authorBrian Carlstrom <bdc@google.com>2010-05-14 11:14:18 -0700
committerBrian Carlstrom <bdc@google.com>2010-05-14 15:06:32 -0700
commit9acacc36bafda869c6e9cc63786cdddd995ca96a (patch)
tree1997531d039b0509811f7c249c017ba36f5df2cb /support/src
parent7cf7ec13b4e7e8f044c310e63dd0f6f9f58577d7 (diff)
Use JSSE cipher suite names and restore JSSE SSLSessionContext semantics
Summary: - Switch to using JSSE cipher suite names - SSLSessionContext implementation cleanup - Updated tests Details: Switch to using JSSE cipher suite names - We maintain backward compatability for enabling cipher suites using OpenSSL names for old code that did so without checking for the presence of the names in the supported list. - We now have a well defined list of the supported cipher suites which are sorted in priority order as specified in JSSE documentation so that callers doing: s.setEnabledCipherSuites(s.getSupportedCipherSuites()) will get something reasonable. - We now have a default cipher suite list that is chose to match RI behavior and priority, not based on OpenSSLs default and priorities. Details: - Added NativeCrypto OPENSSL_TO_STANDARD and STANDARD_TO_OPENSSL mapping between naming conventions. STANDARD_TO_OPENSSL is a LinkedHashMap so enumerating it gives the proper order for SUPPORTED_CIPHER_SUITES. - SSL_get_ciphers and SSL_set_cipher_list are removed, we now use our own SSL_set_cipher_lists (defined seperately in external/openssl/patches/jsse.patch) to set the set and order of cipher suites. SSL_CTX_get_ciphers is also removed because we no longer rely on the OpenSSL for the default cipher suites behavior. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Add cipherSuite and protocol field caches for native values, mapping the cipherSuite to a JSSE name from the OpenSSL name returned by SSL_SESSION_cipher. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java Fixed a long standing bug where we reused sessions found in the client host/port cache even if the old protocol and cipher suite where no longer compatible with what was specified by setEnabledCipherSuites and setProtocols. 
Also fixed a recently introduced bug where lastAccessedTime was being set on a cached session even if it was not reused, found by fixed the above. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Move most of SSLSessionContext implementation from subclasses to AbstractSessionContext. This was primarily to align the implementations of how different sessions id for the same host and port were handled for RI compatability. client subclasses now focuses on handling its host/port based cache and both deal with their own persistent cache details. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java Tests Added some variants of assertSSLSessionContextSize to simplify tests code. Broke test_SSLSessionContext_setSessionCacheSize_oneConnect out of test_SSLSessionContext_setSessionCacheSize_dynamic. Renamed test_SSLSessionContext_setSessionCacheSize_basic to test_SSLSessionContext_setSessionCacheSize_noConnect to match name of _oneConnect. _dynamic was cleaned up a bit as getting it working was the only goal of this change list. Fixed to filter SSL_RSA_EXPORT_ ciphers since our test certificate key length is too long for those. Lower test requirement to 3 unique cipher suites. luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java Added checks that cipher suites and protocols have standard names. luni/src/test/java/javax/net/ssl/SSLSessionTest.java Removing known failures related to cipher suite naming. Fixed bug of using assertNotNull instead of assertTrue. Added extra size/length check which would have found the assertNotNull/assertTrue issue. luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java Fixing test the explicitly worked around broken cipher suite naming. 
luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java Updated standard cipher suites to RI 6 list, which also now specifies ordering, which we now align with. support/src/test/java/javax/net/ssl/StandardNames.java Unrelated Remove more now obsolete jars from the test classpath run-core-tests Change-Id: I45c274a9327c9a1aeeccb39ecaf5a3fbe2903c8f
Diffstat (limited to 'support/src')
-rw-r--r--support/src/test/java/javax/net/ssl/StandardNames.java152
1 files changed, 106 insertions, 46 deletions
diff --git a/support/src/test/java/javax/net/ssl/StandardNames.java b/support/src/test/java/javax/net/ssl/StandardNames.java
index ccd3ee1..86dbd78 100644
--- a/support/src/test/java/javax/net/ssl/StandardNames.java
+++ b/support/src/test/java/javax/net/ssl/StandardNames.java
@@ -18,11 +18,15 @@ package javax.net.ssl;
import java.util.Arrays;
import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
/**
* This class defines expected string names for protocols, key types, client and server auth types, cipher suites.
+ *
* Based on documentation from http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
+ *
+ * Java 6 version http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html
*/
public final class StandardNames {
@@ -63,50 +67,106 @@ public final class StandardNames {
"RSA_EXPORT1024",
"UNKNOWN"));
- // removed cipher suites not actually found in RI
- public static final Set<String> CIPHER_SUITES = new HashSet<String>(Arrays.asList(
- "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
- "SSL_DHE_DSS_WITH_DES_CBC_SHA",
- "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "SSL_DHE_RSA_WITH_DES_CBC_SHA",
- //"SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
- //"SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
- "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
- "SSL_DH_anon_WITH_DES_CBC_SHA",
- "SSL_DH_anon_WITH_RC4_128_MD5",
- //"SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
- //"SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
- "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
- //"SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
- "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
- "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
- "SSL_RSA_WITH_DES_CBC_SHA",
- "SSL_RSA_WITH_NULL_MD5",
- "SSL_RSA_WITH_NULL_SHA",
- "SSL_RSA_WITH_RC4_128_MD5",
- "SSL_RSA_WITH_RC4_128_SHA",
- "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
- //"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- //"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DH_anon_WITH_AES_128_CBC_SHA",
- //"TLS_DH_anon_WITH_AES_256_CBC_SHA",
- "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
- "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
- //"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
- //"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
- "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
- "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
- "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
- "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
- "TLS_KRB5_WITH_DES_CBC_MD5",
- "TLS_KRB5_WITH_DES_CBC_SHA",
- "TLS_KRB5_WITH_RC4_128_MD5",
- "TLS_KRB5_WITH_RC4_128_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA"));
- //"TLS_RSA_WITH_AES_256_CBC_SHA"));
+ public static final Set<String> CIPHER_SUITES_NEITHER = new HashSet<String>();
+
+ public static final Set<String> CIPHER_SUITES_RI = new LinkedHashSet<String>();
+ public static final Set<String> CIPHER_SUITES_OPENSSL = new LinkedHashSet<String>();
+
+ public static final Set<String> CIPHER_SUITES;
+
+ private static final void addRi(String cipherSuite) {
+ CIPHER_SUITES_RI.add(cipherSuite);
+ }
+
+ private static final void addOpenSsl(String cipherSuite) {
+ CIPHER_SUITES_OPENSSL.add(cipherSuite);
+ }
+
+ private static final void addBoth(String cipherSuite) {
+ addRi(cipherSuite);
+ addOpenSsl(cipherSuite);
+ }
+
+ static {
+ // Note these are added in priority order as defined by RI 6 documentation.
+ addBoth( "SSL_RSA_WITH_RC4_128_MD5");
+ addBoth( "SSL_RSA_WITH_RC4_128_SHA");
+ addBoth( "TLS_RSA_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_RSA_WITH_AES_256_CBC_SHA");
+ addOpenSsl("TLS_ECDH_ECDSA_WITH_RC4_128_SHA");
+ addOpenSsl("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
+ addOpenSsl("TLS_ECDH_RSA_WITH_RC4_128_SHA");
+ addOpenSsl("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA");
+ addOpenSsl("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA");
+ addOpenSsl("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA");
+ addOpenSsl("TLS_ECDHE_RSA_WITH_RC4_128_SHA");
+ addOpenSsl("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
+ addBoth( "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
+ addBoth( "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_DHE_DSS_WITH_AES_256_CBC_SHA");
+ addBoth( "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
+ addOpenSsl("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA");
+ addOpenSsl("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA");
+ addOpenSsl("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA");
+ addOpenSsl("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA");
+ addBoth( "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
+ addBoth( "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA");
+ addBoth( "SSL_RSA_WITH_DES_CBC_SHA");
+ addBoth( "SSL_DHE_RSA_WITH_DES_CBC_SHA");
+ addBoth( "SSL_DHE_DSS_WITH_DES_CBC_SHA");
+ addBoth( "SSL_RSA_EXPORT_WITH_RC4_40_MD5");
+ addBoth( "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA");
+ addBoth( "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA");
+ addBoth( "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
+ addBoth( "SSL_RSA_WITH_NULL_MD5");
+ addBoth( "SSL_RSA_WITH_NULL_SHA");
+ addOpenSsl("TLS_ECDH_ECDSA_WITH_NULL_SHA");
+ addOpenSsl("TLS_ECDH_RSA_WITH_NULL_SHA");
+ addOpenSsl("TLS_ECDHE_ECDSA_WITH_NULL_SHA");
+ addOpenSsl("TLS_ECDHE_RSA_WITH_NULL_SHA");
+ addBoth( "SSL_DH_anon_WITH_RC4_128_MD5");
+ addBoth( "TLS_DH_anon_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_DH_anon_WITH_AES_256_CBC_SHA");
+ addBoth( "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA");
+ addBoth( "SSL_DH_anon_WITH_DES_CBC_SHA");
+ addOpenSsl("TLS_ECDH_anon_WITH_RC4_128_SHA");
+ addOpenSsl("TLS_ECDH_anon_WITH_AES_128_CBC_SHA");
+ addOpenSsl("TLS_ECDH_anon_WITH_AES_256_CBC_SHA");
+ addOpenSsl("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA");
+ addBoth( "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5");
+ addBoth( "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA");
+ addOpenSsl("TLS_ECDH_anon_WITH_NULL_SHA");
+
+ // Android does not have Keberos support
+ addRi ("TLS_KRB5_WITH_RC4_128_SHA");
+ addRi ("TLS_KRB5_WITH_RC4_128_MD5");
+ addRi ("TLS_KRB5_WITH_3DES_EDE_CBC_SHA");
+ addRi ("TLS_KRB5_WITH_3DES_EDE_CBC_MD5");
+ addRi ("TLS_KRB5_WITH_DES_CBC_SHA");
+ addRi ("TLS_KRB5_WITH_DES_CBC_MD5");
+ addRi ("TLS_KRB5_EXPORT_WITH_RC4_40_SHA");
+ addRi ("TLS_KRB5_EXPORT_WITH_RC4_40_MD5");
+ addRi ("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA");
+ addRi ("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5");
+
+ // Dropped
+ CIPHER_SUITES_NEITHER.add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA");
+ CIPHER_SUITES_NEITHER.add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA");
+
+ // Old non standard exportable encryption
+ CIPHER_SUITES_NEITHER.add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA");
+ CIPHER_SUITES_NEITHER.add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA");
+
+ // No RC2
+ CIPHER_SUITES_NEITHER.add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5");
+ CIPHER_SUITES_NEITHER.add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA");
+ CIPHER_SUITES_NEITHER.add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5");
+
+ CIPHER_SUITES = (TestSSLContext.IS_RI) ? CIPHER_SUITES_RI : CIPHER_SUITES_OPENSSL;
+ }
}
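Review bot: The static initializer adds the `_WITH_NULL_`, `DH_anon`/`ECDH_anon` and `_EXPORT_` suites to `CIPHER_SUITES_RI` and `CIPHER_SUITES_OPENSSL` alongside the AES and 3DES ones, and its only comment says the entries are in priority order. Nothing tells a test author that `CIPHER_SUITES` is the expected supported list, not a list that is safe to enable. A comment above the first `addBoth` call would make that explicit, for example `// Supported, not default-enabled: includes NULL (no encryption), anon (no peer authentication) and EXPORT/DES (weak key) suites.` The commit message mentions a separate default list, but no expected-defaults set appears in this hunk, so a test here apparently cannot assert that those weak suites stay out of the defaults; a `CIPHER_SUITES_DEFAULT` set would cover that. The three public sets are also mutable, so one test can change the expectations seen by later tests. The `StandardNames` class body starts outside this hunk.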