From 59931af646b19fd8e206ea10a40e0971b968d620 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 14 Nov 2021 17:42:59 +0100 Subject: don't allow openvpn configs without --remote or block --- app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'app/src/main/java') diff --git a/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java index 5b4ab361..4a8bcf99 100644 --- a/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java +++ b/app/src/main/java/de/blinkt/openvpn/core/ConfigParser.java @@ -714,6 +714,10 @@ public class ConfigParser { Vector> connectionBlocks = getAllOption("connection", 1, 1); + if (connectionBlocks == null && np.mConnections.length == 0) { + throw new ConfigParseError("No --remote or block found."); + } + if (np.mConnections.length > 0 && connectionBlocks != null) { throw new ConfigParseError("Using a block and --remote is not allowed."); } -- cgit v1.2.3 From 187c2091b0735f531e505462ea92a284de59846b Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 14 Nov 2021 18:23:45 +0100 Subject: implement IPv4 address check based on regex --- .../java/se/leap/bitmaskclient/base/utils/ConfigHelper.java | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'app/src/main/java') diff --git a/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java b/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java index 4248072a..005a8b82 100644 --- a/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java +++ b/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java @@ -44,10 +44,12 @@ import java.security.interfaces.RSAPrivateKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Calendar; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import se.leap.bitmaskclient.BuildConfig; -import se.leap.bitmaskclient.providersetup.ProviderAPI; import se.leap.bitmaskclient.R; +import se.leap.bitmaskclient.providersetup.ProviderAPI; import static se.leap.bitmaskclient.base.models.Constants.DEFAULT_BITMASK; @@ -62,6 +64,7 @@ public class ConfigHelper { final public static String NG_1024 = "eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3"; final public static BigInteger G = new BigInteger("2"); + final public static Pattern IPv4_PATTERN = Pattern.compile("^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$"); public static boolean checkErroneousDownload(String downloadedString) { try { @@ -227,4 +230,12 @@ public class ConfigHelper { } } + public static boolean isIPv4(String ipv4) { + if (ipv4 == null) { + return false; + } + Matcher matcher = IPv4_PATTERN.matcher(ipv4); + return matcher.matches(); + } + } -- cgit v1.2.3 From bbf53b0a888656c7ce2652e4cb02811170da8d3d Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 14 Nov 2021 18:24:27 +0100 Subject: suppress lint warnings for methods used in fatweb flavor builds --- .../main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'app/src/main/java') diff --git a/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java b/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java index 005a8b82..64b51960 100644 --- a/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java +++ b/app/src/main/java/se/leap/bitmaskclient/base/utils/ConfigHelper.java @@ -20,6 +20,7 @@ import android.content.Context; import android.content.res.Resources; import android.os.Build; import android.os.Looper; + import androidx.annotation.NonNull; import androidx.annotation.Nullable; import androidx.annotation.StringRes; @@ -206,6 +207,8 @@ public class ConfigHelper { (string1 != null && string1.equals(string2)); } + @SuppressWarnings("unused") + // FatWeb Flavor uses that for auto-update public static String getApkFileName() { try { return BuildConfig.update_apk_url.substring(BuildConfig.update_apk_url.lastIndexOf("/")); @@ -214,6 +217,8 @@ public class ConfigHelper { } } + @SuppressWarnings("unused") + // FatWeb Flavor uses that for auto-update public static String getVersionFileName() { try { return BuildConfig.version_file_url.substring(BuildConfig.version_file_url.lastIndexOf("/")); @@ -222,6 +227,8 @@ public class ConfigHelper { } } + @SuppressWarnings("unused") + // FatWeb Flavor uses that for auto-update public static String getSignatureFileName() { try { return BuildConfig.signature_url.substring(BuildConfig.signature_url.lastIndexOf("/")); -- cgit v1.2.3 From a48c6c1c719247e4663d946e4ee56bfada98b5e6 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 14 Nov 2021 