From 761c936e4f8b929c97f0ae65bc4867883f8da444 Mon Sep 17 00:00:00 2001
From: cyBerta
Date: Wed, 30 Dec 2020 02:05:23 +0100
Subject: update ics-openvpn, openvpn, openssl, prepare Bitmask for Android 11
---
 .../main/java/de/blinkt/openvpn/VpnProfile.java | 7 ++-
 .../de/blinkt/openvpn/core/OpenVPNService.java | 57 ++++++++++++++++++++--
 .../java/de/blinkt/openvpn/core/OpenVPNThread.java | 5 +-
 .../de/blinkt/openvpn/core/VPNLaunchHelper.java | 5 +-
 4 files changed, 67 insertions(+), 7 deletions(-)
(limited to 'app/src/main/java/de/blinkt')
diff --git a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 5df1d56b..3792d092 100644
--- a/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/app/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -165,6 +165,7 @@ public class VpnProfile implements Serializable, Cloneable {
 public boolean mRemoteRandom = false;
 public HashSet mAllowedAppsVpn = new HashSet<>();
 public boolean mAllowedAppsVpnAreDisallowed = true;
+ public boolean mAllowAppVpnBypass = false;
 public String mCrlFilename;
 public String mProfileCreator;
 public String mExternalAuthenticator;
@@ -186,6 +187,7 @@ public class VpnProfile implements Serializable, Cloneable {
 // set members to default values
 private UUID mUuid;
 private int mProfileVersion;
+ public boolean mBlockUnusedAddressFamilies = true;
 public String mGatewayIp;
 public boolean mUsePluggableTransports;
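Review bot: The `= true` initializer on `mBlockUnusedAddressFamilies` does not reach profiles that are read back through Java serialization, which the `Serializable` declaration on this class suggests is how profiles are stored: field initializers of a serializable class are skipped on deserialization and a field missing from an old stream gets the type default, so existing profiles come back with `false`, which in OpenVPNService becomes `allowUnsetAF == true` and lets traffic of an address family the tunnel does not configure leave outside the VPN. The diffstat shows only 7 changed lines in VpnProfile.java, so nothing in this commit bumps `mProfileVersion` or sets the new field in the profile-upgrade path. Suggest bumping the profile version and, for profiles below it, setting `mBlockUnusedAddressFamilies = true` (or `= !mAllowLocalLAN` if the previous behaviour is meant to carry over, since the old gate was `mAllowLocalLAN`), plus a comment on the field such as `// fail closed by default; NOTE old serialized profiles read back as false unless upgraded`. The enclosing class continues outside the hunk.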
@@ -509,15 +511,18 @@ public class VpnProfile implements Serializable, Cloneable {
 if (mUseTLSAuth) {
 boolean useTlsCrypt = mTLSAuthDirection.equals("tls-crypt");
+ boolean useTlsCrypt2 = mTLSAuthDirection.equals("tls-crypt-v2");
 if (mAuthenticationType == TYPE_STATICKEYS)
 cfg.append(insertFileData("secret", mTLSAuthFilename));
 else if (useTlsCrypt)
 cfg.append(insertFileData("tls-crypt", mTLSAuthFilename));
+ else if (useTlsCrypt2)
+ cfg.append(insertFileData("tls-crypt-v2", mTLSAuthFilename));
 else
 cfg.append(insertFileData("tls-auth", mTLSAuthFilename));
- if (!TextUtils.isEmpty(mTLSAuthDirection) && !useTlsCrypt) {
+ if (!TextUtils.isEmpty(mTLSAuthDirection) && !useTlsCrypt && !useTlsCrypt2) {
 cfg.append("key-direction ");
 cfg.append(mTLSAuthDirection);
 cfg.append("\n");
diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
index 7dfacd91..0d4a8037 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNService.java
@@ -199,6 +199,8 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 private boolean runningOnAndroidTV() {
 UiModeManager uiModeManager = (UiModeManager) getSystemService(UI_MODE_SERVICE);
+ if (uiModeManager == null)
+ return false;
 return uiModeManager.getCurrentModeType() == Configuration.UI_MODE_TYPE_TELEVISION;
 }
@@ -393,6 +395,13 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 return;
 }
 String nativeLibraryDirectory = getApplicationInfo().nativeLibraryDir;
+ String tmpDir;
+ try {
+ tmpDir = getApplication().getCacheDir().getCanonicalPath();
+ } catch (IOException e) {
+ e.printStackTrace();
+ tmpDir = "/tmp";
+ }
 // Write OpenVPN binary
 String[] argv = VPNLaunchHelper.buildOpenvpnArgv(this);
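Review bot: The string comparisons now decide both which directive is emitted and whether `key-direction` is written, but nothing in the hunk says why the tls-crypt variants must be excluded from the second condition, so a maintainer adding another mode will likely extend the first chain and miss the second. Add above `boolean useTlsCrypt`: `// mTLSAuthDirection holds the mode name for tls-crypt/tls-crypt-v2 and a key direction (0/1) only for tls-auth, so key-direction is emitted only in the latter case`. Note also that any other non-empty value still falls through to `tls-auth` and is appended verbatim as `key-direction <value>` into the generated config; that is pre-existing, but worth an explicit whitelist now that the set of modes is growing. The enclosing config-generation method starts and ends outside the hunk.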
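Review bot: The catch branch falls back to `tmpDir = "/tmp"`, a path that is normally absent on Android and in any case outside app-private storage, and it reports the failure only through `e.printStackTrace()` while the rest of this method logs through VpnStatus. The only thing that can throw here is `getCanonicalPath()`; `getCacheDir().getAbsolutePath()` cannot throw and stays inside the app sandbox, so the whole try/catch can become `String tmpDir = getApplication().getCacheDir().getAbsolutePath();`, or, if canonicalisation is really needed, the catch should fall back to that absolute path and log via one of the VpnStatus log methods instead of stderr. Presumably openvpn uses this directory for temporary files such as script arguments, which may contain credentials, so it should never point at a shared location. The enclosing method starts and ends outside the hunk.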
@@ -439,7 +448,7 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 processThread = (Runnable) mOpenVPN3;
 mManagement = mOpenVPN3;
 } else {
- processThread = new OpenVPNThread(this, argv, nativeLibraryDirectory);
+ processThread = new OpenVPNThread(this, argv, nativeLibraryDirectory, tmpDir);
 mOpenVPNThread = processThread;
 }
@@ -570,7 +579,8 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 VpnStatus.logInfo(R.string.last_openvpn_tun_config);
- if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && mProfile.mAllowLocalLAN) {
+ boolean allowUnsetAF = Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && !mProfile.mBlockUnusedAddressFamilies;
+ if (allowUnsetAF) {
 allowAllAFFamilies(builder);
 }
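Review bot: `allowUnsetAF` deserves a why-comment, because `allowAllAFFamilies(builder)` (its body starts with `builder.allowFamily(OsConstants.AF_INET)` in a later hunk) tells Android, per the `VpnService.Builder.allowFamily` documentation, not to block an address family the VPN did not configure, i.e. traffic of that family goes out around the tunnel. The gate also changes from `mProfile.mAllowLocalLAN` to `!mProfile.mBlockUnusedAddressFamilies`, a different user setting, which is a behaviour change for existing profiles that the commit message does not mention. Suggest `// let traffic of address families the tunnel does not configure bypass the VPN (leak risk; off by default)` above the `boolean allowUnsetAF` line, and a `VpnStatus.logWarning(...)` inside the `if` so the user-visible log shows when it is active. The enclosing method starts and ends outside the hunk.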
@@ -673,15 +683,34 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 builder.addSearchDomain(mDomain);
 String ipv4info;
+ String ipv6info;
+ if (allowUnsetAF) {
+ ipv4info = "(not set, allowed)";
+ ipv6info = "(not set, allowed)";
+ } else {
+ ipv4info = "(not set)";
+ ipv6info = "(not set)";
+ }
+
 int ipv4len;
 if (mLocalIP!=null) {
 ipv4len=mLocalIP.len;
 ipv4info=mLocalIP.mIp;
 } else {
 ipv4len = -1;
- ipv4info="(not set)";
 }
- VpnStatus.logInfo(R.string.local_ip_info, ipv4info, ipv4len, mLocalIPv6, mMtu);
+
+ if (mLocalIPv6!=null)
+ {
+ ipv6info = mLocalIPv6;
+ }
+
+ if ((!mRoutes.getNetworks(false).isEmpty() || !mRoutesv6.getNetworks(false).isEmpty()) && isLockdownEnabledCompat())
+ {
+ VpnStatus.logInfo("VPN lockdown enabled (do not allow apps to bypass VPN) enabled. Route exclusion will not allow apps to bypass VPN (e.g. bypass VPN for local networks)");
+ }
+
+ VpnStatus.logInfo(R.string.local_ip_info, ipv4info, ipv4len, ipv6info, mMtu);
 VpnStatus.logInfo(R.string.dns_server_info, TextUtils.join(", ", mDnslist), mDomain);
 VpnStatus.logInfo(R.string.routes_info_incl, TextUtils.join(", ", mRoutes.getNetworks(true)), TextUtils.join(", ", mRoutesv6.getNetworks(true)));
 VpnStatus.logInfo(R.string.routes_info_excl, TextUtils.join(", ", mRoutes.getNetworks(false)), TextUtils.join(", ", mRoutesv6.getNetworks(false)));
@@ -694,6 +723,12 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 builder.setUnderlyingNetworks(null);
 }
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ // Setting this false, will cause the VPN to inherit the underlying network metered
+ // value
+ builder.setMetered(false);
+ }
+
 String session = mProfile.mName;
 if (mLocalIP != null && mLocalIPv6 != null)
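Review bot: The lockdown message reads `VPN lockdown enabled (do not allow apps to bypass VPN) enabled.`, with "enabled" twice, and it is a hard-coded English string while every neighbouring call in this hunk logs through an `R.string` resource. Suggest `VpnStatus.logInfo("VPN lockdown (always-on, block connections without VPN) is enabled; excluded routes will not let traffic bypass the VPN (e.g. local networks)");`, or better a resource next to `local_ip_info`. Since `isLockdownEnabledCompat()` returns false below Android Q, users with excluded routes on older devices get no hint at all, so a comment on the `if` such as `// only meaningful on Q+, where lockdown state is queryable` would stop anyone relying on it. The enclosing method starts and ends outside the hunk.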
@@ -736,6 +771,15 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 }
+ private boolean isLockdownEnabledCompat() {
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ return isLockdownEnabled();
+ } else {
+ /* We cannot determine this, return false */
+ return false;
+ }
+ }
+
 @TargetApi(Build.VERSION_CODES.LOLLIPOP)
 private void allowAllAFFamilies(Builder builder) {
 builder.allowFamily(OsConstants.AF_INET);
@@ -822,6 +866,11 @@ public class OpenVPNService extends VpnService implements StateListener, Callbac
 } else {
 VpnStatus.logDebug(R.string.allowed_vpn_apps_info, TextUtils.join(", ", mProfile.mAllowedAppsVpn));
 }
+
+ if (mProfile.mAllowAppVpnBypass) {
+ builder.allowBypass();
+ VpnStatus.logDebug("Apps may bypass VPN");
+ }
 }
 public void addDNS(String dns) {
diff --git a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
index b902f5d7..fc77d9a5 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
@@ -37,15 +37,17 @@ public class OpenVPNThread implements Runnable {
 private String[] mArgv;
 private Process mProcess;
 private String mNativeDir;
+ private String mTmpDir;
 private OpenVPNService mService;
 private String mDumpPath;
 private boolean mBrokenPie = false;
 private boolean mNoProcessExitStatus = false;
- public OpenVPNThread(OpenVPNService service, String[] argv, String nativelibdir) {
+ public OpenVPNThread(OpenVPNService service, String[] argv, String nativelibdir, String tmpdir) {
 mArgv = argv;
 mNativeDir = nativelibdir;
 mService = service;
+ mTmpDir = tmpdir;
 }
 public void stopProcess() {
@@ -128,6 +130,7 @@ public class OpenVPNThread implements Runnable {
 String lbpath = genLibraryPath(argv, pb);
 pb.environment().put("LD_LIBRARY_PATH", lbpath);
+ pb.environment().put("TMPDIR", mTmpDir);
 pb.redirectErrorStream(true);
 try {
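Review bot: `builder.allowBypass()` is logged at debug level only, yet per the `VpnService.Builder.allowBypass` documentation it lets every app send traffic directly to the underlying network, which undoes the no-leak guarantee the package allow/disallow handling just above it is meant to provide. Suggest `VpnStatus.logWarning("Apps may bypass VPN (allowBypass enabled by profile)");` so it shows in the user-visible log, and a short comment above the `if`: `// profile opt-in: any app may route around the tunnel; lockdown/always-on settings still take precedence`. The enclosing method begins outside the hunk; its closing brace is the last context line.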
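Review bot: The new `pb.environment().put("TMPDIR", mTmpDir)` has no comment saying why the cache directory is exported to the child process, and `ProcessBuilder`'s environment map throws `NullPointerException` on a null value, so a future caller that does not supply a tmpdir would crash the thread here rather than at construction. Suggest `Objects.requireNonNull(tmpdir, "tmpdir")` in the constructor (a `java.util.Objects` import would be needed), and above the put: `// openvpn presumably derives its temp-dir default from TMPDIR; point it at app-private storage since /tmp does not exist on Android` — confirm against the openvpn options code before committing to that wording. The enclosing `run()` method starts and ends outside the hunk.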
diff --git a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
index 810974df..7c742746 100644
--- a/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
+++ b/app/src/main/java/de/blinkt/openvpn/core/VPNLaunchHelper.java
@@ -27,6 +27,10 @@ public class VPNLaunchHelper {
 private static String writeMiniVPN(Context context) {
+ String nativeAPI = NativeUtils.getNativeAPI();
+ /* Q does not allow executing binaries written in temp directory anymore */
+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P)
+ return new File(context.getApplicationInfo().nativeLibraryDir, "libovpnexec.so").getPath();
 String[] abis;
 if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP)
 abis = getSupportedABIsLollipop();
@@ -34,7 +38,6 @@ public class VPNLaunchHelper {
 //noinspection deprecation
 abis = new String[]{Build.CPU_ABI, Build.CPU_ABI2};
- String nativeAPI = NativeUtils.getNativeAPI();
 if (!nativeAPI.equals(abis[0])) {
 VpnStatus.logWarning(R.string.abi_mismatch, Arrays.toString(abis), nativeAPI);
 abis = new String[]{nativeAPI};
--
cgit v1.2.3
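Review bot: The comment says Q but the guard is `>= Build.VERSION_CODES.P` (API 28 versus 29), so one of them is wrong or the early cut-over is deliberate and undocumented; pick one and say so, e.g. `/* Android 10+ forbids exec() of files in app storage; from P on we run the copy the package manager extracted to nativeLibraryDir */`. Running from `nativeLibraryDir` is also the safer option on every API level, since that directory is not writable by the app whereas the cache dir used by the fallback path is, so if `libovpnexec.so` is shipped for every supported ABI consider dropping the version gate altogether. Separately, `String nativeAPI = NativeUtils.getNativeAPI();` is now evaluated before the early return and unused on that path; move it back to just before `if (!nativeAPI.equals(abis[0]))`. writeMiniVPN continues past the end of the hunk.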