]>
Commit | Line | Data |
---|---|---|
a4f9028e | 1 | /* |
6ca0b46c | 2 | * Copyright (C) 2012-2018 Tobias Brunner |
a4f9028e TB |
3 | * Copyright (C) 2012 Giuliano Grassi |
4 | * Copyright (C) 2012 Ralf Sager | |
19ef2aec TB |
5 | * |
6 | * Copyright (C) secunet Security Networks AG | |
a4f9028e TB |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
17 | */ | |
18 | ||
8bf30276 | 19 | package org.strongswan.android.logic; |
4a208143 | 20 | |
acc8948f | 21 | import android.annotation.TargetApi; |
d5070425 | 22 | import android.app.Notification; |
6ca0b46c | 23 | import android.app.NotificationChannel; |
d5070425 | 24 | import android.app.NotificationManager; |
9c0be3ac | 25 | import android.app.PendingIntent; |
03de55ad TB |
26 | import android.app.Service; |
27 | import android.content.ComponentName; | |
9c0be3ac | 28 | import android.content.Context; |
4a208143 | 29 | import android.content.Intent; |
03de55ad | 30 | import android.content.ServiceConnection; |
08c79d51 | 31 | import android.content.SharedPreferences; |
f2e7156d | 32 | import android.content.pm.PackageManager; |
4a208143 | 33 | import android.net.VpnService; |
69e0215b | 34 | import android.os.Build; |
a4f9028e | 35 | import android.os.Bundle; |
70d6a0cf | 36 | import android.os.Handler; |
03de55ad | 37 | import android.os.IBinder; |
5215d512 | 38 | import android.os.ParcelFileDescriptor; |
3aba3386 TB |
39 | import android.security.KeyChain; |
40 | import android.security.KeyChainException; | |
acc8948f | 41 | import android.system.OsConstants; |
a4f9028e | 42 | import android.util.Log; |
4a208143 | 43 | |
d5070425 TB |
44 | import org.strongswan.android.R; |
45 | import org.strongswan.android.data.VpnProfile; | |
f2e7156d | 46 | import org.strongswan.android.data.VpnProfile.SelectedAppsHandling; |
d5070425 TB |
47 | import org.strongswan.android.data.VpnProfileDataSource; |
48 | import org.strongswan.android.data.VpnType.VpnTypeFeature; | |
49 | import org.strongswan.android.logic.VpnStateService.ErrorState; | |
50 | import org.strongswan.android.logic.VpnStateService.State; | |
51 | import org.strongswan.android.logic.imc.ImcState; | |
52 | import org.strongswan.android.logic.imc.RemediationInstruction; | |
53 | import org.strongswan.android.ui.MainActivity; | |
58d139da | 54 | import org.strongswan.android.ui.VpnProfileControlActivity; |
08c79d51 | 55 | import org.strongswan.android.utils.Constants; |
72b7c289 TB |
56 | import org.strongswan.android.utils.IPRange; |
57 | import org.strongswan.android.utils.IPRangeSet; | |
d5070425 | 58 | import org.strongswan.android.utils.SettingsWriter; |
2ef473be | 59 | import org.strongswan.android.utils.Utils; |
d5070425 TB |
60 | |
61 | import java.io.File; | |
fe1f1432 TB |
62 | import java.io.FileInputStream; |
63 | import java.io.IOException; | |
d5070425 TB |
64 | import java.net.Inet4Address; |
65 | import java.net.Inet6Address; | |
66 | import java.net.InetAddress; | |
67 | import java.net.UnknownHostException; | |
fe1f1432 TB |
68 | import java.nio.ByteBuffer; |
69 | import java.nio.channels.ClosedByInterruptException; | |
d5070425 TB |
70 | import java.security.PrivateKey; |
71 | import java.security.cert.CertificateEncodingException; | |
72 | import java.security.cert.X509Certificate; | |
73 | import java.util.ArrayList; | |
74 | import java.util.List; | |
75 | import java.util.Locale; | |
800f881a | 76 | import java.util.SortedSet; |
d5070425 | 77 | |
3b9696fc TB |
78 | import androidx.core.app.NotificationCompat; |
79 | import androidx.core.content.ContextCompat; | |
e106fce4 | 80 | import androidx.preference.PreferenceManager; |
3b9696fc | 81 | |
d5070425 | 82 | public class CharonVpnService extends VpnService implements Runnable, VpnStateService.VpnStateListener |
a4057603 | 83 | { |
a4f9028e | 84 | private static final String TAG = CharonVpnService.class.getSimpleName(); |
56f59956 | 85 | private static final String VPN_SERVICE_ACTION = "android.net.VpnService"; |
59693d6c | 86 | public static final String DISCONNECT_ACTION = "org.strongswan.android.CharonVpnService.DISCONNECT"; |
6ca0b46c | 87 | private static final String NOTIFICATION_CHANNEL = "org.strongswan.android.CharonVpnService.VPN_STATE_NOTIFICATION"; |
fe05f1f0 | 88 | public static final String LOG_FILE = "charon.log"; |
fb3772ec | 89 | public static final String KEY_IS_RETRY = "retry"; |
d5070425 | 90 | public static final int VPN_STATE_NOTIFICATION_ID = 1; |
fe05f1f0 TB |
91 | |
92 | private String mLogFile; | |
3fe9a436 | 93 | private String mAppDir; |
a4f9028e TB |
94 | private VpnProfileDataSource mDataSource; |
95 | private Thread mConnectionHandler; | |
96 | private VpnProfile mCurrentProfile; | |
9d0f8a3a | 97 | private volatile String mCurrentCertificateAlias; |
3aba3386 | 98 | private volatile String mCurrentUserCertificateAlias; |
a4f9028e TB |
99 | private VpnProfile mNextProfile; |
100 | private volatile boolean mProfileUpdated; | |
101 | private volatile boolean mTerminate; | |
a7c8b166 | 102 | private volatile boolean mIsDisconnecting; |
d5070425 | 103 | private volatile boolean mShowNotification; |
fe1f1432 | 104 | private BuilderAdapter mBuilderAdapter = new BuilderAdapter(); |
70d6a0cf | 105 | private Handler mHandler; |
03de55ad TB |
106 | private VpnStateService mService; |
107 | private final Object mServiceLock = new Object(); | |
108 | private final ServiceConnection mServiceConnection = new ServiceConnection() { | |
109 | @Override | |
110 | public void onServiceDisconnected(ComponentName name) | |
111 | { /* since the service is local this is theoretically only called when the process is terminated */ | |
112 | synchronized (mServiceLock) | |
113 | { | |
114 | mService = null; | |
115 | } | |
116 | } | |
117 | ||
118 | @Override | |
119 | public void onServiceConnected(ComponentName name, IBinder service) | |
120 | { | |
121 | synchronized (mServiceLock) | |
122 | { | |
123 | mService = ((VpnStateService.LocalBinder)service).getService(); | |
124 | } | |
125 | /* we are now ready to start the handler thread */ | |
d5070425 | 126 | mService.registerListener(CharonVpnService.this); |
03de55ad TB |
127 | mConnectionHandler.start(); |
128 | } | |
129 | }; | |
4a208143 | 130 | |
8c2af60c TB |
131 | /** |
132 | * as defined in charonservice.h | |
133 | */ | |
134 | static final int STATE_CHILD_SA_UP = 1; | |
135 | static final int STATE_CHILD_SA_DOWN = 2; | |
