Update to latest Conscrypt release and add workarounds for bugs (#10211)

Motivation:

We are far behind with the version of Conscrypt we are using during testing. We should ensure we use the latest.

Modifications:

- Update conscrypt dependency
- Ensure we use conscrypt provider in tests
- Add workarounds for conscrypt bugs in testsuite

Result:

Use latest Conscrypt release
This commit is contained in:
Norman Maurer 2020-04-28 09:50:05 +02:00 committed by GitHub
parent c354fa48e1
commit 83012a038b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 47 additions and 33 deletions

View File

@ -80,18 +80,4 @@ public class ConscryptJdkSslEngineInteropTest extends SSLEngineTest {
// TODO(scott): work around for a JDK issue. The exception should be SSLHandshakeException. // TODO(scott): work around for a JDK issue. The exception should be SSLHandshakeException.
return super.mySetupMutualAuthServerIsValidServerException(cause) || causedBySSLException(cause); return super.mySetupMutualAuthServerIsValidServerException(cause) || causedBySSLException(cause);
} }
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testSessionBindingEvent() throws Exception {
// Ignore due bug in Conscrypt where the incorrect SSLSession object is used in the SSLSessionBindingEvent.
// See https://github.com/google/conscrypt/issues/593
}
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testHandshakeSession() throws Exception {
// Ignore as Conscrypt does not correctly return the local certificates while the TrustManager is invoked.
// See https://github.com/google/conscrypt/issues/634
}
} }

View File

@ -78,18 +78,4 @@ public class ConscryptSslEngineTest extends SSLEngineTest {
@Override @Override
public void testMutualAuthValidClientCertChainTooLongFailRequireClientAuth() { public void testMutualAuthValidClientCertChainTooLongFailRequireClientAuth() {
} }
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testSessionBindingEvent() throws Exception {
// Ignore due bug in Conscrypt where the incorrect SSLSession object is used in the SSLSessionBindingEvent.
// See https://github.com/google/conscrypt/issues/593
}
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testHandshakeSession() throws Exception {
// Ignore as Conscrypt does not correctly return the local certificates while the TrustManager is invoked.
// See https://github.com/google/conscrypt/issues/634
}
} }

