From 87446cbc0c818a374c057894b57e93156443a270 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 31 Jul 2022 04:07:47 +0200 Subject: implement obfuscation pinning --- .../java/se/leap/bitmaskclient/eip/Gateway.java | 56 ++++--- .../se/leap/bitmaskclient/eip/GatewaysManager.java | 58 +++++-- .../leap/bitmaskclient/eip/VpnConfigGenerator.java | 173 ++++++++++++++++----- 3 files changed, 216 insertions(+), 71 deletions(-) (limited to 'app/src/main/java/se/leap/bitmaskclient/eip') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/Gateway.java b/app/src/main/java/se/leap/bitmaskclient/eip/Gateway.java index e9281609..ff1dd05e 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/Gateway.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/Gateway.java @@ -26,6 +26,17 @@ import static se.leap.bitmaskclient.base.models.Constants.OPENVPN_CONFIGURATION; import static se.leap.bitmaskclient.base.models.Constants.OVERLOAD; import static se.leap.bitmaskclient.base.models.Constants.TIMEZONE; import static se.leap.bitmaskclient.base.models.Constants.VERSION; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.allowExperimentalTransports; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getExcludedApps; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningCert; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningGatewayHost; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningGatewayIP; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningGatewayLocation; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningIP; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningKCP; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningPort; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getPreferUDP; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.useObfuscationPinning; import android.content.Context; @@ -45,7 +56,6 @@ import de.blinkt.openvpn.VpnProfile; import de.blinkt.openvpn.core.ConfigParser; import de.blinkt.openvpn.core.connection.Connection; import se.leap.bitmaskclient.base.utils.ConfigHelper; -import se.leap.bitmaskclient.base.utils.PreferenceHelper; /** * Gateway provides objects defining gateways and their metadata. @@ -87,28 +97,37 @@ public class Gateway { this.secrets = secrets; this.load = load; + apiVersion = getApiVersion(eipDefinition); + VpnConfigGenerator.Configuration configuration = getProfileConfig(context, eipDefinition, apiVersion); generalConfiguration = getGeneralConfiguration(eipDefinition); timezone = getTimezone(eipDefinition); - name = locationAsName(eipDefinition); - apiVersion = getApiVersion(eipDefinition); - vpnProfiles = createVPNProfiles(context); + name = configuration.profileName; + vpnProfiles = createVPNProfiles(configuration); + } + + private VpnConfigGenerator.Configuration getProfileConfig(Context context, JSONObject eipDefinition, int apiVersion) { + VpnConfigGenerator.Configuration config = new VpnConfigGenerator.Configuration(); + config.apiVersion = apiVersion; + config.preferUDP = getPreferUDP(context); + config.experimentalTransports = allowExperimentalTransports(context); + config.excludedApps = getExcludedApps(context); + + config.useObfuscationPinning = useObfuscationPinning(context); + config.profileName = config.useObfuscationPinning ? getObfuscationPinningGatewayLocation(context) : locationAsName(eipDefinition); + config.remoteGatewayIP = config.useObfuscationPinning ? getObfuscationPinningGatewayIP(context) : gateway.optString(IP_ADDRESS); + if (config.useObfuscationPinning) { + config.obfuscationProxyIP = getObfuscationPinningIP(context); + config.obfuscationProxyPort = getObfuscationPinningPort(context); + config.obfuscationProxyCert = getObfuscationPinningCert(context); + config.obfuscationProxyKCP = getObfuscationPinningKCP(context); + } + return config; } public void updateLoad(JSONObject load) { this.load = load; } - private void addProfileInfos(Context context, HashMap profiles) { - Set excludedAppsVpn = PreferenceHelper.getExcludedApps(context); - for (VpnProfile profile : profiles.values()) { - profile.mName = name; - profile.mGatewayIp = gateway.optString(IP_ADDRESS); - if (excludedAppsVpn != null) { - profile.mAllowedAppsVpn = new HashSet<>(excludedAppsVpn); - } - } - } - private JSONObject getGeneralConfiguration(JSONObject eipDefinition) { try { return eipDefinition.getJSONObject(OPENVPN_CONFIGURATION); @@ -172,13 +191,10 @@ public class Gateway { /** * Create and attach the VpnProfile to our gateway object */ - private @NonNull HashMap createVPNProfiles(Context context) + private @NonNull HashMap createVPNProfiles(VpnConfigGenerator.Configuration profileConfig) throws ConfigParser.ConfigParseError, IOException, JSONException { - boolean preferUDP = PreferenceHelper.getPreferUDP(context); - boolean allowExperimentalTransports = PreferenceHelper.allowExperimentalTransports(context); - VpnConfigGenerator vpnConfigurationGenerator = new VpnConfigGenerator(generalConfiguration, secrets, gateway, apiVersion, preferUDP, allowExperimentalTransports); + VpnConfigGenerator vpnConfigurationGenerator = new VpnConfigGenerator(generalConfiguration, secrets, gateway, profileConfig); HashMap profiles = vpnConfigurationGenerator.generateVpnProfiles(); - addProfileInfos(context, profiles); return profiles; } diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/GatewaysManager.java b/app/src/main/java/se/leap/bitmaskclient/eip/GatewaysManager.java index db7dd38c..7bcd0def 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/GatewaysManager.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/GatewaysManager.java @@ -16,6 +16,20 @@ */ package se.leap.bitmaskclient.eip; +import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4; +import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4_KCP; +import static de.blinkt.openvpn.core.connection.Connection.TransportType.OPENVPN; +import static de.blinkt.openvpn.core.connection.Connection.TransportType.PT; +import static se.leap.bitmaskclient.base.models.Constants.GATEWAYS; +import static se.leap.bitmaskclient.base.models.Constants.HOST; +import static se.leap.bitmaskclient.base.models.Constants.PROVIDER_PRIVATE_KEY; +import static se.leap.bitmaskclient.base.models.Constants.PROVIDER_VPN_CERTIFICATE; +import static se.leap.bitmaskclient.base.models.Constants.SORTED_GATEWAYS; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getObfuscationPinningKCP; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getPreferredCity; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getUseBridges; +import static se.leap.bitmaskclient.base.utils.PreferenceHelper.useObfuscationPinning; + import android.content.Context; import android.util.Log; @@ -48,18 +62,6 @@ import se.leap.bitmaskclient.base.models.Provider; import se.leap.bitmaskclient.base.models.ProviderObservable; import se.leap.bitmaskclient.base.utils.PreferenceHelper; -import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4; -import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4_KCP; -import static de.blinkt.openvpn.core.connection.Connection.TransportType.OPENVPN; -import static de.blinkt.openvpn.core.connection.Connection.TransportType.PT; -import static se.leap.bitmaskclient.base.models.Constants.GATEWAYS; -import static se.leap.bitmaskclient.base.models.Constants.HOST; -import static se.leap.bitmaskclient.base.models.Constants.PROVIDER_PRIVATE_KEY; -import static se.leap.bitmaskclient.base.models.Constants.PROVIDER_VPN_CERTIFICATE; -import static se.leap.bitmaskclient.base.models.Constants.SORTED_GATEWAYS; -import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getPreferredCity; -import static se.leap.bitmaskclient.base.utils.PreferenceHelper.getUseBridges; - /** * @author parmegv */ @@ -115,6 +117,13 @@ public class GatewaysManager { * @return the n closest Gateway */ public Pair select(int nClosest) { + if (PreferenceHelper.useObfuscationPinning(context)) { + Gateway gateway = gateways.get(PreferenceHelper.getObfuscationPinningGatewayHost(context)); + if (gateway == null) { + return null; + } + return new Pair<>(gateway, getObfuscationPinningKCP(context) ? OBFS4_KCP : OBFS4); + } String selectedCity = getPreferredCity(context); return select(nClosest, selectedCity); } @@ -135,6 +144,23 @@ public class GatewaysManager { } } + public ArrayList getHosts() { + ArrayList hosts = new ArrayList<>(); + for (Gateway gateway : gateways.values()) { + hosts.add(gateway.getHost()); + } + return hosts; + } + + + public String getIpForHost(String gatewayHostName) { + Gateway gateway = gateways.get(gatewayHostName); + if (gateway == null) { + return null; + } + return gateway.getRemoteIP(); + } + public List getGatewayLocations() { return getSortedGatewayLocations(null); } @@ -202,6 +228,14 @@ public class