From b20c9d2a477189b8fc7e18adf996c66203c2f7a1 Mon Sep 17 00:00:00 2001
From: M66B <M66B@users.noreply.github.com>
Date: Sun, 30 Jan 2022 14:54:17 +0100
Subject: [PATCH] Strict cert checking option

---
 .../java/eu/faircode/email/EmailService.java  | 17 +++++++------
 .../email/FragmentOptionsConnection.java      | 16 ++++++-------
 .../eu/faircode/email/ServiceSynchronize.java |  2 +-
 .../layout/fragment_options_connection.xml    | 24 +++++++++----------
 app/src/main/res/values/strings.xml           |  4 ++--
 5 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/app/src/main/java/eu/faircode/email/EmailService.java b/app/src/main/java/eu/faircode/email/EmailService.java
index 7ee754eaf5..2545ba20ce 100644
--- a/app/src/main/java/eu/faircode/email/EmailService.java
+++ b/app/src/main/java/eu/faircode/email/EmailService.java
@@ -75,7 +75,6 @@ import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Properties;
 import java.util.concurrent.ExecutorService;
 import java.util.regex.Pattern;
@@ -106,9 +105,9 @@ public class EmailService implements AutoCloseable {
     private Context context;
     private String protocol;
     private boolean insecure;
-    private boolean anchor;
     private int purpose;
     private boolean harden;
+    private boolean cert_strict;
     private boolean useip;
     private String ehlo;
     private boolean log;
@@ -186,8 +185,8 @@ public class EmailService implements AutoCloseable {
             prefs.edit().putBoolean("protocol", false).apply();
         this.log = prefs.getBoolean("protocol", false);
         this.level = prefs.getInt("log_level", Log.getDefaultLogLevel());
-        this.anchor = prefs.getBoolean("ssl_anchor", !BuildConfig.PLAY_STORE_RELEASE);
         this.harden = prefs.getBoolean("ssl_harden", false);
+        this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE);
 
         boolean auth_plain = prefs.getBoolean("auth_plain", true);
         boolean auth_login = prefs.getBoolean("auth_login", true);
@@ -408,7 +407,7 @@ public class EmailService implements AutoCloseable {
                 }
             }
 
-            factory = new SSLSocketFactoryService(host, insecure, anchor, harden, key, chain, fingerprint);
+            factory = new SSLSocketFactoryService(host, insecure, harden, cert_strict, key, chain, fingerprint);
             properties.put("mail." + protocol + ".ssl.socketFactory", factory);
             properties.put("mail." + protocol + ".socketFactory.fallback", "false");
             properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@@ -946,17 +945,17 @@ public class EmailService implements AutoCloseable {
         // openssl s_client -connect host:port < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
         private String server;
         private boolean secure;
-        private boolean anchor;
         private boolean harden;
+        private boolean cert_strict;
         private String trustedFingerprint;
         private SSLSocketFactory factory;
         private X509Certificate certificate;
 
-        SSLSocketFactoryService(String host, boolean insecure, boolean anchor, boolean harden, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
+        SSLSocketFactoryService(String host, boolean insecure, boolean harden, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
             this.server = host;
             this.secure = !insecure;
-            this.anchor = anchor;
             this.harden = harden;
+            this.cert_strict = cert_strict;
             this.trustedFingerprint = fingerprint;
 
             SSLContext sslContext = SSLContext.getInstance("TLS");
@@ -1003,7 +1002,7 @@ public class EmailService implements AutoCloseable {
                                     if (ex.getCause() instanceof CertPathValidatorException &&
                                             "Trust anchor for certification path not found."
                                                     .equals(ex.getCause().getMessage())) {
-                                        if (anchor)
+                                        if (cert_strict)
                                             throw new CertificateException(principal.getName(), ex);
                                         else
                                             Log.w(ex);
@@ -1019,7 +1018,7 @@ public class EmailService implements AutoCloseable {
                                 return;
 
