SC Lee [Mon, 9 Jul 2018 09:54:25 +0000 (17:54 +0800)]
charon-nm: Parse any type of private key in need_secrets
Previously, when the user supplied an ECDSA key for public key authentication,
the user was always asked to provide a password, even if the key was not
encrypted.
Related: 954f73ea6e7e ("charon-nm: Parse any type of private key not only RSA")
Closes strongswan/strongswan#108.
android: Move hint from TextInputEditText to TextInputLayout
This avoids a NullPointerException on Android 8 related to the optional
Autofill functionality. The bug has been fixed in Android 8.1 [1] but there
is no fix for Android 8.
This is hopefully a bit more efficient for large log files than the previous
single TextView. The ListView widget also provides an auto-scroll mechanism.
Tobias Brunner [Fri, 29 Jun 2018 14:42:18 +0000 (16:42 +0200)]
android: Simplify error handling in VPN state fragment
Always reset the error state when disconnecting via state service. This
way the error state is also cleared when the connection is terminated
directly via control activity.
Tobias Brunner [Fri, 22 Jun 2018 11:57:51 +0000 (13:57 +0200)]
android: Handle restarts of the control Activity better
For instance, rotating a device will restart it and this previously
could have started the wrong profile or shown the system's VPN
confirmation dialog twice.
Tobias Brunner [Fri, 22 Jun 2018 09:22:23 +0000 (11:22 +0200)]
android: Properly handle pressing home when VPN confirmation dialog is shown
As documented, onActivityResult() is called right before onResume() when
the activity is reactivated. However, if the system's VPN confirmation
dialog is shown and the home button is pressed, the activity is stopped
and not just paused, so its state is saved. And onActivityResult() is
actually also called before onStart(). This means that no fragment
transactions may be committed (i.e. no dialog may be shown) when the
activity is later restarted (e.g. because there is another attempt to
connect the VPN) until onStart() has been called. So if we'd try to show
the error dialog in onActivityResult() after returning to the launcher
it would result in an IllegalStateException.
However, showing the dialog for the previous confirmation dialog is not
ideal anyway, so we just ignore that result.
Tobias Brunner [Thu, 21 Jun 2018 09:17:22 +0000 (11:17 +0200)]
android: Make fetching OCSP/CRL interruptible
This allows cancelling connecting if e.g. the OCSP server is not
reachable. Previously this caused some delay in disconnecting state but
even worse it cause an ANR if the user tried reconnecting during that
time as the main thread would get struck in setNextProfile() (we could
probably find a better solution there too in the future).
Tobias Brunner [Tue, 19 Jun 2018 15:14:17 +0000 (17:14 +0200)]
android: Install a blocking TUN device until the VPN is established
It's reinstalled when reconnecting (or during error recovery) and
eventually uninstalled after disconnecting.
Only on Android 5+, otherwise we'd block our fetcher (and Android 4.4 is
stupid in regards to overlapping TUN devices anyway).
Note that Android 8's blocking feature blocks everything that passes by
the VPN, so this only works when tunneling everything (i.e. neither subnets,
nor apps can be excluded from the VPN if that feature is enabled).
Tobias Brunner [Tue, 19 Jun 2018 15:01:21 +0000 (17:01 +0200)]
android: Exclude our own app from the VPN
Otherwise, a blocking VPN interface would prevent our fetcher from working
as we currently rely on an interface that doesn't allow access to the
underlying socket/FD, which would be required to call VpnService.protect().
Tobias Brunner [Fri, 15 Jun 2018 10:34:15 +0000 (12:34 +0200)]
ike-sa-manager: Fix races when changing initiator SPI of an IKE_SA
Removing and readding the entry to a potentially different row/segment,
while driving out waiting and new threads, could prevent threads from
acquiring the SA even if they were waiting to check it out by unique
ID (which doesn't change), or if they were just trying to enumerate it.
With this change the row and segment doesn't change anymore and waiting
threads may acquire the SA. However, those looking for an IKE_SA by SPIs
might get one back that has a different SPI (but that's probably not
something that happens very often this early).
This was noticed because we check out SAs by unique ID in the Android
app to terminate them after failed retransmits if we are not reestablishing
the SA (otherwise we continue), and this sometimes failed.
