authorH. Lehmann <ByteHamster@users.noreply.github.com>2020-10-04 15:21:18 +0200
committerGitHub <noreply@github.com>2020-10-04 15:21:18 +0200
commite1ff4c8763c604c014a62c4c4905737cb92ebebb (patch)
treee689fad58a58f0aad36d879d9500238d2c9e44ed /core/src/main/java
parentaf1a6a7ef92ed0ab6061c803f94bd22ad17a6243 (diff)
parent06d212b911af1ce54e03c63bad69b99e938cb430 (diff)
downloadAntennaPod-e1ff4c8763c604c014a62c4c4905737cb92ebebb.zip
Merge pull request #4077 from Slinger/conscrypt_bundle2.0.1
Bundle a modern Security Provider (Conscrypt) in the Free builds.
Diffstat (limited to 'core/src/main/java')
-rw-r--r--core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java40
1 files changed, 37 insertions, 3 deletions
diff --git a/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java b/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java
index e0c23bdac..807af0a3f 100644
--- a/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java
+++ b/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java
@@ -34,6 +34,7 @@ import javax.net.ssl.X509TrustManager;
import de.danoeh.antennapod.core.preferences.UserPreferences;
import de.danoeh.antennapod.core.service.UserAgentInterceptor;
import de.danoeh.antennapod.core.storage.DBWriter;
+import de.danoeh.antennapod.core.util.Flavors;
import okhttp3.Cache;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
@@ -149,7 +150,16 @@ public class AntennapodHttpClient {
});
}
}
- if (Build.VERSION.SDK_INT < 21) {
+
+ if (Flavors.FLAVOR == Flavors.FREE) {
+ // The Free flavor bundles a modern conscrypt (security provider), so CustomSslSocketFactory
+ // is only used to make sure that modern protocols (TLSv1.3 and TLSv1.2) are enabled and
+ // that old, deprecated, protocols (like SSLv3, TLSv1.0 and TLSv1.1) are disabled.
+ builder.sslSocketFactory(new CustomSslSocketFactory(), trustManager());
+ } else if (Build.VERSION.SDK_INT < 21) {
+ // The Play flavor can not be assumed to have a modern security provider, so for Android
+ // older than 5.0 CustomSslSocketFactory is used to enable all possible protocols (modern
+ // and deprecated). And we explicitly enable deprecated cipher suites disabled by default.
builder.sslSocketFactory(new CustomSslSocketFactory(), trustManager());
// workaround for Android 4.x for certain web sites.
@@ -178,6 +188,9 @@ public class AntennapodHttpClient {
}
}
+ /**
+ * Reimplements default trust manager (required for calling sslSocketFactory).
+ */
private static X509TrustManager trustManager() {
try {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
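Review bot: The new Javadoc says "Reimplements default trust manager", but the first line of the body asks TrustManagerFactory for the platform's default, so nothing is reimplemented; the wording may make a reader suspect custom trust logic that is not there. A more accurate summary would be `/** Returns the platform's default X509TrustManager; OkHttp's sslSocketFactory(SSLSocketFactory, X509TrustManager) needs it passed explicitly alongside the factory. */`. The method body continues past the hunk, so what happens when no X509TrustManager is found is not visible here.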
@@ -199,13 +212,26 @@ public class AntennapodHttpClient {
AntennapodHttpClient.cacheDirectory = cacheDirectory;
}
+ /**
+ * Used to disable deprecated protocols and explicitly enable TLSv1.3 and TLSv1.2, or to enable
+ * all protocols (including deprecated) up to TLSv1.2, depending on build flavor (Free or Play).
+ */
private static class CustomSslSocketFactory extends SSLSocketFactory {
private SSLSocketFactory factory;
public CustomSslSocketFactory() {
try {
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ SSLContext sslContext;
+
+ if (Flavors.FLAVOR == Flavors.FREE) {
+ // Free flavor (bundles modern conscrypt): support for TLSv1.3 is guaranteed.
+ sslContext = SSLContext.getInstance("TLSv1.3");
+ } else {
+ // Play flavor (security provider can vary): only TLSv1.2 is guaranteed.
+ sslContext = SSLContext.getInstance("TLSv1.2");
+ }
+
sslContext.init(null, null, null);
factory= sslContext.getSocketFactory();
} catch(GeneralSecurityException e) {
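Review bot: The two new branches differ only in the string handed to SSLContext.getInstance, so the flavor check could pick the name into a local and keep a single getInstance/init sequence, e.g. `String protocol = Flavors.FLAVOR == Flavors.FREE ? "TLSv1.3" : "TLSv1.2"; SSLContext sslContext = SSLContext.getInstance(protocol);`, with one merged comment above it. The class Javadoc would also benefit from a sentence saying that the name given to getInstance only selects the context and its defaults, and that the versions actually offered on each socket are fixed in configureSocket, which is where a reader should look. The NoSuchAlgorithmException that getInstance("TLSv1.3") raises when no provider offers it is caught as GeneralSecurityException at the end of the hunk; the catch body is outside the hunk, so whether a TLSv1.2 fallback exists for a failed Conscrypt registration cannot be confirmed from here. The constructor body continues past the hunk.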
@@ -260,7 +286,15 @@ public class AntennapodHttpClient {
}
private void configureSocket(SSLSocket s) {
- s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" } );
+ if (Flavors.FLAVOR == Flavors.FREE) {
+ // Free flavor (bundles modern conscrypt): TLSv1.3 and modern cipher suites are
+ // guaranteed. Protocols older than TLSv1.2 are now deprecated and can be disabled.
+ s.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
+ } else {
+ // Play flavor (security provider can vary): only TLSv1.2 is guaranteed, supported
+ // cipher suites may vary. Old protocols might be necessary to keep things working.
+ s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" });
+ }
}
}
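Review bot: The Free branch hard-codes "TLSv1.3" in setEnabledProtocols without checking `s.getSupportedProtocols()`; if the socket came from a provider that lacks TLSv1.3 (the bundled Conscrypt is registered elsewhere, so a failed registration is a possibility I cannot confirm from this hunk), setEnabledProtocols throws IllegalArgumentException on every connection rather than at construction, where the GeneralSecurityException catch would at least see it. Intersecting the preferred list with the supported protocols keeps the same order and the same result on a healthy provider, degrades to TLSv1.2 only when 1.3 is missing, and yields an empty enabled set (handshake failure, not a silent fallback to the provider defaults) when none of the preferred versions exist. The Play branch benefits in the same way, since TLSv1.2 availability on the pre-5.0 devices it serves also depends on the provider. This needs java.util.Arrays, ArrayList and List in scope; the import block is only partly visible, so add them if absent.
```java
private void configureSocket(SSLSocket s) {
    String[] preferred;
    if (Flavors.FLAVOR == Flavors.FREE) {
        // Free flavor (bundles modern conscrypt): only TLSv1.3/TLSv1.2, older versions are deprecated.
        preferred = new String[] { "TLSv1.3", "TLSv1.2" };
    } else {
        // Play flavor (security provider can vary): old protocols may be needed for some hosts.
        preferred = new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" };
    }
    List<String> supported = Arrays.asList(s.getSupportedProtocols());
    List<String> enabled = new ArrayList<>();
    for (String protocol : preferred) {
        if (supported.contains(protocol)) {
            enabled.add(protocol);
        }
    }
    // Never widen beyond the preferred list: an empty result fails the handshake instead of
    // silently falling back to whatever the provider enables by default.
    s.setEnabledProtocols(enabled.toArray(new String[0]));
}
```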