mirror/monocles_chat_clean
1
0
Fork 1
Code Activity

Add option to enforce secure TLS ciphers

Browse source
This commit is contained in:
Arne 2024-12-28 23:57:27 +01:00
parent 3bf652a432
commit d39b72513b
7 changed files with 56 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/main/java/eu/siacs/conversations/AppSettings.java
View file

@ -49,9 +49,9 @@ public class AppSettings {
public static final String SHOW_LINK_PREVIEWS = "show_link_previews"; public static final String SHOW_LINK_PREVIEWS = "show_link_previews";
public static final String SHOW_AVATARS = "show_avatars"; public static final String SHOW_AVATARS = "show_avatars";
public static final String CALL_INTEGRATION = "call_integration"; public static final String CALL_INTEGRATION = "call_integration";
private static final String ACCEPT_INVITES_FROM_STRANGERS = "accept_invites_from_strangers"; private static final String ACCEPT_INVITES_FROM_STRANGERS = "accept_invites_from_strangers";
private static final String INSTALLATION_ID = "im.conversations.android.install_id"; private static final String INSTALLATION_ID = "im.conversations.android.install_id";
public static final String SECURE_TLS = "secure_tls";
private final Context context; private final Context context;
@ -124,6 +124,10 @@ public class AppSettings {
return getBooleanPreference(SHOW_AVATARS, R.bool.show_avatars); return getBooleanPreference(SHOW_AVATARS, R.bool.show_avatars);
} }
public boolean isSecureTLS() {
return getBooleanPreference(SECURE_TLS, R.bool.secure_tls);
}
public boolean isCallIntegration() { public boolean isCallIntegration() {
return getBooleanPreference(CALL_INTEGRATION, R.bool.call_integration); return getBooleanPreference(CALL_INTEGRATION, R.bool.call_integration);
} }

24
src/main/java/eu/siacs/conversations/Config.java
View file

@ -163,15 +163,15 @@ public final class Config {
//only allow secure tls chipers now //only allow secure tls chipers now
public static final String[] ENABLED_CIPHERS = { public static final String[] ENABLED_CIPHERS = {
//post quantum key agreement with traditional encryption
"TLS_ECDHE_KYBER_WITH_CHACHA20_POLY1305_SHA256",
//pre shared key for resource constrained devices (e.g. Alexa, IoT)
// with post quantum encryption
"TLS_PSK_WITH_AES_128_GCM_SHA256",
//TLS 1.3 //TLS 1.3
"TLS_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256",
//post quantum key agreement with traditional encryption
"TLS_ECDHE_KYBER_WITH_CHACHA20_POLY1305_SHA256",
//pre shared key for resource constrained devices (e.g. Alexa, IoT)
// with post quantum encryption
"TLS_PSK_WITH_AES_128_GCM_SHA256",
//TLS 1.2 with traditional key agreement and encryption //TLS 1.2 with traditional key agreement and encryption
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
@ -181,6 +181,20 @@ public final class Config {
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}; };
public static final String[] SECURE_CIPHERS = {
//post quantum key agreement with traditional encryption
"TLS_ECDHE_KYBER_WITH_CHACHA20_POLY1305_SHA256",
//pre shared key for resource constrained devices (e.g. Alexa, IoT)
// with post quantum encryption
"TLS_PSK_WITH_AES_128_GCM_SHA256",
//TLS 1.3
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
};
public static final String[] WEAK_CIPHER_PATTERNS = { public static final String[] WEAK_CIPHER_PATTERNS = {
"_NULL_", "_NULL_",
"_EXPORT_", "_EXPORT_",

2
src/main/java/eu/siacs/conversations/ui/fragment/settings/SecuritySettingsFragment.java
View file

@ -73,7 +73,7 @@ public class SecuritySettingsFragment extends XmppPreferenceFragment {
requireService().updateMemorizingTrustManager(); requireService().updateMemorizingTrustManager();
reconnectAccounts(); reconnectAccounts();
} }
case AppSettings.DANE_ENFORCED, AppSettings.REQUIRE_CHANNEL_BINDING -> { case AppSettings.DANE_ENFORCED, AppSettings.REQUIRE_CHANNEL_BINDING, AppSettings.SECURE_TLS -> {
reconnectAccounts(); reconnectAccounts();
} }
case AppSettings.AUTOMATIC_MESSAGE_DELETION -> { case AppSettings.AUTOMATIC_MESSAGE_DELETION -> {

