summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/se/leap/bitmaskclient/ConfigHelper.java13
-rw-r--r--src/se/leap/bitmaskclient/ConfigurationWizard.java28
-rw-r--r--src/se/leap/bitmaskclient/Dashboard.java15
-rw-r--r--src/se/leap/bitmaskclient/DownloadFailedDialog.java59
-rw-r--r--src/se/leap/bitmaskclient/EIP.java10
-rw-r--r--src/se/leap/bitmaskclient/PRNGFixes.java338
-rw-r--r--src/se/leap/bitmaskclient/ProviderAPI.java188
-rw-r--r--src/se/leap/openvpn/OpenVPN.java4
-rw-r--r--src/se/leap/openvpn/OpenVpnManagementThread.java12
-rw-r--r--src/se/leap/openvpn/VpnProfile.java4
10 files changed, 575 insertions, 96 deletions
diff --git a/src/se/leap/bitmaskclient/ConfigHelper.java b/src/se/leap/bitmaskclient/ConfigHelper.java
index b916a9ac..97a62bb2 100644
--- a/src/se/leap/bitmaskclient/ConfigHelper.java
+++ b/src/se/leap/bitmaskclient/ConfigHelper.java
@@ -50,7 +50,6 @@ public class ConfigHelper {
public static SharedPreferences shared_preferences;
private static KeyStore keystore_trusted;
-
final public static String NG_1024 =
"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3";
final public static BigInteger G = new BigInteger("2");
@@ -178,6 +177,18 @@ public class ConfigHelper {
shared_preferences_editor.remove(shared_preferences_key);
return shared_preferences_editor.commit();
}
+
+ public static boolean checkErroneousDownload(String downloaded_string) {
+ try {
+ if(new JSONObject(downloaded_string).has(ProviderAPI.ERRORS) || downloaded_string.isEmpty()) {
+ return true;
+ } else {
+ return false;
+ }
+ } catch(JSONException e) {
+ return false;
+ }
+ }
/**
* Treat the input as the MSB representation of a number,
diff --git a/src/se/leap/bitmaskclient/ConfigurationWizard.java b/src/se/leap/bitmaskclient/ConfigurationWizard.java
index a0ac1bc2..c03d7c9e 100644
--- a/src/se/leap/bitmaskclient/ConfigurationWizard.java
+++ b/src/se/leap/bitmaskclient/ConfigurationWizard.java
@@ -124,8 +124,10 @@ implements ProviderListFragment.Callbacks, NewProviderDialog.NewProviderDialogIn
//Toast.makeText(this, getResources().getString(R.string.config_error_parsing), Toast.LENGTH_LONG);
setResult(RESULT_CANCELED, mConfigState);
}
- }
+ }
else if(resultCode == ProviderAPI.INCORRECTLY_UPDATED_PROVIDER_DOT_JSON) {
+ String reason_to_fail = resultData.getString(ProviderAPI.ERRORS);
+ showDownloadFailedDialog(getCurrentFocus(), reason_to_fail);
mProgressDialog.dismiss();
setResult(RESULT_CANCELED, mConfigState);
}
@@ -142,8 +144,9 @@ implements ProviderListFragment.Callbacks, NewProviderDialog.NewProviderDialogIn
}
}
else if(resultCode == ProviderAPI.INCORRECTLY_DOWNLOADED_JSON_FILES) {
- //Toast.makeText(getApplicationContext(), R.string.incorrectly_downloaded_json_files_message, Toast.LENGTH_LONG).show();
- mProgressDialog.dismiss();
+ //Toast.makeText(getApplicationContext(), R.string.incorrectly_downloaded_json_files_message, Toast.LENGTH_LONG).show();
+ String reason_to_fail = resultData.getString(ProviderAPI.ERRORS);
+ showDownloadFailedDialog(getCurrentFocus(), reason_to_fail);
setResult(RESULT_CANCELED, mConfigState);
}
else if(resultCode == ProviderAPI.CORRECTLY_DOWNLOADED_CERTIFICATE) {
@@ -319,6 +322,25 @@ implements ProviderListFragment.Callbacks, NewProviderDialog.NewProviderDialogIn
* use it anonymously (if possible)
* or cancel his/her election pressing the back button.
* @param view
+ * @param reason_to_fail
+ */
+ public void showDownloadFailedDialog(View view, String reason_to_fail) {
+ FragmentTransaction fragment_transaction = getFragmentManager().beginTransaction();
+ Fragment previous_provider_details_dialog = getFragmentManager().findFragmentByTag(DownloadFailedDialog.TAG);
+ if (previous_provider_details_dialog != null) {
+ fragment_transaction.remove(previous_provider_details_dialog);
+ }
+ fragment_transaction.addToBackStack(null);
+
+ DialogFragment newFragment = DownloadFailedDialog.newInstance(reason_to_fail);
+ newFragment.show(fragment_transaction, DownloadFailedDialog.TAG);
+ }
+
+ /**
+ * Once selected a provider, this fragment offers the user to log in,
+ * use it anonymously (if possible)
+ * or cancel his/her election pressing the back button.
