Verified Commit 8006b2c8 authored by Marvin W.'s avatar Marvin W. 🐿
Browse files

ProviderInstaller: Use conscrypt-gmscore instead of original conscrypt

Helps with bunch of apps that use OkHttp
parent 0bb46d6a
/*
* SPDX-FileCopyrightText: 2020, microG Project Team
* SPDX-License-Identifier: Apache-2.0
* Notice: Portions of this file are reproduced from work created and shared by Google and used
* according to terms described in the Creative Commons 4.0 Attribution License.
* See https://developers.google.com/readme/policies for details.
*/
package com.google.android.gms.security;
import android.content.Context;
import android.content.Intent;
import java.security.Provider;
/**
* A utility class for installing a dynamically updatable {@link Provider} to replace the platform default provider.
*/
public class ProviderInstaller {
public static final String PROVIDER_NAME = "GmsCore_OpenSSL";
/**
* Installs the dynamically updatable security provider, if it's not already installed.
*
* @throws GooglePlayServicesRepairableException
* @throws GooglePlayServicesNotAvailableException
*/
public static void installIfNeeded(Context context) {
}
/**
* Asynchronously installs the dynamically updatable security provider, if it's not already installed. This method must be called on the UI thread.
*
* @param context
* @param listener called when the installation completes
*/
public static void installIfNeededAsync(Context context, ProviderInstallListener listener) {
if (listener != null) listener.onProviderInstalled();
}
/**
* Callback for notification of the result of provider installation.
*/
public interface ProviderInstallListener {
/**
* Called when installing the provider fails. This method is always called on the UI thread.
* <p>
* Implementers may use {@code errorCode} with the standard UI elements provided by {@link GoogleApiAvailability}; or {@code recoveryIntent} to implement custom UI.
*
* @param errorCode error code for the failure, for use with {@link GoogleApiAvailability#showErrorDialogFragment(Activity, int, int)} or {@link GoogleApiAvailability#showErrorNotification(Context, ConnectionResult)}
* @param recoveryIntent if non-null, an intent that can be used to install or update Google Play Services such that the provider can be installed
*/
void onProviderInstallFailed(int errorCode, Intent recoveryIntent);
/**
* Called when installing the provider succeeds. This method is always called on the UI thread.
*/
void onProviderInstalled();
}
}
/*
* SPDX-FileCopyrightText: 2020, microG Project Team
* SPDX-License-Identifier: Apache-2.0
*/
apply plugin: 'com.android.library'
dependencies {
implementation "org.microg.gms:conscrypt-gmscore:2.5.1"
implementation "androidx.annotation:annotation:$annotationVersion"
implementation project(":play-services-base-core")
}
android {
compileSdkVersion androidCompileSdk
buildToolsVersion "$androidBuildVersionTools"
defaultConfig {
versionName version
minSdkVersion androidMinSdk
targetSdkVersion androidTargetSdk
}
compileOptions {
sourceCompatibility = 1.8
targetCompatibility = 1.8
}
}
<?xml version="1.0" encoding="utf-8"?>
<!--
~ SPDX-FileCopyrightText: 2020, microG Project Team
~ SPDX-License-Identifier: Apache-2.0
-->
<manifest package="org.microg.gms.core.conscrypt">
<application />
</manifest>
/*
* SPDX-FileCopyrightText: 2020, microG Project Team
* SPDX-License-Identifier: Apache-2.0
*/
package com.google.android.gms.common.security;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Process;
import android.util.Log;
import androidx.annotation.Keep;
import com.google.android.gms.org.conscrypt.Conscrypt;
import com.google.android.gms.org.conscrypt.NativeCrypto;
import org.microg.gms.common.PackageUtils;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import static com.google.android.gms.security.ProviderInstaller.PROVIDER_NAME;
@Keep
public class ProviderInstallerImpl {
private static final String TAG = "GmsProviderInstaller";
private static final List<String> DISABLED = Collections.unmodifiableList(Arrays.asList("com.bankid.bus"));
private static final Object lock = new Object();
private static Provider provider;
private static String getRealSelfPackageName(Context context) {
String packageName = PackageUtils.packageFromProcessId(context, Process.myPid());