136 | static final int STATE_AUTH_ERROR = 3; | |
137 | static final int STATE_PEER_AUTH_ERROR = 4; | |
138 | static final int STATE_LOOKUP_ERROR = 5; | |
139 | static final int STATE_UNREACHABLE_ERROR = 6; | |
ab5dbbc4 TB |
140 | static final int STATE_CERTIFICATE_UNAVAILABLE = 7; |
141 | static final int STATE_GENERIC_ERROR = 8; | |
8c2af60c | 142 | |
4a208143 | 143 | @Override |
a4057603 TB |
144 | public int onStartCommand(Intent intent, int flags, int startId) |
145 | { | |
a4f9028e TB |
146 | if (intent != null) |
147 | { | |
56f59956 | 148 | VpnProfile profile = null; |
fb3772ec | 149 | boolean retry = false; |
56f59956 TB |
150 | |
151 | if (VPN_SERVICE_ACTION.equals(intent.getAction())) | |
152 | { /* triggered when Always-on VPN is activated */ | |
153 | SharedPreferences pref = PreferenceManager.getDefaultSharedPreferences(this); | |
154 | String uuid = pref.getString(Constants.PREF_DEFAULT_VPN_PROFILE, null); | |
155 | if (uuid == null || uuid.equals(Constants.PREF_DEFAULT_VPN_PROFILE_MRU)) | |
156 | { | |
157 | uuid = pref.getString(Constants.PREF_MRU_VPN_PROFILE, null); | |
158 | } | |
159 | profile = mDataSource.getVpnProfile(uuid); | |
59693d6c | 160 | } |
56f59956 | 161 | else if (!DISCONNECT_ACTION.equals(intent.getAction())) |
59693d6c TB |
162 | { |
163 | Bundle bundle = intent.getExtras(); | |
59693d6c | 164 | if (bundle != null) |
a4f9028e | 165 | { |
6f9b96ac | 166 | profile = mDataSource.getVpnProfile(bundle.getString(VpnProfileDataSource.KEY_UUID)); |
59693d6c TB |
167 | if (profile != null) |
168 | { | |
169 | String password = bundle.getString(VpnProfileDataSource.KEY_PASSWORD); | |
170 | profile.setPassword(password); | |
08c79d51 | 171 | |
fb3772ec TB |
172 | retry = bundle.getBoolean(CharonVpnService.KEY_IS_RETRY, false); |
173 | ||
08c79d51 TB |
174 | SharedPreferences pref = PreferenceManager.getDefaultSharedPreferences(this); |
175 | pref.edit().putString(Constants.PREF_MRU_VPN_PROFILE, profile.getUUID().toString()) | |
176 | .apply(); | |
59693d6c | 177 | } |
a4f9028e TB |
178 | } |
179 | } | |
fb3772ec TB |
180 | if (profile != null && !retry) |
181 | { /* delete the log file if this is not an automatic retry */ | |
182 | deleteFile(LOG_FILE); | |
183 | } | |
56f59956 | 184 | setNextProfile(profile); |
a4f9028e TB |
185 | } |
186 | return START_NOT_STICKY; | |
4a208143 TB |
187 | } |
188 | ||
189 | @Override | |
a4057603 TB |
190 | public void onCreate() |
191 | { | |
fe05f1f0 | 192 | mLogFile = getFilesDir().getAbsolutePath() + File.separator + LOG_FILE; |
3fe9a436 | 193 | mAppDir = getFilesDir().getAbsolutePath(); |
fe05f1f0 | 194 | |
70d6a0cf | 195 | /* handler used to do changes in the main UI thread */ |
dc351a30 | 196 | mHandler = new Handler(getMainLooper()); |
70d6a0cf | 197 | |
a4f9028e TB |
198 | mDataSource = new VpnProfileDataSource(this); |
199 | mDataSource.open(); | |
200 | /* use a separate thread as main thread for charon */ | |
201 | mConnectionHandler = new Thread(this); | |
03de55ad TB |
202 | /* the thread is started when the service is bound */ |
203 | bindService(new Intent(this, VpnStateService.class), | |
204 | mServiceConnection, Service.BIND_AUTO_CREATE); | |
6ca0b46c TB |
205 | |
206 | createNotificationChannel(); | |
a4f9028e TB |
207 | } |
208 | ||
209 | @Override | |
210 | public void onRevoke() | |
211 | { /* the system revoked the rights grated with the initial prepare() call. | |
212 | * called when the user clicks disconnect in the system's VPN dialog */ | |
213 | setNextProfile(null); | |
4a208143 TB |
214 | } |
215 | ||
216 | @Override | |
a4057603 TB |
217 | public void onDestroy() |
218 | { | |
a4f9028e TB |
219 | mTerminate = true; |
220 | setNextProfile(null); | |
221 | try | |
222 | { | |
223 | mConnectionHandler.join(); | |
224 | } | |
225 | catch (InterruptedException e) | |
226 | { | |
227 | e.printStackTrace(); | |
228 | } | |
03de55ad TB |
229 | if (mService != null) |
230 | { | |
d5070425 | 231 | mService.unregisterListener(this); |
03de55ad TB |
232 | unbindService(mServiceConnection); |
233 | } | |
a4f9028e TB |
234 | mDataSource.close(); |
235 | } | |
236 | ||
237 | /** | |
238 | * Set the profile that is to be initiated next. Notify the handler thread. | |
239 | * | |
240 | * @param profile the profile to initiate | |
241 | */ | |
242 | private void setNextProfile(VpnProfile profile) | |
243 | { | |
244 | synchronized (this) | |
245 | { | |
246 | this.mNextProfile = profile; | |
247 | mProfileUpdated = true; | |
248 | notifyAll(); | |
249 | } | |
250 | } | |
251 | ||
252 | @Override | |
253 | public void run() | |
254 | { | |
255 | while (true) | |
256 | { | |
257 | synchronized (this) | |
258 | { | |
259 | try | |
260 | { | |
261 | while (!mProfileUpdated) | |
262 | { | |
263 | wait(); | |
264 | } | |
265 | ||
266 | mProfileUpdated = false; | |
267 | stopCurrentConnection(); | |
268 | if (mNextProfile == null) | |
269 | { | |
03de55ad | 270 | setState(State.DISABLED); |
a4f9028e TB |
271 | if (mTerminate) |
272 | { | |
273 | break; | |
274 | } | |
275 | } | |
276 | else | |
277 | { | |
278 | mCurrentProfile = mNextProfile; | |
279 | mNextProfile = null; | |
280 | ||
9d0f8a3a TB |
281 | /* store this in a separate (volatile) variable to avoid |
282 | * a possible deadlock during deinitialization */ | |
283 | mCurrentCertificateAlias = mCurrentProfile.getCertificateAlias(); | |
3aba3386 | 284 | mCurrentUserCertificateAlias = mCurrentProfile.getUserCertificateAlias(); |
9d0f8a3a | 285 | |
38172313 | 286 | startConnection(mCurrentProfile); |
a7c8b166 | 287 | mIsDisconnecting = false; |
03de55ad | 288 | |
ad2d20e5 | 289 | SimpleFetcher.enable(); |
d5070425 | 290 | addNotification(); |
fe1f1432 | 291 | mBuilderAdapter.setProfile(mCurrentProfile); |
35819143 TB |
292 | if (initializeCharon(mBuilderAdapter, mLogFile, mAppDir, mCurrentProfile.getVpnType().has(VpnTypeFeature.BYOD), |
293 | (mCurrentProfile.getFlags() & VpnProfile.FLAGS_IPv6_TRANSPORT) != 0)) | |
c3ee829e TB |
294 | { |
295 | Log.i(TAG, "charon started"); | |
f0b3e303 TB |
296 | |
297 | if (mCurrentProfile.getVpnType().has(VpnTypeFeature.USER_PASS) && | |
298 | mCurrentProfile.getPassword() == null) | |
299 | { /* this can happen if Always-on VPN is enabled with an incomplete profile */ | |
300 | setError(ErrorState.PASSWORD_MISSING); | |
301 | continue; | |
302 | } | |
303 | ||
79af70c6 | 304 | SettingsWriter writer = new SettingsWriter(); |
