Configuring of ikev2

Merge remote-tracking branch 'origin/feature/ikev2_android' into feature/ikev2_android
Start logic
2026-06-22 02:01:08 +07:00 · 2023-07-07 14:19:03 +03:00 · 2023-04-24 15:42:18 +03:00 · 2023-04-24 15:41:24 +03:00 · 2023-04-24 13:19:23 +03:00 · 2023-04-24 13:18:09 +03:00
21 changed files with 2544 additions and 207 deletions
@@ -34,6 +34,9 @@
 [submodule "client/3rd/SortFilterProxyModel"]
 	path = client/3rd/SortFilterProxyModel
 	url = https://github.com/mitchcurtis/SortFilterProxyModel.git
 [submodule "client/3rd/strongswan/sources"]
 	path = client/3rd/strongswan/sources
 	url = https://github.com/kolobchanin/strongswan.git
 [submodule "client/3rd/mbedtls"]
 	path = client/3rd/mbedtls
 	url = https://github.com/Mbed-TLS/mbedtls.git
@@ -0,0 +1,20 @@
 include(ExternalProject)
 set(STRONGSWAN_SOURCES_ROOT ${CMAKE_CURRENT_LIST_DIR}/sources)
 ExternalProject_Add(
    strongswan
    UPDATE_DISCONNECTED true
    CONFIGURE_HANDLED_BY_BUILD true
    PREFIX ${STRONGSWAN_SOURCES_ROOT}
    SOURCE_DIR ${STRONGSWAN_SOURCES_ROOT}
    BINARY_DIR ${STRONGSWAN_SOURCES_ROOT}
    INSTALL_DIR ${STRONGSWAN_SOURCES_ROOT}
    STAMP_DIR ${STRONGSWAN_SOURCES_ROOT}/stamp
    LOG_DIR ${STRONGSWAN_SOURCES_ROOT}/log
    TMP_DIR ${STRONGSWAN_SOURCES_ROOT}/tmp
    CONFIGURE_COMMAND ./autogen.sh
    COMMAND ./configure --disable-kernel-netlink
    BUILD_COMMAND make #dist
    INSTALL_COMMAND ""
 )
@@ -273,6 +273,8 @@ if(ANDROID)
        ${CMAKE_CURRENT_LIST_DIR}/platforms/android/androidvpnactivity.cpp
        ${CMAKE_CURRENT_LIST_DIR}/protocols/android_vpnprotocol.cpp
    )
    file(COPY ${CMAKE_CURRENT_LIST_DIR}/3rd/strongswan DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/3rd)
 endif()
 if(IOS)
@@ -507,7 +509,6 @@ if(ANDROID)
            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/VPNService.kt
            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/VPNServiceBinder.kt
            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/AmneziaApp.kt
            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/PackageManagerHelper.java
            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/VPNActivity.kt
            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/VPNApplication.java
            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/VPNClientBinder.kt
@@ -11,6 +11,7 @@ buildscript {
       streamsupportVersion = '1.7.0'
       threetenabpVersion = '1.1.1'
       groupName = 'org.amnezia.vpn'
       relativePathToStrongswan = '../3rd/strongswan/sources/src/frontends/android/app/src/main/jni'
   }
    repositories {
@@ -105,7 +106,7 @@ android {
            resources.srcDirs = ['resources']
            renderscript.srcDirs = ['src']
            assets.srcDirs = ['assets']
-            jniLibs.srcDirs = ['libs']
+            jniLibs.srcDirs = ['libs', relativePathToStrongswan]
            androidTest.assets.srcDirs += files("${qtAndroidDir}/schemas".toString())
       }
    }
@@ -138,6 +139,7 @@ android {
        targetSdkVersion = 31
        versionCode 10 // Change to a higher number
        versionName "2.0.10" // Change to a higher number
        multiDexEnabled true
        javaCompileOptions.annotationProcessorOptions.arguments = [
            "room.schemaLocation": "${qtAndroidDir}/schemas".toString()
@@ -148,24 +150,55 @@ android {
       release {
           // That would enable treeshaking and remove java code that is just called from qt
           minifyEnabled false
           externalNativeBuild {
               cmake {
-                   arguments "-DANDROID_PACKAGE_NAME=${groupName}", "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
+                   arguments "-DANDROID_PACKAGE_NAME=${groupName}",
                                "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
               }
           }
       }
       debug {
           //applicationIdSuffix ".debug"
           //versionNameSuffix "-debug"
           minifyEnabled false
           externalNativeBuild {
               cmake {
-                   arguments "-DANDROID_PACKAGE_NAME=${groupName}", "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
