diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2020-12-15 21:47:45 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-12-15 21:47:45 +0000 |
| commit | 858f04de5a7987352574e294d54f318dcfbe6c41 (patch) | |
| tree | 2ad7b0e2387008893154a5e24071debcf5864131 | |
| parent | 341ce1f2003d79a27333c4ee27b3797560bf8e8b (diff) | |
| parent | ddc934efe3ed06ce34f3724d41cfbdcd7e7358fc (diff) | |
| download | okhttp-android11-qpr1-release.tar.gz | |
Merge cherrypicks of [13231586, 13231437, 13231588, 13230397, 13230399, 13231350, 13231351, 13231354, 13231356, 13231439, 13231441, 13231358, 13231443, 13231360, 13231030, 13231457, 13230243, 13231032, 13231725, 13230838, 13231034, 13230840, 13230842, 13231361, 13231363, 13231745, 13231458, 13231747, 13231749, 13231751, 13229580, 13229582, 13231589, 13231591, 13231764, 13230400, 13230402, 13231784, 13231786, 13231788, 13231790] into rvc-qpr1-releaseandroid-11.0.0_r29android11-qpr1-release
Change-Id: I60f4f34f6066d5e036bb2e054e5ec5f7cf3230c9
3 files changed, 95 insertions, 34 deletions
diff --git a/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java b/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java index 76897fc..0c3d16d 100644 --- a/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java +++ b/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java @@ -26,7 +26,6 @@ import java.util.Collection; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLSession; import javax.security.auth.x500.X500Principal; -import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.Parameterized; @@ -168,12 +167,7 @@ public final class HostnameVerifierTest { assertFalse(verifier.verify("a.bar.com", session)); } - /** - * Ignored due to incompatibilities between Android and Java on how non-ASCII - * subject alt names are parsed. Android fails to parse these, which means we - * fall back to the CN. The RI does parse them, so the CN is unused. - */ - @Test @Ignore public void verifyNonAsciiSubjectAlt() throws Exception { + @Test public void verifyNonAsciiSubjectAlt() throws Exception { // CN=foo.com, subjectAlt=bar.com, subjectAlt=花子.co.jp // (hanako.co.jp in kanji) SSLSession session = session("" @@ -203,16 +197,15 @@ public final class HostnameVerifierTest { + "sWIKHYrmhCIRshUNohGXv50m2o+1w9oWmQ6Dkq7lCjfXfUB4wIbggJjpyEtbNqBt\n" + "j4MC2x5rfsLKKqToKmNE7pFEgqwe8//Aar1b+Qj+\n" + "-----END CERTIFICATE-----\n"); - assertTrue(verifier.verify("foo.com", session)); + // Android-changed: Ignore common name in hostname verification. http://b/70278814 + // assertTrue(verifier.verify("foo.com", session)); + assertFalse(verifier.verify("foo.com", session)); assertFalse(verifier.verify("a.foo.com", session)); - // these checks test alternative subjects. The test data contains an - // alternative subject starting with a japanese kanji character. This is - // not supported by Android because the underlying implementation from - // harmony follows the definition from rfc 1034 page 10 for alternative - // subject names. This causes the code to drop all alternative subjects. - // assertTrue(verifier.verify("bar.com", session)); - // assertFalse(verifier.verify("a.bar.com", session)); - // assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session)); + assertTrue(verifier.verify("bar.com", session)); + assertFalse(verifier.verify("a.bar.com", session)); + assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session)); + // Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session)); } @Test public void verifySubjectAltOnly() throws Exception { @@ -358,17 +351,12 @@ public final class HostnameVerifierTest { // Android-changed: Ignore common name in hostname verification. http://b/70278814 // assertTrue(verifier.verify("foo.co.jp", session)); assertFalse(verifier.verify("foo.co.jp", session)); - // Android-changed: Ignore common name in hostname verification. http://b/70278814 + // Android-changed: Reject non-ASCII hostnames and SANs. http://b/171980069 // assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session)); assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session)); } - /** - * Ignored due to incompatibilities between Android and Java on how non-ASCII - * subject alt names are parsed. Android fails to parse these, which means we - * fall back to the CN. The RI does parse them, so the CN is unused. - */ - @Test @Ignore public void testWilcardNonAsciiSubjectAlt() throws Exception { + @Test public void testWilcardNonAsciiSubjectAlt() throws Exception { // CN=*.foo.com, subjectAlt=*.bar.com, subjectAlt=*.花子.co.jp // (*.hanako.co.jp in kanji) SSLSession session = session("" @@ -399,19 +387,22 @@ public final class HostnameVerifierTest { + "pgJsDbJtZfHnV1nd3M6zOtQPm1TIQpNmMMMd/DPrGcUQerD3\n" + "-----END CERTIFICATE-----\n"); // try the foo.com variations - assertTrue(verifier.verify("foo.com", session)); - assertTrue(verifier.verify("www.foo.com", session)); - assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session)); + // BEGIN Android-changed: Ignore common name in hostname verification. http://b/70278814 + // assertTrue(verifier.verify("foo.com", session)); + // assertTrue(verifier.verify("www.foo.com", session)); + // assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session)); + assertFalse(verifier.verify("foo.com", session)); + assertFalse(verifier.verify("www.foo.com", session)); + assertFalse(verifier.verify("\u82b1\u5b50.foo.com", session)); + // END Android-changed: Ignore common name in hostname verification. http://b/70278814 