6830cb1c | 305 | writer.setValue("global.language", Locale.getDefault().getLanguage()); |
4d02c49e | 306 | writer.setValue("global.mtu", mCurrentProfile.getMTU()); |
db599d6b | 307 | writer.setValue("global.nat_keepalive", mCurrentProfile.getNATKeepAlive()); |
205ec47d | 308 | writer.setValue("global.rsa_pss", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_RSA_PSS) != 0); |
a7060581 TB |
309 | writer.setValue("global.crl", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_DISABLE_CRL) == 0); |
310 | writer.setValue("global.ocsp", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_DISABLE_OCSP) == 0); | |
79af70c6 TB |
311 | writer.setValue("connection.type", mCurrentProfile.getVpnType().getIdentifier()); |
312 | writer.setValue("connection.server", mCurrentProfile.getGateway()); | |
cda167c8 | 313 | writer.setValue("connection.port", mCurrentProfile.getPort()); |
79af70c6 TB |
314 | writer.setValue("connection.username", mCurrentProfile.getUsername()); |
315 | writer.setValue("connection.password", mCurrentProfile.getPassword()); | |
9c556441 TB |
316 | writer.setValue("connection.local_id", mCurrentProfile.getLocalId()); |
317 | writer.setValue("connection.remote_id", mCurrentProfile.getRemoteId()); | |
3f0592d0 | 318 | writer.setValue("connection.certreq", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_SUPPRESS_CERT_REQS) == 0); |
a7060581 | 319 | writer.setValue("connection.strict_revocation", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_STRICT_REVOCATION) != 0); |
a7c43544 TB |
320 | writer.setValue("connection.ike_proposal", mCurrentProfile.getIkeProposal()); |
321 | writer.setValue("connection.esp_proposal", mCurrentProfile.getEspProposal()); | |
79af70c6 | 322 | initiate(writer.serialize()); |
c3ee829e TB |
323 | } |
324 | else | |
325 | { | |
326 | Log.e(TAG, "failed to start charon"); | |
327 | setError(ErrorState.GENERIC_ERROR); | |
328 | setState(State.DISABLED); | |
329 | mCurrentProfile = null; | |
330 | } | |
a4f9028e TB |
331 | } |
332 | } | |
333 | catch (InterruptedException ex) | |
334 | { | |
335 | stopCurrentConnection(); | |
03de55ad | 336 | setState(State.DISABLED); |
a4f9028e TB |
337 | } |
338 | } | |
339 | } | |
340 | } | |
341 | ||
342 | /** | |
343 | * Stop any existing connection by deinitializing charon. | |
344 | */ | |
345 | private void stopCurrentConnection() | |
346 | { | |
347 | synchronized (this) | |
348 | { | |
fe1f1432 TB |
349 | if (mNextProfile != null && Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) |
350 | { | |
351 | mBuilderAdapter.setProfile(mNextProfile); | |
352 | mBuilderAdapter.establishBlocking(); | |
353 | } | |
354 | ||
a4f9028e TB |
355 | if (mCurrentProfile != null) |
356 | { | |
03de55ad | 357 | setState(State.DISCONNECTING); |
a7c8b166 | 358 | mIsDisconnecting = true; |
ad2d20e5 | 359 | SimpleFetcher.disable(); |
a4f9028e TB |
360 | deinitializeCharon(); |
361 | Log.i(TAG, "charon stopped"); | |
362 | mCurrentProfile = null; | |
bc528681 | 363 | if (mNextProfile == null) |
fe1f1432 | 364 | { /* only do this if we are not connecting to another profile */ |
bc528681 | 365 | removeNotification(); |
fe1f1432 | 366 | mBuilderAdapter.closeBlocking(); |
bc528681 | 367 | } |
a4f9028e TB |
368 | } |
369 | } | |
4a208143 TB |
370 | } |
371 | ||
d5070425 TB |
372 | /** |
373 | * Add a permanent notification while we are connected to avoid the service getting killed by | |
374 | * the system when low on memory. | |
375 | */ | |
376 | private void addNotification() | |
377 | { | |
70d6a0cf TB |
378 | mHandler.post(new Runnable() |
379 | { | |
380 | @Override | |
381 | public void run() | |
382 | { | |
383 | mShowNotification = true; | |
384 | startForeground(VPN_STATE_NOTIFICATION_ID, buildNotification(false)); | |
385 | } | |
386 | }); | |
d5070425 TB |
387 | } |
388 | ||
389 | /** | |
390 | * Remove the permanent notification. | |
391 | */ | |
392 | private void removeNotification() | |
393 | { | |
70d6a0cf TB |
394 | mHandler.post(new Runnable() |
395 | { | |
396 | @Override | |
397 | public void run() | |
398 | { | |
399 | mShowNotification = false; | |
400 | stopForeground(true); | |
401 | } | |
402 | }); | |
d5070425 TB |
403 | } |
404 | ||
6ca0b46c TB |
405 | /** |
406 | * Create a notification channel for Android 8+ | |
407 | */ | |
408 | private void createNotificationChannel() | |
409 | { | |
410 | if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) | |
411 | { | |
412 | NotificationChannel channel; | |
413 | channel = new NotificationChannel(NOTIFICATION_CHANNEL, getString(R.string.permanent_notification_name), | |
414 | NotificationManager.IMPORTANCE_LOW); | |
415 | channel.setDescription(getString(R.string.permanent_notification_description)); | |
416 | channel.setLockscreenVisibility(Notification.VISIBILITY_SECRET); | |
417 | channel.setShowBadge(false); | |
418 | NotificationManager notificationManager = getSystemService(NotificationManager.class); | |
419 | notificationManager.createNotificationChannel(channel); | |
420 | } | |
421 | } | |
422 | ||
423 | ||
d5070425 TB |
424 | /** |
425 | * Build a notification matching the current state | |
426 | */ | |
85059424 | 427 | private Notification buildNotification(boolean publicVersion) |
d5070425 TB |
428 | { |
429 | VpnProfile profile = mService.getProfile(); | |
430 | State state = mService.getState(); | |
431 | ErrorState error = mService.getErrorState(); | |
432 | String name = ""; | |
64c2d3ca | 433 | boolean add_action = false; |
d5070425 TB |
434 | |
435 | if (profile != null) | |
436 | { | |
437 | name = profile.getName(); | |
438 | } | |
6ca0b46c | 439 | NotificationCompat.Builder builder = new NotificationCompat.Builder(this, NOTIFICATION_CHANNEL) |
d5070425 TB |
440 | .setSmallIcon(R.drawable.ic_notification) |
441 | .setCategory(NotificationCompat.CATEGORY_SERVICE) | |
85059424 TB |
442 | .setVisibility(publicVersion ? NotificationCompat.VISIBILITY_PUBLIC |
443 | : NotificationCompat.VISIBILITY_PRIVATE); | |
d5070425 TB |
444 | int s = R.string.state_disabled; |
445 | if (error != ErrorState.NO_ERROR) | |
446 | { | |
a7d679ff | 447 | s = mService.getErrorText(); |
d5070425 TB |
448 | builder.setSmallIcon(R.drawable.ic_notification_warning); |
449 | builder.setColor(ContextCompat.getColor(this, R.color.error_text)); | |
2ec6ad71 TB |
450 | |
451 | if (!publicVersion && profile != null) | |
