Update to latest Conscrypt release and add workarounds for bugs (#10211)

Motivation:

We are far behind with the version of Conscrypt we are using during testing. We should ensure we use the latest.

Modifications:

- Update conscrypt dependency
- Ensure we use conscrypt provider in tests
- Add workarounds for conscrypt bugs in testsuite

Result:

Use latest Conscrypt release
This commit is contained in:
Norman Maurer 2020-04-28 09:50:05 +02:00 committed by GitHub
parent c354fa48e1
commit 83012a038b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 47 additions and 33 deletions

View File

@ -80,18 +80,4 @@ public class ConscryptJdkSslEngineInteropTest extends SSLEngineTest {
// TODO(scott): work around for a JDK issue. The exception should be SSLHandshakeException.
return super.mySetupMutualAuthServerIsValidServerException(cause) || causedBySSLException(cause);
}
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testSessionBindingEvent() throws Exception {
// Ignore due bug in Conscrypt where the incorrect SSLSession object is used in the SSLSessionBindingEvent.
// See https://github.com/google/conscrypt/issues/593
}
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testHandshakeSession() throws Exception {
// Ignore as Conscrypt does not correctly return the local certificates while the TrustManager is invoked.
// See https://github.com/google/conscrypt/issues/634
}
}

View File

@ -78,18 +78,4 @@ public class ConscryptSslEngineTest extends SSLEngineTest {
@Override
public void testMutualAuthValidClientCertChainTooLongFailRequireClientAuth() {
}
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testSessionBindingEvent() throws Exception {
// Ignore due bug in Conscrypt where the incorrect SSLSession object is used in the SSLSessionBindingEvent.
// See https://github.com/google/conscrypt/issues/593
}
@Ignore("Ignore due bug in Conscrypt")
@Override
public void testHandshakeSession() throws Exception {
// Ignore as Conscrypt does not correctly return the local certificates while the TrustManager is invoked.
// See https://github.com/google/conscrypt/issues/634
}
}

View File

@ -1947,12 +1947,14 @@ public abstract class SSLEngineTest {
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.ciphers(Collections.singletonList(sharedCipher))
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.build());
serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.ciphers(Collections.singletonList(sharedCipher))
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.build());
SSLEngine clientEngine = null;
@ -1978,12 +1980,14 @@ public abstract class SSLEngineTest {
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE)
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.build());
serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE)
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.build());
SSLEngine clientEngine = null;
@ -2006,6 +2010,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2014,6 +2019,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2049,6 +2055,7 @@ public abstract class SSLEngineTest {
public void testSSLEngineUnwrapNoSslRecord() throws Exception {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2079,6 +2086,7 @@ public abstract class SSLEngineTest {
public void testBeginHandshakeAfterEngineClosed() throws SSLException {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2093,6 +2101,12 @@ public abstract class SSLEngineTest {
fail();
} catch (SSLException expected) {
// expected
} catch (IllegalStateException e) {
if (!Conscrypt.isEngineSupported(client)) {
throw e;
}
// Workaround for conscrypt bug
// See https://github.com/google/conscrypt/issues/840
}
} finally {
cleanupClientSslEngine(client);
@ -2105,6 +2119,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2113,6 +2128,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2156,6 +2172,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2164,6 +2181,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2184,7 +2202,11 @@ public abstract class SSLEngineTest {
engine.beginHandshake();
try {
engine.closeInbound();
// Workaround for conscrypt bug
// See https://github.com/google/conscrypt/issues/839
if (!Conscrypt.isEngineSupported(engine)) {
fail();
}
} catch (SSLException expected) {
// expected
}
@ -2197,6 +2219,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
// This test only works for non TLSv1.3 for now
.protocols(PROTOCOL_TLS_V1_2)
@ -2205,6 +2228,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
// This test only works for non TLSv1.3 for now
.protocols(PROTOCOL_TLS_V1_2)
@ -2234,7 +2258,8 @@ public abstract class SSLEngineTest {
assertEquals(SSLEngineResult.Status.CLOSED, result.getStatus());
// Need an UNWRAP to read the response of the close_notify
if (PlatformDependent.javaVersion() >= 12 && sslClientProvider() == SslProvider.JDK) {
if ((PlatformDependent.javaVersion() >= 12 && sslClientProvider() == SslProvider.JDK)
|| Conscrypt.isEngineSupported(client)) {
// This is a workaround for a possible JDK12+ bug.
//
// See http://mail.openjdk.java.net/pipermail/security-dev/2019-February/019406.html.
@ -2352,6 +2377,7 @@ public abstract class SSLEngineTest {
.forClient()
.trustManager(cert.cert())
.sslProvider(sslClientProvider())
.sslContextProvider(clientSslContextProvider())
.protocols(protocols())
.ciphers(ciphers())
.build());
@ -2360,6 +2386,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslProvider(sslServerProvider())
.sslContextProvider(serverSslContextProvider())
.protocols(protocols())
.ciphers(ciphers())
.build());
@ -2394,6 +2421,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2402,6 +2430,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2473,6 +2502,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2481,6 +2511,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2541,6 +2572,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2549,6 +2581,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2616,6 +2649,7 @@ public abstract class SSLEngineTest {
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
.trustManager(cert.cert())
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2624,6 +2658,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2672,6 +2707,7 @@ public abstract class SSLEngineTest {
SslContext ctx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.protocols(protocols())
.ciphers(ciphers())
@ -2704,7 +2740,10 @@ public abstract class SSLEngineTest {
@Test
public void testUsingX509TrustManagerVerifiesHostname() throws Exception {
SslProvider clientProvider = sslClientProvider();
if (clientSslContextProvider() != null) {
// Not supported when using conscrypt
return;
}
SelfSignedCertificate cert = new SelfSignedCertificate();
clientSslCtx = wrapContext(SslContextBuilder
.forClient()
@ -2743,6 +2782,7 @@ public abstract class SSLEngineTest {
}
}, null, TrustManagerFactory.getDefaultAlgorithm()) {
})
.sslContextProvider(clientSslContextProvider())
.sslProvider(sslClientProvider())
.build());
@ -2753,6 +2793,7 @@ public abstract class SSLEngineTest {
serverSslCtx = wrapContext(SslContextBuilder
.forServer(cert.certificate(), cert.privateKey())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.build());
@ -2778,7 +2819,8 @@ public abstract class SSLEngineTest {
SSLEngine server = null;
try {
serverSslCtx = wrapContext(SslContextBuilder.forServer(cert.key(), cert.cert())
.sslProvider(sslClientProvider())
.sslContextProvider(serverSslContextProvider())
.sslProvider(sslServerProvider())
.ciphers(cipherList).build());
server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
fail();

View File

@ -359,7 +359,7 @@
<tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
<conscrypt.groupId>org.conscrypt</conscrypt.groupId>
<conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId>
<conscrypt.version>1.3.0</conscrypt.version>
<conscrypt.version>2.4.0</conscrypt.version>
<conscrypt.classifier />
<jni.classifier>${os.detected.name}-${os.detected.arch}</jni.classifier>
<logging.config>${project.basedir}/../common/src/test/resources/logback-test.xml</logging.config>