diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5c92e7755..8bdab0338 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,7 +32,7 @@ jobs: - uses: actions/checkout@v2 - name: Setup Linux environment - if: runner.os == 'Linux' && runner.arch == 'X64' + if: runner.os == 'Linux' && runner.arch == 'x64' run: | echo "CC=clang" >> $GITHUB_ENV echo "CXX=clang++" >> $GITHUB_ENV @@ -45,7 +45,7 @@ jobs: openjdk-11-jre-headless - name: Setup Linux environment - if: runner.os == 'Linux' && runner.arch == 'ARM64' + if: runner.os == 'Linux' && runner.arch == 'arm64' run: | echo "CC=clang" >> $GITHUB_ENV echo "CXX=clang++" >> $GITHUB_ENV 
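Review bot: The lower-cased `'x64'` and `'arm64'` in both changed `if:` lines deviate from the values GitHub documents for `runner.arch` (`X64`, `ARM64`), so a reader cannot tell whether this is a fix or a preference. As far as I know, `==` in workflow expressions compares strings case-insensitively, so the old and new conditions select the same runners and the change is cosmetic; if the lowercase form is wanted, a one-line comment at the first occurrence such as `# runner.arch compares case-insensitively; lowercase used for consistency with the artifact names` would save the next maintainer from checking. The same edit repeats in every ci.yml hunk that follows (@@ -54 through @@ -362).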
@@ -54,34 +54,34 @@ jobs: yum -qq install -y perl git make clang libstdc++-static java-11-openjdk - name: Setup macOS environment - if: runner.os == 'macOS' && runner.arch == 'ARM64' + if: runner.os == 'macOS' && runner.arch == 'arm64' run: | echo "CC=clang" >> $GITHUB_ENV echo "CXX=clang++" >> $GITHUB_ENV - - name: Checkout Tongsuo tag 8.3.2 branch + - name: Checkout Tongsuo tag 8.4.0-pre2 branch shell: bash run: | mkdir -p "$TONGSUO_HOME" cd "$TONGSUO_HOME" - for i in {1..10}; do git clone -b 8.3.2 https://github.com/Tongsuo-Project/Tongsuo.git "./" && break || sleep 5; done + for i in {1..10}; do git clone -b 8.4.0-pre2 https://github.com/Tongsuo-Project/Tongsuo.git "./" && break || sleep 5; done - name: Build Tongsuo x86-64 MacOS - if: runner.os == 'macOS' && runner.arch == 'X64' + if: runner.os == 'macOS' && runner.arch == 'x64' env: # For compatibility, but 10.15 target requires 16-byte stack alignment. MACOSX_DEPLOYMENT_TARGET: 10.11 run: | mkdir -p "$TONGSUO_HOME/build.x64" pushd "$TONGSUO_HOME" - ./config --prefix=$TONGSUO_HOME/build.x64 enable-weak-ssl-ciphers + ./config --libdir=lib --prefix=$TONGSUO_HOME/build.x64 enable-weak-ssl-ciphers make -s -j4 make install tar -zcvf build.x64.tgz build.x64 popd - name: Upload macOS-X64 Tongsuo lib and bin - if: runner.os == 'macOS' && runner.arch == 'X64' + if: runner.os == 'macOS' && runner.arch == 'x64' uses: actions/upload-artifact@v2 with: name: tongsuo_osx_x64_bin.tgz 
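Review bot: `git clone -b 8.4.0-pre2 https://github.com/Tongsuo-Project/Tongsuo.git` pulls a pre-release by tag, and a git tag is movable, so the library built and uploaded here is not tied to a fixed source revision and a later retag would change what CI links against without any diff in this repository. Record the expected commit and verify it after the clone, e.g. `test "$(git rev-parse HEAD)" = "<EXPECTED_TONGSUO_COMMIT_SHA>"` (placeholder), or clone and check out that commit directly; the identical step in the @@ -225 hunk needs the same treatment. The new `--libdir=lib` flag would also benefit from a one-line comment stating why it is needed (presumably the default would otherwise be `lib64` on some hosts), since the download steps in @@ -278 hard-code `build.x64/lib` and `build.arm64/lib` for the library path.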
@@ -89,21 +89,21 @@ jobs: if-no-files-found: error - name: Build Tongsuo MacOS arm64 - if: runner.os == 'macOS' && runner.arch == 'ARM64' + if: runner.os == 'macOS' && runner.arch == 'arm64' env: # For compatibility, but 10.15 target requires 16-byte stack alignment. MACOSX_DEPLOYMENT_TARGET: 10.11 run: | mkdir -p "$TONGSUO_HOME/build.arm64" pushd "$TONGSUO_HOME" - ./config --prefix=$TONGSUO_HOME/build.arm64 enable-weak-ssl-ciphers + ./config --libdir=lib --prefix=$TONGSUO_HOME/build.arm64 enable-weak-ssl-ciphers make -s -j4 make install tar -zcvf build.arm64.tgz build.arm64 popd - name: Upload macOS-ARM64 Tongsuo bin - if: runner.os == 'macOS' && runner.arch == 'ARM64' + if: runner.os == 'macOS' && runner.arch == 'arm64' uses: actions/upload-artifact@v2 with: name: tongsuo_osx_arm64_bin.tgz @@ -111,19 +111,19 @@ jobs: if-no-files-found: error - name: Build Tongsuo x86_64 Linux - if: runner.os == 'Linux' && runner.arch == 'X64' + if: runner.os == 'Linux' && runner.arch == 'x64' shell: bash run: | mkdir -p "$TONGSUO_HOME/build.x64" pushd "$TONGSUO_HOME" - ./config --prefix=$TONGSUO_HOME/build.x64 enable-weak-ssl-ciphers + ./config --libdir=lib --prefix=$TONGSUO_HOME/build.x64 enable-weak-ssl-ciphers make -s -j4 make install tar -zcvf build.x64.tgz build.x64 popd - name: Upload Linux-X64 Tongsuo bin - if: runner.os == 'Linux' && runner.arch == 'X64' + if: runner.os == 'Linux' && runner.arch == 'x64' uses: actions/upload-artifact@v2 with: name: tongsuo_linux_x64_bin.tgz 
@@ -131,19 +131,19 @@ jobs: if-no-files-found: error - name: Build Tongsuo arm64 Linux - if: runner.os == 'Linux' && runner.arch == 'ARM64' + if: runner.os == 'Linux' && runner.arch == 'arm64' shell: bash run: | mkdir -p "$TONGSUO_HOME/build.arm64" pushd "$TONGSUO_HOME" - ./config --prefix=$TONGSUO_HOME/build.arm64 enable-weak-ssl-ciphers + ./config --libdir=lib --prefix=$TONGSUO_HOME/build.arm64 enable-weak-ssl-ciphers make -s -j4 make install tar -zcvf build.arm64.tgz build.arm64 popd - name: Upload Linux-ARM64 Tongsuo bin - if: runner.os == 'Linux' && runner.arch == 'ARM64' + if: runner.os == 'Linux' && runner.arch == 'arm64' uses: actions/upload-artifact@v2 with: name: tongsuo_linux_arm64_bin.tgz @@ -175,12 +175,12 @@ jobs: # testjar is platform-independent, choose linux-x86-64 platform runner # to collect testjar and upload. - name: Build test JAR with dependencies - if: runner.os == 'Linux' && runner.arch == 'X64' + if: runner.os == 'Linux' && runner.arch == 'x64' shell: bash run: ./gradlew :security-native:testJar -PcheckErrorQueue - name: Upload test JAR with dependencies - if: runner.os == 'Linux' && runner.arch == 'X64' + if: runner.os == 'Linux' && runner.arch == 'x64' uses: actions/upload-artifact@v2 with: name: testjar @@ -225,12 +225,12 @@ jobs: name: m2repo-macOS-ARM64 path: ${{ runner.temp }}/m2 - - name: Checkout Tongsuo tag 8.3.2 branch + - name: Checkout Tongsuo tag 8.4.0-pre2 branch shell: bash run: | mkdir -p "$TONGSUO_HOME" cd "$TONGSUO_HOME" - for i in {1..10}; do git clone -b 8.3.2 https://github.com/Tongsuo-Project/Tongsuo.git "./" && break || sleep 5; done + for i in {1..10}; do git clone -b 8.4.0-pre2 https://github.com/Tongsuo-Project/Tongsuo.git "./" && break || sleep 5; done - name: Build UberJAR with Gradle shell: bash 
@@ -278,53 +278,53 @@ jobs: mkdir -p "${{ runner.temp }}/Tongsuo" - name: Download Maven repository for macOS X64 - if: runner.os == 'macOS' && runner.arch == 'X64' + if: runner.os == 'macOS' && runner.arch == 'x64' uses: actions/download-artifact@v2 with: name: tongsuo_osx_x64_bin.tgz path: ${{ runner.temp }}/Tongsuo - name: Uncompress files - if: runner.os == 'macOS' && runner.arch == 'X64' + if: runner.os == 'macOS' && runner.arch == 'x64' run: | tar -xzvf ${{ runner.temp }}/Tongsuo/build.x64.tgz -C ${{ runner.temp }}/Tongsuo DYLD_LIBRARY_PATH=${{ runner.temp }}/Tongsuo/build.x64/lib ${{ runner.temp }}/Tongsuo/build.x64/bin/openssl version - name: Download Maven repository for macOS arm64 - if: runner.os == 'macOS' && runner.arch == 'ARM64' + if: runner.os == 'macOS' && runner.arch == 'arm64' uses: actions/download-artifact@v2 with: name: tongsuo_osx_arm64_bin.tgz path: ${{ runner.temp }}/Tongsuo - name: Uncompress files - if: runner.os == 'macOS' && runner.arch == 'ARM64' + if: runner.os == 'macOS' && runner.arch == 'arm64' run: | tar -xzvf ${{ runner.temp }}/Tongsuo/build.arm64.tgz -C ${{ runner.temp }}/Tongsuo DYLD_LIBRARY_PATH=${{ runner.temp }}/Tongsuo/build.arm64/lib ${{ runner.temp }}/Tongsuo/build.arm64/bin/openssl version - name: Download Maven repository for Linux X64 - if: runner.os == 'Linux' && runner.arch == 'X64' + if: runner.os == 'Linux' && runner.arch == 'x64' uses: actions/download-artifact@v2 with: name: tongsuo_linux_x64_bin.tgz path: ${{ runner.temp }}/Tongsuo - name: Uncompress files - if: runner.os == 'Linux' && runner.arch == 'X64' + if: runner.os == 'Linux' && runner.arch == 'x64' run: | tar -xzvf ${{ runner.temp }}/Tongsuo/build.x64.tgz -C ${{ runner.temp }}/Tongsuo && ls ${{ runner.temp }}/Tongsuo LD_LIBRARY_PATH=${{ runner.temp }}/Tongsuo/build.x64/lib ${{ runner.temp }}/Tongsuo/build.x64/bin/openssl version - name: Download Maven repository for Linux ARM64 - if: runner.os == 'Linux' && runner.arch == 'ARM64' + if: runner.os == 
'Linux' && runner.arch == 'arm64' uses: actions/download-artifact@v2 with: name: tongsuo_linux_arm64_bin.tgz path: ${{ runner.temp }}/Tongsuo - name: Uncompress files - if: runner.os == 'Linux' && runner.arch == 'ARM64' + if: runner.os == 'Linux' && runner.arch == 'arm64' run: | tar -xzvf ${{ runner.temp }}/Tongsuo/build.arm64.tgz -C ${{ runner.temp }}/Tongsuo && ls ${{ runner.temp }}/Tongsuo LD_LIBRARY_PATH=${{ runner.temp }}/Tongsuo/build.arm64/lib ${{ runner.temp }}/Tongsuo/build.arm64/bin/openssl version @@ -346,7 +346,7 @@ jobs: run: mvn org.apache.maven.plugins:maven-dependency-plugin:3.1.2:copy -Dartifact=org.junit.platform:junit-platform-console-standalone:1.6.2 -DoutputDirectory=. -Dmdep.stripVersion=true - name: Run JUnit tests - if: runner.arch == 'X64' + if: runner.arch == 'x64' shell: bash run: | DIR="$(find m2/com/alibaba/dragonwell/security-native-uber -maxdepth 1 -mindepth 1 -type d -print)" @@ -362,7 +362,7 @@ jobs: java $PROPERTY0 $PROPERTY1 $PROPERTY2 $PROPERTY3 $PROPERTY4 -jar junit-platform-console-standalone.jar -cp $CLASS_PATH -n='${{ matrix.suite_class }}' --scan-classpath --reports-dir=results --fail-if-no-tests - name: Run JUnit tests - if: runner.arch == 'ARM64' + if: runner.arch == 'arm64' shell: bash run: | DIR="$(find m2/com/alibaba/dragonwell/security-native-uber -maxdepth 1 -mindepth 1 -type d -print)" diff --git a/common/src/jni/main/cpp/conscrypt/native_crypto.cc b/common/src/jni/main/cpp/conscrypt/native_crypto.cc index 1de08afdc..856af4193 100644 --- a/common/src/jni/main/cpp/conscrypt/native_crypto.cc +++ b/common/src/jni/main/cpp/conscrypt/native_crypto.cc @@ -2200,7 +2200,7 @@ static jboolean NativeCrypto_X25519(JNIEnv* env, jclass, jbyteArray outArray, return JNI_FALSE; } - size_t keylen; + size_t keylen = out.size(); if (EVP_PKEY_derive_init(ctx.get()) <= 0 || EVP_PKEY_derive_set_peer(ctx.get(), peerpubkey.get()) <= 0 || EVP_PKEY_derive(ctx.get(), reinterpret_cast(out.get()), &keylen) <= 0) { 
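Review bot: Initialising `keylen` to `out.size()` is the right fix, since `EVP_PKEY_derive` reads `*keylen` as the capacity of the output buffer when `key` is non-null, and the previous uninitialised value could have allowed a write past `out` or a spurious failure depending on what happened to be on the stack. After the call `keylen` holds the number of bytes actually written, so the code that follows the hunk (the rest of `NativeCrypto_X25519` is outside it) should confirm `keylen == out.size()` before the buffer is handed back as a full shared secret, e.g. `if (keylen != out.size()) { /* throw and return JNI_FALSE */ }`, unless such a check already exists further down.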
@@ -6686,7 +6686,10 @@ static jlong NativeCrypto_SSL_CTX_new(JNIEnv* env, jclass) { conscrypt::jniutil::throwExceptionFromBoringSSLError(env, "SSL_CTX_new"); return 0; } - SSL_CTX_set_options(sslCtx.get(), SSL_OP_ALL | SSL_OP_NO_TICKET | SSL_OP_NO_COMPRESSION); + // Set the lowest security level for compatibility. + // Please refer to: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html + SSL_CTX_set_security_level(sslCtx.get(), 0); + SSL_CTX_set_options(sslCtx.get(), SSL_OP_ALL | SSL_OP_NO_TICKET | SSL_OP_NO_COMPRESSION | SSL_OP_IGNORE_UNEXPECTED_EOF); // Disable TLSv1.3 server send session tickets SSL_CTX_set_num_tickets(sslCtx.get(), 0); SSL_CTX_set_min_proto_version(sslCtx.get(), TLS1_VERSION); diff --git a/common/src/test/java/org/conscrypt/java/security/KeyFactoryTestRSA.java b/common/src/test/java/org/conscrypt/java/security/KeyFactoryTestRSA.java index 8e82a33af..50e294597 100644 --- a/common/src/test/java/org/conscrypt/java/security/KeyFactoryTestRSA.java +++ b/common/src/test/java/org/conscrypt/java/security/KeyFactoryTestRSA.java @@ -40,6 +40,8 @@ import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; import java.util.List; + +import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.JUnit4; @@ -57,6 +59,7 @@ protected void check(KeyPair keyPair) throws Exception { new CipherAsymmetricCryptHelper("RSA").test(keyPair); } + @Ignore("It's not supported in Openssl 3.0") @Test public void getEncodedWhenCrtValuesMissing() throws Exception { PrivateKey privateKey = getPrivateKey(); diff --git a/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java b/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java index 20c85d723..570f6e007 100644 --- a/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java +++ b/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java 
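Review bot: `SSL_CTX_set_security_level(sslCtx.get(), 0)` lowers every context created by `NativeCrypto_SSL_CTX_new` to level 0, which accepts parameters the OpenSSL default level 1 rejects (for example RSA and DH keys shorter than 1024 bits and MD5-based signatures), and the added `SSL_OP_IGNORE_UNEXPECTED_EOF` makes a peer that closes without `close_notify` look like a clean EOF, so truncation of the stream is no longer surfaced to callers. Both are process-wide weakenings made for a compatibility goal the comment does not describe; it would be safer to keep the default level and make weak parameters a per-context opt-in, or at least say in the comment which peers fail without them and that truncation detection is traded away, e.g. `// Level 0 disables OpenSSL's minimum-strength checks; IGNORE_UNEXPECTED_EOF disables truncation detection.` The linked man page is the 1.1.1 version although the rest of this change targets OpenSSL 3.0 behaviour, so the 3.0 page for the same function would be the better reference.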
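Review bot: The `@Ignore("It's not supported in Openssl 3.0")` reason on `getEncodedWhenCrtValuesMissing` is too vague for a future maintainer to know what changed or when the test can return; the test exercises encoding of an RSA private key that lacks CRT values, so the reason should name that behaviour and a tracking reference, e.g. `@Ignore("OpenSSL 3.0 changes handling of RSA keys without CRT values; see <TRACKING_ISSUE>")` (placeholder, and the exact 3.0 behaviour should be confirmed before being written down). Disabling rather than adapting the test also drops coverage of the key-encoding path; if the provider now throws for such keys, an assertion on that exception would keep the new behaviour pinned. The same wording issue applies to the `testRC4_MultipleKeySizes` ignore in the CipherTest hunk below.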
@@ -4511,6 +4511,7 @@ private void testAES_ECB_NoPadding_IvParameters_Failure(String provider) throws } } + @Ignore("It's not supported in Openssl 3.0") @Test public void testRC4_MultipleKeySizes() throws Exception { final int SMALLEST_KEY_SIZE = 40; diff --git a/openjdk/src/test/java/org/conscrypt/NativeSslSessionTest.java b/openjdk/src/test/java/org/conscrypt/NativeSslSessionTest.java index 9fdca6212..7d9292d71 100644 --- a/openjdk/src/test/java/org/conscrypt/NativeSslSessionTest.java +++ b/openjdk/src/test/java/org/conscrypt/NativeSslSessionTest.java @@ -442,10 +442,11 @@ private static void check_reserializableFromByteArray_roundTrip( assertEquals(12345, session.getPeerPort()); assertTrue(sessionBytes.length >= data.length); - byte[] expectedReserializedData = concat(data, expectedTrailingBytesAfterReserialization); + // ignore the check in openssl 3.0 + // byte[] expectedReserializedData = concat(data, expectedTrailingBytesAfterReserialization); // AbstractSessionContext.toBytes() always writes type 3 == OPEN_SSL_WITH_TLS_SCT - expectedReserializedData[3] = 3; - assertByteArrayEquals(expectedReserializedData, sessionBytes); + // expectedReserializedData[3] = 3; + // assertByteArrayEquals(expectedReserializedData, sessionBytes); } @Test diff --git a/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurve.java b/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurve.java index ac98ba007..ec9c25078 100644 --- a/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurve.java +++ b/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurve.java 
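Review bot: Commenting out the three lines in `check_reserializableFromByteArray_roundTrip` leaves the round-trip check asserting only session metadata and a length lower bound, so a regression in the reserialized bytes now passes silently, and `// ignore the check in openssl 3.0` above dead code gives no way to tell when the assertion should come back. Prefer to keep the assertion and gate it on a capability check, or mark the callers with `@Ignore` carrying a tracking reference, rather than leaving commented-out code; note that `expectedTrailingBytesAfterReserialization` is now an unused parameter of this method. The method starts outside the hunk.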
@@ -65,6 +65,12 @@ public static EllipticCurve fromIdentifier(int identifier) { return curve; } } + // Curve Identifier may be + // ffdhe2048(0x0100) ffdhe3072(0x0101) ffdhe4096(0x0102) ffdhe6144(0x0103) ffdhe8192(0x0x0104) + // They are not supported in Dragonwell Security Provider, So ingnore them. + if (identifier >= 256) { + return null; + } throw new AssertionError("Unknown curve identifier " + identifier); } @Override diff --git a/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurvesHelloExtension.java b/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurvesHelloExtension.java index 72a730e3b..2faa9bcc4 100644 --- a/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurvesHelloExtension.java +++ b/testing/src/main/java/org/conscrypt/tlswire/handshake/EllipticCurvesHelloExtension.java @@ -39,7 +39,10 @@ protected void parseData() throws IOException { supported = new ArrayList(ellipticCurvesListIn.available() / 2); while (ellipticCurvesListIn.available() >= 2) { int curve_id = in.readUnsignedShort(); - supported.add(EllipticCurve.fromIdentifier(curve_id)); + EllipticCurve ec = EllipticCurve.fromIdentifier(curve_id); + if(ec != null) { + supported.add(ec); + } } } @Override
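Review bot: `if (identifier >= 256) { return null; }` is broader than the comment describes: it swallows every identifier from 0x0100 upward, not only the five FFDHE groups 0x0100 to 0x0104, so genuinely unknown or malformed group ids that used to trip the `AssertionError` are now dropped without notice. If the intent is only to tolerate FFDHE groups, bound the check, `if (identifier >= 0x0100 && identifier <= 0x0104) { return null; }`, and fix the comment typos (`0x0x0104` should be `0x0104`, `ingnore` should be `ignore`). A javadoc line on `fromIdentifier` should also state that it now returns null for unsupported groups, because callers could previously rely on a non-null result.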
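Review bot: `if(ec != null) {` is missing the space after `if` that the surrounding code uses (`while (ellipticCurvesListIn.available() >= 2)` two lines above), so it reads as a style slip; write `if (ec != null) {`. Skipping null entries also means `supported` no longer reflects the number of groups on the wire, which is fine for a test helper but worth a one-line comment such as `// groups not modelled by EllipticCurve (e.g. FFDHE) are dropped` so a reader does not assume the list is complete.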