summaryrefslogtreecommitdiff
path: root/src/de/blinkt/openvpn/VpnProfile.java
diff options
context:
space:
mode:
Diffstat (limited to 'src/de/blinkt/openvpn/VpnProfile.java')
-rw-r--r--src/de/blinkt/openvpn/VpnProfile.java111
1 files changed, 70 insertions, 41 deletions
diff --git a/src/de/blinkt/openvpn/VpnProfile.java b/src/de/blinkt/openvpn/VpnProfile.java
index ea034b55..fcb0679f 100644
--- a/src/de/blinkt/openvpn/VpnProfile.java
+++ b/src/de/blinkt/openvpn/VpnProfile.java
@@ -57,6 +57,14 @@ public class VpnProfile implements Serializable{
public static final int TYPE_USERPASS_PKCS12 = 6;
public static final int TYPE_USERPASS_KEYSTORE = 7;
+ public static final int X509_VERIFY_TLSREMOTE=0;
+ public static final int X509_VERIFY_TLSREMOTE_COMPAT_NOREMAPPING=1;
+ public static final int X509_VERIFY_TLSREMOTE_DN=2;
+ public static final int X509_VERIFY_TLSREMOTE_RDN=3;
+ public static final int X509_VERIFY_TLSREMOTE_RDN_PREFIX=4;
+
+
+
// Don't change this, not all parts of the program use this constant
public static final String EXTRA_PROFILEUUID = "de.blinkt.openvpn.profileUUID";
public static final String INLINE_TAG = "[[INLINE]]";
@@ -119,10 +127,11 @@ public class VpnProfile implements Serializable{
public String mConnectRetry="5";
public boolean mUserEditable=true;
public String mAuth="";
-
+ public int mX509AuthType=X509_VERIFY_TLSREMOTE_RDN;
+
static final String MINIVPN = "miniopenvpn";
-
-
+
+
static private native byte[] rsasign(byte[] input,int pkey) throws InvalidKeyException;
static {
System.loadLibrary("opvpnutil");
@@ -211,16 +220,16 @@ public class VpnProfile implements Serializable{
if(mConnectRetryMax ==null) {
mConnectRetryMax="5";
}
-
+
if(!mConnectRetryMax.equals("-1"))
- cfg+="connect-retry-max " + mConnectRetryMax+ "\n";
-
+ cfg+="connect-retry-max " + mConnectRetryMax+ "\n";
+
if(mConnectRetry==null)
mConnectRetry="5";
-
-
+
+
cfg+="connect-retry " + mConnectRetry + "\n";
-
+
cfg+="resolv-retry 60\n";
@@ -330,7 +339,7 @@ public class VpnProfile implements Serializable{
cfg+="max-routes " + numroutes + "\n";
}
cfg+=routes;
-
+
if(mOverrideDNS || !mUsePull) {
if(nonNull(mDNS1))
cfg+="dhcp-option DNS " + mDNS1 + "\n";
@@ -349,9 +358,29 @@ public class VpnProfile implements Serializable{
// Authentication
if(mCheckRemoteCN) {
if(mRemoteCN == null || mRemoteCN.equals("") )
- cfg+="tls-remote " + mServerName + "\n";
- else
- cfg += "tls-remote " + openVpnEscape(mRemoteCN) + "\n";
+ cfg+="x509-verify-name " + mServerName + " name\n";
+ else
+ switch (mX509AuthType) {
+
+ // 2.2 style x509 checks
+ case X509_VERIFY_TLSREMOTE_COMPAT_NOREMAPPING:
+ cfg+="compat-names no-remapping\n";
+ case X509_VERIFY_TLSREMOTE:
+ cfg+="tls-remote " + openVpnEscape(mRemoteCN) + "\n";
+ break;
+
+ case X509_VERIFY_TLSREMOTE_RDN:
+ cfg+="x509-verify-name " + openVpnEscape(mRemoteCN) + " name\n";
+ break;
+
+ case X509_VERIFY_TLSREMOTE_RDN_PREFIX:
+ cfg+="x509-verify-name " + openVpnEscape(mRemoteCN) + " name-prefix\n";
+ break;
+
+ case X509_VERIFY_TLSREMOTE_DN:
+ cfg+="x509-verify-name " + openVpnEscape(mRemoteCN) + "\n";
+ break;
+ }
}
if(mExpectTLSCert)
cfg += "remote-cert-tls server\n";
@@ -377,15 +406,15 @@ public class VpnProfile implements Serializable{
cfg+= "# persist-tun also sets persist-remote-ip to avoid DNS resolve problem\n";
cfg+= "persist-remote-ip\n";
}
-
+
SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
boolean usesystemproxy = prefs.getBoolean("usesystemproxy", true);
