author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-02-01 21:02:14 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-02-01 21:02:14 +0000 |
commit | 7f98e78213a83b602594ea7d4860bff7f10ea30f (patch) | |
tree | 5ea9ff398a6afb850ebb09b95cbd23da45cbed3b | |
parent | ba6aa98ca1f1dc54216b53e74c9caa733b59d041 (diff) | |
parent | 5dc9cdaf41d6d15ab992ac27a79e556719b0f23e (diff) | |
download | conscrypt-7f98e78213a83b602594ea7d4860bff7f10ea30f.tar.gz |
Snap for 11384920 from 5dc9cdaf41d6d15ab992ac27a79e556719b0f23e to android11-tests-release
Change-Id: I626cd0913c516b7b9332985c04ba9a33fcd9d68f
16 files changed, 318 insertions, 247 deletions
diff --git a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java index 29682f2a..97ff8051 100644 --- a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java +++ b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java @@ -16,7 +16,7 @@ package org.conscrypt; -import static org.conscrypt.TestUtils.getProtocols; +import static org.conscrypt.TestUtils.getCommonProtocolSuites; import static org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertEquals; @@ -62,7 +62,7 @@ public final class ServerSocketBenchmark { final ChannelType channelType = config.channelType(); server = config.serverFactory().newServer( - channelType, config.messageSize(), getProtocols(), ciphers(config)); + channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config)); server.setMessageProcessor(new MessageProcessor() { @Override public void processMessage(byte[] inMessage, int numBytes, OutputStream os) { @@ -86,7 +86,7 @@ public final class ServerSocketBenchmark { // Always use the same client for consistency across the benchmarks. client = config.clientFactory().newClient( - ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config)); + ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config)); client.start(); // Wait for the initial connection to complete. diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java index 445ed976..aa603b00 100644 --- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java +++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java 
@@ -425,6 +425,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); @@ -456,6 +458,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); @@ -1007,6 +1011,8 @@ public class SSLSocketTest { @Test public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); @@ -1046,6 +1052,8 @@ public class SSLSocketTest { public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); 
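Review bot: The new `TestUtils.assumeTlsV11Enabled(context.clientContext)` guards in test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success and test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure check only the client side, yet the very next lines accept a server socket that must also negotiate TLSv1.1 for the fallback to be exercised; on a build where the server context has TLSv1.1 disabled these tests will fail instead of being skipped. Adding the matching assumption for the server context, e.g. `TestUtils.assumeTlsV11Enabled(context.serverContext);` (assuming TestSSLContext exposes it under that name), would make the skip symmetric. The two noncontiguousProtocols tests earlier in this file have the same one-sided guard before `client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"})`, and the repackaged copy of SSLSocketTest repeats all four. The body of each test continues outside the hunk.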
diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java index f10c388e..de30bbfa 100644 --- a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java +++ b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java @@ -18,7 +18,7 @@ package org.conscrypt; import static org.conscrypt.TestUtils.getConscryptProvider; import static org.conscrypt.TestUtils.getJdkProvider; -import static org.conscrypt.TestUtils.getProtocols; +import static org.conscrypt.TestUtils.highestCommonProtocol; import static org.conscrypt.TestUtils.initSslContext; import static org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertArrayEquals; @@ -569,7 +569,7 @@ public class ConscryptEngineTest { private static SSLContext newContext(Provider provider, TestKeyStore keyStore) { try { - SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider); + SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider); return initSslContext(ctx, keyStore); } catch (NoSuchAlgorithmException e) { throw new RuntimeException(e); diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java index 84a0ff69..44533ce9 100644 --- a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java +++ b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java @@ -17,7 +17,6 @@ package org.conscrypt; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; 
@@ -25,10 +24,9 @@ import static org.junit.Assert.fail; import java.security.Provider; import java.security.Security; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; import javax.net.ssl.SSLContext; + +import org.conscrypt.java.security.StandardNames; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.JUnit4; 
@@ -52,69 +50,61 @@ public class ConscryptTest { } @Test - public void testProviderBuilder() throws Exception { - Provider p = Conscrypt.newProviderBuilder() - .setName("test name") - .provideTrustManager(true) - .defaultTlsProtocol("TLSv1.2").build(); - - assertEquals("test name", p.getName()); - assertTrue(p.containsKey("TrustManagerFactory.PKIX")); + public void buildTls12WithTrustManager() throws Exception { + buildProvider("TLSv1.2", true); + } + @Test + public void buildTls12WithoutTrustManager() throws Exception { + buildProvider("TLSv1.2", false); + } - try { - Security.insertProviderAt(p, 1); + @Test + public void buildTls13WithTrustManager() throws Exception { + buildProvider("TLSv1.3", true); + } - SSLContext context = SSLContext.getInstance("TLS"); - context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + @Test + public void buildTls13WithoutTrustManager() throws Exception { + buildProvider("TLSv1.3", false); + } - context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); - } finally { - Security.removeProvider("test name"); + @Test + public void buildInvalid() { + try { + Conscrypt.newProviderBuilder() + .defaultTlsProtocol("invalid").build(); + fail(); + } catch (IllegalArgumentException e) { + // Expected. 
} + } + + private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception { + Provider provider = Conscrypt.newProviderBuilder() + .setName("test name") + .provideTrustManager(withTrustManager) + .defaultTlsProtocol(defaultProtocol) + .build(); - p = Conscrypt.newProviderBuilder() - .setName("test name 2") - .provideTrustManager(false) - .defaultTlsProtocol("TLSv1.3").build(); + assertEquals("test name", provider.getName()); + assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX")); - assertEquals("test name 2", p.getName()); - assertFalse(p.containsKey("TrustManagerFactory.PKIX")); - try { - Security.insertProviderAt(p, 1); + Security.insertProviderAt(provider, 1); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = - new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); + context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); } finally { - Security.removeProvider("test name 2"); - } - - try { - Conscrypt.newProviderBuilder() - .defaultTlsProtocol("invalid").build(); - fail(); - } catch (IllegalArgumentException expected) { + Security.removeProvider("test name"); } } } 
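Review bot: The new `buildProvider` helper has no comment although it mutates process-global state: it installs a provider named "test name" at position 1 via `Security.insertProviderAt(provider, 1)` and then asserts on the `TLS` and `Default` contexts before removing it in `finally`. A short header would save the next reader from tracing that, e.g. `// Builds a provider with the given default protocol, installs it at top priority so the default SSLContexts resolve to it, and verifies the enabled protocols; always uninstalls it.` Because all four callers share the same provider name and priority slot, they are only safe while the test class runs sequentially, which is worth stating in that comment too. The repackaged ConscryptTest carries the identical helper and would take the same comment.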
diff --git a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java index c253da22..c7a8de88 100644 --- a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java +++ b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java @@ -77,7 +77,7 @@ final class MockSessionBuilder { when(session.getId()).thenReturn(id); when(session.isValid()).thenReturn(valid); when(session.isSingleUse()).thenReturn(singleUse); - when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]); + when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol()); when(session.getPeerHost()).thenReturn(host); when(session.getPeerPort()).thenReturn(port); when(session.getCipherSuite()).thenReturn(cipherSuite); diff --git a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java index e4297842..601fceec 100644 --- a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java +++ b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java @@ -144,7 +144,7 @@ public class RenegotiationTest { Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket); socket = (SSLSocket) socketFactory.createSocket( TestUtils.getLoopbackAddress(), port); - socket.setEnabledProtocols(TestUtils.getProtocols()); + socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); } catch (IOException e) { throw new RuntimeException(e); @@ -234,7 +234,7 @@ public class RenegotiationTest { serverChannel = ServerSocketChannel.open(); serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0)); engine = newJdkServerContext().createSSLEngine(); - engine.setEnabledProtocols(TestUtils.getProtocols()); + engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); engine.setUseClientMode(false); 
diff --git a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java index f8a80bb6..03a97157 100644 --- a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java +++ b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java @@ -17,10 +17,11 @@ package com.android.org.conscrypt; -import static com.android.org.conscrypt.TestUtils.getProtocols; +import static com.android.org.conscrypt.TestUtils.getCommonProtocolSuites; import static com.android.org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertEquals; +import com.android.org.conscrypt.ServerEndpoint.MessageProcessor; import java.io.IOException; import java.io.OutputStream; import java.net.SocketException; @@ -30,7 +31,6 @@ import java.util.concurrent.Future; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicLong; -import com.android.org.conscrypt.ServerEndpoint.MessageProcessor; /** * Benchmark for comparing performance of server socket implementations. @@ -64,7 +64,7 @@ public final class ServerSocketBenchmark { final ChannelType channelType = config.channelType(); server = config.serverFactory().newServer( - channelType, config.messageSize(), getProtocols(), ciphers(config)); + channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config)); server.setMessageProcessor(new MessageProcessor() { @Override public void processMessage(byte[] inMessage, int numBytes, OutputStream os) { 
@@ -88,7 +88,7 @@ public final class ServerSocketBenchmark { // Always use the same client for consistency across the benchmarks. client = config.clientFactory().newClient( - ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config)); + ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config)); client.start(); // Wait for the initial connection to complete. diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java index 8cabe71e..77b01799 100644 --- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java +++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java @@ -429,6 +429,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); @@ -460,6 +462,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); 
@@ -1011,6 +1015,8 @@ public class SSLSocketTest { @Test public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); @@ -1050,6 +1056,8 @@ public class SSLSocketTest { public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java index bfe10f9e..e1f4a13a 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java @@ -19,7 +19,7 @@ package com.android.org.conscrypt; import static com.android.org.conscrypt.TestUtils.getConscryptProvider; import static com.android.org.conscrypt.TestUtils.getJdkProvider; -import static com.android.org.conscrypt.TestUtils.getProtocols; +import static com.android.org.conscrypt.TestUtils.highestCommonProtocol; import static com.android.org.conscrypt.TestUtils.initSslContext; import static com.android.org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertArrayEquals; 
@@ -578,7 +578,7 @@ public class ConscryptEngineTest { private static SSLContext newContext(Provider provider, TestKeyStore keyStore) { try { - SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider); + SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider); return initSslContext(ctx, keyStore); } catch (NoSuchAlgorithmException e) { throw new RuntimeException(e); diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java index b40f8353..59cd9d9b 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java @@ -18,17 +18,14 @@ package com.android.org.conscrypt; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import com.android.org.conscrypt.java.security.StandardNames; import java.security.Provider; import java.security.Security; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; import javax.net.ssl.SSLContext; import org.junit.Test; import org.junit.runner.RunWith; 
@@ -56,70 +53,59 @@ public class ConscryptTest { } @Test - public void testProviderBuilder() throws Exception { - Provider p = Conscrypt.newProviderBuilder() - .setName("test name") - .provideTrustManager(true) - .defaultTlsProtocol("TLSv1.2") - .build(); - - assertEquals("test name", p.getName()); - assertTrue(p.containsKey("TrustManagerFactory.PKIX")); + public void buildTls12WithTrustManager() throws Exception { + buildProvider("TLSv1.2", true); + } + @Test + public void buildTls12WithoutTrustManager() throws Exception { + buildProvider("TLSv1.2", false); + } - try { - Security.insertProviderAt(p, 1); + @Test + public void buildTls13WithTrustManager() throws Exception { + buildProvider("TLSv1.3", true); + } - SSLContext context = SSLContext.getInstance("TLS"); - context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + @Test + public void buildTls13WithoutTrustManager() throws Exception { + buildProvider("TLSv1.3", false); + } - context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); - } finally { - Security.removeProvider("test name"); + @Test + public void buildInvalid() { + try { + Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build(); + fail(); + } catch (IllegalArgumentException e) { + // Expected. 
} + } - p = Conscrypt.newProviderBuilder() - .setName("test name 2") - .provideTrustManager(false) - .defaultTlsProtocol("TLSv1.3") - .build(); + private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception { + Provider provider = Conscrypt.newProviderBuilder() + .setName("test name") + .provideTrustManager(withTrustManager) + .defaultTlsProtocol(defaultProtocol) + .build(); - assertEquals("test name 2", p.getName()); - assertFalse(p.containsKey("TrustManagerFactory.PKIX")); + assertEquals("test name", provider.getName()); + assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX")); try { - Security.insertProviderAt(p, 1); + Security.insertProviderAt(provider, 1); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = - new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); } finally { - Security.removeProvider("test name 2"); - } - - try { - Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build(); - fail(); - } catch (IllegalArgumentException expected) { + Security.removeProvider("test name"); } } } 
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java index 49b7abf0..aafc5951 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java @@ -78,7 +78,7 @@ final class MockSessionBuilder { when(session.getId()).thenReturn(id); when(session.isValid()).thenReturn(valid); when(session.isSingleUse()).thenReturn(singleUse); - when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]); + when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol()); when(session.getPeerHost()).thenReturn(host); when(session.getPeerPort()).thenReturn(port); when(session.getCipherSuite()).thenReturn(cipherSuite); diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java index bc843dca..e2541cb1 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java @@ -149,7 +149,7 @@ public class RenegotiationTest { Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket); socket = (SSLSocket) socketFactory.createSocket( TestUtils.getLoopbackAddress(), port); - socket.setEnabledProtocols(TestUtils.getProtocols()); + socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); } catch (IOException e) { throw new RuntimeException(e); 
@@ -239,7 +239,7 @@ public class RenegotiationTest { serverChannel = ServerSocketChannel.open(); serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0)); engine = newJdkServerContext().createSSLEngine(); - engine.setEnabledProtocols(TestUtils.getProtocols()); + engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); engine.setUseClientMode(false); diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java index 5d4c869e..11b757e0 100644 --- a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java +++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java @@ -34,6 +34,7 @@ import java.net.ServerSocket; import java.net.UnknownHostException; import java.nio.ByteBuffer; import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; import java.security.Provider; @@ -45,10 +46,12 @@ import java.security.spec.X509EncodedKeySpec; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; -import java.util.Iterator; -import java.util.LinkedHashSet; +import java.util.HashSet; import java.util.List; import java.util.Set; +import java.util.function.IntFunction; +import java.util.function.Predicate; + import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; 
@@ -66,27 +69,27 @@ import org.junit.Assume; * @hide This class is not part of the Android public SDK API */ public final class TestUtils { - public static final Charset UTF_8 = Charset.forName("UTF-8"); + public static final Charset UTF_8 = StandardCharsets.UTF_8; + private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3"; private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2"; private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1"; - private static final String PROTOCOL_TLS_V1 = "TLSv1"; - private static final String[] DESIRED_PROTOCOLS = - new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1}; + // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled + // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider. + private static final String[] DESIRED_JDK_PROTOCOLS = new String[] {PROTOCOL_TLS_V1_2}; private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider(); private static final byte[] CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8); private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0); - private static final String[] PROTOCOLS = getProtocolsInternal(); static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; private TestUtils() {} private static Provider getNonConscryptTlsProvider() { - for (String protocol : DESIRED_PROTOCOLS) { + for (String protocol : DESIRED_JDK_PROTOCOLS) { for (Provider p : Security.getProviders()) { if (!p.getClass().getPackage().getName().contains("conscrypt") - && hasProtocol(p, protocol)) { + && hasSslContext(p, protocol)) { return p; } } @@ -94,7 +97,7 @@ public final class TestUtils { return new BouncyCastleProvider(); } - private static boolean hasProtocol(Provider p, String protocol) { + private static boolean hasSslContext(Provider p, String protocol) { return p.get("SSLContext." + protocol) != null; } 
@@ -275,31 +278,6 @@ public final class TestUtils { throw ex; } - /** - * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}. - */ - public static String[] getProtocols() { - return PROTOCOLS; - } - - private static String[] getProtocolsInternal() { - List<String> protocols = new ArrayList<String>(); - for (String protocol : DESIRED_PROTOCOLS) { - if (hasProtocol(getJdkProvider(), protocol)) { - protocols.add(protocol); - } - } - return protocols.toArray(new String[protocols.size()]); - } - - public static SSLSocketFactory getJdkSocketFactory() { - return getSocketFactory(JDK_PROVIDER); - } - - public static SSLServerSocketFactory getJdkServerSocketFactory() { - return getServerSocketFactory(JDK_PROVIDER); - } - static SSLSocketFactory setUseEngineSocket( SSLSocketFactory conscryptFactory, boolean useEngineSocket) { try { 
@@ -362,33 +340,79 @@ public final class TestUtils { } } - static String[] getCommonCipherSuites() { - SSLContext jdkContext = - TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient()); - SSLContext conscryptContext = TestUtils.initSslContext( - newContext(getConscryptProvider()), TestKeyStore.getClient()); - Set<String> supported = new LinkedHashSet<String>(); - supported.addAll(supportedCiphers(jdkContext)); - supported.retainAll(supportedCiphers(conscryptContext)); - filterCiphers(supported); + public static String highestCommonProtocol() { + String[] common = getCommonProtocolSuites(); + Arrays.sort(common); + return common[common.length - 1]; + } - return supported.toArray(new String[supported.size()]); + public static String[] getCommonProtocolSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + // No point building a Set here due to small list sizes. + final List<String> conscryptProtocols = getSupportedProtocols(conscryptContext); + // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3. 
+ Predicate<String> predicate = new Predicate<String>() { + @Override + public boolean test(String string) { + return conscryptProtocols.contains(string) && !string.equals(PROTOCOL_TLS_V1_3); + } + }; + return getSupportedProtocols(jdkContext, predicate); + } + + public static String[] getCommonCipherSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + final Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext)); + Predicate<String> predicate = new Predicate<String>() { + @Override + public boolean test(String string) { + return isTlsCipherSuite(string) && conscryptCiphers.contains(string); + } + }; + return getSupportedCiphers(jdkContext, predicate); } - private static List<String> supportedCiphers(SSLContext ctx) { + public static List<String> getSupportedCiphers(SSLContext ctx) { return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()); } - private static void filterCiphers(Iterable<String> ciphers) { - // Filter all non-TLS ciphers. 
- Iterator<String> iter = ciphers.iterator(); - while (iter.hasNext()) { - String cipher = iter.next(); - if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY") - || cipher.contains("_RC4_")) { - iter.remove(); + public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) { + IntFunction<String[]> transform = new IntFunction<String[]>() { + @Override + public String[] apply(int value) { + return new String[value]; } - } + }; + return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites()) + .filter(predicate) + .toArray(transform); + } + + public static List<String> getSupportedProtocols(SSLContext ctx) { + return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()); + } + + public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) { + IntFunction<String[]> transform = new IntFunction<String[]>() { + @Override + public String[] apply(int value) { + return new String[value]; + } + }; + return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols()) + .filter(predicate) + .toArray(transform); + } + + private static boolean isTlsCipherSuite(String cipher) { + return !cipher.startsWith("SSL_") && !cipher.startsWith("TLS_EMPTY") + && !cipher.contains("_RC4_"); + } + + public static void assumeTlsV11Enabled(SSLContext context) { + Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1)); } /** diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java index 917df975..28256773 100644 --- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java +++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java 
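Review bot: `getSupportedProtocols` and `getSupportedCiphers` read `ctx.getDefaultSSLParameters()`, which is the default-enabled set rather than the supported set (`getSupportedSSLParameters()`), so the names promise more than they return; `assumeTlsV11Enabled` happens to want the default-enabled set, but a future caller of getSupportedProtocols will reasonably expect a protocol that is supported-but-disabled to be listed. Either rename them to `getDefaultProtocols`/`getDefaultCiphers` or document the distinction, e.g. `/** Protocols enabled by default in {@code ctx}; use getSupportedSSLParameters() for the supported set. */`. Separately, `highestCommonProtocol` relies on `Arrays.sort` ordering version strings lexicographically and fails with a bare ArrayIndexOutOfBoundsException when the intersection is empty; a guard such as `if (common.length == 0) { throw new IllegalStateException("No TLS protocol common to the JDK and Conscrypt providers"); }` plus a comment noting the ordering assumption would make failures self-explaining. The non-repackaged testing/TestUtils.java presumably receives the same changes, but its body hunks lie outside this view.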
@@ -144,6 +144,9 @@ public final class StandardNames { Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")); public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>( Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3")); + // Deprecated TLS protocols... May or may not be present or enabled. + public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = + new HashSet<>(Arrays.asList("TLSv1", "TLSv1.1")); public static final Set<String> KEY_TYPES = new HashSet<String>( Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA")); @@ -390,10 +393,13 @@ public final class StandardNames { * assertSupportedProtocols additionally verifies that all * supported protocols where in the input array. */ - private static void assertSupportedProtocols(Set<String> expected, String[] protocols) { - Set<String> remainingProtocols = assertValidProtocols(expected, protocols); + private static void assertSupportedProtocols(Set<String> valid, String[] protocols) { + Set<String> remainingProtocols = assertValidProtocols(valid, protocols); + + // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols() + remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols); - assertEquals(expected.size(), protocols.length); } /** 
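Review bot: The Javadoc directly above `assertSupportedProtocols` still promises that every protocol in the `valid` set was present in the input array, but the new `remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED)` makes TLSv1 and TLSv1.1 optional, so the documented contract and the code now disagree; add a sentence such as `Deprecated protocols (TLSv1, TLSv1.1) are permitted to be absent; see assertSSLContextEnabledProtocols().` to that Javadoc. The identical hunk in testing/src/main/java/org/conscrypt/java/security/StandardNames.java needs the same wording. The dropped `assertEquals(expected.size(), protocols.length)` also appears to have been the only guard against duplicate entries in `protocols`; if that mattered, `assertEquals("Duplicate protocols", protocols.length, new HashSet<>(Arrays.asList(protocols)).size());` restores it without reintroducing the strict size match.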
@@ -434,9 +440,18 @@ public final class StandardNames { } public static void assertSSLContextEnabledProtocols(String version, String[] protocols) { - assertEquals("For protocol \"" + version + "\"", - Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)), - Arrays.toString(protocols)); + Set<String> expected = + new HashSet<>(Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version))); + Set<String> actual = new HashSet<>(Arrays.asList(protocols)); + + // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows + // testing on source trees where these have been disabled in unknown ways. + // Future work will provide a supported API for disabling protocols, but for + // now we need to work with what's in the field. + expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + + assertEquals("For protocol \"" + version + "\"", expected, actual); } /** diff --git a/testing/src/main/java/org/conscrypt/TestUtils.java b/testing/src/main/java/org/conscrypt/TestUtils.java index b1ccad87..a434b153 100644 --- a/testing/src/main/java/org/conscrypt/TestUtils.java +++ b/testing/src/main/java/org/conscrypt/TestUtils.java @@ -30,6 +30,7 @@ import java.net.ServerSocket; import java.net.UnknownHostException; import java.nio.ByteBuffer; import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; import java.security.Provider; @@ -41,10 +42,12 @@ import java.security.spec.X509EncodedKeySpec; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; -import java.util.Iterator; -import java.util.LinkedHashSet; +import java.util.HashSet; import java.util.List; import java.util.Set; +import java.util.function.IntFunction; +import java.util.function.Predicate; + import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; 
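Review bot: Removing `SSL_CONTEXT_PROTOCOLS_DEPRECATED` from `actual` as well as from `expected` means a context that unexpectedly enables TLSv1 or TLSv1.1 now passes `assertSSLContextEnabledProtocols`, so the assertion tolerates the presence of deprecated protocols and not just their absence, which is the opposite of the stated goal of coping with trees where they have been disabled. Keep the tolerance for absence but still fail when a deprecated protocol is enabled without being expected, as below. The move from `Arrays.toString` to set equality also silently drops the ordering check on enabled protocols; if order is part of the contract, that deserves a comment at least. The same hunk appears in testing/src/main/java/org/conscrypt/java/security/StandardNames.java and should get the same treatment.
```java
        Set<String> actual = new HashSet<>(Arrays.asList(protocols));

        // Deprecated protocols may be disabled in unknown ways, so tolerate their
        // absence, but never their presence where the expected set does not list them.
        Set<String> unexpected = new HashSet<>(actual);
        unexpected.retainAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
        unexpected.removeAll(expected);
        assertEquals("Unexpected deprecated protocols for \"" + version + "\"",
                Collections.emptySet(), unexpected);

        expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
        actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
        // … unchanged: final assertEquals on expected vs actual …
```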
@@ -64,27 +67,27 @@ import org.junit.Assume; * Utility methods to support testing. */ public final class TestUtils { - public static final Charset UTF_8 = Charset.forName("UTF-8"); + public static final Charset UTF_8 = StandardCharsets.UTF_8; + private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3"; private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2"; private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1"; - private static final String PROTOCOL_TLS_V1 = "TLSv1"; - private static final String[] DESIRED_PROTOCOLS = - new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1}; + // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled + // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider. + private static final String[] DESIRED_JDK_PROTOCOLS = new String[] { PROTOCOL_TLS_V1_2 }; private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider(); private static final byte[] CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8); private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0); - private static final String[] PROTOCOLS = getProtocolsInternal(); static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; private TestUtils() {} private static Provider getNonConscryptTlsProvider() { - for (String protocol : DESIRED_PROTOCOLS) { + for (String protocol : DESIRED_JDK_PROTOCOLS) { for (Provider p : Security.getProviders()) { if (!p.getClass().getPackage().getName().contains("conscrypt") - && hasProtocol(p, protocol)) { + && hasSslContext(p, protocol)) { return p; } } @@ -92,7 +95,7 @@ public final class TestUtils { return new BouncyCastleProvider(); } - private static boolean hasProtocol(Provider p, String protocol) { + private static boolean hasSslContext(Provider p, String protocol) { return p.get("SSLContext." + protocol) != null; } 
@@ -272,31 +275,6 @@ public final class TestUtils { throw ex; } - /** - * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}. - */ - public static String[] getProtocols() { - return PROTOCOLS; - } - - private static String[] getProtocolsInternal() { - List<String> protocols = new ArrayList<String>(); - for (String protocol : DESIRED_PROTOCOLS) { - if (hasProtocol(getJdkProvider(), protocol)) { - protocols.add(protocol); - } - } - return protocols.toArray(new String[protocols.size()]); - } - - public static SSLSocketFactory getJdkSocketFactory() { - return getSocketFactory(JDK_PROVIDER); - } - - public static SSLServerSocketFactory getJdkServerSocketFactory() { - return getServerSocketFactory(JDK_PROVIDER); - } - static SSLSocketFactory setUseEngineSocket( SSLSocketFactory conscryptFactory, boolean useEngineSocket) { try { 
@@ -359,33 +337,80 @@ public final class TestUtils { } } - static String[] getCommonCipherSuites() { - SSLContext jdkContext = - TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient()); - SSLContext conscryptContext = TestUtils.initSslContext( - newContext(getConscryptProvider()), TestKeyStore.getClient()); - Set<String> supported = new LinkedHashSet<String>(); - supported.addAll(supportedCiphers(jdkContext)); - supported.retainAll(supportedCiphers(conscryptContext)); - filterCiphers(supported); + public static String highestCommonProtocol() { + String[] common = getCommonProtocolSuites(); + Arrays.sort(common); + return common[common.length - 1]; + } - return supported.toArray(new String[supported.size()]); + public static String[] getCommonProtocolSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + // No point building a Set here due to small list sizes. + final List<String> conscryptProtocols = getSupportedProtocols(conscryptContext); + // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3. 
+ Predicate<String> predicate = new Predicate<String>() { + @Override + public boolean test(String string) { + return conscryptProtocols.contains(string) && !string.equals(PROTOCOL_TLS_V1_3); + } + }; + return getSupportedProtocols(jdkContext, predicate); + } + + public static String[] getCommonCipherSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + final Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext)); + Predicate<String> predicate = new Predicate<String>() { + @Override + public boolean test(String string) { + return isTlsCipherSuite(string) && conscryptCiphers.contains(string); + } + }; + return getSupportedCiphers(jdkContext, predicate); } - private static List<String> supportedCiphers(SSLContext ctx) { + public static List<String> getSupportedCiphers(SSLContext ctx) { return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()); } - private static void filterCiphers(Iterable<String> ciphers) { - // Filter all non-TLS ciphers. 
- Iterator<String> iter = ciphers.iterator(); - while (iter.hasNext()) { - String cipher = iter.next(); - if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY") - || cipher.contains("_RC4_")) { - iter.remove(); + public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) { + IntFunction<String[]> transform = new IntFunction<String[]>() { + @Override + public String[] apply(int value) { + return new String[value]; } - } + }; + return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites()) + .filter(predicate) + .toArray(transform); + } + + public static List<String> getSupportedProtocols(SSLContext ctx) { + return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()); + } + + public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) { + IntFunction<String[]> transform = new IntFunction<String[]>() { + @Override + public String[] apply(int value) { + return new String[value]; + } + }; + return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols()) + .filter(predicate) + .toArray(transform); + } + + private static boolean isTlsCipherSuite(String cipher) { + return !cipher.startsWith("SSL_") + && !cipher.startsWith("TLS_EMPTY") + && !cipher.contains("_RC4_"); + } + + public static void assumeTlsV11Enabled(SSLContext context) { + Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1)); } /** diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java index a3d960d7..86c7d484 100644 --- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java +++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java 
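Review bot: `highestCommonProtocol` indexes `common[common.length - 1]` without checking for an empty array; with TLSv1.3 filtered out by `getCommonProtocolSuites` and TLSv1/TLSv1.1 possibly disabled, an environment where the JDK provider's defaults share nothing with Conscrypt's fails with an ArrayIndexOutOfBoundsException instead of a readable message, so add `if (common.length == 0) throw new IllegalStateException("No TLS protocol is enabled by default in both the JDK and Conscrypt providers");` before the sort. Picking the highest version also relies on `Arrays.sort` ordering protocol names lexicographically, which happens to hold for "TLSv1" through "TLSv1.3" but is worth stating, e.g. `// Lexicographic order matches version order for TLSv1..TLSv1.3.`. Separately, `getSupportedProtocols` and `getSupportedCiphers` read `getDefaultSSLParameters()`, i.e. the default-enabled sets rather than everything the context supports, so a Javadoc line on each saying they return the default-enabled protocols or cipher suites would prevent callers from treating a disabled-but-supported protocol as absent; `assumeTlsV11Enabled` depends on exactly that distinction.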
@@ -142,6 +142,9 @@ public final class StandardNames { Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")); public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>( Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3")); + // Deprecated TLS protocols... May or may not be present or enabled. + public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = new HashSet<>( + Arrays.asList("TLSv1", "TLSv1.1")); public static final Set<String> KEY_TYPES = new HashSet<String>( Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA")); @@ -388,10 +391,13 @@ public final class StandardNames { * assertSupportedProtocols additionally verifies that all * supported protocols where in the input array. */ - private static void assertSupportedProtocols(Set<String> expected, String[] protocols) { - Set<String> remainingProtocols = assertValidProtocols(expected, protocols); + private static void assertSupportedProtocols(Set<String> valid, String[] protocols) { + Set<String> remainingProtocols = assertValidProtocols(valid, protocols); + + // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols() + remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols); - assertEquals(expected.size(), protocols.length); } /** 
@@ -432,9 +438,18 @@ public final class StandardNames { } public static void assertSSLContextEnabledProtocols(String version, String[] protocols) { - assertEquals("For protocol \"" + version + "\"", - Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)), - Arrays.toString(protocols)); + Set<String> expected = new HashSet<>( + Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version))); + Set<String> actual = new HashSet<>(Arrays.asList(protocols)); + + // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows + // testing on source trees where these have been disabled in unknown ways. + // Future work will provide a supported API for disabling protocols, but for + // now we need to work with what's in the field. + expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + + assertEquals("For protocol \"" + version + "\"", expected, actual); } /** |