From: Tobias Brunner Date: Thu, 14 Jun 2018 13:20:57 +0000 (+0200) Subject: android: Show an error if client certificate is unavailable X-Git-Tag: 5.7.0dr5~20^2~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab5dbbc4ab2e5239edd1860d0ff365f0b4d94e73;p=thirdparty%2Fstrongswan.git android: Show an error if client certificate is unavailable This can happen on systems (e.g. Android 7.x) where Always-on VPNs are triggered right after booting before the KeyChain is unlocked by the user. Retrieving the certificate chain or private key then fails with "KeyChainException: IllegalStateException: keystore is LOCKED" until the user unlocks the screen once. The built-in client actually also fails in this situation (e.g. with XAuth RSA), it tries three times then stops and shows an error notification. --- diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java index 458204c533..9b1bcff299 100644 --- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java +++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java @@ -128,7 +128,8 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe static final int STATE_PEER_AUTH_ERROR = 4; static final int STATE_LOOKUP_ERROR = 5; static final int STATE_UNREACHABLE_ERROR = 6; - static final int STATE_GENERIC_ERROR = 7; + static final int STATE_CERTIFICATE_UNAVAILABLE = 7; + static final int STATE_GENERIC_ERROR = 8; @Override public int onStartCommand(Intent intent, int flags, int startId) 
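Review bot: In the first CharonVpnService.java hunk, `STATE_CERTIFICATE_UNAVAILABLE = 7` is inserted ahead of `STATE_GENERIC_ERROR`, which moves to 8, and nothing visible documents that these numbers must track the implicit values of `android_vpn_state_t` in charonservice.h (whose hunk makes the matching mid-enum insertion). The two lists agree in this commit, but a later edit to only one side, or a native library built from a different revision than the Java code, would silently map a native status onto the wrong Java case. I would add a comment above the constants such as `/* values must match android_vpn_state_t in libandroidbridge/charonservice.h */`, with the reverse pointer on the enum. Appending new states after the last existing one would also avoid renumbering. The constant block starts outside the hunk, so an existing comment further up may already cover this.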
@@ -589,6 +590,9 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe case STATE_UNREACHABLE_ERROR: setErrorDisconnect(ErrorState.UNREACHABLE); break; + case STATE_CERTIFICATE_UNAVAILABLE: + setErrorDisconnect(ErrorState.CERTIFICATE_UNAVAILABLE); + break; case STATE_GENERIC_ERROR: setErrorDisconnect(ErrorState.GENERIC_ERROR); break; @@ -707,7 +711,6 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe * @return the private key * @throws InterruptedException * @throws KeyChainException - * @throws CertificateEncodingException */ private PrivateKey getUserKey() throws KeyChainException, InterruptedException { diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/VpnStateService.java b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/VpnStateService.java index 4f3073691a..f9eb82263a 100644 --- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/VpnStateService.java +++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/VpnStateService.java @@ -62,6 +62,7 @@ public class VpnStateService extends Service UNREACHABLE, GENERIC_ERROR, PASSWORD_MISSING, + CERTIFICATE_UNAVAILABLE, } /** @@ -194,6 +195,8 @@ public class VpnStateService extends Service return R.string.error_unreachable; case PASSWORD_MISSING: return R.string.error_password_missing; + case CERTIFICATE_UNAVAILABLE: + return R.string.error_certificate_unavailable; default: return R.string.error_generic; } diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c index b1a095bcdf..f4418bd882 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c 
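Review bot: The new `case STATE_CERTIFICATE_UNAVAILABLE` in the CharonVpnService.java status switch ends in `setErrorDisconnect(...)` like every other error, so as far as this hunk shows nothing retries the connection once the user has unlocked the KeyChain. In the Always-on case from the commit message, that would leave the device without a tunnel after boot until someone acts on the notification. Unless the system option to block connections without VPN is enabled, traffic is presumably sent outside the tunnel in the meantime. Consider treating this state as transient by retrying once the device is unlocked, or at least record the limitation on the case: `// keystore may still be locked after boot (Always-on); no automatic retry yet`. The switch and its enclosing method start and end outside the hunk.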
@@ -794,7 +794,7 @@ static job_requeue_t initiate(private_android_service_t *this) { peer_cfg->destroy(peer_cfg); charonservice->update_status(charonservice, - CHARONSERVICE_GENERIC_ERROR); + CHARONSERVICE_CERTIFICATE_UNAVAILABLE); return JOB_REQUEUE_NONE; } } diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h index fa2fb42b24..12353777be 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h @@ -59,6 +59,7 @@ enum android_vpn_state_t { CHARONSERVICE_PEER_AUTH_ERROR, CHARONSERVICE_LOOKUP_ERROR, CHARONSERVICE_UNREACHABLE_ERROR, + CHARONSERVICE_CERTIFICATE_UNAVAILABLE, CHARONSERVICE_GENERIC_ERROR, }; diff --git a/src/frontends/android/app/src/main/res/values-de/strings.xml b/src/frontends/android/app/src/main/res/values-de/strings.xml index 2dbe13fb2f..3f9ff83f82 100644 --- a/src/frontends/android/app/src/main/res/values-de/strings.xml +++ b/src/frontends/android/app/src/main/res/values-de/strings.xml @@ -188,6 +188,7 @@ Sicherheitsassessment ist fehlgeschlagen Unbekannter Fehler während des Verbindens Passwort nicht verfügbar + Benutzer-Zertifikat nicht verfügbar VPN verbunden Dieses VPN Profil ist momentan verbunden! Neu verbinden diff --git a/src/frontends/android/app/src/main/res/values-pl/strings.xml b/src/frontends/android/app/src/main/res/values-pl/strings.xml index f9a88b825d..fa34739c4a 100644 --- a/src/frontends/android/app/src/main/res/values-pl/strings.xml +++ b/src/frontends/android/app/src/main/res/values-pl/strings.xml @@ -188,6 +188,7 @@ Security assessment failed Nieznany błąd w czasie połączenia Password unavailable + Client certificate unavailable Połączenie z VPN Ten profil VPN jest obecnie połaczony! Połączyć ponownie 
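Review bot: In the android_service.c hunk, the failure branch of `initiate()` now always reports `CHARONSERVICE_CERTIFICATE_UNAVAILABLE`, but the guarding condition is outside the hunk, so it is not visible whether it fires only when the user certificate or key cannot be loaded. If other failures reach the same branch, the user is told the certificate is unavailable when the cause differs, which hampers troubleshooting an Always-on VPN that stays down. I would add a comment on the call stating which failures end up here, e.g. `/* reached when loading the user certificate or private key fails, e.g. keystore still locked after boot */`. It is also worth confirming that the underlying error is logged before `return JOB_REQUEUE_NONE;`. The body of `initiate()` starts and ends outside the hunk.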
diff --git a/src/frontends/android/app/src/main/res/values-ru/strings.xml b/src/frontends/android/app/src/main/res/values-ru/strings.xml index 8fec5a1d72..9d3bb8eb2f 100644 --- a/src/frontends/android/app/src/main/res/values-ru/strings.xml +++ b/src/frontends/android/app/src/main/res/values-ru/strings.xml @@ -185,6 +185,7 @@ Security assessment failed Неизвестная ошибка Password unavailable + Client certificate unavailable Соединение с VPN установлено Подключение к этому профилю VPN уже существует! Переподключить diff --git a/src/frontends/android/app/src/main/res/values-ua/strings.xml b/src/frontends/android/app/src/main/res/values-ua/strings.xml index d9525223b1..7d87b4b94e 100644 --- a/src/frontends/android/app/src/main/res/values-ua/strings.xml +++ b/src/frontends/android/app/src/main/res/values-ua/strings.xml @@ -186,6 +186,7 @@ Security assessment failed Невідома помилка під час підключення Password unavailable + Client certificate unavailable VPN підключено Цей VPN профіль зараз підключений! Перепідключитися diff --git a/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml b/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml index 00e6e8ba23..54487793e6 100644 --- a/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml +++ b/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml @@ -185,6 +185,7 @@ 可靠性评估失败 连接中遭遇未知失败 Password unavailable + Client certificate unavailable VPN已连接 此VPN配置目前已连接。 重连 diff --git a/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml b/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml index cb7b3438d1..d0e9065aa3 100644 --- a/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml +++ b/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml @@ -185,6 +185,7 @@ 穩定性評估失敗 連線中遇到不明錯誤 Password unavailable + Client certificate unavailable VPN已連線 這個VPN設定檔目前已經連線。 重新連線 
diff --git a/src/frontends/android/app/src/main/res/values/strings.xml b/src/frontends/android/app/src/main/res/values/strings.xml index a86a1b5111..475fcd91ea 100644 --- a/src/frontends/android/app/src/main/res/values/strings.xml +++ b/src/frontends/android/app/src/main/res/values/strings.xml @@ -188,6 +188,7 @@ Security assessment failed Unspecified failure while connecting Password unavailable + Client certificate unavailable VPN connected This VPN profile is currently connected! Reconnect