From 2ee0c527c6614fffb2fdff39d4ce6cc0bc1a02fd Mon Sep 17 00:00:00 2001
From: yamilmedina
Date: Thu, 16 Nov 2023 16:39:43 +0100
Subject: [PATCH] chore: configure and allow cipher suites

---
 .../com/wire/kalium/network/HttpEngine.kt | 12 +++-
 .../kalium/HttpClientConnectionSpecsTest.kt | 61 ++++++++++++++++++-
 2 files changed, 68 insertions(+), 5 deletions(-)

diff --git a/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt b/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt
index be2ce3bd512..39d18306f18 100644
--- a/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt
+++ b/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt
@@ -27,6 +27,9 @@ import com.wire.kalium.network.tools.isProxyRequired
 import io.ktor.client.engine.HttpClientEngine
 import io.ktor.client.engine.okhttp.OkHttp
 import okhttp3.CertificatePinner
+import okhttp3.CipherSuite.Companion.TLS_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_AES_256_GCM_SHA384
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 import okhttp3.ConnectionSpec
 import okhttp3.OkHttpClient
 import okhttp3.TlsVersion
@@ -51,7 +54,7 @@ internal object OkHttpSingleton {
 .connectTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
 .readTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
 .writeTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
- }.build()
+ }.connectionSpecs(supportedConnectionSpecs()).build()
 fun createNew(block: OkHttpClient.Builder.() -> Unit): OkHttpClient {
 return sharedClient.newBuilder().apply(block).build()
@@ -98,8 +101,6 @@ actual fun defaultHttpEngine(
 proxy(proxy)
 }
- connectionSpecs(supportedConnectionSpecs())
-
 }.also {
 preconfigured = it
 webSocketFactory = KaliumWebSocketFactory(it)
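Review bot: Moving `connectionSpecs(supportedConnectionSpecs())` onto `sharedClient` in the second hunk makes every client built through `createNew` inherit the TLS policy, which is the right place for it, but `createNew` hands the caller `sharedClient.newBuilder()`, so any `block` that itself calls `connectionSpecs(...)` silently replaces that policy for the client it builds. The invariant is worth stating next to `sharedClient`, e.g. `// TLS policy (allowed versions and cipher suites) is fixed here; createNew callers must not override connectionSpecs()`. The third hunk drops the same call from `defaultHttpEngine`'s builder without a replacement, which is only safe if that builder is derived from `sharedClient`; the lines showing where it comes from are outside the hunk, so that dependency should be confirmed rather than assumed.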
@@ -125,6 +126,11 @@ private fun OkHttpClient.Builder.ignoreAllSSLErrors() {
 private fun supportedConnectionSpecs(): List {
 val wireSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
 .tlsVersions(TlsVersion.TLS_1_2)
+ .cipherSuites(
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_AES_128_GCM_SHA256,
+ TLS_AES_256_GCM_SHA384
+ )
 .build()
 return listOf(wireSpec, ConnectionSpec.CLEARTEXT)
diff --git a/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt b/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt
index cc3c2eb6565..0f926a7e985 100644
--- a/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt
+++ b/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt
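Review bot: The two TLS 1.3 suites added here, `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384`, cannot be negotiated while the context line above keeps `.tlsVersions(TlsVersion.TLS_1_2)`, which as I read OkHttp's builder replaces MODERN_TLS's version list with TLS 1.2 alone; that leaves `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` as the only usable suite, so a server presenting an RSA certificate would share no suite and the handshake would fail outright rather than pick something weaker. If TLS 1.3 is intended (the test's `validTlsVersions` lists it), the change is `.tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)`; if TLS 1.2-only is deliberate, `supportedConnectionSpecs` should get a KDoc stating which versions and suites are allowed and that backend certificates must be ECDSA, because a handshake failure from a suite mismatch is hard to diagnose in the field. Note that `ConnectionSpec.CLEARTEXT` stays in the returned list, so this restriction governs only TLS connections. The function's closing brace is outside the hunk.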
@@ -18,24 +18,81 @@ package com.wire.kalium
 import com.wire.kalium.network.OkHttpSingleton
+import okhttp3.CipherSuite
+import okhttp3.CipherSuite.Companion.TLS_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_3DES_EDE_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_128_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_128_CBC_SHA256
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_256_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_256_GCM_SHA384
 import okhttp3.ConnectionSpec
 import okhttp3.TlsVersion
 import kotlin.test.Test
 import kotlin.test.assertEquals
+import kotlin.test.assertFalse
 import kotlin.test.assertTrue
 class HttpClientConnectionSpecsTest {
 @Test
+ // This test conforms to the following testing standards:
+ // @SF.Channel @TSFI.RESTfulAPI @S0.2 @S0.3 @S3
 fun givenTheHttpClientIsCreated_ThenEnsureOnlySupportedSpecsArePresent() {
 val connectionSpecs = OkHttpSingleton.createNew {}.connectionSpecs
 with(connectionSpecs[0]) {
 tlsVersions?.let {
- assertTrue(it.contains(TlsVersion.TLS_1_2) && it.contains(TlsVersion.TLS_1_3))
- assertTrue(!it.contains(TlsVersion.TLS_1_1) && !it.contains(TlsVersion.TLS_1_0) && !it.contains(TlsVersion.SSL_3_0))
+ assertTrue { validTlsVersions.containsAll(it) }
+ assertFalse { notValidTlsVersions.containsAll(it) }
+ }
+
+ cipherSuites?.let {
+ assertTrue { validCipherSuites.containsAll(it) }
+ assertFalse { notValidCipherSuites.containsAll(it) }
 }
 }
 assertEquals(connectionSpecs[1], ConnectionSpec.CLEARTEXT)
 }
+
+ private companion object {
+ val validTlsVersions = listOf(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
+ val notValidTlsVersions = listOf(TlsVersion.TLS_1_1, TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
+
+ val notValidCipherSuites = listOf(
+ TLS_CHACHA20_POLY1305_SHA256,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ )
+
+ val validCipherSuites = listOf(
+ CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ CipherSuite.TLS_AES_128_GCM_SHA256,
+ CipherSuite.TLS_AES_256_GCM_SHA384
+ )
+ }
 }
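Review bot: `assertFalse { notValidCipherSuites.containsAll(it) }` (and the same pattern for `notValidTlsVersions`) does not prove that no forbidden suite is configured: `containsAll` is already false as soon as one allowed element is present, so a spec that listed `TLS_RSA_WITH_3DES_EDE_CBC_SHA` next to `TLS_AES_256_GCM_SHA384` would still pass. The check should be that no configured element is on the blocklist, `assertTrue { it.none { s -> s in notValidCipherSuites } }` and `assertTrue { it.none { v -> v in notValidTlsVersions } }`. Both groups of assertions also sit inside `?.let`, so a null `tlsVersions` or `cipherSuites` (which, as I read OkHttp, means "anything the socket supports") skips them silently; an `assertNotNull(cipherSuites)` and `assertNotNull(tlsVersions)` before each `let` would make that case fail loudly. Finally, `validCipherSuites` duplicates the list in `supportedConnectionSpecs()` in HttpEngine.kt; exposing that list as an `internal val` and asserting against it would keep the test and the production policy from drifting apart.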