+ * @param view
*/
public void showProviderDetails(View view) {
FragmentTransaction fragment_transaction = getFragmentManager().beginTransaction();
diff --git a/src/se/leap/bitmaskclient/Dashboard.java b/src/se/leap/bitmaskclient/Dashboard.java
index 97367e25..fd8d6be6 100644
--- a/src/se/leap/bitmaskclient/Dashboard.java
+++ b/src/se/leap/bitmaskclient/Dashboard.java
@@ -66,7 +66,7 @@ public class Dashboard extends Activity implements LogInDialog.LogInDialogInterf
private TextView providerNameTV;
- private boolean authed = false;
+ private boolean authed_eip = false;
public ProviderAPIResultReceiver providerAPI_result_receiver;
@@ -75,10 +75,12 @@ public class Dashboard extends Activity implements LogInDialog.LogInDialogInterf
super.onCreate(savedInstanceState);
app = this;
-
+
+ PRNGFixes.apply();
ConfigHelper.setSharedPreferences(getSharedPreferences(SHARED_PREFERENCES, MODE_PRIVATE));
preferences = ConfigHelper.shared_preferences;
+ authed_eip = ConfigHelper.getBoolFromSharedPref(EIP.AUTHED_EIP);
if (ConfigHelper.getStringFromSharedPref(Provider.KEY).isEmpty())
startActivityForResult(new Intent(this,ConfigurationWizard.class),CONFIGURE_LEAP);
else
@@ -89,6 +91,7 @@ public class Dashboard extends Activity implements LogInDialog.LogInDialogInterf
protected void onActivityResult(int requestCode, int resultCode, Intent data){
if ( requestCode == CONFIGURE_LEAP ) {
if ( resultCode == RESULT_OK ){
+ ConfigHelper.saveSharedPref(EIP.AUTHED_EIP, authed_eip);
startService( new Intent(EIP.ACTION_UPDATE_EIP_SERVICE) );
buildDashboard();
if(data != null && data.hasExtra(LogInDialog.VERB)) {
@@ -157,7 +160,7 @@ public class Dashboard extends Activity implements LogInDialog.LogInDialogInterf
provider_json = ConfigHelper.getJsonFromSharedPref(Provider.KEY);
JSONObject service_description = provider_json.getJSONObject(Provider.SERVICE);
if(service_description.getBoolean(Provider.ALLOW_REGISTRATION)) {
- if(authed) {
+ if(authed_eip) {
menu.findItem(R.id.login_button).setVisible(false);
menu.findItem(R.id.logout_button).setVisible(true);
} else {
@@ -313,7 +316,8 @@ public class Dashboard extends Activity implements LogInDialog.LogInDialogInterf
String session_id_cookie_key = resultData.getString(ProviderAPI.SESSION_ID_COOKIE_KEY);
String session_id_string = resultData.getString(ProviderAPI.SESSION_ID_KEY);
setResult(RESULT_OK);
- authed = true;
+ authed_eip = true;
+ ConfigHelper.saveSharedPref(EIP.AUTHED_EIP, authed_eip);
invalidateOptionsMenu();
//Cookie session_id = new BasicClientCookie(session_id_cookie_key, session_id_string);
@@ -322,7 +326,8 @@ public class Dashboard extends Activity implements LogInDialog.LogInDialogInterf
mProgressDialog.dismiss();
logInDialog(getCurrentFocus(), resultData);
} else if(resultCode == ProviderAPI.LOGOUT_SUCCESSFUL) {
- authed = false;
+ authed_eip = false;
+ ConfigHelper.saveSharedPref(EIP.AUTHED_EIP, authed_eip);
invalidateOptionsMenu();
setResult(RESULT_OK);
mProgressDialog.dismiss();
diff --git a/src/se/leap/bitmaskclient/DownloadFailedDialog.java b/src/se/leap/bitmaskclient/DownloadFailedDialog.java
new file mode 100644
index 00000000..3ce101a6
--- /dev/null
+++ b/src/se/leap/bitmaskclient/DownloadFailedDialog.java
@@ -0,0 +1,59 @@
+/**
+ * Copyright (c) 2013 LEAP Encryption Access Project and contributers
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+ package se.leap.bitmaskclient;
+
+import se.leap.bitmaskclient.R;
+import android.app.AlertDialog;
+import android.app.Dialog;
+import android.app.DialogFragment;
+import android.content.DialogInterface;
+import android.os.Bundle;
+
+/**
+ * Implements a dialog to show why a download failed.
+ *
+ * @author parmegv
+ *
+ */
+public class DownloadFailedDialog extends DialogFragment {
+
+ public static String TAG = "downloaded_failed_dialog";
+ private String reason_to_fail;
+ /**
+ * @return a new instance of this DialogFragment.