assertFalse(verifier.verify("a.b.foo.com", session)); - // these checks test alternative subjects. The test data contains an - // alternative subject starting with a japanese kanji character. This is - // not supported by Android because the underlying implementation from - // harmony follows the definition from rfc 1034 page 10 for alternative - // subject names. This causes the code to drop all alternative subjects. - // assertFalse(verifier.verify("bar.com", session)); - // assertTrue(verifier.verify("www.bar.com", session)); + // these checks test alternative subjects. + assertFalse(verifier.verify("bar.com", session)); + assertTrue(verifier.verify("www.bar.com", session)); + // Android-changed: Reject non-ASCII hostnames and SANs. http://b/171980069 // assertTrue(verifier.verify("\u82b1\u5b50.bar.com", session)); - // assertTrue(verifier.verify("a.b.bar.com", session)); + assertFalse(verifier.verify("\u82b1\u5b50.bar.com", session)); + assertFalse(verifier.verify("a.b.bar.com", session)); } @Test public void subjectAltUsesLocalDomainAndIp() throws Exception { @@ -605,6 +596,14 @@ public final class HostnameVerifierTest { assertFalse(OkHostnameVerifier.verifyAsIpAddress("www.nintendo.co.jp")); } + @Test public void isPrintableAscii() { + assertTrue(OkHostnameVerifier.isPrintableAscii("foo-bar_baz.com")); + assertTrue(OkHostnameVerifier.isPrintableAscii("FoO-bAr_BaZ.cOm")); + assertFalse(OkHostnameVerifier.isPrintableAscii("Føø-bAr_BaZ.cøm")); + // Char 0xc0 (capital A with grave accent in ISO 8859-1) fits in 8 bits but not 7. + assertFalse(OkHostnameVerifier.isPrintableAscii("\u00c0.com")); + } + private X509Certificate certificate(String certificate) throws Exception { return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate( new ByteArrayInputStream(certificate.getBytes(Util.UTF_8))); diff --git a/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java b/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java index d560c62..71d2f8e 100644 --- a/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java +++ b/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java @@ -107,6 +107,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { * Returns true if {@code certificate} matches {@code hostName}. */ private boolean verifyHostName(String hostName, X509Certificate certificate) { + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(hostName)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 hostName = hostName.toLowerCase(Locale.US); boolean hasDns = false; List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME); @@ -209,6 +214,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { } // hostName and pattern are now absolute domain names. + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(pattern)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 pattern = pattern.toLowerCase(Locale.US); // hostName and pattern are now in lower case -- domain names are case-insensitive. @@ -279,4 +289,25 @@ public final class OkHostnameVerifier implements HostnameVerifier { // hostName matches pattern return true; } + + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + /** + * Returns true if the input string contains only printable 7-bit ASCII + * characters, otherwise false. + */ + private static final char DEL = 127; + static boolean isPrintableAscii(String input) { + if (input == null) { + return false; + } + for (char c : input.toCharArray()) { + // Space is illegal in a DNS name. DEL and anything less than space is non-printing so + // also illegal. Anything greater than DEL is not 7-bit. + if (c <= ' ' || c >= DEL) { + return false; + } + } + return true; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 } diff --git a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java index d37902f..22daecd 100644 --- a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java +++ b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java @@ -109,6 +109,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { * Returns true if {@code certificate} matches {@code hostName}. */ private boolean verifyHostName(String hostName, X509Certificate certificate) { + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(hostName)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 hostName = hostName.toLowerCase(Locale.US); boolean hasDns = false; List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME); @@ -211,6 +216,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { } // hostName and pattern are now absolute domain names. + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(pattern)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 pattern = pattern.toLowerCase(Locale.US); // hostName and pattern are now in lower case -- domain names are case-insensitive. @@ -281,4 +291,25 @@ public final class OkHostnameVerifier implements HostnameVerifier { // hostName matches pattern return true; } + + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + /** + * Returns true if the input string contains only printable 7-bit ASCII + * characters, otherwise false. + */ + private static final char DEL = 127; + static boolean isPrintableAscii(String input) { + if (input == null) { + return false; + } + for (char c : input.toCharArray()) { + // Space is illegal in a DNS name. DEL and anything less than space is non-printing so + // also illegal. Anything greater than DEL is not 7-bit. + if (c <= ' ' || c >= DEL) { + return false; + } + } + return true; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 } |