author | ThiƩbaud Weksteen <tweksteen@gmail.com> | 2024-05-08 16:16:49 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-08 07:16:49 +0100 |
commit | 655ad5069e1cb4d1989b8117eaf090371885af99 (patch) | |
tree | 4edb9c845ab1c87753c6d924335fb4e37862691f | |
parent | a5a0aa01a54e586945222c1aa476575200bf3229 (diff) | |
Upstream AOSP changes (#1207)upstream-master
* Turn conscrypt-platform CT verification into a no-op
Upstreams https://r.android.com/2986189
Test: m conscrypt
* Remove NetworkSecurityPolicy references
Upstreams https://r.android.com/3048194
Test: build
---------
Co-authored-by: Sandro Montanari <sandrom@google.com>
-rw-r--r-- | libcore-stub/src/main/java/libcore/net/NetworkSecurityPolicy.java | 98 | ||||
-rw-r--r-- | platform/src/main/java/org/conscrypt/Platform.java | 4 |
2 files changed, 1 insertions, 101 deletions
diff --git a/libcore-stub/src/main/java/libcore/net/NetworkSecurityPolicy.java b/libcore-stub/src/main/java/libcore/net/NetworkSecurityPolicy.java
deleted file mode 100644
index d9c87a41..00000000
--- a/libcore-stub/src/main/java/libcore/net/NetworkSecurityPolicy.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package libcore.net;
-
-/**
- * Network security policy for this process/application.
- *
- * <p>Network stacks/components are expected to honor this policy. Components which can use the
- * Android framework API should be accessing this policy via the framework's
- * {@code android.security.NetworkSecurityPolicy} instead of via this class.
- *
- * <p>The policy currently consists of a single flag: whether cleartext network traffic is
- * permitted. See {@link #isCleartextTrafficPermitted()}.
- */
-public abstract class NetworkSecurityPolicy {
-
- private static volatile NetworkSecurityPolicy instance = new DefaultNetworkSecurityPolicy();
-
- public static NetworkSecurityPolicy getInstance() {
- return instance;
- }
-
- public static void setInstance(NetworkSecurityPolicy policy) {
- if (policy == null) {
- throw new NullPointerException("policy == null");
- }
- instance = policy;
- }
-
- /**
- * Returns {@code true} if cleartext network traffic (e.g. HTTP, FTP, XMPP, IMAP, SMTP --
- * without TLS or STARTTLS) is permitted for all network communications of this process.
- *
- * <p>{@link #isCleartextTrafficPermitted(String)} should be used to determine if cleartext
- * traffic is permitted for a specific host.
- *
- * <p>When cleartext network traffic is not permitted, the platform's components (e.g. HTTP
- * stacks, {@code WebView}, {@code MediaPlayer}) will refuse this process's requests to use
- * cleartext traffic. Third-party libraries are encouraged to do the same.
- *
- * <p>This flag is honored on a best effort basis because it's impossible to prevent all
- * cleartext traffic from an application given the level of access provided to applications on
- * Android. For example, there's no expectation that {@link java.net.Socket} API will honor this
- * flag. Luckily, most network traffic from apps is handled by higher-level network stacks which
- * can be made to honor this flag. Platform-provided network stacks (e.g. HTTP and FTP) honor
- * this flag from day one, and well-established third-party network stacks will eventually
- * honor it.
- */
- public abstract boolean isCleartextTrafficPermitted();
-
- /**
- * Returns {@code true} if cleartext network traffic (e.g. HTTP, FTP, XMPP, IMAP, SMTP --
- * without TLS or STARTTLS) is permitted for communicating with {@code hostname} for this
- * process.
- *
- * <p>See {@link #isCleartextTrafficPermitted} for more details.
- */
- public abstract boolean isCleartextTrafficPermitted(String hostname);
-
- /**
- * Returns {@code true} if Certificate Transparency information is required to be presented by
- * the server and verified by the client in TLS connections to {@code hostname}.
- *
- * <p>See RFC6962 section 3.3 for more details.
- */
- public abstract boolean isCertificateTransparencyVerificationRequired(String hostname);
-
- public static final class DefaultNetworkSecurityPolicy extends NetworkSecurityPolicy {
- @Override
- public boolean isCleartextTrafficPermitted() {
- return true;
- }
-
- @Override
- public boolean isCleartextTrafficPermitted(String hostname) {
- return isCleartextTrafficPermitted();
- }
-
- @Override
- public boolean isCertificateTransparencyVerificationRequired(String hostname) {
- return false;
- }
- }
-}
diff --git a/platform/src/main/java/org/conscrypt/Platform.java b/platform/src/main/java/org/conscrypt/Platform.java
index cbeaa52a..36bc5bc6 100644
--- a/platform/src/main/java/org/conscrypt/Platform.java
+++ b/platform/src/main/java/org/conscrypt/Platform.java
@@ -61,7 +61,6 @@ import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.StandardConstants;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
-import libcore.net.NetworkSecurityPolicy;
 import org.conscrypt.ct.CTLogStore;
 import org.conscrypt.ct.CTLogStoreImpl;
 import org.conscrypt.ct.CTPolicy;
@@ -462,8 +461,7 @@ final class Platform {
 }
 static boolean isCTVerificationRequired(String hostname) {
- return NetworkSecurityPolicy.getInstance().isCertificateTransparencyVerificationRequired(
- hostname);
+ return false;
 }
 static boolean supportsConscryptCertStore() { |
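Review bot: `isCTVerificationRequired` in the second hunk now returns `false` for every hostname with no comment marking this as deliberate, so a later reader cannot tell an intentional stub from a regression in Certificate Transparency enforcement. I would add a comment above the return, for example `// CT verification is intentionally a no-op in the platform build (https://r.android.com/2986189); hostname is unused.` Callers are not visible in this hunk, so it is worth confirming that none of them reads a `false` result as "CT was checked and passed" rather than "CT was not required". The method is complete within the hunk; the enclosing `Platform` class continues outside it.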