From 5fd116fe8fbf00a551e305f5c31ec07d54274ab0 Mon Sep 17 00:00:00 2001 From: Elinor Fung Date: Thu, 8 Apr 2021 10:36:11 -0700 Subject: [PATCH 1/7] Handle requested SslProtocols --- .../Interop.Ssl.ProtocolSupport.cs | 14 +++ .../Interop.Ssl.cs | 10 ++ .../Native/Unix/Common/pal_ssl_types.h | 19 +++ .../pal_jni.c | 4 + .../pal_jni.h | 2 + .../pal_ssl.c | 65 ++++++---- .../pal_ssl.h | 17 +-- .../pal_sslstream.c | 112 +++++++++++++----- .../pal_sslstream.h | 11 ++ .../pal_ssl.h | 13 +- .../src/Resources/Strings.resx | 3 + .../src/System.Net.Security.csproj | 4 + .../Pal.Android/SafeDeleteSslContext.cs | 24 +++- .../Pal.Managed/SslProtocolsValidation.cs | 75 ++++++++++++ .../Security/Pal.OSX/SafeDeleteSslContext.cs | 65 +--------- .../Net/Security/SslConnectionInfo.Android.cs | 3 +- 16 files changed, 301 insertions(+), 140 deletions(-) create mode 100644 src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.ProtocolSupport.cs create mode 100644 src/libraries/Native/Unix/Common/pal_ssl_types.h create mode 100644 src/libraries/System.Net.Security/src/System/Net/Security/Pal.Managed/SslProtocolsValidation.cs diff --git a/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.ProtocolSupport.cs b/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.ProtocolSupport.cs new file mode 100644 index 00000000000000..65981eccfb3aba --- /dev/null +++ b/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.ProtocolSupport.cs @@ -0,0 +1,14 @@ +// Licensed to the .NET Foundation under one or more agreements. +// The .NET Foundation licenses this file to you under the MIT license. + +using System.Runtime.InteropServices; +using System.Security.Authentication; + +internal static partial class Interop +{ + internal static partial class AndroidCrypto + { + [DllImport(Interop.Libraries.CryptoNative, EntryPoint = "AndroidCryptoNative_SSLGetSupportedProtocols")] + internal static extern SslProtocols SSLGetSupportedProtocols(); + } +} diff --git a/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs b/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs index b9aed3973f845a..fcd6cab6fcaf12 100644 --- a/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs +++ b/src/libraries/Common/src/Interop/Android/System.Security.Cryptography.Native.Android/Interop.Ssl.cs @@ -4,6 +4,7 @@ using System; using System.Buffers; using System.Runtime.InteropServices; +using System.Security.Authentication; using System.Security.Cryptography.X509Certificates; using Microsoft.Win32.SafeHandles; @@ -78,6 +79,15 @@ internal static void SSLStreamConfigureParameters( throw new SslException(); } + [DllImport(Interop.Libraries.CryptoNative, EntryPoint = "AndroidCryptoNative_SSLStreamSetEnabledProtocols")] + private static extern int SSLStreamSetEnabledProtocols(SafeSslHandle sslHandle, ref SslProtocols protocols, int length); + internal static void SSLStreamSetEnabledProtocols(SafeSslHandle sslHandle, ReadOnlySpan protocols) + { + int ret = SSLStreamSetEnabledProtocols(sslHandle, ref MemoryMarshal.GetReference(protocols), protocols.Length); + if (ret != SUCCESS) + throw new SslException(); + } + [DllImport(Interop.Libraries.CryptoNative, EntryPoint = "AndroidCryptoNative_SSLStreamHandshake")] internal static extern PAL_SSLStreamStatus SSLStreamHandshake(SafeSslHandle sslHandle); diff --git a/src/libraries/Native/Unix/Common/pal_ssl_types.h b/src/libraries/Native/Unix/Common/pal_ssl_types.h new file mode 100644 index 00000000000000..67e8b6e382ba0c --- /dev/null +++ b/src/libraries/Native/Unix/Common/pal_ssl_types.h @@ -0,0 +1,19 @@ +// Licensed to the .NET Foundation under one or more agreements. +// The .NET Foundation licenses this file to you under the MIT license. + +#pragma once + +#include + +// Matches managed System.Security.Authentication.SslProtocols +enum +{ + PAL_SslProtocol_None = 0, + PAL_SslProtocol_Ssl2 = 12, + PAL_SslProtocol_Ssl3 = 48, + PAL_SslProtocol_Tls10 = 192, + PAL_SslProtocol_Tls11 = 768, + PAL_SslProtocol_Tls12 = 3072, + PAL_SslProtocol_Tls13 = 12288, +}; +typedef int32_t PAL_SslProtocol; diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.c index 7519257f5368a9..280ef1dfbabd02 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.c @@ -405,6 +405,8 @@ jmethodID g_SSLEngineWrap; jmethodID g_SSLEngineUnwrap; jmethodID g_SSLEngineCloseOutbound; jmethodID g_SSLEngineGetHandshakeStatus; +jmethodID g_SSLEngineGetSupportedProtocols; +jmethodID g_SSLEngineSetEnabledProtocols; jmethodID g_SSLEngineSetSSLParameters; // java/nio/ByteBuffer @@ -976,6 +978,8 @@ JNI_OnLoad(JavaVM *vm, void *reserved) g_SSLEngineUnwrap = GetMethod(env, false, g_SSLEngine, "unwrap", "(Ljava/nio/ByteBuffer;Ljava/nio/ByteBuffer;)Ljavax/net/ssl/SSLEngineResult;"); g_SSLEngineGetHandshakeStatus = GetMethod(env, false, g_SSLEngine, "getHandshakeStatus", "()Ljavax/net/ssl/SSLEngineResult$HandshakeStatus;"); g_SSLEngineCloseOutbound = GetMethod(env, false, g_SSLEngine, "closeOutbound", "()V"); + g_SSLEngineGetSupportedProtocols = GetMethod(env, false, g_SSLEngine, "getSupportedProtocols", "()[Ljava/lang/String;"); + g_SSLEngineSetEnabledProtocols = GetMethod(env, false, g_SSLEngine, "setEnabledProtocols", "([Ljava/lang/String;)V"); g_SSLEngineSetSSLParameters = GetMethod(env, false, g_SSLEngine, "setSSLParameters", "(Ljavax/net/ssl/SSLParameters;)V"); g_ByteBuffer = GetClassGRef(env, "java/nio/ByteBuffer"); diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.h index 6095640415b864..9d6f7199376d0d 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.h +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_jni.h @@ -419,6 +419,8 @@ extern jmethodID g_SSLEngineWrap; extern jmethodID g_SSLEngineUnwrap; extern jmethodID g_SSLEngineCloseOutbound; extern jmethodID g_SSLEngineGetHandshakeStatus; +extern jmethodID g_SSLEngineGetSupportedProtocols; +extern jmethodID g_SSLEngineSetEnabledProtocols; extern jmethodID g_SSLEngineSetSSLParameters; // java/nio/ByteBuffer diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c index d2866f906ae383..dd0b840e57c128 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c @@ -3,34 +3,55 @@ #include "pal_ssl.h" -int32_t CryptoNative_OpenSslGetProtocolSupport(SslProtocols protocol) +PAL_SslProtocol AndroidCryptoNative_SSLGetSupportedProtocols(void) { JNIEnv* env = GetJNIEnv(); - jobject sslCtxObj = (*env)->CallStaticObjectMethod(env, g_sslCtxClass, g_sslCtxGetDefaultMethod); - jobject sslParametersObj = (*env)->CallObjectMethod(env, sslCtxObj, g_sslCtxGetDefaultSslParamsMethod); - jobjectArray protocols = (jobjectArray)(*env)->CallObjectMethod(env, sslParametersObj, g_SSLParametersGetProtocols); + PAL_SslProtocol supported = 0; + INIT_LOCALS(loc, context, params, protocols); - int protocolsCount = (*env)->GetArrayLength(env, protocols); - int supported = 0; - for (int i = 0; i < protocolsCount; i++) + // SSLContext context = SSLContext.getDefault(); + // SSLParameters params = context.getDefaultSSLParameters(); + // String[] protocols = params.getProtocols(); + loc[context] = (*env)->CallStaticObjectMethod(env, g_sslCtxClass, g_sslCtxGetDefaultMethod); + loc[params] = (*env)->CallObjectMethod(env, loc[context], g_sslCtxGetDefaultSslParamsMethod); + loc[protocols] = (*env)->CallObjectMethod(env, loc[params], g_SSLParametersGetProtocols); + + const char tlsv1[] = "TLSv1"; + size_t tlsv1Len = (sizeof(tlsv1) - 1) / sizeof(char); + + int count = (*env)->GetArrayLength(env, loc[protocols]); + for (int i = 0; i < count; i++) { - jstring protocolStr = (jstring) ((*env)->GetObjectArrayElement(env, protocols, i)); - const char* protocolStrPtr = (*env)->GetStringUTFChars(env, protocolStr, NULL); - if ((!strcmp(protocolStrPtr, "TLSv1") && protocol == PAL_SSL_TLS) || - (!strcmp(protocolStrPtr, "TLSv1.1") && protocol == PAL_SSL_TLS11) || - (!strcmp(protocolStrPtr, "TLSv1.2") && protocol == PAL_SSL_TLS12) || - (!strcmp(protocolStrPtr, "TLSv1.3") && protocol == PAL_SSL_TLS13)) + jstring protocol = (*env)->GetObjectArrayElement(env, loc[protocols], i); + const char* protocolStr = (*env)->GetStringUTFChars(env, protocol, NULL); + if (strncmp(protocolStr, tlsv1, tlsv1Len) == 0) + { + if (strlen(protocolStr) == tlsv1Len) + { + supported |= PAL_SslProtocol_Tls10; + } + else if (strcmp(protocolStr + tlsv1Len, ".1") == 0) + { + supported |= PAL_SslProtocol_Tls11; + } + else if (strcmp(protocolStr + tlsv1Len, ".2") == 0) + { + supported |= PAL_SslProtocol_Tls12; + } + else if (strcmp(protocolStr + tlsv1Len, ".3") == 0) + { + supported |= PAL_SslProtocol_Tls13; + } + } + else if (strcmp(protocolStr, "SSLv3") == 0) { - supported = 1; - (*env)->ReleaseStringUTFChars(env, protocolStr, protocolStrPtr); - (*env)->DeleteLocalRef(env, protocolStr); - break; + supported |= PAL_SslProtocol_Ssl3; } - (*env)->ReleaseStringUTFChars(env, protocolStr, protocolStrPtr); - (*env)->DeleteLocalRef(env, protocolStr); + + (*env)->ReleaseStringUTFChars(env, protocol, protocolStr); + (*env)->DeleteLocalRef(env, protocol); } - (*env)->DeleteLocalRef(env, sslCtxObj); - (*env)->DeleteLocalRef(env, sslParametersObj); - (*env)->DeleteLocalRef(env, protocols); + + RELEASE_LOCALS(loc, env); return supported; } diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.h index 04227972f8175c..d4f1dcd23bd8c8 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.h +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.h @@ -4,16 +4,9 @@ #pragma once #include "pal_jni.h" +#include -typedef enum -{ - PAL_SSL_NONE = 0, - PAL_SSL_SSL2 = 12, - PAL_SSL_SSL3 = 48, - PAL_SSL_TLS = 192, - PAL_SSL_TLS11 = 768, - PAL_SSL_TLS12 = 3072, - PAL_SSL_TLS13 = 12288, -} SslProtocols; - -PALEXPORT int32_t CryptoNative_OpenSslGetProtocolSupport(SslProtocols protocol); +/* +Get the supported protocols +*/ +PALEXPORT PAL_SslProtocol AndroidCryptoNative_SSLGetSupportedProtocols(void); diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c index 6f1c8b238fc717..7352a30d81f3ed 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c @@ -53,13 +53,14 @@ static PAL_SSLStreamStatus Flush(JNIEnv* env, SSLStream* sslStream) netOutBuffer.compact(); */ + PAL_SSLStreamStatus ret = SSLStreamStatus_Error; + IGNORE_RETURN((*env)->CallObjectMethod(env, sslStream->netOutBuffer, g_ByteBufferFlip)); int bufferLimit = (*env)->CallIntMethod(env, sslStream->netOutBuffer, g_ByteBufferLimit); jbyteArray data = (*env)->NewByteArray(env, bufferLimit); IGNORE_RETURN((*env)->CallObjectMethod(env, sslStream->netOutBuffer, g_ByteBufferGet, data)); - if (CheckJNIExceptions(env)) - return SSLStreamStatus_Error; + ON_EXCEPTION_PRINT_AND_GOTO(cleanup); uint8_t* dataPtr = (uint8_t*)malloc((size_t)bufferLimit); (*env)->GetByteArrayRegion(env, data, 0, bufferLimit, (jbyte*)dataPtr); @@ -67,35 +68,33 @@ static PAL_SSLStreamStatus Flush(JNIEnv* env, SSLStream* sslStream) free(dataPtr); IGNORE_RETURN((*env)->CallObjectMethod(env, sslStream->netOutBuffer, g_ByteBufferCompact)); - if (CheckJNIExceptions(env)) - return SSLStreamStatus_Error; + ON_EXCEPTION_PRINT_AND_GOTO(cleanup); + + ret = SSLStreamStatus_OK; - return SSLStreamStatus_OK; +cleanup: + (*env)->DeleteLocalRef(env, data); + return ret; } -static jobject EnsureRemaining(JNIEnv* env, SSLStream* sslStream, jobject oldBuffer, int newRemaining) +static jobject ExpandBuffer(JNIEnv* env, jobject oldBuffer, int newCapacity) { - /* - if (oldBuffer.remaining() < newRemaining) { - oldBuffer.flip(); - final ByteBuffer newBuffer = ByteBuffer.allocate(oldBuffer.remaining() + newRemaining); - newBuffer.put(oldBuffer); - return newBuffer; - } else { - return oldBuffer; - } - */ + // oldBuffer.flip(); + // ByteBuffer newBuffer = ByteBuffer.allocate(newCapacity); + // newBuffer.put(oldBuffer); + IGNORE_RETURN((*env)->CallObjectMethod(env, oldBuffer, g_ByteBufferFlip)); + jobject newBuffer = ToGRef(env, (*env)->CallStaticObjectMethod(env, g_ByteBuffer, g_ByteBufferAllocate, newCapacity)); + IGNORE_RETURN((*env)->CallObjectMethod(env, newBuffer, g_ByteBufferPutBuffer, oldBuffer)); + ReleaseGRef(env, oldBuffer); + return newBuffer; +} +static jobject EnsureRemaining(JNIEnv* env, jobject oldBuffer, int newRemaining) +{ int oldRemaining = (*env)->CallIntMethod(env, oldBuffer, g_ByteBufferRemaining); if (oldRemaining < newRemaining) { - IGNORE_RETURN((*env)->CallObjectMethod(env, oldBuffer, g_ByteBufferFlip)); - jobject newBuffer = ToGRef( - env, (*env)->CallStaticObjectMethod(env, g_ByteBuffer, g_ByteBufferAllocate, oldRemaining + newRemaining)); - - IGNORE_RETURN((*env)->CallObjectMethod(env, newBuffer, g_ByteBufferPutBuffer, oldBuffer)); - ReleaseGRef(env, oldBuffer); - return newBuffer; + return ExpandBuffer(env, oldBuffer, oldRemaining + newRemaining); } else { @@ -120,6 +119,8 @@ static PAL_SSLStreamStatus DoWrap(JNIEnv* env, SSLStream* sslStream, int* handsh // SSLEngineResult.Status status = result.getStatus(); *handshakeStatus = GetEnumAsInt(env, (*env)->CallObjectMethod(env, result, g_SSLEngineResultGetHandshakeStatus)); int status = GetEnumAsInt(env, (*env)->CallObjectMethod(env, result, g_SSLEngineResultGetStatus)); + (*env)->DeleteLocalRef(env, result); + switch (status) { case STATUS__OK: @@ -135,9 +136,10 @@ static PAL_SSLStreamStatus DoWrap(JNIEnv* env, SSLStream* sslStream, int* handsh case STATUS__BUFFER_OVERFLOW: { // Expand buffer - // int newRemaining = sslSession.getPacketBufferSize(); - int newRemaining = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize); - sslStream->netOutBuffer = EnsureRemaining(env, sslStream, sslStream->netOutBuffer, newRemaining); + // int newCapacity = sslSession.getPacketBufferSize() + netOutBuffer.remaining(); + int newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize) + + (*env)->CallIntMethod(env, sslStream->netOutBuffer, g_ByteBufferRemaining); + sslStream->netOutBuffer = ExpandBuffer(env, sslStream->netOutBuffer, newCapacity); return SSLStreamStatus_OK; } default: @@ -165,6 +167,7 @@ static PAL_SSLStreamStatus DoUnwrap(JNIEnv* env, SSLStream* sslStream, int* hand PAL_SSLStreamStatus status = sslStream->streamReader(tmpNative, &count); if (status != SSLStreamStatus_OK) { + (*env)->DeleteLocalRef(env, tmp); return status; } @@ -190,6 +193,7 @@ static