if (packageName != null && packageName.contains(".")) return packageName;
try {
Method getBasePackageName = Context.class.getDeclaredMethod("getBasePackageName");
packageName = (String) getBasePackageName.invoke(context);
if (packageName != null) return packageName;
} catch (Exception e) {
}
if (Build.VERSION.SDK_INT >= 29) {
return context.getOpPackageName();
}
Context applicationContext = context.getApplicationContext();
if (applicationContext != null) {
return applicationContext.getPackageName();
}
return context.getPackageName();
}
@Keep
public static void insertProvider(Context context) {
String packageName = getRealSelfPackageName(context);
try {
if (DISABLED.contains(packageName)) {
Log.d(TAG, "Package " + packageName + " is excluded from usage of provider installer");
return;
}
if (Security.getProvider(PROVIDER_NAME) != null) {
Log.d(TAG, "Provider already inserted in " + packageName);
return;
}
synchronized (lock) {
initProvider(context, packageName);
if (provider == null) {
Log.w(TAG, "Failed to initialize Conscrypt");
return;
}
int res = Security.insertProviderAt(provider, 1);
if (res == 1) {
Security.setProperty("ssl.SocketFactory.provider", "com.google.android.gms.org.conscrypt.OpenSSLSocketFactoryImpl");
Security.setProperty("ssl.ServerSocketFactory.provider", "com.google.android.gms.org.conscrypt.OpenSSLServerSocketFactoryImpl");
SSLContext sslContext = SSLContext.getInstance("Default");
SSLContext.setDefault(sslContext);
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
Log.d(TAG, "Installed default security provider " + PROVIDER_NAME);
} else {
throw new SecurityException("Failed to install security provider " + PROVIDER_NAME + ", result: " + res);
}
}
} catch (Throwable e) {
Log.w(TAG, e);
}
}
private static void initProvider(Context context, String packageName) {
Log.d(TAG, "Initializing provider for " + packageName);
try {
provider = Conscrypt.newProviderBuilder().setName(PROVIDER_NAME).defaultTlsProtocol("TLSv1.2").build();
} catch (UnsatisfiedLinkError e) {
Log.w(TAG, "Could not link conscrypt via default loader, trying manual loading");
try {
loadConscryptDirect(context, packageName);
provider = Conscrypt.newProviderBuilder().setName(PROVIDER_NAME).defaultTlsProtocol("TLSv1.2").build();
} catch (Exception e2) {
Log.w(TAG, e2);
}
}
}
private static void loadConscryptDirect(Context context, String packageName) throws Exception {
ApplicationInfo otherAppInfo = context.getPackageManager().getApplicationInfo(packageName, 0);
// TODO: Move manual loading into helper function (as it is also used in both maps implementations)
String primaryCpuAbi = (String) ApplicationInfo.class.getField("primaryCpuAbi").get(otherAppInfo);
if (primaryCpuAbi != null) {
String path = "lib/" + primaryCpuAbi + "/libconscrypt_jni.so";
File cacheFile = new File(context.createPackageContext(packageName, 0).getCacheDir().getAbsolutePath() + "/.gmscore/" + path);
cacheFile.getParentFile().mkdirs();
File apkFile = new File(context.getPackageCodePath());
if (!cacheFile.exists() || cacheFile.lastModified() < apkFile.lastModified()) {
ZipFile zipFile = new ZipFile(apkFile);
ZipEntry entry = zipFile.getEntry(path);
if (entry != null) {
copyInputStream(zipFile.getInputStream(entry), new FileOutputStream(cacheFile));
} else {
Log.d(TAG, "Can't load native library: " + path + " does not exist in " + apkFile);
}
}
Log.d(TAG, "Loading conscrypt_jni from " + cacheFile.getPath());
System.load(cacheFile.getAbsolutePath());
Class<NativeCrypto> clazz = NativeCrypto.class;
Field loadError = clazz.getDeclaredField("loadError");
loadError.setAccessible(true);
loadError.set(null, null);
Method clinit = clazz.getDeclaredMethod("clinit");
clinit.setAccessible(true);
Method get_cipher_names = clazz.getDeclaredMethod("get_cipher_names", String.class);
get_cipher_names.setAccessible(true);
Method cipherSuiteToJava = clazz.getDeclaredMethod("cipherSuiteToJava", String.class);
cipherSuiteToJava.setAccessible(true);
Method EVP_has_aes_hardware = clazz.getDeclaredMethod("EVP_has_aes_hardware");
EVP_has_aes_hardware.setAccessible(true);
Field f = clazz.getDeclaredField("SUPPORTED_TLS_1_2_CIPHER_SUITES_SET");
f.setAccessible(true);
Set<String> SUPPORTED_TLS_1_2_CIPHER_SUITES_SET = (Set<String>) f.get(null);
f = clazz.getDeclaredField("SUPPORTED_LEGACY_CIPHER_SUITES_SET");
