diff options
| author | David Benjamin <davidben@google.com> | 2023-09-10 06:08:22 -0400 |
|---|---|---|
| committer | Pete Bentley <prb@google.com> | 2024-04-11 16:26:03 +0100 |
| commit | 54e1a8ba0f82c33d39797c8788b9b1529c128d58 (patch) | |
| tree | e0e71087db287a9d031c55c94d976860d789556a | |
| parent | d0aa57fc3bac8de75278baa9c062373afdba8179 (diff) | |
| download | conscrypt-54e1a8ba0f82c33d39797c8788b9b1529c128d58.tar.gz | |
Merge Conscrypt Upstream.
Re-cherry-picks CLs that were reverted as
collateral damage by https://r.android.com/2821976
Includes:
Rationalise test suite classes. (#1177)
Remove Platform.logEvent(). (#1169)
Remove Platform.wrapRsa(). (#1168)
Remove "extends TestCase" from TrustedCertificateStoreTest. (#1167)
Reset HMAC and CMAC contexts more efficiently (#1166)
Test: MTS
Change-Id: Ibcff07df6902d3cc6f927c6b8004587c20a44d37
26 files changed, 169 insertions, 614 deletions
diff --git a/android/src/main/java/org/conscrypt/Platform.java b/android/src/main/java/org/conscrypt/Platform.java index b24b1b98..1470070d 100644 --- a/android/src/main/java/org/conscrypt/Platform.java +++ b/android/src/main/java/org/conscrypt/Platform.java @@ -459,116 +459,6 @@ final class Platform { } } - /** - * Wraps an old AndroidOpenSSL key instance. This is not needed on platform - * builds since we didn't backport, so return null. This code is from - * Chromium's net/android/java/src/org/chromium/net/DefaultAndroidKeyStore.java - */ - @SuppressWarnings("LiteralClassName") - public static OpenSSLKey wrapRsaKey(PrivateKey javaKey) { - // This fixup only applies to pre-JB-MR1 - if (Build.VERSION.SDK_INT >= 17) { - return null; - } - - // First, check that this is a proper instance of OpenSSLRSAPrivateKey - // or one of its sub-classes. - Class<?> superClass; - try { - superClass = - Class.forName("org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey"); - } catch (Exception e) { - // This may happen if the target device has a completely different - // implementation of the java.security APIs, compared to vanilla - // Android. Highly unlikely, but still possible. - Log.e(TAG, "Cannot find system OpenSSLRSAPrivateKey class: " + e); - return null; - } - if (!superClass.isInstance(javaKey)) { - // This may happen if the PrivateKey was not created by the - // Conscrypt provider, which should be the default. That could happen if an - // OEM decided to implement a different default provider. Also highly unlikely. - Log.e(TAG, - "Private key is not an OpenSSLRSAPrivateKey instance, its class name is:" - + javaKey.getClass().getCanonicalName()); - return null; - } - - try { - // Use reflection to invoke the 'getOpenSSLKey()' method on - // the private key. This returns another Java object that wraps - // a native EVP_PKEY. Note that the method is final, so calling - // the superclass implementation is ok. - Method getKey = superClass.getDeclaredMethod("getOpenSSLKey"); - getKey.setAccessible(true); - Object opensslKey = null; - try { - opensslKey = getKey.invoke(javaKey); - } finally { - getKey.setAccessible(false); - } - if (opensslKey == null) { - // Bail when detecting OEM "enhancement". - Log.e(TAG, "Could not getOpenSSLKey on instance: " + javaKey.toString()); - return null; - } - - // Use reflection to invoke the 'getPkeyContext' method on the - // result of the getOpenSSLKey(). This is an 32-bit integer - // which is the address of an EVP_PKEY object. Note that this - // method these days returns a 64-bit long, but since this code - // path is used for older Android versions, it may still return - // a 32-bit int here. To be on the safe side, we cast the return - // value via Number rather than directly to Integer or Long. - Method getPkeyContext; - try { - getPkeyContext = opensslKey.getClass().getDeclaredMethod("getPkeyContext"); - } catch (Exception e) { - // Bail here too, something really not working as expected. - Log.e(TAG, "No getPkeyContext() method on OpenSSLKey member:" + e); - return null; - } - getPkeyContext.setAccessible(true); - long evp_pkey = 0; - try { - evp_pkey = ((Number) getPkeyContext.invoke(opensslKey)).longValue(); - } finally { - getPkeyContext.setAccessible(false); - } - if (evp_pkey == 0) { - // The PrivateKey is probably rotten for some reason. - Log.e(TAG, "getPkeyContext() returned null"); - return null; - } - return new OpenSSLKey(evp_pkey); - } catch (Exception e) { - Log.e(TAG, "Error during conversion of privatekey instance: " + javaKey.toString(), e); - return null; - } - } - - /** - * Logs to the system EventLog system. - */ - @SuppressWarnings("LiteralClassName") - public static void logEvent(String message) { - try { - Class<?> processClass = Class.forName("android.os.Process"); - Object processInstance = processClass.getDeclaredConstructor().newInstance(); - Method myUidMethod = processClass.getMethod("myUid", (Class[]) null); - int uid = (Integer) myUidMethod.invoke(processInstance); - - Class<?