From 90ba71780c8ad851f0146e2176a9e40efe532e05 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Fri, 15 Oct 2021 01:31:14 +0200
Subject: Implement tls-cert-profile in profile and parser

---
 main/src/main/cpp/CMakeLists.txt | 2 +-
 main/src/main/cpp/openvpn | 2 +-
 main/src/main/cpp/openvpn3 | 2 +-
 main/src/main/java/de/blinkt/openvpn/VpnProfile.java | 3 +++
 .../main/java/de/blinkt/openvpn/core/ConfigParser.java | 15 +++++++++++++++
 main/src/main/res/values/strings.xml | 6 ++----
 .../ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java | 3 +++
 main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt | 3 +++
 8 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt
index a4689802..1a1176bd 100644
--- a/main/src/main/cpp/CMakeLists.txt
+++ b/main/src/main/cpp/CMakeLists.txt
@@ -91,7 +91,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
                  -DNO_ROUTE_EXCLUDE_EMULATION
                  -DOPENVPN_SHOW_SESSION_TOKEN
                  -DOPENSSL_API_COMPAT=0x10200000L
-
+                 -DOPENVPN_ALLOW_INSECURE_CERTPROFILE
                  )
 else ()
     message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
diff --git a/main/src/main/cpp/openvpn b/main/src/main/cpp/openvpn
index 6857da80..5800c9b4 160000
--- a/main/src/main/cpp/openvpn
+++ b/main/src/main/cpp/openvpn
@@ -1 +1 @@
-Subproject commit 6857da80d8ac395e457df4f8ea5d7d9260137a0e
+Subproject commit 5800c9b4ee989e4b27428669af0a36353d377612
diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3
index dfa16e55..d5c5efaf 160000
--- a/main/src/main/cpp/openvpn3
+++ b/main/src/main/cpp/openvpn3
@@ -1 +1 @@
-Subproject commit dfa16e552e3dca8aa11766a5db0c097060c8a7d3
+Subproject commit d5c5efaf01aaf5317de4900a78558ca53761bbfb
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 84e7975d..fd30ea5a 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
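Review bot: `-DOPENVPN_ALLOW_INSECURE_CERTPROFILE` is added with no comment explaining why it is compiled in, and it sits in the `if (NOT ... MATCHES ...)` branch that produces the shipped library, so every build now carries the ability to select the "insecure" TLS certificate profile. Presumably the core keeps its usual profile unless `setTlsCertProfileOverride` is called from OpenVPNThreadv3.java, but that is an assumption to confirm against the openvpn3 submodule rather than something this hunk shows. A one-line comment above the define would make the intent reviewable later: `# compile in the "insecure" tls-cert-profile so a user can explicitly opt in to legacy (SHA1) certificates per VPN profile`. The removed line is blank, so the net change is only the new define.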
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable {
             if (mUseLegacyProvider)
                 cfg.append("provider legacy:default\n");
+
+            if (!TextUtils.isEmpty(mTlSCertProfile))
+                cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));
         } else {
             cfg.append("# Config for OpenVPN 3 C++\n");
         }
diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index a1b1bcb6..4126f65c 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@@ -546,6 +546,21 @@ public class ConfigParser {
         {
             np.mDataCiphers = ncp_ciphers.get(1);
         }
+        Vector tls_cert_profile = getOption("tls-cert-profile", 1, 1);
+        if (tls_cert_profile != null)
+        {
+            String profile = tls_cert_profile.get(1);
+            for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) {
+                if (choice.equals(profile)) {
+                    np.mTlSCertProfile = profile;
+                    break;
+                }
+            }
+            if (!profile.equals(np.mTlSCertProfile))
+            {
+                throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
+            }
+        }
         Vector compatmode = getOption("compat-mode", 1, 1);
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index b82d70ca..6dc900a9 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
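Review bot: `mTlSCertProfile` is written verbatim into the generated config through `String.format("tls-cert-profile %s\n", mTlSCertProfile)` with only an emptiness check, and OpenVPNThreadv3.java passes the same field straight to `setTlsCertProfileOverride` in the same way. The accepted set (insecure/preferred/legacy/suiteb) is enforced only in ConfigParser.java, so a profile whose field was filled by another path — the UI selector that strings.xml now refers to, or a profile restored from storage — reaches the config unchecked, and an unexpected value would land in the config line unescaped rather than being rejected. Either validate against the same list here before appending, or pin the invariant on the field with a comment such as `// TLS cert profile name; must be one of the values ConfigParser accepts, never free text — written unescaped into the config`. The enclosing method starts and ends outside the hunk.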
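Review bot: The validity check is expressed indirectly — the loop stores `np.mTlSCertProfile` on a match and the later `!profile.equals(np.mTlSCertProfile)` infers that no match happened, which only holds because the field cannot already hold an unlisted value; a direct membership test says the same thing more plainly and keeps the assignment out of the loop. Replacing the loop and the second `if` with `if (!Arrays.asList("insecure", "preferred", "legacy", "suiteb").contains(profile)) throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");` followed by `np.mTlSCertProfile = profile;` does that (add `import java.util.Arrays;` if the file does not already have it). This literal array is also the only place the accepted set lives, while VpnProfile.java and OpenVPNThreadv3.java pass the field through unchecked, so a shared constant on VpnProfile would keep the three in step. The enclosing method continues outside the hunk.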
@@ -442,9 +442,7 @@ MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.</p><p> You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the near future.</p>
-    <p>If you really want to use old and broken certificates use the custom
-    configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
-    imported configuration</p>
+    <p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile</p>
 %.0f B %.1f kB
@@ -499,7 +497,7 @@ Check peer certificate fingerprint (Enter the SHA256 fingerprint of the server certificate(s)) HTTP Proxy: %1$s %2$d
-    Please you the Always-On Feature of Android to enable VPN at boot time.
+    Please use the Always-On Feature of Android to enable VPN at boot time.
 Open VPN Settings Press here open a window to enter additional required authentication Compatibility Mode
diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
index 1e49f2e6..da652ef9 100644
--- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -3,6 +3,7 @@ package de.blinkt.openvpn.core;
 import android.annotation.SuppressLint;
 import android.content.Context;
 import android.provider.Settings;
+import android.text.TextUtils;
 import net.openvpn.ovpn3.ClientAPI_Config;
 import net.openvpn.ovpn3.ClientAPI_EvalConfig;
@@ -183,6 +184,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
         boolean retryOnAuthFailed = mVp.mAuthRetry == AUTH_RETRY_NOINTERACT;
         config.setRetryOnAuthFailed(retryOnAuthFailed);
         config.setEnableLegacyAlgorithms(mVp.mUseLegacyProvider);
+        if (!TextUtils.isEmpty(mVp.mTlSCertProfile))
+            config.setTlsCertProfileOverride(mVp.mTlSCertProfile);
         ClientAPI_EvalConfig ec = eval_config(config);
         if (ec.getExternalPki()) {
diff --git a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
index 8756b5b0..2130cdef 100644
--- a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
+++ b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
@@ -302,6 +302,9 @@ object Utils {
         if (vp.mCompatMode > 0 )
             warnings.add("compat mode enabled")
+        if ("insecure".equals(vp.mTlSCertProfile))
+            warnings.add("low security (TLS security profile 'insecure' selected)");
+
         var cipher= vp.mCipher.toUpperCase(Locale.ROOT)
         if (cipher.isNullOrEmpty())
             cipher = "BF-CBC";
-- 
cgit v1.2.3
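Review bot: `"insecure".equals(vp.mTlSCertProfile)` followed by a semicolon is Java phrasing in a Kotlin file; Kotlin's `==` is null-safe structural equality, so `if (vp.mTlSCertProfile == "insecure")` and `warnings.add("low security (TLS security profile 'insecure' selected)")` without the `;` match the surrounding `warnings.add("compat mode enabled")` line (the file is already inconsistent, as `cipher = "BF-CBC";` shows). Surfacing the warning is worthwhile, since ConfigParser.java accepts "insecure" from an imported config without any other signal to the user. The enclosing function starts and ends outside the hunk.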