author | Brian Carlstrom <bdc@google.com> | 2012-03-16 15:58:01 -0700 |
---|---|---|
committer | Brian Carlstrom <bdc@google.com> | 2012-03-21 11:31:02 -0700 |
commit | 3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf (patch) | |
tree | 6271159662693711de9222bb4551cb9a6fe2b9a8 | |
parent | 92f87a4de2f7c360a44f0195ef748874a1f4378e (diff) | |
Tracking openssl-1.0.1
Bug: 6168278
Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
14 files changed, 63 insertions, 27 deletions
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
index e43324b..0d10cf0 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
@@ -194,6 +194,8 @@ public final class NativeCrypto {
     private static final String SUPPORTED_PROTOCOL_SSLV3 = "SSLv3";
     private static final String SUPPORTED_PROTOCOL_TLSV1 = "TLSv1";
+    private static final String SUPPORTED_PROTOCOL_TLSV1_1 = "TLSv1.1";
+    private static final String SUPPORTED_PROTOCOL_TLSV1_2 = "TLSv1.2";
     public static final Map<String, String> OPENSSL_TO_STANDARD_CIPHER_SUITES = new HashMap<String, String>();
@@ -340,6 +342,8 @@ public final class NativeCrypto {
     public static final long SSL_OP_NO_COMPRESSION = 0x00020000L;
     public static final long SSL_OP_NO_SSLv3 = 0x02000000L;
     public static final long SSL_OP_NO_TLSv1 = 0x04000000L;
+    public static final long SSL_OP_NO_TLSv1_1 = 0x00000400L;
+    public static final long SSL_OP_NO_TLSv1_2 = 0x08000000L;
     public static native int SSL_CTX_new();
@@ -432,7 +436,11 @@ public final class NativeCrypto {
     public static native long SSL_clear_options(int ssl, long options);
     public static String[] getSupportedProtocols() {
-        return new String[] { SUPPORTED_PROTOCOL_SSLV3, SUPPORTED_PROTOCOL_TLSV1 };
+        return new String[] { SUPPORTED_PROTOCOL_SSLV3,
+                              SUPPORTED_PROTOCOL_TLSV1,
+                              SUPPORTED_PROTOCOL_TLSV1_1,
+                              SUPPORTED_PROTOCOL_TLSV1_2,
+        };
     }
     public static void setEnabledProtocols(int ssl, String[] protocols) {
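Review bot: The value given for `SSL_OP_NO_TLSv1_1` in the @@ -340 hunk, `0x00000400L`, does not match the bit OpenSSL 1.0.1 defines for that option: in its ssl.h the two new options are `SSL_OP_NO_TLSv1_2 0x08000000L` and `SSL_OP_NO_TLSv1_1 0x10000000L` (they are not in numeric order, which makes this easy to mis-transcribe). With the literal as written, `setEnabledProtocols` cannot actually disable TLSv1.1, and a caller that enables only TLSv1 would instead flip an unrelated low option bit, so the enabled-protocol restriction is silently not enforced for that version. The line should read `public static final long SSL_OP_NO_TLSv1_1 = 0x10000000L;`, and since these Java constants mirror C defines, a comment such as `// values mirror SSL_OP_NO_* in openssl/ssl.h; re-check them when tracking a new release` above the group would help the next sync. The NativeCryptoTest hunk further down only checks that these bits are clear on a fresh SSL, which passes for any literal.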
@@ -440,7 +448,7 @@ public final class NativeCrypto {
         // openssl uses negative logic letting you disable protocols.
         // so first, assume we need to set all (disable all) and clear none (enable none).
         // in the loop, selectively move bits from set to clear (from disable to enable)
-        long optionsToSet = (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+        long optionsToSet = (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
         long optionsToClear = 0;
         for (int i = 0; i < protocols.length; i++) {
             String protocol = protocols[i];
@@ -450,6 +458,12 @@ public final class NativeCrypto {
             } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1)) {
                 optionsToSet &= ~SSL_OP_NO_TLSv1;
                 optionsToClear |= SSL_OP_NO_TLSv1;
+            } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1_1)) {
+                optionsToSet &= ~SSL_OP_NO_TLSv1_1;
+                optionsToClear |= SSL_OP_NO_TLSv1_1;
+            } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2)) {
+                optionsToSet &= ~SSL_OP_NO_TLSv1_2;
+                optionsToClear |= SSL_OP_NO_TLSv1_2;
             } else {
                 // error checked by checkEnabledProtocols
                 throw new IllegalStateException();
@@ -470,7 +484,9 @@ public final class NativeCrypto {
                 throw new IllegalArgumentException("protocols[" + i + "] == null");
             }
             if ((!protocol.equals(SUPPORTED_PROTOCOL_SSLV3))
-                && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1))) {
+                && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1))
+                && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1_1))
+                && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2))) {
                 throw new IllegalArgumentException("protocol " + protocol + " is not supported");
             }
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
index d112074..97753cf 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
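Review bot: The new TLSv1.1/TLSv1.2 branches in `setEnabledProtocols` (@@ -450) and the extended condition in `checkEnabledProtocols` (@@ -470) are the third and fourth places that enumerate the same protocol names by hand, alongside the `optionsToSet` initialiser at @@ -440 and `getSupportedProtocols`; the next version bump has to touch all of them and nothing catches a list that drifts. A single name-to-`SSL_OP_NO_*` table lets the apply and validation paths derive from one source, and `checkEnabledProtocols` collapses to `if (!PROTOCOL_TO_NO_OPTION.containsKey(protocol))`, keeping its existing error message. Both methods begin or end outside the hunk, so the sketch below shows only the table and the rewritten loop; `getSupportedProtocols` should keep its explicit ordered array since a `HashMap` does not preserve order.
```java
    // One source of truth: protocol name -> OpenSSL SSL_OP_NO_* bit that disables that version.
    // setEnabledProtocols() and checkEnabledProtocols() both derive from it.
    private static final Map<String, Long> PROTOCOL_TO_NO_OPTION = new HashMap<String, Long>();
    static {
        PROTOCOL_TO_NO_OPTION.put(SUPPORTED_PROTOCOL_SSLV3, SSL_OP_NO_SSLv3);
        PROTOCOL_TO_NO_OPTION.put(SUPPORTED_PROTOCOL_TLSV1, SSL_OP_NO_TLSv1);
        PROTOCOL_TO_NO_OPTION.put(SUPPORTED_PROTOCOL_TLSV1_1, SSL_OP_NO_TLSv1_1);
        PROTOCOL_TO_NO_OPTION.put(SUPPORTED_PROTOCOL_TLSV1_2, SSL_OP_NO_TLSv1_2);
    }

    // … unchanged: setEnabledProtocols signature and the negative-logic comments …
        long optionsToSet = 0;
        for (long noBit : PROTOCOL_TO_NO_OPTION.values()) {
            optionsToSet |= noBit;
        }
        long optionsToClear = 0;
        for (String protocol : protocols) {
            Long noBit = PROTOCOL_TO_NO_OPTION.get(protocol);
            if (noBit == null) {
                // error checked by checkEnabledProtocols
                throw new IllegalStateException();
            }
            optionsToSet &= ~noBit;
            optionsToClear |= noBit;
        }
        // … unchanged: SSL_set_options / SSL_clear_options calls …
```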
@@ -29,6 +29,8 @@ public final class OpenSSLProvider extends Provider {
         put("SSLContext.SSLv3", OpenSSLContextImpl.class.getName());
         put("SSLContext.TLS", OpenSSLContextImpl.class.getName());
         put("SSLContext.TLSv1", OpenSSLContextImpl.class.getName());
+        put("SSLContext.TLSv1.1", OpenSSLContextImpl.class.getName());
+        put("SSLContext.TLSv1.2", OpenSSLContextImpl.class.getName());
         put("SSLContext.Default", DefaultSSLContextImpl.class.getName());
         // Message Digests
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
index 20219e0..841c31c 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
@@ -27,9 +27,6 @@ import javax.net.ssl.SSLException;
 /**
  * OpenSSL-based implementation of server sockets.
- *
- * This class only supports SSLv3 and TLSv1. This should be documented elsewhere
- * later, for example in the package.html or a separate reference document.
  */
 public class OpenSSLServerSocketImpl extends javax.net.ssl.SSLServerSocket {
     private final SSLParametersImpl sslParameters;
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
index d289449..49a6170 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
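Review bot: The two new `put("SSLContext.TLSv1.1", …)` / `put("SSLContext.TLSv1.2", …)` registrations in OpenSSLProvider map to the same `OpenSSLContextImpl` as `TLS`, `TLSv1` and `SSLv3`, and nothing in this hunk passes the requested name through, so `SSLContext.getInstance("TLSv1")` and `getInstance("TLSv1.2")` presumably yield identically configured contexts. Whether the name constrains the default enabled protocol set is decided elsewhere, and callers used to the reference implementation may assume it does, so it is worth stating at the registration site. A comment above the group such as `// All SSLContext names share one implementation; the requested name does not narrow the protocols enabled by default — use setEnabledProtocols on the socket for that` would make the contract explicit, assuming that is indeed how OpenSSLContextImpl behaves.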
@@ -48,9 +48,6 @@ import org.apache.harmony.security.provider.cert.X509CertImpl;
 /**
  * Implementation of the class OpenSSLSocketImpl based on OpenSSL.
  * <p>
- * This class only supports SSLv3 and TLSv1. This should be documented elsewhere
- * later, for example in the package.html or a separate reference document.
- * <p>
  * Extensions to SSLSocket include:
  * <ul>
  * <li>handshake timeout
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java
index abec7d1..e9f77f7 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java
@@ -442,7 +442,7 @@ public class SSLRecordProtocol {
     /**
      * Sets up the SSL version used in this connection.
      * This method is calling from the handshake protocol after
-     * it becomes known witch protocol version will be used.
+     * it becomes known which protocol version will be used.
      * @param ver: byte[]
      * @return
      */
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
index b6a65b4..613e671 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
@@ -330,11 +330,17 @@ public class ServerHandshakeImpl extends HandshakeProtocol {
                     "HANDSHAKE FAILURE. Incorrect client hello message");
         }
+        byte[] server_version = clientHello.client_version;
         if (!ProtocolVersion.isSupported(clientHello.client_version)) {
-            fatalAlert(AlertProtocol.PROTOCOL_VERSION,
-                    "PROTOCOL VERSION. Unsupported client version "
-                    + clientHello.client_version[0]
-                    + clientHello.client_version[1]);
+            if (clientHello.client_version[0] >= 3) {
+                // Protocol from the future, admit that the newest thing we know is TLSv1
+                server_version = ProtocolVersion.TLSv1.version;
+            } else {
+                fatalAlert(AlertProtocol.PROTOCOL_VERSION,
+                        "PROTOCOL VERSION. Unsupported client version "
+                        + clientHello.client_version[0]
+                        + clientHello.client_version[1]);
+            }
         }
         isResuming = false;
@@ -404,13 +410,13 @@ public class ServerHandshakeImpl extends HandshakeProtocol {
             }
         }
-        recordProtocol.setVersion(clientHello.client_version);
-        session.protocol = ProtocolVersion.getByVersion(clientHello.client_version);
+        recordProtocol.setVersion(server_version);
+        session.protocol = ProtocolVersion.getByVersion(server_version);
         session.clientRandom = clientHello.random;
         // create server hello message
         serverHello = new ServerHello(parameters.getSecureRandom(),
-                clientHello.client_version,
+                server_version,
                 session.getId(), cipher_suite, (byte) 0); //CompressionMethod.null
         session.serverRandom = serverHello.random;
         send(serverHello);
diff --git a/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp b/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
index c4c796a..aca3269 100644
--- a/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
+++ b/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
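Review bot: The fallback added at @@ -330 answers any unsupported `client_version` whose major byte is `>= 3` with a hard-coded `ProtocolVersion.TLSv1.version`, which is the RFC 5246 Appendix E.1 behaviour (reply with the server's highest version when the client offers something newer), but the literal constant will silently become wrong the day this Java handshake learns TLSv1.1. Deriving it from whatever `ProtocolVersion` reports as its newest supported version, and saying so in the comment — `// Client offers a version newer than we implement; per RFC 5246 Appendix E.1 answer with our highest supported version` — keeps the negotiation and the supported list in one place. Note that `client_version[0]` is a Java `byte`, so a major value of 0x80 or above compares as negative and still takes the `fatalAlert` branch; that seems acceptable but deserves a word in the comment. The enclosing method begins and ends outside the hunk, as does the @@ -404 hunk's.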
@@ -2368,6 +2368,8 @@ static int client_cert_cb(SSL* ssl, X509** x509Out, EVP_PKEY** pkeyOut) {
             break;
         case SSL3_VERSION:
         case TLS1_VERSION:
+        case TLS1_1_VERSION:
+        case TLS1_2_VERSION:
         case DTLS1_VERSION:
             ctype = ssl->s3->tmp.ctype;
             ctype_num = ssl->s3->tmp.ctype_num;
diff --git a/luni/src/test/java/libcore/java/net/URLConnectionTest.java b/luni/src/test/java/libcore/java/net/URLConnectionTest.java
index 0c1719c..04cd045 100644
--- a/luni/src/test/java/libcore/java/net/URLConnectionTest.java
+++ b/luni/src/test/java/libcore/java/net/URLConnectionTest.java
@@ -449,7 +449,7 @@ public final class URLConnectionTest extends TestCase {
         RecordedRequest request = server.takeRequest();
         assertEquals("GET /foo HTTP/1.1", request.getRequestLine());
-        assertEquals("TLSv1", request.getSslProtocol());
+        assertEquals("TLSv1.2", request.getSslProtocol());
     }
     public void testConnectViaHttpsReusingConnections() throws IOException, InterruptedException {
diff --git a/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java b/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
index 5e91dc1..e3ae16f 100644
--- a/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
+++ b/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
@@ -166,7 +166,8 @@ public class SSLEngineTest extends TestCase {
         TestSSLContext c = TestSSLContext.create();
         SSLEngine e = c.clientContext.createSSLEngine();
         String[] protocols = e.getSupportedProtocols();
-        StandardNames.assertSupportedProtocols(StandardNames.SSL_SOCKET_PROTOCOLS, protocols);
+        StandardNames.assertSupportedProtocols(StandardNames.SSL_SOCKET_PROTOCOLS_SSLENGINE,
+                protocols);
         assertNotSame(protocols, e.getSupportedProtocols());
         c.close();
     }
diff --git a/luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java b/luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java
index c516f67..e18b328 100644
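Review bot: The two new `case TLS1_1_VERSION:` / `case TLS1_2_VERSION:` labels in `client_cert_cb` fall through to the same `ssl->s3->tmp.ctype` lookup as SSLv3 and TLSv1, which is plausible since all of these versions share the SSL3 record state, but the hunk gives no hint why the TLS 1.x family and DTLS are grouped together while whatever follows the switch (outside the hunk) is not. A one-line comment on the first label, `// every SSL3-derived version keeps the CertificateRequest certificate types in s3->tmp`, would record the reasoning for the next version bump. Under TLS 1.2 the CertificateRequest additionally carries supported signature algorithms; if this callback is expected to honour them when choosing a key, that is not handled here and is worth confirming. `client_cert_cb` begins and ends outside the hunk.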
--- a/luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java
+++ b/luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java
@@ -691,7 +691,7 @@ public class HttpsURLConnectionTest extends TestCase {
             trustManagers = TestTrustManager.wrap(trustManagers);
         }
-        SSLContext ctx = SSLContext.getInstance("TLSv1");
+        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
         ctx.init(keyManagers, trustManagers, null);
         return ctx;
     }
diff --git a/luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java b/luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
index 934bd6f..e964940 100644
--- a/luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
+++ b/luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
@@ -161,6 +161,8 @@ public class NativeCryptoTest extends TestCase {
         assertTrue((NativeCrypto.SSL_get_options(s) & 0x01000000L) != 0); // SSL_OP_NO_SSLv2
         assertTrue((NativeCrypto.SSL_get_options(s) & NativeCrypto.SSL_OP_NO_SSLv3) == 0);
         assertTrue((NativeCrypto.SSL_get_options(s) & NativeCrypto.SSL_OP_NO_TLSv1) == 0);
+        assertTrue((NativeCrypto.SSL_get_options(s) & NativeCrypto.SSL_OP_NO_TLSv1_1) == 0);
+        assertTrue((NativeCrypto.SSL_get_options(s) & NativeCrypto.SSL_OP_NO_TLSv1_2) == 0);
         int s2 = NativeCrypto.SSL_new(c);
         assertTrue(s != s2);
diff --git a/luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java b/luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java
index ec23cae..2b98182 100644
--- a/luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java
+++ b/luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java
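Review bot: The two assertions added to NativeCryptoTest (@@ -161) only check that the `SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2` bits are clear on a fresh SSL, which any literal value — including a mistyped one — satisfies, so the test pins nothing about the constants. A stronger check that needs no network is to exercise the apply path: call `NativeCrypto.setEnabledProtocols(s, new String[] { "TLSv1" })` and assert `SSL_get_options(s)` now has `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` set and `SSL_OP_NO_TLSv1` clear, plus an assertion that the four `SSL_OP_NO_*` constants are distinct single bits; confirming they mean what OpenSSL thinks they mean still needs a handshake test with one side restricted to TLSv1. The `0x01000000L` literal for SSLv2 on the context line is the same kind of unchecked magic number and would read better as a named constant.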
@@ -179,7 +179,7 @@ public class SSLSessionTest extends TestCase {
      * javax.net.ssl.SSLSession#getProtocol()
      */
     public void test_getProtocol() {
-        assertEquals("TLSv1", clientSession.getProtocol());
+        assertEquals("TLSv1.2", clientSession.getProtocol());
     }
     /**
diff --git a/support/src/test/java/libcore/java/security/StandardNames.java b/support/src/test/java/libcore/java/security/StandardNames.java
index 12f8539..e8b29e4 100644
--- a/support/src/test/java/libcore/java/security/StandardNames.java
+++ b/support/src/test/java/libcore/java/security/StandardNames.java
@@ -172,6 +172,8 @@ public final class StandardNames extends Assert {
         provide("Policy", "JavaPolicy");
         provide("SSLContext", "SSLv3");
         provide("SSLContext", "TLSv1");
+        provide("SSLContext", "TLSv1.1");
+        provide("SSLContext", "TLSv1.2");
         provide("SecretKeyFactory", "DES");
         provide("SecretKeyFactory", "DESede");
         provide("SecretKeyFactory", "PBEWithMD5AndDES");
@@ -448,7 +450,9 @@ public final class StandardNames extends Assert {
         // "SSLv2",
         "SSLv3",
         "TLS",
-        "TLSv1"));
+        "TLSv1",
+        "TLSv1.1",
+        "TLSv1.2"));
     public static final String SSL_CONTEXT_PROTOCOL_DEFAULT = "TLS";
     public static final Set<String> KEY_TYPES = new HashSet<String>(Arrays.asList(
@@ -464,7 +468,9 @@ public final class StandardNames extends Assert {
     public static final Set<String> SSL_SOCKET_PROTOCOLS = new HashSet<String>(Arrays.asList(
         // "SSLv2",
         "SSLv3",
-        "TLSv1"));
+        "TLSv1",
+        "TLSv1.1",
+        "TLSv1.2"));
     static {
         if (IS_RI) {
             /* Even though we use OpenSSL's SSLv23_method which
@@ -474,9 +480,15 @@ public final class StandardNames extends Assert {
              * do to disable general use of SSLv2.
              */
             SSL_SOCKET_PROTOCOLS.add("SSLv2Hello");
+        }
+    }
-            SSL_SOCKET_PROTOCOLS.add("TLSv1.1");
-            SSL_SOCKET_PROTOCOLS.add("TLSv1.2");
+    public static final Set<String> SSL_SOCKET_PROTOCOLS_SSLENGINE = new HashSet<String>(SSL_SOCKET_PROTOCOLS);
+    static {
+        // No TLSv1.1 or TLSv1.2 support on SSLEngine based provider
+        if (!IS_RI) {
+            SSL_SOCKET_PROTOCOLS_SSLENGINE.remove("TLSv1.1");
+            SSL_SOCKET_PROTOCOLS_SSLENGINE.remove("TLSv1.2");
         }
     }
@@ -798,7 +810,7 @@ public final class StandardNames extends Assert {
         assertTrue(protocols.length != 0);
         // Make sure all protocols names are expected
-        Set remainingProtocols = new HashSet<String>(StandardNames.SSL_SOCKET_PROTOCOLS);
+        Set remainingProtocols = new HashSet<String>(expected);
         Set unknownProtocols = new HashSet<String>();
         for (String protocol : protocols) {
             if (!remainingProtocols.remove(protocol)) {
diff --git a/support/src/test/java/libcore/java/security/TestKeyStore.java b/support/src/test/java/libcore/java/security/TestKeyStore.java
index 30e40fb..e24ee78 100644
--- a/support/src/test/java/libcore/java/security/TestKeyStore.java
+++ b/support/src/test/java/libcore/java/security/TestKeyStore.java
@@ -387,7 +387,8 @@ public final class TestKeyStore extends Assert {
         // 1.) we make the keys
         int keySize;
         if (keyAlgorithm.equals("RSA")) {
-            keySize = StandardNames.IS_RI ? 1024 : 512; // 512 breaks SSL_RSA_EXPORT_* on RI
+            // 512 breaks SSL_RSA_EXPORT_* on RI and TLS_ECDHE_RSA_WITH_RC4_128_SHA for us
+            keySize = 1024;
         } else if (keyAlgorithm.equals("DSA")) {
             keySize = 512;
         } else if (keyAlgorithm.equals("EC")) {
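Review bot: The changed line in `assertSupportedProtocols` (@@ -798) keeps the raw `Set remainingProtocols` even though the right-hand side is already `new HashSet<String>(expected)`; `Set<String> remainingProtocols = new HashSet<String>(expected);` (and the same for `unknownProtocols` on the next line) removes the unchecked warning at no cost. The new `SSL_SOCKET_PROTOCOLS_SSLENGINE` at @@ -474 copies `SSL_SOCKET_PROTOCOLS` during class initialisation, so it silently depends on being declared after the static block that adds `"SSLv2Hello"` on the RI; a comment such as `// Must stay below the static block above so the copy already holds the RI-only SSLv2Hello entry` protects that ordering, and wrapping both sets with `Collections.unmodifiableSet` once they are built would keep a test from mutating shared expectations. Both enclosing definitions extend outside the hunk.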