summaryrefslogtreecommitdiff
path: root/main/src
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2019-12-12 00:32:53 +0100
committerArne Schwabe <arne@rfc2549.org>2019-12-12 00:33:47 +0100
commit15d61fae315d24c0abfcc1f6b3934f56e701fda6 (patch)
treeed18923968085e17ee0a56ffefcd6a7ad69e902d /main/src
parentd1de65101a3b19db7badc313e575e38c1ce1b468 (diff)
Fix TLS 1.3 and TLS 1.2 with Android 4.1 (jelly bean)
For a colleague who really wanted it: "Oh come on, it's a simple fix. Simply fix 10 year old software a bit. 😜"
Diffstat (limited to 'main/src')
-rw-r--r--main/src/main/cpp/jbcrypto/jbcrypto.cpp10
-rw-r--r--main/src/main/java/de/blinkt/openvpn/VpnProfile.java6
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java2
3 files changed, 10 insertions, 8 deletions
diff --git a/main/src/main/cpp/jbcrypto/jbcrypto.cpp b/main/src/main/cpp/jbcrypto/jbcrypto.cpp
index 93a17d95..2ac52120 100644
--- a/main/src/main/cpp/jbcrypto/jbcrypto.cpp
+++ b/main/src/main/cpp/jbcrypto/jbcrypto.cpp
@@ -28,10 +28,11 @@ struct EVP_PKEY
} pkey;
};
-# define RSA_PKCS1_PADDING 1
+#define RSA_PKCS1_PADDING 1
+#define RSA_NO_PADDING 3
extern "C" {
- jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign(JNIEnv* env, jclass, jbyteArray from, jint pkeyRef);
+ jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign(JNIEnv* env, jclass, jbyteArray from, jint pkeyRef, jboolean pkcs1padding);
int jniThrowException(JNIEnv* env, const char* className, const char* msg);
int (*RSA_size_dyn)(const RSA *);
@@ -65,7 +66,7 @@ int jniThrowException(JNIEnv* env, const char* className, const char* msg) {
}
static char opensslerr[1024];
-jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass, jbyteArray from, jint pkeyRef) {
+jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass, jbyteArray from, jint pkeyRef, jboolean pkcs1padding) {
// EVP_MD_CTX* ctx = reinterpret_cast<EVP_MD_CTX*>(ctxRef);
@@ -96,7 +97,8 @@ jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass,
sigret, &siglen, pkey->pkey.rsa) <= 0 ) */
RSA_private_encrypt_dyn=(int (*)(int, const unsigned char *, unsigned char *, RSA *, int)) dlsym(RTLD_DEFAULT, "RSA_private_encrypt");
- siglen = RSA_private_encrypt_dyn(datalen,(unsigned char*) data,sigret,pkey->pkey.rsa,RSA_PKCS1_PADDING);
+ int paddding = pkcs1padding ? RSA_PKCS1_PADDING : RSA_NO_PADDING;
+ siglen = RSA_private_encrypt_dyn(datalen,(unsigned char*) data,sigret,pkey->pkey.rsa, paddding);
if (siglen < 0)
{
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index f5ba358b..bf1b995b 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -1165,7 +1165,7 @@ public class VpnProfile implements Serializable, Cloneable {
// The Jelly Bean *evil* Hack
// 4.2 implements the RSA/ECB/PKCS1PADDING in the OpenSSLprovider
if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) {
- return processSignJellyBeans(privkey, data);
+ return processSignJellyBeans(privkey, data, pkcs1padding);
}
@@ -1204,7 +1204,7 @@ public class VpnProfile implements Serializable, Cloneable {
}
}
- private byte[] processSignJellyBeans(PrivateKey privkey, byte[] data) {
+ private byte[] processSignJellyBeans(PrivateKey privkey, byte[] data, boolean pkcs1padding) {
try {
Method getKey = privkey.getClass().getSuperclass().getDeclaredMethod("getOpenSSLKey");
getKey.setAccessible(true);
@@ -1222,7 +1222,7 @@ public class VpnProfile implements Serializable, Cloneable {
getPkeyContext.setAccessible(false);
// 112 with TLS 1.2 (172 back with 4.3), 36 with TLS 1.0
- return NativeUtils.rsasign(data, pkey);
+ return NativeUtils.rsasign(data, pkey, pkcs1padding);
} catch (NoSuchMethodException | InvalidKeyException | InvocationTargetException | IllegalAccessException | IllegalArgumentException e) {
VpnStatus.logError(R.string.error_rsa_sign, e.getClass().toString(), e.getLocalizedMessage());
diff --git a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
index ecf27ef5..d6c1cdb9 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
@@ -11,7 +11,7 @@ import de.blinkt.openvpn.BuildConfig;
import java.security.InvalidKeyException;
public class NativeUtils {
- public static native byte[] rsasign(byte[] input, int pkey) throws InvalidKeyException;
+ public static native byte[] rsasign(byte[] input, int pkey, boolean pkcs1padding) throws InvalidKeyException;
public static native String[] getIfconfig() throws IllegalArgumentException;