+ */
+ public static DialogFragment newInstance(String reason_to_fail) {
+ DownloadFailedDialog dialog_fragment = new DownloadFailedDialog();
+ dialog_fragment.reason_to_fail = reason_to_fail;
+ return dialog_fragment;
+ }
+
+ @Override
+ public Dialog onCreateDialog(Bundle savedInstanceState) {
+ AlertDialog.Builder builder = new AlertDialog.Builder(getActivity());
+
+ builder.setMessage(reason_to_fail)
+ .setPositiveButton(R.string.ok, new DialogInterface.OnClickListener() {
+ public void onClick(DialogInterface dialog, int id) {
+ dialog.dismiss();
+ }
+ });
+
+ // Create the AlertDialog object and return it
+ return builder.create();
+ }
+}
diff --git a/src/se/leap/bitmaskclient/EIP.java b/src/se/leap/bitmaskclient/EIP.java
index c643d501..e059f1c1 100644
--- a/src/se/leap/bitmaskclient/EIP.java
+++ b/src/se/leap/bitmaskclient/EIP.java
@@ -58,10 +58,11 @@ import android.util.Log;
*/
public final class EIP extends IntentService {
- public final static String ACTION_START_EIP = "se.leap.bitmaskclient.START_EIP";
- public final static String ACTION_STOP_EIP = "se.leap.bitmaskclient.STOP_EIP";
- public final static String ACTION_UPDATE_EIP_SERVICE = "se.leap.bitmaskclient.UPDATE_EIP_SERVICE";
- public final static String ACTION_IS_EIP_RUNNING = "se.leap.bitmaskclient.IS_RUNNING";
+ public final static String ACTION_START_EIP = "se.leap.leapclient.START_EIP";
+ public final static String ACTION_STOP_EIP = "se.leap.leapclient.STOP_EIP";
+ public final static String ACTION_UPDATE_EIP_SERVICE = "se.leap.leapclient.UPDATE_EIP_SERVICE";
+ public final static String AUTHED_EIP = "authed_eip";
+ public final static String ACTION_IS_EIP_RUNNING = "se.leap.leapclient.IS_RUNNING";
public final static String EIP_NOTIFICATION = "EIP_NOTIFICATION";
public final static String ALLOWED_ANON = "allow_anonymous";
public final static String CERTIFICATE = "cert";
@@ -72,6 +73,7 @@ public final class EIP extends IntentService {
public final static String RECEIVER_TAG = "receiverTag";
public final static String REQUEST_TAG = "requestTag";
+
private static Context context;
private static ResultReceiver mReceiver;
private static OpenVpnService mVpnService;
diff --git a/src/se/leap/bitmaskclient/PRNGFixes.java b/src/se/leap/bitmaskclient/PRNGFixes.java
new file mode 100644
index 00000000..a046f01f
--- /dev/null
+++ b/src/se/leap/bitmaskclient/PRNGFixes.java
@@ -0,0 +1,338 @@
+package se.leap.bitmaskclient;
+
+/*
+ * This software is provided 'as-is', without any express or implied
+ * warranty. In no event will Google be held liable for any damages
+ * arising from the use of this software.
+ *
+ * Permission is granted to anyone to use this software for any purpose,
+ * including commercial applications, and to alter it and redistribute it
+ * freely, as long as the origin is not misrepresented.
+ *
+ * Source: http://android-developers.blogspot.de/2013/08/some-securerandom-thoughts.html
+ */
+
+import android.os.Build;
+import android.os.Process;
+import android.util.Log;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.UnsupportedEncodingException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.SecureRandomSpi;
+import java.security.Security;
+
+/**
+ * Fixes for the output of the default PRNG having low entropy.
+ *
+ * The fixes need to be applied via {@link #apply()} before any use of Java
+ * Cryptography Architecture primitives. A good place to invoke them is in the
+ * application's {@code onCreate}.
+ */
+public final class PRNGFixes {
+
+ private static final int VERSION_CODE_JELLY_BEAN = 16;
+ private static final int VERSION_CODE_JELLY_BEAN_MR2 = 18;
+ private static final byte[] BUILD_FINGERPRINT_AND_DEVICE_SERIAL =
+ getBuildFingerprintAndDeviceSerial();
+
+ /** Hidden constructor to prevent instantiation. */
+ private PRNGFixes() {}
+
+ /**
+ * Applies all fixes.
+ *
+ * @throws SecurityException if a fix is needed but could not be applied.
+ */
+ public static void apply() {
+ applyOpenSSLFix();
+ installLinuxPRNGSecureRandom();
+ }
+
+ /**
+ * Applies the fix for OpenSSL PRNG having low entropy. Does nothing if the
+ * fix is not needed.
+ *
+ * @throws SecurityException if the fix is needed but could not be applied.
+ */
+ private static void applyOpenSSLFix() throws SecurityException {
+ if ((Build.VERSION.SDK_INT < VERSION_CODE_JELLY_BEAN)
+ || (Build.VERSION.SDK_INT > VERSION_CODE_JELLY_BEAN_MR2)) {
+ // No need to apply the fix
+ return;
+ }
+
+ try {
+ // Mix in the device- and invocation-specific seed.
+ Class.forName("org.apache.harmony.xnet.provider.jsse.NativeCrypto")
+ .getMethod("RAND_seed", byte[].class)
+ .invoke(null, generateSeed());
+
+ // Mix output of Linux PRNG into OpenSSL's PRNG
+ int bytesRead = (Integer) Class.forName(
+ "org.apache.harmony.xnet.provider.jsse.NativeCrypto")
+ .getMethod("RAND_load_file", String.class, long.class)
+ .invoke(null, "/dev/urandom", 1024);
+ if (bytesRead != 1024) {
+ throw new IOException(
+ "Unexpected number of bytes read from Linux PRNG: "
+ + bytesRead);
+ }
+ } catch (Exception e) {
+ throw new SecurityException("Failed to seed OpenSSL PRNG", e);
+ }
+ }
+
+ /**
+ * Installs a Linux PRNG-backed {@code SecureRandom} implementation as the
+ * default. Does nothing if the implementation is already the default or if
+ * there is not need to install the implementation.
+ *
+ * @throws SecurityException if the fix is needed but could not be applied.
+ */
+ private static void installLinuxPRNGSecureRandom()
+ throws SecurityException {
+ if (Build.VERSION.SDK_INT > VERSION_CODE_JELLY_BEAN_MR2) {
+ // No need to apply the fix
+ return;
+ }
+
+ // Install a Linux PRNG-based SecureRandom implementation as the
+ // default, if not yet installed.
