author | cyberta <cyberta@riseup.net> | 2022-12-26 14:12:10 +0000 |
---|---|---|
committer | cyberta <cyberta@riseup.net> | 2022-12-26 14:12:10 +0000 |
commit | 9d64ea1f6274ca66c4e44f7bd24698a1f64c3ffe (patch) | |
tree | 1bf433d5363a437d388851e7368ee143a226f6b7 /app/src/main/java/de/blinkt | |
parent | 6334225050f02901119812b807c29a4a07ebe182 (diff) | |
parent | 35bd57e5399e8bec5102338c7f0900fbc18970b2 (diff) |
Merge branch 'rc_fixes' into 'master'
Rc fixes
See merge request leap/bitmask_android!235
Diffstat (limited to 'app/src/main/java/de/blinkt')
7 files changed, 35 insertions, 176 deletions
diff --git a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java index 7dd75432..83cde85e 100644 --- a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -473,9 +473,6 @@ public class VpnProfile implements Serializable, Cloneable { cfg.append("management-external-key nopadding\n"); } else { cfg.append(context.getString(R.string.keychain_access)).append("\n"); - if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) - if (!mAlias.matches("^[a-zA-Z0-9]$")) - cfg.append(context.getString(R.string.jelly_keystore_alphanumeric_bug)).append("\n"); } } break; @@ -932,11 +929,6 @@ public class VpnProfile implements Serializable, Cloneable { VpnStatus.logError(R.string.keyChainAccessError, e.getLocalizedMessage()); VpnStatus.logError(R.string.keychain_access); - if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) { - if (!mAlias.matches("^[a-zA-Z0-9]$")) { - VpnStatus.logError(R.string.jelly_keystore_alphanumeric_bug); - } - } return null; } catch (AssertionError e) { @@ -1196,12 +1188,6 @@ public class VpnProfile implements Serializable, Cloneable { private byte[] getKeyChainSignedData(byte[] data, boolean pkcs1padding) { PrivateKey privkey = getKeystoreKey(); - // The Jelly Bean *evil* Hack - // 4.2 implements the RSA/ECB/PKCS1PADDING in the OpenSSLprovider - if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) { - return processSignJellyBeans(privkey, data); - } - try { @SuppressLint("GetInstance") 
@@ -1238,32 +1224,6 @@ public class VpnProfile implements Serializable, Cloneable { } } - private byte[] processSignJellyBeans(PrivateKey privkey, byte[] data) { - try { - Method getKey = privkey.getClass().getSuperclass().getDeclaredMethod("getOpenSSLKey"); - getKey.setAccessible(true); - - // Real object type is OpenSSLKey - Object opensslkey = getKey.invoke(privkey); - - getKey.setAccessible(false); - - Method getPkeyContext = opensslkey.getClass().getDeclaredMethod("getPkeyContext"); - - // integer pointer to EVP_pkey - getPkeyContext.setAccessible(true); - int pkey = (Integer) getPkeyContext.invoke(opensslkey); - getPkeyContext.setAccessible(false); - - // 112 with TLS 1.2 (172 back with 4.3), 36 with TLS 1.0 - return NativeUtils.rsasign(data, pkey); - - } catch (NoSuchMethodException | InvalidKeyException | InvocationTargetException | IllegalAccessException | IllegalArgumentException e) { - VpnStatus.logError(R.string.error_rsa_sign, e.getClass().toString(), e.getLocalizedMessage()); - return null; - } - } - private boolean usesExtraProxyOptions() { if (mUseCustomConfig && mCustomConfigOptions != null && mCustomConfigOptions.contains("http-proxy-option ")) return true; diff --git a/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java b/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java index 5a1757ac..f769b38e 100644 --- a/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java +++ b/app/src/main/java/de/blinkt/openvpn/core/NativeUtils.java @@ -38,8 +38,6 @@ public class NativeUtils { static { if (!isRoboUnitTest() && !isUnitTest()) { System.loadLibrary("ovpnutil"); - if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) - System.loadLibrary("jbcrypto"); } } diff --git a/app/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java b/app/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java index 860897db..457ae971 100644 --- a/app/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java 
+++ b/app/src/main/java/de/blinkt/openvpn/core/NetworkSpace.java @@ -336,35 +336,6 @@ public class NetworkSpace { ips.add(ia); } - if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) { - // Include postive routes from the original set under < 4.4 since these might overrule the local - // network but only if no smaller negative route exists - for (IpAddress origIp : mIpAddresses) { - if (!origIp.included) - continue; - - // The netspace exists - if (ipsSorted.contains(origIp)) - continue; - - boolean skipIp = false; - // If there is any smaller net that is excluded we may not add the positive route back - - for (IpAddress calculatedIp : ipsSorted) { - if (!calculatedIp.included && origIp.containsNet(calculatedIp)) { - skipIp = true; - break; - } - } - if (skipIp) - continue; - - // It is safe to include the IP - ips.add(origIp); - } - - } - return ips; } diff --git a/app/src/main/java/de/blinkt/openvpn/core/NetworkUtils.java b/app/src/main/java/de/blinkt/openvpn/core/NetworkUtils.java index 5b11c0a0..25af6121 100644 --- a/app/src/main/java/de/blinkt/openvpn/core/NetworkUtils.java +++ b/app/src/main/java/de/blinkt/openvpn/core/NetworkUtils.java 
@@ -24,63 +24,35 @@ public class NetworkUtils { public static Vector<String> getLocalNetworks(Context c, boolean ipv6) { Vector<String> nets = new Vector<>(); ConnectivityManager conn = (ConnectivityManager) c.getSystemService(Context.CONNECTIVITY_SERVICE); - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) { - Network[] networks = conn.getAllNetworks(); - for (Network network : networks) { - try { - NetworkInfo ni = conn.getNetworkInfo(network); - LinkProperties li = conn.getLinkProperties(network); + Network[] networks = conn.getAllNetworks(); + for (Network network : networks) { + try { + NetworkInfo ni = conn.getNetworkInfo(network); + LinkProperties li = conn.getLinkProperties(network); - NetworkCapabilities nc = conn.getNetworkCapabilities(network); + NetworkCapabilities nc = conn.getNetworkCapabilities(network); - if (nc == null) { - continue; - } - - // Skip VPN networks like ourselves - if (nc.hasTransport(NetworkCapabilities.TRANSPORT_VPN)) - continue; - - // Also skip mobile networks - if (nc.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)) - continue; - - - for (LinkAddress la : li.getLinkAddresses()) { - if ((la.getAddress() instanceof Inet4Address && !ipv6) || - (la.getAddress() instanceof Inet6Address && ipv6)) - nets.add(la.toString()); - } - } catch (SecurityException se) { - se.printStackTrace(); + if (nc == null) { + continue; } - } - } else { - // Old Android Version, use native utils via ifconfig instead - // Add local network interfaces - if (ipv6) - return nets; - String[] localRoutes = NativeUtils.getIfconfig(); - - // The format of mLocalRoutes is kind of broken because I don't really like JNI - for (int i = 0; i < localRoutes.length; i += 3) { - String intf = localRoutes[i]; - String ipAddr = localRoutes[i + 1]; - String netMask = localRoutes[i + 2]; - - if (intf == null || intf.equals("lo") || - intf.startsWith("tun") || intf.startsWith("rmnet")) + // Skip VPN networks like ourselves + if 
(nc.hasTransport(NetworkCapabilities.TRANSPORT_VPN)) continue; - if (ipAddr == null || netMask == null) { - VpnStatus.logError("Local routes are broken?! (Report to author) " + TextUtils.join("|", localRoutes)); + // Also skip mobile networks + if (nc.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)) continue; - } - nets.add(ipAddr + "/" + CIDRIP.calculateLenFromMask(netMask)); - } + for (LinkAddress la : li.getLinkAddresses()) { + if ((la.getAddress() instanceof Inet4Address && !ipv6) || + (la.getAddress() instanceof Inet6Address && ipv6)) + nets.add(la.toString()); + } + } catch (SecurityException se) { + se.printStackTrace(); + } } return nets; } diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java index 88a85de3..0ae7639e 100644 --- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java +++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java @@ -589,7 +589,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac VpnStatus.logInfo(R.string.last_openvpn_tun_config); - boolean allowUnsetAF = Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && !mProfile.mBlockUnusedAddressFamilies; + boolean allowUnsetAF = !mProfile.mBlockUnusedAddressFamilies; if (allowUnsetAF) { allowAllAFFamilies(builder); } 
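Review bot: In the now-unconditional loop of `getLocalNetworks`, `li.getLinkAddresses()` dereferences the result of `conn.getLinkProperties(network)` without a null check, although the neighbouring `nc` is checked. `ConnectivityManager.getLinkProperties` can return null for a network that is no longer known, and only `SecurityException` is caught. With the ifconfig fallback removed this is the only path left in the method, so a network that disappears during enumeration would raise a NullPointerException instead of being skipped; widen the guard to `if (nc == null || li == null) {`. The local `ni` is assigned but never read in the hunk and could be dropped, and `se.printStackTrace()` would be better as a `VpnStatus.logException(...)` call like the one this commit uses in OpenVpnManagementThread.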
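Review bot: Dropping the `SDK_INT >= LOLLIPOP` test from `allowUnsetAF` is only safe if the app's minSdkVersion is at least 21, and this diff is limited to app/src/main/java/de/blinkt, so the build configuration is not visible here. The same assumption underlies the unconditional `conn.getAllNetworks()` in NetworkUtils, the unguarded `setAllowedVpnPackages(builder)` and `Os.close(fd)` calls, and `Build.SUPPORTED_ABIS` in VPNLaunchHelper. The removed `@TargetApi`/`@RequiresApi` annotations previously documented these API-21 requirements next to the methods. Please confirm that the minimum SDK in the Gradle configuration matches. Otherwise these calls fail at run time on older devices instead of taking the removed fallbacks.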
@@ -631,20 +631,12 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac } } - String release = Build.VERSION.RELEASE; - if ((Build.VERSION.SDK_INT == Build.VERSION_CODES.KITKAT && !release.startsWith("4.4.3") - && !release.startsWith("4.4.4") && !release.startsWith("4.4.5") && !release.startsWith("4.4.6")) - && mMtu < 1280) { - VpnStatus.logInfo(String.format(Locale.US, "Forcing MTU to 1280 instead of %d to workaround Android Bug #70916", mMtu)); - builder.setMtu(1280); - } else { - builder.setMtu(mMtu); - } + builder.setMtu(mMtu); Collection<IpAddress> positiveIPv4Routes = mRoutes.getPositiveIPList(); Collection<IpAddress> positiveIPv6Routes = mRoutesv6.getPositiveIPList(); - if ("samsung".equals(Build.BRAND) && Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mDnslist.size() >= 1) { + if ("samsung".equals(Build.BRAND) && mDnslist.size() >= 1) { // Check if the first DNS Server is in the VPN range try { IpAddress dnsServer = new IpAddress(new CIDRIP(mDnslist.get(0), 32), true); @@ -725,9 +717,8 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac VpnStatus.logInfo(R.string.routes_info_incl, TextUtils.join(", ", mRoutes.getNetworks(true)), TextUtils.join(", ", mRoutesv6.getNetworks(true))); VpnStatus.logInfo(R.string.routes_info_excl, TextUtils.join(", ", mRoutes.getNetworks(false)), TextUtils.join(", ", mRoutesv6.getNetworks(false))); VpnStatus.logDebug(R.string.routes_debug, TextUtils.join(", ", positiveIPv4Routes), TextUtils.join(", ", positiveIPv6Routes)); - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) { - setAllowedVpnPackages(builder); - } + + setAllowedVpnPackages(builder); if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) { // VPN always uses the default network builder.setUnderlyingNetworks(null); 
@@ -773,9 +764,6 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac } catch (Exception e) { VpnStatus.logError(R.string.tun_open_error); VpnStatus.logError(getString(R.string.error) + e.getLocalizedMessage()); - if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.JELLY_BEAN_MR1) { - VpnStatus.logError(R.string.tun_error_helpful); - } return null; } @@ -790,7 +778,6 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac } } - @TargetApi(Build.VERSION_CODES.LOLLIPOP) private void allowAllAFFamilies(Builder builder) { builder.allowFamily(OsConstants.AF_INET); builder.allowFamily(OsConstants.AF_INET6); @@ -805,11 +792,9 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac if (ipAddr.equals(mLocalIP.mIp)) continue; - if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT && !mProfile.mAllowLocalLAN) { - mRoutes.addIPSplit(new CIDRIP(ipAddr, netMask), true); - - } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && mProfile.mAllowLocalLAN) + if (mProfile.mAllowLocalLAN) { mRoutes.addIP(new CIDRIP(ipAddr, netMask), false); + } } // IPv6 is Lollipop+ only so we can skip the lower than KITKAT case @@ -823,7 +808,6 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac } - @TargetApi(Build.VERSION_CODES.LOLLIPOP) private void setAllowedVpnPackages(Builder builder) { boolean profileUsesOrBot = false; 
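Review bot: The context comment `// IPv6 is Lollipop+ only so we can skip the lower than KITKAT case` after the rewritten `mAllowLocalLAN` branch is stale, because this hunk removes the pre-KitKat `addIPSplit` case it refers to. It should be reworded or dropped. The new branch would also benefit from a one-line comment on what the `false` argument to `mRoutes.addIP(...)` means, e.g. `// allow-LAN: add the local network as an excluded route`. Judging by the `included` field used in NetworkSpace, `false` presumably marks the route as not included, but confirm that before wording it. The enclosing method starts and ends outside the hunk.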
@@ -1094,13 +1078,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac if (currentConfiguration.equals(mLastTunCfg)) { return "NOACTION"; } else { - String release = Build.VERSION.RELEASE; - if (Build.VERSION.SDK_INT == Build.VERSION_CODES.KITKAT && !release.startsWith("4.4.3") - && !release.startsWith("4.4.4") && !release.startsWith("4.4.5") && !release.startsWith("4.4.6")) - // There will be probably no 4.4.4 or 4.4.5 version, so don't waste effort to do parsing here - return "OPEN_AFTER_CLOSE"; - else - return "OPEN_BEFORE_CLOSE"; + return "OPEN_BEFORE_CLOSE"; } } diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java index 0edfeaeb..a02e7e27 100644 --- a/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java +++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java @@ -242,12 +242,10 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement { VpnStatus.logWarning("Could not protect VPN socket"); - //ParcelFileDescriptor pfd = ParcelFileDescriptor.fromFd(fdint); - //pfd.close(); - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) { - fdCloseLollipop(fd); - } else { - NativeUtils.jniclose(fdint); + try { + Os.close(fd); + } catch (Exception e) { + VpnStatus.logException("Failed to close fd (" + fd + ")", e); } return; } catch ( NoSuchMethodException | IllegalArgumentException | InvocationTargetException | IllegalAccessException | NullPointerException e) { @@ -258,15 +256,6 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement { } - @RequiresApi(api = Build.VERSION_CODES.LOLLIPOP) - private void fdCloseLollipop(FileDescriptor fd) { - try { - Os.close(fd); - } catch (Exception e) { - VpnStatus.logException("Failed to close fd (" + fd + ")", e); - } - } - private String processInput(String pendingInput) { 
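Review bot: In the OpenVpnManagementThread hunk, the inlined `catch (Exception e)` around `Os.close(fd)` is broader than the call needs. `Os.close` declares `android.system.ErrnoException`, so `catch (ErrnoException e)` keeps the same logging without also absorbing unrelated runtime exceptions on the failed-protect path. The catch is carried over unchanged from the removed `fdCloseLollipop`, so this is a tidy-up rather than a regression. It is also worth checking whether `fdint` is still needed now that `NativeUtils.jniclose(fdint)` is gone. The enclosing method starts and ends outside the hunk.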
diff --git a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java index 540ca043..80427a03 100644 --- a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java +++ b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java @@ -30,11 +30,7 @@ public class VPNLaunchHelper { if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) return new File(context.getApplicationInfo().nativeLibraryDir, "libovpnexec.so").getPath(); String[] abis; - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) - abis = getSupportedABIsLollipop(); - else - //noinspection deprecation - abis = new String[]{Build.CPU_ABI, Build.CPU_ABI2}; + abis = getSupportedABIsLollipop(); if (!nativeAPI.equals(abis[0])) { VpnStatus.logWarning(R.string.abi_mismatch, Arrays.toString(abis), nativeAPI); @@ -49,22 +45,17 @@ public class VPNLaunchHelper { } } - throw new RuntimeException("Cannot find any execulte for this device's ABIs " + abis.toString()); + throw new RuntimeException("Cannot find any execute for this device's ABIs " + abis.toString()); } - @TargetApi(Build.VERSION_CODES.LOLLIPOP) private static String[] getSupportedABIsLollipop() { return Build.SUPPORTED_ABIS; } private static String getMiniVPNExecutableName() { - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) - return MINIPIEVPN; - else - return MININONPIEVPN; + return MINIPIEVPN; } - public static String[] replacePieWithNoPie(String[] mArgv) { mArgv[0] = mArgv[0].replace(MINIPIEVPN, MININONPIEVPN); return mArgv; |
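Review bot: The exception message edited in the second VPNLaunchHelper hunk still ends with `abis.toString()`, which on a `String[]` yields the array's type and identity hash rather than the ABI names, so the failure cannot be diagnosed from a log. The `logWarning` call a few lines above already uses `Arrays.toString(abis)`. Use the same here: `throw new RuntimeException("Cannot find any executable for this device's ABIs " + Arrays.toString(abis));` (the message presumably means "executable" rather than "execute"). With `getMiniVPNExecutableName()` now always returning `MINIPIEVPN`, `replacePieWithNoPie` and `MININONPIEVPN` may have no remaining use and are worth checking for callers.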