f.setAccessible(true);
Set<String> SUPPORTED_LEGACY_CIPHER_SUITES_SET = (Set<String>) f.get(null);
f = clazz.getDeclaredField("SUPPORTED_TLS_1_2_CIPHER_SUITES");
f.setAccessible(true);
try {
clinit.invoke(null);
String[] allCipherSuites = (String[]) get_cipher_names.invoke(null, "ALL:!DHE");
int size = allCipherSuites.length;
String[] SUPPORTED_TLS_1_2_CIPHER_SUITES = new String[size / 2 + 2];
for (int i = 0; i < size; i += 2) {
String cipherSuite = (String) cipherSuiteToJava.invoke(null, allCipherSuites[i]);
SUPPORTED_TLS_1_2_CIPHER_SUITES[i / 2] = cipherSuite;
SUPPORTED_TLS_1_2_CIPHER_SUITES_SET.add(cipherSuite);
SUPPORTED_LEGACY_CIPHER_SUITES_SET.add(allCipherSuites[i + 1]);
}
SUPPORTED_TLS_1_2_CIPHER_SUITES[size / 2] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
SUPPORTED_TLS_1_2_CIPHER_SUITES[size / 2 + 1] = "TLS_FALLBACK_SCSV";
f.set(null, SUPPORTED_TLS_1_2_CIPHER_SUITES);
f = clazz.getDeclaredField("HAS_AES_HARDWARE");
f.setAccessible(true);
f.set(null, (int) EVP_has_aes_hardware.invoke(null) == 1);
} catch (InvocationTargetException inner) {
if (inner.getTargetException() instanceof UnsatisfiedLinkError) {
loadError.set(null, inner.getTargetException());
}
}
}
}
private static final void copyInputStream(InputStream in, OutputStream out) throws IOException {
byte[] buffer = new byte[1024];
int len;
while ((len = in.read(buffer)) >= 0)
out.write(buffer, 0, len);
in.close();
out.close();
}
}
......@@ -29,7 +29,6 @@ configurations {
dependencies {
implementation "com.squareup.wire:wire-runtime:$wireVersion"
implementation "de.hdodenhof:circleimageview:1.3.0"
implementation "org.conscrypt:conscrypt-android:2.1.0"
// TODO: Switch to upstream once raw requests are merged
// https://github.com/vitalidze/chromecast-java-api-v2/pull/99
// implementation "su.litvak.chromecast:api-v2:0.10.4"
......@@ -44,6 +43,7 @@ dependencies {
implementation project(':firebase-auth-core')
implementation project(':play-services-base-core')
implementation project(':play-services-base-core-ui')
implementation project(':play-services-conscrypt-provider-core')
implementation project(':play-services-location-core')
withNearbyImplementation project(':play-services-nearby-core')
withNearbyImplementation project(':play-services-nearby-core-ui')
......@@ -62,11 +62,9 @@ dependencies {
implementation "androidx.multidex:multidex:$multidexVersion"
implementation "androidx.appcompat:appcompat:$appcompatVersion"
implementation "androidx.mediarouter:mediarouter:$mediarouterVersion"
implementation "androidx.preference:preference:$preferenceVersion"
implementation "androidx.preference:preference-ktx:$preferenceVersion"
// Navigation
implementation "androidx.navigation:navigation-fragment:$navigationVersion"
implementation "androidx.navigation:navigation-ui:$navigationVersion"
implementation "androidx.navigation:navigation-fragment-ktx:$navigationVersion"
implementation "androidx.navigation:navigation-ui-ktx:$navigationVersion"
......
/*
* Copyright (C) 2013-2017 microG Project Team
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.google.android.gms.common.security;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;
import android.util.Log;
import org.conscrypt.NativeCrypto;
import org.conscrypt.OpenSSLProvider;
import org.microg.gms.common.PackageUtils;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
public class ProviderInstallerImpl {
private static final String TAG = "GmsProviderInstaller";
private static final List<String> DISABLED = Collections.unmodifiableList(Arrays.asList("com.discord", "com.bankid.bus"));
public static void insertProvider(Context context) {
String packageName = PackageUtils.packageFromProcessId(context, Process.myPid());
Log.d(TAG, "Provider installer invoked for " + packageName);
try {
if (DISABLED.contains(packageName)) {
Log.d(TAG, "Package is excluded from usage of provider installer");
return;
}
OpenSSLProvider provider = null;
try {
provider = new OpenSSLProvider("GmsCore_OpenSSL");
} catch (UnsatisfiedLinkError e) {
Log.w(TAG, "Could not link conscrypt via default loader, trying manual loading");
// TODO: Move manual loading into helper function (as it is also used in both maps implementations)
try {
ApplicationInfo otherAppInfo = context.getPackageManager().getApplicationInfo(packageName, 0);