> eventLogClass = Class.forName("android.util.EventLog"); - Object eventLogInstance = eventLogClass.getDeclaredConstructor().newInstance(); - Method writeEventMethod = - eventLogClass.getMethod("writeEvent", Integer.TYPE, Object[].class); - writeEventMethod.invoke(eventLogInstance, 0x534e4554 /* SNET */, - new Object[] {"conscrypt", uid, message}); - } catch (Exception e) { - // Fail silently - } - } - static SSLEngine wrapEngine(ConscryptEngine engine) { // For now, don't wrap on Android. return engine; diff --git a/common/src/jni/main/cpp/conscrypt/native_crypto.cc b/common/src/jni/main/cpp/conscrypt/native_crypto.cc index 54625f5c..86336a95 100644 --- a/common/src/jni/main/cpp/conscrypt/native_crypto.cc +++ b/common/src/jni/main/cpp/conscrypt/native_crypto.cc @@ -4437,16 +4437,31 @@ static jbyteArray NativeCrypto_CMAC_Final(JNIEnv* env, jclass, jobject cmacCtxRe return resultArray.release(); } +static void NativeCrypto_CMAC_Reset(JNIEnv* env, jclass, jobject cmacCtxRef) { + CHECK_ERROR_QUEUE_ON_RETURN; + CMAC_CTX* cmacCtx = fromContextObject<CMAC_CTX>(env, cmacCtxRef); + JNI_TRACE("CMAC_Reset(%p)", cmacCtx); + + if (cmacCtx == nullptr) { + return; + } + + if (!CMAC_Reset(cmacCtx)) { + JNI_TRACE("CMAC_Reset(%p) => threw exception", cmacCtx); + conscrypt::jniutil::throwExceptionFromBoringSSLError(env, "CMAC_Reset"); + return; + } +} + static jlong NativeCrypto_HMAC_CTX_new(JNIEnv* env, jclass) { CHECK_ERROR_QUEUE_ON_RETURN; JNI_TRACE("HMAC_CTX_new"); - auto hmacCtx = new HMAC_CTX; + auto hmacCtx = HMAC_CTX_new(); if (hmacCtx == nullptr) { conscrypt::jniutil::throwOutOfMemory(env, "Unable to allocate HMAC_CTX"); return 0; } - HMAC_CTX_init(hmacCtx); return reinterpret_cast<jlong>(hmacCtx); } @@ -4458,8 +4473,7 @@ static void NativeCrypto_HMAC_CTX_free(JNIEnv* env, jclass, jlong hmacCtxRef) { conscrypt::jniutil::throwNullPointerException(env, "hmacCtx == null"); return; } - HMAC_CTX_cleanup(hmacCtx); - delete hmacCtx; + HMAC_CTX_free(hmacCtx); } static void NativeCrypto_HMAC_Init_ex(JNIEnv* env, jclass, jobject hmacCtxRef, jbyteArray keyArray, @@ -4566,6 +4580,24 @@ static jbyteArray NativeCrypto_HMAC_Final(JNIEnv* env, jclass, jobject hmacCtxRe return resultArray.release(); } +static void NativeCrypto_HMAC_Reset(JNIEnv* env, jclass, jobject hmacCtxRef) { + CHECK_ERROR_QUEUE_ON_RETURN; + HMAC_CTX* hmacCtx = fromContextObject<HMAC_CTX>(env, hmacCtxRef); + JNI_TRACE("HMAC_Reset(%p)", hmacCtx); + + if (hmacCtx == nullptr) { + return; + } + + // HMAC_Init_ex with all nulls will reuse the existing key. This is slightly + // more efficient than re-initializing the context with the key again. + if (!HMAC_Init_ex(hmacCtx, /*key=*/nullptr, /*key_len=*/0, /*md=*/nullptr, /*impl=*/nullptr)) { + JNI_TRACE("HMAC_Reset(%p) => threw exception", hmacCtx); + conscrypt::jniutil::throwExceptionFromBoringSSLError(env, "HMAC_Init_ex"); + return; + } +} + static void NativeCrypto_RAND_bytes(JNIEnv* env, jclass, jbyteArray output) { CHECK_ERROR_QUEUE_ON_RETURN; JNI_TRACE("NativeCrypto_RAND_bytes(%p)", output); @@ -10989,6 +11021,7 @@ static JNINativeMethod sNativeCryptoMethods[] = { CONSCRYPT_NATIVE_METHOD(CMAC_Update, "(" REF_CMAC_CTX "[BII)V"), CONSCRYPT_NATIVE_METHOD(CMAC_UpdateDirect, "(" REF_CMAC_CTX "JI)V"), CONSCRYPT_NATIVE_METHOD(CMAC_Final, "(" REF_CMAC_CTX ")[B"), + CONSCRYPT_NATIVE_METHOD(CMAC_Reset, "(" REF_CMAC_CTX ")V"), CONSCRYPT_NATIVE_METHOD(EVP_PKEY_new_RSA, "([B[B[B[B[B[B[B[B)J"), CONSCRYPT_NATIVE_METHOD(EVP_PKEY_new_EC_KEY, "(" REF_EC_GROUP REF_EC_POINT "[B)J"), CONSCRYPT_NATIVE_METHOD(EVP_PKEY_type, "(" REF_EVP_PKEY ")I"), @@ -11109,6 +11142,7 @@ static JNINativeMethod sNativeCryptoMethods[] = { CONSCRYPT_NATIVE_METHOD(HMAC_Update, "(" REF_HMAC_CTX "[BII)V"), CONSCRYPT_NATIVE_METHOD(HMAC_UpdateDirect, "(" REF_HMAC_CTX "JI)V"), CONSCRYPT_NATIVE_METHOD(HMAC_Final, "(" REF_HMAC_CTX ")[B"), + CONSCRYPT_NATIVE_METHOD(HMAC_Reset, "(" REF_HMAC_CTX ")V"), CONSCRYPT_NATIVE_METHOD(RAND_bytes, "([B)V"), CONSCRYPT_NATIVE_METHOD(create_BIO_InputStream, ("(" REF_BIO_IN_STREAM "Z)J")), CONSCRYPT_NATIVE_METHOD(create_BIO_OutputStream, "(Ljava/io/OutputStream;)J"), diff --git a/common/src/main/java/org/conscrypt/ConscryptEngine.java b/common/src/main/java/org/conscrypt/ConscryptEngine.java index bf3d1c84..a58aa73c 100644 --- a/common/src/main/java/org/conscrypt/ConscryptEngine.java +++ b/common/src/main/java/org/conscrypt/ConscryptEngine.java @@ -441,13 +441,6 @@ final class ConscryptEngine extends AbstractConscryptEngine implements NativeCry handshake(); releaseResources = false; } catch (IOException e) { - // Write CCS errors to EventLog - String message = e.getMessage(); - // Must match error reason string of SSL_R_UNEXPECTED_CCS (in ssl/ssl_err.c) - if (message.contains("unexpected CCS")) { - String logMessage = String.format("ssl_unexpected_ccs: host=%s", getPeerHost()); - Platform.logEvent(logMessage); - } closeAll(); throw SSLUtils.toSSLHandshakeException(e); } finally { diff --git a/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java b/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java index be0ec974..eeba2bbe 100644 --- a/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java +++ b/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java @@ -246,16 +246,6 @@ class ConscryptFileDescriptorSocket extends OpenSSLSocketImpl return; } } - - // Write CCS errors to EventLog - String message = e.getMessage(); - // Must match error string of SSL_R_UNEXPECTED_CCS - if (message.contains("unexpected CCS")) { - String logMessage = - String.format("ssl_unexpected_ccs: host=%s", getHostnameOrIP()); - Platform.logEvent(logMessage); - } - throw e; } diff --git a/common/src/main/java/org/conscrypt/NativeCrypto.java b/common/src/main/java/org/conscrypt/NativeCrypto.java index ff8da46a..8c5e1d57 100644 --- a/common/src/main/java/org/conscrypt/NativeCrypto.java +++ b/common/src/main/java/org/conscrypt/NativeCrypto.java @@ -369,6 +369,8 @@ public final class NativeCrypto { static native byte[] CMAC_Final(NativeRef.CMAC_CTX ctx); + static native void CMAC_Reset(NativeRef.CMAC_CTX ctx); + // --- HMAC functions ------------------------------------------------------ static native long HMAC_CTX_new(); @@ -383,6 +385,8 @@ public final class NativeCrypto { static native byte[] HMAC_Final(NativeRef.HMAC_CTX ctx); + static native void HMAC_Reset(NativeRef.HMAC_CTX ctx); + // --- HPKE functions ------------------------------------------------------ static native byte[] EVP_HPKE_CTX_export( NativeRef.EVP_HPKE_CTX ctx, byte[] exporterCtx, int length); diff --git a/common/src/main/java/org/conscrypt/OpenSSLKey.java b/common/src/main/java/org/conscrypt/OpenSSLKey.java index 6eb94f47..e5e81f7c 100644 --- a/common/src/main/java/org/conscrypt/OpenSSLKey.java +++ b/common/src/main/java/org/conscrypt/OpenSSLKey.java @@ -178,11 +178,6 @@ final class OpenSSLKey { if (key instanceof OpenSSLKeyHolder) { return ((OpenSSLKeyHolder) key).getOpenSSLKey(); } - - if ("RSA".equals(key.getAlgorithm())) { - return Platform.wrapRsaKey(key); - } - return null; } diff --git a/common/src/main/java/org/conscrypt/OpenSSLMac.java b/common/src/main/java/org/conscrypt/OpenSSLMac.java index 1bef88f4..b8f52963 100644 --- a/common/src/main/java/org/conscrypt/OpenSSLMac.java +++ b/common/src/main/java/org/conscrypt/OpenSSLMac.java @@ -20,7 +20,6 @@ import java.nio.ByteBuffer; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.Key; -import java.security.NoSuchAlgorithmException; import java.security.spec.AlgorithmParameterSpec; import javax.crypto.MacSpi; import javax.crypto.SecretKey; @@ -31,11 +30,6 @@ import javax.crypto.SecretKey; @Internal public abstract class OpenSSLMac extends MacSpi { /** - * The secret key used in this keyed MAC. - */ - protected byte[] keyBytes; - - /** * Holds the output size of the message digest. */ private final int size; @@ -53,6 +47,11 @@ public abstract class OpenSSLMac extends MacSpi { /** * Creates and initializes the relevant BoringSSL *MAC context. */ + protected abstract void initContext(byte[] keyBytes); + + /** + * Resets the context for a new operation with the same key. + */ protected abstract void resetContext(); /** @@ -76,13 +75,13 @@ public abstract class OpenSSLMac extends MacSpi { throw new InvalidAlgorithmParameterException("unknown parameter type"); } - keyBytes = key.getEncoded(); + byte[] keyBytes = key.getEncoded(); if (keyBytes == null) { throw new InvalidKeyException("key cannot be encoded"); } try { - resetContext(); + initContext(keyBytes); } catch (RuntimeException e) { throw new InvalidKeyException("invalid key", e); } @@ -164,15 +163,19 @@ public abstract class OpenSSLMac extends MacSpi { } @Override - protected void resetContext() { + protected void initContext(byte[] keyBytes) { NativeRef.HMAC_CTX ctxLocal = new NativeRef.HMAC_CTX(NativeCrypto.HMAC_CTX_new()); - if (keyBytes != null) { - NativeCrypto.HMAC_Init_ex(ctxLocal, keyBytes, evpMd); - } + NativeCrypto.HMAC_Init_ex(ctxLocal, keyBytes, evpMd); this.ctx = ctxLocal; } @Override + protected void resetContext() { + final NativeRef.HMAC_CTX ctxLocal = ctx; + NativeCrypto.HMAC_Reset(ctxLocal); + } + + @Override protected void engineUpdate(byte[] input, int offset, int len) { final NativeRef.HMAC_CTX ctxLocal = ctx; NativeCrypto.HMAC_Update(ctxLocal, input, offset, len); @@ -236,15 +239,19 @@ public abstract class OpenSSLMac extends MacSpi { } @Override - protected void resetContext() { + protected void initContext(byte[] keyBytes) { NativeRef.CMAC_CTX ctxLocal = new NativeRef.CMAC_CTX(NativeCrypto.CMAC_CTX_new()); - if (keyBytes != null) { - NativeCrypto.CMAC_Init(ctxLocal, keyBytes); - } + NativeCrypto.CMAC_Init(ctxLocal, keyBytes); this.ctx = ctxLocal; } @Override + protected void resetContext() { + final NativeRef.CMAC_CTX ctxLocal = ctx; + NativeCrypto.CMAC_Reset(ctxLocal); + } + + @Override protected void updateDirect(long ptr, int len) { final NativeRef.CMAC_CTX ctxLocal = ctx; NativeCrypto.CMAC_UpdateDirect(ctxLocal, ptr, len); diff --git a/common/src/main/java/org/conscrypt/OpenSSLRSAPrivateKey.java b/common/src/main/java/org/conscrypt/OpenSSLRSAPrivateKey.java index 6371bbbf..c7e09feb 100644 --- a/common/src/main/java/org/conscrypt/OpenSSLRSAPrivateKey.java +++ b/common/src/main/java/org/conscrypt/OpenSSLRSAPrivateKey.java @@ -96,12 +96,7 @@ class OpenSSLRSAPrivateKey implements RSAPrivateKey, OpenSSLKeyHolder { return new OpenSSLRSAPrivateKey(key, params); } - static OpenSSLKey wrapPlatformKey(RSAPrivateKey rsaPrivateKey) - throws InvalidKeyException { - OpenSSLKey wrapper = Platform.wrapRsaKey(rsaPrivateKey); - if (wrapper != null) { - return wrapper; - } + static OpenSSLKey wrapPlatformKey(RSAPrivateKey rsaPrivateKey) { return new OpenSSLKey(NativeCrypto.getRSAPrivateKeyWrapper(rsaPrivateKey, rsaPrivateKey .getModulus().toByteArray()), true); } diff --git a/common/src/test/java/org/conscrypt/ConscryptJava7Suite.java b/common/src/test/java/org/conscrypt/ConscryptJava7Suite.java deleted file mode 100644 index a400599c..00000000 --- a/common/src/test/java/org/conscrypt/ConscryptJava7Suite.java +++ /dev/null @@ -1,137 +0,0 @@ -/* - * Copyright (C) 2018 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.conscrypt; - -import static org.conscrypt.TestUtils.installConscryptAsDefaultProvider; - -import org.conscrypt.ct.CTVerifierTest; -import org.conscrypt.ct.SerializationTest; -import org.conscrypt.java.security.AlgorithmParameterGeneratorTestDH; -import org.conscrypt.java.security.AlgorithmParameterGeneratorTestDSA; -import org.conscrypt.java.security.AlgorithmParametersPSSTest; -import org.conscrypt.java.security.AlgorithmParametersTestAES; -import