summaryrefslogtreecommitdiff
path: root/main/src
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2022-07-22 13:18:18 +0200
committerArne Schwabe <arne@rfc2549.org>2022-07-22 16:35:02 +0200
commitfd3554ab36b8ab20e34a187afdc82ceead470739 (patch)
tree3b90fe5fe668df6926bfe7ca7d3a286f211b142f /main/src
parent4528aba9bad3782cd57c91205799eaf2cccd1e39 (diff)
Update OpenVPN/OpenVPN3, use xkey in OpenVPN3
Diffstat (limited to 'main/src')
-rw-r--r--main/src/main/cpp/CMakeLists.txt7
m---------main/src/main/cpp/openvpn0
m---------main/src/main/cpp/openvpn30
-rw-r--r--main/src/main/cpp/ovpnutil/rsapss.cpp70
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/X509Utils.java8
-rw-r--r--main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java6
6 files changed, 47 insertions, 44 deletions
diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt
index ac32fd80..0921e807 100644
--- a/main/src/main/cpp/CMakeLists.txt
+++ b/main/src/main/cpp/CMakeLists.txt
@@ -21,6 +21,9 @@ SET(OPENVPN3OSSL ON)
SET(SSLLIBTYPE STATIC)
SET(OPENSSL_PATH "openssl")
+set(CMAKE_CXX_STANDARD 17)
+
+
#add_subdirectory(lzo)
include(tools.cmake)
include(lzo.cmake)
@@ -56,6 +59,8 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
set(ovpn3_SRCS
openvpn3/client/ovpncli.cpp
+ openvpn3/openvpn/openssl/xkey/xkey_provider.c
+ openvpn3/openvpn/openssl/xkey/xkey_helper.c
ovpncli_wrap.cxx)
add_library(ovpn3 SHARED ${ovpn3_SRCS})
@@ -80,7 +85,6 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
target_link_libraries(ovpn3 mbedtls mbedx509 mbedcrypto lzo lz4)
endif ()
- target_compile_options(ovpn3 PRIVATE -std=c++1y)
target_compile_definitions(ovpn3 PRIVATE
-DHAVE_CONFIG_H
-DHAVE_LZO
@@ -92,6 +96,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
-DOPENVPN_SHOW_SESSION_TOKEN
-DOPENSSL_API_COMPAT=0x10200000L
-DOPENVPN_ALLOW_INSECURE_CERTPROFILE
+ -DENABLE_EXTERNAL_PKI
)
else ()
message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
diff --git a/main/src/main/cpp/openvpn b/main/src/main/cpp/openvpn
-Subproject 53560170b95ec99dcd9f27031515f11a23370e3
+Subproject 6036a5d74a7afc61466fc388ec6fd20159a3d87
diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3
-Subproject 6274c08e40b567397c92680f937953db47af50d
+Subproject 9f02ce1670f75d8f3b9eb903394368fee53cd05
diff --git a/main/src/main/cpp/ovpnutil/rsapss.cpp b/main/src/main/cpp/ovpnutil/rsapss.cpp
index d6346811..112c2fe4 100644
--- a/main/src/main/cpp/ovpnutil/rsapss.cpp
+++ b/main/src/main/cpp/ovpnutil/rsapss.cpp
@@ -16,15 +16,15 @@
#include <array>
-static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+static const unsigned char zeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};
static char opensslerr[1024];
extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env,
- jclass,
- jint hashtype,
- jint MSBits,
- jint rsa_size,
- jbyteArray from) {
+ jclass,
+ jint hashtype,
+ jint MSBits,
+ jint rsa_size,
+ jbyteArray from) {
/*
unsigned char *EM,
@@ -33,7 +33,7 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env
int sLen)
*/
- jbyte *data = env->GetByteArrayElements(from, NULL);
+ jbyte *data = env->GetByteArrayElements(from, nullptr);
int datalen = env->GetArrayLength(from);
const auto *mHash = reinterpret_cast<const unsigned char *>(data);
@@ -41,17 +41,17 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env
const EVP_MD *Hash;
if (hashtype == 0) {
- Hash = EVP_md5();
+ Hash = EVP_md5();
} else if (hashtype == 1) {
- Hash = EVP_sha1();
+ Hash = EVP_sha1();
} else if (hashtype == 2) {
- Hash = EVP_sha224();
+ Hash = EVP_sha224();
} else if (hashtype == 3) {
- Hash = EVP_sha256();
+ Hash = EVP_sha256();
} else if (hashtype == 4) {
- Hash = EVP_sha384();
+ Hash = EVP_sha384();
} else if (hashtype == 5) {
- Hash = EVP_sha512();
