mirror
/
FairEmail
mirror of https://github.com/M66B/FairEmail.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Added BC FIPS mode

This commit is contained in:
M66B 2023-11-10 08:30:22 +01:00
parent f4409b3530
commit 0ccc25bf7f
6 changed files with 66 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/src/main/java/eu/faircode/email/EmailService.java
View File

@ -448,7 +448,8 @@ public class EmailService implements AutoCloseable {
}
boolean bc = prefs.getBoolean("bouncy_castle", false);
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, key, chain, fingerprint);
boolean fips = prefs.getBoolean("bc_fips", false);
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, fips, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@ -1038,7 +1039,10 @@ public class EmailService implements AutoCloseable {
private SSLSocketFactory factory;
private X509Certificate certificate;
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean bc, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
SSLSocketFactoryService(String host, boolean insecure,
boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict,
boolean bc, boolean fips,
PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host;
this.secure = !insecure;
this.ssl_harden = ssl_harden;
@ -1050,10 +1054,10 @@ public class EmailService implements AutoCloseable {
SSLContext sslContext;
String protocol = (insecure ? "SSL" : "TLS");
if (bc)
sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider());
sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider(fips));
else
sslContext = SSLContext.getInstance(protocol);
Log.i("Using protocol=" + protocol + " bc=" + bc);
Log.i("Using protocol=" + protocol + " bc=" + bc + " FIPS=" + fips);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);

14
app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
View File

@ -93,6 +93,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swCertStrict;
private SwitchCompat swOpenSafe;
private SwitchCompat swBouncyCastle;
private SwitchCompat swFipsMode;
private Button btnManage;
private TextView tvNetworkMetered;
private TextView tvNetworkRoaming;
@ -111,7 +112,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml", "download_plain",
"require_validated", "require_validated_captive", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
"ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "bouncy_castle"
"ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "bouncy_castle", "bc_fips"
};
@Override
@ -146,6 +147,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swCertStrict = view.findViewById(R.id.swCertStrict);
swOpenSafe = view.findViewById(R.id.swOpenSafe);
swBouncyCastle = view.findViewById(R.id.swBouncyCastle);
swFipsMode = view.findViewById(R.id.swFipsMode);
btnManage = view.findViewById(R.id.btnManage);
tvNetworkMetered = view.findViewById(R.id.tvNetworkMetered);
@ -354,6 +356,14 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("bouncy_castle", checked).apply();
swFipsMode.setEnabled(checked);
}
});
swFipsMode.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("bc_fips", checked).apply();
}
});
@ -619,6 +629,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
swOpenSafe.setChecked(prefs.getBoolean("open_safe", false));
swBouncyCastle.setChecked(prefs.getBoolean("bouncy_castle", false));
swFipsMode.setChecked(prefs.getBoolean("bc_fips", false));
swFipsMode.setEnabled(swBouncyCastle.isChecked());
} catch (Throwable ex) {
Log.e(ex);
}

47
app/src/main/java/eu/faircode/email/Log.java
View File

@ -3614,33 +3614,44 @@ public class Log {
static SpannableStringBuilder getCiphers() {
SpannableStringBuilder ssb = new SpannableStringBuilderEx();
for (Provider provider : new Provider[]{null, new BouncyCastleJsseProvider()})
for (Provider provider : new Provider[]{
null, // Android
new BouncyCastleJsseProvider(),
new BouncyCastleJsseProvider(true)})
for (String protocol : new String[]{"SSL", "TLS"})
try {
int begin = ssb.length();
ssb.append("Protocol: ").append(protocol)
.append(" ")
.append(provider == null ? "Android" : provider.getClass().getSimpleName());
ssb.setSpan(new StyleSpan(Typeface.BOLD), begin, ssb.length(), 0);
ssb.append("\r\n\r\n");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
ssb.append("Provider: ").append(tmf.getProvider().getName()).append("\r\n");
ssb.append("Algorithm: ").append(tmf.getAlgorithm()).append("\r\n");
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null)
for (TrustManager tm : tms)
ssb.append("Manager: ").append(tm.getClass().getName()).append("\r\n");
SSLContext sslContext = (provider == null
? SSLContext.getInstance(protocol)
: SSLContext.getInstance(protocol, provider));
ssb.append("SSL protocol: ").append(sslContext.getProtocol()).append("\r\n");
Provider sslProvider = sslContext.getProvider();
ssb.append("SSL provider: ").append(sslProvider.getName());
if (sslProvider instanceof BouncyCastleJsseProvider) {
boolean fips = ((BouncyCastleJsseProvider) sslProvider).isFipsMode();
if (fips)
ssb.append(" FIPS");
}
ssb.append("\r\n");
ssb.append("SSL class: ").append(sslProvider.getClass().getName()).append("\r\n");
ssb.append("Context: ").append(sslContext.getProtocol()).append("\r\n\r\n");
ssb.setSpan(new StyleSpan(Typeface.BOLD), begin, ssb.length(), 0);
ssb.append("\r\n");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
ssb.append("Trust provider: ").append(tmf.getProvider().getName()).append("\r\n");
ssb.append("Trust class: ").append(tmf.getProvider().getClass().getName()).append("\r\n");
ssb.append("Trust algorithm: ").append(tmf.getAlgorithm()).append("\r\n");
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null)
for (TrustManager tm : tms)
ssb.append("Trust manager: ").append(tm.getClass().getName()).append("\r\n");
ssb.append("\r\n");
sslContext.init(null, tmf.getTrustManagers(), null);
SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket();

3
app/src/main/java/eu/faircode/email/ServiceSynchronize.java
View File

@ -170,7 +170,8 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_folders",
"sync_shared_folders",
"download_headers", "download_eml",
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", // force reconnect
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", // force reconnect
"ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", "bc_fips", // force reconnect
"experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect

14
app/src/main/res/layout/fragment_options_connection.xml
View File

@ -530,6 +530,18 @@
app:layout_constraintTop_toBottomOf="@id/tvOpenSafeHint"
app:switchPadding="12dp" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swFipsMode"
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_marginStart="12dp"
android:layout_marginTop="12dp"
android:text="@string/title_advanced_fips_mode"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swBouncyCastle"
app:switchPadding="12dp" />
<Button
android:id="@+id/btnManage"
style="?android:attr/buttonStyleSmall"
@ -540,7 +552,7 @@
android:drawablePadding="6dp"
android:text="@string/title_advanced_manage_connectivity"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swBouncyCastle" />
app:layout_constraintTop_toBottomOf="@id/swFipsMode" />
<TextView
android:id="@+id/tvNetworkMetered"

1
app/src/main/res/values/strings.xml
View File

@ -518,6 +518,7 @@
<string name="title_advanced_cert_strict">Strict certificate checking</string>
<string name="title_advanced_open_safe">Open secure connections only</string>
<string name="title_advanced_bouncy_castle">Use Bouncy Castle\'s secure socket provider (JSSE)</string>
<string name="title_advanced_fips_mode" translatable="false">FIPS mode</string>
<string name="title_advanced_manage_connectivity">Manage connectivity</string>
<string name="title_advanced_caption_general">General</string>