author | Miguel Aranda <miguelaranda@google.com> | 2024-04-17 09:14:35 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2024-04-17 09:14:35 +0000 |
commit | 50d7f73168635df36461762238df8e56fcaf6fc7 (patch) | |
tree | 49f1a015f063b9ffe75ff777e35f6a0127672675 | |
parent | 139b907d631ee3c9e1b9d55da12185bd6a49b7d4 (diff) | |
parent | 724185f1ac34f0e7285d79ddbc8812e246a907a3 (diff) | |
Merge "Filter protocols when creating SSLParameterImpl" into main
6 files changed, 50 insertions, 4 deletions
diff --git a/common/src/main/java/org/conscrypt/SSLParametersImpl.java b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
index 76fb7ca8..d7e16192 100644
--- a/common/src/main/java/org/conscrypt/SSLParametersImpl.java
+++ b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
@@ -145,8 +145,19 @@ final class SSLParametersImpl implements Cloneable {
 }
 
 // initialize the list of cipher suites and protocols enabled by default
- enabledProtocols = NativeCrypto.checkEnabledProtocols(
- protocols == null ? NativeCrypto.getDefaultProtocols() : protocols).clone();
+ if (protocols == null) {
+ enabledProtocols = NativeCrypto.getDefaultProtocols().clone();
+ } else {
+ String[] filteredProtocols =
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
+ isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
+ enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
+ }
 boolean x509CipherSuitesNeeded = (x509KeyManager != null) || (x509TrustManager != null);
 boolean pskCipherSuitesNeeded = pskKeyManager != null;
 enabledCipherSuites = getDefaultCipherSuites(
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
index 40acd1b4..f24d8648 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
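Review bot: In the `else` branch of common/src/main/java/org/conscrypt/SSLParametersImpl.java, `filteredProtocols` can end up empty when `Platform.isTlsV1Supported()` is false and the caller asked only for TLSv1/TLSv1.1, and nothing in the hunk shows what `checkEnabledProtocols` or a later handshake does with an empty list. If that case is reachable, it deserves an explicit decision rather than a context that silently has no protocol enabled; at minimum a comment above the call such as `// filteredProtocols is empty if only TLSv1/TLSv1.1 were requested on a platform without them` would record it. The narrowing is also silent apart from `isEnabledProtocolsFiltered`, whose readers are outside this hunk, so it is worth confirming that a caller who requested a deprecated version can find out it was dropped. `filterFromProtocols` and the rest of the enclosing constructor are outside the hunk; the repackaged copy of this file carries the same change.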
@@ -119,6 +119,16 @@ public class SSLContextTest {
 }
 
 @Test
+ public void test_SSLContext_allProtocols() throws Exception {
+ SSLConfigurationAsserts.assertSSLContextDefaultConfiguration(SSLContext.getDefault());
+
+ for (String protocol : StandardNames.SSL_CONTEXT_PROTOCOLS_ALL) {
+ SSLContext sslContext = SSLContext.getInstance(protocol);
+ sslContext.init(null, null, null);
+ }
+ }
+
+ @Test
 public void test_SSLContext_pskOnlyConfiguration_defaultProviderOnly() throws Exception {
 // Test the scenario where only a PSKKeyManager is provided and no TrustManagers are
 // provided.
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
index 93bdc4f8..9130380f 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
@@ -146,8 +146,19 @@ final class SSLParametersImpl implements Cloneable {
 }
 
 // initialize the list of cipher suites and protocols enabled by default
- enabledProtocols = NativeCrypto.checkEnabledProtocols(
- protocols == null ? NativeCrypto.getDefaultProtocols() : protocols).clone();
+ if (protocols == null) {
+ enabledProtocols = NativeCrypto.getDefaultProtocols().clone();
+ } else {
+ String[] filteredProtocols =
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
+ isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
+ enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
+ }
 boolean x509CipherSuitesNeeded = (x509KeyManager != null) || (x509TrustManager != null);
 boolean pskCipherSuitesNeeded = pskKeyManager != null;
 enabledCipherSuites = getDefaultCipherSuites(
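Review bot: `test_SSLContext_allProtocols` in common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java only proves that `init` does not throw for each protocol name; it never inspects which protocols the resulting context enables, so the filtering this commit adds is not actually verified. An assertion inside the loop after `init`, for example `assertTrue(sslContext.getDefaultSSLParameters().getProtocols().length > 0);`, would catch a context left with nothing enabled. A further check that TLSv1 and TLSv1.1 are absent when the platform does not support them would pin the security-relevant behaviour. The repackaged copy of the test has the same gap.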
diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
index 5f382d19..fedae1f9 100644
--- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
+++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
@@ -123,6 +123,16 @@ public class SSLContextTest {
 }
 
 @Test
+ public void test_SSLContext_allProtocols() throws Exception {
+ SSLConfigurationAsserts.assertSSLContextDefaultConfiguration(SSLContext.getDefault());
+
+ for (String protocol : StandardNames.SSL_CONTEXT_PROTOCOLS_ALL) {
+ SSLContext sslContext = SSLContext.getInstance(protocol);
+ sslContext.init(null, null, null);
+ }
+ }
+
+ @Test
 public void test_SSLContext_pskOnlyConfiguration_defaultProviderOnly() throws Exception {
 // Test the scenario where only a PSKKeyManager is provided and no TrustManagers are
 // provided.
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index ca12b07b..235463ac 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -169,6 +169,8 @@ public final class StandardNames {
 }
 
 public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
+ public static final Set<String> SSL_CONTEXT_PROTOCOLS_ALL = new HashSet<String>(
+ Arrays.asList("TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
 Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index ca493e1a..4c37f5c0 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -168,6 +168,8 @@ public final class StandardNames {
 }
 
 public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
+ public static final Set<String> SSL_CONTEXT_ALL = new HashSet<String>(
+ Arrays.asList("TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
 Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>( |
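Review bot: The constant added in testing/src/main/java/org/conscrypt/java/security/StandardNames.java is named `SSL_CONTEXT_ALL`, but the new test in common/src/test reads `StandardNames.SSL_CONTEXT_PROTOCOLS_ALL` and the repackaged copy of this class defines `SSL_CONTEXT_PROTOCOLS_ALL`. Unless a constant with that name already exists elsewhere in this class (not visible in the hunk), the non-repackaged test will not compile, and the two trees have drifted apart either way. Renaming the declaration to `public static final Set<String> SSL_CONTEXT_PROTOCOLS_ALL = new HashSet<String>(` brings it in line with the test and the repackaged file.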