Spake #1275

Closed
wants to merge 7 commits into from
Closed

Revert^4 "Add support for enabling/disabling TLS v1.0 and 1.1 in Conscrypt."

This reverts commit 5ae7b5c2f272365d13c9ff3ba0c7a682375dc1d8.

Reason for revert: fixed the failures by checking that API levels are not higher than 100, and bumped the API level check to 36, because I noticed that this version of using reflection is more resilient than the previous one.

Change-Id: I42fcb922e046072eea0fa5aee07c513233d2b1e9
miguelaranda0 committed Dec 10, 2024

commit 8f4e2be393f901697b9edc99f5cae8d62230df3b
18 changes: 14 additions & 4 deletions android/src/main/java/org/conscrypt/Platform.java
@@ -69,16 +69,21 @@
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509TrustManager;
import org.conscrypt.NativeCrypto;

/**
* Platform-specific methods for unbundled Android.
*/
@Internal
final public class Platform {
private static final String TAG = "Conscrypt";
static boolean DEPRECATED_TLS_V1 = true;
static boolean ENABLED_TLS_V1 = false;
private static boolean FILTERED_TLS_V1 = true;

private static Method m_getCurveName;
static {
NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
try {
m_getCurveName = ECParameterSpec.class.getDeclaredMethod("getCurveName");
m_getCurveName.setAccessible(true);
@@ -89,7 +94,12 @@ final public class Platform {

private Platform() {}

public static void setup() {}
public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) {
DEPRECATED_TLS_V1 = deprecatedTlsV1;
ENABLED_TLS_V1 = enabledTlsV1;
FILTERED_TLS_V1 = !enabledTlsV1;
NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
}

/**
* Default name used in the {@link java.security.Security JCE system} by {@code OpenSSLProvider}
@@ -955,14 +965,14 @@ public static boolean isJavaxCertificateSupported() {
}

public static boolean isTlsV1Deprecated() {
return true;
return DEPRECATED_TLS_V1;
}

public static boolean isTlsV1Filtered() {
return false;
return FILTERED_TLS_V1;
}

public static boolean isTlsV1Supported() {
return false;
return ENABLED_TLS_V1;
}
}
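Review bot: `setup(boolean deprecatedTlsV1, boolean enabledTlsV1)` overwrites the process-wide `DEPRECATED_TLS_V1`/`ENABLED_TLS_V1`/`FILTERED_TLS_V1` statics on every call, so constructing a second `OpenSSLProvider` with different settings silently changes what `isTlsV1Deprecated()` and `isTlsV1Filtered()` report for contexts already created by the first, and the fields are plain non-volatile statics written without synchronization. The no-arg `setup()` is removed rather than kept as a delegating overload, which breaks any caller outside this diff; `public static void setup() { setup(DEPRECATED_TLS_V1, ENABLED_TLS_V1); }` would preserve it. The `import org.conscrypt.NativeCrypto;` added in the first hunk is redundant because this class is already in package `org.conscrypt` (the same applies to the openjdk and platform variants in this commit). At minimum the semantics deserve a Javadoc on the method: `/** Applies the TLSv1 policy process-wide; the last call wins and affects every existing provider instance. */`.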
17 changes: 16 additions & 1 deletion common/src/main/java/org/conscrypt/Conscrypt.java
@@ -160,6 +160,8 @@ public static class ProviderBuilder {
private String name = Platform.getDefaultProviderName();
private boolean provideTrustManager = Platform.provideTrustManagerByDefault();
private String defaultTlsProtocol = NativeCrypto.SUPPORTED_PROTOCOL_TLSV1_3;
private boolean deprecatedTlsV1 = true;
private boolean enabledTlsV1 = false;

private ProviderBuilder() {}

@@ -200,8 +202,21 @@ public ProviderBuilder defaultTlsProtocol(String defaultTlsProtocol) {
return this;
}

/** Specifies whether TLS v1.0 and 1.1 should be deprecated */
public ProviderBuilder isTlsV1Deprecated(boolean deprecatedTlsV1) {
this.deprecatedTlsV1 = deprecatedTlsV1;
return this;
}

/** Specifies whether TLS v1.0 and 1.1 should be enabled */
public ProviderBuilder isTlsV1Enabled(boolean enabledTlsV1) {
this.enabledTlsV1 = enabledTlsV1;
return this;
}

public Provider build() {
return new OpenSSLProvider(name, provideTrustManager, defaultTlsProtocol);
return new OpenSSLProvider(name, provideTrustManager,
defaultTlsProtocol, deprecatedTlsV1, enabledTlsV1);
}
}
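Review bot: `build()` now forwards `deprecatedTlsV1`/`enabledTlsV1` to a constructor that, per the `OpenSSLProvider` change in this commit, throws `IllegalArgumentException` when both are false, yet nothing in the builder's Javadoc says so, and the new setters are named like getters (`isTlsV1Deprecated`, `isTlsV1Enabled`), which reads oddly in a fluent builder next to `defaultTlsProtocol(...)`. I would document the constraint where it surfaces, on `build()`: `@throws IllegalArgumentException if TLSv1 was marked neither deprecated nor enabled`, and note on each setter that the two flags are validated together at build time. If the names can still change, `tlsV1Deprecated(boolean)`/`tlsV1Enabled(boolean)` would match the existing builder style. `ProviderBuilder` starts and ends outside the hunks shown.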

59 changes: 35 additions & 24 deletions common/src/main/java/org/conscrypt/NativeCrypto.java
@@ -1025,29 +1025,48 @@ static native void SSL_set_client_CA_list(long ssl, NativeSsl ssl_holder, byte[]

static native void set_SSL_psk_server_callback_enabled(long ssl, NativeSsl ssl_holder, boolean enabled);

private static final String[] ENABLED_PROTOCOLS_TLSV1 = Platform.isTlsV1Deprecated()
? new String[0]
: new String[] {
public static void setTlsV1DeprecationStatus(boolean deprecated, boolean supported) {
if (deprecated) {
TLSV12_PROTOCOLS = new String[] {
SUPPORTED_PROTOCOL_TLSV1_2,
};
TLSV13_PROTOCOLS = new String[] {
SUPPORTED_PROTOCOL_TLSV1_2,
SUPPORTED_PROTOCOL_TLSV1_3,
};
} else {
TLSV12_PROTOCOLS = new String[] {
DEPRECATED_PROTOCOL_TLSV1,
DEPRECATED_PROTOCOL_TLSV1_1,
SUPPORTED_PROTOCOL_TLSV1_2,
};

private static final String[] SUPPORTED_PROTOCOLS_TLSV1 = Platform.isTlsV1Supported()
? new String[] {
TLSV13_PROTOCOLS = new String[] {
DEPRECATED_PROTOCOL_TLSV1,
DEPRECATED_PROTOCOL_TLSV1_1,
} : new String[0];
SUPPORTED_PROTOCOL_TLSV1_2,
SUPPORTED_PROTOCOL_TLSV1_3,
};
}
if (supported) {
SUPPORTED_PROTOCOLS = new String[] {
DEPRECATED_PROTOCOL_TLSV1,
DEPRECATED_PROTOCOL_TLSV1_1,
SUPPORTED_PROTOCOL_TLSV1_2,
SUPPORTED_PROTOCOL_TLSV1_3,
};
} else {
SUPPORTED_PROTOCOLS = new String[] {
SUPPORTED_PROTOCOL_TLSV1_2,
SUPPORTED_PROTOCOL_TLSV1_3,
};
}
}

/** Protocols to enable by default when "TLSv1.3" is requested. */
static final String[] TLSV13_PROTOCOLS = ArrayUtils.concatValues(
ENABLED_PROTOCOLS_TLSV1,
SUPPORTED_PROTOCOL_TLSV1_2,
SUPPORTED_PROTOCOL_TLSV1_3);
static String[] TLSV13_PROTOCOLS;

/** Protocols to enable by default when "TLSv1.2" is requested. */
static final String[] TLSV12_PROTOCOLS = ArrayUtils.concatValues(
ENABLED_PROTOCOLS_TLSV1,
SUPPORTED_PROTOCOL_TLSV1_2);
static String[] TLSV12_PROTOCOLS;

/** Protocols to enable by default when "TLSv1.1" is requested. */
static final String[] TLSV11_PROTOCOLS = new String[] {
@@ -1059,20 +1078,12 @@ static native void SSL_set_client_CA_list(long ssl, NativeSsl ssl_holder, byte[]
/** Protocols to enable by default when "TLSv1" is requested. */
static final String[] TLSV1_PROTOCOLS = TLSV11_PROTOCOLS;

static final String[] DEFAULT_PROTOCOLS = TLSV13_PROTOCOLS;

// If we ever get a new protocol go look for tests which are skipped using
// assumeTlsV11Enabled()
private static final String[] SUPPORTED_PROTOCOLS = ArrayUtils.concatValues(
SUPPORTED_PROTOCOLS_TLSV1,
SUPPORTED_PROTOCOL_TLSV1_2,
SUPPORTED_PROTOCOL_TLSV1_3);
private static String[] SUPPORTED_PROTOCOLS;

public static String[] getDefaultProtocols() {
if (Platform.isTlsV1Deprecated()) {
return DEFAULT_PROTOCOLS.clone();
}
return SUPPORTED_PROTOCOLS.clone();
return TLSV13_PROTOCOLS.clone();
}

static String[] getSupportedProtocols() {
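Review bot: `setTlsV1DeprecationStatus` is `public static` and reassigns the now non-final, non-volatile `TLSV12_PROTOCOLS`, `TLSV13_PROTOCOLS` and `SUPPORTED_PROTOCOLS` arrays without synchronization, so any code in the process can re-enable TLS 1.0/1.1 in `getDefaultProtocols()` without passing the `OpenSSLProvider` validation, and a concurrent reader can observe a half-applied update because the three arrays are written in separate statements. Its only callers in this commit are the three `Platform` classes in the same package, so `static void setTlsV1DeprecationStatus(boolean deprecated, boolean supported) {` would suffice. Until the first call these fields are `null`, so `getDefaultProtocols()` throws `NullPointerException` if `NativeCrypto` is used before a `Platform` class has initialized; I cannot tell from the hunk whether class-initialization order guarantees that. The parameter is named `supported` here but `enabledTlsV1` everywhere else, and a Javadoc naming the three arrays the method rewrites would help; `getSupportedProtocols()` continues past the hunk.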
18 changes: 15 additions & 3 deletions common/src/main/java/org/conscrypt/OpenSSLProvider.java
@@ -51,17 +51,29 @@ public OpenSSLProvider() {

@SuppressWarnings("deprecation")
public OpenSSLProvider(String providerName) {
this(providerName, Platform.provideTrustManagerByDefault(), "TLSv1.3");
this(providerName, Platform.provideTrustManagerByDefault(), "TLSv1.3",
Platform.DEPRECATED_TLS_V1, Platform.ENABLED_TLS_V1);
}

OpenSSLProvider(String providerName, boolean includeTrustManager, String defaultTlsProtocol) {
OpenSSLProvider(String providerName, boolean includeTrustManager,
String defaultTlsProtocol) {
this(providerName, includeTrustManager, defaultTlsProtocol,
Platform.DEPRECATED_TLS_V1, Platform.ENABLED_TLS_V1);
}

OpenSSLProvider(String providerName, boolean includeTrustManager,
String defaultTlsProtocol, boolean deprecatedTlsV1,
boolean enabledTlsV1) {
super(providerName, 1.0, "Android's OpenSSL-backed security provider");

// Ensure that the native library has been loaded.
NativeCrypto.checkAvailability();

if (!deprecatedTlsV1 && !enabledTlsV1) {
throw new IllegalArgumentException("TLSv1 is not deprecated and cannot be disabled.");
}
// Make sure the platform is initialized.
Platform.setup();
Platform.setup(deprecatedTlsV1, enabledTlsV1);

/* === SSL Contexts === */
String classOpenSSLContextImpl = PREFIX + "OpenSSLContextImpl";
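Review bot: the comment `// Make sure the platform is initialized.` above `Platform.setup(deprecatedTlsV1, enabledTlsV1);` is now stale: per the `Platform` changes in this commit the call writes this instance's flags into process-wide statics, so a later provider constructed with different flags changes the behavior of earlier ones. I would reword it to `// Applies this provider's TLSv1 policy process-wide; a later provider with different flags overrides it.`. The message `"TLSv1 is not deprecated and cannot be disabled."` is hard to parse; `"TLSv1 must be either deprecated or enabled (deprecatedTlsV1=false with enabledTlsV1=false is not allowed)"` states the rejected combination directly. The new constructors deserve `@param` Javadoc for `deprecatedTlsV1` and `enabledTlsV1` and an `@throws IllegalArgumentException` on the five-argument one; the constructor body continues past the hunk.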
19 changes: 14 additions & 5 deletions openjdk/src/main/java/org/conscrypt/Platform.java
@@ -84,6 +84,7 @@
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.conscrypt.NativeCrypto;

/**
* Platform-specific methods for OpenJDK.
@@ -94,9 +95,12 @@
final public class Platform {
private static final int JAVA_VERSION = javaVersion0();
private static final Method GET_CURVE_NAME_METHOD;
static boolean DEPRECATED_TLS_V1 = true;
static boolean ENABLED_TLS_V1 = false;
private static boolean FILTERED_TLS_V1 = true;

static {

NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
Method getCurveNameMethod = null;
try {
getCurveNameMethod = ECParameterSpec.class.getDeclaredMethod("getCurveName");
@@ -109,7 +113,12 @@ final public class Platform {

private Platform() {}

static void setup() {}
public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) {
DEPRECATED_TLS_V1 = deprecatedTlsV1;
ENABLED_TLS_V1 = enabledTlsV1;
FILTERED_TLS_V1 = !enabledTlsV1;
NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
}


/**
@@ -839,14 +848,14 @@ public static boolean isJavaxCertificateSupported() {
}

public static boolean isTlsV1Deprecated() {
return true;
return DEPRECATED_TLS_V1;
}

public static boolean isTlsV1Filtered() {
return false;
return FILTERED_TLS_V1;
}

public static boolean isTlsV1Supported() {
return true;
return ENABLED_TLS_V1;
}
}
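Review bot: `isTlsV1Supported()` now returns `ENABLED_TLS_V1`, whose default is `false`, whereas the line it replaces (`return true;`, if I read the old/new order correctly) answered `true`, so on OpenJDK the default flips unless every provider is built with `isTlsV1Enabled(true)`; the commit message only mentions the Android API-level fix, so this default change should be called out or the default chosen to preserve it. `setup` is widened from package-private `static void setup()` to `public static void setup(boolean, boolean)`; `OpenSSLProvider` lives in the same package, so `static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) {` would keep the TLSv1 policy from being changed by arbitrary callers. As in the Android variant, the flags are plain non-volatile statics and `import org.conscrypt.NativeCrypto;` is redundant inside package `org.conscrypt`.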
46 changes: 29 additions & 17 deletions platform/src/main/java/org/conscrypt/Platform.java
@@ -75,18 +75,30 @@
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

import libcore.net.NetworkSecurityPolicy;
import org.conscrypt.NativeCrypto;
import sun.security.x509.AlgorithmId;

@Internal
final public class Platform {
private static class NoPreloadHolder { public static final Platform MAPPER = new Platform(); }
static boolean DEPRECATED_TLS_V1 = true;
static boolean ENABLED_TLS_V1 = false;
private static boolean FILTERED_TLS_V1 = true;

static {
NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
}

/**
* Runs all the setup for the platform that only needs to run once.
*/
public static void setup() {
public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) {
DEPRECATED_TLS_V1 = deprecatedTlsV1;
ENABLED_TLS_V1 = enabledTlsV1;
FILTERED_TLS_V1 = !enabledTlsV1;
NoPreloadHolder.MAPPER.ping();
NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
}

/**
@@ -552,34 +564,34 @@ public static boolean isJavaxCertificateSupported() {
}

public static boolean isTlsV1Deprecated() {
return true;
return DEPRECATED_TLS_V1;
}

public static boolean isTlsV1Filtered() {
Object targetSdkVersion = getTargetSdkVersion();
if ((targetSdkVersion != null) && ((int) targetSdkVersion > 34))
if ((targetSdkVersion != null) && ((int) targetSdkVersion > 35)
&& ((int) targetSdkVersion < 100))
return false;
return true;
return FILTERED_TLS_V1;
}

public static boolean isTlsV1Supported() {
return false;
return ENABLED_TLS_V1;
}

static Object getTargetSdkVersion() {
try {
Class<?> vmRuntime = Class.forName("dalvik.system.VMRuntime");
if (vmRuntime == null) {
return null;
}
OptionalMethod getSdkVersion =
new OptionalMethod(vmRuntime,
"getTargetSdkVersion");
return getSdkVersion.invokeStatic();
} catch (ClassNotFoundException e) {
return null;
} catch (NullPointerException e) {
Class<?> vmRuntimeClass = Class.forName("dalvik.system.VMRuntime");
Method getRuntimeMethod = vmRuntimeClass.getDeclaredMethod("getRuntime");
Method getTargetSdkVersionMethod =
vmRuntimeClass.getDeclaredMethod("getTargetSdkVersion");
Object vmRuntime = getRuntimeMethod.invoke(null);
return getTargetSdkVersionMethod.invoke(vmRuntime);
} catch (IllegalAccessException |
NullPointerException | InvocationTargetException e) {
return null;
} catch (Exception e) {
throw new RuntimeException(e);
}
}
}
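Review bot: the rewritten `getTargetSdkVersion()` changes what happens when `dalvik.system.VMRuntime` or its methods are missing: `ClassNotFoundException` previously yielded `null`, but it and `NoSuchMethodException` now fall into `catch (Exception e)` and become a `RuntimeException`, so `isTlsV1Filtered()` throws instead of falling back to `FILTERED_TLS_V1` on any runtime without that class. I would add them to the null-returning multi-catch: `} catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException | NullPointerException | InvocationTargetException e) {`. In `isTlsV1Filtered()` the `< 100` bound is a bare magic number whose purpose (per the commit message, rejecting API levels above 100) belongs in code, e.g. `private static final int MAX_REAL_SDK_VERSION = 100; // per commit message; confirm which sentinel values this excludes`, and `(int) targetSdkVersion` throws `ClassCastException` if the reflected value is not an `Integer`, which the `Object` return type does not guarantee. Catching `NullPointerException` to mask a failed reflection call is also something I would replace with an explicit null check on `vmRuntime`.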