From b9e1f2354520e37f0e2784f156f1288e55e1a993 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:29:15 +0200 Subject: update soon expiring vpn certificates after connecting to the VPN --- .../leap/bitmaskclient/base/models/Provider.java | 10 ++++++++ .../main/java/se/leap/bitmaskclient/eip/EIP.java | 19 +++++++++++++++ .../leap/bitmaskclient/eip/EipSetupObserver.java | 8 +++++++ .../bitmaskclient/eip/VpnCertificateValidator.java | 27 ++++++++++++++++------ .../bitmaskclient/providersetup/ProviderAPI.java | 6 +++++ .../providersetup/ProviderApiManagerBase.java | 21 +++++++++++++++++ 6 files changed, 84 insertions(+), 7 deletions(-) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/base/models/Provider.java b/app/src/main/java/se/leap/bitmaskclient/base/models/Provider.java index 974aef80..02a9694a 100644 --- a/app/src/main/java/se/leap/bitmaskclient/base/models/Provider.java +++ b/app/src/main/java/se/leap/bitmaskclient/base/models/Provider.java @@ -63,6 +63,7 @@ public final class Provider implements Parcelable { private String vpnCertificate = ""; private long lastEipServiceUpdate = 0L; private long lastGeoIpUpdate = 0L; + private boolean shouldUpdateVpnCertificate; private boolean allowAnonymous; private boolean allowRegistered; @@ -361,6 +362,7 @@ public final class Provider implements Parcelable { parcel.writeString(getVpnCertificate()); parcel.writeLong(lastEipServiceUpdate); parcel.writeLong(lastGeoIpUpdate); + parcel.writeInt(shouldUpdateVpnCertificate ? 0 : 1); } @@ -407,6 +409,7 @@ public final class Provider implements Parcelable { } this.lastEipServiceUpdate = in.readLong(); this.lastGeoIpUpdate = in.readLong(); + this.shouldUpdateVpnCertificate = in.readInt() == 0; } catch (MalformedURLException | JSONException e) { e.printStackTrace(); } @@ -492,6 +495,13 @@ public final class Provider implements Parcelable { return System.currentTimeMillis() - lastEipServiceUpdate >= EIP_SERVICE_TIMEOUT; } + public void setShouldUpdateVpnCertificate(Boolean update) { + shouldUpdateVpnCertificate = update; + } + + public boolean shouldUpdateVpnCertificate() { + return shouldUpdateVpnCertificate; + } public void setLastGeoIpUpdate(long timestamp) { lastGeoIpUpdate = timestamp; diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java b/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java index cf4dc9bf..46f91781 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EIP.java @@ -56,6 +56,7 @@ import de.blinkt.openvpn.core.VpnStatus; import de.blinkt.openvpn.core.connection.Connection; import se.leap.bitmaskclient.R; import se.leap.bitmaskclient.base.OnBootReceiver; +import se.leap.bitmaskclient.base.models.Provider; import se.leap.bitmaskclient.base.models.ProviderObservable; import se.leap.bitmaskclient.base.utils.PreferenceHelper; @@ -242,6 +243,12 @@ public final class EIP extends JobIntentService implements Observer { return; } + if (shouldUpdateVPNCertificate()) { + Provider p = ProviderObservable.getInstance().getCurrentProvider(); + p.setShouldUpdateVpnCertificate(true); + ProviderObservable.getInstance().updateProvider(p); + } + GatewaysManager gatewaysManager = new GatewaysManager(getApplicationContext()); if (gatewaysManager.isEmpty()) { setErrorResult(result, warning_client_parsing_error_gateways, null); @@ -267,6 +274,12 @@ public final class EIP extends JobIntentService implements Observer { Gateway gateway = gatewaysManager.select(0); Bundle result = new Bundle(); + if (shouldUpdateVPNCertificate()) { + Provider p = ProviderObservable.getInstance().getCurrentProvider(); + p.setShouldUpdateVpnCertificate(true); + ProviderObservable.getInstance().updateProvider(p); + } + launchActiveGateway(gateway, 0, result); if (result.containsKey(BROADCAST_RESULT_KEY) && !result.getBoolean(BROADCAST_RESULT_KEY)){ VpnStatus.logWarning("ALWAYS-ON VPN: " + getString(R.string.no_vpn_profiles_defined)); @@ -415,6 +428,12 @@ public final class EIP extends JobIntentService implements Observer { return validator.isValid(); } + private boolean shouldUpdateVPNCertificate() { + VpnCertificateValidator validator = new VpnCertificateValidator(preferences.getString(PROVIDER_VPN_CERTIFICATE, "")); + return