summaryrefslogtreecommitdiff
path: root/app/src
diff options
context:
space:
mode:
authorcyBerta <cyberta@riseup.net>2020-12-30 02:05:23 +0100
committercyBerta <cyberta@riseup.net>2020-12-30 02:05:23 +0100
commit761c936e4f8b929c97f0ae65bc4867883f8da444 (patch)
tree40d479c91683166a804e1c180576aa1d54b3bb72 /app/src
parentbc0eef8231e6d35eb36e5ed33291e37c08053b80 (diff)
update ics-openvpn, openvpn, openssl, prepare Bitmask for Android 11
Diffstat (limited to 'app/src')
-rw-r--r--app/src/main/AndroidManifest.xml4
-rw-r--r--app/src/main/java/de/blinkt/openvpn/VpnProfile.java7
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java57
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java5
-rw-r--r--app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java5
5 files changed, 71 insertions, 7 deletions
diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
index 7e964211..75b166d9 100644
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -27,12 +27,16 @@
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
android:maxSdkVersion="18"/>
+ <!-- Used to show all apps in the allowed Apps selection -->
+ <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
<application
android:name=".base.BitmaskApp"
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
+ android:extractNativeLibs="true"
+ android:appCategory="productivity"
android:logo="@mipmap/ic_launcher"
android:theme="@style/BitmaskTheme">
<service
diff --git a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 5df1d56b..3792d092 100644
--- a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -165,6 +165,7 @@ public class VpnProfile implements Serializable, Cloneable {
public boolean mRemoteRandom = false;
public HashSet<String> mAllowedAppsVpn = new HashSet<>();
public boolean mAllowedAppsVpnAreDisallowed = true;
+ public boolean mAllowAppVpnBypass = false;
public String mCrlFilename;
public String mProfileCreator;
public String mExternalAuthenticator;
@@ -186,6 +187,7 @@ public class VpnProfile implements Serializable, Cloneable {
// set members to default values
private UUID mUuid;
private int mProfileVersion;
+ public boolean mBlockUnusedAddressFamilies = true;
public String mGatewayIp;
public boolean mUsePluggableTransports;
@@ -509,15 +511,18 @@ public class VpnProfile implements Serializable, Cloneable {
if (mUseTLSAuth) {
boolean useTlsCrypt = mTLSAuthDirection.equals("tls-crypt");
+ boolean useTlsCrypt2 = mTLSAuthDirection.equals("tls-crypt-v2");
if (mAuthenticationType == TYPE_STATICKEYS)
cfg.append(insertFileData("secret", mTLSAuthFilename));
else if (useTlsCrypt)
cfg.append(insertFileData("tls-crypt", mTLSAuthFilename));
+ else if (useTlsCrypt2)
+ cfg.append(insertFileData("tls-crypt-v2", mTLSAuthFilename));
else
cfg.append(insertFileData("tls-auth", mTLSAuthFilename));
- if (!TextUtils.isEmpty(mTLSAuthDirection) && !useTlsCrypt) {
+ if (!TextUtils.isEmpty(mTLSAuthDirection) && !useTlsCrypt && !useTlsCrypt2) {
cfg.append("key-direction ");
cfg.append(mTLSAuthDirection);
cfg.append("\n");
diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
index 7dfacd91..0d4a8037 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -199,6 +199,8 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
private boolean runningOnAndroidTV() {
UiModeManager uiModeManager = (UiModeManager) getSystemService(UI_MODE_SERVICE);
+ if (uiModeManager == null)
+ return false;
return uiModeManager.getCurrentModeType() == Configuration.UI_MODE_TYPE_TELEVISION;
}
@@ -393,6 +395,13 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
return;
}
String nativeLibraryDirectory = getApplicationInfo().nativeLibraryDir;
+ String tmpDir;
+ try {
+ tmpDir = getApplication().getCacheDir().getCanonicalPath();
+ } catch (IOException e) {
+ e.printStackTrace();
+ tmpDir = "/tmp";
+ }
// Write OpenVPN binary
String[] argv = VPNLaunchHelper.buildOpenvpnArgv(this);
@@ -439,7 +448,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
processThread = (Runnable) mOpenVPN3;
mManagement = mOpenVPN3;
} else {
- processThread = new OpenVPNThread(this, argv, nativeLibraryDirectory);
+ processThread = new OpenVPNThread(this, argv, nativeLibraryDirectory, tmpDir);
mOpenVPNThread = processThread;
}
@@ -570,7 +579,8 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
VpnStatus.logInfo(R.string.last_openvpn_tun_config);
- if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mProfile.mAllowLocalLAN) {
+ boolean allowUnsetAF = Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && !mProfile.mBlockUnusedAddressFamilies;
