1package eu.siacs.conversations.utils;
2
3import android.os.Build;
4import android.support.annotation.RequiresApi;
5import android.util.Log;
6
7import org.conscrypt.Conscrypt;
8
9import java.lang.reflect.Method;
10import java.security.NoSuchAlgorithmException;
11import java.util.Arrays;
12import java.util.Collection;
13import java.util.Collections;
14import java.util.LinkedList;
15
16import javax.net.ssl.SNIHostName;
17import javax.net.ssl.SSLContext;
18import javax.net.ssl.SSLParameters;
19import javax.net.ssl.SSLSession;
20import javax.net.ssl.SSLSocket;
21
22import eu.siacs.conversations.Config;
23import eu.siacs.conversations.entities.Account;
24
25public class SSLSocketHelper {
26
27 public static void setSecurity(final SSLSocket sslSocket) {
28 final String[] supportProtocols;
29 final Collection<String> supportedProtocols = new LinkedList<>(
30 Arrays.asList(sslSocket.getSupportedProtocols()));
31 supportedProtocols.remove("SSLv3");
32 supportProtocols = supportedProtocols.toArray(new String[supportedProtocols.size()]);
33
34 sslSocket.setEnabledProtocols(supportProtocols);
35
36 final String[] cipherSuites = CryptoHelper.getOrderedCipherSuites(
37 sslSocket.getSupportedCipherSuites());
38 if (cipherSuites.length > 0) {
39 sslSocket.setEnabledCipherSuites(cipherSuites);
40 }
41 }
42
43 public static void setHostname(final SSLSocket socket, final String hostname) {
44 if (Conscrypt.isConscrypt(socket)) {
45 Conscrypt.setHostname(socket, hostname);
46 } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
47 setHostnameNougat(socket, hostname);
48 } else {
49 setHostnameReflection(socket, hostname);
50 }
51 }
52
53 private static void setHostnameReflection(final SSLSocket socket, final String hostname) {
54 try {
55 socket.getClass().getMethod("setHostname", String.class).invoke(socket, hostname);
56 } catch (Throwable e) {
57 Log.e(Config.LOGTAG, "unable to set SNI name on socket (" + hostname + ")", e);
58 }
59 }
60
61 @RequiresApi(api = Build.VERSION_CODES.N)
62 private static void setHostnameNougat(final SSLSocket socket, final String hostname) {
63 final SSLParameters parameters = new SSLParameters();
64 parameters.setServerNames(Collections.singletonList(new SNIHostName(hostname)));
65 socket.setSSLParameters(parameters);
66 }
67
68 private static void setApplicationProtocolReflection(final SSLSocket socket, final String protocol) {
69 try {
70 final Method method = socket.getClass().getMethod("setAlpnProtocols", byte[].class);
71 // the concatenation of 8-bit, length prefixed protocol names, just one in our case...
72 // http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-4
73 final byte[] protocolUTF8Bytes = protocol.getBytes("UTF-8");
74 final byte[] lengthPrefixedProtocols = new byte[protocolUTF8Bytes.length + 1];
75 lengthPrefixedProtocols[0] = (byte) protocol.length(); // cannot be over 255 anyhow
76 System.arraycopy(protocolUTF8Bytes, 0, lengthPrefixedProtocols, 1, protocolUTF8Bytes.length);
77 method.invoke(socket, new Object[]{lengthPrefixedProtocols});
78 } catch (Throwable e) {
79 Log.e(Config.LOGTAG,"unable to set ALPN on socket",e);
80 }
81 }
82
83 public static void setApplicationProtocol(final SSLSocket socket, final String protocol) {
84 if (Conscrypt.isConscrypt(socket)) {
85 Conscrypt.setApplicationProtocols(socket, new String[]{protocol});
86 } else {
87 setApplicationProtocolReflection(socket, protocol);
88 }
89 }
90
91 public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
92 try {
93 return SSLContext.getInstance("TLSv1.3");
94 } catch (NoSuchAlgorithmException e) {
95 return SSLContext.getInstance("TLSv1.2");
96 }
97 }
98
99 public static void log(Account account, SSLSocket socket) {
100 SSLSession session = socket.getSession();
101 Log.d(Config.LOGTAG, account.getJid().asBareJid() + ": protocol=" + session.getProtocol() + " cipher=" + session.getCipherSuite());
102 }
103}