+ Hash = EVP_sha512();
}
const EVP_MD *mgf1Hash = Hash;
@@ -68,47 +68,47 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env
unsigned char *EM = buf.data();
if (hLen < 0)
- goto err;
+ goto err;
emLen = rsa_size;
if (MSBits == 0) {
- *EM++ = 0;
- emLen--;
+ *EM++ = 0;
+ emLen--;
}
if (emLen < hLen + 2) {
- goto err;
+ goto err;
}
if (sLen == RSA_PSS_SALTLEN_MAX) {
- sLen = emLen - hLen - 2;
+ sLen = emLen - hLen - 2;
} else if (sLen > emLen - hLen - 2) {
- goto err;
+ goto err;
}
if (sLen > 0) {
- salt = (unsigned char *) OPENSSL_malloc(sLen);
- if (salt == nullptr) {
- goto err;
- }
- if (RAND_bytes_ex(nullptr, salt, sLen, 0) <= 0)
- goto err;
+ salt = (unsigned char *) OPENSSL_malloc(sLen);
+ if (salt == nullptr) {
+ goto err;
+ }
+ if (RAND_bytes_ex(nullptr, salt, sLen, 0) <= 0)
+ goto err;
}
maskedDBLen = emLen - hLen - 1;
H = EM + maskedDBLen;
ctx = EVP_MD_CTX_new();
if (ctx == nullptr)
- goto err;
+ goto err;
if (!EVP_DigestInit_ex(ctx, Hash, nullptr)
- || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
- || !EVP_DigestUpdate(ctx, mHash, hLen))
- goto err;
+ || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
+ || !EVP_DigestUpdate(ctx, mHash, hLen))
+ goto err;
if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
- goto err;
+ goto err;
if (!EVP_DigestFinal_ex(ctx, H, nullptr))
- goto err;
+ goto err;
/* Generate dbMask in place then perform XOR on it */
if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
- goto err;
+ goto err;
p = EM;
@@ -119,11 +119,11 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env
p += emLen - sLen - hLen - 2;
*p++ ^= 0x1;
if (sLen > 0) {
- for (int i = 0; i < sLen; i++)
- *p++ ^= salt[i];
+ for (int i = 0; i < sLen; i++)
+ *p++ ^= salt[i];
}
if (MSBits)
- EM[0] &= 0xFF >> (8 - MSBits);
+ EM[0] &= 0xFF >> (8 - MSBits);
/* H is already in place so just set final 0xbc */
diff --git a/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java b/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java
index 21a7f1ae..eeb54675 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java
@@ -146,17 +146,11 @@ public class X509Utils {
friendlyName= (String) toString.invoke(subjectName,true,defaultSymbols);
- } catch (ClassNotFoundException e) {
+ } catch (ClassNotFoundException | IllegalAccessException | NoSuchFieldException | NoSuchMethodException e) {
exp =e ;
- } catch (NoSuchMethodException e) {
- exp =e;
} catch (InvocationTargetException e) {
/* Ignore this. Modern Android versions do not expose this */
exp = null;
- } catch (IllegalAccessException e) {
- exp =e;
- } catch (NoSuchFieldException e) {
- exp =e;
}
if (exp!=null) {
VpnStatus.logException("Getting X509 Name from certificate", exp);
diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
index 780fa217..0cbd7ce5 100644
--- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -237,6 +237,9 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
VpnStatus.logDebug("Got external PKI signing request from OpenVPN core for algorithm " + signreq.getAlgorithm());
SignaturePadding padding;
switch (signreq.getAlgorithm()) {
+ case "RSA_PKCS1_PSS_PADDING":
+ padding = SignaturePadding.RSA_PKCS1_PSS_PADDING;
+ break;
case "RSA_PKCS1_PADDING":
padding = SignaturePadding.RSA_PKCS1_PADDING;
break;
@@ -249,7 +252,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
default:
throw new IllegalArgumentException("Illegal padding in sign request" + signreq.getAlgorithm());
}
- signreq.setSig(mVp.getSignedData(mService, signreq.getData(), padding, "", "", false));
+ boolean needDigest = !signreq.getHashalg().isEmpty();
+ signreq.setSig(mVp.getSignedData(mService, signreq.getData(), padding, signreq.getSaltlen(), signreq.getHashalg(), needDigest));
}
void setUserPW() {