+ Provider[] secureRandomProviders =
+ Security.getProviders("SecureRandom.SHA1PRNG");
+ if ((secureRandomProviders == null)
+ || (secureRandomProviders.length < 1)
+ || (!LinuxPRNGSecureRandomProvider.class.equals(
+ secureRandomProviders[0].getClass()))) {
+ Security.insertProviderAt(new LinuxPRNGSecureRandomProvider(), 1);
+ }
+
+ // Assert that new SecureRandom() and
+ // SecureRandom.getInstance("SHA1PRNG") return a SecureRandom backed
+ // by the Linux PRNG-based SecureRandom implementation.
+ SecureRandom rng1 = new SecureRandom();
+ if (!LinuxPRNGSecureRandomProvider.class.equals(
+ rng1.getProvider().getClass())) {
+ throw new SecurityException(
+ "new SecureRandom() backed by wrong Provider: "
+ + rng1.getProvider().getClass());
+ }
+
+ SecureRandom rng2;
+ try {
+ rng2 = SecureRandom.getInstance("SHA1PRNG");
+ } catch (NoSuchAlgorithmException e) {
+ throw new SecurityException("SHA1PRNG not available", e);
+ }
+ if (!LinuxPRNGSecureRandomProvider.class.equals(
+ rng2.getProvider().getClass())) {
+ throw new SecurityException(
+ "SecureRandom.getInstance(\"SHA1PRNG\") backed by wrong"
+ + " Provider: " + rng2.getProvider().getClass());
+ }
+ }
+
+ /**
+ * {@code Provider} of {@code SecureRandom} engines which pass through
+ * all requests to the Linux PRNG.
+ */
+ private static class LinuxPRNGSecureRandomProvider extends Provider {
+
+ public LinuxPRNGSecureRandomProvider() {
+ super("LinuxPRNG",
+ 1.0,
+ "A Linux-specific random number provider that uses"
+ + " /dev/urandom");
+ // Although /dev/urandom is not a SHA-1 PRNG, some apps
+ // explicitly request a SHA1PRNG SecureRandom and we thus need to
+ // prevent them from getting the default implementation whose output
+ // may have low entropy.
+ put("SecureRandom.SHA1PRNG", LinuxPRNGSecureRandom.class.getName());
+ put("SecureRandom.SHA1PRNG ImplementedIn", "Software");
+ }
+ }
+
+ /**
+ * {@link SecureRandomSpi} which passes all requests to the Linux PRNG
+ * ({@code /dev/urandom}).
+ */
+ public static class LinuxPRNGSecureRandom extends SecureRandomSpi {
+
+ /*
+ * IMPLEMENTATION NOTE: Requests to generate bytes and to mix in a seed
+ * are passed through to the Linux PRNG (/dev/urandom). Instances of
+ * this class seed themselves by mixing in the current time, PID, UID,
+ * build fingerprint, and hardware serial number (where available) into
+ * Linux PRNG.
+ *
+ * Concurrency: Read requests to the underlying Linux PRNG are
+ * serialized (on sLock) to ensure that multiple threads do not get
+ * duplicated PRNG output.
+ */
+
+ private static final File URANDOM_FILE = new File("/dev/urandom");
+
+ private static final Object sLock = new Object();
+
+ /**
+ * Input stream for reading from Linux PRNG or {@code null} if not yet
+ * opened.
+ *
+ * @GuardedBy("sLock")
+ */
+ private static DataInputStream sUrandomIn;
+
+ /**
+ * Output stream for writing to Linux PRNG or {@code null} if not yet
+ * opened.
+ *
+ * @GuardedBy("sLock")
+ */
+ private static OutputStream sUrandomOut;
+
+ /**
+ * Whether this engine instance has been seeded. This is needed because
+ * each instance needs to seed itself if the client does not explicitly
+ * seed it.
+ */
+ private boolean mSeeded;
+
+ @Override
+ protected void engineSetSeed(byte[] bytes) {
+ try {
+ OutputStream out;
+ synchronized (sLock) {
+ out = getUrandomOutputStream();
+ }
+ out.write(bytes);
+ out.flush();
+ } catch (IOException e) {
+ // On a small fraction of devices /dev/urandom is not writable.
+ // Log and ignore.
+ Log.w(PRNGFixes.class.getSimpleName(),
+ "Failed to mix seed into " + URANDOM_FILE);
+ } finally {
+ mSeeded = true;
+ }
+ }
+
+ @Override
+ protected void engineNextBytes(byte[] bytes) {
+ if (!mSeeded) {
+ // Mix in the device- and invocation-specific seed.
+ engineSetSeed(generateSeed());
+ }
+
+ try {
+ DataInputStream in;
+ synchronized (sLock) {
+ in = getUrandomInputStream();
+ }
+ synchronized (in) {
+ in.readFully(bytes);
+ }
+ } catch (IOException e) {
+ throw new SecurityException(
+ "Failed to read from " + URANDOM_FILE, e);
+ }
+ }
+
+ @Override
+ protected byte[] engineGenerateSeed(int size) {
+ byte[] seed = new byte[size];
+ engineNextBytes(seed);
+ return seed;
+ }
+
+ private DataInputStream getUrandomInputStream() {
+ synchronized (sLock) {
+ if (sUrandomIn == null) {
+ // NOTE: Consider inserting a BufferedInputStream between
+ // DataInputStream and FileInputStream if you need higher
+ // PRNG output performance and can live with future PRNG
+ // output being pulled into this process prematurely.
