Commits

Anonymous committed a0d32ad

DO NOT MERGE

Disable SSL compression

Bug: 7079965

Change-Id: I8e060a827613e212bbcced66507fbf124bb04543

modified: luni/src/main/java/libcore/net/http/HttpConnection.java
modified: luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
modified: luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
modified: luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
modified: luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
modified: luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
modified: luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

Comments (0)

Files changed (7)

luni/src/main/java/libcore/net/http/HttpConnection.java

         // tlsTolerant mimics Chrome's behavior
         if (tlsTolerant && unverifiedSocket instanceof OpenSSLSocketImpl) {
             OpenSSLSocketImpl openSslSocket = (OpenSSLSocketImpl) unverifiedSocket;
-            openSslSocket.setEnabledCompressionMethods(new String[] { "ZLIB"});
             openSslSocket.setUseSessionTickets(true);
             openSslSocket.setHostname(address.uriHost);
             // use SSLSocketFactory default enabled protocols

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java

     // SSL options from ssl.h
     public static final long SSL_OP_NO_TICKET                              = 0x00004000L;
     public static final long SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000L;
-    public static final long SSL_OP_NO_COMPRESSION                         = 0x00020000L;
     public static final long SSL_OP_NO_SSLv3                               = 0x02000000L;
     public static final long SSL_OP_NO_TLSv1                               = 0x04000000L;
     public static final long SSL_OP_NO_TLSv1_1                             = 0x10000000L;
         return cipherSuites;
     }
 
-    public static final String SUPPORTED_COMPRESSION_METHOD_ZLIB = "ZLIB";
-    public static final String SUPPORTED_COMPRESSION_METHOD_NULL = "NULL";
-
-    private static final String[] SUPPORTED_COMPRESSION_METHODS
-            = { SUPPORTED_COMPRESSION_METHOD_ZLIB, SUPPORTED_COMPRESSION_METHOD_NULL };
-
-    public static String[] getSupportedCompressionMethods() {
-        return SUPPORTED_COMPRESSION_METHODS.clone();
-    }
-
-    public static final String[] getDefaultCompressionMethods() {
-        return new String[] { SUPPORTED_COMPRESSION_METHOD_NULL };
-    }
-
-    public static String[] checkEnabledCompressionMethods(String[] methods) {
-        if (methods == null) {
-            throw new IllegalArgumentException("methods == null");
-        }
-        if (methods.length < 1
-                && !methods[methods.length-1].equals(SUPPORTED_COMPRESSION_METHOD_NULL)) {
-            throw new IllegalArgumentException("last method must be NULL");
-        }
-        for (int i = 0; i < methods.length; i++) {
-            String method = methods[i];
-            if (method == null) {
-                throw new IllegalArgumentException("methods[" + i + "] == null");
-            }
-            if (!method.equals(SUPPORTED_COMPRESSION_METHOD_ZLIB)
-                    && !method.equals(SUPPORTED_COMPRESSION_METHOD_NULL)) {
-                throw new IllegalArgumentException("method " + method
-                                                   + " is not supported");
-            }
-        }
-        return methods;
-    }
-
-    public static void setEnabledCompressionMethods(int ssl, String[] methods) {
-        checkEnabledCompressionMethods(methods);
-        // openssl uses negative logic letting you disable compression.
-        // so first, assume we need to set all (disable all) and clear none (enable none).
-        // in the loop, selectively move bits from set to clear (from disable to enable)
-        long optionsToSet = (SSL_OP_NO_COMPRESSION);
-        long optionsToClear = 0;
-        for (int i = 0; i < methods.length; i++) {
-            String method = methods[i];
-            if (method.equals(SUPPORTED_COMPRESSION_METHOD_NULL)) {
-                // nothing to do to support NULL
-            } else if (method.equals(SUPPORTED_COMPRESSION_METHOD_ZLIB)) {
-                optionsToSet &= ~SSL_OP_NO_COMPRESSION;
-                optionsToClear |= SSL_OP_NO_COMPRESSION;
-            } else {
-                // error checked by checkEnabledCompressionMethods
-                throw new IllegalStateException();
-            }
-        }
-
-        SSL_set_options(ssl, optionsToSet);
-        SSL_clear_options(ssl, optionsToClear);
-    }
-
     /*
      * See the OpenSSL ssl.h header file for more information.
      */
 
     public static native String SSL_SESSION_cipher(int sslSessionNativePointer);
 
