From c59e17ec3979728e6d9e24308e509d9273f2d230 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 19 Mar 2015 11:30:12 +0100 Subject: Fix importing of auth-user-pass (closes #334), add support for finding the absolute path of a crl file (closes #264) --- .../blinkt/openvpn/activities/ConfigConverter.java | 42 ++++++++++++++++------ .../java/de/blinkt/openvpn/core/ConfigParser.java | 38 +++++++++++++++++++- .../java/de/blinkt/openvpn/fragments/Utils.java | 5 ++- main/src/main/res/values/strings.xml | 1 + 4 files changed, 74 insertions(+), 12 deletions(-) (limited to 'main/src') diff --git a/main/src/main/java/de/blinkt/openvpn/activities/ConfigConverter.java b/main/src/main/java/de/blinkt/openvpn/activities/ConfigConverter.java index a7789c52..262c6e9b 100644 --- a/main/src/main/java/de/blinkt/openvpn/activities/ConfigConverter.java +++ b/main/src/main/java/de/blinkt/openvpn/activities/ConfigConverter.java @@ -71,6 +71,7 @@ public class ConfigConverter extends Activity implements FileSelectCallback { private Map fileSelectMap = new HashMap(); private String mEmbeddedPwFile; private Vector mLogEntries = new Vector(); + private String mCrlFileName; @Override public boolean onOptionsItemSelected(MenuItem item) { @@ -118,6 +119,7 @@ public class ConfigConverter extends Activity implements FileSelectCallback { } outState.putIntArray("fileselects", fileselects); outState.putString("pwfile",mEmbeddedPwFile); + outState.putString("crlfile", mCrlFileName); } @Override @@ -154,6 +156,9 @@ public class ConfigConverter extends Activity implements FileSelectCallback { case KEYFILE: mResult.mClientKeyFilename = data; break; + case CRL_FILE: + mCrlFileName = data; + break; default: Assert.fail(); } @@ -169,6 +174,13 @@ public class ConfigConverter extends Activity implements FileSelectCallback { if (!TextUtils.isEmpty(mEmbeddedPwFile)) ConfigParser.useEmbbedUserAuth(mResult, mEmbeddedPwFile); + if (!TextUtils.isEmpty(mCrlFileName)) + { + // TODO: COnvert this to a real config option that is parsed + ConfigParser.removeCRLCustomOption(mResult); + mResult.mCustomConfigOptions += "crl-verify " + mCrlFileName; + } + vpl.addProfile(mResult); vpl.saveProfile(this, mResult); vpl.saveProfileList(this); @@ -279,7 +291,7 @@ public class ConfigConverter extends Activity implements FileSelectCallback { return true; } - private String embedFile(String filename, Utils.FileType type) { + private String embedFile(String filename, Utils.FileType type, boolean onlyFindFile) { if (filename == null) return null; @@ -290,6 +302,8 @@ public class ConfigConverter extends Activity implements FileSelectCallback { File possibleFile = findFile(filename, type); if (possibleFile == null) return filename; + else if (onlyFindFile) + return possibleFile.getAbsolutePath(); else return readFileContent(possibleFile, type == Utils.FileType.PKCS12); @@ -300,7 +314,8 @@ public class ConfigConverter extends Activity implements FileSelectCallback { if (foundfile == null && filename != null && !filename.equals("")) { log(R.string.import_could_not_open, filename); - addFileSelectDialog(fileType); + if (fileType != Utils.FileType.CRL_FILE) + addFileSelectDialog(fileType); } @@ -342,6 +357,10 @@ public class ConfigConverter extends Activity implements FileSelectCallback { value = mEmbeddedPwFile; break; + case CRL_FILE: + titleRes = R.string.crl_file; + value = mCrlFileName; + break; } boolean isCert = type == Utils.FileType.CA_CERTIFICATE || type == Utils.FileType.CLIENT_CERTIFICATE; @@ -462,7 +481,7 @@ public class ConfigConverter extends Activity implements FileSelectCallback { return bytes; } - void embedFiles() { + void embedFiles(ConfigParser cp) { // This where I would like to have a c++ style // void embedFile(std::string & option) @@ -476,12 +495,14 @@ public class ConfigConverter extends Activity implements FileSelectCallback { } - mResult.mCaFilename = embedFile(mResult.mCaFilename, Utils.FileType.CA_CERTIFICATE); - mResult.mClientCertFilename = embedFile(mResult.mClientCertFilename, Utils.FileType.CLIENT_CERTIFICATE); - mResult.mClientKeyFilename = embedFile(mResult.mClientKeyFilename, Utils.FileType.KEYFILE); - mResult.mTLSAuthFilename = embedFile(mResult.mTLSAuthFilename, Utils.FileType.TLS_AUTH_FILE); - mResult.mPKCS12Filename = embedFile(mResult.mPKCS12Filename, Utils.FileType.PKCS12); - mEmbeddedPwFile = embedFile(mResult.mPassword, Utils.FileType.USERPW_FILE); + mResult.mCaFilename = embedFile(mResult.mCaFilename, Utils.FileType.CA_CERTIFICATE, false); + mResult.mClientCertFilename = embedFile(mResult.mClientCertFilename, Utils.FileType.CLIENT_CERTIFICATE, false); + mResult.mClientKeyFilename = embedFile(mResult.mClientKeyFilename, Utils.FileType.KEYFILE, false); + mResult.mTLSAuthFilename = embedFile(mResult.mTLSAuthFilename, Utils.FileType.TLS_AUTH_FILE, false); + mResult.mPKCS12Filename = embedFile(mResult.mPKCS12Filename, Utils.FileType.PKCS12, false); + mEmbeddedPwFile = cp.getAuthUserPassFile(); + mEmbeddedPwFile = embedFile(cp.getAuthUserPassFile(), Utils.FileType.USERPW_FILE, false); + mCrlFileName = embedFile(cp.getCrlVerifyFile(), Utils.FileType.CRL_FILE, true); } @Override @@ -494,6 +515,7 @@ public class ConfigConverter extends Activity implements FileSelectCallback { mResult = (VpnProfile) savedInstanceState.getSerializable(VPNPROFILE); mAliasName = savedInstanceState.getString("mAliasName"); mEmbeddedPwFile = savedInstanceState.getString("pwfile"); + mCrlFileName = savedInstanceState.getString("crlfile"); if (savedInstanceState.containsKey("logentries")) { //noinspection ConstantConditions @@ -599,7 +621,7 @@ public class ConfigConverter extends Activity implements FileSelectCallback { cp.parseConfig(isr); mResult = cp.convertProfile(); - embedFiles(); + embedFiles(cp); displayWarnings(); mResult.mName = getUniqueProfileName(newName); diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java index fe51aff2..232c454b 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java +++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java @@ -31,6 +31,9 @@ public class ConfigParser { public static final String CONVERTED_PROFILE = "converted Profile"; private HashMap>> options = new HashMap>>(); private HashMap> meta = new HashMap>(); + private String auth_user_pass_file; + private String crl_verify_file; + public void parseConfig(Reader reader) throws IOException, ConfigParseError { @@ -114,6 +117,14 @@ public class ConfigParser { } + public String getAuthUserPassFile() { + return auth_user_pass_file; + } + + public String getCrlVerifyFile() { + return crl_verify_file; + } + enum linestate { initial, readin_single_quote, reading_quoted, reading_unquoted, done @@ -572,6 +583,7 @@ public class ConfigParser { options.put("remotetls", remotetls); Vector authuser = getOption("auth-user-pass", 0, 1); + if (authuser != null) { if (noauthtypeset) { np.mAuthenticationType = VpnProfile.TYPE_USERPASS; @@ -581,11 +593,24 @@ public class ConfigParser { np.mAuthenticationType = VpnProfile.TYPE_USERPASS_KEYSTORE; } if (authuser.size() > 1) { + if (!authuser.get(1).startsWith(VpnProfile.INLINE_TAG)) + auth_user_pass_file = authuser.get(1); np.mUsername = null; useEmbbedUserAuth(np, authuser.get(1)); } } + Vector crlfile = getOption("crl-verify", 1, 2); + if (crlfile != null) { + // If the 'dir' parameter is present just add it as custom option .. + np.mCustomConfigOptions += TextUtils.join(" ", crlfile) + "\n"; + if (crlfile.size() == 2) { + // Save the filename for the config converter to add later + crl_verify_file = crlfile.get(1); + } + } + + Pair conns = parseConnectionOptions(null); np.mConnections = conns.second; @@ -760,6 +785,16 @@ public class ConfigParser { } } + public static void removeCRLCustomOption(VpnProfile np) { + String lines[] = np.mCustomConfigOptions.split("\\r?\\n"); + Vector keeplines = new Vector<>(); + for (String l : lines) { + if (!l.startsWith("crl-verify ")) + keeplines.add(l); + } + np.mCustomConfigOptions = TextUtils.join("\n", keeplines); + } + private void checkIgnoreAndInvalidOptions(VpnProfile np) throws ConfigParseError { for (String option : unsupportedOptions) if (options.containsKey(option)) @@ -771,7 +806,8 @@ public class ConfigParser { if (options.size() > 0) { - np.mCustomConfigOptions += "# These Options were found in the config file do not map to config settings:\n"; + np.mCustomConfigOptions = "# These options found in the config file do not map to config settings:\n" + + np.mCustomConfigOptions; for (Vector> option : options.values()) { diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/Utils.java b/main/src/main/java/de/blinkt/openvpn/fragments/Utils.java index 8676ccaf..606ea5f2 100644 --- a/main/src/main/java/de/blinkt/openvpn/fragments/Utils.java +++ b/main/src/main/java/de/blinkt/openvpn/fragments/Utils.java @@ -155,7 +155,8 @@ public class Utils { OVPN_CONFIG(3), KEYFILE(4), TLS_AUTH_FILE(5), - USERPW_FILE(6); + USERPW_FILE(6), + CRL_FILE(7); private int value; @@ -179,6 +180,8 @@ public class Utils { return TLS_AUTH_FILE; case 6: return USERPW_FILE; + case 7: + return CRL_FILE; default: return null; } diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml index f552cb3d..7eb1c66c 100755 --- a/main/src/main/res/values/strings.xml +++ b/main/src/main/res/values/strings.xml @@ -379,5 +379,6 @@ Connections fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Newer OpenVPN for Android versions (0.6.29/March 2015) use a more secure default for the allowed cipher suites (tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\"). Unfortunately, omitting the less secure cipher suites and export cipher suites, especially the omission of cipher suites that do not support Perfect Forward Secrecy (Diffie-Hellman) causes some problems. This usually caused by an well-intentioned but poorly executed attempts to strengthen TLS security by setting tls-cipher on the server.\nTo solve this problem the problem, set the tls-cipher settings on the server to reasonable default like tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\". To work around the problem on the client add the custom option tls-cipher DEFAULT on the Android client. This profile has been added from an external app (%s) and has been marked as not user editable. + Certificate Revocation List -- cgit v1.2.3