Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a StrictMode noteSlowCall for SSL init #8339

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Add a StrictMode noteSlowCall for SSL init #8339

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6595d59
StrictMode warning
yschimke Apr 6, 2024
e114794
Fix test
yschimke Apr 6, 2024
467aa82
Add strict mode checks on slow calls
yschimke Apr 6, 2024
2446e01
Add strict mode checks on slow calls
yschimke Apr 6, 2024
f4805b0
dont fail
yschimke Apr 6, 2024
3389def
Update StrictModeTest.kt
yschimke Apr 6, 2024
6f39d9a
Cleanup
yschimke Apr 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
69 changes: 69 additions & 0 deletions android-test/src/androidTest/java/okhttp/android/test/StrictModeTest.kt
View file
Open in desktop
@@ -0,0 +1,69 @@
package okhttp.android.test

import android.os.StrictMode
import android.os.StrictMode.ThreadPolicy
import android.os.strictmode.Violation
import assertk.assertThat
import assertk.assertions.hasSize
import assertk.assertions.isEmpty
import assertk.assertions.isEqualTo
import okhttp3.HttpUrl.Companion.toHttpUrl
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.internal.platform.Platform
import org.junit.jupiter.api.AfterEach
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.parallel.Isolated

@Isolated
class StrictModeTest {
private val violations = mutableListOf<Violation>()

@AfterEach
fun cleanup() {
StrictMode.setThreadPolicy(
ThreadPolicy.Builder()
.permitAll()
.build(),
)
}

@Test
fun testInit() {
Platform.resetForTests()

applyStrictMode()

// Not currently safe
// See https://github.com/square/okhttp/pull/8248
OkHttpClient()

assertThat(violations).hasSize(1)
assertThat(violations[0].message).isEqualTo("newSSLContext")
}

@Test
fun testNewCall() {
Platform.resetForTests()

val client = OkHttpClient()

applyStrictMode()

// Safe on main
client.newCall(Request("https://google.com/robots.txt".toHttpUrl()))

assertThat(violations).isEmpty()
}

private fun applyStrictMode() {
StrictMode.setThreadPolicy(
ThreadPolicy.Builder()
.detectCustomSlowCalls()
.penaltyListener({ it.run() }) {
violations.add(it)
}
.build(),
)
}
}
15 changes: 15 additions & 0 deletions okhttp/src/main/kotlin/okhttp3/internal/platform/Android10Platform.kt
View file
Open in desktop
Expand Up @@ -17,8 +17,10 @@ package okhttp3.internal.platform

import android.annotation.SuppressLint
import android.os.Build
import android.os.StrictMode
import android.security.NetworkSecurityPolicy
import android.util.CloseGuard
import javax.net.ssl.SSLContext
import javax.net.ssl.SSLSocket
import javax.net.ssl.SSLSocketFactory
import javax.net.ssl.X509TrustManager
Expand All @@ -31,6 +33,7 @@ import okhttp3.internal.platform.android.BouncyCastleSocketAdapter
import okhttp3.internal.platform.android.ConscryptSocketAdapter
import okhttp3.internal.platform.android.DeferredSocketAdapter
import okhttp3.internal.tls.CertificateChainCleaner
import okhttp3.internal.tls.TrustRootIndex

/** Android 10+ (API 29+). */
@SuppressSignatureCheck
Expand All @@ -48,6 +51,18 @@ class Android10Platform : Platform() {
socketAdapters.find { it.matchesSocketFactory(sslSocketFactory) }
?.trustManager(sslSocketFactory)

override fun newSSLContext(): SSLContext {
StrictMode.noteSlowCall("newSSLContext")

return super.newSSLContext()
}

override fun buildTrustRootIndex(trustManager: X509TrustManager): TrustRootIndex {
StrictMode.noteSlowCall("buildTrustRootIndex")

return super.buildTrustRootIndex(trustManager)
}

override fun configureTlsExtensions(
sslSocket: SSLSocket,
hostname: String?,
Expand Down
10 changes: 10 additions & 0 deletions okhttp/src/main/kotlin/okhttp3/internal/platform/AndroidPlatform.kt
View file
Open in desktop
Expand Up @@ -16,6 +16,7 @@
package okhttp3.internal.platform

import android.os.Build
import android.os.StrictMode
import android.security.NetworkSecurityPolicy
import java.io.IOException
import java.lang.reflect.InvocationTargetException
Expand All @@ -24,6 +25,7 @@ import java.net.InetSocketAddress
import java.net.Socket
import java.security.cert.TrustAnchor
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.SSLSocket
import javax.net.ssl.SSLSocketFactory
import javax.net.ssl.X509TrustManager
Expand Down Expand Up @@ -70,6 +72,12 @@ class AndroidPlatform : Platform() {
}
}

override fun newSSLContext(): SSLContext {
StrictMode.noteSlowCall("newSSLContext")

return super.newSSLContext()
}

override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager? =
socketAdapters.find { it.matchesSocketFactory(sslSocketFactory) }
?.trustManager(sslSocketFactory)
Expand Down Expand Up @@ -100,6 +108,8 @@ class AndroidPlatform : Platform() {

override fun buildTrustRootIndex(trustManager: X509TrustManager): TrustRootIndex =
try {
StrictMode.noteSlowCall("buildTrustRootIndex")

// From org.conscrypt.TrustManagerImpl, we want the method with this signature:
// private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate lastCert);
val method =
Expand Down