validator.shouldBeUpdated(); + } + + /** * helper function to add error to result bundle * diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java index 9d67340e..56350703 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java @@ -39,12 +39,14 @@ import static se.leap.bitmaskclient.base.models.Constants.PROVIDER_PROFILE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_DOWNLOADED_EIP_SERVICE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_DOWNLOADED_GEOIP_JSON; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_UPDATED_INVALID_VPN_CERTIFICATE; +import static se.leap.bitmaskclient.providersetup.ProviderAPI.DELAY; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_DOWNLOADED_EIP_SERVICE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_DOWNLOADED_GEOIP_JSON; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_DOWNLOADED_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.INCORRECTLY_UPDATED_INVALID_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.PROVIDER_NOK; import static se.leap.bitmaskclient.providersetup.ProviderAPI.PROVIDER_OK; +import static se.leap.bitmaskclient.providersetup.ProviderAPI.QUIETLY_UPDATE_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.TOR_EXCEPTION; import static se.leap.bitmaskclient.providersetup.ProviderAPI.TOR_TIMEOUT; import static se.leap.bitmaskclient.providersetup.ProviderAPI.UPDATE_INVALID_VPN_CERTIFICATE; @@ -373,6 +375,12 @@ public class EipSetupObserver extends BroadcastReceiver implements VpnStatus.Sta if (shouldCheckAppUpdate()) { DownloadServiceCommand.execute(appContext, CHECK_VERSION_FILE); } + + if (provider.shouldUpdateVpnCertificate()) { + Bundle parameters = new Bundle(); + parameters.putLong(DELAY, 500); + ProviderAPICommand.execute(appContext, QUIETLY_UPDATE_VPN_CERTIFICATE, parameters, provider); + } finishGatewaySetup(false); } else if ("TCP_CONNECT".equals(state)) { changingGateway.set(false); diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java b/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java index 16d1c5ad..8841ae94 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/VpnCertificateValidator.java @@ -45,9 +45,22 @@ public class VpnCertificateValidator { /** * - * @return true if all certificates are valid for more than 15 more days + * @return true if all certificates are valid for 1 more day */ public boolean isValid() { + return isValid(1); + } + + /** + * + * @return return true if certificates will expire in 8 days or less + */ + public boolean shouldBeUpdated() { + return !isValid(8); + } + + + private boolean isValid(int offsetDays) { if (certificate.isEmpty()) { return false; } @@ -57,7 +70,7 @@ public class VpnCertificateValidator { return false; } for (X509Certificate cert : x509Certificates) { - if (!isValid(cert)) { + if (!isValid(cert, offsetDays)) { return false; } } @@ -65,12 +78,12 @@ public class VpnCertificateValidator { } - private boolean isValid(X509Certificate certificate) { + private boolean isValid(X509Certificate certificate, int offsetDays) { if (certificate == null) { return false; } - Calendar offsetDate = calculateOffsetCertificateValidity(certificate); + Calendar offsetDate = calculateOffsetCertificateValidity(certificate, offsetDays); try { certificate.checkValidity(offsetDate.getTime()); return true; @@ -81,15 +94,15 @@ public class VpnCertificateValidator { } } - private Calendar calculateOffsetCertificateValidity(X509Certificate certificate) { + private Calendar calculateOffsetCertificateValidity(X509Certificate certificate, int offsetDays) { Calendar limitDate = calendarProvider.getCalendar(); Date startDate = certificate.getNotBefore(); // if certificates start date is before current date just return the current date without an offset if (startDate.getTime() >= limitDate.getTime().getTime()) { return limitDate; } - // else add an offset of 15 days to the current date - limitDate.add(Calendar.DAY_OF_YEAR, 15); + // else add an offset to the current date + limitDate.add(Calendar.DAY_OF_YEAR, offsetDays); return limitDate; } diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java index da77af2f..063c9e00 100644 --- a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java +++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java @@ -63,9 +63,15 @@ public class ProviderAPI extends JobIntentService implements ProviderApiManagerB SIGN_UP = "srpRegister", LOG_IN = "srpAuth", LOG_OUT = "logOut", + // all vpn certificate download commands are used in different scenarios with different error handling + // command key used for the initial vpn certificate download during the provider setup DOWNLOAD_VPN_CERTIFICATE = "downloadUserAuthedVPNCertificate", + // command key used to update soon expiring but yet valid certificates after connecting to the vpn + QUIETLY_UPDATE_VPN_CERTIFICATE = "ProviderAPI.QUIETLY_UPDATE_VPN_CERTIFICATE", + // command key used to update invalid certificates, connecting to the vpn is impossible UPDATE_INVALID_VPN_CERTIFICATE = "ProviderAPI.UPDATE_INVALID_VPN_CERTIFICATE", PARAMETERS = "parameters", + DELAY = "delay", RECEIVER_KEY = "receiver", ERRORS = "errors", ERRORID = "errorId", diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java index ecddb9c7..607339fd 100644 --- a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java +++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java @@ -52,6 +52,7 @@ import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_DOWNLOAD import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_DOWNLOADED_GEOIP_JSON; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_DOWNLOADED_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.CORRECTLY_UPDATED_INVALID_VPN_CERTIFICATE; +import static se.leap.bitmaskclient.providersetup.ProviderAPI.DELAY; import static se.leap.bitmaskclient.providersetup.ProviderAPI.DOWNLOAD_GEOIP_JSON; import static se.leap.bitmaskclient.providersetup.ProviderAPI.DOWNLOAD_SERVICE_JSON; import static se.leap.bitmaskclient.providersetup.ProviderAPI.DOWNLOAD_VPN_CERTIFICATE; @@ -71,6 +72,7 @@ import static se.leap.bitmaskclient.providersetup.ProviderAPI.MISSING_NETWORK_CO import static se.leap.bitmaskclient.providersetup.ProviderAPI.PARAMETERS; import static se.leap.bitmaskclient.providersetup.ProviderAPI.PROVIDER_NOK; import static se.leap.bitmaskclient.providersetup.ProviderAPI.PROVIDER_OK; +import static se.leap.bitmaskclient.providersetup.ProviderAPI.QUIETLY_UPDATE_VPN_CERTIFICATE; import static se.leap.bitmaskclient.providersetup.ProviderAPI.RECEIVER_KEY; import static se.leap.bitmaskclient.providersetup.ProviderAPI.SET_UP_PROVIDER; import static se.leap.bitmaskclient.providersetup.ProviderAPI.SIGN_UP; @@ -193,6 +195,14 @@ public abstract class ProviderApiManagerBase { return; } + if (parameters.containsKey(DELAY)) { + try { + Thread.sleep(parameters.getLong(DELAY)); + } catch (InterruptedException e) { + e.printStackTrace(); + } + } + if (!serviceCallback.hasNetworkConnection()) { Bundle result = new Bundle(); setErrorResult(result, R.string.error_network_connection, null); @@ -277,6 +287,17 @@ public abstract class ProviderApiManagerBase { } ProviderObservable.getInstance().setProviderForDns(null); break; + case QUIETLY_UPDATE_VPN_CERTIFICATE: + ProviderObservable.getInstance().setProviderForDns(provider); + result = updateVpnCertificate(provider); + if (result.getBoolean(BROADCAST_RESULT_KEY)) { + Log.d(TAG, "successfully downloaded VPN certificate"); + provider.setShouldUpdateVpnCertificate(false); + PreferenceHelper.storeProviderInPreferences(preferences, provider); + ProviderObservable.getInstance().updateProvider(provider); + } + ProviderObservable.getInstance().setProviderForDns(null); + break; case UPDATE_INVALID_VPN_CERTIFICATE: ProviderObservable.getInstance().setProviderForDns(provider); result = updateVpnCertificate(provider); -- cgit v1.2.3 From e9afdcda3e10c9cb86a39f4c1da1702e07597ef6 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:33:26 +0200 Subject: only allow already established network connections when trying to call the provider API --- app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java index 063c9e00..cada516d 100644 --- a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java +++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java @@ -162,7 +162,7 @@ public class ProviderAPI