+                   arguments "-DANDROID_PACKAGE_NAME=${groupName}",
                                "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
               }
           }
       }
    }
    task buildStrongSwanNative(type: Exec) {
        environment = System.getenv() + ['JNI_PACKAGE': 'org_amnezia_vpn', 'JNI_PACKAGE_STRING': 'org/amnezia/vpn']
        workingDir "${relativePathToStrongswan}"
        commandLine "${android.ndkDirectory}/ndk-build", '-j', Runtime.runtime.availableProcessors()
        doLast {
            copy {
                from "${workingDir} + /../libs"
                into 'libs'
            }
        }
    }
    task cleanStrongSwanNative(type: Exec) {
        workingDir "${relativePathToStrongswan}"
        commandLine "${android.ndkDirectory}/ndk-build", 'clean'
    }
    tasks.withType(JavaCompile) {
        compileTask -> compileTask.dependsOn buildStrongSwanNative
            options.compilerArgs << "-Xlint:unchecked" << "-Xlint:deprecation"
    }
    clean.dependsOn 'cleanStrongSwanNative'
 //   externalNativeBuild {
 //       cmake {
 //           path 'wireguard/CMakeLists.txt'
@@ -0,0 +1,761 @@
 package org.amnezia.vpn
 import android.annotation.TargetApi
 import android.content.pm.PackageManager
 import android.net.VpnService
 import android.net.VpnService.Builder
 import android.os.Build
 import android.os.ParcelFileDescriptor
 import android.system.OsConstants
 import java.lang.Runnable
 import org.amnezia.vpn.ikev2.VpnProfile
 import org.amnezia.vpn.ikev2.VpnProfile.SelectedAppsHandling
 import org.amnezia.vpn.ikev2.VpnType
 import org.amnezia.vpn.ikev2.VpnType.VpnTypeFeature
 import org.amnezia.vpn.ikev2.utils.IPRange
 import org.amnezia.vpn.ikev2.utils.IPRangeSet
 import org.amnezia.vpn.ikev2.utils.Utils
 import org.amnezia.vpn.ikev2.utils.Constants
 import org.amnezia.vpn.ikev2.utils.SettingsWriter
 import org.amnezia.vpn.ikev2.utils.SimpleFetcher
 const val PACKAGE_NAME = "org.amnezia.vpn"
 const val LOG_FILE = "charon.log"
 const val TAG = "amnezia_ikev2"
 class IKEv2Thread(
    val vpnServiceBuilder: android.net.VpnService.Builder,
    val filesDirAbsolutePath: String
 ): Runnable {
    private val mBuilderAdapter: BuilderAdapter = BuilderAdapter(vpnServiceBuilder)
    private var mCurrentProfile: VpnProfile? = null
    private var mNextProfile: VpnProfile? = null
    @kotlin.jvm.Volatile
    private var mCurrentCertificateAlias: String? = null
    @kotlin.jvm.Volatile
    private var mCurrentUserCertificateAlias: String? = null
    @kotlin.jvm.Volatile
    private var mProfileUpdated = false
    @kotlin.jvm.Volatile
    private var mTerminate = false
    @kotlin.jvm.Volatile
    private var mIsDisconnecting = false
    private val mLogFile: String
    private val mAppDir: String
    init {
        mLogFile = filesDirAbsolutePath + java.io.File.separator + LOG_FILE
        mAppDir = filesDirAbsolutePath
    }
    fun setNextProfile(profile: VpnProfile) {
        // TODO: take a look at "vpnprofileimportactivity" in starongswan repo 
        //       to understand how to pass the profile object before starting of ikev2 tunnel
        synchronized(this) {
            mNextProfile = profile
            mProfileUpdated = true
            notifyAll()
        }
    }
    override fun run() {
        while (true) {
            synchronized(this) {
                try {
                    while (!mProfileUpdated) {
                        Log.i(TAG, "charon contunue")
                        continue
                    }
                    mProfileUpdated = false
                    stopCurrentConnection()
                    if (mNextProfile == null) {
                        setState(State.DISABLED)
                        if (mTerminate) {
                            return@synchronized
                        }
                    } else {
                        mCurrentProfile = mNextProfile
                        mNextProfile = null
                        val currentProfile = mCurrentProfile
                        /* store this in a separate (volatile) variable to avoid
                         * a possible deadlock during deinitialization */