org.conscrypt.java.security.AlgorithmParametersTestDES; -import org.conscrypt.java.security.AlgorithmParametersTestDESede; -import org.conscrypt.java.security.AlgorithmParametersTestDH; -import org.conscrypt.java.security.AlgorithmParametersTestDSA; -import org.conscrypt.java.security.AlgorithmParametersTestEC; -import org.conscrypt.java.security.AlgorithmParametersTestGCM; -import org.conscrypt.java.security.AlgorithmParametersTestOAEP; -import org.conscrypt.java.security.KeyFactoryTestDH; -import org.conscrypt.java.security.KeyFactoryTestDSA; -import org.conscrypt.java.security.KeyFactoryTestEC; -import org.conscrypt.java.security.KeyFactoryTestRSA; -import org.conscrypt.java.security.KeyPairGeneratorTest; -import org.conscrypt.java.security.KeyPairGeneratorTestDH; -import org.conscrypt.java.security.KeyPairGeneratorTestDSA; -import org.conscrypt.java.security.KeyPairGeneratorTestRSA; -import org.conscrypt.java.security.MessageDigestTest; -import org.conscrypt.java.security.SignatureTest; -import org.conscrypt.java.security.cert.CertificateFactoryTest; -import org.conscrypt.java.security.cert.X509CRLTest; -import org.conscrypt.java.security.cert.X509CertificateTest; -import org.conscrypt.javax.crypto.AeadCipherTest; -import org.conscrypt.javax.crypto.CipherBasicsTest; -import org.conscrypt.javax.crypto.KeyGeneratorTest; -import org.conscrypt.javax.net.ssl.HttpsURLConnectionTest; -import org.conscrypt.javax.net.ssl.KeyManagerFactoryTest; -import org.conscrypt.javax.net.ssl.KeyStoreBuilderParametersTest; -import org.conscrypt.javax.net.ssl.SNIHostNameTest; -import org.conscrypt.javax.net.ssl.SSLContextTest; -import org.conscrypt.javax.net.ssl.SSLEngineTest; -import org.conscrypt.javax.net.ssl.SSLEngineVersionCompatibilityTest; -import org.conscrypt.javax.net.ssl.SSLParametersTest; -import org.conscrypt.javax.net.ssl.SSLServerSocketFactoryTest; -import org.conscrypt.javax.net.ssl.SSLServerSocketTest; -import org.conscrypt.javax.net.ssl.SSLSessionContextTest; -import org.conscrypt.javax.net.ssl.SSLSessionTest; -import org.conscrypt.javax.net.ssl.SSLSocketFactoryTest; -import org.conscrypt.javax.net.ssl.SSLSocketTest; -import org.conscrypt.javax.net.ssl.SSLSocketVersionCompatibilityTest; -import org.conscrypt.javax.net.ssl.TrustManagerFactoryTest; -import org.conscrypt.javax.net.ssl.X509KeyManagerTest; -import org.junit.BeforeClass; -import org.junit.runner.RunWith; -import org.junit.runners.Suite; - -@RunWith(Suite.class) -@Suite.SuiteClasses({ - // org.conscrypt tests - CertPinManagerTest.class, - ChainStrengthAnalyzerTest.class, - TrustManagerImplTest.class, - // org.conscrypt.ct tests - CTVerifierTest.class, - SerializationTest.class, - // java.security tests - CertificateFactoryTest.class, - X509CertificateTest.class, - X509CRLTest.class, - AlgorithmParameterGeneratorTestDH.class, - AlgorithmParameterGeneratorTestDSA.class, - AlgorithmParametersPSSTest.class, - AlgorithmParametersTestAES.class, - AlgorithmParametersTestDES.class, - AlgorithmParametersTestDESede.class, - AlgorithmParametersTestDH.class, - AlgorithmParametersTestDSA.class, - AlgorithmParametersTestEC.class, - AlgorithmParametersTestGCM.class, - AlgorithmParametersTestOAEP.class, - KeyFactoryTestDH.class, - KeyFactoryTestDSA.class, - KeyFactoryTestEC.class, - KeyFactoryTestRSA.class, - KeyPairGeneratorTest.class, - KeyPairGeneratorTestDH.class, - KeyPairGeneratorTestDSA.class, - KeyPairGeneratorTestRSA.class, - MessageDigestTest.class, - SignatureTest.class, - // javax.crypto tests - AeadCipherTest.class, - CipherBasicsTest.class, - // CipherTest.class, // Lots of weird, broken behaviors in Sun* providers on OpenJDK 7 - // ECDHKeyAgreementTest.class, // EC keys are broken on OpenJDK 7 - KeyGeneratorTest.class, - // javax.net.ssl tests - HttpsURLConnectionTest.class, - KeyManagerFactoryTest.class, - KeyStoreBuilderParametersTest.class, - SNIHostNameTest.class, - SSLContextTest.class, - SSLEngineTest.class, - SSLEngineVersionCompatibilityTest.class, - SSLParametersTest.class, - SSLServerSocketFactoryTest.class, - SSLServerSocketTest.class, - SSLSessionContextTest.class, - SSLSessionTest.class, - SSLSocketFactoryTest.class, - SSLSocketTest.class, - SSLSocketVersionCompatibilityTest.class, - TrustManagerFactoryTest.class, - X509KeyManagerTest.class, -}) -public class ConscryptJava7Suite { - - @BeforeClass - public static void setupStatic() { - installConscryptAsDefaultProvider(); - } - -} diff --git a/common/src/test/java/org/conscrypt/ConscryptSuite.java b/common/src/test/java/org/conscrypt/ConscryptSuite.java deleted file mode 100644 index c0950f26..00000000 --- a/common/src/test/java/org/conscrypt/ConscryptSuite.java +++ /dev/null @@ -1,165 +0,0 @@ -/* - * Copyright (C) 2017 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.conscrypt; - -import static org.conscrypt.TestUtils.installConscryptAsDefaultProvider; - -import org.conscrypt.ct.CTVerifierTest; -import org.conscrypt.ct.SerializationTest; -import org.conscrypt.java.security.AlgorithmParameterGeneratorTestDH; -import org.conscrypt.java.security.AlgorithmParameterGeneratorTestDSA; -import org.conscrypt.java.security.AlgorithmParametersPSSTest; -import org.conscrypt.java.security.AlgorithmParametersTestAES; -import org.conscrypt.java.security.AlgorithmParametersTestDES; -import org.conscrypt.java.security.AlgorithmParametersTestDESede; -import org.conscrypt.java.security.AlgorithmParametersTestDH; -import org.conscrypt.java.security.AlgorithmParametersTestDSA; -import org.conscrypt.java.security.AlgorithmParametersTestEC; -import