PAL_SSLStreamStatus DoUnwrap(JNIEnv* env, SSLStream* sslStream, int* hand // SSLEngineResult.Status status = result.getStatus(); *handshakeStatus = GetEnumAsInt(env, (*env)->CallObjectMethod(env, result, g_SSLEngineResultGetHandshakeStatus)); int status = GetEnumAsInt(env, (*env)->CallObjectMethod(env, result, g_SSLEngineResultGetStatus)); + (*env)->DeleteLocalRef(env, result); switch (status) { case STATUS__OK: @@ -205,15 +209,16 @@ static PAL_SSLStreamStatus DoUnwrap(JNIEnv* env, SSLStream* sslStream, int* hand // Expand buffer // int newRemaining = sslSession.getPacketBufferSize(); int newRemaining = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize); - sslStream->netInBuffer = EnsureRemaining(env, sslStream, sslStream->netInBuffer, newRemaining); + sslStream->netInBuffer = EnsureRemaining(env, sslStream->netInBuffer, newRemaining); return SSLStreamStatus_OK; } case STATUS__BUFFER_OVERFLOW: { // Expand buffer - // int newRemaining = sslSession.getApplicationBufferSize(); - int newRemaining = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize); - sslStream->appInBuffer = EnsureRemaining(env, sslStream, sslStream->appInBuffer, newRemaining); + // int newCapacity = sslSession.getApplicationBufferSize() + appInBuffer.remaining(); + int newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize) + + (*env)->CallIntMethod(env, sslStream->appInBuffer, g_ByteBufferRemaining); + sslStream->appInBuffer = ExpandBuffer(env, sslStream->appInBuffer, newCapacity); return SSLStreamStatus_OK; } default: @@ -750,6 +755,53 @@ int32_t AndroidCryptoNative_SSLStreamGetPeerCertificates(SSLStream* sslStream, j return ret; } +static jstring GetSslProtocolAsString(JNIEnv* env, PAL_SslProtocol protocol) +{ + switch (protocol) + { + case PAL_SslProtocol_Ssl3: + return JSTRING("SSLv3"); + case PAL_SslProtocol_Tls10: + return JSTRING("TLSv1"); + case PAL_SslProtocol_Tls11: + return JSTRING("TLSv1.1"); + case PAL_SslProtocol_Tls12: + return JSTRING("TLSv1.2"); + case PAL_SslProtocol_Tls13: + return JSTRING("TLSv1.3"); + default: + LOG_ERROR("Unsupported SslProtocols value: %d", protocol); + return NULL; + } +} + +int32_t AndroidCryptoNative_SSLStreamSetEnabledProtocols(SSLStream* sslStream, PAL_SslProtocol* protocols, int32_t count) +{ + assert(sslStream != NULL); + + JNIEnv* env = GetJNIEnv(); + int32_t ret = FAIL; + + // String[] protocolsArray = new String[count]; + jobjectArray protocolsArray = (*env)->NewObjectArray(env, count, g_String, NULL); + for (int i = 0; i < count; ++i) + { + jstring protocol = GetSslProtocolAsString(env, protocols[i]); + (*env)->SetObjectArrayElement(env, protocolsArray, i, protocol); + (*env)->DeleteLocalRef(env, protocol); + } + + // sslEngine.setEnabledProtocols(protocolsArray); + (*env)->CallVoidMethod(env, sslStream->sslEngine, g_SSLEngineSetEnabledProtocols, protocolsArray); + ON_EXCEPTION_PRINT_AND_GOTO(cleanup); + + ret = SUCCESS; + +cleanup: + (*env)->DeleteLocalRef(env, protocolsArray); + return ret; +} + bool AndroidCryptoNative_SSLStreamVerifyHostname(SSLStream* sslStream, char* hostname) { assert(sslStream != NULL); diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h index afe966935c9484..fb0b6fca41aefd 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h @@ -6,6 +6,8 @@ #include "pal_jni.h" #include "pal_x509.h" +#include + typedef void (*STREAM_WRITER)(uint8_t*, int32_t); typedef int (*STREAM_READER)(uint8_t*, int32_t*); @@ -141,6 +143,15 @@ PALEXPORT int32_t AndroidCryptoNative_SSLStreamGetPeerCertificates(SSLStream* ss jobject** /*X509Certificate[]*/ out, int* outLen); +/* +Set enabled protocols + - protocols : array of protocols to enable + - count : number of elements in protocols + +Returns 1 on success, 0 otherwise +*/ +PALEXPORT int32_t AndroidCryptoNative_SSLStreamSetEnabledProtocols(SSLStream* sslStream, PAL_SslProtocol* protocols, int32_t count); + /* Verify hostname using the peer certificate for the current session diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.h index 518ef35c67f388..8c3b61d530f833 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.h +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.h @@ -4,6 +4,7 @@ #pragma once #include "pal_compiler.h" +#include #include #include @@ -27,18 +28,6 @@ enum }; typedef int32_t PAL_TlsIo; -enum -{ - PAL_SslProtocol_None = 0, - PAL_SslProtocol_Ssl2 = 12, - PAL_SslProtocol_Ssl3 = 48, - PAL_SslProtocol_Tls10 = 192, - PAL_SslProtocol_Tls11 = 768, - PAL_SslProtocol_Tls12 = 3072, - PAL_SslProtocol_Tls13 = 12288, -}; -typedef int32_t PAL_SslProtocol; - /* Create an SSL context, for the Server or Client role as determined by isServer. diff --git a/src/libraries/System.Net.Security/src/Resources/Strings.resx b/src/libraries/System.Net.Security/src/Resources/Strings.resx index 74c7555633d2a2..cf50b284e6f4f9 100644 --- a/src/libraries/System.Net.Security/src/Resources/Strings.resx +++ b/src/libraries/System.Net.Security/src/Resources/Strings.resx @@ -422,6 +422,9 @@ The requested combination of SslProtocols ({0}) is not valid for this platform because it skips intermediate versions. + + The requested SslProtocols ({0}) are not supported on this platform. + The '{0}' encryption policy is not supported on this platform. diff --git a/src/libraries/System.Net.Security/src/System.Net.Security.csproj b/src/libraries/System.Net.Security/src/System.Net.Security.csproj index be5811068e77db..69f7d83079a3dd 100644 --- a/src/libraries/System.Net.Security/src/System.Net.Security.csproj +++ b/src/libraries/System.Net.Security/src/System.Net.Security.csproj @@ -335,11 +335,14 @@ Link="Common\Interop\Android\Interop.JObjectLifetime.cs" /> + + @@ -373,6 +376,7 @@ Link="Common\Microsoft\Win32\SafeHandles\SafeCreateHandle.OSX.cs" /> + diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs index 776bd6358ca7db..79f2afbb61df29 100644 --- a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs +++ b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs @@ -18,6 +18,17 @@ namespace System.Net internal sealed class SafeDeleteSslContext : SafeDeleteContext { private const int InitialBufferSize = 2048; + private static readonly SslProtocols[] s_orderedSslProtocols = new SslProtocols[] + { +#pragma warning disable 0618 // 'SslProtocols.Ssl3' is obsolete + SslProtocols.Ssl3, +#pragma warning restore 0618 + SslProtocols.Tls, + SslProtocols.Tls11, + SslProtocols.Tls12, + SslProtocols.Tls13, + }; + private static readonly Lazy s_supportedSslProtocols = new Lazy(Interop.AndroidCrypto.SSLGetSupportedProtocols); private readonly SafeSslHandle _sslContext; private readonly Interop.AndroidCrypto.SSLReadCallback _readCallback; @@ -198,7 +209,6 @@ private static void InitializeSslContext( if (authOptions.ApplicationProtocols != null || authOptions.CipherSuitesPolicy != null - || credential.Protocols != SslProtocols.None || (isServer && authOptions.RemoteCertRequired)) { // TODO: [AndroidCrypto] Handle non-system-default options @@ -207,6 +217,18 @@ private static void InitializeSslContext( Interop.AndroidCrypto.SSLStreamInitialize(handle, isServer, readCallback, writeCallback, InitialBufferSize); + if (credential.Protocols != SslProtocols.None) + {; + SslProtocols protocolsToEnable = credential.Protocols & s_supportedSslProtocols.Value; + if (protocolsToEnable == 0) + { + throw new PlatformNotSupportedException(SR.Format(SR.net_security_sslprotocol_notsupported, credential.Protocols)); + } + + (int minIndex, int maxIndex) = protocolsToEnable.ValidateContiguous(s_orderedSslProtocols); + Interop.AndroidCrypto.SSLStreamSetEnabledProtocols(handle, s_orderedSslProtocols.AsSpan(minIndex, maxIndex - minIndex + 1)); + } + if (!isServer && !string.IsNullOrEmpty(authOptions.TargetHost)) { Interop.AndroidCrypto.SSLStreamConfigureParameters(handle, authOptions.TargetHost); diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Managed/SslProtocolsValidation.cs b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Managed/SslProtocolsValidation.cs new file mode 100644 index 00000000000000..8343f88f2a603c --- /dev/null +++ b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Managed/SslProtocolsValidation.cs @@ -0,0 +1,75 @@ +// Licensed to the .NET Foundation under one or more agreements. +// The .NET Foundation licenses this file to you under the MIT license. + +using System.Security.Authentication; + +namespace System.Net +{ + internal static class SslProtocolsValidation + { + public static (int MinIndex, int MaxIndex) ValidateContiguous(this SslProtocols protocols, SslProtocols[] orderedSslProtocols) + { + // A contiguous range of protocols is required. Find the min and max of the range, + // or throw if it's non-contiguous or if no protocols are specified. + + // First, mark all of the specified protocols. + Span protocolSet = stackalloc bool[orderedSslProtocols.Length]; + for (int i = 0; i < orderedSslProtocols.Length; i++) + { + protocolSet[i] = (protocols & orderedSslProtocols[i]) != 0; + } + + int minIndex = -1; + int maxIndex = -1; + + // Loop through them, starting from the lowest. + for (int min = 0; min < protocolSet.Length; min++) + { + if (protocolSet[min]) + { + // We found the first one that's set; that's the bottom of the range. + minIndex = min; + + // Now loop from there to look for the max of the range. + for (int max = min + 1; max < protocolSet.Length; max++) + { + if (!protocolSet[max]) + { + // We found the first one after the min that's not set; the top of the range + // is the one before this (which might be the same as the min). + maxIndex = max - 1; + + // Finally, verify that nothing beyond this one is set, as that would be + // a discontiguous set of protocols. + for (int verifyNotSet = max + 1; verifyNotSet < protocolSet.Length; verifyNotSet++) + { + if (protocolSet[verifyNotSet]) + { + throw new PlatformNotSupportedException(SR.Format(SR.net_security_sslprotocol_contiguous, protocols)); + } + } + + break; + } + } + + break; + } + } + + // If no protocols were set, throw. + if (minIndex == -1) + { + throw new PlatformNotSupportedException(SR.net_securityprotocolnotsupported); + } + + // If we didn't find an unset protocol after the min, go all the way to the last one. + if (maxIndex == -1) + { + maxIndex = orderedSslProtocols.Length - 1; + } + + return (minIndex, maxIndex); + } + } +} diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs index 44fc356c33668a..44c8757c51e82a 100644 --- a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs +++ b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs @@ -272,68 +272,11 @@ internal int ReadPendingWrites(byte[] buf, int offset, int count) private static void SetProtocols(SafeSslHandle sslContext, SslProtocols protocols) { - // A contiguous range of protocols is required. Find the min and max of the range, - // or throw if it's non-contiguous or if no protocols are specified. + (int minIndex, int maxIndex) = protocols.ValidateContiguous(s_orderedSslProtocols); + SslProtocols minProtocolId = s_orderedSslProtocols[minIndex]; + SslProtocols maxProtocolId = s_orderedSslProtocols[maxIndex]; - // First, mark all of the specified protocols. - SslProtocols[] orderedSslProtocols = s_orderedSslProtocols; - Span protocolSet = stackalloc bool[orderedSslProtocols.Length]; - for (int i = 0; i < orderedSslProtocols.Length; i++) - { - protocolSet[i] = (protocols & orderedSslProtocols[i]) != 0; - } - - SslProtocols minProtocolId = (SslProtocols)(-1); - SslProtocols maxProtocolId = (SslProtocols)(-1); - - // Loop through them, starting from the lowest. - for (int min = 0; min < protocolSet.Length; min++) - { - if (protocolSet[min]) - { - // We found the first one that's set; that's the bottom of the range. - minProtocolId = orderedSslProtocols[min]; - - // Now loop from there to look for the max of the range. - for (int max = min + 1; max < protocolSet.Length; max++) - { - if (!protocolSet[max]) - { - // We found the first one after the min that's not set; the top of the range - // is the one before this (which might be the same as the min). - maxProtocolId = orderedSslProtocols[max - 1]; - - // Finally, verify that nothing beyond this one is set, as that would be - // a discontiguous set of protocols. - for (int verifyNotSet = max + 1; verifyNotSet < protocolSet.Length; verifyNotSet++) - { - if (protocolSet[verifyNotSet]) - { - throw new PlatformNotSupportedException(SR.Format(SR.net_security_sslprotocol_contiguous, protocols)); - } - } - - break; - } - } - - break; - } - } - - // If no protocols were set, throw. - if (minProtocolId == (SslProtocols)(-1)) - { - throw new PlatformNotSupportedException(SR.net_securityprotocolnotsupported); - } - - // If we didn't find an unset protocol after the min, go all the way to the last one. - if (maxProtocolId == (SslProtocols)(-1)) - { - maxProtocolId = orderedSslProtocols[orderedSslProtocols.Length - 1]; - } - - // Finally set this min and max. + // Set the min and max. Interop.AppleCrypto.SslSetMinProtocolVersion(sslContext, minProtocolId); Interop.AppleCrypto.SslSetMaxProtocolVersion(sslContext, maxProtocolId); } diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Android.