + public Provider build() { - return new OpenSSLProvider(name, provideTrustManager, defaultTlsProtocol); + return new OpenSSLProvider(name, provideTrustManager, + defaultTlsProtocol, deprecatedTlsV1, enabledTlsV1); } } diff --git a/common/src/main/java/org/conscrypt/NativeCrypto.java b/common/src/main/java/org/conscrypt/NativeCrypto.java index 445ac0de8..29c48f3e3 100644 --- a/common/src/main/java/org/conscrypt/NativeCrypto.java +++ b/common/src/main/java/org/conscrypt/NativeCrypto.java 
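Review bot: The Javadoc on `isTlsV1Deprecated`/`isTlsV1Enabled` does not say that the choice is applied process-wide by `Platform.setup` when `build()` constructs the provider (the last provider built wins), that `isTlsV1Deprecated(false)` places TLSv1 and TLSv1.1 in the default enabled protocol list of every new context, or that `build()` throws `IllegalArgumentException` for the `(false, false)` combination; each of those should be stated on the setter. The names read as getters while the sibling setter is `defaultTlsProtocol(...)`, so `tlsV1Deprecated(boolean)`/`tlsV1Enabled(boolean)` would match the builder's existing style. Suggested wording for the second setter: `/** Enables negotiation of TLSv1 and TLSv1.1. Global to the process: it is applied when build() runs and replaced by any OpenSSLProvider constructed afterwards. */`.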
@@ -1025,29 +1025,48 @@ static native void SSL_set_client_CA_list(long ssl, NativeSsl ssl_holder, byte[] static native void set_SSL_psk_server_callback_enabled(long ssl, NativeSsl ssl_holder, boolean enabled); - private static final String[] ENABLED_PROTOCOLS_TLSV1 = Platform.isTlsV1Deprecated() - ? new String[0] - : new String[] { + public static void setTlsV1DeprecationStatus(boolean deprecated, boolean supported) { + if (deprecated) { + TLSV12_PROTOCOLS = new String[] { + SUPPORTED_PROTOCOL_TLSV1_2, + }; + TLSV13_PROTOCOLS = new String[] { + SUPPORTED_PROTOCOL_TLSV1_2, + SUPPORTED_PROTOCOL_TLSV1_3, + }; + } else { + TLSV12_PROTOCOLS = new String[] { DEPRECATED_PROTOCOL_TLSV1, DEPRECATED_PROTOCOL_TLSV1_1, + SUPPORTED_PROTOCOL_TLSV1_2, }; - - private static final String[] SUPPORTED_PROTOCOLS_TLSV1 = Platform.isTlsV1Supported() - ? new String[] { + TLSV13_PROTOCOLS = new String[] { DEPRECATED_PROTOCOL_TLSV1, DEPRECATED_PROTOCOL_TLSV1_1, - } : new String[0]; + SUPPORTED_PROTOCOL_TLSV1_2, + SUPPORTED_PROTOCOL_TLSV1_3, + }; + } + if (supported) { + SUPPORTED_PROTOCOLS = new String[] { + DEPRECATED_PROTOCOL_TLSV1, + DEPRECATED_PROTOCOL_TLSV1_1, + SUPPORTED_PROTOCOL_TLSV1_2, + SUPPORTED_PROTOCOL_TLSV1_3, + }; + } else { + SUPPORTED_PROTOCOLS = new String[] { + SUPPORTED_PROTOCOL_TLSV1_2, + SUPPORTED_PROTOCOL_TLSV1_3, + }; + } + } /** Protocols to enable by default when "TLSv1.3" is requested. */ - static final String[] TLSV13_PROTOCOLS = ArrayUtils.concatValues( - ENABLED_PROTOCOLS_TLSV1, - SUPPORTED_PROTOCOL_TLSV1_2, - SUPPORTED_PROTOCOL_TLSV1_3); + static String[] TLSV13_PROTOCOLS; /** Protocols to enable by default when "TLSv1.2" is requested. */ - static final String[] TLSV12_PROTOCOLS = ArrayUtils.concatValues( - ENABLED_PROTOCOLS_TLSV1, - SUPPORTED_PROTOCOL_TLSV1_2); + static String[] TLSV12_PROTOCOLS; /** Protocols to enable by default when "TLSv1.1" is requested. */ static final String[] TLSV11_PROTOCOLS = new String[] { 
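Review bot: `TLSV12_PROTOCOLS` and `TLSV13_PROTOCOLS` are now non-final statics declared without an initializer, so they stay null until a `Platform` class initializer calls `setTlsV1DeprecationStatus`; any path that reaches `getDefaultProtocols()` before that, or a class-initialization cycle in which NativeCrypto's own static block (outside this hunk) triggers Platform first, dereferences null. The method is also `public` and writes plain non-volatile fields, so any code can re-enable TLSv1.0/1.1 for the whole process without passing through `OpenSSLProvider`'s validation, and readers on other threads may observe a stale table. Initialize both fields to the strict default and publish them safely — `static volatile String[] TLSV13_PROTOCOLS = {SUPPORTED_PROTOCOL_TLSV1_2, SUPPORTED_PROTOCOL_TLSV1_3};` and `static volatile String[] TLSV12_PROTOCOLS = {SUPPORTED_PROTOCOL_TLSV1_2};` (readers already `clone()`, so a volatile reference suffices) — and narrow the setter to `static void setTlsV1DeprecationStatus(boolean deprecated, boolean supported)`, since its only visible callers are the `Platform` classes in the same package. Note that with `deprecated == false` the two TLSv1 entries land in the default tables, i.e. TLSv1.0 becomes negotiable by default rather than merely available on request; the method Javadoc should spell that out.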
@@ -1059,20 +1078,12 @@ static native void SSL_set_client_CA_list(long ssl, NativeSsl ssl_holder, byte[] /** Protocols to enable by default when "TLSv1" is requested. */ static final String[] TLSV1_PROTOCOLS = TLSV11_PROTOCOLS; - static final String[] DEFAULT_PROTOCOLS = TLSV13_PROTOCOLS; - // If we ever get a new protocol go look for tests which are skipped using // assumeTlsV11Enabled() - private static final String[] SUPPORTED_PROTOCOLS = ArrayUtils.concatValues( - SUPPORTED_PROTOCOLS_TLSV1, - SUPPORTED_PROTOCOL_TLSV1_2, - SUPPORTED_PROTOCOL_TLSV1_3); + private static String[] SUPPORTED_PROTOCOLS; public static String[] getDefaultProtocols() { - if (Platform.isTlsV1Deprecated()) { - return DEFAULT_PROTOCOLS.clone(); - } - return SUPPORTED_PROTOCOLS.clone(); + return TLSV13_PROTOCOLS.clone(); } static String[] getSupportedProtocols() { diff --git a/common/src/main/java/org/conscrypt/OpenSSLProvider.java b/common/src/main/java/org/conscrypt/OpenSSLProvider.java index d0e7fd5c5..7c52c9b1b 100644 --- a/common/src/main/java/org/conscrypt/OpenSSLProvider.java +++ b/common/src/main/java/org/conscrypt/OpenSSLProvider.java 
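Review bot: `SUPPORTED_PROTOCOLS` is now `private static String[]` with no initializer, so `getSupportedProtocols()` (which continues past the end of the hunk) will NPE if it runs before a `Platform` initializer has called `setTlsV1DeprecationStatus`; `private static volatile String[] SUPPORTED_PROTOCOLS = {SUPPORTED_PROTOCOL_TLSV1_2, SUPPORTED_PROTOCOL_TLSV1_3};` keeps the strict default and publishes updates safely. `getDefaultProtocols()` drops the `isTlsV1Deprecated()` branch and returns `TLSV13_PROTOCOLS.clone()` unconditionally, which is correct only because the previous hunk bakes the deprecation choice into that table; a Javadoc line such as `/** Default protocols; reflects the most recent setTlsV1DeprecationStatus call, so TLSv1/1.1 appear here when deprecation is switched off. */` records that coupling. `DEFAULT_PROTOCOLS` is removed, so any reference to it outside this hunk would no longer compile (none visible here).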
@@ -51,17 +51,29 @@ public OpenSSLProvider() { @SuppressWarnings("deprecation") public OpenSSLProvider(String providerName) { - this(providerName, Platform.provideTrustManagerByDefault(), "TLSv1.3"); + this(providerName, Platform.provideTrustManagerByDefault(), "TLSv1.3", + Platform.DEPRECATED_TLS_V1, Platform.ENABLED_TLS_V1); } - OpenSSLProvider(String providerName, boolean includeTrustManager, String defaultTlsProtocol) { + OpenSSLProvider(String providerName, boolean includeTrustManager, + String defaultTlsProtocol) { + this(providerName, includeTrustManager, defaultTlsProtocol, + Platform.DEPRECATED_TLS_V1, Platform.ENABLED_TLS_V1); + } + + OpenSSLProvider(String providerName, boolean includeTrustManager, + String defaultTlsProtocol, boolean deprecatedTlsV1, + boolean enabledTlsV1) { super(providerName, 1.0, "Android's OpenSSL-backed security provider"); // Ensure that the native library has been loaded. NativeCrypto.checkAvailability(); + if (!deprecatedTlsV1 && !enabledTlsV1) { + throw new IllegalArgumentException("TLSv1 is not deprecated and cannot be disabled."); + } // Make sure the platform is initialized. - Platform.setup(); + Platform.setup(deprecatedTlsV1, enabledTlsV1); /* === SSL Contexts === */ String classOpenSSLContextImpl = PREFIX + "OpenSSLContextImpl"; diff --git a/openjdk/src/main/java/org/conscrypt/Platform.java b/openjdk/src/main/java/org/conscrypt/Platform.java index a651d4788..55f871c03 100644 --- a/openjdk/src/main/java/org/conscrypt/Platform.java +++ b/openjdk/src/main/java/org/conscrypt/Platform.java @@ -84,6 +84,7 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedTrustManager; import javax.net.ssl.X509TrustManager; +import org.conscrypt.NativeCrypto; /** * Platform-specific methods for OpenJDK. 
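Review bot: `Platform.setup(deprecatedTlsV1, enabledTlsV1)` runs in every `OpenSSLProvider` constructor and rewrites the process-wide protocol tables, so constructing a second provider with TLSv1 enabled changes what every `SSLContext` obtained from the first provider will negotiate, and the public `OpenSSLProvider(String)` constructor seeds its flags from `Platform.DEPRECATED_TLS_V1`/`ENABLED_TLS_V1`, i.e. from whatever the most recently constructed provider left behind rather than from the strict defaults. That sticky, last-writer-wins behaviour is a downgrade vector if any library in the process opts in and it is undocumented; at minimum the constructor Javadoc should say `This setting is applied globally and replaces the choice made by any previously constructed provider.`, and if inheritance is not intended the public constructor should pass the literal defaults `true, false`. The `(false, false)` validation is correctly placed before `setup`, but `IllegalArgumentException` is worth documenting with `@throws` on the five-argument constructor. The `import org.conscrypt.NativeCrypto;` added to the OpenJDK Platform in the second hunk is redundant within package `org.conscrypt`.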
@@ -94,9 +95,12 @@ final public class Platform { private static final int JAVA_VERSION = javaVersion0(); private static final Method GET_CURVE_NAME_METHOD; + static boolean DEPRECATED_TLS_V1 = true; + static boolean ENABLED_TLS_V1 = false; + private static boolean FILTERED_TLS_V1 = true; static { - + NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1); Method getCurveNameMethod = null; try { getCurveNameMethod = ECParameterSpec.class.getDeclaredMethod("getCurveName"); @@ -109,7 +113,12 @@ final public class Platform { private Platform() {} - static void setup() {} + public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) { + DEPRECATED_TLS_V1 = deprecatedTlsV1; + ENABLED_TLS_V1 = enabledTlsV1; + FILTERED_TLS_V1 = !enabledTlsV1; + NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1); + } /** @@ -839,14 +848,14 @@ public static boolean isJavaxCertificateSupported() { } public static boolean isTlsV1Deprecated() { - return true; + return DEPRECATED_TLS_V1; } public static boolean isTlsV1Filtered() { - return false; + return FILTERED_TLS_V1; } public static boolean isTlsV1Supported() { - return true; + return ENABLED_TLS_V1; } } diff --git a/platform/src/main/java/org/conscrypt/Platform.java b/platform/src/main/java/org/conscrypt/Platform.java index 9691c3de9..2c5301c05 100644 --- a/platform/src/main/java/org/conscrypt/Platform.java +++ b/platform/src/main/java/org/conscrypt/Platform.java 
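Review bot: On OpenJDK `isTlsV1Supported()` now returns `ENABLED_TLS_V1` (default `false`) where it was hard-coded `true`, and `isTlsV1Filtered()` returns `FILTERED_TLS_V1` (default `true`) where it was `false`, so the out-of-the-box OpenJDK behaviour changes from "TLSv1/1.1 available on request, unknown names rejected" to "TLSv1/1.1 unavailable and silently stripped from `setEnabledProtocols`"; that is a reasonable hardening, but the commit message attributes the revert only to the API-level check and the Javadoc of the three accessors says nothing about the defaults. The three flags are plain mutable statics written by `setup()` from whichever thread constructs a provider and read by the accessors on others; declare them `static volatile boolean` and add to the `setup` Javadoc: `Process-global; the values from the most recent call are used by every subsequently created SSLContext.` Tests elsewhere that `assumeTrue(isTlsV1Supported())` will now be skipped on OpenJDK unless the provider is built with `isTlsV1Enabled(true)` (inferred, not visible here).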
@@ -75,18 +75,30 @@ import javax.net.ssl.StandardConstants; import javax.net.ssl.X509ExtendedTrustManager; import javax.net.ssl.X509TrustManager; - +import libcore.net.NetworkSecurityPolicy; +import org.conscrypt.NativeCrypto; import sun.security.x509.AlgorithmId; @Internal final public class Platform { private static class NoPreloadHolder { public static final Platform MAPPER = new Platform(); } + static boolean DEPRECATED_TLS_V1 = true; + static boolean ENABLED_TLS_V1 = false; + private static boolean FILTERED_TLS_V1 = true; + + static { + NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1); + } /** * Runs all the setup for the platform that only needs to run once. */ - public static void setup() { + public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) { + DEPRECATED_TLS_V1 = deprecatedTlsV1; + ENABLED_TLS_V1 = enabledTlsV1; + FILTERED_TLS_V1 = !enabledTlsV1; NoPreloadHolder.MAPPER.ping(); + NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1); } /** 
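Review bot: `import libcore.net.NetworkSecurityPolicy;` is added but nothing in this hunk references it; unless a later hunk outside this view uses it, it is an unused import in platform code. As in the other Platform variants, `DEPRECATED_TLS_V1`, `ENABLED_TLS_V1` and `FILTERED_TLS_V1` are plain package-private mutable statics that `setup()` rewrites on whichever thread constructs an `OpenSSLProvider`; on the platform build that means any component in an app process that builds a provider with TLSv1 enabled re-enables it for every other library in that process, with no visibility guarantee for readers on other threads. Declare them `static volatile boolean` and add to the `setup` Javadoc: `Process-global: the values from the most recent call are used by every subsequently created SSLContext.`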
@@ -552,34 +564,34 @@ public static boolean isJavaxCertificateSupported() { } public static boolean isTlsV1Deprecated() { - return true; + return DEPRECATED_TLS_V1; } public static boolean isTlsV1Filtered() { Object targetSdkVersion = getTargetSdkVersion(); - if ((targetSdkVersion != null) && ((int) targetSdkVersion > 34)) + if ((targetSdkVersion != null) && ((int) targetSdkVersion > 35) + && ((int) targetSdkVersion < 100)) return false; - return true; + return FILTERED_TLS_V1; } public static boolean isTlsV1Supported() { - return false; + return ENABLED_TLS_V1; } static Object getTargetSdkVersion() { try { - Class vmRuntime = Class.forName("dalvik.system.VMRuntime"); - if (vmRuntime == null) { - return null; - } - OptionalMethod getSdkVersion = - new OptionalMethod(vmRuntime, - "getTargetSdkVersion"); - return getSdkVersion.invokeStatic(); - } catch (ClassNotFoundException e) { - return null; - } catch (NullPointerException e) { + Class vmRuntimeClass = Class.forName("dalvik.system.VMRuntime"); + Method getRuntimeMethod = vmRuntimeClass.getDeclaredMethod("getRuntime"); + Method getTargetSdkVersionMethod = + vmRuntimeClass.getDeclaredMethod("getTargetSdkVersion"); + Object vmRuntime = getRuntimeMethod.invoke(null); + return getTargetSdkVersionMethod.invoke(vmRuntime); + } catch (IllegalAccessException | + NullPointerException | InvocationTargetException e) { return null; + } catch (Exception e) { + throw new RuntimeException(e); } } } diff --git a/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java b/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java index 9894fbf3c..ca36e0ad7 100644 --- a/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java +++ b/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java 
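Review bot: The new `(int) targetSdkVersion < 100` bound in `isTlsV1Filtered()` is an undocumented magic number; if its purpose is to exclude the large sentinel reported by apps targeting a pre-release SDK (the commit message only says "not higher than a 100"), name it — `private static final int TARGET_SDK_PRERELEASE_SENTINEL_FLOOR = 100;` — with a comment saying those apps deliberately keep the legacy filtering behaviour. The rewritten `getTargetSdkVersion()` turns `ClassNotFoundException` and `NoSuchMethodException` into a `RuntimeException` via the trailing `catch (Exception e)`, whereas the old code returned null on `ClassNotFoundException`; because a null return falls through to `FILTERED_TLS_V1` (the restrictive default), failing soft is both safer for the app and consistent with the first catch arm, so `} catch (ReflectiveOperationException | NullPointerException e) { return null; }` can replace both catch blocks. The threshold also moves from `> 34` to `> 35`, so apps targeting API 35 now get filtering instead of strict rejection; the `isTlsV1Filtered` Javadoc should state that boundary. `Method` and `InvocationTargetException` are used without a visible import; presumably `java.lang.reflect` is imported above the hunk.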
@@ -16,28 +16,34 @@ package org.conscrypt; -import static org.conscrypt.TestUtils.isTlsV1Filtered; - import libcore.junit.util.SwitchTargetSdkVersionRule; import libcore.junit.util.SwitchTargetSdkVersionRule.TargetSdkVersion; +import java.security.Provider; import javax.net.ssl.SSLSocket; import org.junit.Test; import org.junit.runner.RunWith; +import org.junit.rules.TestRule; +import org.junit.Rule; import org.junit.runners.JUnit4; import org.conscrypt.javax.net.ssl.TestSSLContext; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertThrows; import static org.junit.Assert.fail; import static org.junit.Assume.assumeFalse; @RunWith(JUnit4.class) public class TlsDeprecationTest { - @TargetSdkVersion(35) + @Rule + public final TestRule switchTargetSdkVersionRule = SwitchTargetSdkVersionRule.getInstance(); + @Test - public void test_SSLSocket_SSLv3Unsupported_35() throws Exception { - assumeFalse(isTlsV1Filtered()); + @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + public void test_SSLSocket_SSLv3Unsupported_36() throws Exception { + assertFalse(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(); 
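Review bot: With `assumeFalse(isTlsV1Filtered())` replaced by `assertFalse(TestUtils.isTlsV1Filtered())`, the static imports `org.junit.Assume.assumeFalse` and `org.junit.Assert.fail` appear to have no remaining use in this file (their other uses are removed in the following hunks), so they should be dropped with this change. The precondition assertion is a good change because it makes a misapplied `@TargetSdkVersion` a failure rather than a silent skip; a short comment above it, `// Fails (rather than skips) if the SDK switch rule did not take effect`, would explain why an assert is used where an assume was.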
@@ -45,26 +51,23 @@ public void test_SSLSocket_SSLv3Unsupported_35() throws Exception { assertThrows(IllegalArgumentException.class, () -> client.setEnabledProtocols(new String[] {"SSL"})); } - @TargetSdkVersion(34) @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(34) public void test_SSLSocket_SSLv3Unsupported_34() throws Exception { + assertTrue(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(); // For app compatibility, SSLv3 is stripped out when setting only. client.setEnabledProtocols(new String[] {"SSLv3"}); assertEquals(0, client.getEnabledProtocols().length); - try { - client.setEnabledProtocols(new String[] {"SSL"}); - fail("SSLSocket should not support SSL protocol"); - } catch (IllegalArgumentException expected) { - // Ignored. - } + assertThrows(IllegalArgumentException.class, () -> client.setEnabledProtocols(new String[] {"SSL"})); } - @TargetSdkVersion(34) @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(34) public void test_TLSv1Filtered_34() throws Exception { + assertTrue(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(); 
@@ -73,14 +76,91 @@ public void test_TLSv1Filtered_34() throws Exception { assertEquals("TLSv1.2", client.getEnabledProtocols()[0]); } - @TargetSdkVersion(35) @Test - public void test_TLSv1Filtered_35() throws Exception { - assumeFalse(isTlsV1Filtered()); + @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + public void test_TLSv1FilteredEmpty_34() throws Exception { + assertTrue(TestUtils.isTlsV1Filtered()); + TestSSLContext context = TestSSLContext.create(); + final SSLSocket client = + (SSLSocket) context.clientContext.getSocketFactory().createSocket(); + client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1"}); + assertEquals(0, client.getEnabledProtocols().length); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + public void test_TLSv1Filtered_36() throws Exception { + assertFalse(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(); assertThrows(IllegalArgumentException.class, () -> client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"})); } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + public void testInitializeDeprecatedEnabled_34() { + Provider conscryptProvider = TestUtils.getConscryptProvider(true, true); + assertTrue(TestUtils.isTlsV1Deprecated()); + assertFalse(TestUtils.isTlsV1Filtered()); + assertTrue(TestUtils.isTlsV1Supported()); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + public void testInitializeDeprecatedEnabled_36() { + Provider conscryptProvider = TestUtils.getConscryptProvider(true, true); + assertTrue(TestUtils.isTlsV1Deprecated()); + assertFalse(TestUtils.isTlsV1Filtered()); + assertTrue(TestUtils.isTlsV1Supported()); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + public void testInitializeDeprecatedDisabled_34() { + Provider conscryptProvider = TestUtils.getConscryptProvider(true, false); + 
assertTrue(TestUtils.isTlsV1Deprecated()); + assertTrue(TestUtils.isTlsV1Filtered()); + assertFalse(TestUtils.isTlsV1Supported()); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + public void testInitializeDeprecatedDisabled_36() { + Provider conscryptProvider = TestUtils.getConscryptProvider(true, false); + assertTrue(TestUtils.isTlsV1Deprecated()); + assertFalse(TestUtils.isTlsV1Filtered()); + assertFalse(TestUtils.isTlsV1Supported()); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + public void testInitializeUndeprecatedEnabled_34() { + Provider conscryptProvider = TestUtils.getConscryptProvider(false, true); + assertFalse(TestUtils.isTlsV1Deprecated()); + assertFalse(TestUtils.isTlsV1Filtered()); + assertTrue(TestUtils.isTlsV1Supported()); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + public void testInitializeUndeprecatedEnabled_36() { + Provider conscryptProvider = TestUtils.getConscryptProvider(false, true); + assertFalse(TestUtils.isTlsV1Deprecated()); + assertFalse(TestUtils.isTlsV1Filtered()); + assertTrue(TestUtils.isTlsV1Supported()); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + public void testInitializeUndeprecatedDisabled_34() { + assertThrows(RuntimeException.class, () -> TestUtils.getConscryptProvider(false, false)); + } + + @Test + @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + public void testInitializeUndeprecatedDisabled_36() { + assertThrows(RuntimeException.class, () -> TestUtils.getConscryptProvider(false, false)); + } } \ No newline at end of file diff --git a/testing/src/main/java/org/conscrypt/TestUtils.java b/testing/src/main/java/org/conscrypt/TestUtils.java index c6e6e22ff..86967a004 100644 --- a/testing/src/main/java/org/conscrypt/TestUtils.java +++ b/testing/src/main/java/org/conscrypt/TestUtils.java 
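Review bot: The `testInitialize*` tests build a provider through `TestUtils.getConscryptProvider(deprecated, enabled)`, which (per the OpenSSLProvider hunk) calls `Platform.setup` and overwrites the process-wide TLSv1 flags, but nothing restores them; under JUnit 4's unspecified method order, `test_TLSv1Filtered_34`'s `assertTrue(TestUtils.isTlsV1Filtered())` fails if `testInitializeDeprecatedEnabled_34` ran first. Add `@After public void resetTlsV1Flags() { TestUtils.getConscryptProvider(true, false); }` to restore the strict default after each test. `assertThrows(RuntimeException.class, ...)` in the `UndeprecatedDisabled` tests is satisfied by any reflective failure that `TestUtils` wraps, not only by the constructor's `IllegalArgumentException`; capture the exception, walk `getCause()` to the root, and assert it is an `IllegalArgumentException`. The `Provider conscryptProvider` locals are unused.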
@@ -234,24 +234,33 @@ public static InetAddress getLoopbackAddress() { } } - public static Provider getConscryptProvider() { + public static Provider getConscryptProvider(boolean isTlsV1Deprecated, + boolean isTlsV1Enabled) { try { String defaultName = (String) conscryptClass("Platform") .getDeclaredMethod("getDefaultProviderName") .invoke(null); - Constructor c = conscryptClass("OpenSSLProvider") - .getDeclaredConstructor(String.class, Boolean.TYPE, String.class); + Constructor c = + conscryptClass("OpenSSLProvider") + .getDeclaredConstructor(String.class, Boolean.TYPE, + String.class, Boolean.TYPE, Boolean.TYPE); if (!isClassAvailable("javax.net.ssl.X509ExtendedTrustManager")) { - return (Provider) c.newInstance(defaultName, false, "TLSv1.3"); + return (Provider) c.newInstance(defaultName, false, "TLSv1.3", + isTlsV1Deprecated, isTlsV1Enabled); } else { - return (Provider) c.newInstance(defaultName, true, "TLSv1.3"); + return (Provider) c.newInstance(defaultName, true, "TLSv1.3", + isTlsV1Deprecated, isTlsV1Enabled); } } catch (Exception e) { throw new RuntimeException(e); } } + public static Provider getConscryptProvider() { + return getConscryptProvider(true, false); + } + public static synchronized void installConscryptAsDefaultProvider() { Provider conscryptProvider = getConscryptProvider(); Provider[] providers = Security.getProviders(); From 7a1f5e58a8da53752f0a1db56830664fca4d7468 Mon Sep 17 00:00:00 2001 
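Review bot: `getConscryptProvider(boolean, boolean)` wraps every failure from the reflective `newInstance` in `new RuntimeException(e)`, so the `IllegalArgumentException` thrown by the `OpenSSLProvider` constructor for the `(false, false)` combination reaches callers two causes deep (inside an `InvocationTargetException`), which is why the tests can only assert `RuntimeException.class`; adding `catch (InvocationTargetException e) { throw new RuntimeException(e.getCause()); }` before the generic catch lets tests check the real cause. A Javadoc on the new overload should warn that constructing the provider reconfigures the process-global TLSv1 flags for the rest of the JVM, since `installConscryptAsDefaultProvider()` (which begins in this hunk and continues outside it) and every helper that calls it now share that state. The no-arg `getConscryptProvider()` keeping the strict `(true, false)` default is the right choice.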
From: Miguel Aranda Date: Thu, 21 Nov 2024 15:07:16 +0000 Subject: [PATCH 4/5] Revert^4 "Add support for enabling/disabling TLS v1.0 and 1.1 in Conscrypt." This reverts commit 5ae7b5c2f272365d13c9ff3ba0c7a682375dc1d8. Reason for revert: fixed the failures by checking that API levels are not higher than a 100, and bumped API level check to 36 because I noticed that this version of using reflection is more resilient than the previous one. Change-Id: I42fcb922e046072eea0fa5aee07c513233d2b1e9 --- .../SSLSocketVersionCompatibilityTest.java | 30 ------------------- .../org/conscrypt/TlsDeprecationTest.java | 30 +++++++++---------- 2 files changed, 14 insertions(+), 46 deletions(-) diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java index a05746f40..84d4af44c 100644 --- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java +++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java @@ -1837,22 +1837,6 @@ public void test_SSLSocket_TLSv1Supported() throws Exception { } } -// @TargetSdkVersion(35) - @Test - public void test_SSLSocket_SSLv3Unsupported_35() throws Exception { - assumeFalse(isTlsV1Filtered()); - TestSSLContext context = new TestSSLContext.Builder() - .clientProtocol(clientVersion) - .serverProtocol(serverVersion) - .build(); - final SSLSocket client = - (SSLSocket) context.clientContext.getSocketFactory().createSocket(); - assertThrows(IllegalArgumentException.class, - () -> client.setEnabledProtocols(new String[] {"SSLv3"})); - assertThrows(IllegalArgumentException.class, - () -> client.setEnabledProtocols(new String[] {"SSL"})); - } - // @TargetSdkVersion(34) @Test @Ignore("For platform CTS only") 
@@ -1889,20 +1873,6 @@ public void test_TLSv1Filtered_34() throws Exception { assertEquals("TLSv1.2", client.getEnabledProtocols()[0]); } -// @TargetSdkVersion(35) - @Test - public void test_TLSv1Filtered_35() throws Exception { - assumeTrue(isTlsV1Filtered()); - TestSSLContext context = new TestSSLContext.Builder() - .clientProtocol(clientVersion) - .serverProtocol(serverVersion) - .build(); - final SSLSocket client = - (SSLSocket) context.clientContext.getSocketFactory().createSocket(); - assertThrows(IllegalArgumentException.class, () -> - client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"})); - } - @Test public void test_TLSv1Unsupported_notEnabled() { assumeTrue(!isTlsV1Supported()); diff --git a/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java b/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java index ca36e0ad7..a04788625 100644 --- a/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java +++ b/platform/src/test/java/org/conscrypt/TlsDeprecationTest.java @@ -37,11 +37,9 @@ @RunWith(JUnit4.class) public class TlsDeprecationTest { - @Rule - public final TestRule switchTargetSdkVersionRule = SwitchTargetSdkVersionRule.getInstance(); @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + @TargetSdkVersion(36) public void test_SSLSocket_SSLv3Unsupported_36() throws Exception { assertFalse(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); @@ -52,7 +50,7 @@ public void test_SSLSocket_SSLv3Unsupported_36() throws Exception { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + @TargetSdkVersion(34) public void test_SSLSocket_SSLv3Unsupported_34() throws Exception { assertTrue(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); 
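Review bot: Removing the `@Rule switchTargetSdkVersionRule` leaves the `@TargetSdkVersion(36)`/`(34)` annotations with nothing visible that applies them; in plain JUnit 4 an annotation without its rule is inert, in which case `assertFalse(TestUtils.isTlsV1Filtered())` at the top of `test_SSLSocket_SSLv3Unsupported_36` would depend on the process's real target SDK and pass or fail by accident. If the CTS/platform test runner installs `SwitchTargetSdkVersionRule` globally (not visible here), a class-level comment such as `// @TargetSdkVersion is honoured by the platform test runner; no explicit @Rule is needed` would stop the next reader from re-adding it. The `org.junit.rules.TestRule` and `org.junit.Rule` imports added in the previous patch appear unused after this hunk (the import block is not shown).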
@@ -65,7 +63,7 @@ public void test_SSLSocket_SSLv3Unsupported_34() throws Exception { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + @TargetSdkVersion(34) public void test_TLSv1Filtered_34() throws Exception { assertTrue(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); @@ -77,7 +75,7 @@ public void test_TLSv1Filtered_34() throws Exception { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + @TargetSdkVersion(34) public void test_TLSv1FilteredEmpty_34() throws Exception { assertTrue(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); @@ -88,7 +86,7 @@ public void test_TLSv1FilteredEmpty_34() throws Exception { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + @TargetSdkVersion(36) public void test_TLSv1Filtered_36() throws Exception { assertFalse(TestUtils.isTlsV1Filtered()); TestSSLContext context = TestSSLContext.create(); @@ -99,7 +97,7 @@ public void test_TLSv1Filtered_36() throws Exception { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + @TargetSdkVersion(34) public void testInitializeDeprecatedEnabled_34() { Provider conscryptProvider = TestUtils.getConscryptProvider(true, true); assertTrue(TestUtils.isTlsV1Deprecated()); @@ -108,7 +106,7 @@ public void testInitializeDeprecatedEnabled_34() { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + @TargetSdkVersion(36) public void testInitializeDeprecatedEnabled_36() { Provider conscryptProvider = TestUtils.getConscryptProvider(true, true); assertTrue(TestUtils.isTlsV1Deprecated()); @@ -117,7 +115,7 @@ public void testInitializeDeprecatedEnabled_36() { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + @TargetSdkVersion(34) public void testInitializeDeprecatedDisabled_34() { Provider conscryptProvider = TestUtils.getConscryptProvider(true, false); assertTrue(TestUtils.isTlsV1Deprecated()); 
@@ -126,7 +124,7 @@ public void testInitializeDeprecatedDisabled_34() { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + @TargetSdkVersion(36) public void testInitializeDeprecatedDisabled_36() { Provider conscryptProvider = TestUtils.getConscryptProvider(true, false); assertTrue(TestUtils.isTlsV1Deprecated()); @@ -135,7 +133,7 @@ public void testInitializeDeprecatedDisabled_36() { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + @TargetSdkVersion(34) public void testInitializeUndeprecatedEnabled_34() { Provider conscryptProvider = TestUtils.getConscryptProvider(false, true); assertFalse(TestUtils.isTlsV1Deprecated()); @@ -144,7 +142,7 @@ public void testInitializeUndeprecatedEnabled_34() { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + @TargetSdkVersion(36) public void testInitializeUndeprecatedEnabled_36() { Provider conscryptProvider = TestUtils.getConscryptProvider(false, true); assertFalse(TestUtils.isTlsV1Deprecated()); @@ -153,14 +151,14 @@ public void testInitializeUndeprecatedEnabled_36() { } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(34) + @TargetSdkVersion(34) public void testInitializeUndeprecatedDisabled_34() { assertThrows(RuntimeException.class, () -> TestUtils.getConscryptProvider(false, false)); } @Test - @SwitchTargetSdkVersionRule.TargetSdkVersion(36) + @TargetSdkVersion(36) public void testInitializeUndeprecatedDisabled_36() { assertThrows(RuntimeException.class, () -> TestUtils.getConscryptProvider(false, false)); } -} \ No newline at end of file +} From c00a3a145382f4d782d8bb6f6f47a50926e468dd Mon Sep 17 00:00:00 2001 
From: Miguel Aranda Date: Thu, 21 Nov 2024 15:07:16 +0000 Subject: [PATCH 5/5] Revert^4 "Add support for enabling/disabling TLS v1.0 and 1.1 in Conscrypt." This reverts commit 5ae7b5c2f272365d13c9ff3ba0c7a682375dc1d8. Reason for revert: fixed the failures by checking that API levels are not higher than a 100, and bumped API level check to 36 because I noticed that this version of using reflection is more resilient than the previous one. Change-Id: I42fcb922e046072eea0fa5aee07c513233d2b1e9 --- openjdk/src/test/java/org/conscrypt/ConscryptSocketTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptSocketTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptSocketTest.java index fbd041dee..cd83a8435 100644 --- a/openjdk/src/test/java/org/conscrypt/ConscryptSocketTest.java +++ b/openjdk/src/test/java/org/conscrypt/ConscryptSocketTest.java @@ -663,7 +663,7 @@ public AbstractConscryptSocket createSocket(ServerSocket listener) throws IOExce + ": " + connection.clientException.getMessage(), connection.clientException instanceof SSLHandshakeException); assertTrue( - connection.clientException.getMessage().contains("SSLv3 is no longer supported")); + connection.clientException.getMessage().contains("SSLv3")); assertTrue("Expected SSLHandshakeException, but got " + connection.serverException.getClass().getSimpleName() + ": " + connection.serverException.getMessage(),
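Review bot: Loosening the check to `contains("SSLv3")` lets the assertion pass for any client exception whose message merely mentions the protocol, so it no longer proves the handshake was refused because SSLv3 is unsupported, and unlike the neighbouring `assertTrue(message, condition)` calls it still reports nothing useful when it fails; a null message would also surface as a NullPointerException rather than an assertion failure. The commit description suggests the wording differs between versions, so if only the protocol name is stable I would at least capture and report the message: `String msg = connection.clientException.getMessage();` / `assertNotNull("client exception has no message", msg);` / `assertTrue("Unexpected client exception message: " + msg, msg.contains("SSLv3"));`. A short comment above the assertion recording which message variants are known and why only the protocol name is matched would keep the next maintainer from tightening it back. The enclosing method starts before and continues after this hunk.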
