Remove 3DES from conscrypt

android/src/main/java/org/conscrypt/Platform.java

@@ -69,16 +69,21 @@
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.StandardConstants;
 import javax.net.ssl.X509TrustManager;
+import org.conscrypt.NativeCrypto;
 
 /**
  * Platform-specific methods for unbundled Android.
  */
 @Internal
 final public class Platform {
     private static final String TAG = "Conscrypt";
+    static boolean DEPRECATED_TLS_V1 = true;
+    static boolean ENABLED_TLS_V1 = false;
+    private static boolean FILTERED_TLS_V1 = true;
 
     private static Method m_getCurveName;
     static {
+        NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
         try {
             m_getCurveName = ECParameterSpec.class.getDeclaredMethod("getCurveName");
             m_getCurveName.setAccessible(true);
@@ -89,7 +94,12 @@ final public class Platform {
 
     private Platform() {}
 
-    public static void setup() {}
+    public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) {
+        DEPRECATED_TLS_V1 = deprecatedTlsV1;
+        ENABLED_TLS_V1 = enabledTlsV1;
+        FILTERED_TLS_V1 = !enabledTlsV1;
+        NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
+    }
 
     /**
      * Default name used in the {@link java.security.Security JCE system} by {@code OpenSSLProvider}
@@ -955,14 +965,14 @@ public static boolean isJavaxCertificateSupported() {
     }
 
     public static boolean isTlsV1Deprecated() {
-        return true;
+        return DEPRECATED_TLS_V1;
     }
 
     public static boolean isTlsV1Filtered() {
-        return false;
+        return FILTERED_TLS_V1;
     }
 
     public static boolean isTlsV1Supported() {
-        return false;
+        return ENABLED_TLS_V1;
     }
 }

common/src/main/java/org/conscrypt/Conscrypt.java

@@ -160,6 +160,8 @@ public static class ProviderBuilder {
         private String name = Platform.getDefaultProviderName();
         private boolean provideTrustManager = Platform.provideTrustManagerByDefault();
         private String defaultTlsProtocol = NativeCrypto.SUPPORTED_PROTOCOL_TLSV1_3;
+        private boolean deprecatedTlsV1 = true;
+        private boolean enabledTlsV1 = false;
 
         private ProviderBuilder() {}
 
@@ -200,8 +202,21 @@ public ProviderBuilder defaultTlsProtocol(String defaultTlsProtocol) {
             return this;
         }
 
+        /** Specifies whether TLS v1.0 and 1.1 should be deprecated */
+        public ProviderBuilder isTlsV1Deprecated(boolean deprecatedTlsV1) {
+            this.deprecatedTlsV1 = deprecatedTlsV1;
+            return this;
+        }
+
+        /** Specifies whether TLS v1.0 and 1.1 should be enabled */
+        public ProviderBuilder isTlsV1Enabled(boolean enabledTlsV1) {
+            this.enabledTlsV1 = enabledTlsV1;
+            return this;
+        }
+
         public Provider build() {
-            return new OpenSSLProvider(name, provideTrustManager, defaultTlsProtocol);
+            return new OpenSSLProvider(name, provideTrustManager,
+                defaultTlsProtocol, deprecatedTlsV1, enabledTlsV1);
         }
     }
 

common/src/main/java/org/conscrypt/NativeCrypto.java

@@ -863,10 +863,8 @@ static String cipherSuiteFromJava(String javaCipherSuite) {
         if (loadError == null) {
             // If loadError is not null, it means the native code was not loaded, so
             // get_cipher_names will throw UnsatisfiedLinkError. Populate the list of supported
-            // ciphers with BoringSSL's default, and also explicitly include 3DES.
-            // https://boringssl-review.googlesource.com/c/boringssl/+/59425 will remove 3DES
-            // from BoringSSL's default, but Conscrypt isn't quite ready to remove it yet.
-            String[] allCipherSuites = get_cipher_names("ALL:3DES");
+            // ciphers with BoringSSL's default.
+            String[] allCipherSuites = get_cipher_names("ALL");
 
             // get_cipher_names returns an array where even indices are the standard name and odd
             // indices are the OpenSSL name.
@@ -1025,29 +1023,48 @@ static native void SSL_set_client_CA_list(long ssl, NativeSsl ssl_holder, byte[]
 
     static native void set_SSL_psk_server_callback_enabled(long ssl, NativeSsl ssl_holder, boolean enabled);
 
