Add option to enforce secure TLS ciphers
This commit is contained in:
parent
3bf652a432
commit
d39b72513b
7 changed files with 56 additions and 14 deletions
|
@ -49,9 +49,9 @@ public class AppSettings {
|
|||
public static final String SHOW_LINK_PREVIEWS = "show_link_previews";
|
||||
public static final String SHOW_AVATARS = "show_avatars";
|
||||
public static final String CALL_INTEGRATION = "call_integration";
|
||||
|
||||
private static final String ACCEPT_INVITES_FROM_STRANGERS = "accept_invites_from_strangers";
|
||||
private static final String INSTALLATION_ID = "im.conversations.android.install_id";
|
||||
public static final String SECURE_TLS = "secure_tls";
|
||||
|
||||
private final Context context;
|
||||
|
||||
|
@ -124,6 +124,10 @@ public class AppSettings {
|
|||
return getBooleanPreference(SHOW_AVATARS, R.bool.show_avatars);
|
||||
}
|
||||
|
||||
public boolean isSecureTLS() {
|
||||
return getBooleanPreference(SECURE_TLS, R.bool.secure_tls);
|
||||
}
|
||||
|
||||
public boolean isCallIntegration() {
|
||||
return getBooleanPreference(CALL_INTEGRATION, R.bool.call_integration);
|
||||
}
|
||||
|
|
|
@ -163,15 +163,15 @@ public final class Config {
|
|||
|
||||
//only allow secure tls chipers now
|
||||
public static final String[] ENABLED_CIPHERS = {
|
||||
//TLS 1.3
|
||||
"TLS_AES_256_GCM_SHA384",
|
||||
"TLS_CHACHA20_POLY1305_SHA256",
|
||||
"TLS_AES_128_GCM_SHA256",
|
||||
//post quantum key agreement with traditional encryption
|
||||
"TLS_ECDHE_KYBER_WITH_CHACHA20_POLY1305_SHA256",
|
||||
//pre shared key for resource constrained devices (e.g. Alexa, IoT)
|
||||
// with post quantum encryption
|
||||
"TLS_PSK_WITH_AES_128_GCM_SHA256",
|
||||
//TLS 1.3
|
||||
"TLS_AES_256_GCM_SHA384",
|
||||
"TLS_CHACHA20_POLY1305_SHA256",
|
||||
"TLS_AES_128_GCM_SHA256",
|
||||
//TLS 1.2 with traditional key agreement and encryption
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
|
@ -181,6 +181,20 @@ public final class Config {
|
|||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
};
|
||||
|
||||
public static final String[] SECURE_CIPHERS = {
|
||||
//post quantum key agreement with traditional encryption
|
||||
"TLS_ECDHE_KYBER_WITH_CHACHA20_POLY1305_SHA256",
|
||||
//pre shared key for resource constrained devices (e.g. Alexa, IoT)
|
||||
// with post quantum encryption
|
||||
"TLS_PSK_WITH_AES_128_GCM_SHA256",
|
||||
//TLS 1.3
|
||||
"TLS_AES_256_GCM_SHA384",
|
||||
"TLS_CHACHA20_POLY1305_SHA256",
|
||||
"TLS_AES_128_GCM_SHA256",
|
||||
};
|
||||
|
||||
|
||||
|
||||
public static final String[] WEAK_CIPHER_PATTERNS = {
|
||||
"_NULL_",
|
||||
"_EXPORT_",
|
||||
|
|
|
@ -73,7 +73,7 @@ public class SecuritySettingsFragment extends XmppPreferenceFragment {
|
|||
requireService().updateMemorizingTrustManager();
|
||||
reconnectAccounts();
|
||||
}
|
||||
case AppSettings.DANE_ENFORCED, AppSettings.REQUIRE_CHANNEL_BINDING -> {
|
||||
case AppSettings.DANE_ENFORCED, AppSettings.REQUIRE_CHANNEL_BINDING, AppSettings.SECURE_TLS -> {
|
||||
reconnectAccounts();
|
||||
}
|
||||
case AppSettings.AUTOMATIC_MESSAGE_DELETION -> {
|
||||
|
|
|
@ -31,12 +31,15 @@ import java.util.LinkedHashSet;
|
|||
import java.util.List;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import eu.siacs.conversations.AppSettings;
|
||||
import eu.siacs.conversations.Conversations;
|
||||
import io.ipfs.cid.Cid;
|
||||
import io.ipfs.multihash.Multihash;
