diff --git a/app/src/main/java/org/schabi/newpipe/DownloaderImpl.java b/app/src/main/java/org/schabi/newpipe/DownloaderImpl.java index 5dd9d1b74..7e4ac304e 100644 --- a/app/src/main/java/org/schabi/newpipe/DownloaderImpl.java +++ b/app/src/main/java/org/schabi/newpipe/DownloaderImpl.java @@ -1,26 +1,42 @@ package org.schabi.newpipe; +import android.os.Build; import android.text.TextUtils; import org.schabi.newpipe.extractor.downloader.Downloader; import org.schabi.newpipe.extractor.downloader.Request; import org.schabi.newpipe.extractor.downloader.Response; import org.schabi.newpipe.extractor.exceptions.ReCaptchaException; +import org.schabi.newpipe.util.TLSSocketFactoryCompat; import java.io.IOException; import java.io.InputStream; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Arrays; import java.util.List; import java.util.Map; import java.util.concurrent.TimeUnit; -import androidx.annotation.NonNull; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; +import androidx.annotation.NonNull; import androidx.annotation.Nullable; +import okhttp3.CipherSuite; +import okhttp3.ConnectionSpec; import okhttp3.OkHttpClient; import okhttp3.RequestBody; import okhttp3.ResponseBody; +import static org.schabi.newpipe.MainActivity.DEBUG; + public class DownloaderImpl extends Downloader { public static final String USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"; @@ -29,6 +45,9 @@ public class DownloaderImpl extends Downloader { private OkHttpClient client; private DownloaderImpl(OkHttpClient.Builder builder) { + if (Build.VERSION.SDK_INT == Build.VERSION_CODES.KITKAT) { + enableModernTLS(builder); + } this.client = builder .readTimeout(30, TimeUnit.SECONDS) //.cache(new Cache(new File(context.getExternalCacheDir(), "okhttp"), 16 * 1024 * 1024)) @@ -154,4 +173,47 @@ public class DownloaderImpl extends Downloader { return new Response(response.code(), response.message(), response.headers().toMultimap(), responseBodyToReturn); } + + /** + * Enable TLS 1.2 and 1.1 on Android Kitkat. This function is mostly taken from the documentation of + * OkHttpClient.Builder.sslSocketFactory(_,_) + *

+ * If there is an error, the function will safely fall back to doing nothing and printing the error to the console. + * + * @param builder The HTTPClient Builder on which TLS is enabled on (will be modified in-place) + */ + private static void enableModernTLS(OkHttpClient.Builder builder) { + try { + // get the default TrustManager + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( + TrustManagerFactory.getDefaultAlgorithm()); + trustManagerFactory.init((KeyStore) null); + TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); + if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) { + throw new IllegalStateException("Unexpected default trust managers:" + + Arrays.toString(trustManagers)); + } + X509TrustManager trustManager = (X509TrustManager) trustManagers[0]; + + // insert our own TLSSocketFactory + SSLSocketFactory sslSocketFactory = TLSSocketFactoryCompat.getInstance(); + + builder.sslSocketFactory(sslSocketFactory, trustManager); + + // This will try to enable all modern CipherSuites(+2 more) that are supported on the device. + // Necessary because some servers (e.g. Framatube.org) don't support the old cipher suites. + // https://github.com/square/okhttp/issues/4053#issuecomment-402579554 + List cipherSuites = new ArrayList<>(); + cipherSuites.addAll(ConnectionSpec.MODERN_TLS.cipherSuites()); + cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); + cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); + ConnectionSpec legacyTLS = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) + .cipherSuites(cipherSuites.toArray(new CipherSuite[0])) + .build(); + + builder.connectionSpecs(Arrays.asList(legacyTLS, ConnectionSpec.CLEARTEXT)); + } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) { + if (DEBUG) e.printStackTrace(); + } + } } diff --git a/app/src/main/java/org/schabi/newpipe/MainActivity.java b/app/src/main/java/org/schabi/newpipe/MainActivity.java index 927fc1589..90d299c7f 100644 --- a/app/src/main/java/org/schabi/newpipe/MainActivity.java +++ b/app/src/main/java/org/schabi/newpipe/MainActivity.java @@ -72,6 +72,7 @@ import