452 | { | |
453 | int retry = mService.getRetryIn(); | |
454 | if (retry > 0) | |
455 | { | |
456 | builder.setContentText(getResources().getQuantityString(R.plurals.retry_in, retry, retry)); | |
457 | builder.setProgress(mService.getRetryTimeout(), retry, false); | |
458 | } | |
459 | ||
460 | Intent intent = new Intent(getApplicationContext(), VpnProfileControlActivity.class); | |
461 | intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); | |
462 | intent.setAction(VpnProfileControlActivity.START_PROFILE); | |
463 | intent.putExtra(VpnProfileControlActivity.EXTRA_VPN_PROFILE_ID, profile.getUUID().toString()); | |
464 | PendingIntent pending = PendingIntent.getActivity(getApplicationContext(), 0, intent, | |
465 | PendingIntent.FLAG_UPDATE_CURRENT); | |
466 | builder.addAction(R.drawable.ic_notification_connecting, getString(R.string.retry), pending); | |
467 | add_action = true; | |
468 | } | |
d5070425 TB |
469 | } |
470 | else | |
471 | { | |
2ec6ad71 TB |
472 | builder.setProgress(0, 0, false); |
473 | ||
d5070425 TB |
474 | switch (state) |
475 | { | |
476 | case CONNECTING: | |
477 | s = R.string.state_connecting; | |
52aaffde | 478 | builder.setSmallIcon(R.drawable.ic_notification_connecting); |
d5070425 | 479 | builder.setColor(ContextCompat.getColor(this, R.color.warning_text)); |
64c2d3ca | 480 | add_action = true; |
d5070425 TB |
481 | break; |
482 | case CONNECTED: | |
483 | s = R.string.state_connected; | |
484 | builder.setColor(ContextCompat.getColor(this, R.color.success_text)); | |
485 | builder.setUsesChronometer(true); | |
64c2d3ca | 486 | add_action = true; |
d5070425 TB |
487 | break; |
488 | case DISCONNECTING: | |
489 | s = R.string.state_disconnecting; | |
490 | break; | |
491 | } | |
492 | } | |
493 | builder.setContentTitle(getString(s)); | |
85059424 TB |
494 | if (!publicVersion) |
495 | { | |
64c2d3ca TB |
496 | if (add_action) |
497 | { | |
58d139da TB |
498 | Intent intent = new Intent(getApplicationContext(), VpnProfileControlActivity.class); |
499 | intent.setAction(VpnProfileControlActivity.DISCONNECT); | |
64c2d3ca TB |
500 | PendingIntent pending = PendingIntent.getActivity(getApplicationContext(), 0, intent, |
501 | PendingIntent.FLAG_UPDATE_CURRENT); | |
502 | builder.addAction(R.drawable.ic_notification_disconnect, getString(R.string.disconnect), pending); | |
503 | } | |
a7d679ff TB |
504 | if (error == ErrorState.NO_ERROR) |
505 | { | |
506 | builder.setContentText(name); | |
507 | } | |
85059424 TB |
508 | builder.setPublicVersion(buildNotification(true)); |
509 | } | |
d5070425 TB |
510 | |
511 | Intent intent = new Intent(getApplicationContext(), MainActivity.class); | |
512 | PendingIntent pending = PendingIntent.getActivity(getApplicationContext(), 0, intent, | |
513 | PendingIntent.FLAG_UPDATE_CURRENT); | |
514 | builder.setContentIntent(pending); | |
515 | return builder.build(); | |
516 | } | |
517 | ||
518 | @Override | |
519 | public void stateChanged() { | |
520 | if (mShowNotification) | |
521 | { | |
522 | NotificationManager manager = (NotificationManager) getSystemService(Context.NOTIFICATION_SERVICE); | |
85059424 | 523 | manager.notify(VPN_STATE_NOTIFICATION_ID, buildNotification(false)); |
d5070425 TB |
524 | } |
525 | } | |
526 | ||
03de55ad | 527 | /** |
38172313 TB |
528 | * Notify the state service about a new connection attempt. |
529 | * Called by the handler thread. | |
03de55ad TB |
530 | * |
531 | * @param profile currently active VPN profile | |
532 | */ | |
38172313 | 533 | private void startConnection(VpnProfile profile) |
03de55ad TB |
534 | { |
535 | synchronized (mServiceLock) | |
536 | { | |
537 | if (mService != null) | |
538 | { | |
38172313 | 539 | mService.startConnection(profile); |
03de55ad TB |
540 | } |
541 | } | |
542 | } | |
543 | ||
544 | /** | |
545 | * Update the current VPN state on the state service. Called by the handler | |
546 | * thread and any of charon's threads. | |
547 | * | |
548 | * @param state current state | |
549 | */ | |
550 | private void setState(State state) | |
551 | { | |
552 | synchronized (mServiceLock) | |
553 | { | |
554 | if (mService != null) | |
555 | { | |
556 | mService.setState(state); | |
557 | } | |
558 | } | |
559 | } | |
560 | ||
561 | /** | |
562 | * Set an error on the state service. Called by the handler thread and any | |
563 | * of charon's threads. | |
564 | * | |
565 | * @param error error state | |
566 | */ | |
567 | private void setError(ErrorState error) | |
568 | { | |
569 | synchronized (mServiceLock) | |
570 | { | |
571 | if (mService != null) | |
572 | { | |
573 | mService.setError(error); | |
574 | } | |
575 | } | |
576 | } | |
577 | ||
dc52cfab TB |
578 | /** |
579 | * Set the IMC state on the state service. Called by the handler thread and | |
580 | * any of charon's threads. | |
581 | * | |
582 | * @param state IMC state | |
583 | */ | |
584 | private void setImcState(ImcState state) | |
585 | { | |
586 | synchronized (mServiceLock) | |
587 | { | |
588 | if (mService != null) | |
589 | { | |
590 | mService.setImcState(state); | |
591 | } | |
592 | } | |
593 | } | |
594 | ||
8c2af60c | 595 | /** |
394be2d5 TB |
596 | * Set an error on the state service. Called by the handler thread and any |
597 | * of charon's threads. | |
8c2af60c TB |
598 | * |
599 | * @param error error state | |
600 | */ | |
601 | private void setErrorDisconnect(ErrorState error) | |
602 | { | |
603 | synchronized (mServiceLock) | |
604 | { | |
605 | if (mService != null) | |
606 | { | |
a7c8b166 TB |
607 | if (!mIsDisconnecting) |
608 | { | |
38172313 | 609 | mService.setError(error); |
a7c8b166 | 610 | } |
8c2af60c TB |
611 | } |
612 | } | |
613 | } | |
614 | ||
615 | /** | |
616 | * Updates the state of the current connection. | |
617 | * Called via JNI by different threads (but not concurrently). | |
618 | * | |
619 | * @param status new state | |
620 | */ | |
621 | public void updateStatus(int status) | |
622 | { | |
623 | switch (status) | |
624 | { | |
625 | case STATE_CHILD_SA_DOWN: | |
1435bd2e TB |
626 | if (!mIsDisconnecting) |
627 | { | |
628 | setState(State.CONNECTING); | |
629 | } | |
8c2af60c TB |
630 | break; |
631 | case STATE_CHILD_SA_UP: | |
632 | setState(State.CONNECTED); | |
633 | break; | |
634 | case STATE_AUTH_ERROR: | |
635 | setErrorDisconnect(ErrorState.AUTH_FAILED); | |
636 | break; | |
