diff --git a/common/src/main/java/org/conscrypt/AbstractConscryptSocket.java b/common/src/main/java/org/conscrypt/AbstractConscryptSocket.java
index b917fb405..8d21bea3f 100644
--- a/common/src/main/java/org/conscrypt/AbstractConscryptSocket.java
+++ b/common/src/main/java/org/conscrypt/AbstractConscryptSocket.java
@@ -513,6 +513,8 @@ public String toString() {
 return builder.toString();
 }
+ public abstract void setNamedGroups(String[] namedGroups);
+
 abstract String getCurveNameForTesting();
 /**
diff --git a/common/src/main/java/org/conscrypt/Conscrypt.java b/common/src/main/java/org/conscrypt/Conscrypt.java
index b868d6959..b7f140792 100644
--- a/common/src/main/java/org/conscrypt/Conscrypt.java
+++ b/common/src/main/java/org/conscrypt/Conscrypt.java
@@ -361,6 +361,16 @@ private static AbstractConscryptSocket toConscrypt(SSLSocket socket) {
 return (AbstractConscryptSocket) socket;
 }
+ /**
+ * Sets the prioritized array of key exchange named groups names that can be used over the
+ * TLS socket.
+ *
+ *
See {@link SSLParameters#setNamedGroups(String[])} for more details.
+ */
+ public static void setNamedGroups(SSLSocket socket, String[] namedGroups) {
+ toConscrypt(socket).setNamedGroups(namedGroups);
+ }
+
/**
* This method enables Server Name Indication (SNI) and overrides the hostname supplied
* during socket creation. If the hostname is not a valid SNI hostname, the SNI extension
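Review bot: The Javadoc on `Conscrypt.setNamedGroups` does not say when the call takes effect or what happens with a `null`, empty or unrecognised entry, even though this list decides which key-exchange groups the socket will negotiate. If the parameters are only read when the handshake starts (not visible in this hunk), a call made after that point would leave the connection on the default groups while the caller believes it is restricted. I would add a sentence such as `Must be called before the handshake begins; later calls do not affect the current connection.` and state whether `null` restores the defaults. The same gap applies to the undocumented `setNamedGroups` declarations added in `AbstractConscryptSocket`, `ConscryptEngineSocket` and `ConscryptFileDescriptorSocket`. The `{@link SSLParameters#setNamedGroups(String[])}` target exists only on newer JDKs, so the link may not resolve on every platform this class is built for.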
diff --git a/common/src/main/java/org/conscrypt/ConscryptEngine.java b/common/src/main/java/org/conscrypt/ConscryptEngine.java
index 696b5accd..16e7b5137 100644
--- a/common/src/main/java/org/conscrypt/ConscryptEngine.java
+++ b/common/src/main/java/org/conscrypt/ConscryptEngine.java
@@ -212,6 +212,10 @@ private static NativeSsl newSsl(SSLParametersImpl sslParameters, ConscryptEngine
}
}
+ public void setNamedGroups(String[] namedGroups) {
+ sslParameters.setNamedGroups(namedGroups);
+ }
+
String getCurveNameForTesting() {
return ssl.getCurveNameForTesting();
}
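Review bot: The new public `ConscryptEngine.setNamedGroups` hands the caller's array straight to `sslParameters` with no Javadoc and no visible copy or validation. Whether `SSLParametersImpl.setNamedGroups` clones the array and rejects unsupported names is outside this hunk; if it does not, a caller that later mutates the array would silently change the configured groups, and a misspelt name would surface only as a handshake failure. I would document the method with `/** Sets the key exchange named groups in preference order; must be called before the handshake starts. */` and, unless the callee already copies, pass `namedGroups == null ? null : namedGroups.clone()`.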
diff --git a/common/src/main/java/org/conscrypt/ConscryptEngineSocket.java b/common/src/main/java/org/conscrypt/ConscryptEngineSocket.java
index 93de52def..f6dcc713a 100644
--- a/common/src/main/java/org/conscrypt/ConscryptEngineSocket.java
+++ b/common/src/main/java/org/conscrypt/ConscryptEngineSocket.java
@@ -441,6 +441,11 @@ public final void setEnabledProtocols(String[] protocols) {
engine.setEnabledProtocols(protocols);
}
+ @Override
+ public final void setNamedGroups(String[] namedGroups) {
+ engine.setNamedGroups(namedGroups);
+ }
+
@Override
public final String getCurveNameForTesting() {
return engine.getCurveNameForTesting();
diff --git a/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java b/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java
index 65b296d38..a2be687a2 100644
--- a/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java
+++ b/common/src/main/java/org/conscrypt/ConscryptFileDescriptorSocket.java
@@ -762,6 +762,11 @@ public final void setEnabledProtocols(String[] protocols) {
sslParameters.setEnabledProtocols(protocols);
}
+ @Override
+ public final void setNamedGroups(String[] namedGroups) {
+ sslParameters.setNamedGroups(namedGroups);
+ }
+
@Override
public final String getCurveNameForTesting() {
return ssl.getCurveNameForTesting();
diff --git a/common/src/main/java/org/conscrypt/OpenSSLSocketImpl.java b/common/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
index 3e28cec21..c24bdb8cb 100644
--- a/common/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
+++ b/common/src/main/java/org/conscrypt/OpenSSLSocketImpl.java
@@ -146,5 +146,7 @@ public final void setAlpnProtocols(byte[] protocols) {
SSLUtils.decodeProtocols(protocols == null ? EmptyArray.BYTE : protocols));
}
+ @Override public abstract void setNamedGroups(String[] namedGroups);
+
@Override public abstract String getCurveNameForTesting();
}
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
index acf021424..3787545d6 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
@@ -82,6 +82,7 @@
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509ExtendedTrustManager;
+import org.conscrypt.Conscrypt;
import tests.net.DelegatingSSLSocketFactory;
import tests.util.ForEachRunner;
@@ -1214,6 +1215,34 @@ public void handshake_withX25519MLKEM768_works() throws Exception {
context.close();
}
+ @Test
+ public void socket_setNamedGroups_works() throws Exception {
+ TestSSLContext context = TestSSLContext.create();
+ final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
+ context.host, context.port);
+ Conscrypt.setNamedGroups(client, new String[] {"P-384"});
+
+ // For the server, we don't set the named groups. P-384 should be
+ // enabled by default.
+ final SSLSocket server = (SSLSocket) context.serverSocket.accept();
+ Future