-    public static native String SSL_SESSION_compress_meth(int sslCtxNativePointer,
-                                                          int sslSessionNativePointer);
-
     public static native void SSL_SESSION_free(int sslSessionNativePointer);
 
     public static native byte[] i2d_SSL_SESSION(int sslSessionNativePointer);

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java

     private final SSLParametersImpl sslParameters;
     private String[] enabledProtocols = NativeCrypto.getSupportedProtocols();
     private String[] enabledCipherSuites = NativeCrypto.getDefaultCipherSuites();
-    private String[] enabledCompressionMethods = NativeCrypto.getDefaultCompressionMethods();
 
     protected OpenSSLServerSocketImpl(SSLParametersImpl sslParameters) throws IOException {
         this.sslParameters = sslParameters;
         enabledCipherSuites = NativeCrypto.checkEnabledCipherSuites(suites);
     }
 
-    public String[] getSupportedCompressionMethods() {
-        return NativeCrypto.getSupportedCompressionMethods();
-    }
-
-    public String[] getEnabledCompressionMethods() {
-        return enabledCompressionMethods.clone();
-    }
-
-    /**
-     * This method enables the compression methods listed by
-     * getSupportedCompressionMethods().
-     *
-     * @param suites the names of all the compression methods to enable
-     * @throws IllegalArgumentException when one or more of the ciphers in array
-     *         suites are not supported, or when the array is null.
-     */
-    public void setEnabledCompressionMethods(String[] methods) {
-        enabledCompressionMethods = NativeCrypto.checkEnabledCompressionMethods(methods);
-    }
-
     @Override
     public boolean getWantClientAuth() {
         return sslParameters.getWantClientAuth();
 
         OpenSSLSocketImpl socket = new OpenSSLSocketImpl(sslParameters,
                                                          enabledProtocols.clone(),
-                                                         enabledCipherSuites.clone(),
-                                                         enabledCompressionMethods.clone());
+                                                         enabledCipherSuites.clone());
         implAccept(socket);
         return socket;
     }

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java

     private int peerPort = -1;
     private String cipherSuite;
     private String protocol;
-    private String compressionMethod;
     private AbstractSessionContext sessionContext;
     private byte[] id;
 
     }
 
     /**
-     * Returns the compression method name used in all connections
-     * pertaining to this SSL session.
-     */
-    public String getCompressionMethod() {
-        if (compressionMethod == null) {
-            compressionMethod
-                    = NativeCrypto.SSL_SESSION_compress_meth(sessionContext.sslCtxNativePointer,
-                                                             sslSessionNativePointer);
-        }
-        return compressionMethod;
-    }
-
-    /**
      * Returns the context to which the actual SSL session is bound. A SSL
      * context consists of (1) a possible delegate, (2) a provider and (3) a
      * protocol.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

  * Extensions to SSLSocket include:
  * <ul>
  * <li>handshake timeout
- * <li>compression methods
  * <li>session tickets
  * <li>Server Name Indication
  * </ul>
     private byte[] npnProtocols;
     private String[] enabledProtocols;
     private String[] enabledCipherSuites;
-    private String[] enabledCompressionMethods;
     private boolean useSessionTickets;
     private String hostname;
     private OpenSSLSessionImpl sslSession;
 
     protected OpenSSLSocketImpl(SSLParametersImpl sslParameters,
                                 String[] enabledProtocols,
-                                String[] enabledCipherSuites,
-                                String[] enabledCompressionMethods) throws IOException {
+                                String[] enabledCipherSuites) throws IOException {
         this.socket = this;
-        init(sslParameters, enabledProtocols, enabledCipherSuites, enabledCompressionMethods);
+        init(sslParameters, enabledProtocols, enabledCipherSuites);
     }
 
     protected OpenSSLSocketImpl(String host, int port, SSLParametersImpl sslParameters)
     private void init(SSLParametersImpl sslParameters) throws IOException {
         init(sslParameters,
              NativeCrypto.getDefaultProtocols(),
-             NativeCrypto.getDefaultCipherSuites(),
-             NativeCrypto.getDefaultCompressionMethods());
+             NativeCrypto.getDefaultCipherSuites());
     }
 