+ try {
+ sUrandomIn = new DataInputStream(
+ new FileInputStream(URANDOM_FILE));
+ } catch (IOException e) {
+ throw new SecurityException("Failed to open "
+ + URANDOM_FILE + " for reading", e);
+ }
+ }
+ return sUrandomIn;
+ }
+ }
+
+ private OutputStream getUrandomOutputStream() throws IOException {
+ synchronized (sLock) {
+ if (sUrandomOut == null) {
+ sUrandomOut = new FileOutputStream(URANDOM_FILE);
+ }
+ return sUrandomOut;
+ }
+ }
+ }
+
+ /**
+ * Generates a device- and invocation-specific seed to be mixed into the
+ * Linux PRNG.
+ */
+ private static byte[] generateSeed() {
+ try {
+ ByteArrayOutputStream seedBuffer = new ByteArrayOutputStream();
+ DataOutputStream seedBufferOut =
+ new DataOutputStream(seedBuffer);
+ seedBufferOut.writeLong(System.currentTimeMillis());
+ seedBufferOut.writeLong(System.nanoTime());
+ seedBufferOut.writeInt(Process.myPid());
+ seedBufferOut.writeInt(Process.myUid());
+ seedBufferOut.write(BUILD_FINGERPRINT_AND_DEVICE_SERIAL);
+ seedBufferOut.close();
+ return seedBuffer.toByteArray();
+ } catch (IOException e) {
+ throw new SecurityException("Failed to generate seed", e);
+ }
+ }
+
+ /**
+ * Gets the hardware serial number of this device.
+ *
+ * @return serial number or {@code null} if not available.
+ */
+ private static String getDeviceSerialNumber() {
+ // We're using the Reflection API because Build.SERIAL is only available
+ // since API Level 9 (Gingerbread, Android 2.3).
+ try {
+ return (String) Build.class.getField("SERIAL").get(null);
+ } catch (Exception ignored) {
+ return null;
+ }
+ }
+
+ private static byte[] getBuildFingerprintAndDeviceSerial() {
+ StringBuilder result = new StringBuilder();
+ String fingerprint = Build.FINGERPRINT;
+ if (fingerprint != null) {
+ result.append(fingerprint);
+ }
+ String serial = getDeviceSerialNumber();
+ if (serial != null) {
+ result.append(serial);
+ }
+ try {
+ return result.toString().getBytes("UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new RuntimeException("UTF-8 encoding not supported");
+ }
+ }
+}
diff --git a/src/se/leap/bitmaskclient/ProviderAPI.java b/src/se/leap/bitmaskclient/ProviderAPI.java
index 25e9af45..6ed3a294 100644
--- a/src/se/leap/bitmaskclient/ProviderAPI.java
+++ b/src/se/leap/bitmaskclient/ProviderAPI.java
@@ -57,6 +57,7 @@ import org.apache.http.client.ClientProtocolException;
import org.jboss.security.srp.SRPParameters;
import org.json.JSONException;
import org.json.JSONObject;
+import org.json.JSONStringer;
import se.leap.bitmaskclient.R;
import se.leap.bitmaskclient.ProviderListContent.ProviderItem;
@@ -128,14 +129,8 @@ public class ProviderAPI extends IntentService {
CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER) );
}
- private void displayToast(final int toast_string_id) {
- mHandler.post(new Runnable() {
-
- @Override
- public void run() {
- Toast.makeText(ProviderAPI.this, toast_string_id, Toast.LENGTH_LONG).show();
- }
- });
+ private String formatErrorMessage(final int toast_string_id) {
+ return "{ \"" + ERRORS + "\" : \""+getResources().getString(toast_string_id)+"\" }";
}
@Override
@@ -145,10 +140,11 @@ public class ProviderAPI extends IntentService {
Bundle parameters = command.getBundleExtra(PARAMETERS);
if(action.equalsIgnoreCase(DOWNLOAD_JSON_FILES_BUNDLE_EXTRA)) {
- if(!downloadJsonFiles(parameters)) {
- receiver.send(INCORRECTLY_DOWNLOADED_JSON_FILES, Bundle.EMPTY);
- } else {
+ Bundle result = downloadJsonFiles(parameters);
+ if(result.getBoolean(RESULT_KEY)) {
receiver.send(CORRECTLY_DOWNLOADED_JSON_FILES, Bundle.EMPTY);
+ } else {
+ receiver.send(INCORRECTLY_DOWNLOADED_JSON_FILES, result);
}
} else if(action.equalsIgnoreCase(UPDATE_PROVIDER_DOTJSON)) {
Bundle result = updateProviderDotJSON(parameters);
@@ -162,7 +158,7 @@ public class ProviderAPI extends IntentService {
if(result.getBoolean(RESULT_KEY)) {
receiver.send(CORRECTLY_UPDATED_PROVIDER_DOT_JSON, result);
} else {
- receiver.send(INCORRECTLY_DOWNLOADED_JSON_FILES, Bundle.EMPTY);
+ receiver.send(INCORRECTLY_DOWNLOADED_JSON_FILES, result);
}
} else if (action.equalsIgnoreCase(SRP_AUTH)) {
Bundle session_id_bundle = authenticateBySRP(parameters);
@@ -191,28 +187,53 @@ public class ProviderAPI extends IntentService {
* @param task
* @return true if eip-service.json was parsed as a JSON object correctly.