-    private static final String[] ENABLED_PROTOCOLS_TLSV1 = Platform.isTlsV1Deprecated()
-            ? new String[0]
-            : new String[] {
+    public static void setTlsV1DeprecationStatus(boolean deprecated, boolean supported) {
+        if (deprecated) {
+            TLSV12_PROTOCOLS = new String[] {
+                SUPPORTED_PROTOCOL_TLSV1_2,
+            };
+            TLSV13_PROTOCOLS = new String[] {
+                SUPPORTED_PROTOCOL_TLSV1_2,
+                SUPPORTED_PROTOCOL_TLSV1_3,
+            };
+        } else {
+            TLSV12_PROTOCOLS = new String[] {
                 DEPRECATED_PROTOCOL_TLSV1,
                 DEPRECATED_PROTOCOL_TLSV1_1,
+                SUPPORTED_PROTOCOL_TLSV1_2,
             };
-
-    private static final String[] SUPPORTED_PROTOCOLS_TLSV1 = Platform.isTlsV1Supported()
-            ? new String[] {
+            TLSV13_PROTOCOLS = new String[] {
                 DEPRECATED_PROTOCOL_TLSV1,
                 DEPRECATED_PROTOCOL_TLSV1_1,
-            } : new String[0];
+                SUPPORTED_PROTOCOL_TLSV1_2,
+                SUPPORTED_PROTOCOL_TLSV1_3,
+            };
+        }
+        if (supported) {
+            SUPPORTED_PROTOCOLS = new String[] {
+                DEPRECATED_PROTOCOL_TLSV1,
+                DEPRECATED_PROTOCOL_TLSV1_1,
+                SUPPORTED_PROTOCOL_TLSV1_2,
+                SUPPORTED_PROTOCOL_TLSV1_3,
+            };
+        } else {
+            SUPPORTED_PROTOCOLS = new String[] {
+                SUPPORTED_PROTOCOL_TLSV1_2,
+                SUPPORTED_PROTOCOL_TLSV1_3,
+            };
+        }
+    }
 
     /** Protocols to enable by default when "TLSv1.3" is requested. */
-    static final String[] TLSV13_PROTOCOLS = ArrayUtils.concatValues(
-            ENABLED_PROTOCOLS_TLSV1,
-            SUPPORTED_PROTOCOL_TLSV1_2,
-            SUPPORTED_PROTOCOL_TLSV1_3);
+    static String[] TLSV13_PROTOCOLS;
 
     /** Protocols to enable by default when "TLSv1.2" is requested. */
-    static final String[] TLSV12_PROTOCOLS = ArrayUtils.concatValues(
-            ENABLED_PROTOCOLS_TLSV1,
-            SUPPORTED_PROTOCOL_TLSV1_2);
+    static String[] TLSV12_PROTOCOLS;
 
     /** Protocols to enable by default when "TLSv1.1" is requested. */
     static final String[] TLSV11_PROTOCOLS = new String[] {
@@ -1059,20 +1076,12 @@ static native void SSL_set_client_CA_list(long ssl, NativeSsl ssl_holder, byte[]
     /** Protocols to enable by default when "TLSv1" is requested. */
     static final String[] TLSV1_PROTOCOLS = TLSV11_PROTOCOLS;
 
-    static final String[] DEFAULT_PROTOCOLS = TLSV13_PROTOCOLS;
-
     // If we ever get a new protocol go look for tests which are skipped using
     // assumeTlsV11Enabled()
-    private static final String[] SUPPORTED_PROTOCOLS = ArrayUtils.concatValues(
-            SUPPORTED_PROTOCOLS_TLSV1,
-            SUPPORTED_PROTOCOL_TLSV1_2,
-            SUPPORTED_PROTOCOL_TLSV1_3);
+    private static String[] SUPPORTED_PROTOCOLS;
 
     public static String[] getDefaultProtocols() {
-        if (Platform.isTlsV1Deprecated()) {
-          return DEFAULT_PROTOCOLS.clone();
-        }
-        return SUPPORTED_PROTOCOLS.clone();
+        return TLSV13_PROTOCOLS.clone();
     }
 
     static String[] getSupportedProtocols() {

common/src/main/java/org/conscrypt/OpenSSLProvider.java

@@ -51,17 +51,29 @@ public OpenSSLProvider() {
 
     @SuppressWarnings("deprecation")
     public OpenSSLProvider(String providerName) {
-        this(providerName, Platform.provideTrustManagerByDefault(), "TLSv1.3");
+        this(providerName, Platform.provideTrustManagerByDefault(), "TLSv1.3",
+            Platform.DEPRECATED_TLS_V1, Platform.ENABLED_TLS_V1);
     }
 
-    OpenSSLProvider(String providerName, boolean includeTrustManager, String defaultTlsProtocol) {
+    OpenSSLProvider(String providerName, boolean includeTrustManager,
+            String defaultTlsProtocol) {
+        this(providerName, includeTrustManager, defaultTlsProtocol,
+            Platform.DEPRECATED_TLS_V1, Platform.ENABLED_TLS_V1);
+    }
+
+    OpenSSLProvider(String providerName, boolean includeTrustManager,
+            String defaultTlsProtocol, boolean deprecatedTlsV1,
+            boolean enabledTlsV1) {
         super(providerName, 1.0, "Android's OpenSSL-backed security provider");
 
         // Ensure that the native library has been loaded.
         NativeCrypto.checkAvailability();
 
+        if (!deprecatedTlsV1 && !enabledTlsV1) {
+            throw new IllegalArgumentException("TLSv1 is not deprecated and cannot be disabled.");
+        }
         // Make sure the platform is initialized.
-        Platform.setup();
+        Platform.setup(deprecatedTlsV1, enabledTlsV1);
 
