Snap for 7080740 from 8b23422c810260d58c9fda403201b1d732278077 to mainline-tethering-releaseandroid-mainline-11.0.0_r43android-mainline-11.0.0_r24android11-mainline-tethering-release

Change-Id: I88153ac410fb455500990384887791759e51f89e

7 files changed, 176 insertions, 70 deletions

diff --git a/Android.bp b/Android.bp
index 18fbd41..1b54ffe 100644
--- a/Android.bp
+++ b/Android.bp
@@ -50,37 +50,54 @@ java_library {
     sdk_version: "none",
     system_modules: "core-all-system-modules",
     libs: [
-        "conscrypt.module.intra.core.api.stubs",
+        "conscrypt.module.intra.core.api",
     ],
     java_version: "1.7",
 }
 
 java_library {
     name: "okhttp",
+    host_supported: true,
     visibility: [
         "//art/build/apex",
+        "//external/grpc-grpc-java/okhttp",
         "//external/robolectric-shadows",
         "//libcore",
     ],
-    srcs: [
-        // Although some of the classes in the android/ directory are already in the correct
-        // package and do not need to be moved to another package they are transformed as they
-        // reference other classes that do require repackaging.
-        "repackaged/android/src/main/java/**/*.java",
-        "repackaged/okhttp/src/main/java/**/*.java",
-        "repackaged/okhttp-urlconnection/src/main/java/**/*.java",
-        "repackaged/okhttp-android-support/src/main/java/**/*.java",
-        "repackaged/okio/okio/src/main/java/**/*.java",
-    ],
+    target: {
+        android: {
+            srcs: [
+                // Although some of the classes in the android/ directory are already in the correct
+                // package and do not need to be moved to another package they are transformed as they
+                // reference other classes that do require repackaging.
+                "repackaged/android/src/main/java/**/*.java",
+                "repackaged/okhttp/src/main/java/**/*.java",
+                "repackaged/okhttp-urlconnection/src/main/java/**/*.java",
+                "repackaged/okhttp-android-support/src/main/java/**/*.java",
+                "repackaged/okio/okio/src/main/java/**/*.java",
+            ],
+            libs: [
+                "conscrypt.module.intra.core.api",
+            ],
+        },
+        host: {
+            srcs: [
+                "okhttp/src/main/java/**/*.java",
+                "okhttp-urlconnection/src/main/java/**/*.java",
+                "okio/okio/src/main/java/**/*.java",
+                ":okhttp_version.java",
+            ],
+            libs: [
+                "okhttp-android-util-log",
+            ],
+        },
+    },
 
     hostdex: true,
     installable: true,
 
-    sdk_version: "none",
     system_modules: "core-all-system-modules",
-    libs: [
-        "conscrypt.module.intra.core.api.stubs",
-    ],
+    sdk_version: "none",
     java_version: "1.7",
     apex_available: [
         "com.android.art.debug",
@@ -88,27 +105,26 @@ java_library {
     ],
 }
 
-// A guaranteed unstripped version of okhttp.
-// The build system may or may not strip the okhttp jar, but this one will
-// not be stripped. See b/24535627.
-java_library {
-    name: "okhttp-testdex",
-    visibility: [
-        "//art:__subpackages__",
+// Generate Version.java based on the version number from pom.xml.
+genrule {
+    name: "okhttp_version.java",
+    srcs: [
+        "okhttp/src/main/java-templates/com/squareup/okhttp/internal/Version.java",
+        "okhttp/pom.xml",
     ],
-    static_libs: ["okhttp"],
-
-    installable: true,
+    out: ["com/squareup/okhttp/internal/Version.java"],
+    cmd: "grep \"<version>\" $(location okhttp/pom.xml) | head -1 |" +
+        " sed -e \"s/\\s*<version>\\(.*\\)<\\/version>/\\1/\" > $(genDir)/version && " +
+        "sed -e \"s/\\$${project.version}/$$(cat $(genDir)/version)/\" " +
+        " $(location okhttp/src/main/java-templates/com/squareup/okhttp/internal/Version.java) " +
+        "> $(out)",
+}
 
