-rw-r--r-- | Android.bp | 86 | ||||
-rw-r--r-- | METADATA | 3 | ||||
-rw-r--r-- | OWNERS | 2 | ||||
-rw-r--r-- | okhttp-android-util-log/src/main/java/android/util/Log.java | 26 | ||||
-rw-r--r-- | okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java | 67 | ||||
-rw-r--r-- | okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java | 31 | ||||
-rw-r--r-- | repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java | 31 |
7 files changed, 176 insertions, 70 deletions
@@ -50,37 +50,54 @@ java_library { sdk_version: "none", system_modules: "core-all-system-modules", libs: [ - "conscrypt.module.intra.core.api.stubs", + "conscrypt.module.intra.core.api", ], java_version: "1.7", } java_library { name: "okhttp", + host_supported: true, visibility: [ "//art/build/apex", + "//external/grpc-grpc-java/okhttp", "//external/robolectric-shadows", "//libcore", ], - srcs: [ - // Although some of the classes in the android/ directory are already in the correct - // package and do not need to be moved to another package they are transformed as they - // reference other classes that do require repackaging. - "repackaged/android/src/main/java/**/*.java", - "repackaged/okhttp/src/main/java/**/*.java", - "repackaged/okhttp-urlconnection/src/main/java/**/*.java", - "repackaged/okhttp-android-support/src/main/java/**/*.java", - "repackaged/okio/okio/src/main/java/**/*.java", - ], + target: { + android: { + srcs: [ + // Although some of the classes in the android/ directory are already in the correct + // package and do not need to be moved to another package they are transformed as they + // reference other classes that do require repackaging. + "repackaged/android/src/main/java/**/*.java", + "repackaged/okhttp/src/main/java/**/*.java", + "repackaged/okhttp-urlconnection/src/main/java/**/*.java", + "repackaged/okhttp-android-support/src/main/java/**/*.java", + "repackaged/okio/okio/src/main/java/**/*.java", + ], + libs: [ + "conscrypt.module.intra.core.api", + ], + }, + host: { + srcs: [ + "okhttp/src/main/java/**/*.java", + "okhttp-urlconnection/src/main/java/**/*.java", + "okio/okio/src/main/java/**/*.java", + ":okhttp_version.java", + ], + libs: [ + "okhttp-android-util-log", + ], + }, + }, hostdex: true, installable: true, - sdk_version: "none", system_modules: "core-all-system-modules", - libs: [ - "conscrypt.module.intra.core.api.stubs", - ], + sdk_version: "none", java_version: "1.7", apex_available: [ "com.android.art.debug", 
@@ -88,27 +105,26 @@ java_library { ], } -// A guaranteed unstripped version of okhttp. -// The build system may or may not strip the okhttp jar, but this one will -// not be stripped. See b/24535627. -java_library { - name: "okhttp-testdex", - visibility: [ - "//art:__subpackages__", +// Generate Version.java based on the version number from pom.xml. +genrule { + name: "okhttp_version.java", + srcs: [ + "okhttp/src/main/java-templates/com/squareup/okhttp/internal/Version.java", + "okhttp/pom.xml", ], - static_libs: ["okhttp"], - - installable: true, + out: ["com/squareup/okhttp/internal/Version.java"], + cmd: "grep \"<version>\" $(location okhttp/pom.xml) | head -1 |" + + " sed -e \"s/\\s*<version>\\(.*\\)<\\/version>/\\1/\" > $(genDir)/version && " + + "sed -e \"s/\\$${project.version}/$$(cat $(genDir)/version)/\" " + + " $(location okhttp/src/main/java-templates/com/squareup/okhttp/internal/Version.java) " + + "> $(out)", +} - sdk_version: "none", - system_modules: "core-all-system-modules", - libs: [ - "conscrypt.module.intra.core.api.stubs", - ], - dex_preopt: { - enabled: false, - }, - java_version: "1.7", +// A library to provide a stub android.util.Log symbol for +// okhttp/src/main/java/com/squareup/okhttp/internal/Platform.java +java_library_host { + name: "okhttp-android-util-log", + srcs: ["okhttp-android-util-log/src/main/java/**/*.java"], } java_library { @@ -134,7 +150,7 @@ java_library { libs: [ "okhttp-nojarjar", "junit", - "conscrypt.module.intra.core.api.stubs", + "conscrypt.module.intra.core.api", "bouncycastle-unbundled", ], diff --git a/METADATA b/METADATA new file mode 100644 index 0000000..d97975c --- /dev/null +++ b/METADATA @@ -0,0 +1,3 @@ +third_party { + license_type: NOTICE +} @@ -1,3 +1,3 @@ # Bug component: 24949 -tobiast@google.com +ngeoffray@google.com include platform/libcore:/OWNERS 
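Review bot: The `cmd` of the new `okhttp_version.java` genrule cannot fail when no version is extracted: the `grep ... | head -1 | sed ...` pipeline reports only the status of the final `sed`, so an empty `$(genDir)/version` would be substituted into Version.java without any build error. It also takes the first `<version>` element in `okhttp/pom.xml`, which is the project's own version only if no earlier element (a `<parent>` block, for instance) carries a different one; pom.xml is not shown here, so that is worth confirming. Inserting a guard such as `test -s $(genDir)/version && ` before the second `sed` would turn a silently empty version string into a build failure.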
diff --git a/okhttp-android-util-log/src/main/java/android/util/Log.java b/okhttp-android-util-log/src/main/java/android/util/Log.java new file mode 100644 index 0000000..d2d4f55 --- /dev/null +++ b/okhttp-android-util-log/src/main/java/android/util/Log.java @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +package android.util; + +public final class Log { + +private Log() { throw new RuntimeException("Stub!"); } + +public static int d(java.lang.String tag, java.lang.String msg) { throw new RuntimeException("Stub!"); } +} + diff --git a/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java b/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java index 76897fc..0c3d16d 100644 --- a/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java +++ b/okhttp-tests/src/test/java/com/squareup/okhttp/internal/tls/HostnameVerifierTest.java @@ -26,7 +26,6 @@ import java.util.Collection; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLSession; import javax.security.auth.x500.X500Principal; -import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.Parameterized; 
@@ -168,12 +167,7 @@ public final class HostnameVerifierTest { assertFalse(verifier.verify("a.bar.com", session)); } - /** - * Ignored due to incompatibilities between Android and Java on how non-ASCII - * subject alt names are parsed. Android fails to parse these, which means we - * fall back to the CN. The RI does parse them, so the CN is unused. - */ - @Test @Ignore public void verifyNonAsciiSubjectAlt() throws Exception { + @Test public void verifyNonAsciiSubjectAlt() throws Exception { // CN=foo.com, subjectAlt=bar.com, subjectAlt=花子.co.jp // (hanako.co.jp in kanji) SSLSession session = session("" 
@@ -203,16 +197,15 @@ public final class HostnameVerifierTest { + "sWIKHYrmhCIRshUNohGXv50m2o+1w9oWmQ6Dkq7lCjfXfUB4wIbggJjpyEtbNqBt\n" + "j4MC2x5rfsLKKqToKmNE7pFEgqwe8//Aar1b+Qj+\n" + "-----END CERTIFICATE-----\n"); - assertTrue(verifier.verify("foo.com", session)); + // Android-changed: Ignore common name in hostname verification. http://b/70278814 + // assertTrue(verifier.verify("foo.com", session)); + assertFalse(verifier.verify("foo.com", session)); assertFalse(verifier.verify("a.foo.com", session)); - // these checks test alternative subjects. The test data contains an - // alternative subject starting with a japanese kanji character. This is - // not supported by Android because the underlying implementation from - // harmony follows the definition from rfc 1034 page 10 for alternative - // subject names. This causes the code to drop all alternative subjects. - // assertTrue(verifier.verify("bar.com", session)); - // assertFalse(verifier.verify("a.bar.com", session)); - // assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session)); + assertTrue(verifier.verify("bar.com", session)); + assertFalse(verifier.verify("a.bar.com", session)); + assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session)); + // Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session)); } @Test public void verifySubjectAltOnly() throws Exception { 
@@ -358,17 +351,12 @@ public final class HostnameVerifierTest { // Android-changed: Ignore common name in hostname verification. http://b/70278814 // assertTrue(verifier.verify("foo.co.jp", session)); assertFalse(verifier.verify("foo.co.jp", session)); - // Android-changed: Ignore common name in hostname verification. http://b/70278814 + // Android-changed: Reject non-ASCII hostnames and SANs. http://b/171980069 // assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session)); assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session)); } - /** - * Ignored due to incompatibilities between Android and Java on how non-ASCII - * subject alt names are parsed. Android fails to parse these, which means we - * fall back to the CN. The RI does parse them, so the CN is unused. - */ - @Test @Ignore public void testWilcardNonAsciiSubjectAlt() throws Exception { + @Test public void testWilcardNonAsciiSubjectAlt() throws Exception { // CN=*.foo.com, subjectAlt=*.bar.com, subjectAlt=*.花子.co.jp // (*.hanako.co.jp in kanji) SSLSession session = session("" 
@@ -399,19 +387,22 @@ public final class HostnameVerifierTest { + "pgJsDbJtZfHnV1nd3M6zOtQPm1TIQpNmMMMd/DPrGcUQerD3\n" + "-----END CERTIFICATE-----\n"); // try the foo.com variations - assertTrue(verifier.verify("foo.com", session)); - assertTrue(verifier.verify("www.foo.com", session)); - assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session)); + // BEGIN Android-changed: Ignore common name in hostname verification. http://b/70278814 + // assertTrue(verifier.verify("foo.com", session)); + // assertTrue(verifier.verify("www.foo.com", session)); + // assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session)); + assertFalse(verifier.verify("foo.com", session)); + assertFalse(verifier.verify("www.foo.com", session)); + assertFalse(verifier.verify("\u82b1\u5b50.foo.com", session)); + // END Android-changed: Ignore common name in hostname verification. http://b/70278814 assertFalse(verifier.verify("a.b.foo.com", session)); - // these checks test alternative subjects. The test data contains an - // alternative subject starting with a japanese kanji character. This is - // not supported by Android because the underlying implementation from - // harmony follows the definition from rfc 1034 page 10 for alternative - // subject names. This causes the code to drop all alternative subjects. - // assertFalse(verifier.verify("bar.com", session)); - // assertTrue(verifier.verify("www.bar.com", session)); + // these checks test alternative subjects. + assertFalse(verifier.verify("bar.com", session)); + assertTrue(verifier.verify("www.bar.com", session)); + // Android-changed: Reject non-ASCII hostnames and SANs. http://b/171980069 // assertTrue(verifier.verify("\u82b1\u5b50.bar.com", session)); - // assertTrue(verifier.verify("a.b.bar.com", session)); + assertFalse(verifier.verify("\u82b1\u5b50.bar.com", session)); + assertFalse(verifier.verify("a.b.bar.com", session)); } @Test public void subjectAltUsesLocalDomainAndIp() throws Exception { 
@@ -605,6 +596,14 @@ public final class HostnameVerifierTest { assertFalse(OkHostnameVerifier.verifyAsIpAddress("www.nintendo.co.jp")); } + @Test public void isPrintableAscii() { + assertTrue(OkHostnameVerifier.isPrintableAscii("foo-bar_baz.com")); + assertTrue(OkHostnameVerifier.isPrintableAscii("FoO-bAr_BaZ.cOm")); + assertFalse(OkHostnameVerifier.isPrintableAscii("Føø-bAr_BaZ.cøm")); + // Char 0xc0 (capital A with grave accent in ISO 8859-1) fits in 8 bits but not 7. + assertFalse(OkHostnameVerifier.isPrintableAscii("\u00c0.com")); + } + private X509Certificate certificate(String certificate) throws Exception { return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate( new ByteArrayInputStream(certificate.getBytes(Util.UTF_8))); diff --git a/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java b/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java index d560c62..71d2f8e 100644 --- a/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java +++ b/okhttp/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java @@ -107,6 +107,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { * Returns true if {@code certificate} matches {@code hostName}. */ private boolean verifyHostName(String hostName, X509Certificate certificate) { + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(hostName)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 hostName = hostName.toLowerCase(Locale.US); boolean hasDns = false; List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME); 
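Review bot: The new `isPrintableAscii` test does not pin the boundaries the implementation actually branches on (the null check and `c <= ' ' || c >= DEL`, both added to OkHostnameVerifier.java in this commit). Adding `assertFalse(OkHostnameVerifier.isPrintableAscii(null));`, `assertFalse(OkHostnameVerifier.isPrintableAscii("foo bar.com"));` and `assertFalse(OkHostnameVerifier.isPrintableAscii("foo\u007f.com"));` would cover null, space and DEL. A name with an embedded control character such as NUL deserves a case as well, and the empty string currently returns true because the loop never runs, which should be asserted explicitly whichever result is intended.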
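Review bot: The Javadoc above `verifyHostName(String, X509Certificate)` still says only that it returns true if the certificate matches the host name, but with the added guard any `hostName` containing a non-ASCII, space or control character is now rejected before the certificate is consulted. Callers holding internationalized names have to pass the A-label (punycode) form, and that contract should be written down, for example `* Returns false for any {@code hostName} that is not printable ASCII; IDNs must be supplied in A-label form.` The guard also turns a null `hostName`, if one can reach this method, into a false return where `hostName.toLowerCase(Locale.US)` would have thrown, which is worth a word in the same comment. The method body continues outside the hunk, and the same remark applies to the repackaged copy of this file.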
@@ -209,6 +214,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { } // hostName and pattern are now absolute domain names. + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(pattern)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 pattern = pattern.toLowerCase(Locale.US); // hostName and pattern are now in lower case -- domain names are case-insensitive. @@ -279,4 +289,25 @@ public final class OkHostnameVerifier implements HostnameVerifier { // hostName matches pattern return true; } + + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + /** + * Returns true if the input string contains only printable 7-bit ASCII + * characters, otherwise false. + */ + private static final char DEL = 127; + static boolean isPrintableAscii(String input) { + if (input == null) { + return false; + } + for (char c : input.toCharArray()) { + // Space is illegal in a DNS name. DEL and anything less than space is non-printing so + // also illegal. Anything greater than DEL is not 7-bit. + if (c <= ' ' || c >= DEL) { + return false; + } + } + return true; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 } diff --git a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java index d37902f..22daecd 100644 --- a/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java +++ b/repackaged/okhttp/src/main/java/com/android/okhttp/internal/tls/OkHostnameVerifier.java 
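Review bot: Only `pattern` is checked at this point; `hostName` is assumed to have been validated by the guard added in `verifyHostName(String, X509Certificate)`, and nothing here records that assumption. The signature and the callers of this overload are outside the hunk, so if it can be reached by any other path the host name would be matched without the ASCII check. Either check both, `if (!isPrintableAscii(hostName) || !isPrintableAscii(pattern)) {`, or state the invariant with a comment such as `// hostName was already checked for printable ASCII by the caller.` The same applies to the repackaged copy.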
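Review bot: The Javadoc block in the last hunk is attached to the wrong declaration: `private static final char DEL = 127;` sits between the comment and `isPrintableAscii`, so the documentation describes the constant and the method is left with none. Put `private static final char DEL = 127;` first and the `/** ... */` block directly before `static boolean isPrintableAscii(String input) {`. The comment should also say that space is rejected although it is a printable character, and that null returns false while the empty string returns true, since those are the cases a caller is most likely to get wrong. The identical block in the repackaged copy of OkHostnameVerifier.java has the same problem.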
@@ -109,6 +109,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { * Returns true if {@code certificate} matches {@code hostName}. */ private boolean verifyHostName(String hostName, X509Certificate certificate) { + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(hostName)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 hostName = hostName.toLowerCase(Locale.US); boolean hasDns = false; List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME); @@ -211,6 +216,11 @@ public final class OkHostnameVerifier implements HostnameVerifier { } // hostName and pattern are now absolute domain names. + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + if (!isPrintableAscii(pattern)) { + return false; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 pattern = pattern.toLowerCase(Locale.US); // hostName and pattern are now in lower case -- domain names are case-insensitive. @@ -281,4 +291,25 @@ public final class OkHostnameVerifier implements HostnameVerifier { // hostName matches pattern return true; } + + // BEGIN Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 + /** + * Returns true if the input string contains only printable 7-bit ASCII + * characters, otherwise false. + */ + private static final char DEL = 127; + static boolean isPrintableAscii(String input) { + if (input == null) { + return false; + } + for (char c : input.toCharArray()) { + // Space is illegal in a DNS name. DEL and anything less than space is non-printing so + // also illegal. Anything greater than DEL is not 7-bit. + if (c <= ' ' || c >= DEL) { + return false; + } + } + return true; + } + // END Android-added: Reject non-ASCII hostnames and SANs. http://b/171980069 } |