authorMiguel Aranda <miguelaranda@google.com>2024-04-16 16:50:35 +0000
committerMiguel Aranda <miguelaranda@google.com>2024-04-16 16:50:35 +0000
commit724185f1ac34f0e7285d79ddbc8812e246a907a3 (patch)
treeed0f07cac83beed6c6bf4b829ed8d20ec6353040
parent83f9e27dd8340517d29933bb0a0d5879da0888ee (diff)
downloadconscrypt-724185f1ac34f0e7285d79ddbc8812e246a907a3.tar.gz
Filter protocols when creating SSLParameterImpl
Change-Id: I5a61dc708eda9c6176970136c52088c9c5505829 Test: atest CtsLibcoreTestCases
-rw-r--r--common/src/main/java/org/conscrypt/SSLParametersImpl.java15
-rw-r--r--common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java10
-rw-r--r--repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java15
-rw-r--r--repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java10
-rw-r--r--repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java2
-rw-r--r--testing/src/main/java/org/conscrypt/java/security/StandardNames.java2
6 files changed, 50 insertions, 4 deletions
diff --git a/common/src/main/java/org/conscrypt/SSLParametersImpl.java b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
index 76fb7ca8..d7e16192 100644
--- a/common/src/main/java/org/conscrypt/SSLParametersImpl.java
+++ b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
@@ -145,8 +145,19 @@ final class SSLParametersImpl implements Cloneable {
}
// initialize the list of cipher suites and protocols enabled by default
- enabledProtocols = NativeCrypto.checkEnabledProtocols(
- protocols == null ? NativeCrypto.getDefaultProtocols() : protocols).clone();
+ if (protocols == null) {
+ enabledProtocols = NativeCrypto.getDefaultProtocols().clone();
+ } else {
+ String[] filteredProtocols =
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
+ isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
+ enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
+ }
boolean x509CipherSuitesNeeded = (x509KeyManager != null) || (x509TrustManager != null);
boolean pskCipherSuitesNeeded = pskKeyManager != null;
enabledCipherSuites = getDefaultCipherSuites(
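Review bot: In the new `else` branch, a caller-supplied list holding only `TLSv1`/`TLSv1.1` is filtered down to an empty array when `Platform.isTlsV1Supported()` is false. The hunk does not show whether `NativeCrypto.checkEnabledProtocols` rejects an empty array or leaves `enabledProtocols` empty, in which case the failure would only surface at handshake time. I would make that outcome explicit and document it above the branch, e.g. `// TLSv1/TLSv1.1 are dropped silently when the platform does not support them; isEnabledProtocolsFiltered records that the caller's list was narrowed.` The `protocols == null` branch also no longer passes through `checkEnabledProtocols`; that looks intentional for the built-in defaults but deserves a word in the same comment. The identical code in the repackaged copy of this file has the same gap, and the enclosing method starts and ends outside the hunk.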
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
index 40acd1b4..f24d8648 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
@@ -119,6 +119,16 @@ public class SSLContextTest {
}
@Test
+ public void test_SSLContext_allProtocols() throws Exception {
+ SSLConfigurationAsserts.assertSSLContextDefaultConfiguration(SSLContext.getDefault());
+
+ for (String protocol : StandardNames.SSL_CONTEXT_PROTOCOLS_ALL) {
+ SSLContext sslContext = SSLContext.getInstance(protocol);
+ sslContext.init(null, null, null);
+ }
+ }
+
+ @Test
public void test_SSLContext_pskOnlyConfiguration_defaultProviderOnly() throws Exception {
// Test the scenario where only a PSKKeyManager is provided and no TrustManagers are
// provided.
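Review bot: `test_SSLContext_allProtocols` only proves that `init(null, null, null)` does not throw for each name and never checks which protocols the resulting context enables. A regression that leaves deprecated versions enabled on a platform without TLSv1 support would still pass. Inside the loop I would assert on `sslContext.getDefaultSSLParameters().getProtocols()`, for example `assertFalse(protocol, Arrays.asList(enabled).contains("TLSv1"))` guarded by whatever the test harness exposes for "TLSv1 supported" (not visible here). The expected result for the `TLSv1`-only context should also be pinned, whether that is an empty list or a rejection. The same test is repeated in the repackaged copy.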
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
index 93bdc4f8..9130380f 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
@@ -146,8 +146,19 @@ final class SSLParametersImpl implements Cloneable {
}
// initialize the list of cipher suites and protocols enabled by default
- enabledProtocols = NativeCrypto.checkEnabledProtocols(
- protocols == null ? NativeCrypto.getDefaultProtocols() : protocols).clone();
+ if (protocols == null) {
+ enabledProtocols = NativeCrypto.getDefaultProtocols().clone();
+ } else {
+ String[] filteredProtocols =
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
+ isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
+ enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
+ }
boolean x509CipherSuitesNeeded = (x509KeyManager != null) || (x509TrustManager != null);
boolean pskCipherSuitesNeeded = pskKeyManager != null;
enabledCipherSuites = getDefaultCipherSuites(
diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
index 5f382d19..fedae1f9 100644
--- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
+++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
@@ -123,6 +123,16 @@ public class SSLContextTest {
}
@Test
+ public void test_SSLContext_allProtocols() throws Exception {
+ SSLConfigurationAsserts.assertSSLContextDefaultConfiguration(SSLContext.getDefault());
+
+ for (String protocol : StandardNames.SSL_CONTEXT_PROTOCOLS_ALL) {
+ SSLContext sslContext = SSLContext.getInstance(protocol);
+ sslContext.init(null, null, null);
+ }
+ }
+
+ @Test
public void test_SSLContext_pskOnlyConfiguration_defaultProviderOnly() throws Exception {
// Test the scenario where only a PSKKeyManager is provided and no TrustManagers are
// provided.
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index ca12b07b..235463ac 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -169,6 +169,8 @@ public final class StandardNames {
}
public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
+ public static final Set<String> SSL_CONTEXT_PROTOCOLS_ALL = new HashSet<String>(
+ Arrays.asList("TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index ca493e1a..4c37f5c0 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -168,6 +168,8 @@ public final class StandardNames {
}
public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
+ public static final Set<String> SSL_CONTEXT_ALL = new HashSet<String>(
+ Arrays.asList("TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
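Review bot: The constant added here is named `SSL_CONTEXT_ALL`, but the new test in `common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java` iterates `StandardNames.SSL_CONTEXT_PROTOCOLS_ALL`, and the repackaged copy of this file declares it under that longer name. Assuming the non-repackaged test resolves `StandardNames` from this package (its imports are outside the hunk), that test will not compile. Rename the declaration to `public static final Set<String> SSL_CONTEXT_PROTOCOLS_ALL = new HashSet<String>(`. A one-line comment noting that this set deliberately includes the deprecated `TLSv1` and `TLSv1.1` names, unlike `SSL_CONTEXT_PROTOCOLS`, would also help readers of the test.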