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Android.cs index 9635907c86f0b3..46024d39abe94c 100644 --- a/src/libraries/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Android.cs +++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Android.cs @@ -14,8 +14,7 @@ public SslConnectionInfo(SafeSslHandle sslContext) string protocolString = Interop.AndroidCrypto.SSLStreamGetProtocol(sslContext); SslProtocols protocol = protocolString switch { -#pragma warning disable 0618 // Ssl2 and Ssl3 are deprecated. - "SSLv2" => SslProtocols.Ssl2, +#pragma warning disable 0618 // 'SslProtocols.Ssl3' is obsolete "SSLv3" => SslProtocols.Ssl3, #pragma warning restore "TLSv1" => SslProtocols.Tls, From d0f1f225a0b0e7dec22c9e7b2af01869c4d6e2e6 Mon Sep 17 00:00:00 2001 From: Elinor Fung Date: Thu, 8 Apr 2021 20:09:24 -0700 Subject: [PATCH 2/7] Throw PNSE for EncryptionPolicy.NoEncryption --- .../Net/Security/Pal.Android/SafeDeleteSslContext.cs | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs index 79f2afbb61df29..c7d70b2fc05a95 100644 --- a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs +++ b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs @@ -205,6 +205,15 @@ private static void InitializeSslContext( SafeFreeSslCredentials credential, SslAuthenticationOptions authOptions) { + switch (credential.Policy) + { + case EncryptionPolicy.RequireEncryption: + case EncryptionPolicy.AllowNoEncryption: + break; + default: + throw new PlatformNotSupportedException(SR.Format(SR.net_encryptionpolicy_notsupported, credential.Policy)); + } + bool isServer = authOptions.IsServer; if (authOptions.ApplicationProtocols != null From b106226021c0ab4084a4e42c449bad58d9c42b6d Mon Sep 17 00:00:00 2001 From: Elinor Fung Date: Thu, 8 Apr 2021 20:22:55 -0700 Subject: [PATCH 3/7] Update test utilities to check SslProtocols support on Android --- .../System/PlatformDetection.Unix.cs | 2 +- .../TestUtilities/System/PlatformDetection.cs | 19 ++++++++++++++++++- .../tests/TestUtilities/TestUtilities.csproj | 7 ++++++- .../FunctionalTests/TestConfiguration.cs | 4 ++-- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.Unix.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.Unix.cs index c9603889017322..73dff40f517dce 100644 --- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.Unix.cs +++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.Unix.cs @@ -52,7 +52,7 @@ public static partial class PlatformDetection public static bool IsSuperUser => IsBrowser || IsWindows ? false : libc.geteuid() == 0; - public static Version OpenSslVersion => !IsOSXLike && !IsWindows ? + public static Version OpenSslVersion => !IsOSXLike && !IsWindows && !IsAndroid ? GetOpenSslVersion() : throw new PlatformNotSupportedException(); diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs index 75879136f3291a..941e530908b054 100644 --- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs +++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs @@ -85,7 +85,7 @@ public static bool IsDrawingSupported } } - + public static bool IsLineNumbersSupported => true; public static bool IsInContainer => GetIsInContainer(); @@ -281,6 +281,12 @@ private static bool GetSsl3Support() // Alternatively the returned values must have been some other types. return !IsWindows10Version2004OrGreater; } + else if (IsAndroid) + { +#pragma warning disable 0618 // 'SslProtocols.Ssl3' is obsolete + return AndroidGetSslProtocolSupport(SslProtocols.Ssl3); +#pragma warning restore 0618 + } return (IsOSX || (IsLinux && OpenSslVersion < new Version(1, 0, 2) && !IsDebian)); } @@ -293,6 +299,13 @@ private static bool OpenSslGetTlsSupport(SslProtocols protocol) return ret == 1; } + private static readonly Lazy s_androidSupportedSslProtocols = new Lazy(Interop.AndroidCrypto.SSLGetSupportedProtocols); + private static bool AndroidGetSslProtocolSupport(SslProtocols protocol) + { + Debug.Assert(IsAndroid); + return (protocol & s_androidSupportedSslProtocols.Value) == protocol; + } + private static bool GetTls10Support() { // on Windows, macOS, and Android TLS1.0/1.1 are supported. @@ -359,6 +372,10 @@ private static bool GetTls13Support() // [ActiveIssue("https://github.com/dotnet/runtime/issues/1979")] return false; } + else if (IsAndroid) + { + return AndroidGetSslProtocolSupport(SslProtocols.Tls13); + } else if (IsOpenSslSupported) { // Covers Linux, FreeBSD, illumos and Solaris diff --git a/src/libraries/Common/tests/TestUtilities/TestUtilities.csproj b/src/libraries/Common/tests/TestUtilities/TestUtilities.csproj index 3e6464239d718c..f0b1b772e27771 100644 --- a/src/libraries/Common/tests/TestUtilities/TestUtilities.csproj +++ b/src/libraries/Common/tests/TestUtilities/TestUtilities.csproj @@ -28,7 +28,7 @@ - @@ -66,6 +66,11 @@ + + + + diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs index ecfba44a860a48..a7dbdc9451ea4b 100644 --- a/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs +++ b/src/libraries/System.Net.Security/tests/FunctionalTests/TestConfiguration.cs @@ -41,8 +41,8 @@ public static Task WhenAllOrAnyFailedWithTimeout(params Task[] tasks) return true; } - // On macOS, the null cipher (no encryption) is not supported. - if (OperatingSystem.IsMacOS()) + // On macOS and Android, the null cipher (no encryption) is not supported. + if (OperatingSystem.IsMacOS() || OperatingSystem.IsAndroid()) { return false; } From af2b4059e06101aad7bbb4e2b2d3c7f727e1e025 Mon Sep 17 00:00:00 2001 From: Elinor Fung Date: Thu, 8 Apr 2021 22:28:48 -0700 Subject: [PATCH 4/7] PR feedback --- .../pal_ssl.c | 6 +-- .../pal_sslstream.c | 38 +++++++++---------- .../pal_sslstream.h | 12 +++--- .../pal_x509store.c | 2 +- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c index dd0b840e57c128..7b61a007990202 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c @@ -17,10 +17,10 @@ PAL_SslProtocol AndroidCryptoNative_SSLGetSupportedProtocols(void) loc[protocols] = (*env)->CallObjectMethod(env, loc[params], g_SSLParametersGetProtocols); const char tlsv1[] = "TLSv1"; - size_t tlsv1Len = (sizeof(tlsv1) - 1) / sizeof(char); + size_t tlsv1Len = (sizeof(tlsv1) / sizeof(*tlsv1)) - 1; - int count = (*env)->GetArrayLength(env, loc[protocols]); - for (int i = 0; i < count; i++) + jsize count = (*env)->GetArrayLength(env, loc[protocols]); + for (int32_t i = 0; i < count; i++) { jstring protocol = (*env)->GetObjectArrayElement(env, loc[protocols], i); const char* protocolStr = (*env)->GetStringUTFChars(env, protocol, NULL); diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c index 7352a30d81f3ed..5c42d4455d9aa8 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c @@ -56,7 +56,7 @@ static PAL_SSLStreamStatus Flush(JNIEnv* env, SSLStream* sslStream) PAL_SSLStreamStatus ret = SSLStreamStatus_Error; IGNORE_RETURN((*env)->CallObjectMethod(env, sslStream->netOutBuffer, g_ByteBufferFlip)); - int bufferLimit = (*env)->CallIntMethod(env, sslStream->netOutBuffer, g_ByteBufferLimit); + int32_t bufferLimit = (*env)->CallIntMethod(env, sslStream->netOutBuffer, g_ByteBufferLimit); jbyteArray data = (*env)->NewByteArray(env, bufferLimit); IGNORE_RETURN((*env)->CallObjectMethod(env, sslStream->netOutBuffer, g_ByteBufferGet, data)); @@ -77,7 +77,7 @@ static PAL_SSLStreamStatus Flush(JNIEnv* env, SSLStream* sslStream) return ret; } -static jobject ExpandBuffer(JNIEnv* env, jobject oldBuffer, int newCapacity) +static jobject ExpandBuffer(JNIEnv* env, jobject oldBuffer, int32_t newCapacity) { // oldBuffer.flip(); // ByteBuffer newBuffer = ByteBuffer.allocate(newCapacity); @@ -89,9 +89,9 @@ static jobject ExpandBuffer(JNIEnv* env, jobject oldBuffer, int newCapacity) return newBuffer; } -static jobject EnsureRemaining(JNIEnv* env, jobject oldBuffer, int newRemaining) +static jobject EnsureRemaining(JNIEnv* env, jobject oldBuffer, int32_t newRemaining) { - int oldRemaining = (*env)->CallIntMethod(env, oldBuffer, g_ByteBufferRemaining); + int32_t oldRemaining = (*env)->CallIntMethod(env, oldBuffer, g_ByteBufferRemaining); if (oldRemaining < newRemaining) { return