org.schabi.newpipe.util.PeertubeHelper; import org.schabi.newpipe.util.PermissionHelper; import org.schabi.newpipe.util.ServiceHelper; import org.schabi.newpipe.util.StateSaver; +import org.schabi.newpipe.util.TLSSocketFactoryCompat; import org.schabi.newpipe.util.ThemeHelper; import java.util.ArrayList; @@ -108,6 +109,11 @@ public class MainActivity extends AppCompatActivity { protected void onCreate(Bundle savedInstanceState) { if (DEBUG) Log.d(TAG, "onCreate() called with: savedInstanceState = [" + savedInstanceState + "]"); + // enable TLS1.1/1.2 for kitkat devices, to fix download and play for mediaCCC sources + if (Build.VERSION.SDK_INT == Build.VERSION_CODES.KITKAT) { + TLSSocketFactoryCompat.setAsDefault(); + } + ThemeHelper.setTheme(this, ServiceHelper.getSelectedServiceId(this)); super.onCreate(savedInstanceState); diff --git a/app/src/main/java/org/schabi/newpipe/util/TLSSocketFactoryCompat.java b/app/src/main/java/org/schabi/newpipe/util/TLSSocketFactoryCompat.java new file mode 100644 index 000000000..d8b6f78f5 --- /dev/null +++ b/app/src/main/java/org/schabi/newpipe/util/TLSSocketFactoryCompat.java @@ -0,0 +1,104 @@ +package org.schabi.newpipe.util; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; +import java.net.UnknownHostException; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; + +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; + +import static org.schabi.newpipe.MainActivity.DEBUG; + + +/** + * This is an extension of the SSLSocketFactory which enables TLS 1.2 and 1.1. + * Created for usage on Android 4.1-4.4 devices, which haven't enabled those by default. + */ +public class TLSSocketFactoryCompat extends SSLSocketFactory { + + + private static TLSSocketFactoryCompat instance = null; + + private SSLSocketFactory internalSSLSocketFactory; + + public static TLSSocketFactoryCompat getInstance() throws NoSuchAlgorithmException, KeyManagementException { + if (instance != null) { + return instance; + } + return instance = new TLSSocketFactoryCompat(); + } + + + public TLSSocketFactoryCompat() throws KeyManagementException, NoSuchAlgorithmException { + SSLContext context = SSLContext.getInstance("TLS"); + context.init(null, null, null); + internalSSLSocketFactory = context.getSocketFactory(); + } + + public TLSSocketFactoryCompat(TrustManager[] tm) throws KeyManagementException, NoSuchAlgorithmException { + SSLContext context = SSLContext.getInstance("TLS"); + context.init(null, tm, new java.security.SecureRandom()); + internalSSLSocketFactory = context.getSocketFactory(); + } + + public static void setAsDefault() { + try { + HttpsURLConnection.setDefaultSSLSocketFactory(getInstance()); + } catch (NoSuchAlgorithmException | KeyManagementException e) { + if (DEBUG) e.printStackTrace(); + } + } + + @Override + public String[] getDefaultCipherSuites() { + return internalSSLSocketFactory.getDefaultCipherSuites(); + } + + @Override + public String[] getSupportedCipherSuites() { + return internalSSLSocketFactory.getSupportedCipherSuites(); + } + + @Override + public Socket createSocket() throws IOException { + return enableTLSOnSocket(internalSSLSocketFactory.createSocket()); + } + + @Override + public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { + return enableTLSOnSocket(internalSSLSocketFactory.createSocket(s, host, port, autoClose)); + } + + @Override + public Socket createSocket(String host, int port) throws IOException, UnknownHostException { + return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port)); + } + + @Override + public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { + return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port, localHost, localPort)); + } + + @Override + public Socket createSocket(InetAddress host, int port) throws IOException { + return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port)); + } + + @Override + public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { + return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort)); + } + + private Socket enableTLSOnSocket(Socket socket) { + if (socket != null && (socket instanceof SSLSocket)) { + ((SSLSocket) socket).setEnabledProtocols(new String[]{"TLSv1.1", "TLSv1.2"}); + } + return socket; + } +} \ No newline at end of file