conversations-classic/src/main/java/eu/siacs/conversations/utils/SSLSocketHelper.java

package eu.siacs.conversations.utils;

import android.os.Build;
import android.support.annotation.RequiresApi;
import android.util.Log;

import java.lang.reflect.Method;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedList;

import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import eu.siacs.conversations.Config;
import eu.siacs.conversations.entities.Account;

public class SSLSocketHelper {

    public static void setSecurity(final SSLSocket sslSocket) {
        final String[] supportProtocols;
        final Collection<String> supportedProtocols = new LinkedList<>(
                Arrays.asList(sslSocket.getSupportedProtocols()));
        supportedProtocols.remove("SSLv3");
        supportProtocols = supportedProtocols.toArray(new String[supportedProtocols.size()]);

        sslSocket.setEnabledProtocols(supportProtocols);

        final String[] cipherSuites = CryptoHelper.getOrderedCipherSuites(
                sslSocket.getSupportedCipherSuites());
        if (cipherSuites.length > 0) {
            sslSocket.setEnabledCipherSuites(cipherSuites);
        }
    }

    public static void setSNIHost(final SSLSocket socket, final String hostname) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            setSNIHostNougat(socket, hostname);
        } else {
            try {
                socket.getClass().getMethod("setHostname", String.class).invoke(socket, hostname);
            } catch (Throwable e) {
                Log.e(Config.LOGTAG, "unable to set SNI name on socket (" + hostname + ")", e);
            }
        }
    }

    @RequiresApi(api = Build.VERSION_CODES.N)
    private static void setSNIHostNougat(final SSLSocket socket, final String hostname) {
        final SSLParameters parameters = new SSLParameters();
        parameters.setServerNames(Collections.singletonList(new SNIHostName(hostname)));
        socket.setSSLParameters(parameters);
    }

    public static void setAlpnProtocol(final SSLSocket socket, final String protocol) {
        try {
            final Method method = socket.getClass().getMethod("setAlpnProtocols", byte[].class);
            // the concatenation of 8-bit, length prefixed protocol names, just one in our case...
            // http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-4
            final byte[] protocolUTF8Bytes = protocol.getBytes("UTF-8");
            final byte[] lengthPrefixedProtocols = new byte[protocolUTF8Bytes.length + 1];
            lengthPrefixedProtocols[0] = (byte) protocol.length(); // cannot be over 255 anyhow
            System.arraycopy(protocolUTF8Bytes, 0, lengthPrefixedProtocols, 1, protocolUTF8Bytes.length);
            method.invoke(socket, new Object[]{lengthPrefixedProtocols});
        } catch (Throwable e) {
            Log.e(Config.LOGTAG,"unable to set ALPN on socket",e);
        }
    }

    public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
        return SSLContext.getInstance("TLSv1.3");
    }

    public static void log(Account account, SSLSocket socket) {
        SSLSession session = socket.getSession();
        Log.d(Config.LOGTAG,account.getJid().asBareJid()+": protocol="+session.getProtocol()+" cipher="+session.getCipherSuite());
    }
}
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00			`package eu.siacs.conversations.utils;`

fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`import android.os.Build;`
			`import android.support.annotation.RequiresApi;`
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`import android.util.Log;`
use TLSv1.2 as SSL context on supported plattforms 2016-02-03 17:17:16 +00:00
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00			`import java.lang.reflect.Method;`
			`import java.security.NoSuchAlgorithmException;`
			`import java.util.Arrays;`
			`import java.util.Collection;`
fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`import java.util.Collections;`
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00			`import java.util.LinkedList;`

fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`import javax.net.ssl.SNIHostName;`
			`import javax.net.ssl.SNIServerName;`
use TLSv1.2 as SSL context on supported plattforms 2016-02-03 17:17:16 +00:00			`import javax.net.ssl.SSLContext;`
fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`import javax.net.ssl.SSLParameters;`
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`import javax.net.ssl.SSLSession;`
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00			`import javax.net.ssl.SSLSocket;`
			`import javax.net.ssl.SSLSocketFactory;`

use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`import eu.siacs.conversations.Config;`
			`import eu.siacs.conversations.entities.Account;`

move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00			`public class SSLSocketHelper {`

use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`public static void setSecurity(final SSLSocket sslSocket) {`
			`final String[] supportProtocols;`
			`final Collection<String> supportedProtocols = new LinkedList<>(`
			`Arrays.asList(sslSocket.getSupportedProtocols()));`
			`supportedProtocols.remove("SSLv3");`
			`supportProtocols = supportedProtocols.toArray(new String[supportedProtocols.size()]);`

			`sslSocket.setEnabledProtocols(supportProtocols);`
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`final String[] cipherSuites = CryptoHelper.getOrderedCipherSuites(`
			`sslSocket.getSupportedCipherSuites());`
			`if (cipherSuites.length > 0) {`
			`sslSocket.setEnabledCipherSuites(cipherSuites);`
			`}`
			`}`
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00
fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`public static void setSNIHost(final SSLSocket socket, final String hostname) {`
			`if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {`
			`setSNIHostNougat(socket, hostname);`
			`} else {`
			`try {`
			`socket.getClass().getMethod("setHostname", String.class).invoke(socket, hostname);`
			`} catch (Throwable e) {`
			`Log.e(Config.LOGTAG, "unable to set SNI name on socket (" + hostname + ")", e);`
			`}`
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`}`
			`}`
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00
fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`@RequiresApi(api = Build.VERSION_CODES.N)`
			`private static void setSNIHostNougat(final SSLSocket socket, final String hostname) {`
			`final SSLParameters parameters = new SSLParameters();`
			`parameters.setServerNames(Collections.singletonList(new SNIHostName(hostname)));`
			`socket.setSSLParameters(parameters);`
			`}`

			`public static void setAlpnProtocol(final SSLSocket socket, final String protocol) {`
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`try {`
fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`final Method method = socket.getClass().getMethod("setAlpnProtocols", byte[].class);`
			`// the concatenation of 8-bit, length prefixed protocol names, just one in our case...`
			`// http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-4`
			`final byte[] protocolUTF8Bytes = protocol.getBytes("UTF-8");`
			`final byte[] lengthPrefixedProtocols = new byte[protocolUTF8Bytes.length + 1];`
			`lengthPrefixedProtocols[0] = (byte) protocol.length(); // cannot be over 255 anyhow`
			`System.arraycopy(protocolUTF8Bytes, 0, lengthPrefixedProtocols, 1, protocolUTF8Bytes.length);`
			`method.invoke(socket, new Object[]{lengthPrefixedProtocols});`
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`} catch (Throwable e) {`
fixed regression that didn’t enable SNI 2018-09-22 11:32:46 +00:00			`Log.e(Config.LOGTAG,"unable to set ALPN on socket",e);`
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`}`
			`}`
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`public static SSLContext getSSLContext() throws NoSuchAlgorithmException {`
			`return SSLContext.getInstance("TLSv1.3");`
			`}`
use TLSv1.2 as SSL context on supported plattforms 2016-02-03 17:17:16 +00:00
use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids 2018-09-21 14:33:07 +00:00			`public static void log(Account account, SSLSocket socket) {`
			`SSLSession session = socket.getSession();`
			`Log.d(Config.LOGTAG,account.getJid().asBareJid()+": protocol="+session.getProtocol()+" cipher="+session.getCipherSuite());`
			`}`
move some ssl socket modifiers into a seperate helper class 2016-01-12 15:33:15 +00:00			`}`