ExpandBuffer(env, oldBuffer, oldRemaining + newRemaining); @@ -137,7 +137,7 @@ static PAL_SSLStreamStatus DoWrap(JNIEnv* env, SSLStream* sslStream, int* handsh { // Expand buffer // int newCapacity = sslSession.getPacketBufferSize() + netOutBuffer.remaining(); - int newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize) + int32_t newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize) + (*env)->CallIntMethod(env, sslStream->netOutBuffer, g_ByteBufferRemaining); sslStream->netOutBuffer = ExpandBuffer(env, sslStream->netOutBuffer, newCapacity); return SSLStreamStatus_OK; @@ -208,7 +208,7 @@ static PAL_SSLStreamStatus DoUnwrap(JNIEnv* env, SSLStream* sslStream, int* hand { // Expand buffer // int newRemaining = sslSession.getPacketBufferSize(); - int newRemaining = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize); + int32_t newRemaining = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize); sslStream->netInBuffer = EnsureRemaining(env, sslStream->netInBuffer, newRemaining); return SSLStreamStatus_OK; } @@ -216,7 +216,7 @@ static PAL_SSLStreamStatus DoUnwrap(JNIEnv* env, SSLStream* sslStream, int* hand { // Expand buffer // int newCapacity = sslSession.getApplicationBufferSize() + appInBuffer.remaining(); - int newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize) + int32_t newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize) + (*env)->CallIntMethod(env, sslStream->appInBuffer, g_ByteBufferRemaining); sslStream->appInBuffer = ExpandBuffer(env, sslStream->appInBuffer, newCapacity); return SSLStreamStatus_OK; @@ -332,7 +332,7 @@ static int32_t AddCertChainToStore( // X509Certificate[] certArray = new X509Certificate[certsLen]; loc[certArray] = (*env)->NewObjectArray(env, certsLen, g_X509CertClass, NULL); - for (int i = 0; i < certsLen; ++i) + for (int32_t i = 0; i < certsLen; ++i) { (*env)->SetObjectArrayElement(env, loc[certArray], i, certs[i]); ON_EXCEPTION_PRINT_AND_GOTO(cleanup); @@ -414,7 +414,7 @@ int32_t AndroidCryptoNative_SSLStreamInitialize(SSLStream* sslStream, bool isServer, STREAM_READER streamReader, STREAM_WRITER streamWriter, - int appBufferSize) + int32_t appBufferSize) { assert(sslStream != NULL); assert(sslStream->sslContext != NULL); @@ -437,14 +437,14 @@ int32_t AndroidCryptoNative_SSLStreamInitialize(SSLStream* sslStream, // int applicationBufferSize = sslSession.getApplicationBufferSize(); // int packetBufferSize = sslSession.getPacketBufferSize(); - int applicationBufferSize = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize); - int packetBufferSize = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize); + int32_t applicationBufferSize = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize); + int32_t packetBufferSize = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize); // ByteBuffer appInBuffer = ByteBuffer.allocate(Math.max(applicationBufferSize, appBufferSize)); // ByteBuffer appOutBuffer = ByteBuffer.allocate(appBufferSize); // ByteBuffer netOutBuffer = ByteBuffer.allocate(packetBufferSize); // ByteBuffer netInBuffer = ByteBuffer.allocate(packetBufferSize); - int appInBufferSize = applicationBufferSize > appBufferSize ? applicationBufferSize : appBufferSize; + int32_t appInBufferSize = applicationBufferSize > appBufferSize ? applicationBufferSize : appBufferSize; sslStream->appInBuffer = ToGRef(env, (*env)->CallStaticObjectMethod(env, g_ByteBuffer, g_ByteBufferAllocate, appInBufferSize)); sslStream->appOutBuffer = @@ -512,7 +512,7 @@ PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamHandshake(SSLStream* sslStream) return DoHandshake(env, sslStream); } -PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamRead(SSLStream* sslStream, uint8_t* buffer, int length, int* read) +PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamRead(SSLStream* sslStream, uint8_t* buffer, int32_t length, int32_t* read) { assert(sslStream != NULL); assert(read != NULL); @@ -540,7 +540,7 @@ PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamRead(SSLStream* sslStream, uint */ IGNORE_RETURN((*env)->CallObjectMethod(env, sslStream->appInBuffer, g_ByteBufferFlip)); - int rem = (*env)->CallIntMethod(env, sslStream->appInBuffer, g_ByteBufferRemaining); + int32_t rem = (*env)->CallIntMethod(env, sslStream->appInBuffer, g_ByteBufferRemaining); if (rem == 0) { IGNORE_RETURN((*env)->CallObjectMethod(env, sslStream->appInBuffer, g_ByteBufferCompact)); @@ -586,7 +586,7 @@ PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamRead(SSLStream* sslStream, uint return ret; } -PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamWrite(SSLStream* sslStream, uint8_t* buffer, int length) +PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamWrite(SSLStream* sslStream, uint8_t* buffer, int32_t length) { assert(sslStream != NULL); @@ -621,7 +621,7 @@ void AndroidCryptoNative_SSLStreamRelease(SSLStream* sslStream) FreeSSLStream(env, sslStream); } -int32_t AndroidCryptoNative_SSLStreamGetApplicationProtocol(SSLStream* sslStream, uint8_t* out, int* outLen) +int32_t AndroidCryptoNative_SSLStreamGetApplicationProtocol(SSLStream* sslStream, uint8_t* out, int32_t* outLen) { assert(sslStream != NULL); @@ -720,7 +720,7 @@ int32_t AndroidCryptoNative_SSLStreamGetPeerCertificate(SSLStream* sslStream, jo return ret; } -int32_t AndroidCryptoNative_SSLStreamGetPeerCertificates(SSLStream* sslStream, jobject** out, int* outLen) +int32_t AndroidCryptoNative_SSLStreamGetPeerCertificates(SSLStream* sslStream, jobject** out, int32_t* outLen) { assert(sslStream != NULL); assert(out != NULL); @@ -741,7 +741,7 @@ int32_t AndroidCryptoNative_SSLStreamGetPeerCertificates(SSLStream* sslStream, j if (len > 0) { *out = malloc(sizeof(jobject) * (size_t)len); - for (int i = 0; i < len; i++) + for (int32_t i = 0; i < len; i++) { jobject cert = (*env)->GetObjectArrayElement(env, certs, i); (*out)[i] = ToGRef(env, cert); @@ -784,7 +784,7 @@ int32_t AndroidCryptoNative_SSLStreamSetEnabledProtocols(SSLStream* sslStream, P // String[] protocolsArray = new String[count]; jobjectArray protocolsArray = (*env)->NewObjectArray(env, count, g_String, NULL); - for (int i = 0; i < count; ++i) + for (int32_t i = 0; i < count; ++i) { jstring protocol = GetSslProtocolAsString(env, protocols[i]); (*env)->SetObjectArrayElement(env, protocolsArray, i, protocol); diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h index fb0b6fca41aefd..b2049fef0be8f5 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h @@ -62,7 +62,7 @@ PALEXPORT int32_t AndroidCryptoNative_SSLStreamInitialize(SSLStream* sslStream, bool isServer, STREAM_READER streamReader, STREAM_WRITER streamWriter, - int appBufferSize); + int32_t appBufferSize); /* Set configuration parameters @@ -87,8 +87,8 @@ Unless data from a previous incomplete read is present, this will invoke the STR */ PALEXPORT PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamRead(SSLStream* sslStream, uint8_t* buffer, - int length, - int* read); + int32_t length, + int32_t* read); /* Encodes bytes from a buffer - buffer : data to encode @@ -96,7 +96,7 @@ Encodes bytes