637 | case STATE_PEER_AUTH_ERROR: | |
638 | setErrorDisconnect(ErrorState.PEER_AUTH_FAILED); | |
639 | break; | |
640 | case STATE_LOOKUP_ERROR: | |
641 | setErrorDisconnect(ErrorState.LOOKUP_FAILED); | |
642 | break; | |
643 | case STATE_UNREACHABLE_ERROR: | |
644 | setErrorDisconnect(ErrorState.UNREACHABLE); | |
645 | break; | |
ab5dbbc4 TB |
646 | case STATE_CERTIFICATE_UNAVAILABLE: |
647 | setErrorDisconnect(ErrorState.CERTIFICATE_UNAVAILABLE); | |
648 | break; | |
8c2af60c TB |
649 | case STATE_GENERIC_ERROR: |
650 | setErrorDisconnect(ErrorState.GENERIC_ERROR); | |
651 | break; | |
652 | default: | |
653 | Log.e(TAG, "Unknown status code received"); | |
654 | break; | |
655 | } | |
656 | } | |
657 | ||
dc52cfab TB |
658 | /** |
659 | * Updates the IMC state of the current connection. | |
660 | * Called via JNI by different threads (but not concurrently). | |
661 | * | |
662 | * @param value new state | |
663 | */ | |
664 | public void updateImcState(int value) | |
665 | { | |
666 | ImcState state = ImcState.fromValue(value); | |
667 | if (state != null) | |
668 | { | |
669 | setImcState(state); | |
670 | } | |
671 | } | |
672 | ||
a05acd76 TB |
673 | /** |
674 | * Add a remediation instruction to the VPN state service. | |
675 | * Called via JNI by different threads (but not concurrently). | |
676 | * | |
677 | * @param xml XML text | |
678 | */ | |
679 | public void addRemediationInstruction(String xml) | |
680 | { | |
681 | for (RemediationInstruction instruction : RemediationInstruction.fromXml(xml)) | |
682 | { | |
683 | synchronized (mServiceLock) | |
684 | { | |
685 | if (mService != null) | |
686 | { | |
687 | mService.addRemediationInstruction(instruction); | |
688 | } | |
689 | } | |
690 | } | |
691 | } | |
692 | ||
2bec193a TB |
693 | /** |
694 | * Function called via JNI to generate a list of DER encoded CA certificates | |
695 | * as byte array. | |
696 | * | |
2bec193a TB |
697 | * @return a list of DER encoded CA certificates |
698 | */ | |
9d994ba5 | 699 | private byte[][] getTrustedCertificates() |
2bec193a TB |
700 | { |
701 | ArrayList<byte[]> certs = new ArrayList<byte[]>(); | |
3e85b5a4 | 702 | TrustedCertificateManager certman = TrustedCertificateManager.getInstance().load(); |
2bec193a TB |
703 | try |
704 | { | |
9d994ba5 TB |
705 | String alias = this.mCurrentCertificateAlias; |
706 | if (alias != null) | |
2bec193a | 707 | { |
2bec193a TB |
708 | X509Certificate cert = certman.getCACertificateFromAlias(alias); |
709 | if (cert == null) | |
2bec193a TB |
710 | { |
711 | return null; | |
712 | } | |
713 | certs.add(cert.getEncoded()); | |
714 | } | |
715 | else | |
716 | { | |
9d994ba5 | 717 | for (X509Certificate cert : certman.getAllCACertificates().values()) |
2bec193a | 718 | { |
2bec193a TB |
719 | certs.add(cert.getEncoded()); |
720 | } | |
2bec193a TB |
721 | } |
722 | } | |
723 | catch (CertificateEncodingException e) | |
724 | { | |
725 | e.printStackTrace(); | |
726 | return null; | |
727 | } | |
728 | return certs.toArray(new byte[certs.size()][]); | |
729 | } | |
730 | ||
3aba3386 | 731 | /** |
64595464 TB |
732 | * Function called via JNI to get a list containing the DER encoded certificates |
733 | * of the user selected certificate chain (beginning with the user certificate). | |
3aba3386 TB |
734 | * |
735 | * Since this method is called from a thread of charon's thread pool we are safe | |
736 | * to call methods on KeyChain directly. | |
737 | * | |
64595464 | 738 | * @return list containing the certificates (first element is the user certificate) |
3aba3386 TB |
739 | * @throws InterruptedException |
740 | * @throws KeyChainException | |
741 | * @throws CertificateEncodingException | |
742 | */ | |
743 | private byte[][] getUserCertificate() throws KeyChainException, InterruptedException, CertificateEncodingException | |
744 | { | |
745 | ArrayList<byte[]> encodings = new ArrayList<byte[]>(); | |
64595464 | 746 | X509Certificate[] chain = KeyChain.getCertificateChain(getApplicationContext(), mCurrentUserCertificateAlias); |
3aba3386 TB |
747 | if (chain == null || chain.length == 0) |
748 | { | |
749 | return null; | |
750 | } | |
751 | for (X509Certificate cert : chain) | |
752 | { | |
753 | encodings.add(cert.getEncoded()); | |
754 | } | |
755 | return encodings.toArray(new byte[encodings.size()][]); | |
756 | } | |
757 | ||
406d680e TB |
758 | /** |
759 | * Function called via JNI to get the private key the user selected. | |
760 | * | |
761 | * Since this method is called from a thread of charon's thread pool we are safe | |
762 | * to call methods on KeyChain directly. | |
763 | * | |
764 | * @return the private key | |
765 | * @throws InterruptedException | |
766 | * @throws KeyChainException | |
406d680e TB |
767 | */ |
768 | private PrivateKey getUserKey() throws KeyChainException, InterruptedException | |
769 | { | |
770 | return KeyChain.getPrivateKey(getApplicationContext(), mCurrentUserCertificateAlias); | |
406d680e TB |
771 | } |
772 | ||
4a208143 TB |
773 | /** |
774 | * Initialization of charon, provided by libandroidbridge.so | |
ae4f1ea1 TB |
775 | * |
776 | * @param builder BuilderAdapter for this connection | |
fe05f1f0 | 777 | * @param logfile absolute path to the logfile |
3fe9a436 | 778 | * @param appdir absolute path to the data directory of the app |
d5070425 | 779 | * @param byod enable BYOD features |
35819143 | 780 | * @param ipv6 enable IPv6 transport |
c3ee829e | 781 | * @return TRUE if initialization was successful |
4a208143 | 782 | */ |
35819143 | 783 | public native boolean initializeCharon(BuilderAdapter builder, String logfile, String appdir, boolean byod, boolean ipv6); |
4a208143 TB |
784 | |
785 | /** | |
786 | * Deinitialize charon, provided by libandroidbridge.so | |
787 | */ | |
788 | public native void deinitializeCharon(); | |
789 | ||
c6c39c78 TB |
790 | /** |
791 | * Initiate VPN, provided by libandroidbridge.so | |
792 | */ | |
79af70c6 | 793 | public native void initiate(String config); |
dffee9e2 | 794 | |
5215d512 TB |
795 | /** |
796 | * Adapter for VpnService.Builder which is used to access it safely via JNI. | |
ae4f1ea1 | 797 | * There is a corresponding C object to access it from native code. |
5215d512 TB |
798 | */ |
799 | public class BuilderAdapter | |
800 | { | |
fe1f1432 | 801 | private VpnProfile mProfile; |
0326ceda | 802 | private VpnService.Builder mBuilder; |
