From 0393ba6656ce6cf679a2c4663275b3ed0f1a34b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Thu, 31 Jul 2014 12:09:49 +0200 Subject: Updated ics-openvpn to rev 859 + no 2nd notification. --- .../main/java/de/blinkt/openvpn/VpnProfile.java | 92 +++++++++++----------- 1 file changed, 45 insertions(+), 47 deletions(-) (limited to 'app/src/main/java/de/blinkt/openvpn/VpnProfile.java') diff --git a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java index 0166eb98..d44d0f5a 100644 --- a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -4,6 +4,7 @@ import se.leap.bitmaskclient.R; import se.leap.bitmaskclient.R; +import android.annotation.SuppressLint; import android.content.Context; import android.content.Intent; import android.content.SharedPreferences; @@ -14,6 +15,7 @@ import android.os.Build; import android.preference.PreferenceManager; import android.security.KeyChain; import android.security.KeyChainException; +import android.text.TextUtils; import android.util.Base64; import org.spongycastle.util.io.pem.PemObject; @@ -115,8 +117,8 @@ public class VpnProfile implements Serializable { public boolean mUseDefaultRoute = true; public boolean mUsePull = true; public String mCustomRoutes; - public boolean mCheckRemoteCN = false; - public boolean mExpectTLSCert = true; + public boolean mCheckRemoteCN = true; + public boolean mExpectTLSCert = false; public String mRemoteCN = ""; public String mPassword = ""; public String mUsername = ""; @@ -181,6 +183,7 @@ public class VpnProfile implements Serializable { mUseDefaultRoute = false; mUseDefaultRoutev6 = false; mExpectTLSCert = false; + mCheckRemoteCN = false; mPersistTun = false; mAllowLocalLAN = true; } @@ -199,10 +202,7 @@ public class VpnProfile implements Serializable { public void upgradeProfile(){ if(mProfileVersion< 2) { /* default to the behaviour the OS used */ - if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) - mAllowLocalLAN = true; - else - mAllowLocalLAN = false; + mAllowLocalLAN = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; } mProfileVersion= CURRENT_PROFILE_VERSION; @@ -213,7 +213,7 @@ public class VpnProfile implements Serializable { File cacheDir = context.getCacheDir(); String cfg = ""; - // Enable managment interface + // Enable management interface cfg += "# Enables connection to GUI\n"; cfg += "management "; @@ -230,6 +230,9 @@ public class VpnProfile implements Serializable { cfg += "machine-readable-output\n"; + // Users are confused by warnings that are misleading... + cfg += "ifconfig-nowarn\n"; + boolean useTLSClient = (mAuthenticationType != TYPE_STATICKEYS); @@ -327,7 +330,7 @@ public class VpnProfile implements Serializable { else cfg += insertFileData("tls-auth", mTLSAuthFilename); - if (nonNull(mTLSAuthDirection)) { + if (!TextUtils.isEmpty(mTLSAuthDirection)) { cfg += "key-direction "; cfg += mTLSAuthDirection; cfg += "\n"; @@ -336,10 +339,10 @@ public class VpnProfile implements Serializable { } if (!mUsePull) { - if (nonNull(mIPv4Address)) + if (!TextUtils.isEmpty(mIPv4Address)) cfg += "ifconfig " + cidrToIPAndNetmask(mIPv4Address) + "\n"; - if (nonNull(mIPv6Address)) + if (!TextUtils.isEmpty(mIPv6Address)) cfg += "ifconfig-ipv6 " + mIPv6Address + "\n"; } @@ -377,11 +380,11 @@ public class VpnProfile implements Serializable { cfg += routes; if (mOverrideDNS || !mUsePull) { - if (nonNull(mDNS1)) + if (!TextUtils.isEmpty(mDNS1)) cfg += "dhcp-option DNS " + mDNS1 + "\n"; - if (nonNull(mDNS2)) + if (!TextUtils.isEmpty(mDNS2)) cfg += "dhcp-option DNS " + mDNS2 + "\n"; - if (nonNull(mSearchDomain)) + if (!TextUtils.isEmpty(mSearchDomain)) cfg += "dhcp-option DOMAIN " + mSearchDomain + "\n"; } @@ -422,11 +425,11 @@ public class VpnProfile implements Serializable { cfg += "remote-cert-tls server\n"; } - if (nonNull(mCipher)) { + if (!TextUtils.isEmpty(mCipher)) { cfg += "cipher " + mCipher + "\n"; } - if (nonNull(mAuth)) { + if (!TextUtils.isEmpty(mAuth)) { cfg += "auth " + mAuth + "\n"; } @@ -488,13 +491,6 @@ public class VpnProfile implements Serializable { } } - private boolean nonNull(String val) { - if (val == null || val.equals("")) - return false; - else - return true; - } - private Collection getCustomRoutes(String routes) { Vector cidrRoutes = new Vector(); if (routes == null) { @@ -636,8 +632,8 @@ public class VpnProfile implements Serializable { synchronized String[] getKeyStoreCertificates(Context context,int tries) { PrivateKey privateKey = null; - X509Certificate[] cachain; - Exception exp=null; + X509Certificate[] caChain; + Exception exp; try { privateKey = KeyChain.getPrivateKey(context, mAlias); mPrivateKey = privateKey; @@ -645,18 +641,18 @@ public class VpnProfile implements Serializable { String keystoreChain = null; - cachain = KeyChain.getCertificateChain(context, mAlias); - if(cachain == null) + caChain = KeyChain.getCertificateChain(context, mAlias); + if(caChain == null) throw new NoCertReturnedException("No certificate returned from Keystore"); - if (cachain.length <= 1 && !nonNull(mCaFilename)) { + if (caChain.length <= 1 && TextUtils.isEmpty(mCaFilename)) { VpnStatus.logMessage(VpnStatus.LogLevel.ERROR, "", context.getString(R.string.keychain_nocacert)); } else { StringWriter ksStringWriter = new StringWriter(); PemWriter pw = new PemWriter(ksStringWriter); - for (int i = 1; i < cachain.length; i++) { - X509Certificate cert = cachain[i]; + for (int i = 1; i < caChain.length; i++) { + X509Certificate cert = caChain[i]; pw.writeObject(new PemObject("CERTIFICATE", cert.getEncoded())); } pw.close(); @@ -665,7 +661,7 @@ public class VpnProfile implements Serializable { String caout = null; - if (nonNull(mCaFilename)) { + if (!TextUtils.isEmpty(mCaFilename)) { try { Certificate cacert = X509Utils.getCertificateFromFile(mCaFilename); StringWriter caoutWriter = new StringWriter(); @@ -684,8 +680,8 @@ public class VpnProfile implements Serializable { StringWriter certout = new StringWriter(); - if (cachain.length >= 1) { - X509Certificate usercert = cachain[0]; + if (caChain.length >= 1) { + X509Certificate usercert = caChain[0]; PemWriter upw = new PemWriter(certout); upw.writeObject(new PemObject("CERTIFICATE", usercert.getEncoded())); @@ -730,15 +726,14 @@ public class VpnProfile implements Serializable { } return getKeyStoreCertificates(context, tries-1); } - if (exp != null) { - exp.printStackTrace(); - VpnStatus.logError(R.string.keyChainAccessError, exp.getLocalizedMessage()); - VpnStatus.logError(R.string.keychain_access); - if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) { - if (!mAlias.matches("^[a-zA-Z0-9]$")) { - VpnStatus.logError(R.string.jelly_keystore_alphanumeric_bug); - } + exp.printStackTrace(); + VpnStatus.logError(R.string.keyChainAccessError, exp.getLocalizedMessage()); + + VpnStatus.logError(R.string.keychain_access); + if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) { + if (!mAlias.matches("^[a-zA-Z0-9]$")) { + VpnStatus.logError(R.string.jelly_keystore_alphanumeric_bug); } } return null; @@ -801,7 +796,7 @@ public class VpnProfile implements Serializable { } public boolean requireTLSKeyPassword() { - if (!nonNull(mClientKeyFilename)) + if (TextUtils.isEmpty(mClientKeyFilename)) return false; String data = ""; @@ -842,13 +837,13 @@ public class VpnProfile implements Serializable { } if (mAuthenticationType == TYPE_CERTIFICATES || mAuthenticationType == TYPE_USERPASS_CERTIFICATES) { - if (requireTLSKeyPassword() && !nonNull(mKeyPassword)) + if (requireTLSKeyPassword() && TextUtils.isEmpty(mKeyPassword)) if (mTransientPCKS12PW == null) { return R.string.private_key_password; } } - if (isUserPWAuth() && !(nonNull(mUsername) && (nonNull(mPassword) || mTransientPW != null))) { + if (isUserPWAuth() && !(!TextUtils.isEmpty(mUsername) && (!TextUtils.isEmpty(mPassword) || mTransientPW != null))) { return R.string.password; } return 0; @@ -893,12 +888,15 @@ public class VpnProfile implements Serializable { try { + /* ECB is perfectly fine in this special case, since we are using it for + the public/private part in the TLS exchange + */ + @SuppressLint("GetInstance") + Cipher rsaSigner = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); - Cipher rsasinger = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); - - rsasinger.init(Cipher.ENCRYPT_MODE, privkey); + rsaSigner.init(Cipher.ENCRYPT_MODE, privkey); - byte[] signed_bytes = rsasinger.doFinal(data); + byte[] signed_bytes = rsaSigner.doFinal(data); return Base64.encodeToString(signed_bytes, Base64.NO_WRAP); } catch (NoSuchAlgorithmException e) { -- cgit v1.2.3