from a buffer This will invoke the STREAM_WRITER callback with the processed data. */ -PALEXPORT PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamWrite(SSLStream* sslStream, uint8_t* buffer, int length); +PALEXPORT PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamWrite(SSLStream* sslStream, uint8_t* buffer, int32_t length); /* Release the SSL context @@ -108,7 +108,7 @@ Get the negotiated application protocol for the current session Returns 1 on success, 0 otherwise */ -PALEXPORT int32_t AndroidCryptoNative_SSLStreamGetApplicationProtocol(SSLStream* sslStream, uint8_t* out, int* outLen); +PALEXPORT int32_t AndroidCryptoNative_SSLStreamGetApplicationProtocol(SSLStream* sslStream, uint8_t* out, int32_t* outLen); /* Get the name of the cipher suite for the current session @@ -141,7 +141,7 @@ Returns 1 on success, 0 otherwise */ PALEXPORT int32_t AndroidCryptoNative_SSLStreamGetPeerCertificates(SSLStream* sslStream, jobject** /*X509Certificate[]*/ out, - int* outLen); + int32_t* outLen); /* Set enabled protocols diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_x509store.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_x509store.c index 64b839d2018d3b..9724e8af2f4afa 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_x509store.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_x509store.c @@ -329,7 +329,7 @@ int32_t AndroidCryptoNative_X509StoreEnumerateCertificates(jobject /*KeyStore*/ static bool SystemAliasFilter(JNIEnv* env, jstring alias) { const char systemPrefix[] = "system:"; - size_t prefixLen = (sizeof(systemPrefix) - 1) / sizeof(char); + size_t prefixLen = (sizeof(systemPrefix) / sizeof(*systemPrefix)) - 1; const char* aliasPtr = (*env)->GetStringUTFChars(env, alias, NULL); bool isSystem = (strncmp(aliasPtr, systemPrefix, prefixLen) == 0); From 4743859513dfb0792c679aadb3c9b5db9c0f5464 Mon Sep 17 00:00:00 2001 From: Elinor Fung Date: Thu, 8 Apr 2021 22:31:53 -0700 Subject: [PATCH 5/7] Run clang-format --- .../pal_sslstream.c | 55 +++++++++++-------- .../pal_sslstream.h | 23 +++++--- 2 files changed, 45 insertions(+), 33 deletions(-) diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c index 5c42d4455d9aa8..2ef7c282367808 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c @@ -83,7 +83,8 @@ static jobject ExpandBuffer(JNIEnv* env, jobject oldBuffer, int32_t newCapacity) // ByteBuffer newBuffer = ByteBuffer.allocate(newCapacity); // newBuffer.put(oldBuffer); IGNORE_RETURN((*env)->CallObjectMethod(env, oldBuffer, g_ByteBufferFlip)); - jobject newBuffer = ToGRef(env, (*env)->CallStaticObjectMethod(env, g_ByteBuffer, g_ByteBufferAllocate, newCapacity)); + jobject newBuffer = + ToGRef(env, (*env)->CallStaticObjectMethod(env, g_ByteBuffer, g_ByteBufferAllocate, newCapacity)); IGNORE_RETURN((*env)->CallObjectMethod(env, newBuffer, g_ByteBufferPutBuffer, oldBuffer)); ReleaseGRef(env, oldBuffer); return newBuffer; @@ -137,8 +138,8 @@ static PAL_SSLStreamStatus DoWrap(JNIEnv* env, SSLStream* sslStream, int* handsh { // Expand buffer // int newCapacity = sslSession.getPacketBufferSize() + netOutBuffer.remaining(); - int32_t newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize) - + (*env)->CallIntMethod(env, sslStream->netOutBuffer, g_ByteBufferRemaining); + int32_t newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize) + + (*env)->CallIntMethod(env, sslStream->netOutBuffer, g_ByteBufferRemaining); sslStream->netOutBuffer = ExpandBuffer(env, sslStream->netOutBuffer, newCapacity); return SSLStreamStatus_OK; } @@ -216,8 +217,9 @@ static PAL_SSLStreamStatus DoUnwrap(JNIEnv* env, SSLStream* sslStream, int* hand { // Expand buffer // int newCapacity = sslSession.getApplicationBufferSize() + appInBuffer.remaining(); - int32_t newCapacity = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize) - + (*env)->CallIntMethod(env, sslStream->appInBuffer, g_ByteBufferRemaining); + int32_t newCapacity = + (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize) + + (*env)->CallIntMethod(env, sslStream->appInBuffer, g_ByteBufferRemaining); sslStream->appInBuffer = ExpandBuffer(env, sslStream->appInBuffer, newCapacity); return SSLStreamStatus_OK; } @@ -291,14 +293,13 @@ SSLStream* AndroidCryptoNative_SSLStreamCreate(void) return sslStream; } -static int32_t AddCertChainToStore( - JNIEnv* env, - jobject store, - uint8_t* pkcs8PrivateKey, - int32_t pkcs8PrivateKeyLen, - PAL_KeyAlgorithm algorithm, - jobject* /*X509Certificate[]*/ certs, - int32_t certsLen) +static int32_t AddCertChainToStore(JNIEnv* env, + jobject store, + uint8_t* pkcs8PrivateKey, + int32_t pkcs8PrivateKeyLen, + PAL_KeyAlgorithm algorithm, + jobject* /*X509Certificate[]*/ certs, + int32_t certsLen) { int32_t ret = FAIL; INIT_LOCALS(loc, keyBytes, keySpec, algorithmName, keyFactory, privateKey, certArray, alias); @@ -327,7 +328,8 @@ static int32_t AddCertChainToStore( // KeyFactory keyFactory = KeyFactory.getInstance(algorithmName); // PrivateKey privateKey = keyFactory.generatePrivate(spec); - loc[keyFactory] = (*env)->CallStaticObjectMethod(env, g_KeyFactoryClass, g_KeyFactoryGetInstanceMethod, loc[algorithmName]); + loc[keyFactory] = + (*env)->CallStaticObjectMethod(env, g_KeyFactoryClass, g_KeyFactoryGetInstanceMethod, loc[algorithmName]); loc[privateKey] = (*env)->CallObjectMethod(env, loc[keyFactory], g_KeyFactoryGenPrivateMethod, loc[keySpec]); // X509Certificate[] certArray = new X509Certificate[certsLen]; @@ -350,7 +352,11 @@ static int32_t AddCertChainToStore( return ret; } -SSLStream* AndroidCryptoNative_SSLStreamCreateWithCertificates(uint8_t* pkcs8PrivateKey, int32_t pkcs8PrivateKeyLen, PAL_KeyAlgorithm algorithm, jobject* /*X509Certificate[]*/ certs, int32_t certsLen) +SSLStream* AndroidCryptoNative_SSLStreamCreateWithCertificates(uint8_t* pkcs8PrivateKey, + int32_t pkcs8PrivateKeyLen, + PAL_KeyAlgorithm algorithm, + jobject* /*X509Certificate[]*/ certs, + int32_t certsLen) { SSLStream* sslStream = NULL; JNIEnv* env = GetJNIEnv(); @@ -379,7 +385,8 @@ SSLStream* AndroidCryptoNative_SSLStreamCreateWithCertificates(uint8_t* pkcs8Pri (*env)->CallVoidMethod(env, loc[keyStore], g_KeyStoreLoad, NULL, NULL); ON_EXCEPTION_PRINT_AND_GOTO(cleanup); - int32_t status = AddCertChainToStore(env, loc[keyStore], pkcs8PrivateKey, pkcs8PrivateKeyLen, algorithm, certs, certsLen); + int32_t status = + AddCertChainToStore(env, loc[keyStore], pkcs8PrivateKey, pkcs8PrivateKeyLen, algorithm, certs, certsLen); if (status != SUCCESS) goto cleanup; @@ -410,11 +417,8 @@ SSLStream* AndroidCryptoNative_SSLStreamCreateWithCertificates(uint8_t* pkcs8Pri return sslStream; } -int32_t AndroidCryptoNative_SSLStreamInitialize(SSLStream* sslStream, - bool isServer, - STREAM_READER streamReader, - STREAM_WRITER streamWriter, - int32_t appBufferSize) +int32_t AndroidCryptoNative_SSLStreamInitialize( + SSLStream* sslStream, bool isServer, STREAM_READER streamReader, STREAM_WRITER streamWriter, int32_t appBufferSize) { assert(sslStream != NULL); assert(sslStream->sslContext != NULL); @@ -437,7 +441,8 @@ int32_t