am 779c726a: Merge "Fixes associated with the tzdata 2015a update" into kitkat-cts-dev
* commit '779c726a7a24ae169cefacf2aa91cc54139a96ec':
Fixes associated with the tzdata 2015a update
diff --git a/crypto/src/main/java/org/conscrypt/OpenSSLX509Certificate.java b/crypto/src/main/java/org/conscrypt/OpenSSLX509Certificate.java
index b1cd986..faec561 100644
--- a/crypto/src/main/java/org/conscrypt/OpenSSLX509Certificate.java
+++ b/crypto/src/main/java/org/conscrypt/OpenSSLX509Certificate.java
@@ -50,7 +50,7 @@
import org.conscrypt.OpenSSLX509CertificateFactory.ParsingException;
public class OpenSSLX509Certificate extends X509Certificate {
- private final long mContext;
+ private transient final long mContext;
OpenSSLX509Certificate(long ctx) {
mContext = ctx;
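Review bot: Marking `mContext` transient keeps a pointer value out of the serialized form, but an instance read back from a stream now carries `mContext == 0`, and nothing in this hunk shows how the rest of the class treats a zero handle. The methods that pass `mContext` to native code, and any finalizer that frees it, lie outside the hunk and should either tolerate 0 or reject it. If no caller needs deserialized instances, a `readObject` that throws `InvalidObjectException` would make the class refuse such streams outright. At minimum the field deserves a comment, for example `// Native handle; transient so a serialized stream can never supply its value.` The constructor body continues outside the hunk.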
diff --git a/crypto/src/test/java/org/conscrypt/OpenSSLX509CertificateTest.java b/crypto/src/test/java/org/conscrypt/OpenSSLX509CertificateTest.java
new file mode 100644
index 0000000..7c46e50
--- /dev/null
+++ b/crypto/src/test/java/org/conscrypt/OpenSSLX509CertificateTest.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamClass;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+
+import junit.framework.TestCase;
+
+public class OpenSSLX509CertificateTest extends TestCase {
+ public void testSerialization_NoContextDeserialization() throws Exception {
+ // Set correct serialVersionUID
+ {
+ ObjectStreamClass clDesc = ObjectStreamClass.lookup(OpenSSLX509Certificate.class);
+ assertNotNull(clDesc);
+
+ // Set our fake class's serialization UID.
+ Field targetUID = ZpenSSLX509Certificate.class.getDeclaredField("serialVersionUID");
+ targetUID.setAccessible(true);
+ targetUID.set(null, clDesc.getSerialVersionUID());
+ }
+
+ final byte[] impostorBytes;
+ // Serialization
+ {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(new ZpenSSLX509Certificate(0xA5A5A5A5A5A5A5A5L));
+ oos.close();
+ impostorBytes = baos.toByteArray();
+ }
+
+ // Fix class name
+ {
+ boolean fixed = false;
+ for (int i = 0; i < impostorBytes.length - 4; i++) {
+ if (impostorBytes[i] == 'Z' && impostorBytes[i + 1] == 'p'
+ && impostorBytes[i + 2] == 'e' && impostorBytes[i + 3] == 'n') {
+ impostorBytes[i] = 'O';
+ fixed = true;
+ break;
+ }
+ }
+ assertTrue(fixed);
+ }
+
+ // Deserialization
+ {
+ ByteArrayInputStream bais = new ByteArrayInputStream(impostorBytes);
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ OpenSSLX509Certificate cert = (OpenSSLX509Certificate) ois.readObject();
+ ois.close();
+ Method m_getContext = OpenSSLX509Certificate.class.getDeclaredMethod("getContext");
+ m_getContext.setAccessible(true);
+ Long context = (Long) m_getContext.invoke(cert);
+ assertEquals(0L, (long) context);
+ }
+ }
+}
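Review bot: The first block writes to `ZpenSSLX509Certificate.serialVersionUID` through reflection, but that field is declared `private static final long serialVersionUID = 0L`, a compile-time constant. Whether `Field.set` succeeds on such a field depends on the runtime; some throw `IllegalAccessException` even after `setAccessible(true)`. The write also has to happen before the fake class is first serialized, since the stream class descriptor is presumably cached after that. I would state both dependencies in the comment, e.g. `// Relies on reflective writes to a static final field being permitted; must run before ZpenSSLX509Certificate is first serialized.` Separately, the search loop's bound `i < impostorBytes.length - 4` stops one position early; `i <= impostorBytes.length - 4` covers the last four bytes.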
diff --git a/crypto/src/test/java/org/conscrypt/ZpenSSLX509Certificate.java b/crypto/src/test/java/org/conscrypt/ZpenSSLX509Certificate.java
new file mode 100644
index 0000000..ea3870a
--- /dev/null
+++ b/crypto/src/test/java/org/conscrypt/ZpenSSLX509Certificate.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import java.io.Serializable;
+
+/**
+ * This is a fake class to test de-serialization with malicious payloads.
+ */
+public class ZpenSSLX509Certificate implements Serializable {
+ /** This will be set via reflection in the test. */
+ private static final long serialVersionUID = 0L;
+
+ public final long mContext;
+
+ ZpenSSLX509Certificate(long ctx) {
+ mContext = ctx;
+ }
+}
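Review bot: The test that uses this fixture can pass vacuously, because nothing ties the fixture's `mContext` field to the field of the same name in `OpenSSLX509Certificate`. If the real field is renamed or its type changes, the stream value no longer maps onto it and the context would presumably read back as 0 for that reason alone. The Javadoc should say that the class name must keep the same length as the real one, differing only in its first character, and that the field name and type must mirror the real class. On the field that could read `/** Must keep the same name and type as OpenSSLX509Certificate.mContext. */`.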
diff --git a/luni/src/test/java/libcore/javax/net/ssl/DefaultHostnameVerifierTest.java b/luni/src/test/java/libcore/javax/net/ssl/DefaultHostnameVerifierTest.java
index e1c9fe3..feecebe 100644
--- a/luni/src/test/java/libcore/javax/net/ssl/DefaultHostnameVerifierTest.java
+++ b/luni/src/test/java/libcore/javax/net/ssl/DefaultHostnameVerifierTest.java
@@ -114,15 +114,18 @@
public void testWildcardMatchesWildcardSuffix() {
assertTrue(verifier.verifyHostName("b.c.d", "*.b.c.d"));
assertTrue(verifier.verifyHostName("imap.google.com", "*.imap.google.com"));
+ assertFalse(verifier.verifyHostName("imap.google.com.au", "*.imap.google.com"));
}
public void testWildcardMatchingSubstring() {
assertTrue(verifier.verifyHostName("b.c.d", "b*.c.d"));
assertTrue(verifier.verifyHostName("imap.google.com", "ima*.google.com"));
+ assertFalse(verifier.verifyHostName("imap.google.com.au", "ima*.google.com"));
}
public void testWildcardMatchingEmptySubstring() {
assertTrue(verifier.verifyHostName("imap.google.com", "imap*.google.com"));
+ assertFalse(verifier.verifyHostName("imap.google.com.au", "imap*.google.com"));
}
public void testWildcardMatchesChildDomain() {
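Review bot: The three added negatives all extend the hostname with a trailing label (`imap.google.com.au`) and leave the reverse direction untested in the visible lines: a pattern with more trailing labels than the hostname. Adding, for instance, `assertFalse(verifier.verifyHostName("imap.google.com", "*.google.com.au"));` to `testWildcardMatchesWildcardSuffix` would pin that side too, unless another test in the file already covers it. The assertions would also be easier to diagnose with a message argument naming the host and pattern. `testWildcardMatchesChildDomain` begins on the last line of the hunk and continues outside it.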