GatewaysManager { } } + public String getLocationNameForHost(String name) { + Gateway gateway = gateways.get(name); + if (gateway != null) { + return gateway.getName(); + } + return "Unknown Location"; + } + @Nullable public Location getLocation(String name) { List locations = getGatewayLocations(); diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java index 58732713..a7df99bf 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java @@ -19,6 +19,7 @@ package se.leap.bitmaskclient.eip; import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4; import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4_KCP; import static de.blinkt.openvpn.core.connection.Connection.TransportType.OPENVPN; +import static de.blinkt.openvpn.core.connection.Connection.TransportType.PT; import static se.leap.bitmaskclient.base.models.Constants.CAPABILITIES; import static se.leap.bitmaskclient.base.models.Constants.IP_ADDRESS; import static se.leap.bitmaskclient.base.models.Constants.IP_ADDRESS6; @@ -44,14 +45,17 @@ import org.json.JSONObject; import java.io.IOException; import java.io.StringReader; import java.util.HashMap; +import java.util.HashSet; import java.util.Iterator; +import java.util.Set; import de.blinkt.openvpn.VpnProfile; import de.blinkt.openvpn.core.ConfigParser; import de.blinkt.openvpn.core.VpnStatus; import de.blinkt.openvpn.core.connection.Connection; -import se.leap.bitmaskclient.BuildConfig; +import de.blinkt.openvpn.core.connection.Connection.TransportType; import se.leap.bitmaskclient.base.models.Provider; +import se.leap.bitmaskclient.base.models.Transport; import se.leap.bitmaskclient.base.utils.ConfigHelper; import se.leap.bitmaskclient.pluggableTransports.Obfs4Options; @@ -64,23 +68,65 @@ public class VpnConfigGenerator { private final int apiVersion; private final boolean preferUDP; private final boolean experimentalTransports; + private final boolean useObfuscationPinning; + private final String obfuscationPinningIP; + private final String obfuscationPinningPort; + private final String obfuscationPinningCert; + private final boolean obfuscationPinningKCP; + private final String remoteGatewayIP; + private final String profileName; + private final Set excludedApps; public final static String TAG = VpnConfigGenerator.class.getSimpleName(); private final String newLine = System.getProperty("line.separator"); // Platform new line - public VpnConfigGenerator(JSONObject generalConfiguration, JSONObject secrets, JSONObject gateway, int apiVersion, boolean preferUDP, boolean experimentalTransports) throws ConfigParser.ConfigParseError { + public static class Configuration { + int apiVersion; + boolean preferUDP; + boolean experimentalTransports; + String remoteGatewayIP = ""; + String profileName = ""; + Set excludedApps = null; + + boolean useObfuscationPinning; + boolean obfuscationProxyKCP; + String obfuscationProxyIP = ""; + String obfuscationProxyPort = ""; + String obfuscationProxyCert = ""; + } + + public VpnConfigGenerator(JSONObject generalConfiguration, JSONObject secrets, JSONObject gateway, Configuration config) throws ConfigParser.ConfigParseError { this.generalConfiguration = generalConfiguration; this.gateway = gateway; this.secrets = secrets; - this.apiVersion = apiVersion; - this.preferUDP = preferUDP; - this.experimentalTransports = experimentalTransports; + this.apiVersion = config.apiVersion; + this.preferUDP = config.preferUDP; + this.experimentalTransports = config.experimentalTransports; + this.useObfuscationPinning = config.useObfuscationPinning; + this.obfuscationPinningIP = config.obfuscationProxyIP; + this.obfuscationPinningPort = config.obfuscationProxyPort; + this.obfuscationPinningCert = config.obfuscationProxyCert; + this.obfuscationPinningKCP = config.obfuscationProxyKCP; + this.remoteGatewayIP = config.remoteGatewayIP; + this.profileName = config.profileName; + this.excludedApps = config.excludedApps; checkCapabilities(); } public void checkCapabilities() throws ConfigParser.ConfigParseError { try { + if (useObfuscationPinning) { + if (obfuscationPinningKCP) { + // the protocol TCP refers to the allowed openvpn protocol + obfs4TKcpTransport = new JSONObject(new Transport(OBFS4_KCP.toString(), new String[]{"tcp"}, new String[]{obfuscationPinningPort}, obfuscationPinningCert).toString()); + } else { + String jsonTransportString = new Transport(OBFS4.toString(), new