                        mCurrentCertificateAlias = currentProfile!!.certificateAlias
                        mCurrentUserCertificateAlias = currentProfile!!.userCertificateAlias
                        startConnection(currentProfile)
                        mIsDisconnecting = false
                        SimpleFetcher.enable()
                        addNotification()
                        mBuilderAdapter.setProfile(currentProfile)
                        val flags: Int = currentProfile!!.flags
                        if (initializeCharon(
                                mBuilderAdapter,
                                mLogFile,
                                mAppDir,
                                currentProfile.vpnType!!.has(VpnTypeFeature.BYOD),
                                flags and VpnProfile.FLAGS_IPv6_TRANSPORT !== 0
                            )
                        ) {
                            Log.i(TAG, "charon started")
                            if (currentProfile.vpnType!!.has(VpnTypeFeature.USER_PASS) &&
                                currentProfile.password == null
                            ) {    /* this can happen if Always-on VPN is enabled with an incomplete profile */
                                setError(ErrorState.PASSWORD_MISSING)
                                return@synchronized
                            }
                            val writer = SettingsWriter()
                            writer.setValue("global.language", java.util.Locale.getDefault().getLanguage())
                            writer.setValue("global.mtu", currentProfile.MTU)
                            writer.setValue("global.nat_keepalive", currentProfile.NATKeepAlive)
                            writer.setValue("global.rsa_pss", flags and VpnProfile.FLAGS_RSA_PSS !== 0)
                            writer.setValue("global.crl", flags and VpnProfile.FLAGS_DISABLE_CRL === 0)
                            writer.setValue("global.ocsp", flags and VpnProfile.FLAGS_DISABLE_OCSP === 0)
                            writer.setValue("connection.type", currentProfile.vpnType!!.identifier)
                            writer.setValue("connection.server", currentProfile.gateway)
                            writer.setValue("connection.port", currentProfile.port)
                            writer.setValue("connection.username", currentProfile.username)
                            writer.setValue("connection.password", currentProfile.password)
                            writer.setValue("connection.local_id", currentProfile.localId)
                            writer.setValue("connection.remote_id", currentProfile.remoteId)
                            writer.setValue("connection.certreq", flags and VpnProfile.FLAGS_SUPPRESS_CERT_REQS === 0)
                            writer.setValue("connection.strict_revocation", flags and VpnProfile.FLAGS_STRICT_REVOCATION !== 0)
                            writer.setValue("connection.ike_proposal", currentProfile.ikeProposal)
                            writer.setValue("connection.esp_proposal", currentProfile.espProposal)
                            initiate(writer.serialize())
                        } else {
                            Log.e(TAG, "failed to start charon")
                            setError(ErrorState.GENERIC_ERROR)
                            setState(State.DISABLED)
                            mCurrentProfile = null
                        }
                    }
                } catch (ex: java.lang.InterruptedException) {
                    stopCurrentConnection()
                    setState(State.DISABLED)
                }
            }
        }
    }
    /**
     * Notify the state service about a new connection attempt.
     * Called by the handler thread.
     *
     * @param profile currently active VPN profile
     */
    private fun startConnection(profile: VpnProfile) {
 //        synchronized(mServiceLock) {
 //            if (mService != null) {
 //                mService.startConnection(profile)
 //            }
 //        }
    }
    /**
     * Stop any existing connection by deinitializing charon.
