From fd3554ab36b8ab20e34a187afdc82ceead470739 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 22 Jul 2022 13:18:18 +0200 Subject: Update OpenVPN/OpenVPN3, use xkey in OpenVPN3 --- main/src/main/cpp/CMakeLists.txt | 7 ++- main/src/main/cpp/openvpn | 2 +- main/src/main/cpp/openvpn3 | 2 +- main/src/main/cpp/ovpnutil/rsapss.cpp | 70 +++++++++++----------- .../java/de/blinkt/openvpn/core/X509Utils.java | 8 +-- .../de/blinkt/openvpn/core/OpenVPNThreadv3.java | 6 +- 6 files changed, 49 insertions(+), 46 deletions(-) diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt index ac32fd80..0921e807 100644 --- a/main/src/main/cpp/CMakeLists.txt +++ b/main/src/main/cpp/CMakeLists.txt @@ -21,6 +21,9 @@ SET(OPENVPN3OSSL ON) SET(SSLLIBTYPE STATIC) SET(OPENSSL_PATH "openssl") +set(CMAKE_CXX_STANDARD 17) + + #add_subdirectory(lzo) include(tools.cmake) include(lzo.cmake) @@ -56,6 +59,8 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s set(ovpn3_SRCS openvpn3/client/ovpncli.cpp + openvpn3/openvpn/openssl/xkey/xkey_provider.c + openvpn3/openvpn/openssl/xkey/xkey_helper.c ovpncli_wrap.cxx) add_library(ovpn3 SHARED ${ovpn3_SRCS}) @@ -80,7 +85,6 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s target_link_libraries(ovpn3 mbedtls mbedx509 mbedcrypto lzo lz4) endif () - target_compile_options(ovpn3 PRIVATE -std=c++1y) target_compile_definitions(ovpn3 PRIVATE -DHAVE_CONFIG_H -DHAVE_LZO @@ -92,6 +96,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s -DOPENVPN_SHOW_SESSION_TOKEN -DOPENSSL_API_COMPAT=0x10200000L -DOPENVPN_ALLOW_INSECURE_CERTPROFILE + -DENABLE_EXTERNAL_PKI ) else () message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}") diff --git a/main/src/main/cpp/openvpn b/main/src/main/cpp/openvpn index 53560170..6036a5d7 160000 --- a/main/src/main/cpp/openvpn +++ b/main/src/main/cpp/openvpn @@ -1 +1 @@ -Subproject commit 53560170b95ec99dcd9f27031515f11a23370e3f +Subproject commit 6036a5d74a7afc61466fc388ec6fd20159a3d876 diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3 index 6274c08e..9f02ce16 160000 --- a/main/src/main/cpp/openvpn3 +++ b/main/src/main/cpp/openvpn3 @@ -1 +1 @@ -Subproject commit 6274c08e40b567397c92680f937953db47af50d0 +Subproject commit 9f02ce1670f75d8f3b9eb903394368fee53cd056 diff --git a/main/src/main/cpp/ovpnutil/rsapss.cpp b/main/src/main/cpp/ovpnutil/rsapss.cpp index d6346811..112c2fe4 100644 --- a/main/src/main/cpp/ovpnutil/rsapss.cpp +++ b/main/src/main/cpp/ovpnutil/rsapss.cpp @@ -16,15 +16,15 @@ #include -static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; +static const unsigned char zeroes[] = {0, 0, 0, 0, 0, 0, 0, 0}; static char opensslerr[1024]; extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env, - jclass, - jint hashtype, - jint MSBits, - jint rsa_size, - jbyteArray from) { + jclass, + jint hashtype, + jint MSBits, + jint rsa_size, + jbyteArray from) { /* unsigned char *EM, @@ -33,7 +33,7 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env int sLen) */ - jbyte *data = env->GetByteArrayElements(from, NULL); + jbyte *data = env->GetByteArrayElements(from, nullptr); int datalen = env->GetArrayLength(from); const auto *mHash = reinterpret_cast(data); @@ -41,17 +41,17 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env const EVP_MD *Hash; if (hashtype == 0) { - Hash = EVP_md5(); + Hash = EVP_md5(); } else if (hashtype == 1) { - Hash = EVP_sha1(); + Hash = EVP_sha1(); } else if (hashtype == 2) { - Hash = EVP_sha224(); + Hash = EVP_sha224(); } else if (hashtype == 3) { - Hash = EVP_sha256(); + Hash = EVP_sha256(); } else if (hashtype == 4) { - Hash = EVP_sha384(); + Hash = EVP_sha384(); } else if (hashtype == 5) { - Hash = EVP_sha512(); + Hash = EVP_sha512(); } const EVP_MD *mgf1Hash = Hash; @@ -68,47 +68,47 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env