Implement tls-cert-profile in profile and parser

2024-09-19 19:42:29 +02:00 · 2021-10-15 01:31:14 +02:00 · 2021-10-15 01:31:14 +02:00 · 90ba71780c
commit 90ba71780c
parent 9ca366fb2d
8 changed files with 29 additions and 7 deletions
--- a/main/src/main/cpp/CMakeLists.txt
+++ b/main/src/main/cpp/CMakeLists.txt
@ -91,7 +91,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
            -DNO_ROUTE_EXCLUDE_EMULATION
            -DOPENVPN_SHOW_SESSION_TOKEN
            -DOPENSSL_API_COMPAT=0x10200000L
-
+            -DOPENVPN_ALLOW_INSECURE_CERTPROFILE
            )
 else ()
    message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
--- a/main/src/main/cpp/openvpn
+++ b/main/src/main/cpp/openvpn
@ -1 +1 @@
-Subproject commit 6857da80d8ac395e457df4f8ea5d7d9260137a0e
+Subproject commit 5800c9b4ee989e4b27428669af0a36353d377612
--- a/main/src/main/cpp/openvpn3
+++ b/main/src/main/cpp/openvpn3
@ -1 +1 @@
-Subproject commit dfa16e552e3dca8aa11766a5db0c097060c8a7d3
+Subproject commit d5c5efaf01aaf5317de4900a78558ca53761bbfb
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable {

            if (mUseLegacyProvider)
                cfg.append("provider legacy:default\n");
+
+            if (!TextUtils.isEmpty(mTlSCertProfile))
+                cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));
        } else {
            cfg.append("# Config for OpenVPN 3 C++\n");
        }
--- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@ -546,6 +546,21 @@ public class ConfigParser {
        {
            np.mDataCiphers = ncp_ciphers.get(1);
        }
+        Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1);
+        if (tls_cert_profile != null)
+        {
+            String profile = tls_cert_profile.get(1);
+            for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) {
+                if (choice.equals(profile)) {
+                    np.mTlSCertProfile = profile;
+                    break;
+                }
+            }
+            if (!profile.equals(np.mTlSCertProfile))
+            {
+                throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
+            }
+        }


        Vector<String> compatmode = getOption("compat-mode", 1, 1);
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@ -442,9 +442,7 @@
        MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.&lt;/p>&lt;p>
        You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
        near future.&lt;/p>
-        &lt;p>If you really want to use old and broken certificates use the custom
-        configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
-        imported configuration&lt;/p>
+        &lt;p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile&lt;/p>
    </string>
    <string name="volume_byte">%.0f B</string>
    <string name="volume_kbyte">%.1f kB</string>
@ -499,7 +497,7 @@
    <string name="check_peer_fingerprint">Check peer certificate fingerprint</string>
    <string name="fingerprint">(Enter the SHA256 fingerprint of the server certificate(s))</string>
    <string name="proxy_info">HTTP Proxy: %1$s %2$d</string>
-    <string name="use_alwayson_vpn">Please you the Always-On Feature of Android to enable VPN at boot time.</string>
+    <string name="use_alwayson_vpn">Please use the Always-On Feature of Android to enable VPN at boot time.</string>
    <string name="open_vpn_settings">Open VPN Settings</string>
    <string name="trigger_pending_auth_dialog">Press here open a window to enter additional required authentication</string>
    <string name="compatmode">Compatibility Mode</string>
--- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@ -3,6 +3,7 @@ package de.blinkt.openvpn.core;
 import android.annotation.SuppressLint;
 import android.content.Context;
 import android.provider.Settings;
+import android.text.TextUtils;

 import net.openvpn.ovpn3.ClientAPI_Config;
 import net.openvpn.ovpn3.ClientAPI_EvalConfig;
@ -183,6 +184,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
        boolean retryOnAuthFailed = mVp.mAuthRetry == AUTH_RETRY_NOINTERACT;
        config.setRetryOnAuthFailed(retryOnAuthFailed);
        config.setEnableLegacyAlgorithms(mVp.mUseLegacyProvider);
+        if (!TextUtils.isEmpty(mVp.mTlSCertProfile))
+            config.setTlsCertProfileOverride(mVp.mTlSCertProfile);

        ClientAPI_EvalConfig ec = eval_config(config);
        if (ec.getExternalPki()) {
--- a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
+++ b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
@ -302,6 +302,9 @@ object Utils {
        if (vp.mCompatMode > 0 )
            warnings.add("compat mode enabled")

+        if ("insecure".equals(vp.mTlSCertProfile))
+            warnings.add("low security (TLS security profile 'insecure' selected)");
+
        var cipher= vp.mCipher.toUpperCase(Locale.ROOT)
        if (cipher.isNullOrEmpty())
            cipher = "BF-CBC";