36aab70a TB |
803 | private BuilderCache mCache; |
804 | private BuilderCache mEstablishedCache; | |
fe1f1432 | 805 | private PacketDropper mDropper = new PacketDropper(); |
5215d512 | 806 | |
fe1f1432 | 807 | public synchronized void setProfile(VpnProfile profile) |
5215d512 | 808 | { |
f2e7156d TB |
809 | mProfile = profile; |
810 | mBuilder = createBuilder(mProfile.getName()); | |
811 | mCache = new BuilderCache(mProfile); | |
0326ceda TB |
812 | } |
813 | ||
814 | private VpnService.Builder createBuilder(String name) | |
815 | { | |
816 | VpnService.Builder builder = new CharonVpnService.Builder(); | |
f2e7156d | 817 | builder.setSession(name); |
9c0be3ac TB |
818 | |
819 | /* even though the option displayed in the system dialog says "Configure" | |
820 | * we just use our main Activity */ | |
821 | Context context = getApplicationContext(); | |
822 | Intent intent = new Intent(context, MainActivity.class); | |
823 | PendingIntent pending = PendingIntent.getActivity(context, 0, intent, | |
c3bce1aa | 824 | PendingIntent.FLAG_UPDATE_CURRENT); |
9c0be3ac | 825 | builder.setConfigureIntent(pending); |
b32a9be4 TB |
826 | |
827 | /* mark all VPN connections as unmetered (default changed for Android 10) */ | |
828 | if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) | |
829 | { | |
830 | builder.setMetered(false); | |
831 | } | |
0326ceda | 832 | return builder; |
5215d512 TB |
833 | } |
834 | ||
835 | public synchronized boolean addAddress(String address, int prefixLength) | |
836 | { | |
837 | try | |
838 | { | |
36aab70a | 839 | mCache.addAddress(address, prefixLength); |
5215d512 TB |
840 | } |
841 | catch (IllegalArgumentException ex) | |
842 | { | |
843 | return false; | |
844 | } | |
845 | return true; | |
846 | } | |
847 | ||
848 | public synchronized boolean addDnsServer(String address) | |
849 | { | |
850 | try | |
851 | { | |
dd5de792 | 852 | mCache.addDnsServer(address); |
5215d512 TB |
853 | } |
854 | catch (IllegalArgumentException ex) | |
855 | { | |
856 | return false; | |
857 | } | |
858 | return true; | |
859 | } | |
860 | ||
861 | public synchronized boolean addRoute(String address, int prefixLength) | |
862 | { | |
863 | try | |
864 | { | |
36aab70a | 865 | mCache.addRoute(address, prefixLength); |
5215d512 TB |
866 | } |
867 | catch (IllegalArgumentException ex) | |
868 | { | |
869 | return false; | |
870 | } | |
871 | return true; | |
872 | } | |
873 | ||
874 | public synchronized boolean addSearchDomain(String domain) | |
875 | { | |
876 | try | |
877 | { | |
0326ceda | 878 | mBuilder.addSearchDomain(domain); |
5215d512 TB |
879 | } |
880 | catch (IllegalArgumentException ex) | |
881 | { | |
882 | return false; | |
883 | } | |
884 | return true; | |
885 | } | |
886 | ||
887 | public synchronized boolean setMtu(int mtu) | |
888 | { | |
889 | try | |
890 | { | |
36aab70a | 891 | mCache.setMtu(mtu); |
5215d512 TB |
892 | } |
893 | catch (IllegalArgumentException ex) | |
894 | { | |
895 | return false; | |
896 | } | |
897 | return true; | |
898 | } | |
899 | ||
fe1f1432 | 900 | private synchronized ParcelFileDescriptor establishIntern() |
5215d512 TB |
901 | { |
902 | ParcelFileDescriptor fd; | |
903 | try | |
904 | { | |
acc8948f | 905 | mCache.applyData(mBuilder); |
0326ceda | 906 | fd = mBuilder.establish(); |
fe1f1432 TB |
907 | if (fd != null) |
908 | { | |
909 | closeBlocking(); | |
910 | } | |
5215d512 TB |
911 | } |
912 | catch (Exception ex) | |
913 | { | |
914 | ex.printStackTrace(); | |
fe1f1432 | 915 | return null; |
5215d512 TB |
916 | } |
917 | if (fd == null) | |
918 | { | |
fe1f1432 | 919 | return null; |
5215d512 | 920 | } |
0326ceda TB |
921 | /* now that the TUN device is created we don't need the current |
922 | * builder anymore, but we might need another when reestablishing */ | |
f2e7156d | 923 | mBuilder = createBuilder(mProfile.getName()); |
36aab70a | 924 | mEstablishedCache = mCache; |
f2e7156d | 925 | mCache = new BuilderCache(mProfile); |
fe1f1432 TB |
926 | return fd; |
927 | } | |
928 | ||
929 | public synchronized int establish() | |
930 | { | |
931 | ParcelFileDescriptor fd = establishIntern(); | |
932 | return fd != null ? fd.detachFd() : -1; | |
933 | } | |
934 | ||
935 | @TargetApi(Build.VERSION_CODES.LOLLIPOP) | |
936 | public synchronized void establishBlocking() | |
937 | { | |
938 | /* just choose some arbitrary values to block all traffic (except for what's configured in the profile) */ | |
939 | mCache.addAddress("172.16.252.1", 32); | |
940 | mCache.addAddress("fd00::fd02:1", 128); | |
941 | mCache.addRoute("0.0.0.0", 0); | |
942 | mCache.addRoute("::", 0); | |
84ee9577 TB |
943 | /* set DNS servers to avoid DNS leak later */ |
944 | mBuilder.addDnsServer("8.8.8.8"); | |
945 | mBuilder.addDnsServer("2001:4860:4860::8888"); | |
fe1f1432 TB |
946 | /* use blocking mode to simplify packet dropping */ |
947 | mBuilder.setBlocking(true); | |
948 | ParcelFileDescriptor fd = establishIntern(); | |
949 | if (fd != null) | |
950 | { | |
951 | mDropper.start(fd); | |
952 | } | |
953 | } | |
954 | ||
955 | public synchronized void closeBlocking() | |
956 | { | |
957 | mDropper.stop(); | |
5215d512 | 958 | } |
36aab70a TB |
959 | |
960 | public synchronized int establishNoDns() | |
961 | { | |
962 | ParcelFileDescriptor fd; | |
963 | ||
964 | if (mEstablishedCache == null) | |
965 | { | |
966 | return -1; | |
967 | } | |
968 | try | |
969 | { | |
f2e7156d | 970 | Builder builder = createBuilder(mProfile.getName()); |
36aab70a TB |
971 | mEstablishedCache.applyData(builder); |
972 | fd = builder.establish(); | |
973 | } | |
974 | catch (Exception ex) | |
975 | { | |
976 | ex.printStackTrace(); | |
977 | return -1; | |
978 | } | |
979 | if (fd == null) | |
980 | { | |
981 | return -1; | |
982 | } | |
983 | return fd.detachFd(); | |
984 | } | |
fe1f1432 TB |
985 | |
986 | private class PacketDropper implements Runnable | |
987 | { | |
988 | private ParcelFileDescriptor mFd; | |
989 | private Thread mThread; | |
990 | ||
991 | public void start(ParcelFileDescriptor fd) | |
992 | { | |
993 | mFd = fd; | |
994 | mThread = new Thread(this); | |
995 | mThread.start(); | |
996 | } | |
997 | ||
998 | public void stop() | |
999 | { | |
1000 | if (mFd != null) | |
1001 | { | |
1002 | try | |
1003 | { | |
1004 | mThread.interrupt(); | |
1005 | mThread.join(); | |
1006 | mFd.close(); | |
1007 | } | |
1008 | catch (InterruptedException e) | |