         /* === SSL Contexts === */
         String classOpenSSLContextImpl = PREFIX + "OpenSSLContextImpl";

openjdk/src/main/java/org/conscrypt/Platform.java

@@ -84,6 +84,7 @@
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
+import org.conscrypt.NativeCrypto;
 
 /**
  * Platform-specific methods for OpenJDK.
@@ -94,9 +95,12 @@
 final public class Platform {
     private static final int JAVA_VERSION = javaVersion0();
     private static final Method GET_CURVE_NAME_METHOD;
+    static boolean DEPRECATED_TLS_V1 = true;
+    static boolean ENABLED_TLS_V1 = false;
+    private static boolean FILTERED_TLS_V1 = true;
 
     static {
-
+        NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
         Method getCurveNameMethod = null;
         try {
             getCurveNameMethod = ECParameterSpec.class.getDeclaredMethod("getCurveName");
@@ -109,7 +113,12 @@ final public class Platform {
 
     private Platform() {}
 
-    static void setup() {}
+    public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) {
+        DEPRECATED_TLS_V1 = deprecatedTlsV1;
+        ENABLED_TLS_V1 = enabledTlsV1;
+        FILTERED_TLS_V1 = !enabledTlsV1;
+        NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
+    }
 
 
     /**
@@ -839,14 +848,14 @@ public static boolean isJavaxCertificateSupported() {
     }
 
     public static boolean isTlsV1Deprecated() {
-        return true;
+        return DEPRECATED_TLS_V1;
     }
 
     public static boolean isTlsV1Filtered() {
-        return false;
+        return FILTERED_TLS_V1;
     }
 
     public static boolean isTlsV1Supported() {
-        return true;
+        return ENABLED_TLS_V1;
     }
 }

platform/src/main/java/org/conscrypt/Platform.java

@@ -75,18 +75,30 @@
 import javax.net.ssl.StandardConstants;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
-
+import libcore.net.NetworkSecurityPolicy;
+import org.conscrypt.NativeCrypto;
 import sun.security.x509.AlgorithmId;
 
 @Internal
 final public class Platform {
     private static class NoPreloadHolder { public static final Platform MAPPER = new Platform(); }
+    static boolean DEPRECATED_TLS_V1 = true;
+    static boolean ENABLED_TLS_V1 = false;
+    private static boolean FILTERED_TLS_V1 = true;
+
+    static {
+        NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
+    }
 
     /**
      * Runs all the setup for the platform that only needs to run once.
      */
-    public static void setup() {
+    public static void setup(boolean deprecatedTlsV1, boolean enabledTlsV1) {
+        DEPRECATED_TLS_V1 = deprecatedTlsV1;
+        ENABLED_TLS_V1 = enabledTlsV1;
+        FILTERED_TLS_V1 = !enabledTlsV1;
         NoPreloadHolder.MAPPER.ping();
+        NativeCrypto.setTlsV1DeprecationStatus(DEPRECATED_TLS_V1, ENABLED_TLS_V1);
     }
 
     /**
@@ -552,34 +564,34 @@ public static boolean isJavaxCertificateSupported() {
     }
 
     public static boolean isTlsV1Deprecated() {
-        return true;
+        return DEPRECATED_TLS_V1;
     }
 
     public static boolean isTlsV1Filtered() {
         Object targetSdkVersion = getTargetSdkVersion();
-        if ((targetSdkVersion != null) && ((int) targetSdkVersion > 34))
+        if ((targetSdkVersion != null) && ((int) targetSdkVersion > 35)
+               && ((int) targetSdkVersion < 100))
             return false;
-        return true;
+        return FILTERED_TLS_V1;
     }
 
     public static boolean isTlsV1Supported() {
-        return false;
+        return ENABLED_TLS_V1;
     }
 
     static Object getTargetSdkVersion() {
         try {
-            Class<?> vmRuntime = Class.forName("dalvik.system.VMRuntime");
-            if (vmRuntime == null) {
-                return null;
-            }
-            OptionalMethod getSdkVersion =
-                    new OptionalMethod(vmRuntime,
-                                        "getTargetSdkVersion");
-            return getSdkVersion.invokeStatic();
-        } catch (ClassNotFoundException e) {
-            return null;
-        } catch (NullPointerException e) {
+            Class<?> vmRuntimeClass = Class.forName("dalvik.system.VMRuntime");
+            Method getRuntimeMethod = vmRuntimeClass.getDeclaredMethod("getRuntime");
+            Method getTargetSdkVersionMethod =
+                        vmRuntimeClass.getDeclaredMethod("getTargetSdkVersion");
+            Object vmRuntime = getRuntimeMethod.invoke(null);
+            return getTargetSdkVersionMethod.invoke(vmRuntime);
+        } catch (IllegalAccessException |
+          NullPointerException | InvocationTargetException e) {
             return null;
+        } catch (Exception e) {
+            throw new RuntimeException(e);
         }
     }
 }