From e92ca10c7620dd54c5e13fdabb6f1ff6adefd9fd Mon Sep 17 00:00:00 2001 
From: Brian Carlstrom Date: Thu, 15 Apr 2010 14:00:03 -0700 Subject: openssl-1.0.0 upgrade external/openssl Updated version to 1.0.0 openssl.version Updated small records patch for 1.0.0. This is probably the most significant change. patches/small_records.patch Removed bad_version.patch since fix is included in 0.9.8n and beyond patches/README patches/bad_version.patch openssl.config Changed import_openssl.sh to generate armv4 asm with the 1.0.0 scripts, not our backported 0.9.9-dev backported version in patches/arm-asm.patch. import_openssl.sh openssl.config patches/README patches/arm-asm.patch Added -DOPENSSL_NO_STORE to match ./Configure output Added -DOPENSSL_NO_WHIRLPOOL (no-whrlpool) to skip new optional cipher android-config.mk openssl.config Fixed import to remove include directory during import like other imported directories (apps, ssl, crypto) import_openssl.sh Updated UNNEEDED_SOURCES. Pruned Makefiles which we don't use. openssl.config Updated to build newly required files patches/apps_Android.mk patches/crypto_Android.mk Disable some new openssl tools patches/progs.patch Automatically imported android.testssl/ apps/ crypto/ e_os.h e_os2.h include/ ssl/ dalvik Change makeCipherList to skip SSLv2 ciphers that 1.0.0 now returns so there are not duplicate ciphersuite names in getEnabledCipherSuites. libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Updated OpenSSLSocketImpl_cipherauthenticationmethod for new SSL_CIPHER algorithms -> algorithm_auth (and const-ness) libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Update to const SSL_CIPHER in OpenSSLSessionImpl_getCipherSuite (and cipherauthenticationmethod) libcore/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp test_EnabledCipherSuites on both SSLSocketTest and SSLServerSocketTest caught the makeCipherList problem. 
However the asserts where a bit out of sync and didn't give good messages because they didn't actually show what was going on. As part of debugging the issue they found, I tried to make align the asserts and improve their output for the future. libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLServerSocketTest.java libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLSocketTest.java vendor/google Add const to X509V3_EXT_METHOD* for 1.0.0 compatibility libraries/libjingle/talk/base/openssladapter.cc Change-Id: I9e848c79772211d3956f8561ec526339b30e24a4
---
 ...che_harmony_xnet_provider_jsse_NativeCrypto.cpp | 57 ++++++++++++++--------
 .../api/javax/net/ssl/SSLServerSocketTest.java | 5 +-
 .../tests/api/javax/net/ssl/SSLSocketTest.java | 8 +--
 3 files changed, 46 insertions(+), 24 deletions(-)
(limited to 'x-net/src')
diff --git a/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp b/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
index 5191fdc..d0682a4 100644
--- a/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
+++ b/x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
@@ -1717,9 +1717,16 @@ static void org_apache_harmony_xnet_provider_jsse_OpenSSLSocketImpl_setenabledpr
 }
 static jobjectArray makeCipherList(JNIEnv* env, SSL* ssl) {
+ STACK_OF(SSL_CIPHER)* cipher_list = SSL_get_ciphers(ssl);
 // Count the ciphers.
+ int num = sk_SSL_CIPHER_num(cipher_list);
 int cipherCount = 0;
- while (SSL_get_cipher_list(ssl, cipherCount) != NULL) {
+ for (int i = 0; i < num; ++i) {
+ SSL_CIPHER* cipher = sk_SSL_CIPHER_value(cipher_list, i);
+ if (strcmp(SSL_CIPHER_get_version(cipher), SSL_TXT_SSLV2) == 0) {
+ // openssl-1.0.0 includes duplicate names for SSLv2 and SSLv3 ciphers
+ continue;
+ }
 ++cipherCount;
 }
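Review bot: The SSLv2 skip in the counting loop of makeCipherList only hides those entries from the returned String[]; nothing visible in this hunk removes them from the SSL's cipher list or disables the protocol, so a caller that audits getEnabledCipherSuites could see no SSLv2 suite while one is still negotiable. Whether SSLv2 is turned off elsewhere (options or cipher string) is outside the hunk, so I would state the limit where the filter lives, e.g. `// Reporting filter only: SSLv2 entries stay in cipher_list; SSLv2 must be disabled separately.` The same skip is repeated in the fill loop of the `@@ -1734,9 +1741,14` hunk, and the function body continues outside this hunk.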
@@ -1734,9 +1741,14 @@ static jobjectArray makeCipherList(JNIEnv* env, SSL* ssl) {
 }
 // Fill in the cipher names.
- for (int i = 0; i < cipherCount; ++i) {
- const char* c = SSL_get_cipher_list(ssl, i);
- env->SetObjectArrayElement(array, i, env->NewStringUTF(c));
+ int cipherIndex = 0;
+ for (int i = 0; i < num; ++i) {
+ SSL_CIPHER* cipher = sk_SSL_CIPHER_value(cipher_list, i);
+ if (strcmp(SSL_CIPHER_get_version(cipher), SSL_TXT_SSLV2) == 0) {
+ continue;
+ }
+ env->SetObjectArrayElement(array, cipherIndex, env->NewStringUTF(cipher->name));
+ ++cipherIndex;
 }
 return array;
 }
@@ -1801,15 +1813,14 @@ static void OpenSSLSocketImpl_nativeSetEnabledCipherSuites(JNIEnv* env, jclass,
 setEnabledCipherSuites(env, controlString, ssl_ctx);
 }
-#define SSL_AUTH_MASK 0x00007F00L
-#define SSL_aRSA 0x00000100L /* Authenticate with RSA */
-#define SSL_aDSS 0x00000200L /* Authenticate with DSS */
-#define SSL_DSS SSL_aDSS
-#define SSL_aFZA 0x00000400L
-#define SSL_aNULL 0x00000800L /* no Authenticate, ADH */
-#define SSL_aDH 0x00001000L /* no Authenticate, ADH */
-#define SSL_aKRB5 0x00002000L /* Authenticate with KRB5 */
-#define SSL_aECDSA 0x00004000L /* Authenticate with ECDSA */
+#define SSL_aRSA 0x00000001L
+#define SSL_aDSS 0x00000002L
+#define SSL_aNULL 0x00000004L
+#define SSL_aDH 0x00000008L
+#define SSL_aECDH 0x00000010L
+#define SSL_aKRB5 0x00000020L
+#define SSL_aECDSA 0x00000040L
+#define SSL_aPSK 0x00000080L
 /**
 * Sets the client's crypto algorithms and authentication methods.
@@ -1818,10 +1829,10 @@ static jstring org_apache_harmony_xnet_provider_jsse_OpenSSLSocketImpl_cipheraut
 jobject object) {
 SSL* ssl;
- SSL_CIPHER *cipher;
+ const SSL_CIPHER *cipher;
 jstring ret;
 char buf[512];
- unsigned long alg;
+ unsigned long alg_auth;
 const char *au;
 ssl = getSslPointer(env, object, true);
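Review bot: In the `@@ -1734,9 +1741,14` hunk the fill loop repeats the SSLv2 test from the counting loop, and the array is presumably sized from that first pass (the allocation is outside the hunk), so the two predicates must stay identical or cipherIndex can run past the array or leave null slots. Moving the test into one small static helper called from both loops would keep them from drifting. The loop also reads `cipher->name` directly, while OpenSSLSessionImpl_getCipherSuite on this page goes through the accessor; `env->NewStringUTF(SSL_CIPHER_get_name(cipher))` would avoid depending on the struct layout.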
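Review bot: In the `@@ -1801,15 +1813,14` hunk the SSL_a* values are redefined locally with no note of where they come from, and this commit itself shows the risk, since every value had to change with the library version. They look like copies of definitions from OpenSSL's private ssl_locl.h (inferred; that header is not on the page), so a later import could silently make the switch in cipherauthenticationmethod report "unknown" or the wrong authentication method. I would add a comment above the block such as `// Copied from openssl-1.0.0 ssl/ssl_locl.h (private header); re-verify on every OpenSSL import`.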
@@ -1831,9 +1842,9 @@ static jstring org_apache_harmony_xnet_provider_jsse_OpenSSLSocketImpl_cipheraut
 cipher = SSL_get_current_cipher(ssl);
- alg = cipher->algorithms;
+ alg_auth = cipher->algorithm_auth;
- switch (alg&SSL_AUTH_MASK) {
+ switch (alg_auth) {
 case SSL_aRSA:
 au="RSA";
 break;
@@ -1843,8 +1854,11 @@ static jstring org_apache_harmony_xnet_provider_jsse_OpenSSLSocketImpl_cipheraut
 case SSL_aDH:
 au="DH";
 break;
- case SSL_aFZA:
- au = "FZA";
+ case SSL_aKRB5:
+ au="KRB5";
+ break;
+ case SSL_aECDH:
+ au = "ECDH";
 break;
 case SSL_aNULL:
 au="None";
@@ -1852,6 +1866,9 @@ static jstring org_apache_harmony_xnet_provider_jsse_OpenSSLSocketImpl_cipheraut
 case SSL_aECDSA:
 au="ECDSA";
 break;
+ case SSL_aPSK:
+ au="PSK";
+ break;
 default:
 au="unknown";
 break;
@@ -2514,7 +2531,7 @@ static jstring OpenSSLSessionImpl_getCipherSuite(JNIEnv* env, jobject object) {
 SSL_set_session(ssl, ssl_session);
- SSL_CIPHER* cipher = SSL_get_current_cipher(ssl);
+ const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl);
 jstring result = env->NewStringUTF(SSL_CIPHER_get_name(cipher));
 SSL_free(ssl);
diff --git a/x-net/src/test/java/tests/api/javax/net/ssl/SSLServerSocketTest.java b/x-net/src/test/java/tests/api/javax/net/ssl/SSLServerSocketTest.java
index c4bae0a..d12959b 100644
--- a/x-net/src/test/java/tests/api/javax/net/ssl/SSLServerSocketTest.java
+++ b/x-net/src/test/java/tests/api/javax/net/ssl/SSLServerSocketTest.java
@@ -33,6 +33,7 @@ import java.io.InputStream;
 import java.net.InetAddress;
 import java.security.KeyStore;
 import java.security.SecureRandom;
+import java.util.Arrays;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
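Review bot: In the `@@ -1831,9 +1842,9` hunk `cipher->algorithm_auth` is read straight after `SSL_get_current_cipher(ssl)` with no null check, and that call returns NULL when no session has been established, so invoking this method before the handshake completes would crash the process in native code. A guard before the dereference, such as `if (cipher == NULL) { return NULL; }` or whatever error path the function already uses for a missing ssl (that part is outside the hunk), would close it. The function starts and ends outside this hunk.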
@@ -327,7 +328,9 @@ public class SSLServerSocketTest extends TestCase {
 sss.setEnabledCipherSuites(sss.getSupportedCipherSuites());
 String[] res = sss.getEnabledCipherSuites();
 assertNotNull("NULL result", res);
- assertTrue("No enabled cipher suites.", res.length == count);
+ assertEquals("not all supported cipher suites were enabled",
+ Arrays.asList(sss.getSupportedCipherSuites()),
+ Arrays.asList(res));
 }
 /**
diff --git a/x-net/src/test/java/tests/api/javax/net/ssl/SSLSocketTest.java b/x-net/src/test/java/tests/api/javax/net/ssl/SSLSocketTest.java
index 13a0e59..a17df93 100644
--- a/x-net/src/test/java/tests/api/javax/net/ssl/SSLSocketTest.java
+++ b/x-net/src/test/java/tests/api/javax/net/ssl/SSLSocketTest.java
@@ -27,7 +27,7 @@ import javax.security.cert.X509Certificate;
 import java.net.*;
 import java.security.KeyStore;
 import java.security.SecureRandom;
-import java.lang.String;
+import java.util.Arrays;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -636,8 +636,10 @@ public class SSLSocketTest extends TestCase {
 }
 ssl.setEnabledCipherSuites(ssl.getSupportedCipherSuites());
 String[] res = ssl.getEnabledCipherSuites();
- assertEquals("not all supported cipher suites where enabled",
- ssl.getSupportedCipherSuites().length, res.length);
+ assertNotNull("NULL result", res);
+ assertEquals("not all supported cipher suites were enabled",
+ Arrays.asList(ssl.getSupportedCipherSuites()),
+ Arrays.asList(res));
 }
 /**
-- cgit v1.1
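Review bot: In the `@@ -327,7 +328,9` hunk the new assertEquals compares `Arrays.asList(...)` lists, which is order-sensitive, so the test now also requires getEnabledCipherSuites to return the suites in the same order as getSupportedCipherSuites. If only membership and duplicates are meant to be checked, sorting clones of both arrays with `Arrays.sort` before the comparison would be less brittle while still catching duplicate names. The removed assertion was the visible use of `count`, so that local (declared outside the hunk) may now be unused. The `@@ -636,8 +636,10` hunk in SSLSocketTest has the same order-sensitive comparison.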