diff options
author | Parménides GV <parmegv@sdf.org> | 2014-07-31 12:09:49 +0200 |
---|---|---|
committer | Parménides GV <parmegv@sdf.org> | 2014-07-31 12:09:49 +0200 |
commit | 0393ba6656ce6cf679a2c4663275b3ed0f1a34b9 (patch) | |
tree | f000311e97598ab3fc42e2bea23e6cb342ad166c /ics-openvpn-stripped/main/src/main/java/de/blinkt/openvpn/VpnProfile.java | |
parent | b28eeb08e8ec3baafdd9388cc5b70c6c84db9cf1 (diff) |
Updated ics-openvpn to rev 859 + no 2nd notification.
Diffstat (limited to 'ics-openvpn-stripped/main/src/main/java/de/blinkt/openvpn/VpnProfile.java')
-rw-r--r-- | ics-openvpn-stripped/main/src/main/java/de/blinkt/openvpn/VpnProfile.java | 92 |
1 files changed, 45 insertions, 47 deletions
diff --git a/ics-openvpn-stripped/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/ics-openvpn-stripped/main/src/main/java/de/blinkt/openvpn/VpnProfile.java index d351610d..e2ebfd42 100644 --- a/ics-openvpn-stripped/main/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/ics-openvpn-stripped/main/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -2,6 +2,7 @@ package de.blinkt.openvpn; import se.leap.bitmaskclient.R; +import android.annotation.SuppressLint; import android.content.Context; import android.content.Intent; import android.content.SharedPreferences; @@ -12,6 +13,7 @@ import android.os.Build; import android.preference.PreferenceManager; import android.security.KeyChain; import android.security.KeyChainException; +import android.text.TextUtils; import android.util.Base64; import org.spongycastle.util.io.pem.PemObject; @@ -113,8 +115,8 @@ public class VpnProfile implements Serializable { public boolean mUseDefaultRoute = true; public boolean mUsePull = true; public String mCustomRoutes; - public boolean mCheckRemoteCN = false; - public boolean mExpectTLSCert = true; + public boolean mCheckRemoteCN = true; + public boolean mExpectTLSCert = false; public String mRemoteCN = ""; public String mPassword = ""; public String mUsername = ""; @@ -179,6 +181,7 @@ public class VpnProfile implements Serializable { mUseDefaultRoute = false; mUseDefaultRoutev6 = false; mExpectTLSCert = false; + mCheckRemoteCN = false; mPersistTun = false; mAllowLocalLAN = true; } @@ -197,10 +200,7 @@ public class VpnProfile implements Serializable { public void upgradeProfile(){ if(mProfileVersion< 2) { /* default to the behaviour the OS used */ - if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) - mAllowLocalLAN = true; - else - mAllowLocalLAN = false; + mAllowLocalLAN = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; } mProfileVersion= CURRENT_PROFILE_VERSION; @@ -211,7 +211,7 @@ public class VpnProfile implements Serializable { File cacheDir = context.getCacheDir(); String cfg = ""; - // Enable managment interface + // Enable management interface cfg += "# Enables connection to GUI\n"; cfg += "management "; @@ -228,6 +228,9 @@ public class VpnProfile implements Serializable { cfg += "machine-readable-output\n"; + // Users are confused by warnings that are misleading... + cfg += "ifconfig-nowarn\n"; + boolean useTLSClient = (mAuthenticationType != TYPE_STATICKEYS); @@ -325,7 +328,7 @@ public class VpnProfile implements Serializable { else cfg += insertFileData("tls-auth", mTLSAuthFilename); - if (nonNull(mTLSAuthDirection)) { + if (!TextUtils.isEmpty(mTLSAuthDirection)) { cfg += "key-direction "; cfg += mTLSAuthDirection; cfg += "\n"; @@ -334,10 +337,10 @@ public class VpnProfile implements Serializable { } if (!mUsePull) { - if (nonNull(mIPv4Address)) + if (!TextUtils.isEmpty(mIPv4Address)) cfg += "ifconfig " + cidrToIPAndNetmask(mIPv4Address) + "\n"; - if (nonNull(mIPv6Address)) + if (!TextUtils.isEmpty(mIPv6Address)) cfg += "ifconfig-ipv6 " + mIPv6Address + "\n"; } @@ -375,11 +378,11 @@ public class VpnProfile implements Serializable { cfg += routes; if (mOverrideDNS || !mUsePull) { - if (nonNull(mDNS1)) + if (!TextUtils.isEmpty(mDNS1)) cfg += "dhcp-option DNS " + mDNS1 + "\n"; - if (nonNull(mDNS2)) + if (!TextUtils.isEmpty(mDNS2)) cfg += "dhcp-option DNS " + mDNS2 + "\n"; - if (nonNull(mSearchDomain)) + if (!TextUtils.isEmpty(mSearchDomain)) cfg += "dhcp-option DOMAIN " + mSearchDomain + "\n"; } @@ -420,11 +423,11 @@ public class VpnProfile implements Serializable { cfg += "remote-cert-tls server\n"; } - if (nonNull(mCipher)) { + if (!TextUtils.isEmpty(mCipher)) { cfg += "cipher " + mCipher + "\n"; } - if (nonNull(mAuth)) { + if (!TextUtils.isEmpty(mAuth)) { cfg += "auth " + mAuth + "\n"; } @@ -486,13 +489,6 @@ public class VpnProfile implements