String[]{"tcp"}, new String[]{obfuscationPinningPort}, obfuscationPinningCert).toString(); + obfs4Transport = new JSONObject(jsonTransportString); + } + return; + } + if (apiVersion >= 3) { JSONArray supportedTransports = gateway.getJSONObject(CAPABILITIES).getJSONArray(TRANSPORT); for (int i = 0; i < supportedTransports.length(); i++) { @@ -101,7 +147,7 @@ public class VpnConfigGenerator { } } - public HashMap generateVpnProfiles() throws + public HashMap generateVpnProfiles() throws ConfigParser.ConfigParseError, NumberFormatException, JSONException, @@ -133,7 +179,7 @@ public class VpnConfigGenerator { return obfs4TKcpTransport != null; } - private String getConfigurationString(Connection.TransportType transportType) { + private String getConfigurationString(TransportType transportType) { return generalConfiguration() + newLine + gatewayConfiguration(transportType) @@ -144,7 +190,7 @@ public class VpnConfigGenerator { } @VisibleForTesting - protected VpnProfile createProfile(Connection.TransportType transportType) throws IOException, ConfigParser.ConfigParseError, JSONException { + protected VpnProfile createProfile(TransportType transportType) throws IOException, ConfigParser.ConfigParseError, JSONException { String configuration = getConfigurationString(transportType); ConfigParser icsOpenvpnConfigParser = new ConfigParser(); icsOpenvpnConfigParser.parseConfig(new StringReader(configuration)); @@ -153,22 +199,30 @@ public class VpnConfigGenerator { } else if (transportType == OBFS4_KCP) { icsOpenvpnConfigParser.setObfs4Options(getObfs4Options(obfs4TKcpTransport, true)); } - return icsOpenvpnConfigParser.convertProfile(transportType); + + VpnProfile profile = icsOpenvpnConfigParser.convertProfile(transportType); + profile.mName = profileName; + profile.mGatewayIp = remoteGatewayIP; + if (excludedApps != null) { + profile.mAllowedAppsVpn = new HashSet<>(excludedApps); + } + return profile; } + // TODO: whad does private Obfs4Options getObfs4Options(JSONObject transportJson, boolean useUdp) throws JSONException { JSONObject transportOptions = transportJson.getJSONObject(OPTIONS); String iatMode = transportOptions.getString("iatMode"); String cert = transportOptions.getString("cert"); - String port = obfs4Transport.getJSONArray(PORTS).getString(0); + String port = transportJson.getJSONArray(PORTS).getString(0); String ip = gateway.getString(IP_ADDRESS); boolean udp = useUdp; - if (BuildConfig.obfsvpn_pinning) { - cert = BuildConfig.obfsvpn_cert; - port = BuildConfig.obfsvpn_port; - ip = BuildConfig.obfsvpn_port; - udp = BuildConfig.obfsvpn_use_kcp; + if (useObfuscationPinning) { + cert = obfuscationPinningCert; + port = obfuscationPinningPort; + ip = obfuscationPinningIP; + udp = obfuscationPinningKCP; } return new Obfs4Options(ip, port, cert, iatMode, udp); } @@ -196,7 +250,7 @@ public class VpnConfigGenerator { return commonOptions; } - private String gatewayConfiguration(Connection.TransportType transportType) { + private String gatewayConfiguration(TransportType transportType) { String remotes = ""; StringBuilder stringBuilder = new StringBuilder(); @@ -217,6 +271,7 @@ public class VpnConfigGenerator { String[] ipAddresses = ipAddress6.isEmpty() ? new String[]{ipAddress} : new String[]{ipAddress6, ipAddress}; + JSONArray transports = capabilities.getJSONArray(TRANSPORT); gatewayConfigMinApiv3(transportType, stringBuilder, ipAddresses, transports); break; @@ -234,9 +289,9 @@ public class VpnConfigGenerator { return remotes; } - private void gatewayConfigMinApiv3(Connection.TransportType transportType, StringBuilder stringBuilder, String[] ipAddresses, JSONArray transports) throws JSONException { - if (transportType == OBFS4) { - obfs4GatewayConfigMinApiv3(stringBuilder, ipAddresses, transports); + private void gatewayConfigMinApiv3(TransportType transportType, StringBuilder stringBuilder, String[] ipAddresses, JSONArray transports) throws JSONException { + if (transportType.getMetaType() == PT) { + ptGatewayConfigMinApiv3(stringBuilder, ipAddresses, transportType, transports); } else { ovpnGatewayConfigMinApi3(stringBuilder, ipAddresses, transports); } @@ -296,7 +351,7 @@ public class VpnConfigGenerator { } } - private JSONObject getTransport(JSONArray transports, Connection.TransportType transportType) throws JSONException { + private JSONObject getTransport(JSONArray