View File

@ -1947,12 +1947,14 @@ public abstract class SSLEngineTest {
.trustManager(InsecureTrustManagerFactory.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE)
.ciphers(Collections.singletonList(sharedCipher)) .ciphers(Collections.singletonList(sharedCipher))
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.build()); .build());
serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.ciphers(Collections.singletonList(sharedCipher)) .ciphers(Collections.singletonList(sharedCipher))
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.build()); .build());
SSLEngine clientEngine = null; SSLEngine clientEngine = null;
@ -1978,12 +1980,14 @@ public abstract class SSLEngineTest {
.trustManager(InsecureTrustManagerFactory.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE)
.ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE) .ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE)
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.build()); .build());
serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE) .ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE)
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.build()); .build());
SSLEngine clientEngine = null; SSLEngine clientEngine = null;
@ -2006,6 +2010,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.trustManager(cert.cert()) .trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2014,6 +2019,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2049,6 +2055,7 @@ public abstract class SSLEngineTest {
public void testSSLEngineUnwrapNoSslRecord() throws Exception { public void testSSLEngineUnwrapNoSslRecord() throws Exception {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2079,6 +2086,7 @@ public abstract class SSLEngineTest {
public void testBeginHandshakeAfterEngineClosed() throws SSLException { public void testBeginHandshakeAfterEngineClosed() throws SSLException {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2093,6 +2101,12 @@ public abstract class SSLEngineTest {
fail(); fail();
} catch (SSLException expected) { } catch (SSLException expected) {
// expected // expected
} catch (IllegalStateException e) {
if (!Conscrypt.isEngineSupported(client)) {
throw e;
}
// Workaround for conscrypt bug
// See https://github.com/google/conscrypt/issues/840
} }
} finally { } finally {
cleanupClientSslEngine(client); cleanupClientSslEngine(client);
@ -2105,6 +2119,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2113,6 +2128,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2156,6 +2172,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2164,6 +2181,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2184,7 +2202,11 @@ public abstract class SSLEngineTest {
engine.beginHandshake(); engine.beginHandshake();
try { try {
engine.closeInbound(); engine.closeInbound();
fail(); // Workaround for conscrypt bug
// See https://github.com/google/conscrypt/issues/839
if (!Conscrypt.isEngineSupported(engine)) {
fail();
}
} catch (SSLException expected) { } catch (SSLException expected) {
// expected // expected
} }
@ -2197,6 +2219,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.trustManager(cert.cert()) .trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
// This test only works for non TLSv1.3 for now // This test only works for non TLSv1.3 for now
.protocols(PROTOCOL_TLS_V1_2) .protocols(PROTOCOL_TLS_V1_2)
@ -2205,6 +2228,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
// This test only works for non TLSv1.3 for now // This test only works for non TLSv1.3 for now
.protocols(PROTOCOL_TLS_V1_2) .protocols(PROTOCOL_TLS_V1_2)
@ -2234,7 +2258,8 @@ public abstract class SSLEngineTest {
assertEquals(SSLEngineResult.Status.CLOSED, result.getStatus()); assertEquals(SSLEngineResult.Status.CLOSED, result.getStatus());
// Need an UNWRAP to read the response of the close_notify // Need an UNWRAP to read the response of the close_notify
if (PlatformDependent.javaVersion() >= 12 && sslClientProvider() == SslProvider.JDK) { if ((PlatformDependent.javaVersion() >= 12 && sslClientProvider() == SslProvider.JDK)
|| Conscrypt.isEngineSupported(client)) {
// This is a workaround for a possible JDK12+ bug. // This is a workaround for a possible JDK12+ bug.
// //
// See http://mail.openjdk.java.net/pipermail/security-dev/2019-February/019406.html. // See http://mail.openjdk.java.net/pipermail/security-dev/2019-February/019406.html.
@ -2352,6 +2377,7 @@ public abstract class SSLEngineTest {
.forClient() .forClient()
.trustManager(cert.cert()) .trustManager(cert.cert())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.sslContextProvider(clientSslContextProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
.build()); .build());
@ -2360,6 +2386,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.sslContextProvider(serverSslContextProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
.build()); .build());
@ -2394,6 +2421,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.trustManager(cert.cert()) .trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2402,6 +2430,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2473,6 +2502,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.trustManager(cert.cert()) .trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2481,6 +2511,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2541,6 +2572,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.trustManager(cert.cert()) .trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2549,6 +2581,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2616,6 +2649,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
.trustManager(cert.cert()) .trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2624,6 +2658,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2672,6 +2707,7 @@ public abstract class SSLEngineTest {
SslContext ctx = wrapContext(SslContextBuilder SslContext ctx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -2704,7 +2740,10 @@ public abstract class SSLEngineTest {
@Test @Test
public void testUsingX509TrustManagerVerifiesHostname() throws Exception { public void testUsingX509TrustManagerVerifiesHostname() throws Exception {
SslProvider clientProvider = sslClientProvider(); if (clientSslContextProvider() != null) {
// Not supported when using conscrypt
return;
}
SelfSignedCertificate cert = new SelfSignedCertificate(); SelfSignedCertificate cert = new SelfSignedCertificate();
clientSslCtx = wrapContext(SslContextBuilder clientSslCtx = wrapContext(SslContextBuilder
.forClient() .forClient()
@ -2743,6 +2782,7 @@ public abstract class SSLEngineTest {
} }
}, null, TrustManagerFactory.getDefaultAlgorithm()) { }, null, TrustManagerFactory.getDefaultAlgorithm()) {
}) })
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.build()); .build());
@ -2753,6 +2793,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey()) .forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.build()); .build());
@ -2778,7 +2819,8 @@ public abstract class SSLEngineTest {
SSLEngine server = null; SSLEngine server = null;
try { try {
serverSslCtx = wrapContext(SslContextBuilder.forServer(cert.key(), cert.cert()) serverSslCtx = wrapContext(SslContextBuilder.forServer(cert.key(), cert.cert())
.sslProvider(sslClientProvider()) .sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.ciphers(cipherList).build()); .ciphers(cipherList).build());
server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT)); server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
fail(); fail();

View File

@ -359,7 +359,7 @@
<tcnative.classifier>${os.detected.classifier}</tcnative.classifier> <tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
<conscrypt.groupId>org.conscrypt</conscrypt.groupId> <conscrypt.groupId>org.conscrypt</conscrypt.groupId>
<conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId> <conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId>
<conscrypt.version>1.3.0</conscrypt.version> <conscrypt.version>2.4.0</conscrypt.version>
<conscrypt.classifier /> <conscrypt.classifier />
<jni.classifier>${os.detected.name}-${os.detected.arch}</jni.classifier> <jni.classifier>${os.detected.name}-${os.detected.arch}</jni.classifier>
<logging.config>${project.basedir}/../common/src/test/resources/logback-test.xml</logging.config> <logging.config>${project.basedir}/../common/src/test/resources/logback-test.xml</logging.config>