authorArne Schwabe <arne@rfc2549.org>2022-02-19 16:08:55 +0100
committerArne Schwabe <arne@rfc2549.org>2022-05-04 19:21:56 +0200
commitfb7a727b9d40b8fcf213528d64e6761e9268b9e1 (patch)
treed3be85209223316dae54c73318b45f2416717dec /main/src/ui
parent6d364856a35661e7dad414d38dc34c8cbd8b5985 (diff)
Implement profile encryption using KeyMaster library
Diffstat (limited to 'main/src/ui')
-rw-r--r--main/src/ui/AndroidManifest.xml4
-rw-r--r--main/src/ui/java/de/blinkt/openvpn/core/ProfileEncryption.kt63
-rw-r--r--main/src/ui/res/xml/general_settings.xml5
3 files changed, 72 insertions, 0 deletions
diff --git a/main/src/ui/AndroidManifest.xml b/main/src/ui/AndroidManifest.xml
index b3bd8ecf..21241f0a 100644
--- a/main/src/ui/AndroidManifest.xml
+++ b/main/src/ui/AndroidManifest.xml
@@ -14,6 +14,10 @@
android:name="android.hardware.touchscreen"
android:required="false" />
+ <!-- This library wants SDK version 23 but we do runtime checks to not use it before
+ API 23 -->
+ <uses-sdk tools:overrideLibrary="androidx.security"/>
+
<application android:banner="@mipmap/banner_tv">
<activity
android:exported="true"
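Review bot: `tools:overrideLibrary="androidx.security"` switches off the manifest merger's minSdk check for the whole library, so from here on the API 23 requirement is enforced only by convention, and the added comment does not say where the runtime check lives. The only `Build.VERSION.SDK_INT` guard visible in this commit is in `ProfileEncryption.initMasterCryptAlias()`, so I would name it in the comment, e.g. `<!-- androidx.security needs API 23; ProfileEncryption.initMasterCryptAlias() skips key setup below that, and no other code may call the library directly -->`. The `tools:` prefix also needs `xmlns:tools` declared on the manifest root, which is outside this hunk.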
diff --git a/main/src/ui/java/de/blinkt/openvpn/core/ProfileEncryption.kt b/main/src/ui/java/de/blinkt/openvpn/core/ProfileEncryption.kt
new file mode 100644
index 00000000..ad22460f
--- /dev/null
+++ b/main/src/ui/java/de/blinkt/openvpn/core/ProfileEncryption.kt
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2012-2022 Arne Schwabe
+ * Distributed under the GNU GPL v2 with additional terms. For full terms see the file doc/LICENSE.txt
+ */
+package de.blinkt.openvpn.core
+
+import android.content.Context
+import android.os.Build
+import androidx.security.crypto.EncryptedFile
+import androidx.security.crypto.MasterKeys
+import java.io.File
+import java.io.FileInputStream
+import java.io.FileOutputStream
+import java.io.IOException
+import java.security.GeneralSecurityException
+
+internal class ProfileEncryption {
+
+ companion object {
+ @JvmStatic
+ fun encryptionEnabled(): Boolean {
+ return mMasterKeyAlias != null
+ }
+
+ private var mMasterKeyAlias: String? = null
+ @JvmStatic
+ fun initMasterCryptAlias() {
+ if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M)
+ return
+ try {
+ mMasterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
+ } catch (e: GeneralSecurityException) {
+ VpnStatus.logException("Could not initialise file encryption key.", e)
+ } catch (e: IOException) {
+ VpnStatus.logException("Could not initialise file encryption key.", e)
+ }
+ }
+
+ @JvmStatic
+ @Throws(GeneralSecurityException::class, IOException::class)
+ fun getEncryptedVpInput(context: Context, file: File): FileInputStream {
+ val encryptedFile = EncryptedFile.Builder(
+ file,
+ context,
+ mMasterKeyAlias!!,
+ EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
+ ).build()
+ return encryptedFile.openFileInput()
+ }
+
+ @JvmStatic
+ @Throws(GeneralSecurityException::class, IOException::class)
+ fun getEncryptedVpOutput(context: Context, file: File): FileOutputStream {
+ val encryptedFile = EncryptedFile.Builder(
+ file,
+ context,
+ mMasterKeyAlias!!,
+ EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
+ ).build()
+ return encryptedFile.openFileOutput()
+ }
+ }
+} \ No newline at end of file
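Review bot: `mMasterKeyAlias!!` in getEncryptedVpInput and getEncryptedVpOutput throws a NullPointerException whenever initMasterCryptAlias() was never called, returned early below API 23, or failed and only logged, and that exception is not among the types declared in `@Throws`, so a Java caller catching the declared ones would miss it. Both functions also repeat the same builder call; a private helper that resolves the alias once and throws GeneralSecurityException when it is missing keeps the failure inside the declared contract. Because a failed key setup is only logged, callers presumably store profiles unencrypted when encryptionEnabled() is false; that fallback is outside this diff, and a short KDoc on encryptionEnabled() stating it would help. As far as I know, EncryptedFile.openFileOutput() refuses to write over an existing file, so the caller of getEncryptedVpOutput may have to remove the old profile file first; worth confirming against the library version in use.

```kotlin
// Builds the EncryptedFile wrapper shared by the input and output accessors.
private fun encryptedFile(context: Context, file: File): EncryptedFile {
    // Fail with a declared exception instead of an NPE when no key is available
    val alias = mMasterKeyAlias
        ?: throw GeneralSecurityException("Profile encryption key is not initialised")
    return EncryptedFile.Builder(
        file,
        context,
        alias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()
}

// … unchanged: annotations and signature of getEncryptedVpInput …
    return encryptedFile(context, file).openFileInput()

// … unchanged: annotations and signature of getEncryptedVpOutput …
    return encryptedFile(context, file).openFileOutput()
```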
diff --git a/main/src/ui/res/xml/general_settings.xml b/main/src/ui/res/xml/general_settings.xml
index 4f294a1a..55eedb94 100644
--- a/main/src/ui/res/xml/general_settings.xml
+++ b/main/src/ui/res/xml/general_settings.xml
@@ -42,6 +42,11 @@
android:summary="@string/onbootrestartsummary"
android:title="@string/onbootrestart"/>
+ <CheckBoxPreference
+ android:defaultValue="true"
+ android:key="preferencryption"
+ android:title="@string/encrypt_profiles"/>
+
<Preference
android:key="clearapi"
android:persistent="false"