if(usesystemproxy) {
cfg+= "# Use system proxy setting\n";
cfg+= "management-query-proxy\n";
}
-
-
+
+
if(mUseCustomConfig) {
cfg += "# Custom configuration options\n";
cfg += "# You are on your on own here :)\n";
@@ -536,17 +565,17 @@ public class VpnProfile implements Serializable{
try {
privateKey = KeyChain.getPrivateKey(context,mAlias);
mPrivateKey = privateKey;
-
+
cachain = KeyChain.getCertificateChain(context, mAlias);
if(cachain.length <= 1 && !nonNull(mCaFilename))
OpenVPN.logMessage(0, "", context.getString(R.string.keychain_nocacert));
-
+
for(X509Certificate cert:cachain) {
OpenVPN.logInfo(R.string.cert_from_keystore,cert.getSubjectDN());
}
-
-
-
+
+
+
if(nonNull(mCaFilename)) {
try {
@@ -554,15 +583,15 @@ public class VpnProfile implements Serializable{
X509Certificate[] newcachain = new X509Certificate[cachain.length+1];
for(int i=0;i<cachain.length;i++)
newcachain[i]=cachain[i];
-
+
newcachain[cachain.length-1]=(X509Certificate) cacert;
-
+
} catch (Exception e) {
OpenVPN.logError("Could not read CA certificate" + e.getLocalizedMessage());
}
}
-
+
StringWriter caout = new StringWriter();
@@ -571,9 +600,9 @@ public class VpnProfile implements Serializable{
pw.writeObject(new PemObject("CERTIFICATE", cert.getEncoded()));
}
pw.close();
-
-
-
+
+
+
StringWriter certout = new StringWriter();
@@ -606,16 +635,16 @@ public class VpnProfile implements Serializable{
return null;
}
private Certificate getCacertFromFile() throws FileNotFoundException, CertificateException {
- CertificateFactory certFact = CertificateFactory.getInstance("X.509");
-
- InputStream inStream;
-
- if(mCaFilename.startsWith(INLINE_TAG))
- inStream = new ByteArrayInputStream(mCaFilename.replace(INLINE_TAG,"").getBytes());
+ CertificateFactory certFact = CertificateFactory.getInstance("X.509");
+
+ InputStream inStream;
+
+ if(mCaFilename.startsWith(INLINE_TAG))
+ inStream = new ByteArrayInputStream(mCaFilename.replace(INLINE_TAG,"").getBytes());
else
inStream = new FileInputStream(mCaFilename);
-
- return certFact.generateCertificate(inStream);
+
+ return certFact.generateCertificate(inStream);
}
@@ -703,7 +732,7 @@ public class VpnProfile implements Serializable{
}
}
-
+
if(data.contains("Proc-Type: 4,ENCRYPTED"))
return true;
else if(data.contains("-----BEGIN ENCRYPTED PRIVATE KEY-----"))
@@ -718,14 +747,14 @@ public class VpnProfile implements Serializable{
if(mTransientPCKS12PW==null)
return R.string.pkcs12_file_encryption_key;
}
-
+
if(mAuthenticationType == TYPE_CERTIFICATES || mAuthenticationType == TYPE_USERPASS_CERTIFICATES) {
if(requireTLSKeyPassword() && !nonNull(mKeyPassword))
if(mTransientPCKS12PW==null) {
return R.string.private_key_password;
}
}
-
+
if(isUserPWAuth() && (mPassword.equals("") || mPassword == null)) {
if(mTransientPW==null)
return R.string.password;
@@ -783,7 +812,7 @@ public class VpnProfile implements Serializable{
byte[] signed_bytes = rsasinger.doFinal(data);
return Base64.encodeToString(signed_bytes, Base64.NO_WRAP);
-
+
} catch (NoSuchAlgorithmException e){
err =e;
} catch (InvalidKeyException e) {
@@ -825,7 +854,7 @@ public class VpnProfile implements Serializable{
byte[] signed_bytes = rsasign(data, pkey);
return Base64.encodeToString(signed_bytes, Base64.NO_WRAP);
-
+
} catch (NoSuchMethodException e) {
err=e;
} catch (IllegalArgumentException e) {
@@ -845,7 +874,7 @@ public class VpnProfile implements Serializable{
}
-
+
}