Fixes: eaedcf8c0054 ("ike-sa-manager: Add method to change the initiator SPI of an IKE_SA")
Tobias Brunner [Fri, 15 Jun 2018 09:00:08 +0000 (11:00 +0200)]
android: Show a retry button in the error banner
The button to view the log is now below the status info. And since the
IMC results are just below that we don't need a special handling for
that anymore.
Tobias Brunner [Thu, 14 Jun 2018 13:20:57 +0000 (15:20 +0200)]
android: Show an error if client certificate is unavailable
This can happen on systems (e.g. Android 7.x) where Always-on VPNs are
triggered right after booting before the KeyChain is unlocked by the user.
Retrieving the certificate chain or private key then fails with
"KeyChainException: IllegalStateException: keystore is LOCKED" until the
user unlocks the screen once.
The built-in client actually also fails in this situation (e.g. with XAuth
RSA), it tries three times then stops and shows an error notification.
Tobias Brunner [Tue, 12 Jun 2018 15:46:08 +0000 (17:46 +0200)]
android: Initiate configured default profile when triggered as Always-on VPN
With Android 8.1 this isn't triggered after a reboot until the device
has been unlocked once (solving the issue with the key store) and traffic
may optionally be blocked by the user until the VPN is established.
There are still some issues (e.g. password prompts and fatal errors), and we
might need some workaround for older Android releases.
Tobias Brunner [Fri, 8 Jun 2018 12:22:52 +0000 (14:22 +0200)]
android: Add Quick Settings tile to toggle VPN state
Only if there is no currently active (or previously active) profile does
this currently operate on the configured (or stored most recently used)
profile. This way it's possible to use a different connection and
quickly disable and re-enable it again. When unlocked the profile name
is shown, when locked a generic text is used (this detection doesn't seem
to work 100% reliably). To disconnect, the user is forced to unlock the
device, connecting is possible without, if the credentials are available
and no fatal error occurs (it even works with the system credential store,
at least on Android 8.1).
Note that the tile is not available right after a reboot. It seems that
the system has to be unlocked once to activate third-party tiles (will
be interesting to see how this works together with Always-on VPN).
Tobias Brunner [Wed, 6 Jun 2018 16:55:45 +0000 (18:55 +0200)]
android: Add notification channel for API level 26+
Unfortunately, setLockscreenVisibility() doesn't seem to have any
effect. So the full notification is shown unless the user manually
configures the notification settings.
Tobias Brunner [Wed, 6 Jun 2018 14:57:31 +0000 (16:57 +0200)]
android: Set compile-/targetSdkVersion to 26
This allows us to add tiles to Quick Settings and enabling the Always-on
VPN feature in the VPN settings (both require API level 24, but 26 will
be required as targetSdkVersion later this year).
Tobias Brunner [Tue, 5 Jun 2018 13:42:09 +0000 (15:42 +0200)]
android: UUID is now mandatory
Unless there are profiles created with old versions of the app (< 1.8.0)
that were never updated since, all profiles should already have a UUID
assigned. If not, we do that now with a DB migration.
Tobias Brunner [Mon, 4 Jun 2018 14:46:25 +0000 (16:46 +0200)]
android: Show an error dialog if we can't get permission for VPNs
This is either because a third-party VPN app has the always-on feature
enabled, or because the user denied the permission in the system's confirmation
dialog.
If the always-on feature is enabled for a connection of the built-in VPN
client we get an IllegalStateException, for which we show an updated and
clearer error message.
Tobias Brunner [Fri, 22 Jun 2018 08:25:25 +0000 (10:25 +0200)]
atomics: Use type of destination in CAS implementation
The type of the value was incorrect (void**) if NULL was passed to cas_ptr()
as expected value, which caused a compiler warning with Clang because
__atomic_compare_exchange_n() expects the types of the first two arguments
to be the same.
Tobias Brunner [Mon, 4 Jun 2018 13:36:20 +0000 (15:36 +0200)]
android: Build native libraries for all non-deprecated ABIs
armeabi has been superseded by armeabi-v7a and the MIPS ABIs were removed
with the latest NDK (r17), after being marked deprecated for a while.
By not specifying APP_ABI we build for all non-deprecated ABIs.
Tobias Brunner [Thu, 28 Jun 2018 16:47:15 +0000 (18:47 +0200)]
Merge branch 'ike-proposal-switch'
This allows switching the originally selected IKE config (based on the
IPs and IKE version) to a different one if no matching proposal is found.
This way we don't rely that much on the order of configs anymore and it's
possible to configure separate configs for clients that require weak
algorithms.