                             // Fallback: check server/certificate IP address
-                            if (!harden)
+                            if (!cert_strict)
                                 try {
                                     InetAddress ip = InetAddress.getByName(server);
                                     for (String name : names) {
diff --git a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
index dcb109b7ae..410f056786 100644
--- a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
+++ b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
@@ -70,8 +70,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
     private SwitchCompat swStandaloneVpn;
     private SwitchCompat swTcpKeepAlive;
     private TextView tvTcpKeepAliveHint;
-    private SwitchCompat swSslAnchor;
     private SwitchCompat swSslHarden;
+    private SwitchCompat swCertStrict;
     private Button btnManage;
     private TextView tvNetworkMetered;
     private TextView tvNetworkRoaming;
@@ -85,7 +85,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             "download_headers", "download_eml",
             "require_validated", "vpn_only",
             "timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
-            "ssl_anchor", "ssl_harden"
+            "ssl_harden", "cert_strict"
     };
 
     @Override
@@ -112,8 +112,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
         swStandaloneVpn = view.findViewById(R.id.swStandaloneVpn);
         swTcpKeepAlive = view.findViewById(R.id.swTcpKeepAlive);
         tvTcpKeepAliveHint = view.findViewById(R.id.tvTcpKeepAliveHint);
-        swSslAnchor = view.findViewById(R.id.swSslAnchor);
         swSslHarden = view.findViewById(R.id.swSslHarden);
+        swCertStrict = view.findViewById(R.id.swCertStrict);
         btnManage = view.findViewById(R.id.btnManage);
 
         tvNetworkMetered = view.findViewById(R.id.tvNetworkMetered);
@@ -259,17 +259,17 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             }
         });
 
-        swSslAnchor.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+        swSslHarden.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
             @Override
             public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
-                prefs.edit().putBoolean("ssl_anchor", checked).apply();
+                prefs.edit().putBoolean("ssl_harden", checked).apply();
             }
         });
 
-        swSslHarden.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+        swCertStrict.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
             @Override
             public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
-                prefs.edit().putBoolean("ssl_harden", checked).apply();
+                prefs.edit().putBoolean("cert_strict", checked).apply();
             }
         });
 
@@ -383,8 +383,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
         swBindSocket.setChecked(prefs.getBoolean("bind_socket", false));
         swStandaloneVpn.setChecked(prefs.getBoolean("standalone_vpn", false));
         swTcpKeepAlive.setChecked(prefs.getBoolean("tcp_keep_alive", false));
-        swSslAnchor.setChecked(prefs.getBoolean("ssl_anchor", !BuildConfig.PLAY_STORE_RELEASE));
         swSslHarden.setChecked(prefs.getBoolean("ssl_harden", false));
+        swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
     }
 
     private static Intent getIntentConnectivity() {
diff --git a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
index fb34dee3e7..3da387c1d6 100644
--- a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
+++ b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
@@ -153,7 +153,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
             "sync_folders",
             "sync_shared_folders",
             "download_headers", "download_eml",
-            "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_anchor", "ssl_harden", // force reconnect
+            "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "cert_strict", // force reconnect
             "experiments", "debug", "protocol", // force reconnect
             "auth_plain", "auth_login", "auth_ntlm", "auth_sasl", // force reconnect
             "keep_alive_poll", "empty_pool", "idle_done", // force reconnect
diff --git a/app/src/main/res/layout/fragment_options_connection.xml b/app/src/main/res/layout/fragment_options_connection.xml
index ba61a2347d..0177ade025 100644
--- a/app/src/main/res/layout/fragment_options_connection.xml
+++ b/app/src/main/res/layout/fragment_options_connection.xml
@@ -380,50 +380,50 @@
                     app:layout_constraintTop_toBottomOf="@id/swTcpKeepAlive" />
 
                 <androidx.appcompat.widget.SwitchCompat
-                    android:id="@+id/swSslAnchor"
+                    android:id="@+id/swSslHarden"
                     android:layout_width="0dp"
                     android:layout_height="wrap_content"
                     android:layout_marginTop="12dp"
-                    android:text="@string/title_advanced_ssl_anchor"
+                    android:text="@string/title_advanced_ssl_harden"
                     app:layout_constraintEnd_toEndOf="parent"
                     app:layout_constraintStart_toStartOf="parent"
                     app:layout_constraintTop_toBottomOf="@id/tvTcpKeepAliveHint"
                     app:switchPadding="12dp" />
 
