diff options
Diffstat (limited to 'src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java')
-rw-r--r-- | src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java | 91 |
1 files changed, 61 insertions, 30 deletions
diff --git a/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java b/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java index ad3629354..ce8aa009f 100644 --- a/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java +++ b/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java @@ -1,20 +1,30 @@ package de.pixart.messenger.utils; import android.os.Build; +import android.support.annotation.RequiresApi; +import android.util.Log; + +import org.conscrypt.Conscrypt; import java.lang.reflect.Method; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Collection; +import java.util.Collections; import java.util.LinkedList; +import javax.net.ssl.SNIHostName; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLParameters; +import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; -import javax.net.ssl.SSLSocketFactory; + +import de.pixart.messenger.Config; +import de.pixart.messenger.entities.Account; public class SSLSocketHelper { - public static void setSecurity(final SSLSocket sslSocket) throws NoSuchAlgorithmException { + public static void setSecurity(final SSLSocket sslSocket) { final String[] supportProtocols; final Collection<String> supportedProtocols = new LinkedList<>( Arrays.asList(sslSocket.getSupportedProtocols())); @@ -30,44 +40,65 @@ public class SSLSocketHelper { } } - public static void setSNIHost(final SSLSocketFactory factory, final SSLSocket socket, final String hostname) { - if (factory instanceof android.net.SSLCertificateSocketFactory && android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.JELLY_BEAN_MR1) { - ((android.net.SSLCertificateSocketFactory) factory).setHostname(socket, hostname); + public static void setHostname(final SSLSocket socket, final String hostname) { + if (Conscrypt.isConscrypt(socket)) { + Conscrypt.setHostname(socket, hostname); + } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) { + setHostnameNougat(socket, hostname); } else { - try { - socket.getClass().getMethod("setHostname", String.class).invoke(socket, hostname); - } catch (Throwable e) { - // ignore any error, we just can't set the hostname... - } + setHostnameReflection(socket, hostname); } } - public static void setAlpnProtocol(final SSLSocketFactory factory, final SSLSocket socket, final String protocol) { + private static void setHostnameReflection(final SSLSocket socket, final String hostname) { + try { + socket.getClass().getMethod("setHostname", String.class).invoke(socket, hostname); + } catch (Throwable e) { + Log.e(Config.LOGTAG, "unable to set SNI name on socket (" + hostname + ")", e); + } + } + + + @RequiresApi(api = Build.VERSION_CODES.N) + private static void setHostnameNougat(final SSLSocket socket, final String hostname) { + final SSLParameters parameters = new SSLParameters(); + parameters.setServerNames(Collections.singletonList(new SNIHostName(hostname))); + socket.setSSLParameters(parameters); + } + + private static void setApplicationProtocolReflection(final SSLSocket socket, final String protocol) { try { - if (factory instanceof android.net.SSLCertificateSocketFactory && android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.KITKAT) { - // can't call directly because of @hide? - //((android.net.SSLCertificateSocketFactory)factory).setAlpnProtocols(new byte[][]{protocol.getBytes("UTF-8")}); - android.net.SSLCertificateSocketFactory.class.getMethod("setAlpnProtocols", byte[][].class).invoke(socket, new Object[]{new byte[][]{protocol.getBytes("UTF-8")}}); - } else { - final Method method = socket.getClass().getMethod("setAlpnProtocols", byte[].class); - // the concatenation of 8-bit, length prefixed protocol names, just one in our case... - // http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-4 - final byte[] protocolUTF8Bytes = protocol.getBytes("UTF-8"); - final byte[] lengthPrefixedProtocols = new byte[protocolUTF8Bytes.length + 1]; - lengthPrefixedProtocols[0] = (byte) protocol.length(); // cannot be over 255 anyhow - System.arraycopy(protocolUTF8Bytes, 0, lengthPrefixedProtocols, 1, protocolUTF8Bytes.length); - method.invoke(socket, new Object[]{lengthPrefixedProtocols}); - } + final Method method = socket.getClass().getMethod("setAlpnProtocols", byte[].class); + // the concatenation of 8-bit, length prefixed protocol names, just one in our case... + // http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-4 + final byte[] protocolUTF8Bytes = protocol.getBytes("UTF-8"); + final byte[] lengthPrefixedProtocols = new byte[protocolUTF8Bytes.length + 1]; + lengthPrefixedProtocols[0] = (byte) protocol.length(); // cannot be over 255 anyhow + System.arraycopy(protocolUTF8Bytes, 0, lengthPrefixedProtocols, 1, protocolUTF8Bytes.length); + method.invoke(socket, new Object[]{lengthPrefixedProtocols}); } catch (Throwable e) { - // ignore any error, we just can't set the alpn protocol... + Log.e(Config.LOGTAG, "unable to set ALPN on socket", e); + } + } + + public static void setApplicationProtocol(final SSLSocket socket, final String protocol) { + if (Conscrypt.isConscrypt(socket)) { + Conscrypt.setApplicationProtocols(socket, new String[]{protocol}); + } else { + setApplicationProtocolReflection(socket, protocol); } } public static SSLContext getSSLContext() throws NoSuchAlgorithmException { - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) { + try { + return SSLContext.getInstance("TLSv1.3"); + } catch (NoSuchAlgorithmException e) { return SSLContext.getInstance("TLSv1.2"); - } else { - return SSLContext.getInstance("TLS"); } } -} + + public static void log(Account account, SSLSocket socket) { + SSLSession session = socket.getSession(); + Log.d(Config.LOGTAG, account.getJid().asBareJid() + ": protocol=" + session.getProtocol() + " cipher=" + session.getCipherSuite()); + } +}
\ No newline at end of file |