-    sdk_version: "none",
-    system_modules: "core-all-system-modules",
-    libs: [
-        "conscrypt.module.intra.core.api.stubs",
-    ],
-    dex_preopt: {
-        enabled: false,
-    },
-    java_version: "1.7",
+// A library to provide a stub android.util.Log symbol for
+// okhttp/src/main/java/com/squareup/okhttp/internal/Platform.java
+java_library_host {
+    name: "okhttp-android-util-log",
+    srcs: ["okhttp-android-util-log/src/main/java/**/*.java"],
 }
 
 java_library {
@@ -134,7 +150,7 @@ java_library {
     libs: [
         "okhttp-nojarjar",
         "junit",
-        "conscrypt.module.intra.core.api.stubs",
+        "conscrypt.module.intra.core.api",
         "bouncycastle-unbundled",
     ],
 
diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..d97975c
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,3 @@
+third_party {
+  license_type: NOTICE
+}
diff --git a/OWNERS b/OWNERS
index 9cd1768..dc99a81 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,3 @@
 # Bug component: 24949
-tobiast@google.com
+ngeoffray@google.com
 include platform/libcore:/OWNERS
diff --git a/okhttp-android-util-log/src/main/java/android/util/Log.java b/okhttp-android-util-log/src/main/java/android/util/Log.java
new file mode 100644
index 0000000..d2d4f55
--- /dev/null
+++ b/okhttp-android-util-log/src/main/java/android/util/Log.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package android.util;
+
+public final class Log {
+
+private Log() { throw new RuntimeException("Stub!"); }
+
+public static int d(java.lang.String tag, java.lang.String msg) { throw new RuntimeException("Stub!"); }
+}
+
diff --git a/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java b/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java
index 76897fc..0c3d16d 100644
--- a/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java
+++ b/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java
@@ -26,7 +26,6 @@ import java.util.Collection;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLSession;
 import javax.security.auth.x500.X500Principal;
-import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
@@ -168,12 +167,7 @@ public final class HostnameVerifierTest {
     assertFalse(verifier.verify("a.bar.com", session));
   }
 
-  /**
-   * Ignored due to incompatibilities between Android and Java on how non-ASCII
-   * subject alt names are parsed. Android fails to parse these, which means we
-   * fall back to the CN. The RI does parse them, so the CN is unused.
-   */
-  @Test @Ignore public void verifyNonAsciiSubjectAlt() throws Exception {
+  @Test public void verifyNonAsciiSubjectAlt() throws Exception {
     // CN=foo.com, subjectAlt=bar.com, subjectAlt=&#x82b1;&#x5b50;.co.jp
     // (hanako.co.jp in kanji)
     SSLSession session = session(""
@@ -203,16 +197,15 @@ public final class HostnameVerifierTest {
         + "sWIKHYrmhCIRshUNohGXv50m2o+1w9oWmQ6Dkq7lCjfXfUB4wIbggJjpyEtbNqBt\n"
         + "j4MC2x5rfsLKKqToKmNE7pFEgqwe8//Aar1b+Qj+\n"
         + "-----END CERTIFICATE-----\n");
-    assertTrue(verifier.verify("foo.com", session));
+    // Android-changed: Ignore common name in hostname verification. http://b/70278814
+    // assertTrue(verifier.verify("foo.com", session));
+    assertFalse(verifier.verify("foo.com", session));
     assertFalse(verifier.verify("a.foo.com", session));
-    // these checks test alternative subjects. The test data contains an
-    // alternative subject starting with a japanese kanji character. This is
-    // not supported by Android because the underlying implementation from
-    // harmony follows the definition from rfc 1034 page 10 for alternative
-    // subject names. This causes the code to drop all alternative subjects.
-    // assertTrue(verifier.verify("bar.com", session));
-    // assertFalse(verifier.verify("a.bar.com", session));
-    // assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session));
+    assertTrue(verifier.verify("bar.com", session));
+    assertFalse(verifier.verify("a.bar.com", session));
+    assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session));
+    // Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+    assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session));
   }
 