1009 | { | |
1010 | e.printStackTrace(); | |
1011 | } | |
1012 | catch (IOException e) | |
1013 | { | |
1014 | e.printStackTrace(); | |
1015 | } | |
1016 | mFd = null; | |
1017 | } | |
1018 | } | |
1019 | ||
1020 | @Override | |
1021 | public synchronized void run() | |
1022 | { | |
1023 | try | |
1024 | { | |
1025 | FileInputStream plain = new FileInputStream(mFd.getFileDescriptor()); | |
1026 | ByteBuffer packet = ByteBuffer.allocate(mCache.mMtu); | |
1027 | while (true) | |
4e905b96 TB |
1028 | { |
1029 | if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) | |
1030 | { /* just read and ignore all data, regular read() is not interruptible */ | |
1031 | int len = plain.getChannel().read(packet); | |
1032 | packet.clear(); | |
1033 | if (len < 0) | |
1034 | { | |
1035 | break; | |
1036 | } | |
1037 | } | |
1038 | else | |
1039 | { /* this is rather ugly but on older platforms not even the NIO version of read() is interruptible */ | |
1040 | boolean wait = true; | |
1041 | if (plain.available() > 0) | |
1042 | { | |
1043 | int len = plain.read(packet.array()); | |
1044 | packet.clear(); | |
1045 | if (len < 0 || Thread.interrupted()) | |
1046 | { | |
1047 | break; | |
1048 | } | |
1049 | /* check again right away, there may be another packet */ | |
1050 | wait = false; | |
1051 | } | |
1052 | if (wait) | |
1053 | { | |
1054 | Thread.sleep(250); | |
1055 | } | |
fe1f1432 TB |
1056 | } |
1057 | } | |
1058 | } | |
4e905b96 | 1059 | catch (ClosedByInterruptException|InterruptedException e) |
fe1f1432 TB |
1060 | { |
1061 | /* regular interruption */ | |
1062 | } | |
4e905b96 | 1063 | catch (IOException e) |
fe1f1432 TB |
1064 | { |
1065 | e.printStackTrace(); | |
1066 | } | |
1067 | } | |
1068 | } | |
36aab70a TB |
1069 | } |
1070 | ||
1071 | /** | |
1072 | * Cache non DNS related information so we can recreate the builder without | |
1073 | * that information when reestablishing IKE_SAs | |
1074 | */ | |
1075 | public class BuilderCache | |
1076 | { | |
72b7c289 TB |
1077 | private final List<IPRange> mAddresses = new ArrayList<>(); |
1078 | private final List<IPRange> mRoutesIPv4 = new ArrayList<>(); | |
1079 | private final List<IPRange> mRoutesIPv6 = new ArrayList<>(); | |
4471a934 TB |
1080 | private final IPRangeSet mIncludedSubnetsv4 = new IPRangeSet(); |
1081 | private final IPRangeSet mIncludedSubnetsv6 = new IPRangeSet(); | |
72b7c289 | 1082 | private final IPRangeSet mExcludedSubnets; |
acc8948f | 1083 | private final int mSplitTunneling; |
f2e7156d | 1084 | private final SelectedAppsHandling mAppHandling; |
800f881a | 1085 | private final SortedSet<String> mSelectedApps; |
dd5de792 | 1086 | private final List<InetAddress> mDnsServers = new ArrayList<>(); |
36aab70a | 1087 | private int mMtu; |
dd5de792 | 1088 | private boolean mIPv4Seen, mIPv6Seen, mDnsServersConfigured; |
acc8948f | 1089 | |
f2e7156d | 1090 | public BuilderCache(VpnProfile profile) |
acc8948f | 1091 | { |
f2e7156d | 1092 | IPRangeSet included = IPRangeSet.fromString(profile.getIncludedSubnets()); |
4471a934 TB |
1093 | for (IPRange range : included) |
1094 | { | |
1095 | if (range.getFrom() instanceof Inet4Address) | |
1096 | { | |
1097 | mIncludedSubnetsv4.add(range); | |
1098 | } | |
1099 | else if (range.getFrom() instanceof Inet6Address) | |
1100 | { | |
1101 | mIncludedSubnetsv6.add(range); | |
1102 | } | |
1103 | } | |
f2e7156d TB |
1104 | mExcludedSubnets = IPRangeSet.fromString(profile.getExcludedSubnets()); |
1105 | Integer splitTunneling = profile.getSplitTunneling(); | |
acc8948f | 1106 | mSplitTunneling = splitTunneling != null ? splitTunneling : 0; |
99cc2d82 | 1107 | SelectedAppsHandling appHandling = profile.getSelectedAppsHandling(); |
800f881a | 1108 | mSelectedApps = profile.getSelectedAppsSet(); |
99cc2d82 TB |
1109 | /* exclude our own app, otherwise the fetcher is blocked */ |
1110 | switch (appHandling) | |
1111 | { | |
1112 | case SELECTED_APPS_DISABLE: | |
1113 | appHandling = SelectedAppsHandling.SELECTED_APPS_EXCLUDE; | |
1114 | mSelectedApps.clear(); | |
1115 | /* fall-through */ | |
1116 | case SELECTED_APPS_EXCLUDE: | |
1117 | mSelectedApps.add(getPackageName()); | |
1118 | break; | |
1119 | case SELECTED_APPS_ONLY: | |
1120 | mSelectedApps.remove(getPackageName()); | |
1121 | break; | |
1122 | } | |
1123 | mAppHandling = appHandling; | |
fe1f1432 | 1124 | |
dd5de792 TB |
1125 | if (profile.getDnsServers() != null) |
1126 | { | |
1127 | for (String server : profile.getDnsServers().split("\\s+")) | |
1128 | { | |
1129 | try | |
1130 | { | |
2ef473be | 1131 | mDnsServers.add(Utils.parseInetAddress(server)); |
dd5de792 TB |
1132 | recordAddressFamily(server); |
1133 | mDnsServersConfigured = true; | |
1134 | } | |
1135 | catch (UnknownHostException e) | |
1136 | { | |
1137 | e.printStackTrace(); | |
1138 | } | |
1139 | } | |
1140 | } | |
1141 | ||
fe1f1432 TB |
1142 | /* set a default MTU, will be set by the daemon for regular interfaces */ |
1143 | Integer mtu = profile.getMTU(); | |
1144 | mMtu = mtu == null ? Constants.MTU_MAX : mtu; | |
acc8948f | 1145 | } |
36aab70a TB |
1146 | |
1147 | public void addAddress(String address, int prefixLength) | |
1148 | { | |
72b7c289 TB |
1149 | try |
1150 | { | |
1151 | mAddresses.add(new IPRange(address, prefixLength)); | |
1152 | recordAddressFamily(address); | |
1153 | } | |
1154 | catch (UnknownHostException ex) | |
1155 | { | |
1156 | ex.printStackTrace(); | |
1157 | } | |
36aab70a TB |
1158 | } |
1159 | ||
dd5de792 TB |
1160 | public void addDnsServer(String address) |
1161 | { | |
1162 | /* ignore received DNS servers if any were configured */ | |
1163 | if (mDnsServersConfigured) | |
1164 | { | |
1165 | return; | |
1166 | } | |
1167 | ||
1168 | try | |
1169 | { | |
2ef473be | 1170 | mDnsServers.add(Utils.parseInetAddress(address)); |
dd5de792 TB |
1171 | recordAddressFamily(address); |
1172 | } | |
1173 | catch (UnknownHostException e) | |
1174 | { | |
1175 | e.printStackTrace(); | |
1176 | } | |
1177 | } | |
1178 | ||
36aab70a TB |
1179 | public void addRoute(String address, int prefixLength) |
1180 | { | |
acc8948f TB |
1181 | try |
1182 | { | |
1183 | if (isIPv6(address)) | |
1184 | { | |
72b7c289 | 1185 | mRoutesIPv6.add(new IPRange(address, prefixLength)); |
acc8948f TB |
1186 | } |
1187 | else | |
1188 | { | |
72b7c289 | 1189 | mRoutesIPv4.add(new IPRange(address, prefixLength)); |
