From 15d61fae315d24c0abfcc1f6b3934f56e701fda6 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Thu, 12 Dec 2019 00:32:53 +0100
Subject: Fix TLS 1.3 and TLS 1.2 with Android 4.1 (jelly bean)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For a colleague who really wanted it:
 "Oh come on, it's a simple fix. Simply fix 10 year old software a bit. 😜"
---
 main/src/main/cpp/jbcrypto/jbcrypto.cpp                    | 10 ++++++----
 main/src/main/java/de/blinkt/openvpn/VpnProfile.java       |  6 +++---
 main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java |  2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)

(limited to 'main')

diff --git a/main/src/main/cpp/jbcrypto/jbcrypto.cpp b/main/src/main/cpp/jbcrypto/jbcrypto.cpp
index 93a17d95..2ac52120 100644
--- a/main/src/main/cpp/jbcrypto/jbcrypto.cpp
+++ b/main/src/main/cpp/jbcrypto/jbcrypto.cpp
@@ -28,10 +28,11 @@ struct EVP_PKEY
   } pkey;
 };
 
-# define RSA_PKCS1_PADDING       1
+#define RSA_PKCS1_PADDING       1
+#define RSA_NO_PADDING		3
 
 extern "C" {
-    jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign(JNIEnv* env, jclass, jbyteArray from, jint pkeyRef);
+    jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign(JNIEnv* env, jclass, jbyteArray from, jint pkeyRef, jboolean pkcs1padding);
     int jniThrowException(JNIEnv* env, const char* className, const char* msg);
 
     int (*RSA_size_dyn)(const RSA *);
@@ -65,7 +66,7 @@ int jniThrowException(JNIEnv* env, const char* className, const char* msg) {
 }
 
 static char opensslerr[1024];
-jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass, jbyteArray from, jint pkeyRef) {
+jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass, jbyteArray from, jint pkeyRef, jboolean pkcs1padding) {
 
 
 	//	EVP_MD_CTX* ctx = reinterpret_cast<EVP_MD_CTX*>(ctxRef);
@@ -96,7 +97,8 @@ jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsasign (JNIEnv* env, jclass,
         sigret, &siglen, pkey->pkey.rsa) <= 0 ) */
 
     RSA_private_encrypt_dyn=(int (*)(int, const unsigned char *, unsigned char *, RSA *, int)) dlsym(RTLD_DEFAULT, "RSA_private_encrypt");
-    siglen = RSA_private_encrypt_dyn(datalen,(unsigned char*) data,sigret,pkey->pkey.rsa,RSA_PKCS1_PADDING);
+    int paddding = pkcs1padding ? RSA_PKCS1_PADDING : RSA_NO_PADDING;
+    siglen = RSA_private_encrypt_dyn(datalen,(unsigned char*) data,sigret,pkey->pkey.rsa, paddding);
 
     if (siglen < 0)
 	{
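Review bot: With `RSA_NO_PADDING` the changed call performs the raw private-key operation on whatever bytes arrive from Java, and OpenSSL accepts that mode only when the input is exactly as long as the modulus, yet nothing in this hunk checks `datalen` first. A mismatch currently surfaces only through the generic `siglen < 0` path below. A guard such as `if (!pkcs1padding && datalen != RSA_size_dyn(pkey->pkey.rsa))` that throws before the call would give a clear error, assuming `RSA_size_dyn` is already resolved at this point and `sigret` is sized from it (neither is visible here). A comment like `// no padding: caller must pass an already padded block (e.g. RSA-PSS built by the TLS library)` would record why raw mode is acceptable. The local is also misspelled `paddding`, and the function body starts and ends outside the hunk.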
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index f5ba358b..bf1b995b 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -1165,7 +1165,7 @@ public class VpnProfile implements Serializable, Cloneable {
         // The Jelly Bean *evil* Hack
         // 4.2 implements the RSA/ECB/PKCS1PADDING in the OpenSSLprovider
         if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) {
-            return processSignJellyBeans(privkey, data);
+            return processSignJellyBeans(privkey, data, pkcs1padding);
         }
 
 
@@ -1204,7 +1204,7 @@ public class VpnProfile implements Serializable, Cloneable {
         }
     }
 
-    private byte[] processSignJellyBeans(PrivateKey privkey, byte[] data) {
+    private byte[] processSignJellyBeans(PrivateKey privkey, byte[] data, boolean pkcs1padding) {
         try {
             Method getKey = privkey.getClass().getSuperclass().getDeclaredMethod("getOpenSSLKey");
             getKey.setAccessible(true);
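Review bot: The new `pkcs1padding` parameter of `processSignJellyBeans` is undocumented, and passing `false` switches the native call to a raw RSA private-key operation, which is only sound when `data` is a block the caller has already padded. A short Javadoc would make that contract explicit, for example `@param pkcs1padding true to apply PKCS#1 v1.5 padding natively; false if data is already a fully padded block of the key's size`. The same applies to the public `NativeUtils.rsasign` declaration changed later in this patch, which any caller can now invoke in raw mode. The method body continues outside the hunk.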
@@ -1222,7 +1222,7 @@ public class VpnProfile implements Serializable, Cloneable {
             getPkeyContext.setAccessible(false);
 
             // 112 with TLS 1.2 (172 back with 4.3), 36 with TLS 1.0
-            return NativeUtils.rsasign(data, pkey);
+            return NativeUtils.rsasign(data, pkey, pkcs1padding);
 
         } catch (NoSuchMethodException | InvalidKeyException | InvocationTargetException | IllegalAccessException | IllegalArgumentException e) {
             VpnStatus.logError(R.string.error_rsa_sign, e.getClass().toString(), e.getLocalizedMessage());
diff --git a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
index ecf27ef5..d6c1cdb9 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java
@@ -11,7 +11,7 @@ import de.blinkt.openvpn.BuildConfig;
 import java.security.InvalidKeyException;
 
 public class NativeUtils {
-    public static native byte[] rsasign(byte[] input, int pkey) throws InvalidKeyException;
+    public static native byte[] rsasign(byte[] input, int pkey, boolean pkcs1padding) throws InvalidKeyException;
 
     public static native String[] getIfconfig() throws IllegalArgumentException;
 
-- 
cgit v1.2.3