*/
- private boolean downloadJsonFiles(Bundle task) {
+ private Bundle downloadJsonFiles(Bundle task) {
+ Bundle result = new Bundle();
String cert_url = task.getString(Provider.CA_CERT);
String eip_service_json_url = task.getString(EIP.KEY);
boolean danger_on = task.getBoolean(ProviderItem.DANGER_ON);
try {
String cert_string = downloadWithCommercialCA(cert_url, danger_on);
- if(cert_string.isEmpty()) return false;
- X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(cert_string);
- cert_string = Base64.encodeToString( certCert.getEncoded(), Base64.DEFAULT);
- ConfigHelper.saveSharedPref(Provider.CA_CERT, "-----BEGIN CERTIFICATE-----\n"+cert_string+"-----END CERTIFICATE-----");
-
- String eip_service_string = downloadWithCommercialCA(eip_service_json_url, danger_on);
- ConfigHelper.saveSharedPref(EIP.KEY, new JSONObject(eip_service_string));
-
- return true;
+
+ if(ConfigHelper.checkErroneousDownload(cert_string)) {
+ JSONObject possible_errors = new JSONObject(cert_string);
+ String reason_to_fail = "";
+ if(cert_string.isEmpty())
+ reason_to_fail = "Empty certificate downloaded";
+ else
+ reason_to_fail = possible_errors.getString(ERRORS);
+ result.putString(ERRORS, reason_to_fail);
+ result.putBoolean(RESULT_KEY, false);
+ } else {
+ X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(cert_string);
+ cert_string = Base64.encodeToString( certCert.getEncoded(), Base64.DEFAULT);
+ ConfigHelper.saveSharedPref(Provider.CA_CERT, "-----BEGIN CERTIFICATE-----\n"+cert_string+"-----END CERTIFICATE-----");
+ }
} catch (JSONException e) {
- return false;
+ e.printStackTrace();
+ result.putBoolean(RESULT_KEY, false);
} catch (CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- return false;
+ result.putBoolean(RESULT_KEY, false);
+ }
+
+ try {
+ String eip_service_string = downloadWithCommercialCA(eip_service_json_url, danger_on);
+ JSONObject eip_service_json = new JSONObject(eip_service_string);
+ if(eip_service_json.has(ERRORS)) {
+ String reason_to_fail = eip_service_json.getString(ERRORS);
+ result.putString(ERRORS, reason_to_fail);
+ result.putBoolean(RESULT_KEY, false);
+ }
+ else ConfigHelper.saveSharedPref(EIP.KEY, eip_service_json);
+
+ result.putBoolean(RESULT_KEY, true);
+ } catch (JSONException e) {
+ result.putBoolean(RESULT_KEY, false);
}
+
+ return result;
}
/**
@@ -458,12 +479,18 @@ public class ProviderAPI extends IntentService {
result.putBoolean(RESULT_KEY, false);
} else {
JSONObject provider_json = new JSONObject(provider_dot_json_string);
- ConfigHelper.saveSharedPref(EIP.ALLOWED_ANON, provider_json.getJSONObject(Provider.SERVICE).getBoolean(EIP.ALLOWED_ANON));
+ if(provider_json.has(ERRORS)) {
+ String reason_to_fail = provider_json.getString(ERRORS);
+ result.putString(ERRORS, reason_to_fail);
+ result.putBoolean(RESULT_KEY, false);
+ } else {
+ ConfigHelper.saveSharedPref(EIP.ALLOWED_ANON, provider_json.getJSONObject(Provider.SERVICE).getBoolean(EIP.ALLOWED_ANON));
- //ProviderListContent.addItem(new ProviderItem(provider_name, provider_json_url, provider_json, custom, danger_on));
- result.putBoolean(RESULT_KEY, true);
- result.putString(Provider.KEY, provider_json.toString());
- result.putBoolean(ProviderItem.DANGER_ON, danger_on);
+ //ProviderListContent.addItem(new ProviderItem(provider_name, provider_json_url, provider_json, custom, danger_on));
+ result.putBoolean(RESULT_KEY, true);
+ result.putString(Provider.KEY, provider_json.toString());
+ result.putBoolean(ProviderItem.DANGER_ON, danger_on);
+ }
}
} catch (JSONException e) {
result.putBoolean(RESULT_KEY, false);
@@ -493,19 +520,26 @@ public class ProviderAPI extends IntentService {
} else {
JSONObject provider_json = new JSONObject(provider_json_string);
- ConfigHelper.saveSharedPref(Provider.KEY, provider_json);
- ConfigHelper.saveSharedPref(ProviderItem.DANGER_ON, danger_on);
- ConfigHelper.saveSharedPref(EIP.ALLOWED_ANON, provider_json.getJSONObject(Provider.SERVICE).getBoolean(EIP.ALLOWED_ANON));
- ProviderItem added_provider = new ProviderItem(provider_name, provider_json_url, provider_json, custom, danger_on);
- ProviderListContent.addItem(added_provider);
-
- result.putString(Provider.NAME, added_provider.getName());
- result.putBoolean(RESULT_KEY, true);
- result.putString(Provider.KEY, provider_json.toString());
- result.putBoolean(ProviderItem.DANGER_ON, danger_on);
+ if(provider_json.has(ERRORS)) {
+ String reason_to_fail = provider_json.getString(ERRORS);
+ result.putString(ERRORS, reason_to_fail);
+ result.putBoolean(RESULT_KEY, false);
+ } else {
+ ConfigHelper.saveSharedPref(Provider.KEY, provider_json);
+ ConfigHelper.saveSharedPref(ProviderItem.DANGER_ON, danger_on);
