From 8bb986f5149f1efdece68eec329b693795d8cf75 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 5 May 2023 16:48:44 +0200 Subject: Fix hash comparison when profile is base64 encoded. Allow going back to non-Alias config --- .../de/blinkt/openvpn/api/AppRestrictions.java | 48 +++++++++++++++++----- 1 file changed, 37 insertions(+), 11 deletions(-) (limited to 'main/src') diff --git a/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java b/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java index c2f539ae..bdab3be3 100644 --- a/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java +++ b/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java @@ -60,7 +60,8 @@ public class AppRestrictions { c.unregisterReceiver(mRestrictionsReceiver); } - private String hashConfig(String config) { + private String hashConfig(String rawconfig) { + String config = prepare(rawconfig); MessageDigest digest; try { digest = MessageDigest.getInstance("SHA1"); @@ -121,6 +122,10 @@ public class AppRestrictions { continue; } + /* we always use lower case uuid since Android UUID class will use present + * them that way */ + uuid = uuid.toLowerCase(Locale.US); + if (uuid.equals(defaultprofile)) defaultprofileProvisioned = true; 
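Review bot: The hash is only stable if `prepare()` is idempotent and never returns null, and neither property is visible in this hunk, where `hashConfig` now hashes `prepare(rawconfig)` instead of its argument. Any caller that already passes a prepared config will have it prepared a second time, and a hash stored by an earlier version over the raw base64 text will presumably mismatch once after the upgrade and trigger a re-import. I would state the contract in a comment on the method, for example `/* Hash is taken over the prepared (decoded) config so it matches the hash stored at import */`. The `SHA1` digest in the context lines is fine for change detection but should not be relied on as an integrity check of the managed profile. The method body continues outside the hunk.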
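Review bot: Only `uuid` is lower-cased before `uuid.equals(defaultprofile)`. Where `defaultprofile` is read is outside this hunk, but if it is taken verbatim from the managed configuration, an upper-case value that used to match will no longer mark the default profile as provisioned. Either normalise it the same way where it is read or compare with `uuid.equalsIgnoreCase(defaultprofile)`. `Locale.ROOT` is the usual choice for locale-independent casing of identifiers. The added comment has a slip ("will use present them") and could read `/* Always use lower case UUIDs, since the Android UUID class presents them that way */`.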
@@ -188,22 +193,43 @@ public class AppRestrictions { * the authentication method and will also set the keystore alias */ private void addCertificateAlias(VpnProfile vpnProfile, String certAlias, Context c) { - if (certAlias == null || vpnProfile == null) + if (vpnProfile == null) return; int oldType = vpnProfile.mAuthenticationType; String oldAlias = vpnProfile.mAlias; - switch (vpnProfile.mAuthenticationType) + if (!TextUtils.isEmpty(certAlias)) { + switch (vpnProfile.mAuthenticationType) + { + case VpnProfile.TYPE_PKCS12: + case VpnProfile.TYPE_CERTIFICATES: + vpnProfile.mAuthenticationType = VpnProfile.TYPE_KEYSTORE; + break; + case VpnProfile.TYPE_USERPASS_CERTIFICATES: + case VpnProfile.TYPE_USERPASS_PKCS12: + vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_KEYSTORE; + break; + } + + } else { - case VpnProfile.TYPE_PKCS12: - case VpnProfile.TYPE_CERTIFICATES: - vpnProfile.mAuthenticationType = VpnProfile.TYPE_KEYSTORE; - break; - case VpnProfile.TYPE_USERPASS_CERTIFICATES: - case VpnProfile.TYPE_USERPASS_PKCS12: - vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_KEYSTORE; - break; + /* Alias is null, return to non keystore method */ + boolean pkcs12present = !TextUtils.isEmpty(vpnProfile.mPKCS12Filename); + switch (vpnProfile.mAuthenticationType) { + case VpnProfile.TYPE_USERPASS_KEYSTORE: + if (pkcs12present) + vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_PKCS12; + else + vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_CERTIFICATES; + break; + case VpnProfile.TYPE_KEYSTORE: + if (pkcs12present) + vpnProfile.mAuthenticationType = VpnProfile.TYPE_PKCS12; + else + vpnProfile.mAuthenticationType = VpnProfile.TYPE_CERTIFICATES; + break; + } } vpnProfile.mAlias = certAlias; -- cgit v1.2.3
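Review bot: In the new `else` branch, a keystore profile with no PKCS12 file is switched to `TYPE_CERTIFICATES` or `TYPE_USERPASS_CERTIFICATES` without checking that the profile holds any client certificate or key, so a profile provisioned only with an alias may be left unable to authenticate. Because the branch runs for an empty alias as well as a null one, a blank value in the managed configuration is enough to move the profile off the keystore-backed key. I would log that transition and correct the comment to `/* Alias is null or empty, return to non keystore method */`. The inner `if`/`else` arms are unbraced, which is easy to break when a second statement is added. The method continues past `vpnProfile.mAlias = certAlias;` outside the hunk, so how `oldType` and `oldAlias` are used afterwards is not visible here.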