AndroidCryptoNative_SSLStreamInitialize(SSLStream* sslStream, // int applicationBufferSize = sslSession.getApplicationBufferSize(); // int packetBufferSize = sslSession.getPacketBufferSize(); - int32_t applicationBufferSize = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize); + int32_t applicationBufferSize = + (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetApplicationBufferSize); int32_t packetBufferSize = (*env)->CallIntMethod(env, sslStream->sslSession, g_SSLSessionGetPacketBufferSize); // ByteBuffer appInBuffer = ByteBuffer.allocate(Math.max(applicationBufferSize, appBufferSize)); @@ -512,7 +517,8 @@ PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamHandshake(SSLStream* sslStream) return DoHandshake(env, sslStream); } -PAL_SSLStreamStatus AndroidCryptoNative_SSLStreamRead(SSLStream* sslStream, uint8_t* buffer, int32_t length, int32_t* read) +PAL_SSLStreamStatus +AndroidCryptoNative_SSLStreamRead(SSLStream* sslStream, uint8_t* buffer, int32_t length, int32_t* read) { assert(sslStream != NULL); assert(read != NULL); @@ -775,7 +781,8 @@ static jstring GetSslProtocolAsString(JNIEnv* env, PAL_SslProtocol protocol) } } -int32_t AndroidCryptoNative_SSLStreamSetEnabledProtocols(SSLStream* sslStream, PAL_SslProtocol* protocols, int32_t count) +int32_t +AndroidCryptoNative_SSLStreamSetEnabledProtocols(SSLStream* sslStream, PAL_SslProtocol* protocols, int32_t count) { assert(sslStream != NULL); diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h index b2049fef0be8f5..fadd70ae15577c 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.h @@ -9,7 +9,7 @@ #include typedef void (*STREAM_WRITER)(uint8_t*, int32_t); -typedef int (*STREAM_READER)(uint8_t*, int32_t*); +typedef int32_t (*STREAM_READER)(uint8_t*, int32_t*); typedef struct SSLStream { @@ -47,7 +47,11 @@ Create an SSL context with the specified certificates Returns NULL on failure */ -PALEXPORT SSLStream* AndroidCryptoNative_SSLStreamCreateWithCertificates(uint8_t* pkcs8PrivateKey, int32_t pkcs8PrivateKeyLen, PAL_KeyAlgorithm algorithm, jobject* /*X509Certificate[]*/ certs, int32_t certsLen); +PALEXPORT SSLStream* AndroidCryptoNative_SSLStreamCreateWithCertificates(uint8_t* pkcs8PrivateKey, + int32_t pkcs8PrivateKeyLen, + PAL_KeyAlgorithm algorithm, + jobject* /*X509Certificate[]*/ certs, + int32_t certsLen); /* Initialize an SSL context @@ -58,11 +62,8 @@ Initialize an SSL context Returns 1 on success, 0 otherwise */ -PALEXPORT int32_t AndroidCryptoNative_SSLStreamInitialize(SSLStream* sslStream, - bool isServer, - STREAM_READER streamReader, - STREAM_WRITER streamWriter, - int32_t appBufferSize); +PALEXPORT int32_t AndroidCryptoNative_SSLStreamInitialize( + SSLStream* sslStream, bool isServer, STREAM_READER streamReader, STREAM_WRITER streamWriter, int32_t appBufferSize); /* Set configuration parameters @@ -108,7 +109,9 @@ Get the negotiated application protocol for the current session Returns 1 on success, 0 otherwise */ -PALEXPORT int32_t AndroidCryptoNative_SSLStreamGetApplicationProtocol(SSLStream* sslStream, uint8_t* out, int32_t* outLen); +PALEXPORT int32_t AndroidCryptoNative_SSLStreamGetApplicationProtocol(SSLStream* sslStream, + uint8_t* out, + int32_t* outLen); /* Get the name of the cipher suite for the current session @@ -150,7 +153,9 @@ Set enabled protocols Returns 1 on success, 0 otherwise */ -PALEXPORT int32_t AndroidCryptoNative_SSLStreamSetEnabledProtocols(SSLStream* sslStream, PAL_SslProtocol* protocols, int32_t count); +PALEXPORT int32_t AndroidCryptoNative_SSLStreamSetEnabledProtocols(SSLStream* sslStream, + PAL_SslProtocol* protocols, + int32_t count); /* Verify hostname using the peer certificate for the current session From 4e0ba61c2458e76d07579ee0b4624e76e5f34e3f Mon Sep 17 00:00:00 2001 From: Elinor Fung Date: Fri, 9 Apr 2021 12:21:03 -0700 Subject: [PATCH 6/7] Fix .NET Framework build of test utilities --- .../Common/tests/TestUtilities/System/PlatformDetection.cs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs index 941e530908b054..e0585c6aa62faf 100644 --- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs +++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs @@ -374,7 +374,11 @@ private static bool GetTls13Support() } else if (IsAndroid) { +#if NETFRAMEWORK + return false; +#else return AndroidGetSslProtocolSupport(SslProtocols.Tls13); +#endif } else if (IsOpenSslSupported) { From 82ae6b93e1c94f16a2d3b5908aa20cc7af7e320e Mon Sep 17 00:00:00 2001 From: Elinor Fung Date: Fri, 9 Apr 2021 21:19:21 -0700 Subject: [PATCH 7/7] Don't try to support explicitly setting SSL3 --- .../Common/tests/TestUtilities/System/PlatformDetection.cs | 6 ------ .../System.Security.Cryptography.Native.Android/pal_ssl.c | 4 ---- .../pal_sslstream.c | 2 -- .../System/Net/Security/Pal.Android/SafeDeleteSslContext.cs | 3 --- 4 files changed, 15 deletions(-) diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs index e0585c6aa62faf..57b2df23622ce2 100644 --- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs +++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs @@ -281,12 +281,6 @@ private static bool GetSsl3Support() // Alternatively the returned values must have been some other types. return !IsWindows10Version2004OrGreater; } - else if (IsAndroid) - { -#pragma warning disable 0618 // 'SslProtocols.Ssl3' is obsolete - return AndroidGetSslProtocolSupport(SslProtocols.Ssl3); -#pragma warning restore 0618 - } return (IsOSX || (IsLinux && OpenSslVersion < new Version(1, 0, 2) && !IsDebian)); } diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c index 7b61a007990202..e512c77ae66f6b 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_ssl.c @@ -43,10 +43,6 @@ PAL_SslProtocol AndroidCryptoNative_SSLGetSupportedProtocols(void) supported |= PAL_SslProtocol_Tls13; } } - else if (strcmp(protocolStr, "SSLv3") == 0) - { - supported |= PAL_SslProtocol_Ssl3; - } (*env)->ReleaseStringUTFChars(env, protocol, protocolStr); (*env)->DeleteLocalRef(env, protocol); diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c index 2ef7c282367808..be336f291b05b5 100644 --- a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c +++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Android/pal_sslstream.c @@ -765,8 +765,6 @@ static jstring GetSslProtocolAsString(JNIEnv* env, PAL_SslProtocol protocol) { switch (protocol) { - case PAL_SslProtocol_Ssl3: - return JSTRING("SSLv3"); case PAL_SslProtocol_Tls10: return JSTRING("TLSv1"); case PAL_SslProtocol_Tls11: diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs index c7d70b2fc05a95..69830d9ba75d68 100644 --- a/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs +++ b/src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs @@ -20,9 +20,6 @@ internal sealed class SafeDeleteSslContext : SafeDeleteContext private const int InitialBufferSize = 2048; private static readonly SslProtocols[] s_orderedSslProtocols = new SslProtocols[] { -#pragma warning disable 0618 // 'SslProtocols.Ssl3' is obsolete - SslProtocols.Ssl3, -#pragma warning restore 0618 SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12,