String primaryCpuAbi = (String) ApplicationInfo.class.getField("primaryCpuAbi").get(otherAppInfo);
if (primaryCpuAbi != null) {
String path = "lib/" + primaryCpuAbi + "/libconscrypt_jni.so";
File cacheFile = new File(context.createPackageContext(packageName, 0).getCacheDir().getAbsolutePath() + "/.gmscore/" + path);
cacheFile.getParentFile().mkdirs();
File apkFile = new File(context.getPackageCodePath());
if (!cacheFile.exists() || cacheFile.lastModified() < apkFile.lastModified()) {
ZipFile zipFile = new ZipFile(apkFile);
ZipEntry entry = zipFile.getEntry(path);
if (entry != null) {
copyInputStream(zipFile.getInputStream(entry), new FileOutputStream(cacheFile));
} else {
Log.d(TAG, "Can't load native library: " + path + " does not exist in " + apkFile);
}
}
Log.d(TAG, "Loading conscrypt_jni from " + cacheFile.getPath());
System.load(cacheFile.getAbsolutePath());
Class<NativeCrypto> clazz = NativeCrypto.class;
Field loadError = clazz.getDeclaredField("loadError");
loadError.setAccessible(true);
loadError.set(null, null);
Method clinit = clazz.getDeclaredMethod("clinit");
clinit.setAccessible(true);
Method get_cipher_names = clazz.getDeclaredMethod("get_cipher_names", String.class);
get_cipher_names.setAccessible(true);
Method cipherSuiteToJava = clazz.getDeclaredMethod("cipherSuiteToJava", String.class);
cipherSuiteToJava.setAccessible(true);
Method EVP_has_aes_hardware = clazz.getDeclaredMethod("EVP_has_aes_hardware");
EVP_has_aes_hardware.setAccessible(true);
Field f = clazz.getDeclaredField("SUPPORTED_TLS_1_2_CIPHER_SUITES_SET");
f.setAccessible(true);
Set<String> SUPPORTED_TLS_1_2_CIPHER_SUITES_SET = (Set<String>) f.get(null);
f = clazz.getDeclaredField("SUPPORTED_LEGACY_CIPHER_SUITES_SET");
f.setAccessible(true);
Set<String> SUPPORTED_LEGACY_CIPHER_SUITES_SET = (Set<String>) f.get(null);
f = clazz.getDeclaredField("SUPPORTED_TLS_1_2_CIPHER_SUITES");
f.setAccessible(true);
try {
clinit.invoke(null);
String[] allCipherSuites = (String[]) get_cipher_names.invoke(null, "ALL:!DHE");
int size = allCipherSuites.length;
String[] SUPPORTED_TLS_1_2_CIPHER_SUITES = new String[size / 2 + 2];
for (int i = 0; i < size; i += 2) {
String cipherSuite = (String) cipherSuiteToJava.invoke(null, allCipherSuites[i]);
SUPPORTED_TLS_1_2_CIPHER_SUITES[i / 2] = cipherSuite;
SUPPORTED_TLS_1_2_CIPHER_SUITES_SET.add(cipherSuite);
SUPPORTED_LEGACY_CIPHER_SUITES_SET.add(allCipherSuites[i + 1]);
}
SUPPORTED_TLS_1_2_CIPHER_SUITES[size / 2] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
SUPPORTED_TLS_1_2_CIPHER_SUITES[size / 2 + 1] = "TLS_FALLBACK_SCSV";
f.set(null, SUPPORTED_TLS_1_2_CIPHER_SUITES);
f = clazz.getDeclaredField("HAS_AES_HARDWARE");
f.setAccessible(true);
f.set(null, (int) EVP_has_aes_hardware.invoke(null) == 1);
provider = new OpenSSLProvider("GmsCore_OpenSSL");
} catch (InvocationTargetException inner) {
if (inner.getTargetException() instanceof UnsatisfiedLinkError) {
loadError.set(null, inner.getTargetException());
}
}
}
} catch (Exception e2) {
Log.w(TAG, e2);
}
}
if (provider == null) {
Log.w(TAG, "Failed to initialize conscrypt provider");
return;
}
if (Security.insertProviderAt(provider, 1) == 1) {
Security.setProperty("ssl.SocketFactory.provider", "org.conscrypt.OpenSSLSocketFactoryImpl");
Security.setProperty("ssl.ServerSocketFactory.provider", "org.conscrypt.OpenSSLServerSocketFactoryImpl");
SSLContext.setDefault(SSLContext.getInstance("Default"));
HttpsURLConnection.setDefaultSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
Log.d(TAG, "SSL provider installed");
} else {
Log.w(TAG, "Did not insert the new SSL provider");
}
} catch (Throwable e) {
Log.w(TAG, e);
}
}
private static final void copyInputStream(InputStream in, OutputStream out) throws IOException {
byte[] buffer = new byte[1024];
int len;
while ((len = in.read(buffer)) >= 0)
out.write(buffer, 0, len);
in.close();
out.close();
}
}
......@@ -18,6 +18,7 @@ include ':play-services-nearby-core-proto'
include ':play-services-wearable-proto'
include ':play-services-base-core'
include ':play-services-conscrypt-provider-core'
include ':play-services-location-core'
include ':play-services-maps-core-mapbox'
include ':play-services-maps-core-vtm'
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment