authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-07-13 20:02:36 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-07-13 20:02:36 +0000
commit44e26ef9b2ca05bd76866115105002babcca5679 (patch)
tree0d652bd64e3736f3b78e0807b3ce74afd134817b
parent73428e8fd13790bc0474d52f58d8135667a50cc4 (diff)
parentd075ab478a3b9e89040f9bd8f0957bc3dc9670fc (diff)
Snap for 10489348 from d075ab478a3b9e89040f9bd8f0957bc3dc9670fc to android12-tests-release
Change-Id: I4f04ab3766960cbd08689a91c29a92ef292605a8
-rw-r--r--Android.bp2
-rw-r--r--benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java6
-rw-r--r--common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java8
-rw-r--r--openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java4
-rw-r--r--openjdk/src/test/java/org/conscrypt/ConscryptTest.java98
-rw-r--r--openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java2
-rw-r--r--openjdk/src/test/java/org/conscrypt/RenegotiationTest.java4
-rw-r--r--repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java8
-rw-r--r--repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java8
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java4
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java94
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java2
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java4
-rw-r--r--repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java102
-rw-r--r--repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java27
-rw-r--r--testing/src/main/java/org/conscrypt/TestUtils.java103
-rw-r--r--testing/src/main/java/org/conscrypt/java/security/StandardNames.java27
17 files changed, 273 insertions, 230 deletions
diff --git a/Android.bp b/Android.bp
index ff3a903e..af41a1a7 100644
--- a/Android.bp
+++ b/Android.bp
@@ -599,7 +599,7 @@ java_test {
enabled: false,
},
},
- java_version: "1.7",
+ java_version: "1.8",
}
// Make the conscrypt-benchmarks library.
diff --git a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java
index 29682f2a..97ff8051 100644
--- a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java
+++ b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java
@@ -16,7 +16,7 @@
package org.conscrypt;
-import static org.conscrypt.TestUtils.getProtocols;
+import static org.conscrypt.TestUtils.getCommonProtocolSuites;
import static org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertEquals;
@@ -62,7 +62,7 @@ public final class ServerSocketBenchmark {
final ChannelType channelType = config.channelType();
server = config.serverFactory().newServer(
- channelType, config.messageSize(), getProtocols(), ciphers(config));
+ channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config));
server.setMessageProcessor(new MessageProcessor() {
@Override
public void processMessage(byte[] inMessage, int numBytes, OutputStream os) {
@@ -86,7 +86,7 @@ public final class ServerSocketBenchmark {
// Always use the same client for consistency across the benchmarks.
client = config.clientFactory().newClient(
- ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config));
+ ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config));
client.start();
// Wait for the initial connection to complete.
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
index d0d5dd7e..e5a18cef 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
@@ -424,6 +424,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
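Review bot: The added comment gives a reason ("at least 3 protocol versions enabled") that the guard does not check: `assumeTlsV11Enabled` only tests that TLSv1.1 is in the client context's default protocol list, which is what the `setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"})` call at the end of this hunk needs. I would reword it to `// Needs TLSv1.1 in the client context: the test enables only TLSv1.3 and TLSv1.1.` so a reader can see why the test is skipped on trees where TLS 1.1 is off. The same comment is added in test_SSLSocket_noncontiguousProtocols_canNegotiate in the next hunk and in both matching hunks of the repackaged copy. Only the client context is checked; whether the server side needs the same guard cannot be seen here, because the test bodies continue outside the hunks.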
@@ -455,6 +457,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
@@ -1006,6 +1010,8 @@ public class SSLSocketTest {
@Test
public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
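Review bot: The comment and the guard disagree: the comment says TLS_FALLBACK_SCSV applies to TLS <= 1.2, but `assumeTlsV11Enabled` skips the test unless TLSv1.1 is in the client context's default protocols, so on a tree with only TLS 1.2 and 1.3 enabled both SCSV tests are skipped rather than run. The test body is outside this hunk, so I cannot tell whether it really needs TLS 1.1; if it does, the comment should say that, e.g. `// Skipped unless TLSv1.1 is enabled: the fallback under test needs a version below TLSv1.2.` Because a failed JUnit assumption skips quietly, it is also worth recording here that downgrade-protection coverage is lost on such trees. The same applies to test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure in the next hunk and to the repackaged copy.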
@@ -1045,6 +1051,8 @@ public class SSLSocketTest {
public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure()
throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java
index f10c388e..de30bbfa 100644
--- a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java
+++ b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java
@@ -18,7 +18,7 @@ package org.conscrypt;
import static org.conscrypt.TestUtils.getConscryptProvider;
import static org.conscrypt.TestUtils.getJdkProvider;
-import static org.conscrypt.TestUtils.getProtocols;
+import static org.conscrypt.TestUtils.highestCommonProtocol;
import static org.conscrypt.TestUtils.initSslContext;
import static org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertArrayEquals;
@@ -569,7 +569,7 @@ public class ConscryptEngineTest {
private static SSLContext newContext(Provider provider, TestKeyStore keyStore) {
try {
- SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider);
+ SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider);
return initSslContext(ctx, keyStore);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java
index 84a0ff69..44533ce9 100644
--- a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java
+++ b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java
@@ -17,7 +17,6 @@
package org.conscrypt;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
@@ -25,10 +24,9 @@ import static org.junit.Assert.fail;
import java.security.Provider;
import java.security.Security;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
import javax.net.ssl.SSLContext;
+
+import org.conscrypt.java.security.StandardNames;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
@@ -52,69 +50,61 @@ public class ConscryptTest {
}
@Test
- public void testProviderBuilder() throws Exception {
- Provider p = Conscrypt.newProviderBuilder()
- .setName("test name")
- .provideTrustManager(true)
- .defaultTlsProtocol("TLSv1.2").build();
-
- assertEquals("test name", p.getName());
- assertTrue(p.containsKey("TrustManagerFactory.PKIX"));
+ public void buildTls12WithTrustManager() throws Exception {
+ buildProvider("TLSv1.2", true);
+ }
+ @Test
+ public void buildTls12WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.2", false);
+ }
- try {
- Security.insertProviderAt(p, 1);
+ @Test
+ public void buildTls13WithTrustManager() throws Exception {
+ buildProvider("TLSv1.3", true);
+ }
- SSLContext context = SSLContext.getInstance("TLS");
- context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ @Test
+ public void buildTls13WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.3", false);
+ }
- context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
- } finally {
- Security.removeProvider("test name");
+ @Test
+ public void buildInvalid() {
+ try {
+ Conscrypt.newProviderBuilder()
+ .defaultTlsProtocol("invalid").build();
+ fail();
+ } catch (IllegalArgumentException e) {
+ // Expected.
}
+ }
+
+ private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception {
+ Provider provider = Conscrypt.newProviderBuilder()
+ .setName("test name")
+ .provideTrustManager(withTrustManager)
+ .defaultTlsProtocol(defaultProtocol)
+ .build();
- p = Conscrypt.newProviderBuilder()
- .setName("test name 2")
- .provideTrustManager(false)
- .defaultTlsProtocol("TLSv1.3").build();
+ assertEquals("test name", provider.getName());
+ assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX"));
- assertEquals("test name 2", p.getName());
- assertFalse(p.containsKey("TrustManagerFactory.PKIX"));
-
try {
- Security.insertProviderAt(p, 1);
+ Security.insertProviderAt(provider, 1);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected =
- new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
+
context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
} finally {
- Security.removeProvider("test name 2");
- }
-
- try {
- Conscrypt.newProviderBuilder()
- .defaultTlsProtocol("invalid").build();
- fail();
- } catch (IllegalArgumentException expected) {
+ Security.removeProvider("test name");
}
}
}
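Review bot: `buildProvider` now delegates the protocol check to `StandardNames.assertSSLContextEnabledProtocols`, and the TODO this commit adds to that method says deprecated protocols are ignored there, so these four tests appear to no longer pin whether TLSv1 and TLSv1.1 are enabled for a provider built with `defaultTlsProtocol(...)`; the removed code asserted the exact set. The body of that StandardNames method is cut off in this view, so treat this as an inference. A short comment above the helper would record the gap, e.g. `// TLSv1/TLSv1.1 are not asserted here; see StandardNames.assertSSLContextEnabledProtocols.` Separately, `fail()` in buildInvalid carries no message; `fail("expected IllegalArgumentException for protocol \"invalid\"")` makes a regression easier to read. The repackaged ConscryptTest has the same code.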
diff --git a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java
index c253da22..c7a8de88 100644
--- a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java
+++ b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java
@@ -77,7 +77,7 @@ final class MockSessionBuilder {
when(session.getId()).thenReturn(id);
when(session.isValid()).thenReturn(valid);
when(session.isSingleUse()).thenReturn(singleUse);
- when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]);
+ when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol());
when(session.getPeerHost()).thenReturn(host);
when(session.getPeerPort()).thenReturn(port);
when(session.getCipherSuite()).thenReturn(cipherSuite);
diff --git a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java
index e4297842..601fceec 100644
--- a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java
+++ b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java
@@ -144,7 +144,7 @@ public class RenegotiationTest {
Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket);
socket = (SSLSocket) socketFactory.createSocket(
TestUtils.getLoopbackAddress(), port);
- socket.setEnabledProtocols(TestUtils.getProtocols());
+ socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
} catch (IOException e) {
throw new RuntimeException(e);
@@ -234,7 +234,7 @@ public class RenegotiationTest {
serverChannel = ServerSocketChannel.open();
serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0));
engine = newJdkServerContext().createSSLEngine();
- engine.setEnabledProtocols(TestUtils.getProtocols());
+ engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
engine.setUseClientMode(false);
diff --git a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java
index f8a80bb6..03a97157 100644
--- a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java
+++ b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java
@@ -17,10 +17,11 @@
package com.android.org.conscrypt;
-import static com.android.org.conscrypt.TestUtils.getProtocols;
+import static com.android.org.conscrypt.TestUtils.getCommonProtocolSuites;
import static com.android.org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertEquals;
+import com.android.org.conscrypt.ServerEndpoint.MessageProcessor;
import java.io.IOException;
import java.io.OutputStream;
import java.net.SocketException;
@@ -30,7 +31,6 @@ import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
-import com.android.org.conscrypt.ServerEndpoint.MessageProcessor;
/**
* Benchmark for comparing performance of server socket implementations.
@@ -64,7 +64,7 @@ public final class ServerSocketBenchmark {
final ChannelType channelType = config.channelType();
server = config.serverFactory().newServer(
- channelType, config.messageSize(), getProtocols(), ciphers(config));
+ channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config));
server.setMessageProcessor(new MessageProcessor() {
@Override
public void processMessage(byte[] inMessage, int numBytes, OutputStream os) {
@@ -88,7 +88,7 @@ public final class ServerSocketBenchmark {
// Always use the same client for consistency across the benchmarks.
client = config.clientFactory().newClient(
- ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config));
+ ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config));
client.start();
// Wait for the initial connection to complete.
diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java
index 80c84866..197674b2 100644
--- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java
+++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java
@@ -428,6 +428,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
@@ -459,6 +461,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
@@ -1010,6 +1014,8 @@ public class SSLSocketTest {
@Test
public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
@@ -1049,6 +1055,8 @@ public class SSLSocketTest {
public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure()
throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java
index bfe10f9e..e1f4a13a 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java
@@ -19,7 +19,7 @@ package com.android.org.conscrypt;
import static com.android.org.conscrypt.TestUtils.getConscryptProvider;
import static com.android.org.conscrypt.TestUtils.getJdkProvider;
-import static com.android.org.conscrypt.TestUtils.getProtocols;
+import static com.android.org.conscrypt.TestUtils.highestCommonProtocol;
import static com.android.org.conscrypt.TestUtils.initSslContext;
import static com.android.org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertArrayEquals;
@@ -578,7 +578,7 @@ public class ConscryptEngineTest {
private static SSLContext newContext(Provider provider, TestKeyStore keyStore) {
try {
- SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider);
+ SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider);
return initSslContext(ctx, keyStore);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java
index b40f8353..59cd9d9b 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java
@@ -18,17 +18,14 @@
package com.android.org.conscrypt;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import com.android.org.conscrypt.java.security.StandardNames;
import java.security.Provider;
import java.security.Security;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
import javax.net.ssl.SSLContext;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -56,70 +53,59 @@ public class ConscryptTest {
}
@Test
- public void testProviderBuilder() throws Exception {
- Provider p = Conscrypt.newProviderBuilder()
- .setName("test name")
- .provideTrustManager(true)
- .defaultTlsProtocol("TLSv1.2")
- .build();
-
- assertEquals("test name", p.getName());
- assertTrue(p.containsKey("TrustManagerFactory.PKIX"));
+ public void buildTls12WithTrustManager() throws Exception {
+ buildProvider("TLSv1.2", true);
+ }
+ @Test
+ public void buildTls12WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.2", false);
+ }
- try {
- Security.insertProviderAt(p, 1);
+ @Test
+ public void buildTls13WithTrustManager() throws Exception {
+ buildProvider("TLSv1.3", true);
+ }
- SSLContext context = SSLContext.getInstance("TLS");
- context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ @Test
+ public void buildTls13WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.3", false);
+ }
- context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
- } finally {
- Security.removeProvider("test name");
+ @Test
+ public void buildInvalid() {
+ try {
+ Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build();
+ fail();
+ } catch (IllegalArgumentException e) {
+ // Expected.
}
+ }
- p = Conscrypt.newProviderBuilder()
- .setName("test name 2")
- .provideTrustManager(false)
- .defaultTlsProtocol("TLSv1.3")
- .build();
+ private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception {
+ Provider provider = Conscrypt.newProviderBuilder()
+ .setName("test name")
+ .provideTrustManager(withTrustManager)
+ .defaultTlsProtocol(defaultProtocol)
+ .build();
- assertEquals("test name 2", p.getName());
- assertFalse(p.containsKey("TrustManagerFactory.PKIX"));
+ assertEquals("test name", provider.getName());
+ assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX"));
try {
- Security.insertProviderAt(p, 1);
+ Security.insertProviderAt(provider, 1);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected =
- new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
} finally {
- Security.removeProvider("test name 2");
- }
-
- try {
- Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build();
- fail();
- } catch (IllegalArgumentException expected) {
+ Security.removeProvider("test name");
}
}
}
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java
index 49b7abf0..aafc5951 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java
@@ -78,7 +78,7 @@ final class MockSessionBuilder {
when(session.getId()).thenReturn(id);
when(session.isValid()).thenReturn(valid);
when(session.isSingleUse()).thenReturn(singleUse);
- when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]);
+ when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol());
when(session.getPeerHost()).thenReturn(host);
when(session.getPeerPort()).thenReturn(port);
when(session.getCipherSuite()).thenReturn(cipherSuite);
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java
index bc843dca..e2541cb1 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java
@@ -149,7 +149,7 @@ public class RenegotiationTest {
Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket);
socket = (SSLSocket) socketFactory.createSocket(
TestUtils.getLoopbackAddress(), port);
- socket.setEnabledProtocols(TestUtils.getProtocols());
+ socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
} catch (IOException e) {
throw new RuntimeException(e);
@@ -239,7 +239,7 @@ public class RenegotiationTest {
serverChannel = ServerSocketChannel.open();
serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0));
engine = newJdkServerContext().createSSLEngine();
- engine.setEnabledProtocols(TestUtils.getProtocols());
+ engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
engine.setUseClientMode(false);
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
index c750c71b..fedb2e48 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
@@ -48,12 +48,12 @@ import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
+import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Random;
import java.util.Set;
+import java.util.function.Predicate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
@@ -71,16 +71,16 @@ import org.junit.Assume;
*/
public final class TestUtils {
public static final Charset UTF_8 = StandardCharsets.UTF_8;
+ private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3";
private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2";
private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1";
- private static final String PROTOCOL_TLS_V1 = "TLSv1";
- private static final String[] DESIRED_PROTOCOLS =
- new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1};
+ // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled
+ // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider.
+ private static final String[] DESIRED_JDK_PROTOCOLS = new String[] {PROTOCOL_TLS_V1_2};
private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider();
private static final byte[] CHARS =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8);
private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0);
- private static final String[] PROTOCOLS = getProtocolsInternal();
static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
@@ -125,10 +125,10 @@ public final class TestUtils {
private TestUtils() {}
private static Provider getNonConscryptTlsProvider() {
- for (String protocol : DESIRED_PROTOCOLS) {
+ for (String protocol : DESIRED_JDK_PROTOCOLS) {
for (Provider p : Security.getProviders()) {
if (!p.getClass().getPackage().getName().contains("conscrypt")
- && hasProtocol(p, protocol)) {
+ && hasSslContext(p, protocol)) {
return p;
}
}
@@ -136,7 +136,7 @@ public final class TestUtils {
return new BouncyCastleProvider();
}
- private static boolean hasProtocol(Provider p, String protocol) {
+ private static boolean hasSslContext(Provider p, String protocol) {
return p.get("SSLContext." + protocol) != null;
}
@@ -314,23 +314,6 @@ public final class TestUtils {
throw ex;
}
- /**
- * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}.
- */
- public static String[] getProtocols() {
- return PROTOCOLS;
- }
-
- private static String[] getProtocolsInternal() {
- List<String> protocols = new ArrayList<>();
- for (String protocol : DESIRED_PROTOCOLS) {
- if (hasProtocol(getJdkProvider(), protocol)) {
- protocols.add(protocol);
- }
- }
- return protocols.toArray(new String[0]);
- }
-
static SSLSocketFactory setUseEngineSocket(
SSLSocketFactory conscryptFactory, boolean useEngineSocket) {
try {
@@ -375,32 +358,59 @@ public final class TestUtils {
}
}
- static String[] getCommonCipherSuites() {
- SSLContext jdkContext =
- TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient());
- SSLContext conscryptContext = TestUtils.initSslContext(
- newContext(getConscryptProvider()), TestKeyStore.getClient());
- Set<String> supported = new LinkedHashSet<>(supportedCiphers(jdkContext));
- supported.retainAll(supportedCiphers(conscryptContext));
- filterCiphers(supported);
+ public static String highestCommonProtocol() {
+ String[] common = getCommonProtocolSuites();
+ Arrays.sort(common);
+ return common[common.length - 1];
+ }
+
+ public static String[] getCommonProtocolSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ // No point building a Set here due to small list sizes.
+ List<String> conscryptProtocols = getSupportedProtocols(conscryptContext);
+ Predicate<String> predicate = p
+ -> conscryptProtocols.contains(p)
+ // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3.
+ && !p.equals(PROTOCOL_TLS_V1_3);
+ return getSupportedProtocols(jdkContext, predicate);
+ }
- return supported.toArray(new String[0]);
+ public static String[] getCommonCipherSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext));
+ Predicate<String> predicate = c -> isTlsCipherSuite(c) && conscryptCiphers.contains(c);
+ return getSupportedCiphers(jdkContext, predicate);
}
- private static List<String> supportedCiphers(SSLContext ctx) {
+ public static List<String> getSupportedCiphers(SSLContext ctx) {
return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
}
- private static void filterCiphers(Iterable<String> ciphers) {
- // Filter all non-TLS ciphers.
- Iterator<String> iter = ciphers.iterator();
- while (iter.hasNext()) {
- String cipher = iter.next();
- if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY")
- || cipher.contains("_RC4_")) {
- iter.remove();
- }
- }
+ public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) {
+ return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites())
+ .filter(predicate)
+ .toArray(String[] ::new);
+ }
+
+ public static List<String> getSupportedProtocols(SSLContext ctx) {
+ return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
+ }
+
+ public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) {
+ return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols())
+ .filter(predicate)
+ .toArray(String[] ::new);
+ }
+
+ private static boolean isTlsCipherSuite(String cipher) {
+ return !cipher.startsWith("SSL_") && !cipher.startsWith("TLS_EMPTY")
+ && !cipher.contains("_RC4_");
+ }
+
+ public static void assumeTlsV11Enabled(SSLContext context) {
+ Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1));
}
/**
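Review bot: `highestCommonProtocol()` indexes `common[common.length - 1]` without checking for an empty array, so if the JDK provider and Conscrypt share no default protocol other than TLSv1.3 (which `getCommonProtocolSuites()` filters out) every caller fails with an ArrayIndexOutOfBoundsException instead of a readable error; add `if (common.length == 0) throw new IllegalStateException("No TLS protocol common to Conscrypt and the JDK provider");` before the sort. The choice of "highest" also rests on `Arrays.sort` ordering the names lexicographically, which holds for "TLSv1" through "TLSv1.3" but deserves a one-line comment. `getSupportedProtocols` and `getSupportedCiphers` read `getDefaultSSLParameters()`, that is the default-enabled values rather than everything the context supports, so either the names or a Javadoc line should say "enabled by default"; `assumeTlsV11Enabled` depends on that meaning. None of the new public helpers has Javadoc.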
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index 07bfd5c9..e0cb2757 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -165,6 +165,9 @@ public final class StandardNames {
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
+ // Deprecated TLS protocols... May or may not be present or enabled.
+ public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED =
+ new HashSet<>(Arrays.asList("TLSv1", "TLSv1.1"));
public static final Set<String> KEY_TYPES = new HashSet<String>(
Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA"));
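Review bot: `SSL_CONTEXT_PROTOCOLS_DEPRECATED` is a public, mutable `HashSet`, and the protocol assertions changed later in this file use it to decide what to ignore, so any test that adds to or removes from it silently changes what those assertions check. Wrapping it, as in `Collections.unmodifiableSet(new HashSet<>(Arrays.asList("TLSv1", "TLSv1.1")))`, keeps it constant. The neighbouring constants have the same mutable shape, so this is a style point rather than a new defect. The same applies to the identical hunk in testing/src/main/java/org/conscrypt/java/security/StandardNames.java.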
@@ -411,10 +414,13 @@ public final class StandardNames {
* assertSupportedProtocols additionally verifies that all
* supported protocols where in the input array.
*/
- private static void assertSupportedProtocols(Set<String> expected, String[] protocols) {
- Set<String> remainingProtocols = assertValidProtocols(expected, protocols);
+ private static void assertSupportedProtocols(Set<String> valid, String[] protocols) {
+ Set<String> remainingProtocols = assertValidProtocols(valid, protocols);
+
+ // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols()
+ remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols);
- assertEquals(expected.size(), protocols.length);
}
/**
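Review bot: The Javadoc above `assertSupportedProtocols` (it starts outside this hunk) still says the method verifies that all supported protocols were in the input array, which no longer holds for TLSv1 and TLSv1.1 once `remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED)` runs. I would add a sentence to that comment such as `Protocols in SSL_CONTEXT_PROTOCOLS_DEPRECATED are not required to be present.` The removed `assertEquals(expected.size(), protocols.length)` was also the only visible check on the array length, so repeated entries in `protocols` may now pass unless `assertValidProtocols`, which is not shown here, rejects them. The identical hunk in testing/src/main/java/org/conscrypt/java/security/StandardNames.java has the same gap.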
@@ -455,9 +461,18 @@ public final class StandardNames {
}
public static void assertSSLContextEnabledProtocols(String version, String[] protocols) {
- assertEquals("For protocol \"" + version + "\"",
- Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)),
- Arrays.toString(protocols));
+ Set<String> expected =
+ new HashSet<>(Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)));
+ Set<String> actual = new HashSet<>(Arrays.asList(protocols));
+
+ // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows
+ // testing on source trees where these have been disabled in unknown ways.
+ // Future work will provide a supported API for disabling protocols, but for
+ // now we need to work with what's in the field.
+ expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+ actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
+ assertEquals("For protocol \"" + version + "\"", expected, actual);
}
/**
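Review bot: Because TLSv1 and TLSv1.1 are stripped from both `expected` and `actual`, `assertSSLContextEnabledProtocols` now passes whether or not a context enables them, including when a deprecated protocol is enabled for a `version` whose expected list does not contain it. The TODO only needs tolerance in one direction (expected but disabled in the tree), so the two `removeAll` lines could become `expected.removeIf(p -> SSL_CONTEXT_PROTOCOLS_DEPRECATED.contains(p) && !actual.contains(p));`, which still fails when a deprecated protocol appears unexpectedly. Whether that case can occur depends on the contents of `SSL_CONTEXT_PROTOCOLS_ENABLED`, which is outside this hunk. Note also that a `version` missing from that map would now throw a `NullPointerException` from `Arrays.asList` instead of producing the old readable assertion message. The identical hunk in testing/src/main/java/org/conscrypt/java/security/StandardNames.java is affected the same way.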
diff --git a/testing/src/main/java/org/conscrypt/TestUtils.java b/testing/src/main/java/org/conscrypt/TestUtils.java
index bfc0d9dc..b0ca9718 100644
--- a/testing/src/main/java/org/conscrypt/TestUtils.java
+++ b/testing/src/main/java/org/conscrypt/TestUtils.java
@@ -44,12 +44,13 @@ import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
+import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Random;
import java.util.Set;
+import java.util.function.Predicate;
+
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
@@ -69,16 +70,16 @@ import org.junit.Assume;
*/
public final class TestUtils {
public static final Charset UTF_8 = StandardCharsets.UTF_8;
+ private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3";
private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2";
private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1";
- private static final String PROTOCOL_TLS_V1 = "TLSv1";
- private static final String[] DESIRED_PROTOCOLS =
- new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1};
+ // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled
+ // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider.
+ private static final String[] DESIRED_JDK_PROTOCOLS = new String[] { PROTOCOL_TLS_V1_2 };
private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider();
private static final byte[] CHARS =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8);
private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0);
- private static final String[] PROTOCOLS = getProtocolsInternal();
static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
@@ -120,10 +121,10 @@ public final class TestUtils {
private TestUtils() {}
private static Provider getNonConscryptTlsProvider() {
- for (String protocol : DESIRED_PROTOCOLS) {
+ for (String protocol : DESIRED_JDK_PROTOCOLS) {
for (Provider p : Security.getProviders()) {
if (!p.getClass().getPackage().getName().contains("conscrypt")
- && hasProtocol(p, protocol)) {
+ && hasSslContext(p, protocol)) {
return p;
}
}
@@ -131,7 +132,7 @@ public final class TestUtils {
return new BouncyCastleProvider();
}
- private static boolean hasProtocol(Provider p, String protocol) {
+ private static boolean hasSslContext(Provider p, String protocol) {
return p.get("SSLContext." + protocol) != null;
}
@@ -308,23 +309,6 @@ public final class TestUtils {
throw ex;
}
- /**
- * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}.
- */
- public static String[] getProtocols() {
- return PROTOCOLS;
- }
-
- private static String[] getProtocolsInternal() {
- List<String> protocols = new ArrayList<>();
- for (String protocol : DESIRED_PROTOCOLS) {
- if (hasProtocol(getJdkProvider(), protocol)) {
- protocols.add(protocol);
- }
- }
- return protocols.toArray(new String[0]);
- }
-
static SSLSocketFactory setUseEngineSocket(
SSLSocketFactory conscryptFactory, boolean useEngineSocket) {
try {
@@ -369,32 +353,59 @@ public final class TestUtils {
}
}
- static String[] getCommonCipherSuites() {
- SSLContext jdkContext =
- TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient());
- SSLContext conscryptContext = TestUtils.initSslContext(
- newContext(getConscryptProvider()), TestKeyStore.getClient());
- Set<String> supported = new LinkedHashSet<>(supportedCiphers(jdkContext));
- supported.retainAll(supportedCiphers(conscryptContext));
- filterCiphers(supported);
+ public static String highestCommonProtocol() {
+ String[] common = getCommonProtocolSuites();
+ Arrays.sort(common);
+ return common[common.length - 1];
+ }
+
+ public static String[] getCommonProtocolSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ // No point building a Set here due to small list sizes.
+ List<String> conscryptProtocols = getSupportedProtocols(conscryptContext);
+ Predicate<String> predicate = p -> conscryptProtocols.contains(p)
+ // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3.
+ && !p.equals(PROTOCOL_TLS_V1_3);
+ return getSupportedProtocols(jdkContext, predicate);
+ }
- return supported.toArray(new String[0]);
+ public static String[] getCommonCipherSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext));
+ Predicate<String> predicate = c -> isTlsCipherSuite(c) && conscryptCiphers.contains(c);
+ return getSupportedCiphers(jdkContext, predicate);
}
- private static List<String> supportedCiphers(SSLContext ctx) {
+ public static List<String> getSupportedCiphers(SSLContext ctx) {
return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
}
- private static void filterCiphers(Iterable<String> ciphers) {
- // Filter all non-TLS ciphers.
- Iterator<String> iter = ciphers.iterator();
- while (iter.hasNext()) {
- String cipher = iter.next();
- if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY")
- || cipher.contains("_RC4_")) {
- iter.remove();
- }
- }
+ public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) {
+ return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites())
+ .filter(predicate)
+ .toArray(String[]::new);
+ }
+
+ public static List<String> getSupportedProtocols(SSLContext ctx) {
+ return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
+ }
+
+ public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) {
+ return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols())
+ .filter(predicate)
+ .toArray(String[]::new);
+ }
+
+ private static boolean isTlsCipherSuite(String cipher) {
+ return !cipher.startsWith("SSL_")
+ && !cipher.startsWith("TLS_EMPTY")
+ && !cipher.contains("_RC4_");
+ }
+
+ public static void assumeTlsV11Enabled(SSLContext context) {
+ Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1));
}
/**
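Review bot: `highestCommonProtocol()` indexes `common[common.length - 1]` without checking for an empty array, so when the JDK provider and Conscrypt share no enabled protocol (after TLSv1.3 is filtered out in `getCommonProtocolSuites()`) the caller gets a bare `ArrayIndexOutOfBoundsException`. A guard such as `if (common.length == 0) throw new IllegalStateException("No TLS protocol common to Conscrypt and the JDK provider");` before the sort would make that failure readable. The method also relies on `Arrays.sort` ordering the names lexicographically, which happens to match version order for "TLSv1" through "TLSv1.3"; a comment like `// Lexicographic order matches version order for the TLSv1.x names.` would record that assumption. Separately, the `getSupportedCiphers` and `getSupportedProtocols` helpers read `getDefaultSSLParameters()`, i.e. the enabled-by-default set, which their Javadoc should say, since `assumeTlsV11Enabled` depends on it.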
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index 08a72bda..7a8672a9 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -163,6 +163,9 @@ public final class StandardNames {
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
+ // Deprecated TLS protocols... May or may not be present or enabled.
+ public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = new HashSet<>(
+ Arrays.asList("TLSv1", "TLSv1.1"));
public static final Set<String> KEY_TYPES = new HashSet<String>(
Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA"));
@@ -409,10 +412,13 @@ public final class StandardNames {
* assertSupportedProtocols additionally verifies that all
* supported protocols where in the input array.
*/
- private static void assertSupportedProtocols(Set<String> expected, String[] protocols) {
- Set<String> remainingProtocols = assertValidProtocols(expected, protocols);
+ private static void assertSupportedProtocols(Set<String> valid, String[] protocols) {
+ Set<String> remainingProtocols = assertValidProtocols(valid, protocols);
+
+ // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols()
+ remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols);
- assertEquals(expected.size(), protocols.length);
}
/**
@@ -453,9 +459,18 @@ public final class StandardNames {
}
public static void assertSSLContextEnabledProtocols(String version, String[] protocols) {
- assertEquals("For protocol \"" + version + "\"",
- Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)),
- Arrays.toString(protocols));
+ Set<String> expected = new HashSet<>(
+ Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)));
+ Set<String> actual = new HashSet<>(Arrays.asList(protocols));
+
+ // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows
+ // testing on source trees where these have been disabled in unknown ways.
+ // Future work will provide a supported API for disabling protocols, but for
+ // now we need to work with what's in the field.
+ expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+ actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
+ assertEquals("For protocol \"" + version + "\"", expected, actual);
}
/**