From 69ee8926dbdebd97cf0f8a9232050677730415a5 Mon Sep 17 00:00:00 2001
From: cyBerta
Date: Fri, 5 Aug 2022 18:33:26 +0200
Subject: let a gateway have only one transport if obfuscation proxy pinning is enabled
---
 .../leap/bitmaskclient/eip/VpnConfigGenerator.java | 69 +++++++++++-----------
 1 file changed, 34 insertions(+), 35 deletions(-)
(limited to 'app/src/main/java/se/leap')
diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java
index 8864822a..f60d89ce 100644
--- a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java
+++ b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java
@@ -123,10 +123,10 @@ public class VpnConfigGenerator {
 JSONObject transport = supportedTransports.getJSONObject(i);
 if (transport.getString(TYPE).equals(OBFS4.toString())) {
 obfs4Transport = transport;
- if (!experimentalTransports) {
+ if (!experimentalTransports && !obfuscationPinningKCP) {
 break;
 }
- } else if (experimentalTransports && transport.getString(TYPE).equals(OBFS4_KCP.toString())) {
+ } else if ((experimentalTransports || obfuscationPinningKCP) && transport.getString(TYPE).equals(OBFS4_KCP.toString())) {
 obfs4TKcpTransport = transport;
 }
 }
@@ -139,11 +139,15 @@ public class VpnConfigGenerator {
 public HashMap generateVpnProfiles() throws ConfigParser.ConfigParseError,
- NumberFormatException,
- JSONException,
- IOException {
+ NumberFormatException {
 HashMap profiles = new HashMap<>();
- profiles.put(OPENVPN, createProfile(OPENVPN));
+ if (supportsOpenvpn()) {
+ try {
+ profiles.put(OPENVPN, createProfile(OPENVPN));
+ } catch (ConfigParser.ConfigParseError | NumberFormatException | JSONException | IOException e) {
+ e.printStackTrace();
+ }
+ }
 if (supportsObfs4()) {
 try {
 profiles.put(OBFS4, createProfile(OBFS4));
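Review bot: In the transport-selection loop (hunk `-123,10`), both new conditions test `obfuscationPinningKCP` on its own, whereas `supportsObfs4()` and `supportsObfs4Kcp()`, changed later in this commit, only honour it together with `useObfuscationPinning`. If the KCP flag can be true while pinning is switched off (the code that sets both fields is outside this diff), the loop records `obfs4TKcpTransport` and `supportsObfs4Kcp()` returns true even though `experimentalTransports` is false. Gating the loop on the pair keeps the two places in agreement, e.g. `boolean pinKcp = useObfuscationPinning && obfuscationPinningKCP;` followed by `!experimentalTransports && !pinKcp` and `(experimentalTransports || pinKcp)`. The enclosing method starts and ends outside the hunk.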
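Review bot: The new `catch` around `createProfile(OPENVPN)` in `generateVpnProfiles()` (hunk `-139,11`) reports the failure only through `e.printStackTrace()`, so a gateway that loses its OpenVPN profile to a parse error produces no entry in the application's own status log. The file already reports skipped configurations through `VpnStatus.logError(...)`, and the same call fits here, e.g. `VpnStatus.logError("Skipping openvpn profile: " + e.getClass().getSimpleName());`. The existing obfs4 catch blocks further down use the same `printStackTrace()` pattern and would benefit from the same change. The method body continues past the end of this hunk.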
@@ -158,15 +162,21 @@ public class VpnConfigGenerator {
 e.printStackTrace();
 }
 }
+ if (profiles.isEmpty()) {
+ throw new ConfigParser.ConfigParseError("No supported transports detected.");
+ }
 return profiles;
 }
+ private boolean supportsOpenvpn() {
+ return !useObfuscationPinning && !gatewayConfiguration(OPENVPN).isEmpty();
+ }
 private boolean supportsObfs4(){
- return obfs4Transport != null;
+ return obfs4Transport != null && !(useObfuscationPinning && obfuscationPinningKCP);
 }
 private boolean supportsObfs4Kcp() {
- return obfs4TKcpTransport != null;
+ return obfs4TKcpTransport != null && !(useObfuscationPinning && !obfuscationPinningKCP);
 }
 private String getConfigurationString(TransportType transportType) {
@@ -365,22 +375,8 @@ public class VpnConfigGenerator { } private void ptGatewayConfigMinApiv3(StringBuilder stringBuilder, String[] ipAddresses, TransportType transportType, JSONArray transports) throws JSONException { - if (useObfuscationPinning) { - JSONArray pinnedTransports = new JSONArray(); - for (int i = 0; i < transports.length(); i++) { - if (OPENVPN.toString().equals(transports.getJSONObject(i).get(TYPE))) { - pinnedTransports.put(transports.getJSONObject(i)); - break; - } - } - pinnedTransports.put(supportsObfs4() ? obfs4Transport : obfs4TKcpTransport); - transports = pinnedTransports; - } - JSONObject ptTransport = getTransport(transports, transportType); JSONArray ptProtocols = ptTransport.getJSONArray(PROTOCOLS); - JSONObject openvpnTransport = getTransport(transports, OPENVPN); - JSONArray gatewayProtocols = openvpnTransport.getJSONArray(PROTOCOLS); //for now only use ipv4 gateway the syntax route remote_host 255.255.255.255 net_gateway is not yet working // https://community.openvpn.net/openvpn/ticket/1161
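Review bot: The three predicates `supportsOpenvpn()`, `supportsObfs4()` and `supportsObfs4Kcp()` (hunk `-158,15`) now jointly guarantee that a pinned gateway yields at most one transport and never plain OpenVPN, but nothing in the code states that. The nested negations such as `!(useObfuscationPinning && !obfuscationPinningKCP)` make the guarantee easy to break in a later edit. A comment above the group would record the intent, e.g. `// With obfuscation pinning at most one of these returns true, and supportsOpenvpn() is always false.` Separately, `supportsOpenvpn()` calls `gatewayConfiguration(OPENVPN)` outside the `try` added in `generateVpnProfiles()`; its body is not in this diff, so confirm it cannot throw for a gateway that lists no openvpn transport.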
@@ -408,20 +404,23 @@ public class VpnConfigGenerator {
 return;
 }
- // check if at least one openvpn protocol is TCP, openvpn in UDP is currently not supported for obfs4,
- // however on the wire UDP might be used
- boolean hasOpenvpnTcp = false;
- for (int i = 0; i < gatewayProtocols.length(); i++) {
- String protocol = gatewayProtocols.getString(i);
- if (protocol.contains("tcp")) {
- hasOpenvpnTcp = true;
- break;
+ if (!useObfuscationPinning) {
+ // check if at least one openvpn protocol is TCP, openvpn in UDP is currently not supported for obfs4,
+ // however on the wire UDP might be used
+ boolean hasOpenvpnTcp = false;
+ JSONObject openvpnTransport = getTransport(transports, OPENVPN);
+ JSONArray gatewayProtocols = openvpnTransport.getJSONArray(PROTOCOLS);
+ for (int i = 0; i < gatewayProtocols.length(); i++) {
+ String protocol = gatewayProtocols.getString(i);
+ if (protocol.contains("tcp")) {
+ hasOpenvpnTcp = true;
+ break;
+ }
+ }
+ if (!hasOpenvpnTcp) {
+ VpnStatus.logError("obfs4 currently only allows openvpn in TCP mode! Skipping obfs4 config for ip " + ipAddress);
+ return;
 }
- }
-
- if (!hasOpenvpnTcp) {
- VpnStatus.logError("obfs4 currently only allows openvpn in TCP mode! Skipping obfs4 config for ip " + ipAddress);
- return;
 }
 boolean hasAllowedPTProtocol = false;
-- cgit v1.2.3
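Review bot: Inside the new `if (!useObfuscationPinning)` block, the result of `getTransport(transports, OPENVPN)` is used on the very next line without checking that the gateway actually lists an openvpn transport. `getTransport` is not part of this diff; if it returns null or an empty object for a missing type, `getJSONArray(PROTOCOLS)` throws and the exception propagates instead of reaching the `logError` path below. The emptiness test in `supportsOpenvpn()` suggests such gateways are anticipated, so treating a missing entry as "no TCP" looks safer, e.g. `JSONArray gatewayProtocols = openvpnTransport == null ? null : openvpnTransport.optJSONArray(PROTOCOLS);` with the loop guarded by `gatewayProtocols != null`. The enclosing method starts and ends outside this hunk.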