     */
    private fun stopCurrentConnection() {
        synchronized(this) {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
                mNextProfile?.let {
                    mBuilderAdapter.setProfile(it)
                    mBuilderAdapter.establishBlocking()
                }
            }
            if (mCurrentProfile != null) {
                setState(State.DISCONNECTING)
                mIsDisconnecting = true
                SimpleFetcher.disable()
                deinitializeCharon()
                Log.i(TAG, "charon stopped")
                mCurrentProfile = null
                if (mNextProfile == null) {    /* only do this if we are not connecting to another profile */
                    removeNotification()
                    mBuilderAdapter.closeBlocking()
                }
            }
        }
    }
    /**
     * Update the current VPN state on the state service. Called by the handler
     * thread and any of charon's threads.
     *
     * @param state current state
     */
    private fun setState(state: State) {
 //        synchronized(mServiceLock) {
 //            if (mService != null) {
 //                mService.setState(state)
 //            }
 //        }
    }
    /**
     * Initialization of charon, provided by libandroidbridge.so
     *
     * @param builder BuilderAdapter for this connection
     * @param logfile absolute path to the logfile
     * @param appdir absolute path to the data directory of the app
     * @param byod enable BYOD features
     * @param ipv6 enable IPv6 transport
     * @return TRUE if initialization was successful
     */
    external fun initializeCharon(
        builder: BuilderAdapter?,
        logfile: String?,
        appdir: String?,
        byod: Boolean,
        ipv6: Boolean
    ): Boolean
    /**
     * Deinitialize charon, provided by libandroidbridge.so
     */
    external fun deinitializeCharon()
    /**
     * Initiate VPN, provided by libandroidbridge.so
     */
    external fun initiate(config: String?)
    /**
     * Adapter for VpnService.Builder which is used to access it safely via JNI.
     * There is a corresponding C object to access it from native code.
     */
    class BuilderAdapter(val builder: VpnService.Builder) {
        private lateinit var mProfile: VpnProfile
        private lateinit var mBuilder: VpnService.Builder
        private lateinit var mCache: BuilderCache
        private lateinit var mEstablishedCache: BuilderCache
        private val mDropper: PacketDropper = PacketDropper()
        init {
            mBuilder = builder
        }
        @kotlin.jvm.Synchronized
        fun setProfile(profile: VpnProfile) {
            mProfile = profile
            mBuilder = createBuilder(mProfile.name ?: "")
            mCache = BuilderCache(mProfile)
        }
        private fun createBuilder(name: String): VpnService.Builder {
 //            val builder: VpnService.Builder = Builder()
            mBuilder.setSession(name)
            /* even though the option displayed in the system dialog says "Configure"
 			 * we just use our main Activity */
 //            val context: Context = getApplicationContext()
 //            val intent = Intent(context, MainActivity::class.java)
 //            var flags: Int = PendingIntent.FLAG_UPDATE_CURRENT
 //            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
 //                flags = flags or PendingIntent.FLAG_IMMUTABLE
 //            }
 //            val pending: PendingIntent = PendingIntent.getActivity(context, 0, intent, flags)
 //            builder.setConfigureIntent(pending)
            /* mark all VPN connections as unmetered (default changed for Android 10) */
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
                mBuilder.setMetered(false)
            }
            return mBuilder
        }
        @kotlin.jvm.Synchronized
        fun addAddress(address: String?, prefixLength: Int): Boolean {
            try {
                mCache.addAddress(address, prefixLength)
            } catch (ex: java.lang.IllegalArgumentException) {
                return false
            }
            return true
        }
        @kotlin.jvm.Synchronized
        fun addDnsServer(address: String?): Boolean {
            try {
                mCache.addDnsServer(address)
            } catch (ex: java.lang.IllegalArgumentException) {
                return false
            }
            return true
        }
        @kotlin.jvm.Synchronized
        fun addRoute(address: String?, prefixLength: Int): Boolean {
            try {
                mCache.addRoute(address, prefixLength)
            } catch (ex: java.lang.IllegalArgumentException) {
                return false
            }
            return true
        }
        @kotlin.jvm.Synchronized
        fun addSearchDomain(domain: String): Boolean {
            try {
                mBuilder.addSearchDomain(domain)
            } catch (ex: java.lang.IllegalArgumentException) {
                return false
            }
            return true
        }
        @kotlin.jvm.Synchronized
        fun setMtu(mtu: Int): Boolean {
            try {
                mCache.setMtu(mtu)
            } catch (ex: java.lang.IllegalArgumentException) {
                return false
            }
            return true
        }
        @kotlin.jvm.Synchronized
        private fun establishIntern(): ParcelFileDescriptor? {
            val fd: ParcelFileDescriptor?