|
||||
|
||||
import eu.siacs.conversations.Config;
|
||||
import eu.siacs.conversations.R;
|
||||
import eu.siacs.conversations.entities.Account;
|
||||
import eu.siacs.conversations.entities.Conversation;
|
||||
import eu.siacs.conversations.entities.Message;
|
||||
import eu.siacs.conversations.xmpp.Jid;
|
||||
|
||||
|
@ -51,6 +54,7 @@ public final class CryptoHelper {
|
|||
public static final String FILETRANSFER = "?FILETRANSFERv1:";
|
||||
private final static char[] hexArray = "0123456789abcdef".toCharArray();
|
||||
|
||||
|
||||
public static String bytesToHex(byte[] bytes) {
|
||||
char[] hexChars = new char[bytes.length * 2];
|
||||
for (int j = 0; j < bytes.length; j++) {
|
||||
|
@ -155,6 +159,16 @@ public final class CryptoHelper {
|
|||
}
|
||||
|
||||
public static String[] getOrderedCipherSuites(final String[] platformSupportedCipherSuites) {
|
||||
final var appSettings = new AppSettings(Conversations.getContext());
|
||||
if (appSettings.isSecureTLS()) {
|
||||
final Collection<String> secureCipherSuites = new LinkedHashSet<>(Arrays.asList(Config.SECURE_CIPHERS));
|
||||
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
|
||||
secureCipherSuites.retainAll(platformCiphers);
|
||||
secureCipherSuites.addAll(platformCiphers);
|
||||
filterWeakCipherSuites(secureCipherSuites);
|
||||
secureCipherSuites.remove("TLS_FALLBACK_SCSV");
|
||||
return secureCipherSuites.toArray(new String[secureCipherSuites.size()]);
|
||||
} else {
|
||||
final Collection<String> cipherSuites = new LinkedHashSet<>(Arrays.asList(Config.ENABLED_CIPHERS));
|
||||
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
|
||||
cipherSuites.retainAll(platformCiphers);
|
||||
|
@ -163,6 +177,7 @@ public final class CryptoHelper {
|
|||
cipherSuites.remove("TLS_FALLBACK_SCSV");
|
||||
return cipherSuites.toArray(new String[cipherSuites.size()]);
|
||||
}
|
||||
}
|
||||
|
||||
private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {
|
||||
final Iterator<String> it = cipherSuites.iterator();
|
||||
|
|
|
@ -11,4 +11,5 @@
|
|||
<bool name="use_unicolored_chatbg">false</bool>
|
||||
<bool name="showtextformatting">false</bool>
|
||||
<bool name="app_lock_enabled">false</bool>
|
||||
<bool name="secure_tls">false</bool>
|
||||
</resources>
|
||||
|
|
|
@ -1402,4 +1402,6 @@
|
|||
<string name="reaction_to">to</string>
|
||||
<string name="pref_hide_media_title">Hide media in gallery</string>
|
||||
<string name="pref_hide_media_summary">Hide received and sent media from system gallery views</string>
|
||||
<string name="pref_secure_tls_summary">Use only securest TLS ciphers including post quantum key agreement if available on server</string>
|
||||
<string name="pref_secure_tls">Use secure TLS Ciphers only</string>
|
||||
</resources>
|
|
@ -31,6 +31,12 @@
|
|||
android:key="enforce_dane"
|
||||
android:summary="@string/pref_enforce_dane_summary"
|
||||
android:title="@string/pref_enforce_dane" />
|
||||
<SwitchPreferenceCompat
|
||||
android:defaultValue="@bool/secure_tls"
|
||||
android:icon="@drawable/ic_private_connectivity_24dp"
|
||||
android:key="secure_tls"
|
||||
android:summary="@string/pref_secure_tls_summary"
|
||||
android:title="@string/pref_secure_tls" />
|
||||
<SwitchPreferenceCompat
|
||||
android:defaultValue="@bool/trust_system_ca_store"
|
||||
android:icon="@drawable/ic_assured_workload_24dp"
|
||||
|
|
Loading…
Reference in a new issue