29
src/main/java/eu/siacs/conversations/utils/CryptoHelper.java
View file

@ -31,12 +31,15 @@ import java.util.LinkedHashSet;
import java.util.List; import java.util.List;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import eu.siacs.conversations.AppSettings;
import eu.siacs.conversations.Conversations;
import io.ipfs.cid.Cid; import io.ipfs.cid.Cid;
import io.ipfs.multihash.Multihash; import io.ipfs.multihash.Multihash;
import eu.siacs.conversations.Config; import eu.siacs.conversations.Config;
import eu.siacs.conversations.R; import eu.siacs.conversations.R;
import eu.siacs.conversations.entities.Account; import eu.siacs.conversations.entities.Account;
import eu.siacs.conversations.entities.Conversation;
import eu.siacs.conversations.entities.Message; import eu.siacs.conversations.entities.Message;
import eu.siacs.conversations.xmpp.Jid; import eu.siacs.conversations.xmpp.Jid;
@ -51,6 +54,7 @@ public final class CryptoHelper {
public static final String FILETRANSFER = "?FILETRANSFERv1:"; public static final String FILETRANSFER = "?FILETRANSFERv1:";
private final static char[] hexArray = "0123456789abcdef".toCharArray(); private final static char[] hexArray = "0123456789abcdef".toCharArray();
public static String bytesToHex(byte[] bytes) { public static String bytesToHex(byte[] bytes) {
char[] hexChars = new char[bytes.length * 2]; char[] hexChars = new char[bytes.length * 2];
for (int j = 0; j < bytes.length; j++) { for (int j = 0; j < bytes.length; j++) {
@ -155,13 +159,24 @@ public final class CryptoHelper {
} }
public static String[] getOrderedCipherSuites(final String[] platformSupportedCipherSuites) { public static String[] getOrderedCipherSuites(final String[] platformSupportedCipherSuites) {
final Collection<String> cipherSuites = new LinkedHashSet<>(Arrays.asList(Config.ENABLED_CIPHERS)); final var appSettings = new AppSettings(Conversations.getContext());
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites); if (appSettings.isSecureTLS()) {
cipherSuites.retainAll(platformCiphers); final Collection<String> secureCipherSuites = new LinkedHashSet<>(Arrays.asList(Config.SECURE_CIPHERS));
cipherSuites.addAll(platformCiphers); final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
filterWeakCipherSuites(cipherSuites); secureCipherSuites.retainAll(platformCiphers);
cipherSuites.remove("TLS_FALLBACK_SCSV"); secureCipherSuites.addAll(platformCiphers);
return cipherSuites.toArray(new String[cipherSuites.size()]); filterWeakCipherSuites(secureCipherSuites);
secureCipherSuites.remove("TLS_FALLBACK_SCSV");
return secureCipherSuites.toArray(new String[secureCipherSuites.size()]);
} else {
final Collection<String> cipherSuites = new LinkedHashSet<>(Arrays.asList(Config.ENABLED_CIPHERS));
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
cipherSuites.retainAll(platformCiphers);
cipherSuites.addAll(platformCiphers);
filterWeakCipherSuites(cipherSuites);
cipherSuites.remove("TLS_FALLBACK_SCSV");
return cipherSuites.toArray(new String[cipherSuites.size()]);
}
} }
private static void filterWeakCipherSuites(final Collection<String> cipherSuites) { private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {

1
src/main/res/values/bools.xml
View file

@ -11,4 +11,5 @@
<bool name="use_unicolored_chatbg">false</bool> <bool name="use_unicolored_chatbg">false</bool>
<bool name="showtextformatting">false</bool> <bool name="showtextformatting">false</bool>
<bool name="app_lock_enabled">false</bool> <bool name="app_lock_enabled">false</bool>
<bool name="secure_tls">false</bool>
</resources> </resources>

2
src/main/res/values/strings.xml
View file

@ -1402,4 +1402,6 @@
<string name="reaction_to">to</string> <string name="reaction_to">to</string>
<string name="pref_hide_media_title">Hide media in gallery</string> <string name="pref_hide_media_title">Hide media in gallery</string>
<string name="pref_hide_media_summary">Hide received and sent media from system gallery views</string> <string name="pref_hide_media_summary">Hide received and sent media from system gallery views</string>
<string name="pref_secure_tls_summary">Use only securest TLS ciphers including post quantum key agreement if available on server</string>
<string name="pref_secure_tls">Use secure TLS Ciphers only</string>
</resources> </resources>

6
src/main/res/xml/preferences_security.xml
View file

@ -31,6 +31,12 @@
android:key="enforce_dane" android:key="enforce_dane"
android:summary="@string/pref_enforce_dane_summary" android:summary="@string/pref_enforce_dane_summary"
android:title="@string/pref_enforce_dane" /> android:title="@string/pref_enforce_dane" />
<SwitchPreferenceCompat
android:defaultValue="@bool/secure_tls"
android:icon="@drawable/ic_private_connectivity_24dp"
android:key="secure_tls"
android:summary="@string/pref_secure_tls_summary"
android:title="@string/pref_secure_tls" />
<SwitchPreferenceCompat <SwitchPreferenceCompat
android:defaultValue="@bool/trust_system_ca_store" android:defaultValue="@bool/trust_system_ca_store"
android:icon="@drawable/ic_assured_workload_24dp" android:icon="@drawable/ic_assured_workload_24dp"