From ea13917b41ed161f8a385ed438ee8fd3742f557b Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 1 Nov 2022 18:35:16 +0100 Subject: Add OpenSSL version in about screen --- main/src/main/cpp/CMakeLists.txt | 4 +- main/src/main/cpp/ovpnutil/jniglue.c | 3 +- main/src/main/cpp/ovpnutil/osslutil.cpp | 153 +++++++++++++++++++++ main/src/main/cpp/ovpnutil/rsapss.cpp | 146 -------------------- .../java/de/blinkt/openvpn/core/NativeUtils.java | 22 ++- .../de/blinkt/openvpn/fragments/AboutFragment.java | 4 + main/src/ui/res/layout/about.xml | 8 +- 7 files changed, 182 insertions(+), 158 deletions(-) create mode 100644 main/src/main/cpp/ovpnutil/osslutil.cpp delete mode 100644 main/src/main/cpp/ovpnutil/rsapss.cpp (limited to 'main') diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt index 3ffdc4c2..3dc1370f 100644 --- a/main/src/main/cpp/CMakeLists.txt +++ b/main/src/main/cpp/CMakeLists.txt @@ -109,8 +109,8 @@ target_compile_definitions(ovpnutil PRIVATE -DTARGET_ARCH_ABI=\"${ANDROID_ABI}\" ) target_link_libraries(ovpnutil log) -add_library(rsapss SHARED ovpnutil/rsapss.cpp) -target_link_libraries(rsapss log crypto ssl) +add_library(osslutil SHARED ovpnutil/osslutil.cpp) +target_link_libraries(osslutil log crypto ssl) if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*skeleton.*/") add_library(osslspeedtest SHARED ovpnutil/sslspeed.c) diff --git a/main/src/main/cpp/ovpnutil/jniglue.c b/main/src/main/cpp/ovpnutil/jniglue.c index 65a13406..b70deac0 100644 --- a/main/src/main/cpp/ovpnutil/jniglue.c +++ b/main/src/main/cpp/ovpnutil/jniglue.c @@ -3,7 +3,6 @@ #include #include - #include "jniglue.h" jint JNI_OnLoad(JavaVM *vm, void *reserved) { @@ -37,4 +36,4 @@ jstring Java_de_blinkt_openvpn_core_NativeUtils_getOpenVPN3GitVersion(JNIEnv *en { return (*env)->NewStringUTF(env, OPENVPN3_GIT_REVISION); -} +} \ No newline at end of file diff --git a/main/src/main/cpp/ovpnutil/osslutil.cpp b/main/src/main/cpp/ovpnutil/osslutil.cpp new file mode 100644 index 00000000..6a33338e --- /dev/null +++ b/main/src/main/cpp/ovpnutil/osslutil.cpp @@ -0,0 +1,153 @@ +/* Adapted from OpenSSL's rsa_pss.c from OpenSSL 3.0.1 */ + +/* + * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ +#include "jni.h" + +#include +#include +#include +#include + +#include + + +extern "C" jstring Java_de_blinkt_openvpn_core_NativeUtils_getOpenSSLVersionString(JNIEnv *env, jclass jo) +{ + return env->NewStringUTF(OPENSSL_VERSION_TEXT); +} + +static const unsigned char zeroes[] = {0, 0, 0, 0, 0, 0, 0, 0}; + +static char opensslerr[1024]; +extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env, + jclass, + jint hashtype, + jint MSBits, + jint rsa_size, + jbyteArray from) { + + /* + unsigned char *EM, + const unsigned char *mHash, + const EVP_MD *Hash, const EVP_MD *mgf1Hash, + int sLen) +*/ + + jbyte *data = env->GetByteArrayElements(from, nullptr); + int datalen = env->GetArrayLength(from); + + const auto *mHash = reinterpret_cast(data); + + const EVP_MD *Hash; + + if (hashtype == 0) { + Hash = EVP_md5(); + } else if (hashtype == 1) { + Hash = EVP_sha1(); + } else if (hashtype == 2) { + Hash = EVP_sha224(); + } else if (hashtype == 3) { + Hash = EVP_sha256(); + } else if (hashtype == 4) { + Hash = EVP_sha384(); + } else if (hashtype == 5) { + Hash = EVP_sha512(); + } + + const EVP_MD *mgf1Hash = Hash; + + int ret = 0; + int maskedDBLen, emLen; + unsigned char *H, *salt = nullptr, *p; + EVP_MD_CTX *ctx = nullptr; + + int hLen = EVP_MD_get_size(Hash); + int sLen = hLen; /* RSA_PSS_SALTLEN_DIGEST */ + + std::array buf{}; + unsigned char *EM = buf.data(); + + if (hLen < 0) + goto err; + + emLen = rsa_size; + if (MSBits == 0) { + *EM++ = 0; + emLen--; + } + if (emLen < hLen + 2) { + goto err; + } + if (sLen == RSA_PSS_SALTLEN_MAX) { + sLen = emLen - hLen - 2; + } else if (sLen > emLen - hLen - 2) { + goto err; + } + + if (sLen > 0) { + salt = (unsigned char *) OPENSSL_malloc(sLen); + if (salt == nullptr) { + goto err; + } + if (RAND_bytes_ex(nullptr, salt, sLen, 0) <= 0) + goto err; + } + maskedDBLen = emLen - hLen - 1; + H = EM + maskedDBLen; + ctx = EVP_MD_CTX_new(); + if (ctx == nullptr) + goto err; + if (!EVP_DigestInit_ex(ctx, Hash, nullptr) + || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) + || !EVP_DigestUpdate(ctx, mHash, hLen)) + goto err; + if (sLen && !EVP_DigestUpdate(ctx, salt, sLen)) + goto err; + if (!EVP_DigestFinal_ex(ctx, H, nullptr)) + goto err; + + /* Generate dbMask in place then perform XOR on it */ + if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) + goto err; + + p = EM; + + /* + * Initial PS XORs with all zeroes which is a NOP so just update pointer. + * Note from a test above this value is guaranteed to be non-negative. + */ + p += emLen - sLen - hLen - 2; + *p++ ^= 0x1; + if (sLen > 0) { + for (int i = 0; i < sLen; i++) + *p++ ^= salt[i]; + } + if (MSBits) + EM[0] &= 0xFF >> (8 - MSBits); + + /* H is already in place so just set final 0xbc */ + + EM[emLen - 1] = 0xbc; + + ret = 1; + + err: + EVP_MD_CTX_free(ctx); + OPENSSL_clear_free(salt, (size_t) sLen); /* salt != NULL implies sLen > 0 */ + + + jbyteArray jb; + + jb = env->NewByteArray(emLen); + + env->SetByteArrayRegion(jb, 0, emLen, (jbyte *) EM); + + return jb; +} \ No newline at end of file diff --git a/main/src/main/cpp/ovpnutil/rsapss.cpp b/main/src/main/cpp/ovpnutil/rsapss.cpp deleted file mode 100644 index 112c2fe4..00000000 --- a/main/src/main/cpp/ovpnutil/rsapss.cpp +++ /dev/null @@ -1,146 +0,0 @@ -/* Adapted from OpenSSL's rsa_pss.c from OpenSSL 3.0.1 */ - -/* - * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ -#include "jni.h" - -#include -#include -#include - -#include - -static const unsigned char zeroes[] = {0, 0, 0, 0, 0, 0, 0, 0}; - -static char opensslerr[1024]; -extern "C" jbyteArray Java_de_blinkt_openvpn_core_NativeUtils_rsapss(JNIEnv *env, - jclass, - jint hashtype, - jint MSBits, - jint rsa_size, - jbyteArray from) { - - /* - unsigned char *EM, - const unsigned char *mHash, - const EVP_MD *Hash, const EVP_MD *mgf1Hash, - int sLen) -*/ - - jbyte *data = env->GetByteArrayElements(from, nullptr); - int datalen = env->GetArrayLength(from); - - const auto *mHash = reinterpret_cast(data); - - const EVP_MD *Hash; - - if (hashtype == 0) { - Hash = EVP_md5(); - } else if (hashtype == 1) { - Hash = EVP_sha1(); - } else if (hashtype == 2) { - Hash = EVP_sha224(); - } else if (hashtype == 3) { - Hash = EVP_sha256(); - } else if (hashtype == 4) { - Hash = EVP_sha384(); - } else if (hashtype == 5) { - Hash = EVP_sha512(); - } - - const EVP_MD *mgf1Hash = Hash; - - int ret = 0; - int maskedDBLen, emLen; - unsigned char *H, *salt = nullptr, *p; - EVP_MD_CTX *ctx = nullptr; - - int hLen = EVP_MD_get_size(Hash); - int sLen = hLen; /* RSA_PSS_SALTLEN_DIGEST */ - - std::array buf{}; - unsigned char *EM = buf.data(); - - if (hLen < 0) - goto err; - - emLen = rsa_size; - if (MSBits == 0) { - *EM++ = 0; - emLen--; - } - if (emLen < hLen + 2) { - goto err; - } - if (sLen == RSA_PSS_SALTLEN_MAX) { - sLen = emLen - hLen - 2; - } else if (sLen > emLen - hLen - 2) { - goto err; - } - - if (sLen > 0) { - salt = (unsigned char *) OPENSSL_malloc(sLen); - if (salt == nullptr) { - goto err; - } - if (RAND_bytes_ex(nullptr, salt, sLen, 0) <= 0) - goto err; - } - maskedDBLen = emLen - hLen - 1; - H = EM + maskedDBLen; - ctx = EVP_MD_CTX_new(); - if (ctx == nullptr) - goto err; - if (!EVP_DigestInit_ex(ctx, Hash, nullptr) - || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes)) - || !EVP_DigestUpdate(ctx, mHash, hLen)) - goto err; - if (sLen && !EVP_DigestUpdate(ctx, salt, sLen)) - goto err; - if (!EVP_DigestFinal_ex(ctx, H, nullptr)) - goto err; - - /* Generate dbMask in place then perform XOR on it */ - if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) - goto err; - - p = EM; - - /* - * Initial PS XORs with all zeroes which is a NOP so just update pointer. - * Note from a test above this value is guaranteed to be non-negative. - */ - p += emLen - sLen - hLen - 2; - *p++ ^= 0x1; - if (sLen > 0) { - for (int i = 0; i < sLen; i++) - *p++ ^= salt[i]; - } - if (MSBits) - EM[0] &= 0xFF >> (8 - MSBits); - - /* H is already in place so just set final 0xbc */ - - EM[emLen - 1] = 0xbc; - - ret = 1; - - err: - EVP_MD_CTX_free(ctx); - OPENSSL_clear_free(salt, (size_t) sLen); /* salt != NULL implies sLen > 0 */ - - - jbyteArray jb; - - jb = env->NewByteArray(emLen); - - env->SetByteArrayRegion(jb, 0, emLen, (jbyte *) EM); - - return jb; -} \ No newline at end of file diff --git a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java index 72b2b784..9bfa5e67 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java +++ b/main/src/main/java/de/blinkt/openvpn/core/NativeUtils.java @@ -30,18 +30,28 @@ public class NativeUtils { public static native String getOpenVPN3GitVersion(); - static boolean rsspssloaded = false; + private static native String getOpenSSLVersionString(); + + public static String getOpenSSLVersion() { + loadOsslUtil(); + return getOpenSSLVersionString(); + } + + static boolean osslutilloaded = false; public static byte[] addRssPssPadding(int hashtype, int MSBits, int rsa_size, byte[] from) { - if (!rsspssloaded) { - rsspssloaded = true; - System.loadLibrary("rsapss"); - } - + loadOsslUtil(); return rsapss(hashtype, MSBits, rsa_size, from); } + private static void loadOsslUtil() { + if (!osslutilloaded) { + osslutilloaded = true; + System.loadLibrary("osslutil"); + } + } + private static native byte[] rsapss(int hashtype, int MSBits, int rsa_size, byte[] from); public final static int[] openSSLlengths = { diff --git a/main/src/ui/java/de/blinkt/openvpn/fragments/AboutFragment.java b/main/src/ui/java/de/blinkt/openvpn/fragments/AboutFragment.java index 240fbe06..182c1a56 100644 --- a/main/src/ui/java/de/blinkt/openvpn/fragments/AboutFragment.java +++ b/main/src/ui/java/de/blinkt/openvpn/fragments/AboutFragment.java @@ -83,9 +83,13 @@ public class AboutFragment extends Fragment implements View.OnClickListener { TextView verO2 = v.findViewById(R.id.version_ovpn2); TextView verO3 = v.findViewById(R.id.version_ovpn3); + TextView osslVer = v.findViewById(R.id.openssl_version); verO2.setText(String.format(Locale.US, "OpenVPN version: %s", NativeUtils.getOpenVPN2GitVersion())); verO3.setText(String.format(Locale.US, "OpenVPN3 core version: %s", NativeUtils.getOpenVPN3GitVersion())); + osslVer.setText(String.format(Locale.US, "OpenSSL version: %s", NativeUtils.getOpenSSLVersion())); + + /* recreating view without onCreate/onDestroy cycle */ TextView translation = (TextView) v.findViewById(R.id.translation); diff --git a/main/src/ui/res/layout/about.xml b/main/src/ui/res/layout/about.xml index fb2497ff..cd482996 100644 --- a/main/src/ui/res/layout/about.xml +++ b/main/src/ui/res/layout/about.xml @@ -45,9 +45,13 @@ android:id="@+id/version_ovpn3" android:layout_width="match_parent" android:layout_height="wrap_content" - android:layout_marginBottom="12sp" tools:text="OpenVPN3 core version 8df8718283" /> - +