author | Miguel Aranda <miguelaranda@google.com> | 2024-04-16 16:50:35 +0000 |
---|---|---|
committer | Miguel Aranda <miguelaranda@google.com> | 2024-04-16 16:50:35 +0000 |
commit | 724185f1ac34f0e7285d79ddbc8812e246a907a3 (patch) | |
tree | ed0f07cac83beed6c6bf4b829ed8d20ec6353040 | |
parent | 83f9e27dd8340517d29933bb0a0d5879da0888ee (diff) | |
Filter protocols when creating SSLParameterImpl
Change-Id: I5a61dc708eda9c6176970136c52088c9c5505829
Test: atest CtsLibcoreTestCases
6 files changed, 50 insertions, 4 deletions
diff --git a/common/src/main/java/org/conscrypt/SSLParametersImpl.java b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
index 76fb7ca8..d7e16192 100644
--- a/common/src/main/java/org/conscrypt/SSLParametersImpl.java
+++ b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
@@ -145,8 +145,19 @@ final class SSLParametersImpl implements Cloneable {
 }
 // initialize the list of cipher suites and protocols enabled by default
- enabledProtocols = NativeCrypto.checkEnabledProtocols(
- protocols == null ? NativeCrypto.getDefaultProtocols() : protocols).clone();
+ if (protocols == null) {
+ enabledProtocols = NativeCrypto.getDefaultProtocols().clone();
+ } else {
+ String[] filteredProtocols =
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
+ isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
+ enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
+ }
 boolean x509CipherSuitesNeeded = (x509KeyManager != null) || (x509TrustManager != null);
 boolean pskCipherSuitesNeeded = pskKeyManager != null;
 enabledCipherSuites = getDefaultCipherSuites(
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
index 40acd1b4..f24d8648 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLContextTest.java
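Review bot: In the `else` branch of the SSLParametersImpl.java hunk, a `protocols` array that names only TLSv1 and/or TLSv1.1 is reduced to an empty `filteredProtocols` when `Platform.isTlsV1Supported()` is false, and that empty array is passed straight to `NativeCrypto.checkEnabledProtocols`. Whether that call rejects an empty array or returns it is not visible here, so the constructor may either throw or yield parameters with no enabled protocol version; the intended outcome should be stated, e.g. `// TLSv1/TLSv1.1 are dropped when the platform does not support them; the filtered list may be empty, and isEnabledProtocolsFiltered records that entries were removed.` The ternary nested inside `Arrays.asList(...)` is also hard to read; a named local such as `String[] deprecatedProtocols = Platform.isTlsV1Supported() ? new String[0] : new String[] {...};` would make the filter list obvious. The same applies to the repackaged copy of this file, and the enclosing constructor starts and ends outside the hunk.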
@@ -119,6 +119,16 @@ public class SSLContextTest {
 }
 @Test
+ public void test_SSLContext_allProtocols() throws Exception {
+ SSLConfigurationAsserts.assertSSLContextDefaultConfiguration(SSLContext.getDefault());
+
+ for (String protocol : StandardNames.SSL_CONTEXT_PROTOCOLS_ALL) {
+ SSLContext sslContext = SSLContext.getInstance(protocol);
+ sslContext.init(null, null, null);
+ }
+ }
+
+ @Test
 public void test_SSLContext_pskOnlyConfiguration_defaultProviderOnly() throws Exception {
 // Test the scenario where only a PSKKeyManager is provided and no TrustManagers are
 // provided.
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
index 93bdc4f8..9130380f 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
@@ -146,8 +146,19 @@ final class SSLParametersImpl implements Cloneable {
 }
 // initialize the list of cipher suites and protocols enabled by default
- enabledProtocols = NativeCrypto.checkEnabledProtocols(
- protocols == null ? NativeCrypto.getDefaultProtocols() : protocols).clone();
+ if (protocols == null) {
+ enabledProtocols = NativeCrypto.getDefaultProtocols().clone();
+ } else {
+ String[] filteredProtocols =
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
+ isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
+ enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
+ }
 boolean x509CipherSuitesNeeded = (x509KeyManager != null) || (x509TrustManager != null);
 boolean pskCipherSuitesNeeded = pskKeyManager != null;
 enabledCipherSuites = getDefaultCipherSuites(
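Review bot: `test_SSLContext_allProtocols` only shows that `init(null, null, null)` does not throw for each name; it asserts nothing about which protocol versions end up enabled, so a regression that leaves TLSv1/TLSv1.1 enabled on a platform that should filter them, or leaves nothing enabled, would still pass. After `init`, check the outcome, for example by asserting the expected contents of `sslContext.getDefaultSSLParameters().getProtocols()` for the deprecated names. The first statement checks `SSLContext.getDefault()` and is unrelated to the loop, so it could move to its own test or be dropped. The same test is duplicated in the repackaged SSLContextTest.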
diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
index 5f382d19..fedae1f9 100644
--- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
+++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLContextTest.java
@@ -123,6 +123,16 @@ public class SSLContextTest {
 }
 @Test
+ public void test_SSLContext_allProtocols() throws Exception {
+ SSLConfigurationAsserts.assertSSLContextDefaultConfiguration(SSLContext.getDefault());
+
+ for (String protocol : StandardNames.SSL_CONTEXT_PROTOCOLS_ALL) {
+ SSLContext sslContext = SSLContext.getInstance(protocol);
+ sslContext.init(null, null, null);
+ }
+ }
+
+ @Test
 public void test_SSLContext_pskOnlyConfiguration_defaultProviderOnly() throws Exception {
 // Test the scenario where only a PSKKeyManager is provided and no TrustManagers are
 // provided.
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index ca12b07b..235463ac 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -169,6 +169,8 @@ public final class StandardNames {
 }
 public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
+ public static final Set<String> SSL_CONTEXT_PROTOCOLS_ALL = new HashSet<String>(
+ Arrays.asList("TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
 Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index ca493e1a..4c37f5c0 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -168,6 +168,8 @@ public final class StandardNames {
 }
 public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
+ public static final Set<String> SSL_CONTEXT_ALL = new HashSet<String>(
+ Arrays.asList("TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
 Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
 public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>( |