            try {
                mCache.applyData(mBuilder)
                fd = mBuilder.establish()
                if (fd != null) {
                    closeBlocking()
                }
            } catch (ex: java.lang.Exception) {
                ex.printStackTrace()
                return null
            }
            if (fd == null) {
                return null
            }
            /* now that the TUN device is created we don't need the current
 			 * builder anymore, but we might need another when reestablishing */
            mBuilder = createBuilder(mProfile.name ?: "")
            mEstablishedCache = mCache
            mCache = BuilderCache(mProfile)
            return fd
        }
        @kotlin.jvm.Synchronized
        fun establish(): Int {
            val fd: ParcelFileDescriptor? = establishIntern()
            return if (fd != null) fd.detachFd() else -1
        }
        @TargetApi(Build.VERSION_CODES.LOLLIPOP)
        @kotlin.jvm.Synchronized
        fun establishBlocking() {
            /* just choose some arbitrary values to block all traffic (except for what's configured in the profile) */
            mCache.addAddress("172.16.252.1", 32)
            mCache.addAddress("fd00::fd02:1", 128)
            mCache.addRoute("0.0.0.0", 0)
            mCache.addRoute("::", 0)
            /* set DNS servers to avoid DNS leak later */
            mBuilder.addDnsServer("8.8.8.8")
            mBuilder.addDnsServer("2001:4860:4860::8888")
            /* use blocking mode to simplify packet dropping */
            mBuilder.setBlocking(true)
            val fd: ParcelFileDescriptor? = establishIntern()
            if (fd != null) {
                mDropper.start(fd)
            }
        }
        @kotlin.jvm.Synchronized
        fun closeBlocking() {
            mDropper.stop()
        }
        @kotlin.jvm.Synchronized
        fun establishNoDns(): Int {
            val fd: ParcelFileDescriptor?
            if (mEstablishedCache == null) {
                return -1
            }
            fd = try {
                val builder: VpnService.Builder = createBuilder(mProfile.name ?: "")
                mEstablishedCache.applyData(builder)
                builder.establish()
            } catch (ex: java.lang.Exception) {
                ex.printStackTrace()
                return -1
            }
            return if (fd == null) {
                -1
            } else fd.detachFd()
        }
        private inner class PacketDropper : java.lang.Runnable {
            private var mFd: ParcelFileDescriptor? = null
            private lateinit var mThread: java.lang.Thread
            fun start(fd: ParcelFileDescriptor) {
                mFd = fd
                mThread = java.lang.Thread(this)
                mThread.start()
            }
            fun stop() {
                if (mFd != null) {
                    try {
                        mThread.interrupt()
                        mThread.join()
                        mFd?.close()
                    } catch (e: java.lang.InterruptedException) {
                        e.printStackTrace()
                    } catch (e: java.io.IOException) {
                        e.printStackTrace()
                    }
                    mFd = null
                }
            }
            @kotlin.jvm.Synchronized
            override fun run() {
                try {
                    val plain: java.io.FileInputStream = java.io.FileInputStream(mFd?.getFileDescriptor())
                    val packet: java.nio.ByteBuffer = java.nio.ByteBuffer.allocate(mCache.mMtu)
                    while (true) {
                        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {    /* just read and ignore all data, regular read() is not interruptible */
                            val len: Int = plain.getChannel().read(packet)
                            packet.clear()
                            if (len < 0) {
                                break
                            }
                        } else {    /* this is rather ugly but on older platforms not even the NIO version of read() is interruptible */
                            var wait = true
                            if (plain.available() > 0) {
                                val len: Int = plain.read(packet.array())
                                packet.clear()
                                if (len < 0 || java.lang.Thread.interrupted()) {