18:27:48 +0100 Subject: allow ipv6 only openvpn gateways --- app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/src/main/java') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java index 6fffb403..245c7b8b 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java @@ -162,16 +162,18 @@ public class VpnConfigGenerator { StringBuilder stringBuilder = new StringBuilder(); try { - String ipAddress = gateway.getString(IP_ADDRESS); + String ipAddress = null; JSONObject capabilities = gateway.getJSONObject(CAPABILITIES); switch (apiVersion) { default: case 1: case 2: + ipAddress = gateway.getString(IP_ADDRESS); gatewayConfigApiv1(stringBuilder, ipAddress, capabilities); break; case 3: case 4: + ipAddress = gateway.optString(IP_ADDRESS); String ipAddress6 = gateway.optString(IP_ADDRESS6); String[] ipAddresses = ipAddress6.isEmpty() ? new String[]{ipAddress} : -- cgit v1.2.3 From f18a85e4cd95f938c9ed78b31b8d27b2a02994c7 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 14 Nov 2021 18:34:04 +0100 Subject: skip obfs4 connections using either ipv6 addresses or UDP --- .../leap/bitmaskclient/eip/VpnConfigGenerator.java | 42 ++++++++++++++++++++-- 1 file changed, 39 insertions(+), 3 deletions(-) (limited to 'app/src/main/java') diff --git a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java index 245c7b8b..d72f0936 100644 --- a/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java +++ b/app/src/main/java/se/leap/bitmaskclient/eip/VpnConfigGenerator.java @@ -29,8 +29,10 @@ import java.util.Iterator; import de.blinkt.openvpn.VpnProfile; import de.blinkt.openvpn.core.ConfigParser; +import de.blinkt.openvpn.core.VpnStatus; import de.blinkt.openvpn.core.connection.Connection; import se.leap.bitmaskclient.base.models.Provider; +import se.leap.bitmaskclient.base.utils.ConfigHelper; import se.leap.bitmaskclient.pluggableTransports.Obfs4Options; import static de.blinkt.openvpn.core.connection.Connection.TransportType.OBFS4; @@ -95,7 +97,11 @@ public class VpnConfigGenerator { HashMap profiles = new HashMap<>(); profiles.put(OPENVPN, createProfile(OPENVPN)); if (supportsObfs4()) { - profiles.put(OBFS4, createProfile(OBFS4)); + try { + profiles.put(OBFS4, createProfile(OBFS4)); + } catch (ConfigParser.ConfigParseError | NumberFormatException | JSONException | IOException e) { + e.printStackTrace(); + } } return profiles; } @@ -191,6 +197,7 @@ public class VpnConfigGenerator { if (remotes.endsWith(newLine)) { remotes = remotes.substring(0, remotes.lastIndexOf(newLine)); } + return remotes; } @@ -249,6 +256,7 @@ public class VpnConfigGenerator { private void obfs4GatewayConfigMinApiv3(StringBuilder stringBuilder, String[] ipAddresses, JSONArray transports) throws JSONException { JSONObject obfs4Transport = getTransport(transports, OBFS4); + JSONArray protocols = obfs4Transport.getJSONArray(PROTOCOLS); //for now only use ipv4 gateway the syntax route remote_host 255.255.255.255 net_gateway is not yet working // https://community.openvpn.net/openvpn/ticket/1161 /*for (String ipAddress : ipAddresses) { @@ -260,10 +268,38 @@ public class VpnConfigGenerator { return; } - String ipAddress = ipAddresses[ipAddresses.length - 1]; + // check if at least one address is IPv4, IPv6 is currently not supported for obfs4 + String ipAddress = null; + for (String address : ipAddresses) { + if (ConfigHelper.isIPv4(address)) { + ipAddress = address; + break; + } + VpnStatus.logWarning("Skipping IP address " + address + " while configuring obfs4."); + } + + if (ipAddress == null) { + VpnStatus.logError("No matching IPv4 address found to configure obfs4."); + return; + } + + // check if at least one protocol is TCP, UDP is currently not supported for obfs4 + boolean hasTcp = false; + for (int i = 0; i < protocols.length(); i++) { + String protocol = protocols.getString(i); + if (protocol.contains("tcp")) { + hasTcp = true; + } + } + + if (!hasTcp) { + VpnStatus.logError("obfs4 currently only allows TCP! Skipping obfs4 config for ip " + ipAddress); + return; + } + String route = "route " + ipAddress + " 255.255.255.255 net_gateway" + newLine; stringBuilder.append(route); - String remote = REMOTE + " " + DISPATCHER_IP + " " + DISPATCHER_PORT + " " + obfs4Transport.getJSONArray(PROTOCOLS).getString(0) + newLine; + String remote = REMOTE + " " + DISPATCHER_IP + " " + DISPATCHER_PORT + " tcp" + newLine; stringBuilder.append(remote); } -- cgit v1.2.3