Added option to disable host name checks

pull/214/head
M66B 2 years ago
parent db105290a8
commit d78ad87c5f

@ -103,6 +103,7 @@ public class EmailService implements AutoCloseable {
private boolean ssl_harden; private boolean ssl_harden;
private boolean ssl_harden_strict; private boolean ssl_harden_strict;
private boolean cert_strict; private boolean cert_strict;
private boolean check_names;
private boolean useip; private boolean useip;
private String ehlo; private String ehlo;
private boolean log; private boolean log;
@ -190,6 +191,7 @@ public class EmailService implements AutoCloseable {
this.ssl_harden = prefs.getBoolean("ssl_harden", false); this.ssl_harden = prefs.getBoolean("ssl_harden", false);
this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false); this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false);
this.cert_strict = prefs.getBoolean("cert_strict", true); this.cert_strict = prefs.getBoolean("cert_strict", true);
this.check_names = prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE);
boolean auth_plain = prefs.getBoolean("auth_plain", true); boolean auth_plain = prefs.getBoolean("auth_plain", true);
boolean auth_login = prefs.getBoolean("auth_login", true); boolean auth_login = prefs.getBoolean("auth_login", true);
@ -449,7 +451,8 @@ public class EmailService implements AutoCloseable {
boolean bc = prefs.getBoolean("bouncy_castle", false); boolean bc = prefs.getBoolean("bouncy_castle", false);
boolean fips = prefs.getBoolean("bc_fips", false); boolean fips = prefs.getBoolean("bc_fips", false);
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, fips, key, chain, fingerprint); factory = new SSLSocketFactoryService(
host, insecure, ssl_harden, strict, cert_strict, check_names, bc, fips, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory); properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false"); properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false"); properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@ -1037,7 +1040,7 @@ public class EmailService implements AutoCloseable {
private X509Certificate certificate; private X509Certificate certificate;
SSLSocketFactoryService(String host, boolean insecure, SSLSocketFactoryService(String host, boolean insecure,
boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean check_names,
boolean bc, boolean fips, boolean bc, boolean fips,
PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException { PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host; this.server = host;
@ -1047,7 +1050,7 @@ public class EmailService implements AutoCloseable {
this.cert_strict = cert_strict; this.cert_strict = cert_strict;
this.trustedFingerprint = fingerprint; this.trustedFingerprint = fingerprint;
TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, trustedFingerprint, TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, check_names, trustedFingerprint,
new SSLHelper.ITrust() { new SSLHelper.ITrust() {
@Override @Override
public void checkServerTrusted(X509Certificate[] chain) { public void checkServerTrusted(X509Certificate[] chain) {
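Review bot: The default in the constructor hunk, `prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE)`, turns host name verification off by default in Play Store builds, and because the same file sets `mail.<protocol>.ssl.checkserveridentity` to `"false"` nothing else verifies that the presented certificate belongs to the configured server. A certificate chain that validates for any name is then accepted for any host, which is the classic TLS man-in-the-middle condition. Unless a policy reason forces this default (the commit message does not say), defaulting to `true` for every build flavour and leaving the opt-out to the user is the safer choice: `this.check_names = prefs.getBoolean("check_names", true);`. The constructor and the SSLSocketFactoryService constructor both start and end outside the hunks shown.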

@ -100,6 +100,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swSslHarden; private SwitchCompat swSslHarden;
private SwitchCompat swSslHardenStrict; private SwitchCompat swSslHardenStrict;
private SwitchCompat swCertStrict; private SwitchCompat swCertStrict;
private SwitchCompat swCheckNames;
private SwitchCompat swOpenSafe; private SwitchCompat swOpenSafe;
private SwitchCompat swHttpRedirect; private SwitchCompat swHttpRedirect;
private SwitchCompat swBouncyCastle; private SwitchCompat swBouncyCastle;
@ -123,7 +124,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml", "download_plain", "download_headers", "download_eml", "download_plain",
"require_validated", "require_validated_captive", "vpn_only", "require_validated", "require_validated_captive", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
"ssl_update", "ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "http_redirect", "ssl_update", "ssl_harden", "ssl_harden_strict", "cert_strict", "check_names",
"open_safe", "http_redirect",
"bouncy_castle", "bc_fips" "bouncy_castle", "bc_fips"
}; };
@ -159,6 +161,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swSslHarden = view.findViewById(R.id.swSslHarden); swSslHarden = view.findViewById(R.id.swSslHarden);
swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict); swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict);
swCertStrict = view.findViewById(R.id.swCertStrict); swCertStrict = view.findViewById(R.id.swCertStrict);
swCheckNames = view.findViewById(R.id.swCheckNames);
swOpenSafe = view.findViewById(R.id.swOpenSafe); swOpenSafe = view.findViewById(R.id.swOpenSafe);
swHttpRedirect = view.findViewById(R.id.swHttpRedirect); swHttpRedirect = view.findViewById(R.id.swHttpRedirect);
swBouncyCastle = view.findViewById(R.id.swBouncyCastle); swBouncyCastle = view.findViewById(R.id.swBouncyCastle);
@ -376,6 +379,13 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
} }
}); });
swCheckNames.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("check_names", checked).apply();
}
});
swOpenSafe.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() { swOpenSafe.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override @Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) { public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
@ -691,6 +701,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swSslHardenStrict.setChecked(prefs.getBoolean("ssl_harden_strict", false)); swSslHardenStrict.setChecked(prefs.getBoolean("ssl_harden_strict", false));
swSslHardenStrict.setEnabled(swSslHarden.isChecked()); swSslHardenStrict.setEnabled(swSslHarden.isChecked());
swCertStrict.setChecked(prefs.getBoolean("cert_strict", true)); swCertStrict.setChecked(prefs.getBoolean("cert_strict", true));
swCheckNames.setChecked(prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE));
swOpenSafe.setChecked(prefs.getBoolean("open_safe", false)); swOpenSafe.setChecked(prefs.getBoolean("open_safe", false));
swHttpRedirect.setChecked(prefs.getBoolean("http_redirect", true)); swHttpRedirect.setChecked(prefs.getBoolean("http_redirect", true));
swBouncyCastle.setChecked(prefs.getBoolean("bouncy_castle", false)); swBouncyCastle.setChecked(prefs.getBoolean("bouncy_castle", false));
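Review bot: The switch default `prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE)` in the settings-loading hunk duplicates a build-flavour-dependent expression that must stay in lockstep with the one EmailService evaluates when opening connections; if either copy is edited alone the UI will show a state that does not match what the trust manager actually does. Hoisting it into one shared constant, e.g. `static final boolean DEFAULT_CHECK_NAMES = !BuildConfig.PLAY_STORE_RELEASE;`, removes that drift risk. Unlike the neighbouring cert_strict option this switch also gets no hint text explaining that turning it off lets any valid certificate pass for any server; a short warning string under the switch is worth adding. The enclosing methods start and end outside the hunks.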

@ -20,7 +20,8 @@ import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
public class SSLHelper { public class SSLHelper {
static TrustManager[] getTrustManagers(String server, boolean secure, boolean cert_strict, String trustedFingerprint, ITrust intf) { static TrustManager[] getTrustManagers(
String server, boolean secure, boolean cert_strict, boolean check_names, String trustedFingerprint, ITrust intf) {
TrustManagerFactory tmf; TrustManagerFactory tmf;
try { try {
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
@ -85,39 +86,41 @@ public class SSLHelper {
} }
// Check host name // Check host name
List<String> names = EntityCertificate.getDnsNames(chain[0]); if (check_names) {
if (EntityCertificate.matches(server, names)) List<String> names = EntityCertificate.getDnsNames(chain[0]);
return; if (EntityCertificate.matches(server, names))
return;
// Fallback: check server/certificate IP address
if (!cert_strict) // Fallback: check server/certificate IP address
try { if (!cert_strict)
InetAddress ip = InetAddress.getByName(server); try {
Log.i("Checking server ip=" + ip); InetAddress ip = InetAddress.getByName(server);
for (String name : names) { Log.i("Checking server ip=" + ip);
if (name.startsWith("*.")) for (String name : names) {
name = name.substring(2); if (name.startsWith("*."))
Log.i("Checking cert name=" + name); name = name.substring(2);
Log.i("Checking cert name=" + name);
try {
for (InetAddress addr : InetAddress.getAllByName(name)) try {
if (Arrays.equals(ip.getAddress(), addr.getAddress())) { for (InetAddress addr : InetAddress.getAllByName(name))
Log.i("Accepted " + name + " for " + server); if (Arrays.equals(ip.getAddress(), addr.getAddress())) {
return; Log.i("Accepted " + name + " for " + server);
} return;
} catch (UnknownHostException ex) { }
Log.w(ex); } catch (UnknownHostException ex) {
Log.w(ex);
}
} }
} catch (UnknownHostException ex) {
Log.w(ex);
} catch (Throwable ex) {
Log.e(ex);
} }
} catch (UnknownHostException ex) {
Log.w(ex); String error = server + " not in certificate: " + TextUtils.join(",", names);
} catch (Throwable ex) { Log.i(error);
Log.e(ex); throw new CertificateException(error);
} }
String error = server + " not in certificate: " + TextUtils.join(",", names);
Log.i(error);
throw new CertificateException(error);
} }
} }
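Review bot: When `check_names` is false the new `if (check_names)` guard skips the whole block silently, so a connection whose certificate names a different host is accepted with no trace in the log, which is exactly what a later incident investigation would need. An early return with a warning records the decision and keeps the rest of the check un-nested: `if (!check_names) { Log.w("Host name check disabled for " + server); return; }`. The rendering has interleaved the old and new sides of this hunk and the enclosing checkServerTrusted method starts outside it, so the exact placement relative to the chain validation above is inferred.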

@ -172,7 +172,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_shared_folders", "sync_shared_folders",
"download_headers", "download_eml", "download_headers", "download_eml",
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", // force reconnect "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", // force reconnect
"ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", "bc_fips", // force reconnect "ssl_harden", "ssl_harden_strict", "cert_strict", "check_names", "bouncy_castle", "bc_fips", // force reconnect
"experiments", "debug", "protocol", // force reconnect "experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect "auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect "keep_alive_poll", "empty_pool", "idle_done", // force reconnect

@ -533,6 +533,18 @@
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swCertStrict" /> app:layout_constraintTop_toBottomOf="@id/swCertStrict" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swCheckNames"
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_marginTop="12dp"
android:checked="true"
android:text="@string/title_advanced_check_names"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint"
app:switchPadding="12dp" />
<androidx.appcompat.widget.SwitchCompat <androidx.appcompat.widget.SwitchCompat
android:id="@+id/swOpenSafe" android:id="@+id/swOpenSafe"
android:layout_width="0dp" android:layout_width="0dp"
@ -541,7 +553,7 @@
android:text="@string/title_advanced_open_safe" android:text="@string/title_advanced_open_safe"
app:layout_constraintEnd_toEndOf="parent" app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint" app:layout_constraintTop_toBottomOf="@id/swCheckNames"
app:switchPadding="12dp" /> app:switchPadding="12dp" />
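Review bot: The new switch declares `android:checked="true"` while the runtime default it is overwritten with is `!BuildConfig.PLAY_STORE_RELEASE`, so the XML value is misleading on Play Store builds even though setChecked wins at runtime; either drop the attribute or make it agree with the code. The switch also sits directly below tvCertStrictHint but carries no hint of its own, although turning it off removes the only check that the certificate belongs to the configured server; a TextView hint in the same style as tvCertStrictHint, stating that disabling this lets any valid certificate be accepted for any host, would make the consequence visible to the user.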
<TextView <TextView

@ -520,6 +520,7 @@
<string name="title_advanced_ssl_harden">Harden SSL connections</string> <string name="title_advanced_ssl_harden">Harden SSL connections</string>
<string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string> <string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string>
<string name="title_advanced_cert_strict">Strict certificate checking</string> <string name="title_advanced_cert_strict">Strict certificate checking</string>
<string name="title_advanced_check_names">Check host names against server certificates</string>
<string name="title_advanced_open_safe">Open secure connections only</string> <string name="title_advanced_open_safe">Open secure connections only</string>
<string name="title_advanced_http_redirect">Allow connection redirection</string> <string name="title_advanced_http_redirect">Allow connection redirection</string>
<string name="title_advanced_bouncy_castle">Use Bouncy Castle\'s secure socket provider (JSSE)</string> <string name="title_advanced_bouncy_castle">Use Bouncy Castle\'s secure socket provider (JSSE)</string>