org.conscrypt.java.security.AlgorithmParametersTestGCM; -import org.conscrypt.java.security.AlgorithmParametersTestOAEP; -import org.conscrypt.java.security.KeyFactoryTestDH; -import org.conscrypt.java.security.KeyFactoryTestDSA; -import org.conscrypt.java.security.KeyFactoryTestEC; -import org.conscrypt.java.security.KeyFactoryTestRSA; -import org.conscrypt.java.security.KeyFactoryTestRSACrt; -import org.conscrypt.java.security.KeyFactoryTestRSACustom; -import org.conscrypt.java.security.KeyFactoryTestXDH; -import org.conscrypt.java.security.KeyPairGeneratorTest; -import org.conscrypt.java.security.KeyPairGeneratorTestDH; -import org.conscrypt.java.security.KeyPairGeneratorTestDSA; -import org.conscrypt.java.security.KeyPairGeneratorTestRSA; -import org.conscrypt.java.security.KeyPairGeneratorTestXDH; -import org.conscrypt.java.security.MessageDigestTest; -import org.conscrypt.java.security.SignatureTest; -import org.conscrypt.java.security.cert.CertificateFactoryTest; -import org.conscrypt.java.security.cert.X509CRLTest; -import org.conscrypt.java.security.cert.X509CertificateTest; -import org.conscrypt.javax.crypto.AeadCipherTest; -import org.conscrypt.javax.crypto.CipherBasicsTest; -import org.conscrypt.javax.crypto.CipherTest; -import org.conscrypt.javax.crypto.ECDHKeyAgreementTest; -import org.conscrypt.javax.crypto.KeyGeneratorTest; -import org.conscrypt.javax.crypto.XDHKeyAgreementTest; -import org.conscrypt.javax.net.ssl.HttpsURLConnectionTest; -import org.conscrypt.javax.net.ssl.KeyManagerFactoryTest; -import org.conscrypt.javax.net.ssl.KeyStoreBuilderParametersTest; -import org.conscrypt.javax.net.ssl.SNIHostNameTest; -import org.conscrypt.javax.net.ssl.SSLContextTest; -import org.conscrypt.javax.net.ssl.SSLEngineTest; -import org.conscrypt.javax.net.ssl.SSLEngineVersionCompatibilityTest; -import org.conscrypt.javax.net.ssl.SSLParametersTest; -import org.conscrypt.javax.net.ssl.SSLServerSocketFactoryTest; -import org.conscrypt.javax.net.ssl.SSLServerSocketTest; -import org.conscrypt.javax.net.ssl.SSLSessionContextTest; -import org.conscrypt.javax.net.ssl.SSLSessionTest; -import org.conscrypt.javax.net.ssl.SSLSocketFactoryTest; -import org.conscrypt.javax.net.ssl.SSLSocketTest; -import org.conscrypt.javax.net.ssl.SSLSocketVersionCompatibilityTest; -import org.conscrypt.javax.net.ssl.TrustManagerFactoryTest; -import org.conscrypt.javax.net.ssl.X509KeyManagerTest; -import org.conscrypt.metrics.CipherSuiteTest; -import org.conscrypt.metrics.OptionalMethodTest; -import org.conscrypt.metrics.ProtocolTest; -import org.junit.BeforeClass; -import org.junit.runner.RunWith; -import org.junit.runners.Suite; - -@RunWith(Suite.class) -@Suite.SuiteClasses({ - // org.conscrypt tests - CertPinManagerTest.class, - ChainStrengthAnalyzerTest.class, - HostnameVerifierTest.class, - HpkeContextRecipientTest.class, - HpkeContextSenderTest.class, - HpkeContextTest.class, - HpkeSuiteTest.class, - HpkeTestVectorsTest.class, - NativeCryptoArgTest.class, - TrustManagerImplTest.class, - // org.conscrypt.ct tests - CTVerifierTest.class, - SerializationTest.class, - // java.security tests - CertificateFactoryTest.class, - X509CertificateTest.class, - X509CRLTest.class, - AlgorithmParameterGeneratorTestDH.class, - AlgorithmParameterGeneratorTestDSA.class, - AlgorithmParametersPSSTest.class, - AlgorithmParametersTestAES.class, - AlgorithmParametersTestDES.class, - AlgorithmParametersTestDESede.class, - AlgorithmParametersTestDH.class, - AlgorithmParametersTestDSA.class, - AlgorithmParametersTestEC.class, - AlgorithmParametersTestGCM.class, - AlgorithmParametersTestOAEP.class, - BufferUtilsTest.class, - CipherSuiteTest.class, - KeyFactoryTestDH.class, - KeyFactoryTestDSA.class, - KeyFactoryTestEC.class, - KeyFactoryTestRSA.class, - KeyFactoryTestRSACrt.class, - KeyFactoryTestRSACustom.class, - KeyFactoryTestXDH.class, - KeyPairGeneratorTest.class, - KeyPairGeneratorTestDH.class, - KeyPairGeneratorTestDSA.class, - KeyPairGeneratorTestRSA.class, - KeyPairGeneratorTestXDH.class, - MessageDigestTest.class, - SignatureTest.class, - // javax.crypto tests - AeadCipherTest.class, - CipherBasicsTest.class, - CipherTest.class, - MacTest.class, - ECDHKeyAgreementTest.class, - KeyGeneratorTest.class, - XDHKeyAgreementTest.class, - // javax.net.ssl tests - HttpsURLConnectionTest.class, - KeyManagerFactoryTest.class, - KeyStoreBuilderParametersTest.class, - OptionalMethodTest.class, - ProtocolTest.class, - SNIHostNameTest.class, - SSLContextTest.class, - SSLEngineTest.class, - SSLEngineVersionCompatibilityTest.class, - SSLParametersTest.class, - SSLServerSocketFactoryTest.class, - SSLServerSocketTest.class, - SSLSessionContextTest.class, - SSLSessionTest.class, - SSLSocketFactoryTest.class, - SSLSocketTest.class, - SSLSocketVersionCompatibilityTest.class, - TrustManagerFactoryTest.class, - VeryBasicHttpServerTest.class, - X509KeyManagerTest.class, -}) -public class ConscryptSuite { - - @BeforeClass - public static void setupStatic() { - installConscryptAsDefaultProvider(); - } - -} diff --git a/common/src/test/java/org/conscrypt/MacTest.java b/common/src/test/java/org/conscrypt/MacTest.java index 1fadbd63..b258563e 100644 --- a/common/src/test/java/org/conscrypt/MacTest.java +++ b/common/src/test/java/org/conscrypt/MacTest.java @@ -127,6 +127,11 @@ public class MacTest { macBytes = generateReusingMac(algorithm, keyBytes, msgBytes); assertArrayEquals(failMessage("Re-use Mac", baseFailMsg, macBytes), expectedBytes, macBytes); + + // Calculated using a pre-loved