+ if (allowUnsetAF) {
allowAllAFFamilies(builder);
}
@@ -673,15 +683,34 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
builder.addSearchDomain(mDomain);
String ipv4info;
+ String ipv6info;
+ if (allowUnsetAF) {
+ ipv4info = "(not set, allowed)";
+ ipv6info = "(not set, allowed)";
+ } else {
+ ipv4info = "(not set)";
+ ipv6info = "(not set)";
+ }
+
int ipv4len;
if (mLocalIP!=null) {
ipv4len=mLocalIP.len;
ipv4info=mLocalIP.mIp;
} else {
ipv4len = -1;
- ipv4info="(not set)";
}
- VpnStatus.logInfo(R.string.local_ip_info, ipv4info, ipv4len, mLocalIPv6, mMtu);
+
+ if (mLocalIPv6!=null)
+ {
+ ipv6info = mLocalIPv6;
+ }
+
+ if ((!mRoutes.getNetworks(false).isEmpty() || !mRoutesv6.getNetworks(false).isEmpty()) && isLockdownEnabledCompat())
+ {
+ VpnStatus.logInfo("VPN lockdown enabled (do not allow apps to bypass VPN) enabled. Route exclusion will not allow apps to bypass VPN (e.g. bypass VPN for local networks)");
+ }
+
+ VpnStatus.logInfo(R.string.local_ip_info, ipv4info, ipv4len, ipv6info, mMtu);
VpnStatus.logInfo(R.string.dns_server_info, TextUtils.join(", ", mDnslist), mDomain);
VpnStatus.logInfo(R.string.routes_info_incl, TextUtils.join(", ", mRoutes.getNetworks(true)), TextUtils.join(", ", mRoutesv6.getNetworks(true)));
VpnStatus.logInfo(R.string.routes_info_excl, TextUtils.join(", ", mRoutes.getNetworks(false)), TextUtils.join(", ", mRoutesv6.getNetworks(false)));
@@ -694,6 +723,12 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
builder.setUnderlyingNetworks(null);
}
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ // Setting this false, will cause the VPN to inherit the underlying network metered
+ // value
+ builder.setMetered(false);
+ }
+
String session = mProfile.mName;
if (mLocalIP != null && mLocalIPv6 != null)
@@ -736,6 +771,15 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
}
+ private boolean isLockdownEnabledCompat() {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ return isLockdownEnabled();
+ } else {
+ /* We cannot determine this, return false */
+ return false;
+ }
+ }
+
@TargetApi(Build.VERSION_CODES.LOLLIPOP)
private void allowAllAFFamilies(Builder builder) {
builder.allowFamily(OsConstants.AF_INET);
@@ -822,6 +866,11 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
} else {
VpnStatus.logDebug(R.string.allowed_vpn_apps_info, TextUtils.join(", ", mProfile.mAllowedAppsVpn));
}
+
+ if (mProfile.mAllowAppVpnBypass) {
+ builder.allowBypass();
+ VpnStatus.logDebug("Apps may bypass VPN");
+ }
}
public void addDNS(String dns) {
diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
index b902f5d7..fc77d9a5 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
@@ -37,15 +37,17 @@ public class OpenVPNThread implements Runnable {
private String[] mArgv;
private Process mProcess;
private String mNativeDir;
+ private String mTmpDir;
private OpenVPNService mService;
private String mDumpPath;
private boolean mBrokenPie = false;
private boolean mNoProcessExitStatus = false;
- public OpenVPNThread(OpenVPNService service, String[] argv, String nativelibdir) {
+ public OpenVPNThread(OpenVPNService service, String[] argv, String nativelibdir, String tmpdir) {
mArgv = argv;
mNativeDir = nativelibdir;
mService = service;
+ mTmpDir = tmpdir;
}
public void stopProcess() {
@@ -128,6 +130,7 @@ public class OpenVPNThread implements Runnable {
String lbpath = genLibraryPath(argv, pb);
pb.environment().put("LD_LIBRARY_PATH", lbpath);
+ pb.environment().put("TMPDIR", mTmpDir);
pb.redirectErrorStream(true);
try {
diff --git a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
index 810974df..7c742746 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
@@ -27,6 +27,10 @@ public class VPNLaunchHelper {
private static String writeMiniVPN(Context context) {
+ String nativeAPI = NativeUtils.getNativeAPI();
+ /* Q does not allow executing binaries written in temp directory anymore */
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P)
+ return new File(context.getApplicationInfo().nativeLibraryDir, "libovpnexec.so").getPath();
String[] abis;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP)
abis = getSupportedABIsLollipop();
@@ -34,7 +38,6 @@ public class VPNLaunchHelper {
//noinspection deprecation
abis = new String[]{Build.CPU_ABI, Build.CPU_ABI2};
- String nativeAPI = NativeUtils.getNativeAPI();
if (!nativeAPI.equals(abis[0])) {
VpnStatus.logWarning(R.string.abi_mismatch, Arrays.toString(abis), nativeAPI);
abis = new String[]{nativeAPI};