Ensure TLSv1 is still enabled by default unless it's deprecated. am: 85189a80f5 am: a53d670ff0

Original change: https://android-review.googlesource.com/c/platform/external/conscrypt/+/2862205

Change-Id: Ibe323171551fae0a4fc4bbc54de0199502047e17
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/common/src/main/java/org/conscrypt/ArrayUtils.java b/common/src/main/java/org/conscrypt/ArrayUtils.java
index d254e2e..1bea6c9 100644
--- a/common/src/main/java/org/conscrypt/ArrayUtils.java
+++ b/common/src/main/java/org/conscrypt/ArrayUtils.java
@@ -32,4 +32,20 @@
                     + offset + "; regionLength=" + count);
         }
     }
+
+    static String[] concatValues(String[] a1, String... values) {
+        return concat (a1, values);
+    }
+
+    static String[] concat(String[] a1, String[] a2) {
+        String[] result = new String[a1.length + a2.length];
+        int offset = 0;
+        for (int i = 0; i < a1.length; i++, offset++) {
+            result[offset] = a1[i];
+        }
+        for (int i = 0; i < a2.length; i++, offset++) {
+            result[offset] = a2[i];
+        }
+        return result;
+    }
 }
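Review bot: `concat` copies both inputs element by element with two index loops, and neither new helper has a doc comment. The loops can be replaced by `System.arraycopy(a1, 0, result, 0, a1.length);` and `System.arraycopy(a2, 0, result, a1.length, a2.length);`, which removes the shared `offset` counter. The call in `concatValues` is written `concat (a1, values)` with a stray space before the parenthesis, which the repackaged copy of this file does not have. A one-line comment on each method saying that a new array is always returned and that neither argument may be null would help. The same loop form appears in the repackaged `ArrayUtils.java` hunk.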
diff --git a/common/src/main/java/org/conscrypt/NativeCrypto.java b/common/src/main/java/org/conscrypt/NativeCrypto.java
index bd1239f..4e77923 100644
--- a/common/src/main/java/org/conscrypt/NativeCrypto.java
+++ b/common/src/main/java/org/conscrypt/NativeCrypto.java
@@ -43,7 +43,6 @@
 import javax.net.ssl.SSLException;
 import javax.security.auth.x500.X500Principal;
 import org.conscrypt.OpenSSLX509CertificateFactory.ParsingException;
-import org.conscrypt.Platform;
 
 /**
  * Provides the Java side of our JNI glue for OpenSSL.
@@ -1013,16 +1012,24 @@
 
     static native void set_SSL_psk_server_callback_enabled(long ssl, NativeSsl ssl_holder, boolean enabled);
 
+    private static final String[] ENABLED_PROTOCOLS_TLSV1 = Platform.isTlsV1Deprecated()
+            ? new String[0]
+            : new String[] {
+                DEPRECATED_PROTOCOL_TLSV1,
+                DEPRECATED_PROTOCOL_TLSV1_1,
+            };
+
+
     /** Protocols to enable by default when "TLSv1.3" is requested. */
-    static final String[] TLSV13_PROTOCOLS = new String[] {
+    static final String[] TLSV13_PROTOCOLS = ArrayUtils.concatValues(
+            ENABLED_PROTOCOLS_TLSV1,
             SUPPORTED_PROTOCOL_TLSV1_2,
-            SUPPORTED_PROTOCOL_TLSV1_3,
-    };
+            SUPPORTED_PROTOCOL_TLSV1_3);
 
     /** Protocols to enable by default when "TLSv1.2" is requested. */
-    static final String[] TLSV12_PROTOCOLS = new String[] {
-            SUPPORTED_PROTOCOL_TLSV1_2,
-    };
+    static final String[] TLSV12_PROTOCOLS = ArrayUtils.concatValues(
+            ENABLED_PROTOCOLS_TLSV1,
+            SUPPORTED_PROTOCOL_TLSV1_2);
 
     /** Protocols to enable by default when "TLSv1.1" is requested. */
     static final String[] TLSV11_PROTOCOLS = new String[] {
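Review bot: The Javadoc on `TLSV13_PROTOCOLS` and `TLSV12_PROTOCOLS` still reads as if only TLS 1.2/1.3 are enabled. Both arrays now begin with TLSv1 and TLSv1.1 whenever `Platform.isTlsV1Deprecated()` returns false, so a context requested as "TLSv1.3" may negotiate down to TLS 1.0 by default. The new `ENABLED_PROTOCOLS_TLSV1` field is undocumented; I would add `/** TLSv1 and TLSv1.1, prepended to the default protocol lists unless Platform.isTlsV1Deprecated() is true; empty otherwise. */` and mention the legacy versions in the two existing Javadoc lines. The value is computed once in a static initializer, so it presumably stays fixed for the life of the process, which is worth stating too. There is also a doubled blank line after the new field in this copy. The repackaged `NativeCrypto.java` hunk needs the same comment.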
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/ArrayUtils.java b/repackaged/common/src/main/java/com/android/org/conscrypt/ArrayUtils.java
index 49a06c0..15534f2 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/ArrayUtils.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/ArrayUtils.java
@@ -33,4 +33,20 @@
                     + offset + "; regionLength=" + count);
         }
     }
+
+    static String[] concatValues(String[] a1, String... values) {
+        return concat(a1, values);
+    }
+
+    static String[] concat(String[] a1, String[] a2) {
+        String[] result = new String[a1.length + a2.length];
+        int offset = 0;
+        for (int i = 0; i < a1.length; i++, offset++) {
+            result[offset] = a1[i];
+        }
+        for (int i = 0; i < a2.length; i++, offset++) {
+            result[offset] = a2[i];
+        }
+        return result;
+    }
 }
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
index f53c91d..263de5b 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
@@ -18,7 +18,6 @@
 package com.android.org.conscrypt;
 
 import com.android.org.conscrypt.OpenSSLX509CertificateFactory.ParsingException;
-import com.android.org.conscrypt.Platform;
 import java.io.FileDescriptor;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -1043,16 +1042,20 @@
 
     static native void set_SSL_psk_server_callback_enabled(long ssl, NativeSsl ssl_holder, boolean enabled);
 
+    private static final String[] ENABLED_PROTOCOLS_TLSV1 = Platform.isTlsV1Deprecated()
+            ? new String[0]
+            : new String[] {
+                    DEPRECATED_PROTOCOL_TLSV1,
+                    DEPRECATED_PROTOCOL_TLSV1_1,
+            };
+
     /** Protocols to enable by default when "TLSv1.3" is requested. */
-    static final String[] TLSV13_PROTOCOLS = new String[] {
-            SUPPORTED_PROTOCOL_TLSV1_2,
-            SUPPORTED_PROTOCOL_TLSV1_3,
-    };
+    static final String[] TLSV13_PROTOCOLS = ArrayUtils.concatValues(
+            ENABLED_PROTOCOLS_TLSV1, SUPPORTED_PROTOCOL_TLSV1_2, SUPPORTED_PROTOCOL_TLSV1_3);
 
     /** Protocols to enable by default when "TLSv1.2" is requested. */
-    static final String[] TLSV12_PROTOCOLS = new String[] {
-            SUPPORTED_PROTOCOL_TLSV1_2,
-    };
+    static final String[] TLSV12_PROTOCOLS =
+            ArrayUtils.concatValues(ENABLED_PROTOCOLS_TLSV1, SUPPORTED_PROTOCOL_TLSV1_2);
 
     /** Protocols to enable by default when "TLSv1.1" is requested. */
     static final String[] TLSV11_PROTOCOLS = new String[] {
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
index afd6ef9..ff5d3c4 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
@@ -811,4 +811,15 @@
         String name = osName();
         return name.startsWith("macosx") || name.startsWith("osx");
     }
+
+    // Find base method via reflection due to visibility issues when building with Gradle.
+    public static boolean isTlsV1Deprecated() {
+        try {
+            return (Boolean) conscryptClass("Platform")
+                    .getDeclaredMethod("isTlsV1Deprecated")
+                    .invoke(null);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
 }
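Review bot: The `catch (Exception e)` in `isTlsV1Deprecated()` rethrows a bare `RuntimeException(e)` with no message. Because `StandardNames` calls this helper from a static initializer, a reflection failure will surface as an `ExceptionInInitializerError` and then as `NoClassDefFoundError` in every later test that touches `StandardNames`. A message makes the root cause findable, for example `throw new RuntimeException("Cannot invoke Platform.isTlsV1Deprecated() via reflection", e);`. The method is looked up with `getDeclaredMethod` but never made accessible, so this presumably relies on `TestUtils` sharing a runtime package with `Platform`; a short comment saying so would help. The same method is added to `testing/src/main/java/org/conscrypt/TestUtils.java`.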
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index e0cb275..2c59d82 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -21,6 +21,7 @@
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
+import com.android.org.conscrypt.TestUtils;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -166,8 +167,13 @@
     public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
             Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
     // Deprecated TLS protocols... May or may not be present or enabled.
-    public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED =
-            new HashSet<>(Arrays.asList("TLSv1", "TLSv1.1"));
+    public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = new HashSet<>();
+    static {
+        if (TestUtils.isTlsV1Deprecated()) {
+            SSL_CONTEXT_PROTOCOLS_DEPRECATED.add("TLSv1");
+            SSL_CONTEXT_PROTOCOLS_DEPRECATED.add("TLSv1.1");
+        }
+    }
 
     public static final Set<String> KEY_TYPES = new HashSet<String>(
             Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA"));
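Review bot: The comment above `SSL_CONTEXT_PROTOCOLS_DEPRECATED` ("May or may not be present or enabled") no longer describes the field, which is now empty unless `TestUtils.isTlsV1Deprecated()` returns true. I would replace it with `// Protocols ignored when comparing protocol lists; populated only when Platform.isTlsV1Deprecated() is true.` The later hunk in this file removes the set from both `expected` and `actual`, so on a platform that reports deprecation nothing visible here checks that TLSv1/TLSv1.1 are really absent. If that comparison only sees default-enabled lists, an `assertTrue(Collections.disjoint(actual, SSL_CONTEXT_PROTOCOLS_DEPRECATED));` before the `removeAll` calls would close the gap. The field is also a public mutable `HashSet` filled in a static block; wrapping it with `Collections.unmodifiableSet` after population would stop tests from altering it. The same applies to `testing/src/main/java/org/conscrypt/java/security/StandardNames.java`.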
@@ -465,10 +471,8 @@
                 new HashSet<>(Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)));
         Set<String> actual = new HashSet<>(Arrays.asList(protocols));
 
-        // TODO(prb): Temporary measure - just ignore deprecated protocols.  Allows
-        // testing on source trees where these have been disabled in unknown ways.
-        // Future work will provide a supported API for disabling protocols, but for
-        // now we need to work with what's in the field.
+        // Ignore deprecated protocols, which are set earlier based
+        // on Platform.isTlsV1Deprecated().
         expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
         actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
 
diff --git a/testing/src/main/java/org/conscrypt/TestUtils.java b/testing/src/main/java/org/conscrypt/TestUtils.java
index c9f2fc0..bd148c4 100644
--- a/testing/src/main/java/org/conscrypt/TestUtils.java
+++ b/testing/src/main/java/org/conscrypt/TestUtils.java
@@ -806,4 +806,15 @@
         String name = osName();
         return name.startsWith("macosx") || name.startsWith("osx");
     }
+
+    // Find base method via reflection due to visibility issues when building with Gradle.
+    public static boolean isTlsV1Deprecated() {
+        try {
+            return (Boolean) conscryptClass("Platform")
+                    .getDeclaredMethod("isTlsV1Deprecated")
+                    .invoke(null);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
 }
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index 7a8672a..54a26d0 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -29,6 +29,8 @@
 import java.util.Set;
 import java.util.TreeSet;
 
+import org.conscrypt.TestUtils;
+
 /**
  * This class defines expected string names for protocols, key types,
  * client and server auth types, cipher suites.
@@ -164,8 +166,13 @@
     public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
             Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
     // Deprecated TLS protocols... May or may not be present or enabled.
-    public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = new HashSet<>(
-        Arrays.asList("TLSv1", "TLSv1.1"));
+    public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = new HashSet<>();
+    static {
+        if (TestUtils.isTlsV1Deprecated()) {
+            SSL_CONTEXT_PROTOCOLS_DEPRECATED.add("TLSv1");
+            SSL_CONTEXT_PROTOCOLS_DEPRECATED.add("TLSv1.1");
+        }
+    }
 
     public static final Set<String> KEY_TYPES = new HashSet<String>(
             Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA"));
@@ -463,10 +470,8 @@
             Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)));
         Set<String> actual = new HashSet<>(Arrays.asList(protocols));
 
-        // TODO(prb): Temporary measure - just ignore deprecated protocols.  Allows
-        // testing on source trees where these have been disabled in unknown ways.
-        // Future work will provide a supported API for disabling protocols, but for
-        // now we need to work with what's in the field.
+        // Ignore deprecated protocols, which are set earlier based
+        // on Platform.isTlsV1Deprecated().
         expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
         actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);