extends JobIntentService implements ProviderApiManagerB if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) { NetworkInfo activeNetwork = cm.getActiveNetworkInfo(); return activeNetwork != null && - activeNetwork.isConnectedOrConnecting(); + activeNetwork.isConnected(); } else { NetworkCapabilities capabilities = cm.getNetworkCapabilities(cm.getActiveNetwork()); if (capabilities != null) { -- cgit v1.2.3 From ea0e8e4d5ef61af57ef5826d7526f0bfc4c459b2 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:37:02 +0200 Subject: update eip-service.json every 3 days or after a unsuccessful connection attempt, use a small delay to ensure the VPN is ready for the first network request --- app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java index 56350703..a523f440 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java @@ -373,7 +373,9 @@ public class EipSetupObserver extends BroadcastReceiver implements VpnStatus.Sta } if (shouldCheckAppUpdate()) { - DownloadServiceCommand.execute(appContext, CHECK_VERSION_FILE); + Bundle parameters = new Bundle(); + parameters.putLong(DELAY, 500); + DownloadServiceCommand.execute(appContext, CHECK_VERSION_FILE, parameters); } if (provider.shouldUpdateVpnCertificate()) { -- cgit v1.2.3 From 958c93974d5fd81e882e61bd30fa13ac89868106 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:40:57 +0200 Subject: removed unused ServiceConnection --- app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java | 1 - 1 file changed, 1 deletion(-) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java index cada516d..e45add50 100644 --- a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java +++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderAPI.java @@ -103,7 +103,6 @@ public class ProviderAPI extends JobIntentService implements ProviderApiManagerB TOR_EXCEPTION = 21; ProviderApiManager providerApiManager; - private volatile TorServiceConnection torServiceConnection; //TODO: refactor me, please! //used in insecure flavor only -- cgit v1.2.3 From 512030e22fda6eadb69d4f486241490670d7bab1 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:46:46 +0200 Subject: implement small delay to check for version updates after a successful connection setup --- app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java index a523f440..05991390 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/EipSetupObserver.java @@ -369,7 +369,9 @@ public class EipSetupObserver extends BroadcastReceiver implements VpnStatus.Sta Provider provider = ProviderObservable.getInstance().getCurrentProvider(); if (setupNClosestGateway.get() > 0 || provider.shouldUpdateEipServiceJson()) { //setupNClostestGateway > 0: at least one failed gateway -> did the provider change it's gateways? - ProviderAPICommand.execute(appContext, ProviderAPI.DOWNLOAD_SERVICE_JSON, provider); + Bundle parameters = new Bundle(); + parameters.putLong(DELAY, 500); + ProviderAPICommand.execute(appContext, ProviderAPI.DOWNLOAD_SERVICE_JSON, parameters, provider); } if (shouldCheckAppUpdate()) { -- cgit v1.2.3 From 8da92b90abaa39c1c66e305c61907eadb0ec1269 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Mon, 18 Jul 2022 18:47:51 +0200 Subject: add missing static import for string in EipFragment --- app/src/main/java/se/leap/bitmaskclient/base/fragments/EipFragment.java | 1 + 1 file changed, 1 insertion(+) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/base/fragments/EipFragment.java b/app/src/main/java/se/leap/bitmaskclient/base/fragments/EipFragment.java index a61680a1..d993a119 100644 --- a/app/src/main/java/se/leap/bitmaskclient/base/fragments/EipFragment.java +++ b/app/src/main/java/se/leap/bitmaskclient/base/fragments/EipFragment.java @@ -17,6 +17,7 @@ package se.leap.bitmaskclient.base.fragments; import static de.blinkt.openvpn.core.ConnectionStatus.LEVEL_NONETWORK; +import static se.leap.bitmaskclient.R.string.vpn_certificate_user_message; import static se.leap.bitmaskclient.base.models.Constants.ASK_TO_CANCEL_VPN; import static se.leap.bitmaskclient.base.models.Constants.EIP_ACTION_START; import static se.leap.bitmaskclient.base.models.Constants.EIP_EARLY_ROUTES; -- cgit v1.2.3