+ ConfigHelper.saveSharedPref(EIP.ALLOWED_ANON, provider_json.getJSONObject(Provider.SERVICE).getBoolean(EIP.ALLOWED_ANON));
+ ProviderItem added_provider = new ProviderItem(provider_name, provider_json_url, provider_json, custom, danger_on);
+ ProviderListContent.addItem(added_provider);
+
+ result.putString(Provider.NAME, added_provider.getName());
+ result.putBoolean(RESULT_KEY, true);
+ result.putString(Provider.KEY, provider_json.toString());
+ result.putBoolean(ProviderItem.DANGER_ON, danger_on);
+ }
}
} catch (JSONException e) {
result.putBoolean(RESULT_KEY, false);
+ result.putString(ERRORS, "Corrupt download");
}
return result;
@@ -531,17 +565,14 @@ public class ProviderAPI extends IntentService {
url_connection.setConnectTimeout(seconds_of_timeout*1000);
json_file_content = new Scanner(url_connection.getInputStream()).useDelimiter("\\A").next();
} catch (MalformedURLException e) {
- displayToast(R.string.malformed_url);
+ json_file_content = formatErrorMessage(R.string.malformed_url);
} catch(SocketTimeoutException e) {
- displayToast(R.string.server_is_down_message);
- } catch (FileNotFoundException e) {
- e.printStackTrace();
- displayToast(R.string.server_is_down_message);
+ json_file_content = formatErrorMessage(R.string.server_is_down_message);
} catch (IOException e) {
if(provider_url != null) {
json_file_content = downloadWithProviderCA(provider_url, danger_on);
} else {
- displayToast(R.string.certificate_error);
+ json_file_content = formatErrorMessage(R.string.certificate_error);
}
} catch (Exception e) {
if(provider_url != null && danger_on) {
@@ -553,7 +584,7 @@ public class ProviderAPI extends IntentService {
}
/**
- * Tries to download the contents of the provided url using not commercially validated CA certificate from chosen provider.
+ * Tries to download the contents of the provided url using not commercially validated CA certificate from chosen provider.
* @param url
* @param danger_on true to download CA certificate in case it has not been downloaded.
* @return an empty string if it fails, the url content if not.
@@ -571,16 +602,13 @@ public class ProviderAPI extends IntentService {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (UnknownHostException e) {
- displayToast(R.string.server_is_down_message);
- } catch (FileNotFoundException e) {
- e.printStackTrace();
- displayToast(R.string.server_is_down_message);
+ json_file_content = formatErrorMessage(R.string.server_is_down_message);
} catch (IOException e) {
// The downloaded certificate doesn't validate our https connection.
if(danger_on) {
json_file_content = downloadWithoutCA(url);
} else {
- displayToast(R.string.certificate_error);
+ json_file_content = formatErrorMessage(R.string.certificate_error);
}
} catch (KeyStoreException e) {
// TODO Auto-generated catch block
@@ -656,11 +684,11 @@ public class ProviderAPI extends IntentService {
System.out.println("String ignoring certificate = " + string);
} catch (FileNotFoundException e) {
e.printStackTrace();
- displayToast(R.string.server_is_down_message);
+ string = formatErrorMessage(R.string.server_is_down_message);
} catch (IOException e) {
// The downloaded certificate doesn't validate our https connection.
e.printStackTrace();
- displayToast(R.string.certificate_error);
+ string = formatErrorMessage(R.string.certificate_error);
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
@@ -740,32 +768,40 @@ public class ProviderAPI extends IntentService {
boolean danger_on = ConfigHelper.getBoolFromSharedPref(ProviderItem.DANGER_ON);
String cert_string = downloadWithCommercialCA(new_cert_string_url, danger_on);
if(!cert_string.isEmpty()) {
- // API returns concatenated cert & key. Split them for OpenVPN options
- String certificateString = null, keyString = null;
- String[] certAndKey = cert_string.split("(?<=-\n)");
- for (int i=0; i < certAndKey.length-1; i++){
- if ( certAndKey[i].contains("KEY") ) {
- keyString = certAndKey[i++] + certAndKey[i];
+ if(ConfigHelper.checkErroneousDownload(cert_string)) {
+ String reason_to_fail = provider_json.getString(ERRORS);
+ //result.putString(ConfigHelper.ERRORS_KEY, reason_to_fail);
+ //result.putBoolean(ConfigHelper.RESULT_KEY, false);
+ return false;
+ } else {
+
+ // API returns concatenated cert & key. Split them for OpenVPN options
+ String certificateString = null, keyString = null;
+ String[] certAndKey = cert_string.split("(?<=-\n)");
+ for (int i=0; i < certAndKey.length-1; i++){
+ if ( certAndKey[i].contains("KEY") ) {
+ keyString = certAndKey[i++] + certAndKey[i];
+ }
+ else if ( certAndKey[i].contains("CERTIFICATE") ) {
+ certificateString = certAndKey[i++] + certAndKey[i];
+ }
}
- else if ( certAndKey[i].contains("CERTIFICATE") ) {
- certificateString = certAndKey[i++] + certAndKey[i];
+ try {
+ RSAPrivateKey keyCert = ConfigHelper.parseRsaKeyFromString(keyString);
+ keyString = Base64.encodeToString( keyCert.getEncoded(), Base64.DEFAULT );
+ ConfigHelper.saveSharedPref(EIP.PRIVATE_KEY, "-----BEGIN RSA PRIVATE KEY-----\n"+keyString+"-----END RSA PRIVATE KEY-----");
+
+ X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(certificateString);
+ certificateString = Base64.encodeToString( certCert.getEncoded(), Base64.DEFAULT);
+ ConfigHelper.saveSharedPref(EIP.CERTIFICATE, "-----BEGIN CERTIFICATE-----\n"+certificateString+"-----END CERTIFICATE-----");
+
+ return true;
+ } catch (CertificateException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ return false;
}
}
- try {
- RSAPrivateKey keyCert = ConfigHelper.parseRsaKeyFromString(keyString);
- keyString = Base64.encodeToString( keyCert.getEncoded(), Base64.DEFAULT );
- ConfigHelper.saveSharedPref(EIP.PRIVATE_KEY, "-----BEGIN RSA PRIVATE KEY-----\n"+keyString+"-----END RSA PRIVATE KEY-----");
-
- X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(certificateString);
- certificateString = Base64.encodeToString( certCert.getEncoded(), Base64.DEFAULT);
- ConfigHelper.saveSharedPref(EIP.CERTIFICATE, "-----BEGIN CERTIFICATE-----\n"+certificateString+"-----END CERTIFICATE-----");
-
- return true;
- } catch (CertificateException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- return false;
- }
} else {
return false;
}
diff --git a/src/se/leap/openvpn/OpenVPN.java b/src/se/leap/openvpn/OpenVPN.java
index c6055abd..d7d17b4f 100644
--- a/src/se/leap/openvpn/OpenVPN.java
+++ b/src/se/leap/openvpn/OpenVPN.java
@@ -9,6 +9,7 @@ import se.leap.bitmaskclient.R;
import android.content.Context;
import android.os.Build;
+import android.util.Log;
public class OpenVPN {
@@ -57,6 +58,7 @@ public class OpenVPN {
public LogItem(String message) {
+
mMessage = message;
}
@@ -113,7 +115,7 @@ public class OpenVPN {
synchronized static void logMessage(int level,String prefix, String message)
{
newlogItem(new LogItem(prefix + message));
-
+ Log.d("OpenVPN log item", message);
}
synchronized static void clearLog() {
diff --git a/src/se/leap/openvpn/OpenVpnManagementThread.java b/src/se/leap/openvpn/OpenVpnManagementThread.java
index 028c6ec7..78ce5a2b 100644
--- a/src/se/leap/openvpn/OpenVpnManagementThread.java
+++ b/src/se/leap/openvpn/OpenVpnManagementThread.java
@@ -182,7 +182,6 @@ public class OpenVpnManagementThread implements Runnable {
String cmd = parts[0].substring(1);
String argument = parts[1];
-
if(cmd.equals("INFO")) {
// Ignore greeting from mgmt
//logStatusMessage(command);
@@ -273,13 +272,14 @@ public class OpenVpnManagementThread implements Runnable {
private void processState(String argument) {
String[] args = argument.split(",",3);
String currentstate = args[1];
+ Log.d("OpenVPN log", argument);
if(args[2].equals(",,"))
OpenVPN.updateStateString(currentstate,"");
else
OpenVPN.updateStateString(currentstate,args[2]);
}
-
+ private static int repeated_byte_counts = 0;
private void processByteCount(String argument) {
// >BYTECOUNT:{BYTES_IN},{BYTES_OUT}
int comma = argument.indexOf(',');
@@ -288,7 +288,10 @@ public class OpenVpnManagementThread implements Runnable {
long diffin = in - mLastIn;
long diffout = out - mLastOut;
-
+ if(diffin == 0 && diffout == 0)
+ repeated_byte_counts++;
+ if(repeated_byte_counts > 3)
+ Log.d("OpenVPN log", "Repeated byte count = " + repeated_byte_counts);
mLastIn=in;
mLastOut=out;
@@ -330,7 +333,8 @@ public class OpenVpnManagementThread implements Runnable {
mOpenVPNService.setDomain(extra);
} else if (needed.equals("ROUTE")) {
String[] routeparts = extra.split(" ");
- mOpenVPNService.addRoute(routeparts[0], routeparts[1]);
+ if(!mOpenVPNService.isRunning()) // We cannot add routes to an existing openvpn session
+ mOpenVPNService.addRoute(routeparts[0], routeparts[1]);
} else if (needed.equals("ROUTE6")) {
mOpenVPNService.addRoutev6(extra);
} else if (needed.equals("IFCONFIG")) {
diff --git a/src/se/leap/openvpn/VpnProfile.java b/src/se/leap/openvpn/VpnProfile.java
index 8eebb763..41cf574b 100644
--- a/src/se/leap/openvpn/VpnProfile.java
+++ b/src/se/leap/openvpn/VpnProfile.java
@@ -108,7 +108,7 @@ public class VpnProfile implements Serializable{
public String mKeyPassword="";
public boolean mPersistTun = false;
public String mConnectRetryMax="5";
- public String mConnectRetry="5";
+ public String mConnectRetry="10";
public boolean mUserEditable=true;
static final String MINIVPN = "miniopenvpn";
@@ -211,7 +211,7 @@ public class VpnProfile implements Serializable{
cfg+="connect-retry-max " + mConnectRetryMax+ "\n";
if(mConnectRetry==null)
- mConnectRetry="5";
+ mConnectRetry="10";
cfg+="connect-retry " + mConnectRetry + "\n";