Mac with the same key + macBytes = generateReusingMacSameKey(algorithm, secretKey, msgBytes); + assertArrayEquals(failMessage("Re-use Mac same key", baseFailMsg, macBytes), + expectedBytes, macBytes); } } @@ -382,6 +387,19 @@ public class MacTest { return mac.doFinal(); } + private byte[] generateReusingMacSameKey(String algorithm, SecretKeySpec key, byte[] message) + throws Exception { + Mac mac = getConscryptMac(algorithm, key); + + // Calculate a MAC over some other message. + byte[] otherMessage = new byte[message.length]; + mac.doFinal(otherMessage); + + // The MAC should now have been reset to compute a new MAC with the same + // key. + return mac.doFinal(message); + } + private Mac getConscryptMac(String algorithm) throws Exception { return getConscryptMac(algorithm, null); } diff --git a/openjdk/build.gradle b/openjdk/build.gradle index 2c0adb18..af31b634 100644 --- a/openjdk/build.gradle +++ b/openjdk/build.gradle @@ -315,28 +315,12 @@ def addNativeJar(NativeBuildInfo nativeBuild) { publishing.publications.maven.artifact jarTask.get() } - -// TODO(prb) Still provide a mechanism for testing on Java 7? -// Check which version -//def javaError = new ByteArrayOutputStream() -//exec { -// executable test.executable -// System.out.println("Running tests with java executable: " + test.executable + ".") -// args = ['-version'] -// ignoreExitValue true -// errorOutput = javaError -//} -// -//def suiteClass = (javaError.toString() =~ /"1[.]7[.].*"/) ? -// "org/conscrypt/ConscryptJava7Suite.class" : "org/conscrypt/ConscryptSuite.class"; -def suiteClass = "org/conscrypt/ConscryptSuite.class"; - test { - include suiteClass, "org/conscrypt/ConscryptOpenJdkSuite.class" + include "org/conscrypt/ConscryptOpenJdkSuite.class" } def testFdSocket = tasks.register("testFdSocket", Test) { - include suiteClass, "org/conscrypt/ConscryptOpenJdkSuite.class" + include "org/conscrypt/ConscryptOpenJdkSuite.class" InvokerHelper.setProperties(testLogging, test.testLogging.properties) systemProperties = test.systemProperties systemProperty "org.conscrypt.useEngineSocketByDefault", false diff --git a/openjdk/src/main/java/org/conscrypt/Platform.java b/openjdk/src/main/java/org/conscrypt/Platform.java index c02c2456..8303a111 100644 --- a/openjdk/src/main/java/org/conscrypt/Platform.java +++ b/openjdk/src/main/java/org/conscrypt/Platform.java @@ -344,20 +344,6 @@ final class Platform { } /** - * Wraps an old AndroidOpenSSL key instance. This is not needed on RI. - */ - @SuppressWarnings("unused") - static OpenSSLKey wrapRsaKey(@SuppressWarnings("unused") PrivateKey javaKey) { - return null; - } - - /** - * Logs to the system EventLog system. - */ - @SuppressWarnings("unused") - static void logEvent(@SuppressWarnings("unused") String message) {} - - /** * For unbundled versions, SNI is always enabled by default. */ @SuppressWarnings("unused") diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java b/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java index ef8bb1e3..d5401e36 100644 --- a/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java +++ b/openjdk/src/test/java/org/conscrypt/ConscryptOpenJdkSuite.java @@ -1,3 +1,19 @@ +/* + * Copyright (C) 2023 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.conscrypt; import static org.conscrypt.TestUtils.installConscryptAsDefaultProvider; @@ -160,10 +176,8 @@ import org.junit.runners.Suite; X509KeyManagerTest.class, }) public class ConscryptOpenJdkSuite { - - @BeforeClass - public static void setupStatic() { - installConscryptAsDefaultProvider(); - } - + @BeforeClass + public static void setupStatic() { + installConscryptAsDefaultProvider(); + } } diff --git a/platform/src/main/java/org/conscrypt/Platform.java b/platform/src/main/java/org/conscrypt/Platform.java index e99e431e..7d8c7673 100644 --- a/platform/src/main/java/org/conscrypt/Platform.java +++ b/platform/src/main/java/org/conscrypt/Platform.java @@ -264,35 +264,6 @@ final class Platform { } } - /** - * Wraps an old AndroidOpenSSL key instance. This is not needed on platform - * builds since we didn't backport, so return null. - */ - static OpenSSLKey wrapRsaKey(PrivateKey key) { - return null; - } - - /** - * Logs to the system EventLog system. - */ - static void logEvent(String message) { - try { - Class processClass = Class.forName("android.os.Process"); - Object processInstance = processClass.newInstance(); - Method myUidMethod = processClass.getMethod("myUid", (Class[]) null); - int uid = (Integer) myUidMethod.invoke(processInstance); - - Class eventLogClass = Class.forName("android.util.EventLog"); - Object eventLogInstance = eventLogClass.newInstance(); - Method writeEventMethod = eventLogClass.getMethod( - "writeEvent", new Class[] {Integer.TYPE, Object[].class}); - writeEventMethod.invoke(eventLogInstance, 0x534e4554 /* SNET */, - new Object[] {"conscrypt", uid, message}); - } catch (Exception e) { - // Do not log and fail silently - } - } - static SSLEngine wrapEngine(ConscryptEngine engine) { return new Java8EngineWrapper(engine); } diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptEngine.java b/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptEngine.java index d1152b2b..46c03a9d 100644 --- a/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptEngine.java +++ b/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptEngine.java @@ -441,13 +441,6 @@ final class ConscryptEngine extends AbstractConscryptEngine implements NativeCry handshake(); releaseResources = false; } catch (IOException e) { - // Write