authorcyberta <cyberta@riseup.net>2023-07-25 16:30:49 +0000
committercyberta <cyberta@riseup.net>2023-07-25 16:30:49 +0000
commita27fc2100f1aa826843c3fd61313d3e5858c23ca (patch)
tree0e242fa18e5b68b4b8ae8babdf5ea5e76bae2982 /app/src/main/java/de/blinkt/openvpn/core
parentb6988c2279542f5a7ed4c993a4ddd1230bf9e25f (diff)
parent4d59ff9b49eee136f4260356ac969c1b461a6366 (diff)
Merge branch 'audit_fixes' into 'master'
reliability improvements See merge request leap/bitmask_android!248
Diffstat (limited to 'app/src/main/java/de/blinkt/openvpn/core')
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java2
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/ExtAuthHelper.java14
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java15
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/OpenVPNManagement.java6
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java30
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java1
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/VpnStatus.java8
7 files changed, 61 insertions, 15 deletions
diff --git a/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index e8d333e3..ff27a5a2 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@@ -70,9 +70,7 @@ public class ConfigParser {
"management",
"management-client",
"management-query-remote",
- "management-query-passwords",
"management-query-proxy",
- "management-external-key",
"management-forget-disconnect",
"management-signal",
"management-log-cache",
diff --git a/app/src/main/java/de/blinkt/openvpn/core/ExtAuthHelper.java b/app/src/main/java/de/blinkt/openvpn/core/ExtAuthHelper.java
index a62a4c62..d102dce2 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/ExtAuthHelper.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/ExtAuthHelper.java
@@ -108,15 +108,23 @@ public class ExtAuthHelper {
public static byte[] signData(@NonNull Context context,
@NonNull String extAuthPackageName,
@NonNull String alias,
- @NonNull byte[] data
+ @NonNull byte[] data,
+ @NonNull Bundle extra
) throws KeyChainException, InterruptedException
{
- try (ExternalAuthProviderConnection authProviderConnection = bindToExtAuthProvider(context.getApplicationContext(), extAuthPackageName)) {
+ try (ExternalAuthProviderConnection authProviderConnection =
+ bindToExtAuthProvider(context.getApplicationContext(), extAuthPackageName)) {
ExternalCertificateProvider externalAuthProvider = authProviderConnection.getService();
- return externalAuthProvider.getSignedData(alias, data);
+
+ byte[] result = externalAuthProvider.getSignedDataWithExtra(alias, data, extra);
+ // When the desired method is not implemented, a default implementation is called, returning null
+ if (result == null)
+ result = externalAuthProvider.getSignedData(alias, data);
+
+ return result;
} catch (RemoteException e) {
throw new KeyChainException(e);
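Review bot: The `result == null` check after `getSignedDataWithExtra` treats every null as "method not implemented", but a provider that implements the method and fails or declines would presumably also return null. The code then retries with `getSignedData(alias, data)`, which drops whatever `extra` carried. If `extra` holds the padding parameters requested for this signature, the fallback can return a signature made under different parameters than the caller asked for, and it may send the provider a second signing request. Consider falling back only when the request needs no extras, or at least record the ambiguity at the check, e.g. `// null also covers provider-side failure; the legacy call below ignores extra`. The new `@NonNull Bundle extra` parameter changes the public signature, so callers outside this hunk must be updated; the method body continues past the end of the hunk.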
diff --git a/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java b/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
index f769b38e..818564c7 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
@@ -29,6 +29,21 @@ public class NativeUtils {
private static native String getJNIAPI();
+ static boolean rsspssloaded = false;
+
+ public static byte[] addRssPssPadding(int hashtype, int MSBits, int rsa_size, byte[] from)
+ {
+ if (!rsspssloaded) {
+ rsspssloaded = true;
+ System.loadLibrary("rsapss");
+ }
+
+ return rsapss(hashtype, MSBits, rsa_size, from);
+ }
+
+ private static native byte[] rsapss(int hashtype, int MSBits, int rsa_size, byte[] from);
+
+
public final static int[] openSSLlengths = {
16, 64, 256, 1024, 8 * 1024, 16 * 1024
};
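Review bot: In `addRssPssPadding` the flag `rsspssloaded` is set to true before `System.loadLibrary("rsapss")` runs and is read without synchronization, so a second thread can see the flag set and call the native `rsapss` before the library is loaded, and a failed load is never retried. Setting the flag only after the load succeeds and declaring the method `public static synchronized` closes both gaps: `System.loadLibrary("rsapss"); rsspssloaded = true;`. The method also hands `from`, `rsa_size` and `MSBits` straight to native code; a null and range check on the Java side before the JNI call would keep malformed input out of the native library. The identifiers say `Rss`/`rss` where the library and the native method say `rsa`, which looks like a typo worth fixing while the API is new.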
diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNManagement.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNManagement.java
index ef17e98b..02e4eca9 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNManagement.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNManagement.java
@@ -16,6 +16,12 @@ public interface OpenVPNManagement {
screenOff,
}
+ enum SignaturePadding {
+ RSA_PKCS1_PSS_PADDING,
+ RSA_PKCS1_PADDING,
+ NO_PADDING
+ }
+
int mBytecountInterval = 2;
void reconnect();
diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
index a02e7e27..88b933eb 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
@@ -194,7 +194,7 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement {
// Closing one of the two sockets also closes the other
//mServerSocketLocal.close();
- managmentCommand("version 2\n");
+ managmentCommand("version 3\n");
while (true) {
@@ -730,9 +730,33 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement {
releaseHold();
}
- private void processSignCommand(String b64data) {
+ private void processSignCommand(String argument) {
- String signed_string = mProfile.getSignedData(mOpenVPNService, b64data, false);
+ String[] arguments = argument.split(",");
+
+ // NC9t8IkYrjAQcCzc85zN0H5TvwfAUDwYkR4j2ga6fGw=,RSA_PKCS1_PSS_PADDING,hashalg=SHA256,saltlen=digest
+
+
+ SignaturePadding padding = SignaturePadding.NO_PADDING;
+ String saltlen="";
+ String hashalg="";
+ boolean needsDigest = false;
+
+ for (int i=1;i < arguments.length;i++) {
+ String arg = arguments[i];
+ if(arg.equals("RSA_PKCS1_PADDING"))
+ padding = SignaturePadding.RSA_PKCS1_PADDING;
+ else if (arg.equals("RSA_PKCS1_PSS_PADDING"))
+ padding = SignaturePadding.RSA_PKCS1_PSS_PADDING;
+ else if (arg.startsWith("saltlen="))
+ saltlen= arg.substring(8);
+ else if (arg.startsWith("hashalg="))
+ hashalg = arg.substring(8);
+ else if (arg.equals("data=message"))
+ needsDigest = true;
+ }
+
+ String signed_string = mProfile.getSignedData(mOpenVPNService, arguments[0], padding, saltlen, hashalg, needsDigest);
if (signed_string == null) {
managmentCommand("pk-sig\n");
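Review bot: The argument loop in `processSignCommand` has no final `else`, so any token it does not recognise is silently skipped and the request is still signed with `padding` left at `SignaturePadding.NO_PADDING` and empty `saltlen`/`hashalg`. Because this commit also switches the management handshake to `version 3`, an algorithm token this parser does not know would yield a signature under parameters the peer did not ask for, rather than a refusal. A fail-closed variant would add a trailing `else` that logs the unknown token and answers through the existing `signed_string == null` path without calling `mProfile.getSignedData`. A short comment stating which padding a request with no algorithm token is meant to get would also document why `NO_PADDING` is the default. The method body continues past the end of this hunk.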
diff --git a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
index 80427a03..67636762 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
@@ -5,7 +5,6 @@
package de.blinkt.openvpn.core;
-import android.annotation.TargetApi;
import android.content.Context;
import android.os.Build;
diff --git a/app/src/main/java/de/blinkt/openvpn/core/VpnStatus.java b/app/src/main/java/de/blinkt/openvpn/core/VpnStatus.java
index f28651f3..8115548f 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/VpnStatus.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/VpnStatus.java
@@ -5,6 +5,8 @@
package de.blinkt.openvpn.core;
+import static se.leap.bitmaskclient.base.utils.ConfigHelper.getProviderFormattedString;
+
import android.content.Context;
import android.os.Build;
import android.os.HandlerThread;
@@ -23,8 +25,6 @@ import de.blinkt.openvpn.VpnProfile;
import se.leap.bitmaskclient.R;
import se.leap.bitmaskclient.base.utils.PreferenceHelper;
-import static se.leap.bitmaskclient.base.utils.ConfigHelper.getProviderFormattedString;
-
public class VpnStatus {
@@ -485,10 +485,6 @@ public class VpnStatus {
mLogFileHandler.sendMessage(mLogFileHandler.obtainMessage(LogFileHandler.TRIM_LOG_FILE));
}
- //if (BuildConfig.DEBUG && !cachedLine && !BuildConfig.FLAVOR.equals("test"))
- // Log.d("OpenVPN", logItem.getString(null));
-
-
for (LogListener ll : logListener) {
ll.newLog(logItem);
}