transports, TransportType transportType) throws JSONException { JSONObject selectedTransport = new JSONObject(); for (int i = 0; i < transports.length(); i++) { JSONObject transport = transports.getJSONObject(i); @@ -308,9 +363,35 @@ public class VpnConfigGenerator { return selectedTransport; } - private void obfs4GatewayConfigMinApiv3(StringBuilder stringBuilder, String[] ipAddresses, JSONArray transports) throws JSONException { - JSONObject obfs4Transport = getTransport(transports, OBFS4); - JSONArray protocols = obfs4Transport.getJSONArray(PROTOCOLS); + private boolean isAllowedProtocol(TransportType transportType, String protocol) { + switch (transportType) { + case OPENVPN: + return "tcp".equals(protocol) || "udp".equals(protocol); + case OBFS4: + case OBFS4_KCP: + return "tcp".equals(protocol); + } + return false; + } + + private void ptGatewayConfigMinApiv3(StringBuilder stringBuilder, String[] ipAddresses, TransportType transportType, JSONArray transports) throws JSONException { + if (useObfuscationPinning) { + JSONArray pinnedTransports = new JSONArray(); + for (int i = 0; i < transports.length(); i++) { + if (OPENVPN.toString().equals(transports.getJSONObject(i).get(TYPE))) { + pinnedTransports.put(transports.getJSONObject(i)); + break; + } + } + pinnedTransports.put(supportsObfs4() ? obfs4Transport : obfs4TKcpTransport); + transports = pinnedTransports; + } + + JSONObject ptTransport = getTransport(transports, transportType); + JSONArray ptProtocols = ptTransport.getJSONArray(PROTOCOLS); + JSONObject openvpnTransport = getTransport(transports, OPENVPN); + JSONArray gatewayProtocols = openvpnTransport.getJSONArray(PROTOCOLS); + //for now only use ipv4 gateway the syntax route remote_host 255.255.255.255 net_gateway is not yet working // https://community.openvpn.net/openvpn/ticket/1161 /*for (String ipAddress : ipAddresses) { @@ -337,41 +418,55 @@ public class VpnConfigGenerator { return; } - // check if at least one protocol is TCP, UDP is currently not supported for obfs4 - boolean hasTcp = false; - for (int i = 0; i < protocols.length(); i++) { - String protocol = protocols.getString(i); + // check if at least one openvpn protocol is TCP, openvpn in UDP is currently not supported for obfs4, + // however on the wire UDP might be used + boolean hasOpenvpnTcp = false; + for (int i = 0; i < gatewayProtocols.length(); i++) { + String protocol = gatewayProtocols.getString(i); if (protocol.contains("tcp")) { - hasTcp = true; + hasOpenvpnTcp = true; + break; + } + } + + if (!hasOpenvpnTcp) { + VpnStatus.logError("obfs4 currently only allows openvpn in TCP mode! Skipping obfs4 config for ip " + ipAddress); + return; + } + + boolean hasAllowedPTProtocol = false; + for (int i = 0; i < ptProtocols.length(); i++) { + String protocol = ptProtocols.getString(i); + if (isAllowedProtocol(transportType, protocol)) { + hasAllowedPTProtocol = true; + break; } } - if (!hasTcp) { - VpnStatus.logError("obfs4 currently only allows TCP! Skipping obfs4 config for ip " + ipAddress); + if (!hasAllowedPTProtocol) { + VpnStatus.logError("Misconfigured provider: wrong protocol defined in " + transportType.toString()+ " transport JSON."); return; } - JSONArray ports = obfs4Transport.getJSONArray(PORTS); + JSONArray ports = ptTransport.getJSONArray(PORTS); if (ports.isNull(0)){ - VpnStatus.logError("Misconfigured provider: no ports defined in obfs4 transport JSON."); + VpnStatus.logError("Misconfigured provider: no ports defined in " + transportType.toString()+ " transport JSON."); return; } String route = "route " + ipAddress + " 255.255.255.255 net_gateway" + newLine; stringBuilder.append(route); + String remote; if (useObfsVpn()) { - String remote; - if (BuildConfig.obfsvpn_pinning) { - remote = REMOTE + " " + BuildConfig.obfsvpn_ip + " " + BuildConfig.obfsvpn_port + newLine; + if (useObfuscationPinning) { + remote = REMOTE + " " + obfuscationPinningIP + " " + obfuscationPinningPort + newLine; } else { remote = REMOTE + " " + ipAddress + " " + ports.getString(0) + newLine; } - - stringBuilder.append(remote); } else { - String remote = REMOTE + " " + DISPATCHER_IP + " " + DISPATCHER_PORT + " tcp" + newLine; - stringBuilder.append(remote); + remote = REMOTE + " " + DISPATCHER_IP + " " + DISPATCHER_PORT + " tcp" + newLine; } + stringBuilder.append(remote); } private String secretsConfiguration() { -- cgit v1.2.3