     /**
      */
     private void init(SSLParametersImpl sslParameters,
                       String[] enabledProtocols,
-                      String[] enabledCipherSuites,
-                      String[] enabledCompressionMethods) throws IOException {
+                      String[] enabledCipherSuites) throws IOException {
         this.sslParameters = sslParameters;
         this.enabledProtocols = enabledProtocols;
         this.enabledCipherSuites = enabledCipherSuites;
-        this.enabledCompressionMethods = enabledCompressionMethods;
     }
 
     /**
             return null;
         }
 
-        String compressionMethod = session.getCompressionMethod();
-        if (!compressionMethod.equals(NativeCrypto.SUPPORTED_COMPRESSION_METHOD_NULL)) {
-            boolean compressionMethodFound = false;
-            for (String enabledCompressionMethod : enabledCompressionMethods) {
-                if (compressionMethod.equals(enabledCompressionMethod)) {
-                    compressionMethodFound = true;
-                    break;
-                }
-            }
-            if (!compressionMethodFound) {
-                return null;
-            }
-        }
-
         return session;
     }
 
 
             NativeCrypto.setEnabledProtocols(sslNativePointer, enabledProtocols);
             NativeCrypto.setEnabledCipherSuites(sslNativePointer, enabledCipherSuites);
-            if (enabledCompressionMethods.length != 0) {
-                NativeCrypto.setEnabledCompressionMethods(sslNativePointer,
-                                                          enabledCompressionMethods);
-            }
             if (useSessionTickets) {
                 NativeCrypto.SSL_clear_options(sslNativePointer, NativeCrypto.SSL_OP_NO_TICKET);
             }
     }
 
     /**
-     * The names of the compression methods that may be used on this SSL
-     * connection.
-     * @return an array of compression methods
-     */
-    public String[] getSupportedCompressionMethods() {
-        return NativeCrypto.getSupportedCompressionMethods();
-    }
-
-    /**
-     * The names of the compression methods versions that are in use
-     * on this SSL connection.
-     *
-     * @return an array of compression methods
-     */
-    public String[] getEnabledCompressionMethods() {
-        return enabledCompressionMethods.clone();
-    }
-
-    /**
-     * Enables compression methods listed by getSupportedCompressionMethods().
-     *
-     * @throws IllegalArgumentException when one or more of the names in the
-     *             array are not supported, or when the array is null.
-     */
-    public void setEnabledCompressionMethods(String[] methods) {
-        enabledCompressionMethods = NativeCrypto.checkEnabledCompressionMethods(methods);
-    }
-
-    /**
      * This method enables session ticket support.
      *
      * @param useSessionTickets True to enable session tickets

luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

 }
 
 /**
- * Gets and returns in a string the compression method negotiated for the SSL session.
- */
-static jstring NativeCrypto_SSL_SESSION_compress_meth(JNIEnv* env, jclass,
-                                                      jint ssl_ctx_address,
-                                                      jint ssl_session_address) {
-    SSL_CTX* ssl_ctx = to_SSL_CTX(env, ssl_ctx_address, true);
-    SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true);
-    JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_compress_meth ssl_ctx=%p",
-              ssl_session, ssl_ctx);
-    if (ssl_ctx == NULL || ssl_session == NULL) {
-        return NULL;
-    }
-
-    int compress_meth = ssl_session->compress_meth;
-    if (compress_meth == 0) {
-        const char* name = "NULL";
-        JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_compress_meth => %s", ssl_session, name);
-        return env->NewStringUTF(name);
-    }
-
-    int num_comp_methods = sk_SSL_COMP_num(ssl_ctx->comp_methods);
-    for (int i = 0; i < num_comp_methods; i++) {
-        SSL_COMP* comp = sk_SSL_COMP_value(ssl_ctx->comp_methods, i);
-        if (comp->id != compress_meth) {
-            continue;
-        }
-        const char* name = ((comp->method && comp->method->type == NID_zlib_compression)
-                            ? SN_zlib_compression
-                            : (comp->name ? comp->name : "UNKNOWN"));
-        JNI_TRACE("ssl_session=%p NativeCrypto_SSL_SESSION_compress_meth => %s", ssl_session, name);
-        return env->NewStringUTF(name);
-    }
-    throwSSLExceptionStr(env, "Unknown compression method");
-    return NULL;
-}
-
-/**
  * Frees the SSL session.
  */
 static void NativeCrypto_SSL_SESSION_free(JNIEnv* env, jclass, jint ssl_session_address) {
     NATIVE_METHOD(NativeCrypto, SSL_SESSION_get_time, "(I)J"),
     NATIVE_METHOD(NativeCrypto, SSL_SESSION_get_version, "(I)Ljava/lang/String;"),
     NATIVE_METHOD(NativeCrypto, SSL_SESSION_cipher, "(I)Ljava/lang/String;"),
-    NATIVE_METHOD(NativeCrypto, SSL_SESSION_compress_meth, "(II)Ljava/lang/String;"),
     NATIVE_METHOD(NativeCrypto, SSL_SESSION_free, "(I)V"),
     NATIVE_METHOD(NativeCrypto, i2d_SSL_SESSION, "(I)[B"),
     NATIVE_METHOD(NativeCrypto, d2i_SSL_SESSION, "([B)I"),

luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

         server.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
     }
 
-    public void test_SSL_SESSION_compress_meth_null() throws Exception {
-        try {
-            NativeCrypto.SSL_SESSION_compress_meth(NULL, NULL);
-            fail();
-        } catch (NullPointerException expected) {
-        }
-
-        {
-            int c = NativeCrypto.SSL_CTX_new();
-            try {
-                NativeCrypto.SSL_SESSION_compress_meth(c, NULL);
-            } catch (NullPointerException expected) {
-            }
-            NativeCrypto.SSL_CTX_free(c);
-        }
-    }
-
-    public void test_SSL_SESSION_compress_meth_NULL() throws Exception {
-        final ServerSocket listener = new ServerSocket(0);
-
-        Hooks cHooks = new Hooks() {
-            @Override
-            public void afterHandshake(int session, int s, int c,
-                                       Socket sock, FileDescriptor fd,
-                                       SSLHandshakeCallbacks callback)
-                    throws Exception {
-                assertEquals("NULL", NativeCrypto.SSL_SESSION_compress_meth(c, session));
-                super.afterHandshake(session, s, c, sock, fd, callback);
-            }
-        };
-        Hooks sHooks = new ServerHooks(getServerPrivateKey(), getServerCertificates());
-        Future<TestSSLHandshakeCallbacks> client = handshake(listener, 0, true, cHooks, null);
-        Future<TestSSLHandshakeCallbacks> server = handshake(listener, 0, false, sHooks, null);
-        client.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
-        server.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
-    }
-
-    public void test_SSL_SESSION_compress_meth_ZLIB() throws Exception {
-        final ServerSocket listener = new ServerSocket(0);
-
-        Hooks cHooks = new Hooks() {
-            @Override
-            public int beforeHandshake(int c) throws SSLException {
-                int s = super.beforeHandshake(c);
-                NativeCrypto.SSL_clear_options(s, NativeCrypto.SSL_OP_NO_COMPRESSION);
-                return s;
-            }
-            @Override
-            public void afterHandshake(int session, int s, int c,
-                                       Socket sock, FileDescriptor fd,
-                                       SSLHandshakeCallbacks callback)
-                    throws Exception {
-                assertEquals("ZLIB", NativeCrypto.SSL_SESSION_compress_meth(c, session));
-                super.afterHandshake(session, s, c, sock, fd, callback);
-            }
-        };
-        Hooks sHooks = new ServerHooks(getServerPrivateKey(), getServerCertificates()) {
-            @Override
-            public int beforeHandshake(int c) throws SSLException {
-                int s = super.beforeHandshake(c);
-                NativeCrypto.SSL_clear_options(s, NativeCrypto.SSL_OP_NO_COMPRESSION);
-                return s;
-            }
-        };
-        Future<TestSSLHandshakeCallbacks> client = handshake(listener, 0, true, cHooks, null);
-        Future<TestSSLHandshakeCallbacks> server = handshake(listener, 0, false, sHooks, null);
-        client.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
-        server.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
-    }
-
     public void test_SSL_SESSION_free() throws Exception {
         try {
             NativeCrypto.SSL_SESSION_free(NULL);