   @Test public void verifySubjectAltOnly() throws Exception {
@@ -358,17 +351,12 @@ public final class HostnameVerifierTest {
     // Android-changed: Ignore common name in hostname verification. http://b/70278814
     // assertTrue(verifier.verify("foo.co.jp", session));
     assertFalse(verifier.verify("foo.co.jp", session));
-    // Android-changed: Ignore common name in hostname verification. http://b/70278814
+    // Android-changed: Reject non-ASCII hostnames and SANs. http://b/171980069
     // assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session));
     assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session));
   }
 
-  /**
-   * Ignored due to incompatibilities between Android and Java on how non-ASCII
-   * subject alt names are parsed. Android fails to parse these, which means we
-   * fall back to the CN. The RI does parse them, so the CN is unused.
-   */
-  @Test @Ignore public void testWilcardNonAsciiSubjectAlt() throws Exception {
+  @Test public void testWilcardNonAsciiSubjectAlt() throws Exception {
     // CN=*.foo.com, subjectAlt=*.bar.com, subjectAlt=*.&#x82b1;&#x5b50;.co.jp
     // (*.hanako.co.jp in kanji)
     SSLSession session = session(""
@@ -399,19 +387,22 @@ public final class HostnameVerifierTest {
         + "pgJsDbJtZfHnV1nd3M6zOtQPm1TIQpNmMMMd/DPrGcUQerD3\n"
         + "-----END CERTIFICATE-----\n");
     // try the foo.com variations
-    assertTrue(verifier.verify("foo.com", session));
-    assertTrue(verifier.verify("www.foo.com", session));
-    assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session));
+    // BEGIN Android-changed: Ignore common name in hostname verification. http://b/70278814
+    // assertTrue(verifier.verify("foo.com", session));
+    // assertTrue(verifier.verify("www.foo.com", session));
+    // assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session));
+    assertFalse(verifier.verify("foo.com", session));
+    assertFalse(verifier.verify("www.foo.com", session));
+    assertFalse(verifier.verify("\u82b1\u5b50.foo.com", session));
+    // END Android-changed: Ignore common name in hostname verification. http://b/70278814
     assertFalse(verifier.verify("a.b.foo.com", session));
-    // these checks test alternative subjects. The test data contains an
-    // alternative subject starting with a japanese kanji character. This is
-    // not supported by Android because the underlying implementation from
-    // harmony follows the definition from rfc 1034 page 10 for alternative
-    // subject names. This causes the code to drop all alternative subjects.
-    // assertFalse(verifier.verify("bar.com", session));
-    // assertTrue(verifier.verify("www.bar.com", session));
+    // these checks test alternative subjects.
+    assertFalse(verifier.verify("bar.com", session));
+    assertTrue(verifier.verify("www.bar.com", session));
+    // Android-changed: Reject non-ASCII hostnames and SANs. http://b/171980069
     // assertTrue(verifier.verify("\u82b1\u5b50.bar.com", session));
-    // assertTrue(verifier.verify("a.b.bar.com", session));
+    assertFalse(verifier.verify("\u82b1\u5b50.bar.com", session));
+    assertFalse(verifier.verify("a.b.bar.com", session));
   }
 
   @Test public void subjectAltUsesLocalDomainAndIp() throws Exception {
@@ -605,6 +596,14 @@ public final class HostnameVerifierTest {
     assertFalse(OkHostnameVerifier.verifyAsIpAddress("www.nintendo.co.jp"));
   }
 