CCS errors to EventLog - String message = e.getMessage(); - // Must match error reason string of SSL_R_UNEXPECTED_CCS (in ssl/ssl_err.c) - if (message.contains("unexpected CCS")) { - String logMessage = String.format("ssl_unexpected_ccs: host=%s", getPeerHost()); - Platform.logEvent(logMessage); - } closeAll(); throw SSLUtils.toSSLHandshakeException(e); } finally { diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptFileDescriptorSocket.java b/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptFileDescriptorSocket.java index 1724e480..72b98ef5 100644 --- a/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptFileDescriptorSocket.java +++ b/repackaged/common/src/main/java/com/android/org/conscrypt/ConscryptFileDescriptorSocket.java @@ -246,16 +246,6 @@ class ConscryptFileDescriptorSocket extends OpenSSLSocketImpl return; } } - - // Write CCS errors to EventLog - String message = e.getMessage(); - // Must match error string of SSL_R_UNEXPECTED_CCS - if (message.contains("unexpected CCS")) { - String logMessage = - String.format("ssl_unexpected_ccs: host=%s", getHostnameOrIP()); - Platform.logEvent(logMessage); - } - throw e; } diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java index 12d0f267..81906bd9 100644 --- a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java +++ b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java @@ -380,6 +380,8 @@ public final class NativeCrypto { static native byte[] CMAC_Final(NativeRef.CMAC_CTX ctx); + static native void CMAC_Reset(NativeRef.CMAC_CTX ctx); + // --- HMAC functions ------------------------------------------------------ static native long HMAC_CTX_new(); @@ -394,6 +396,8 @@ public final class NativeCrypto { static native byte[] HMAC_Final(NativeRef.HMAC_CTX ctx); + static native void HMAC_Reset(NativeRef.HMAC_CTX ctx); + // --- HPKE functions ------------------------------------------------------ static native byte[] EVP_HPKE_CTX_export( NativeRef.EVP_HPKE_CTX ctx, byte[] exporterCtx, int length); diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLKey.java b/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLKey.java index bc09c818..9034c31c 100644 --- a/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLKey.java +++ b/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLKey.java @@ -182,11 +182,6 @@ final class OpenSSLKey { if (key instanceof OpenSSLKeyHolder) { return ((OpenSSLKeyHolder) key).getOpenSSLKey(); } - - if ("RSA".equals(key.getAlgorithm())) { - return Platform.wrapRsaKey(key); - } - return null; } diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLMac.java b/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLMac.java index 7b3ee3b2..974f08f7 100644 --- a/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLMac.java +++ b/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLMac.java @@ -21,7 +21,6 @@ import java.nio.ByteBuffer; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.Key; -import java.security.NoSuchAlgorithmException; import java.security.spec.AlgorithmParameterSpec; import javax.crypto.MacSpi; import javax.crypto.SecretKey; @@ -33,11 +32,6 @@ import javax.crypto.SecretKey; @Internal public abstract class OpenSSLMac extends MacSpi { /** - * The secret key used in this keyed MAC. - */ - protected byte[] keyBytes; - - /** * Holds the output size of the message digest. */ private final int size; @@ -55,6 +49,11 @@ public abstract class OpenSSLMac extends MacSpi { /** * Creates and initializes the relevant BoringSSL *MAC context. */ + protected abstract void initContext(byte[] keyBytes); + + /** + * Resets the context for a new operation with the same key. + */ protected abstract void resetContext(); /** @@ -78,13 +77,13 @@ public abstract class OpenSSLMac extends MacSpi { throw new InvalidAlgorithmParameterException("unknown parameter type"); } - keyBytes = key.getEncoded(); + byte[] keyBytes = key.getEncoded(); if (keyBytes == null) { throw new InvalidKeyException("key cannot be encoded"); } try { - resetContext(); + initContext(keyBytes); } catch (RuntimeException e) { throw new InvalidKeyException("invalid key", e); } @@ -169,15 +168,19 @@ public abstract class OpenSSLMac extends MacSpi { } @Override - protected void resetContext() { + protected void initContext(byte[] keyBytes) { NativeRef.HMAC_CTX ctxLocal = new NativeRef.HMAC_CTX(NativeCrypto.HMAC_CTX_new()); - if (keyBytes != null) { - NativeCrypto.HMAC_Init_ex(ctxLocal, keyBytes, evpMd); - } + NativeCrypto.HMAC_Init_ex(ctxLocal, keyBytes, evpMd); this.ctx = ctxLocal; } @Override + protected void resetContext() { + final NativeRef.HMAC_CTX ctxLocal = ctx; + NativeCrypto.HMAC_Reset(ctxLocal); + } + + @Override protected void engineUpdate(byte[] input, int offset, int len) { final NativeRef.HMAC_CTX ctxLocal = ctx; NativeCrypto.HMAC_Update(ctxLocal, input, offset, len); @@ -261,15 +264,19 @@ public abstract class OpenSSLMac extends MacSpi { } @Override - protected void resetContext() { + protected void initContext(byte[] keyBytes) { NativeRef.CMAC_CTX ctxLocal = new NativeRef.CMAC_CTX(NativeCrypto.CMAC_CTX_new()); - if (keyBytes != null) { - NativeCrypto.CMAC_Init(ctxLocal, keyBytes); - } + NativeCrypto.CMAC_Init(ctxLocal, keyBytes); this.ctx = ctxLocal; } @Override + protected void resetContext() { + final NativeRef.CMAC_CTX ctxLocal = ctx; + NativeCrypto.CMAC_Reset(ctxLocal); + } + + @Override protected void updateDirect(long ptr, int len) { final NativeRef.CMAC_CTX ctxLocal = ctx; NativeCrypto.CMAC_UpdateDirect(ctxLocal, ptr, len); diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLRSAPrivateKey.java