From c0b51141a76b23f05e809d133fdf627b3b4c09bb Mon Sep 17 00:00:00 2001
From: Christian Schneppe
Date: Mon, 1 Oct 2018 10:59:54 +0200
Subject: use conscrypt as security provider to provide tls 1.3 and modern cyphers on old androids

---
 .../messenger/services/XmppConnectionService.java | 5 ++--
 .../de/pixart/messenger/utils/SSLSocketHelper.java | 29 +++++++++++-----------
 .../pixart/messenger/utils/TLSSocketFactory.java | 20 ++++++---------
 .../de/pixart/messenger/xmpp/XmppConnection.java | 4 +++
 4 files changed, 29 insertions(+), 29 deletions(-)
(limited to 'src/main/java/de/pixart')

diff --git a/src/main/java/de/pixart/messenger/services/XmppConnectionService.java b/src/main/java/de/pixart/messenger/services/XmppConnectionService.java
index 132ede7b6..93b9fc3aa 100644
--- a/src/main/java/de/pixart/messenger/services/XmppConnectionService.java
+++ b/src/main/java/de/pixart/messenger/services/XmppConnectionService.java
@@ -47,12 +47,14 @@ import net.java.otr4j.session.SessionID;
 import net.java.otr4j.session.SessionImpl;
 import net.java.otr4j.session.SessionStatus;
+import org.conscrypt.Conscrypt;
 import org.openintents.openpgp.IOpenPgpService2;
 import org.openintents.openpgp.util.OpenPgpApi;
 import org.openintents.openpgp.util.OpenPgpServiceConnection;
 import java.net.URL;
 import java.security.SecureRandom;
+import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.text.SimpleDateFormat;
@@ -125,7 +127,6 @@ import de.pixart.messenger.utils.ExceptionHelper;
 import de.pixart.messenger.utils.MimeUtils;
 import de.pixart.messenger.utils.Namespace;
 import de.pixart.messenger.utils.OnPhoneContactsLoadedListener;
-import de.pixart.messenger.utils.PRNGFixes;
 import de.pixart.messenger.utils.PhoneHelper;
 import de.pixart.messenger.utils.QuickLoader;
 import de.pixart.messenger.utils.ReplacingSerialSingleThreadExecutor;
@@ -1100,7 +1101,7 @@ public class XmppConnectionService extends Service {
 public void onCreate() {
 OmemoSetting.load(this);
 ExceptionHelper.init(getApplicationContext());
- PRNGFixes.apply();
+ Security.insertProviderAt(Conscrypt.newProvider(), 1);
 Resolver.init(this);
 this.mRandom = new SecureRandom();
 updateMemorizingTrustmanager();
diff --git a/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java b/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java
index ad3629354..f0d1c00ec 100644
--- a/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java
+++ b/src/main/java/de/pixart/messenger/utils/SSLSocketHelper.java
@@ -1,6 +1,6 @@
 package de.pixart.messenger.utils;
-import android.os.Build;
+import android.util.Log;
 import java.lang.reflect.Method;
 import java.security.NoSuchAlgorithmException;
@@ -9,12 +9,16 @@ import java.util.Collection;
 import java.util.LinkedList;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
+import de.pixart.messenger.Config;
+import de.pixart.messenger.entities.Account;
+
 public class SSLSocketHelper {
- public static void setSecurity(final SSLSocket sslSocket) throws NoSuchAlgorithmException {
+ public static void setSecurity(final SSLSocket sslSocket) {
 final String[] supportProtocols;
 final Collection supportedProtocols = new LinkedList<>(
 Arrays.asList(sslSocket.getSupportedProtocols()));
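Review bot: `Security.insertProviderAt(Conscrypt.newProvider(), 1);` runs unguarded in onCreate(); Conscrypt.newProvider() depends on its native library having loaded, and on a device or ABI where that load fails the error propagates out of service startup instead of degrading to the platform provider. Guarding it as `if (Conscrypt.isAvailable()) { Security.insertProviderAt(Conscrypt.newProvider(), 1); }` keeps the app usable with platform TLS. The same hunk drops PRNGFixes.apply() before `this.mRandom = new SecureRandom();`, so when the insert is skipped the SecureRandom comes from the platform provider again and the old-Android PRNG weakness the removed helper addressed should be re-evaluated for the minimum supported API level. onCreate() continues outside the hunk.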
@@ -31,14 +35,8 @@ public class SSLSocketHelper {
 }
 public static void setSNIHost(final SSLSocketFactory factory, final SSLSocket socket, final String hostname) {
- if (factory instanceof android.net.SSLCertificateSocketFactory && android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.JELLY_BEAN_MR1) {
+ if (factory instanceof android.net.SSLCertificateSocketFactory) {
 ((android.net.SSLCertificateSocketFactory) factory).setHostname(socket, hostname);
- } else {
- try {
- socket.getClass().getMethod("setHostname", String.class).invoke(socket, hostname);
- } catch (Throwable e) {
- // ignore any error, we just can't set the hostname...
- }
 }
 }
@@ -64,10 +62,11 @@ public class SSLSocketHelper {
 }
 public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
- if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
- return SSLContext.getInstance("TLSv1.2");
- } else {
- return SSLContext.getInstance("TLS");
- }
+ return SSLContext.getInstance("TLSv1.3");
+ }
+
+ public static void log(Account account, SSLSocket socket) {
+ SSLSession session = socket.getSession();
+ Log.d(Config.LOGTAG, account.getJid().asBareJid() + ": protocol=" + session.getProtocol() + " cipher=" + session.getCipherSuite());
 }
-}
+}
\ No newline at end of file
diff --git a/src/main/java/de/pixart/messenger/utils/TLSSocketFactory.java b/src/main/java/de/pixart/messenger/utils/TLSSocketFactory.java
index cfefbd93d..84b361dea 100644
--- a/src/main/java/de/pixart/messenger/utils/TLSSocketFactory.java
+++ b/src/main/java/de/pixart/messenger/utils/TLSSocketFactory.java
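Review bot: With the reflective setHostname fallback removed, setSNIHost only sets SNI when the factory is an android.net.SSLCertificateSocketFactory; after this commit TLSSocketFactory builds its sockets from a Conscrypt-backed SSLContext, so that branch is presumably never taken and a socket wrapped from an existing plain Socket gets no SNI unless it is set elsewhere. Conscrypt exposes this directly, e.g. `} else if (Conscrypt.isConscrypt(socket)) { Conscrypt.setHostname(socket, hostname); }`. Without SNI a server that hosts several domains may present the wrong certificate, which then fails the hostname check, so the behaviour is worth confirming on a device below the API level where the platform factory took over.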
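Review bot: `return SSLContext.getInstance("TLSv1.3");` has no fallback: if the Conscrypt provider was not installed (for example because its native load failed), the platform provider on older Android does not register that protocol name, NoSuchAlgorithmException propagates into the TLSSocketFactory constructor and no TLS connection can be built at all, whereas the removed code fell back to "TLS". Falling back to the generic "TLS" context keeps connectivity, and the protocol whitelist applied per socket in setSecurity still decides which versions are actually negotiated. Separately, the new log() calls `socket.getSession()`, which on a socket whose handshake has not completed will start the handshake and, on failure, return an invalid session, so it must only be called after the handshake has finished — a one-line Javadoc note on log() would make that precondition explicit for future callers.
```java
    public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
        try {
            return SSLContext.getInstance("TLSv1.3");
        } catch (NoSuchAlgorithmException e) {
            // Conscrypt not installed (or its native load failed): use the platform default context
            return SSLContext.getInstance("TLS");
        }
    }
    // … unchanged: log(Account, SSLSocket) …
```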
@@ -17,11 +17,18 @@ public class TLSSocketFactory extends SSLSocketFactory {
 private final SSLSocketFactory internalSSLSocketFactory;
 public TLSSocketFactory(X509TrustManager[] trustManager, SecureRandom random) throws KeyManagementException, NoSuchAlgorithmException {
- SSLContext context = SSLContext.getInstance("TLS");
+ SSLContext context = SSLSocketHelper.getSSLContext();
 context.init(null, trustManager, random);
 this.internalSSLSocketFactory = context.getSocketFactory();
 }
+ private static Socket enableTLSOnSocket(Socket socket) {
+ if (socket != null && (socket instanceof SSLSocket)) {
+ SSLSocketHelper.setSecurity((SSLSocket) socket);
+ }
+ return socket;
+ }
+
 @Override
 public String[] getDefaultCipherSuites() {
 return CryptoHelper.getOrderedCipherSuites(internalSSLSocketFactory.getDefaultCipherSuites());
@@ -56,15 +63,4 @@ public class TLSSocketFactory extends SSLSocketFactory {
 public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
 return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
 }
-
- private static Socket enableTLSOnSocket(Socket socket) {
- if(socket != null && (socket instanceof SSLSocket)) {
- try {
- SSLSocketHelper.setSecurity((SSLSocket) socket);
- } catch (NoSuchAlgorithmException e) {
- //ignoring
- }
- }
- return socket;
- }
 }
\ No newline at end of file
diff --git a/src/main/java/de/pixart/messenger/xmpp/XmppConnection.java b/src/main/java/de/pixart/messenger/xmpp/XmppConnection.java
index cbfdbc365..aee945d21 100644
--- a/src/main/java/de/pixart/messenger/xmpp/XmppConnection.java
+++ b/src/main/java/de/pixart/messenger/xmpp/XmppConnection.java
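Review bot: In the relocated enableTLSOnSocket, `socket != null && (socket instanceof SSLSocket)` can be written as `if (socket instanceof SSLSocket) {`, since instanceof is already false for null and the extra parenthesised operand reads as if a different test were intended. A one-line comment on the method would also help, e.g. `// Applies the per-socket protocol/cipher policy from SSLSocketHelper; non-TLS sockets pass through untouched.` The constructor now obtains its context from SSLSocketHelper.getSSLContext(), so any NoSuchAlgorithmException from an unsupported protocol name surfaces here as a constructor failure rather than being handled, which the declared throws clause passes on to the caller.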
@@ -482,6 +482,9 @@ public class XmppConnection implements Runnable {
 if (Thread.currentThread().isInterrupted()) {
 throw new InterruptedException();
 }
+ if (socket instanceof SSLSocket) {
+ SSLSocketHelper.log(account, (SSLSocket) socket);
+ }
 return tag != null && tag.isStart("stream");
 }
@@ -881,6 +884,7 @@ public class XmppConnection implements Runnable {
 features.encryptionEnabled = true;
 final Tag tag = tagReader.readTag();
 if (tag != null && tag.isStart("stream")) {
+ SSLSocketHelper.log(account, sslSocket);
 processStream();
 } else {
 throw new IOException("server didn't restart stream after STARTTLS");
-- 
cgit v1.2.3