unsigned char *EM = buf.data(); if (hLen < 0) - goto err; + goto err; emLen = rsa_size; if (MSBits == 0) { - *EM++ = 0; - emLen--; + *EM++ = 0; + emLen--; } if (emLen < hLen + 2) { - goto err; + goto err; } if (sLen == RSA_PSS_SALTLEN_MAX) { - sLen = emLen - hLen - 2; + sLen = emLen - hLen - 2; } else if (sLen > emLen - hLen - 2) { - goto err; + goto err; } if (sLen > 0) { - salt = (unsigned char *) OPENSSL_malloc(sLen); - if (salt == nullptr) { - goto err; - } - if (RAND_bytes_ex(nullptr, salt, sLen, 0) <= 0) - goto err; + salt = (unsigned char *) OPENSSL_malloc(sLen); + if (salt == nullptr) { + goto err; + } + if (RAND_bytes_ex(nullptr, salt, sLen, 0) <= 0) + goto err; } maskedDBLen = emLen - hLen - 1; H = EM + maskedDBLen; ctx = EVP_MD_CTX_new(); if (ctx == nullptr) - goto err; + goto err; if (!EVP_DigestInit_ex(ctx, Hash, nullptr) - || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) - || !EVP_DigestUpdate(ctx, mHash, hLen)) - goto err; + || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) + || !EVP_DigestUpdate(ctx, mHash, hLen)) + goto err; if (sLen && !EVP_DigestUpdate(ctx, salt, sLen)) - goto err; + goto err; if (!EVP_DigestFinal_ex(ctx, H, nullptr)) - goto err; + goto err; /* Generate dbMask in place then perform XOR on it */ if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) - goto err; + goto err; p = EM; @@ -119,11 +119,11 @@ extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env p += emLen - sLen - hLen - 2; *p++ ^= 0x1; if (sLen > 0) { - for (int i = 0; i < sLen; i++) - *p++ ^= salt[i]; + for (int i = 0; i < sLen; i++) + *p++ ^= salt[i]; } if (MSBits) - EM[0] &= 0xFF >> (8 - MSBits); + EM[0] &= 0xFF >> (8 - MSBits); /* H is already in place so just set final 0xbc */ diff --git a/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java b/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java index 21a7f1ae..eeb54675 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java +++ b/main/src/main/java/de/blinkt/openvpn/core/X509Utils.java @@ -146,17 +146,11 @@ public class X509Utils { friendlyName= (String) toString.invoke(subjectName,true,defaultSymbols); - } catch (ClassNotFoundException e) { + } catch (ClassNotFoundException | IllegalAccessException | NoSuchFieldException | NoSuchMethodException e) { exp =e ; - } catch (NoSuchMethodException e) { - exp =e; } catch (InvocationTargetException e) { /* Ignore this. Modern Android versions do not expose this */ exp = null; - } catch (IllegalAccessException e) { - exp =e; - } catch (NoSuchFieldException e) { - exp =e; } if (exp!=null) { VpnStatus.logException("Getting X509 Name from certificate", exp); diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java index 780fa217..0cbd7ce5 100644 --- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java +++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java @@ -237,6 +237,9 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable VpnStatus.logDebug("Got external PKI signing request from OpenVPN core for algorithm " + signreq.getAlgorithm()); SignaturePadding padding; switch (signreq.getAlgorithm()) { + case "RSA_PKCS1_PSS_PADDING": + padding = SignaturePadding.RSA_PKCS1_PSS_PADDING; + break; case "RSA_PKCS1_PADDING": padding = SignaturePadding.RSA_PKCS1_PADDING; break; @@ -249,7 +252,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable default: throw new IllegalArgumentException("Illegal padding in sign request" + signreq.getAlgorithm()); } - signreq.setSig(mVp.getSignedData(mService, signreq.getData(), padding, "", "", false)); + boolean needDigest = !signreq.getHashalg().isEmpty(); + signreq.setSig(mVp.getSignedData(mService, signreq.getData(), padding, signreq.getSaltlen(), signreq.getHashalg(), needDigest)); } void setUserPW() { -- cgit v1.2.3