diff options
author | David Benjamin <davidben@google.com> | 2015-12-15 13:31:03 -0500 |
---|---|---|
committer | Kenny Root <kroot@google.com> | 2016-01-11 18:35:12 +0000 |
commit | 883eeb452dc0aa01f74a426e8084e2af66daaad4 (patch) | |
tree | 80959300981b929588b96ffa12451079f2d38bb0 | |
parent | 7b67911beb2a2010a4b0d94b31d31a7961a4ba49 (diff) | |
download | conscrypt-brillo-m9-dev.tar.gz |
Fix unneccessary access of BoringSSL SSL structs.brillo-m9-releasebrillo-m9-dev
get_SSL_CIPHER_algorithm_mkey and get_SSL_CIPHER_algorithm_auth are never used.
There are also some struct accesses that have public API variants. Finally,
requiring ssl->server be set to 0 before SSL_set1_tls_channel_id was a bug that
has been fixed in BoringSSL. (See
https://boringssl.googlesource.com/boringssl/+/a3d9de05fb6df2c0dffab83717139e6c71d3d329/ssl/s3_lib.c#337)
Change-Id: If68efce2901f3ef89bdf5bb47cbc7d5fddaa6ef6
-rw-r--r-- | src/main/java/org/conscrypt/NativeCrypto.java | 3 | ||||
-rw-r--r-- | src/main/native/org_conscrypt_NativeCrypto.cpp | 34 |
2 files changed, 13 insertions, 24 deletions
diff --git a/src/main/java/org/conscrypt/NativeCrypto.java b/src/main/java/org/conscrypt/NativeCrypto.java index 854c99d2..8956d329 100644 --- a/src/main/java/org/conscrypt/NativeCrypto.java +++ b/src/main/java/org/conscrypt/NativeCrypto.java @@ -962,9 +962,6 @@ public final class NativeCrypto { */ public static native long[] SSL_get_ciphers(long ssl); - public static native int get_SSL_CIPHER_algorithm_mkey(long sslCipher); - public static native int get_SSL_CIPHER_algorithm_auth(long sslCipher); - public static void setEnabledCipherSuites(long ssl, String[] cipherSuites) { checkEnabledCipherSuites(cipherSuites); List<String> opensslSuites = new ArrayList<String>(); diff --git a/src/main/native/org_conscrypt_NativeCrypto.cpp b/src/main/native/org_conscrypt_NativeCrypto.cpp index 48478211..61d3fae6 100644 --- a/src/main/native/org_conscrypt_NativeCrypto.cpp +++ b/src/main/native/org_conscrypt_NativeCrypto.cpp @@ -7777,7 +7777,7 @@ static int client_cert_cb(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) { #else const uint8_t* ctype = nullptr; int ctype_num = SSL_get0_certificate_types(ssl, &ctype); - jobjectArray issuers = getPrincipalBytes(env, ssl->s3->tmp.ca_names); + jobjectArray issuers = getPrincipalBytes(env, SSL_get_client_CA_list(ssl)); #endif #ifdef WITH_JNI_TRACE @@ -8257,10 +8257,12 @@ static void NativeCrypto_SSL_set1_tls_channel_id(JNIEnv* env, jclass, return; } +#if !defined(OPENSSL_IS_BORINGSSL) // SSL_set1_tls_channel_id requires ssl->server to be set to 0. // Unfortunately, the default value is 1 and it's only changed to 0 just // before the handshake starts (see NativeCrypto_SSL_do_handshake). ssl->server = 0; +#endif long ret = SSL_set1_tls_channel_id(ssl, pkey); if (ret != 1L) { @@ -8805,22 +8807,6 @@ static jlongArray NativeCrypto_SSL_get_ciphers(JNIEnv* env, jclass, jlong ssl_ad return ciphersArray.release(); } -static jint NativeCrypto_get_SSL_CIPHER_algorithm_mkey(JNIEnv* env, jclass, - jlong ssl_cipher_address) -{ - SSL_CIPHER* cipher = to_SSL_CIPHER(env, ssl_cipher_address, true); - JNI_TRACE("cipher=%p get_SSL_CIPHER_algorithm_mkey => %ld", cipher, (long) cipher->algorithm_mkey); - return cipher->algorithm_mkey; -} - -static jint NativeCrypto_get_SSL_CIPHER_algorithm_auth(JNIEnv* env, jclass, - jlong ssl_cipher_address) -{ - SSL_CIPHER* cipher = to_SSL_CIPHER(env, ssl_cipher_address, true); - JNI_TRACE("cipher=%p get_SSL_CIPHER_algorithm_auth => %ld", cipher, (long) cipher->algorithm_auth); - return cipher->algorithm_auth; -} - /** * Sets the ciphers suites that are enabled in the SSL */ @@ -9606,7 +9592,7 @@ static void NativeCrypto_SSL_renegotiate(JNIEnv* env, jclass, jlong ssl_address) return; } // if client agrees, set ssl state and perform renegotiation - ssl->state = SSL_ST_ACCEPT; + SSL_set_state(ssl, SSL_ST_ACCEPT); SSL_do_handshake(ssl); JNI_TRACE("ssl=%p NativeCrypto_SSL_renegotiate =>", ssl); } @@ -9672,6 +9658,14 @@ static jlongArray NativeCrypto_SSL_get_certificate(JNIEnv* env, jclass, jlong ss return refArray; } +#if !defined(OPENSSL_IS_BORINGSSL) +// Compatibility shim for SSL_is_server, available in BoringSSL (and OpenSSL 1.0.2). +static int SSL_is_server(SSL* ssl) +{ + return ssl->server; +} +#endif + // Fills a long[] with the peer certificates in the chain. static jlongArray NativeCrypto_SSL_get_peer_cert_chain(JNIEnv* env, jclass, jlong ssl_address) { @@ -9682,7 +9676,7 @@ static jlongArray NativeCrypto_SSL_get_peer_cert_chain(JNIEnv* env, jclass, jlon } STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl); Unique_sk_X509 chain_copy(nullptr); - if (ssl->server) { + if (SSL_is_server(ssl)) { X509* x509 = SSL_get_peer_certificate(ssl); if (x509 == nullptr) { JNI_TRACE("ssl=%p NativeCrypto_SSL_get_peer_cert_chain => NULL", ssl); @@ -11225,8 +11219,6 @@ static JNINativeMethod sNativeCryptoMethods[] = { NATIVE_METHOD(NativeCrypto, set_SSL_psk_server_callback_enabled, "(JZ)V"), NATIVE_METHOD(NativeCrypto, SSL_set_cipher_lists, "(J[Ljava/lang/String;)V"), NATIVE_METHOD(NativeCrypto, SSL_get_ciphers, "(J)[J"), - NATIVE_METHOD(NativeCrypto, get_SSL_CIPHER_algorithm_auth, "(J)I"), - NATIVE_METHOD(NativeCrypto, get_SSL_CIPHER_algorithm_mkey, "(J)I"), NATIVE_METHOD(NativeCrypto, SSL_set_accept_state, "(J)V"), NATIVE_METHOD(NativeCrypto, SSL_set_connect_state, "(J)V"), NATIVE_METHOD(NativeCrypto, SSL_set_verify, "(JI)V"), |