b/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLRSAPrivateKey.java index 0170d1b1..d74c0bde 100644 --- a/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLRSAPrivateKey.java +++ b/repackaged/common/src/main/java/com/android/org/conscrypt/OpenSSLRSAPrivateKey.java @@ -97,12 +97,7 @@ class OpenSSLRSAPrivateKey implements RSAPrivateKey, OpenSSLKeyHolder { return new OpenSSLRSAPrivateKey(key, params); } - static OpenSSLKey wrapPlatformKey(RSAPrivateKey rsaPrivateKey) - throws InvalidKeyException { - OpenSSLKey wrapper = Platform.wrapRsaKey(rsaPrivateKey); - if (wrapper != null) { - return wrapper; - } + static OpenSSLKey wrapPlatformKey(RSAPrivateKey rsaPrivateKey) { return new OpenSSLKey(NativeCrypto.getRSAPrivateKeyWrapper(rsaPrivateKey, rsaPrivateKey .getModulus().toByteArray()), true); } diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/MacTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/MacTest.java index d0a1c644..899343f1 100644 --- a/repackaged/common/src/test/java/com/android/org/conscrypt/MacTest.java +++ b/repackaged/common/src/test/java/com/android/org/conscrypt/MacTest.java @@ -131,6 +131,11 @@ public class MacTest { macBytes = generateReusingMac(algorithm, keyBytes, msgBytes); assertArrayEquals(failMessage("Re-use Mac", baseFailMsg, macBytes), expectedBytes, macBytes); + + // Calculated using a pre-loved Mac with the same key + macBytes = generateReusingMacSameKey(algorithm, secretKey, msgBytes); + assertArrayEquals(failMessage("Re-use Mac same key", baseFailMsg, macBytes), + expectedBytes, macBytes); } } @@ -391,6 +396,19 @@ public class MacTest { return mac.doFinal(); } + private byte[] generateReusingMacSameKey(String algorithm, SecretKeySpec key, byte[] message) + throws Exception { + Mac mac = getConscryptMac(algorithm, key); + + // Calculate a MAC over some other message. + byte[] otherMessage = new byte[message.length]; + mac.doFinal(otherMessage); + + // The MAC should now have been reset to compute a new MAC with the same + // key. + return mac.doFinal(message); + } + private Mac getConscryptMac(String algorithm) throws Exception { return getConscryptMac(algorithm, null); } diff --git a/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java b/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java index d76d7e68..9882c9d0 100644 --- a/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java +++ b/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java @@ -345,20 +345,6 @@ final class Platform { } /** - * Wraps an old AndroidOpenSSL key instance. This is not needed on RI. - */ - @SuppressWarnings("unused") - static OpenSSLKey wrapRsaKey(@SuppressWarnings("unused") PrivateKey javaKey) { - return null; - } - - /** - * Logs to the system EventLog system. - */ - @SuppressWarnings("unused") - static void logEvent(@SuppressWarnings("unused") String message) {} - - /** * For unbundled versions, SNI is always enabled by default. */ @SuppressWarnings("unused") diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptOpenJdkSuite.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptOpenJdkSuite.java index 8b0b91d5..eba53b37 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptOpenJdkSuite.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptOpenJdkSuite.java @@ -1,4 +1,20 @@ /* GENERATED SOURCE. DO NOT MODIFY. */ +/* + * Copyright (C) 2023 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package com.android.org.conscrypt; import static com.android.org.conscrypt.TestUtils.installConscryptAsDefaultProvider; diff --git a/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java b/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java index 63af3e38..a24312c4 100644 --- a/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java +++ b/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java @@ -265,35 +265,6 @@ final class Platform { } } - /** - * Wraps an old AndroidOpenSSL key instance. This is not needed on platform - * builds since we didn't backport, so return null. - */ - static OpenSSLKey wrapRsaKey(PrivateKey key) { - return null; - } - - /** - * Logs to the system EventLog system. - */ - static void logEvent(String message) { - try { - Class processClass = Class.forName("android.os.Process"); - Object processInstance = processClass.newInstance(); - Method myUidMethod = processClass.getMethod("myUid", (Class[]) null); - int uid = (Integer) myUidMethod.invoke(processInstance); - - Class eventLogClass = Class.forName("android.util.EventLog"); - Object eventLogInstance = eventLogClass.newInstance(); - Method writeEventMethod = eventLogClass.getMethod( - "writeEvent", new Class[] {Integer.TYPE, Object[].class}); - writeEventMethod.invoke(eventLogInstance, 0x534e4554 /* SNET */, - new Object[] {"conscrypt", uid, message}); - } catch (Exception e) { - // Do not log and fail silently - } - } - static SSLEngine wrapEngine(ConscryptEngine engine) { return new Java8EngineWrapper(engine); } diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java index 2c3f66dd..ca12b07b 100644 --- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java +++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java @@ -152,6 +152,7 @@ public final class StandardNames { if (!IS_RI) { provideCipherPaddings("AES", new String[] {"PKCS7Padding"}); } + if (TestUtils.isTlsV1Supported()) { provideSslContextEnabledProtocols("TLS", TLSVersion.TLSv1, TLSVersion.TLSv13); provideSslContextEnabledProtocols("TLSv1", TLSVersion.TLSv1, TLSVersion.TLSv12); |