                 <eu.faircode.email.FixedTextView
-                    android:id="@+id/tvSslAnchorHint"
+                    android:id="@+id/tvSslHardenHint"
                     android:layout_width="0dp"
                     android:layout_height="wrap_content"
                     android:layout_marginEnd="48dp"
-                    android:text="@string/title_advanced_ssl_anchor_hint"
+                    android:text="@string/title_advanced_ssl_harden_hint"
                     android:textAppearance="@style/TextAppearance.AppCompat.Small"
                     android:textStyle="italic"
                     app:layout_constraintEnd_toEndOf="parent"
                     app:layout_constraintStart_toStartOf="parent"
-                    app:layout_constraintTop_toBottomOf="@id/swSslAnchor" />
+                    app:layout_constraintTop_toBottomOf="@id/swSslHarden" />
 
                 <androidx.appcompat.widget.SwitchCompat
-                    android:id="@+id/swSslHarden"
+                    android:id="@+id/swCertStrict"
                     android:layout_width="0dp"
                     android:layout_height="wrap_content"
                     android:layout_marginTop="12dp"
-                    android:text="@string/title_advanced_ssl_harden"
+                    android:text="@string/title_advanced_cert_strict"
                     app:layout_constraintEnd_toEndOf="parent"
                     app:layout_constraintStart_toStartOf="parent"
-                    app:layout_constraintTop_toBottomOf="@id/tvSslAnchorHint"
+                    app:layout_constraintTop_toBottomOf="@id/tvSslHardenHint"
                     app:switchPadding="12dp" />
 
                 <eu.faircode.email.FixedTextView
-                    android:id="@+id/tvSslHardenHint"
+                    android:id="@+id/tvCertStrictHint"
                     android:layout_width="0dp"
                     android:layout_height="wrap_content"
                     android:layout_marginEnd="48dp"
-                    android:text="@string/title_advanced_ssl_harden_hint"
+                    android:text="@string/title_advanced_cert_strict_hint"
                     android:textAppearance="@style/TextAppearance.AppCompat.Small"
                     android:textStyle="italic"
                     app:layout_constraintEnd_toEndOf="parent"
                     app:layout_constraintStart_toStartOf="parent"
-                    app:layout_constraintTop_toBottomOf="@id/swSslHarden" />
+                    app:layout_constraintTop_toBottomOf="@id/swCertStrict" />
 
                 <Button
                     android:id="@+id/btnManage"
@@ -435,7 +435,7 @@
                     android:drawablePadding="6dp"
                     android:text="@string/title_advanced_manage_connectivity"
                     app:layout_constraintStart_toStartOf="parent"
-                    app:layout_constraintTop_toBottomOf="@id/tvSslHardenHint" />
+                    app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint" />
 
                 <eu.faircode.email.FixedTextView
                     android:id="@+id/tvNetworkMetered"
diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
index 0b1cf92120..1929d92cd5 100644
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@@ -419,8 +419,8 @@
     <string name="title_advanced_bind_socket" translatable="false">Bind sockets to the active network</string>
     <string name="title_advanced_standalone_vpn" translatable="false">Standalone VPN</string>
     <string name="title_advanced_tcp_keep_alive" translatable="false">TCP keep alive</string>
-    <string name="title_advanced_ssl_anchor">Anchor SSL connections</string>
     <string name="title_advanced_ssl_harden">Harden SSL connections</string>
+    <string name="title_advanced_cert_strict">Strict certificate checking</string>
     <string name="title_advanced_manage_connectivity">Manage connectivity</string>
 
     <string name="title_advanced_caption_general">General</string>
@@ -757,7 +757,7 @@
     <string name="title_advanced_tcp_keep_alive_hint">Enabling this can cause connection problems on some devices</string>
     <string name="title_advanced_validate_hint">This can result in not synchronizing messages, for example when using a VPN, but also in other situations</string>
     <string name="title_advanced_timeout_hint">The read/write timeout will be set to the double of the connection timeout. Higher values will result in more battery use.</string>
-    <string name="title_advanced_ssl_anchor_hint">Enabling this will check the root certificate of server certificate chains</string>
+    <string name="title_advanced_cert_strict_hint">Disabling this will relax checking of server certificates</string>
     <string name="title_advanced_ssl_harden_hint">Enabling this will disable weak SSL protocols and ciphers, which can lead to connection problems</string>
     <string name="title_advanced_roaming_hint">Messages headers will always be fetched when roaming. You can use the device\'s roaming setting to disable internet while roaming.</string>