Serializable { } } - private boolean nonNull(String val) { - if (val == null || val.equals("")) - return false; - else - return true; - } - private Collection<String> getCustomRoutes(String routes) { Vector<String> cidrRoutes = new Vector<String>(); if (routes == null) { @@ -634,8 +630,8 @@ public class VpnProfile implements Serializable { synchronized String[] getKeyStoreCertificates(Context context,int tries) { PrivateKey privateKey = null; - X509Certificate[] cachain; - Exception exp=null; + X509Certificate[] caChain; + Exception exp; try { privateKey = KeyChain.getPrivateKey(context, mAlias); mPrivateKey = privateKey; @@ -643,18 +639,18 @@ public class VpnProfile implements Serializable { String keystoreChain = null; - cachain = KeyChain.getCertificateChain(context, mAlias); - if(cachain == null) + caChain = KeyChain.getCertificateChain(context, mAlias); + if(caChain == null) throw new NoCertReturnedException("No certificate returned from Keystore"); - if (cachain.length <= 1 && !nonNull(mCaFilename)) { + if (caChain.length <= 1 && TextUtils.isEmpty(mCaFilename)) { VpnStatus.logMessage(VpnStatus.LogLevel.ERROR, "", context.getString(R.string.keychain_nocacert)); } else { StringWriter ksStringWriter = new StringWriter(); PemWriter pw = new PemWriter(ksStringWriter); - for (int i = 1; i < cachain.length; i++) { - X509Certificate cert = cachain[i]; + for (int i = 1; i < caChain.length; i++) { + X509Certificate cert = caChain[i]; pw.writeObject(new PemObject("CERTIFICATE", cert.getEncoded())); } pw.close(); @@ -663,7 +659,7 @@ public class VpnProfile implements Serializable { String caout = null; - if (nonNull(mCaFilename)) { + if (!TextUtils.isEmpty(mCaFilename)) { try { Certificate cacert = X509Utils.getCertificateFromFile(mCaFilename); StringWriter caoutWriter = new StringWriter(); @@ -682,8 +678,8 @@ public class VpnProfile implements Serializable { StringWriter certout = new StringWriter(); - if (cachain.length >= 1) { - X509Certificate usercert = cachain[0]; + if (caChain.length >= 1) { + X509Certificate usercert = caChain[0]; PemWriter upw = new PemWriter(certout); upw.writeObject(new PemObject("CERTIFICATE", usercert.getEncoded())); @@ -728,15 +724,14 @@ public class VpnProfile implements Serializable { } return getKeyStoreCertificates(context, tries-1); } - if (exp != null) { - exp.printStackTrace(); - VpnStatus.logError(R.string.keyChainAccessError, exp.getLocalizedMessage()); - VpnStatus.logError(R.string.keychain_access); - if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) { - if (!mAlias.matches("^[a-zA-Z0-9]$")) { - VpnStatus.logError(R.string.jelly_keystore_alphanumeric_bug); - } + exp.printStackTrace(); + VpnStatus.logError(R.string.keyChainAccessError, exp.getLocalizedMessage()); + + VpnStatus.logError(R.string.keychain_access); + if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) { + if (!mAlias.matches("^[a-zA-Z0-9]$")) { + VpnStatus.logError(R.string.jelly_keystore_alphanumeric_bug); } } return null; @@ -799,7 +794,7 @@ public class VpnProfile implements Serializable { } public boolean requireTLSKeyPassword() { - if (!nonNull(mClientKeyFilename)) + if (TextUtils.isEmpty(mClientKeyFilename)) return false; String data = ""; @@ -840,13 +835,13 @@ public class VpnProfile implements Serializable { } if (mAuthenticationType == TYPE_CERTIFICATES || mAuthenticationType == TYPE_USERPASS_CERTIFICATES) { - if (requireTLSKeyPassword() && !nonNull(mKeyPassword)) + if (requireTLSKeyPassword() && TextUtils.isEmpty(mKeyPassword)) if (mTransientPCKS12PW == null) { return R.string.private_key_password; } } - if (isUserPWAuth() && !(nonNull(mUsername) && (nonNull(mPassword) || mTransientPW != null))) { + if (isUserPWAuth() && !(!TextUtils.isEmpty(mUsername) && (!TextUtils.isEmpty(mPassword) || mTransientPW != null))) { return R.string.password; } return 0; @@ -891,12 +886,15 @@ public class VpnProfile implements Serializable { try { + /* ECB is perfectly fine in this special case, since we are using it for + the public/private part in the TLS exchange + */ + @SuppressLint("GetInstance") + Cipher rsaSigner = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); - Cipher rsasinger = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); - - rsasinger.init(Cipher.ENCRYPT_MODE, privkey); + rsaSigner.init(Cipher.ENCRYPT_MODE, privkey); - byte[] signed_bytes = rsasinger.doFinal(data); + byte[] signed_bytes = rsaSigner.doFinal(data); return Base64.encodeToString(signed_bytes, Base64.NO_WRAP); } catch (NoSuchAlgorithmException e) { |