+  @Test public void isPrintableAscii() {
+    assertTrue(OkHostnameVerifier.isPrintableAscii("foo-bar_baz.com"));
+    assertTrue(OkHostnameVerifier.isPrintableAscii("FoO-bAr_BaZ.cOm"));
+    assertFalse(OkHostnameVerifier.isPrintableAscii("Føø-bAr_BaZ.cøm"));
+    // Char 0xc0 (capital A with grave accent in ISO 8859-1) fits in 8 bits but not 7.
+    assertFalse(OkHostnameVerifier.isPrintableAscii("\u00c0.com"));
+  }
+
   private X509Certificate certificate(String certificate) throws Exception {
     return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
         new ByteArrayInputStream(certificate.getBytes(Util.UTF_8)));
diff --git a/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java b/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java
index d560c62..71d2f8e 100644
--- a/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java
+++ b/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java
@@ -107,6 +107,11 @@ public final class OkHostnameVerifier implements HostnameVerifier {
    * Returns true if {@code certificate} matches {@code hostName}.
    */
   private boolean verifyHostName(String hostName, X509Certificate certificate) {
+    // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+    if (!isPrintableAscii(hostName)) {
+      return false;
+    }
+    // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
     hostName = hostName.toLowerCase(Locale.US);
     boolean hasDns = false;
     List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME);
@@ -209,6 +214,11 @@ public final class OkHostnameVerifier implements HostnameVerifier {
     }
     // hostName and pattern are now absolute domain names.
 
+    // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+    if (!isPrintableAscii(pattern)) {
+      return false;
+    }
+    // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
     pattern = pattern.toLowerCase(Locale.US);
     // hostName and pattern are now in lower case -- domain names are case-insensitive.
 
@@ -279,4 +289,25 @@ public final class OkHostnameVerifier implements HostnameVerifier {
     // hostName matches pattern
     return true;
   }
+
+  // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+  /**
+   * Returns true if the  input string contains only printable 7-bit ASCII
+   * characters, otherwise false.
+   */
+  private static final char DEL = 127;
+  static boolean isPrintableAscii(String input) {
+    if (input == null) {
+      return false;
+    }
+    for (char c : input.toCharArray()) {
+      // Space is illegal in a DNS name. DEL and anything less than space is non-printing so
+      // also illegal. Anything greater than DEL is not 7-bit.
+      if (c <= ' ' || c >= DEL) {
+        return false;
+      }
+    }
+    return true;
+  }
+  // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
 }
diff --git a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java
index d37902f..22daecd 100644
--- a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java
+++ b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java
@@ -109,6 +109,11 @@ public final class OkHostnameVerifier implements HostnameVerifier {
    * Returns true if {@code certificate} matches {@code hostName}.
    */
   private boolean verifyHostName(String hostName, X509Certificate certificate) {
+    // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+    if (!isPrintableAscii(hostName)) {
+      return false;
+    }
+    // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
     hostName = hostName.toLowerCase(Locale.US);
     boolean hasDns = false;
     List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME);
@@ -211,6 +216,11 @@ public final class OkHostnameVerifier implements HostnameVerifier {
     }
     // hostName and pattern are now absolute domain names.
 
+    // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+    if (!isPrintableAscii(pattern)) {
+      return false;
+    }
+    // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
     pattern = pattern.toLowerCase(Locale.US);
     // hostName and pattern are now in lower case -- domain names are case-insensitive.
 
@@ -281,4 +291,25 @@ public final class OkHostnameVerifier implements HostnameVerifier {
     // hostName matches pattern
     return true;
   }
+
+  // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
+  /**
+   * Returns true if the  input string contains only printable 7-bit ASCII
+   * characters, otherwise false.
+   */
+  private static final char DEL = 127;
+  static boolean isPrintableAscii(String input) {
+    if (input == null) {
+      return false;
+    }
+    for (char c : input.toCharArray()) {
+      // Space is illegal in a DNS name. DEL and anything less than space is non-printing so
+      // also illegal. Anything greater than DEL is not 7-bit.
+      if (c <= ' ' || c >= DEL) {
+        return false;
+      }
+    }
+    return true;
+  }
+  // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069
 }