acc8948f TB |
1190 | } |
1191 | } | |
1192 | catch (UnknownHostException ex) | |
1193 | { | |
1194 | ex.printStackTrace(); | |
1195 | } | |
36aab70a TB |
1196 | } |
1197 | ||
1198 | public void setMtu(int mtu) | |
1199 | { | |
1200 | mMtu = mtu; | |
1201 | } | |
1202 | ||
acc8948f TB |
1203 | public void recordAddressFamily(String address) |
1204 | { | |
1205 | try | |
1206 | { | |
1207 | if (isIPv6(address)) | |
1208 | { | |
1209 | mIPv6Seen = true; | |
1210 | } | |
1211 | else | |
1212 | { | |
1213 | mIPv4Seen = true; | |
1214 | } | |
1215 | } | |
1216 | catch (UnknownHostException ex) | |
1217 | { | |
1218 | ex.printStackTrace(); | |
1219 | } | |
1220 | } | |
1221 | ||
1222 | @TargetApi(Build.VERSION_CODES.LOLLIPOP) | |
36aab70a TB |
1223 | public void applyData(VpnService.Builder builder) |
1224 | { | |
72b7c289 | 1225 | for (IPRange address : mAddresses) |
36aab70a | 1226 | { |
72b7c289 | 1227 | builder.addAddress(address.getFrom(), address.getPrefix()); |
36aab70a | 1228 | } |
dd5de792 TB |
1229 | for (InetAddress server : mDnsServers) |
1230 | { | |
1231 | builder.addDnsServer(server); | |
1232 | } | |
acc8948f TB |
1233 | /* add routes depending on whether split tunneling is allowed or not, |
1234 | * that is, whether we have to handle and block non-VPN traffic */ | |
1235 | if ((mSplitTunneling & VpnProfile.SPLIT_TUNNELING_BLOCK_IPV4) == 0) | |
1236 | { | |
1237 | if (mIPv4Seen) | |
72b7c289 TB |
1238 | { /* split tunneling is used depending on the routes and configuration */ |
1239 | IPRangeSet ranges = new IPRangeSet(); | |
4471a934 TB |
1240 | if (mIncludedSubnetsv4.size() > 0) |
1241 | { | |
1242 | ranges.add(mIncludedSubnetsv4); | |
1243 | } | |
1244 | else | |
1245 | { | |
1246 | ranges.addAll(mRoutesIPv4); | |
1247 | } | |
72b7c289 TB |
1248 | ranges.remove(mExcludedSubnets); |
1249 | for (IPRange subnet : ranges.subnets()) | |
acc8948f | 1250 | { |
66b7a088 TB |
1251 | try |
1252 | { | |
1253 | builder.addRoute(subnet.getFrom(), subnet.getPrefix()); | |
1254 | } | |
1255 | catch (IllegalArgumentException e) | |
1256 | { /* some Android versions don't seem to like multicast addresses here, | |
1257 | * ignore it for now */ | |
1258 | if (!subnet.getFrom().isMulticastAddress()) | |
1259 | { | |
1260 | throw e; | |
1261 | } | |
1262 | } | |
acc8948f TB |
1263 | } |
1264 | } | |
1265 | else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) | |
1266 | { /* allow traffic that would otherwise be blocked to bypass the VPN */ | |
1267 | builder.allowFamily(OsConstants.AF_INET); | |
1268 | } | |
1269 | } | |
1270 | else if (mIPv4Seen) | |
1271 | { /* only needed if we've seen any addresses. otherwise, traffic | |
1272 | * is blocked by default (we also install no routes in that case) */ | |
1273 | builder.addRoute("0.0.0.0", 0); | |
1274 | } | |
1275 | /* same thing for IPv6 */ | |
1276 | if ((mSplitTunneling & VpnProfile.SPLIT_TUNNELING_BLOCK_IPV6) == 0) | |
1277 | { | |
1278 | if (mIPv6Seen) | |
1279 | { | |
72b7c289 | 1280 | IPRangeSet ranges = new IPRangeSet(); |
4471a934 TB |
1281 | if (mIncludedSubnetsv6.size() > 0) |
1282 | { | |
1283 | ranges.add(mIncludedSubnetsv6); | |
1284 | } | |
1285 | else | |
1286 | { | |
1287 | ranges.addAll(mRoutesIPv6); | |
1288 | } | |
72b7c289 TB |
1289 | ranges.remove(mExcludedSubnets); |
1290 | for (IPRange subnet : ranges.subnets()) | |
acc8948f | 1291 | { |
66b7a088 TB |
1292 | try |
1293 | { | |
1294 | builder.addRoute(subnet.getFrom(), subnet.getPrefix()); | |
1295 | } | |
1296 | catch (IllegalArgumentException e) | |
1297 | { | |
1298 | if (!subnet.getFrom().isMulticastAddress()) | |
1299 | { | |
1300 | throw e; | |
1301 | } | |
1302 | } | |
acc8948f TB |
1303 | } |
1304 | } | |
1305 | else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) | |
1306 | { | |
1307 | builder.allowFamily(OsConstants.AF_INET6); | |
1308 | } | |
1309 | } | |
1310 | else if (mIPv6Seen) | |
36aab70a | 1311 | { |
acc8948f | 1312 | builder.addRoute("::", 0); |
36aab70a | 1313 | } |
f2e7156d | 1314 | /* apply selected applications */ |
0b4f7d64 TB |
1315 | if (mSelectedApps.size() > 0 && |
1316 | Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) | |
f2e7156d TB |
1317 | { |
1318 | switch (mAppHandling) | |
1319 | { | |
1320 | case SELECTED_APPS_EXCLUDE: | |
1321 | for (String app : mSelectedApps) | |
1322 | { | |
1323 | try | |
1324 | { | |
1325 | builder.addDisallowedApplication(app); | |
1326 | } | |
1327 | catch (PackageManager.NameNotFoundException e) | |
1328 | { | |
1329 | // possible if not configured via GUI or app was uninstalled | |
1330 | } | |
1331 | } | |
1332 | break; | |
1333 | case SELECTED_APPS_ONLY: | |
1334 | for (String app : mSelectedApps) | |
1335 | { | |
1336 | try | |
1337 | { | |
1338 | builder.addAllowedApplication(app); | |
1339 | } | |
1340 | catch (PackageManager.NameNotFoundException e) | |
1341 | { | |
1342 | // possible if not configured via GUI or app was uninstalled | |
1343 | } | |
1344 | } | |
1345 | break; | |
1346 | default: | |
1347 | break; | |
1348 | } | |
1349 | } | |
36aab70a TB |
1350 | builder.setMtu(mMtu); |
1351 | } | |
1352 | ||
acc8948f TB |
1353 | private boolean isIPv6(String address) throws UnknownHostException |
1354 | { | |
2ef473be | 1355 | InetAddress addr = Utils.parseInetAddress(address); |
acc8948f TB |
1356 | if (addr instanceof Inet4Address) |
1357 | { | |
1358 | return false; | |
1359 | } | |
1360 | else if (addr instanceof Inet6Address) | |
1361 | { | |
1362 | return true; | |
1363 | } | |
1364 | return false; | |
1365 | } | |
5215d512 TB |
1366 | } |
1367 | ||
c5ba3817 TB |
1368 | /** |
1369 | * Function called via JNI to determine information about the Android version. | |
1370 | */ | |
1371 | private static String getAndroidVersion() | |
1372 | { | |
a63b0f99 TB |
1373 | String version = "Android " + Build.VERSION.RELEASE + " - " + Build.DISPLAY; |
1374 | if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) | |
1375 | { | |
1376 | version += "/" + Build.VERSION.SECURITY_PATCH; | |
1377 | } | |
1378 | return version; | |
c5ba3817 TB |
1379 | } |
1380 | ||
1381 | /** | |
1382 | * Function called via JNI to determine information about the device. | |
1383 | */ | |
1384 | private static String getDeviceString() | |
1385 | { | |
1386 | return Build.MODEL + " - " + Build.BRAND + "/" + Build.PRODUCT + "/" + Build.MANUFACTURER; | |
1387 | } | |
4a208143 | 1388 | } |