From 15d61fae315d24c0abfcc1f6b3934f56e701fda6 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 12 Dec 2019 00:32:53 +0100 Subject: Fix TLS 1.3 and TLS 1.2 with Android 4.1 (jelly bean) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For a colleague who really wanted it: "Oh come on, it's a simple fix. Simply fix 10 year old software a bit. 😜" --- main/src/main/cpp/jbcrypto/jbcrypto.cpp | 10 ++++++---- main/src/main/java/de/blinkt/openvpn/VpnProfile.java | 6 +++--- main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java | 2 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/main/src/main/cpp/jbcrypto/jbcrypto.cpp b/main/src/main/cpp/jbcrypto/jbcrypto.cpp index 93a17d95..2ac52120 100644 --- a/main/src/main/cpp/jbcrypto/jbcrypto.cpp +++ b/main/src/main/cpp/jbcrypto/jbcrypto.cpp @@ -28,10 +28,11 @@ struct EVP_PKEY } pkey; }; -# define RSA_PKCS1_PADDING 1 +#define RSA_PKCS1_PADDING 1 +#define RSA_NO_PADDING 3 extern "C" { - jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign(JNIEnv* env, jclass, jbyteArray from, jint pkeyRef); + jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign(JNIEnv* env, jclass, jbyteArray from, jint pkeyRef, jboolean pkcs1padding); int jniThrowException(JNIEnv* env, const char* className, const char* msg); int (*RSA_size_dyn)(const RSA *); @@ -65,7 +66,7 @@ int jniThrowException(JNIEnv* env, const char* className, const char* msg) { } static char opensslerr[1024]; -jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass, jbyteArray from, jint pkeyRef) { +jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass, jbyteArray from, jint pkeyRef, jboolean pkcs1padding) { // EVP_MD_CTX* ctx = reinterpret_cast(ctxRef); @@ -96,7 +97,8 @@ jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass, sigret, &siglen, pkey->pkey.rsa) <= 0 ) */ RSA_private_encrypt_dyn=(int (*)(int, const unsigned char *, unsigned char *, RSA *, int)) dlsym(RTLD_DEFAULT, "RSA_private_encrypt"); - siglen = RSA_private_encrypt_dyn(datalen,(unsigned char*) data,sigret,pkey->pkey.rsa,RSA_PKCS1_PADDING); + int paddding = pkcs1padding ? RSA_PKCS1_PADDING : RSA_NO_PADDING; + siglen = RSA_private_encrypt_dyn(datalen,(unsigned char*) data,sigret,pkey->pkey.rsa, paddding); if (siglen < 0) { diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java index f5ba358b..bf1b995b 100644 --- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -1165,7 +1165,7 @@ public class VpnProfile implements Serializable, Cloneable { // The Jelly Bean *evil* Hack // 4.2 implements the RSA/ECB/PKCS1PADDING in the OpenSSLprovider if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) { - return processSignJellyBeans(privkey, data); + return processSignJellyBeans(privkey, data, pkcs1padding); } @@ -1204,7 +1204,7 @@ public class VpnProfile implements Serializable, Cloneable { } } - private byte[] processSignJellyBeans(PrivateKey privkey, byte[] data) { + private byte[] processSignJellyBeans(PrivateKey privkey, byte[] data, boolean pkcs1padding) { try { Method getKey = privkey.getClass().getSuperclass().getDeclaredMethod("getOpenSSLKey"); getKey.setAccessible(true); @@ -1222,7 +1222,7 @@ public class VpnProfile implements Serializable, Cloneable { getPkeyContext.setAccessible(false); // 112 with TLS 1.2 (172 back with 4.3), 36 with TLS 1.0 - return NativeUtils.rsasign(data, pkey); + return NativeUtils.rsasign(data, pkey, pkcs1padding); } catch (NoSuchMethodException | InvalidKeyException | InvocationTargetException | IllegalAccessException | IllegalArgumentException e) { VpnStatus.logError(R.string.error_rsa_sign, e.getClass().toString(), e.getLocalizedMessage()); diff --git a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java index ecf27ef5..d6c1cdb9 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java +++ b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java @@ -11,7 +11,7 @@ import de.blinkt.openvpn.BuildConfig; import java.security.InvalidKeyException; public class NativeUtils { - public static native byte[] rsasign(byte[] input, int pkey) throws InvalidKeyException; + public static native byte[] rsasign(byte[] input, int pkey, boolean pkcs1padding) throws InvalidKeyException; public static native String[] getIfconfig() throws IllegalArgumentException; -- cgit v1.2.3