                                    break
                                }
                                /* check again right away, there may be another packet */wait = false
                            }
                            if (wait) {
                                java.lang.Thread.sleep(250)
                            }
                        }
                    }
                } catch (e: java.nio.channels.ClosedByInterruptException) {
                    /* regular interruption */
                } catch (e: java.lang.InterruptedException) {
                } catch (e: java.io.IOException) {
                    e.printStackTrace()
                }
            }
        }
    }
    /**
     * Cache non DNS related information so we can recreate the builder without
     * that information when reestablishing IKE_SAs
     */
    class BuilderCache(profile: VpnProfile) {
        val mAddresses: MutableList<IPRange> = java.util.ArrayList<IPRange>()
        val mRoutesIPv4: MutableList<IPRange> = java.util.ArrayList<IPRange>()
        val mRoutesIPv6: MutableList<IPRange> = java.util.ArrayList<IPRange>()
        val mIncludedSubnetsv4: IPRangeSet = IPRangeSet()
        val mIncludedSubnetsv6: IPRangeSet = IPRangeSet()
        val mExcludedSubnets: IPRangeSet
        val mSplitTunneling: Int
        val mAppHandling: SelectedAppsHandling
        val mSelectedApps: java.util.SortedSet<String>
        val mDnsServers: MutableList<java.net.InetAddress> = java.util.ArrayList<java.net.InetAddress>()
        var mMtu: Int
        var mIPv4Seen = false
        var mIPv6Seen = false
        var mDnsServersConfigured = false
        init {
            val included: IPRangeSet = IPRangeSet.fromString(profile?.includedSubnets)
            for (range in included) {
                if (range.getFrom() is java.net.Inet4Address) {
                    mIncludedSubnetsv4.add(range)
                } else if (range.getFrom() is java.net.Inet6Address) {
                    mIncludedSubnetsv6.add(range)
                }
            }
            mExcludedSubnets = IPRangeSet.fromString(profile.excludedSubnets ?: "")
            val splitTunneling: Int? = profile.splitTunneling
            mSplitTunneling = splitTunneling ?: 0
            var appHandling: SelectedAppsHandling = profile.selectedAppsHandling
            mSelectedApps = profile.selectedAppsSet
            when (appHandling) {
                SelectedAppsHandling.SELECTED_APPS_DISABLE -> {
                    appHandling = SelectedAppsHandling.SELECTED_APPS_EXCLUDE
                    mSelectedApps.clear()
                    mSelectedApps.add(PACKAGE_NAME)
                }
                SelectedAppsHandling.SELECTED_APPS_EXCLUDE -> {
                    mSelectedApps.add(PACKAGE_NAME)
                }
                SelectedAppsHandling.SELECTED_APPS_ONLY -> {
                    mSelectedApps.remove(PACKAGE_NAME)
                }
            }
            mAppHandling = appHandling
            val dnsServers = profile.dnsServers
            if (dnsServers != null) {
                for (server in dnsServers.split("\\s+")) {
                    try {
                        mDnsServers.add(Utils.parseInetAddress(server))
                        recordAddressFamily(server)
                        mDnsServersConfigured = true
                    } catch (e: java.net.UnknownHostException) {
                        e.printStackTrace()
                    }
                }
            }
            /* set a default MTU, will be set by the daemon for regular interfaces */
            val mtu: Int? = profile.MTU
            mMtu = mtu ?: Constants.MTU_MAX
        }
        fun addAddress(address: String?, prefixLength: Int) {
            try {
                mAddresses.add(IPRange(address, prefixLength))
                recordAddressFamily(address)
            } catch (ex: java.net.UnknownHostException) {
                ex.printStackTrace()
            }
        }
        fun addDnsServer(address: String?) {
            /* ignore received DNS servers if any were configured */
            if (mDnsServersConfigured) {
                return
            }
            try {
                mDnsServers.add(Utils.parseInetAddress(address))
                recordAddressFamily(address)
            } catch (e: java.net.UnknownHostException) {
                e.printStackTrace()
            }
        }
        fun addRoute(address: String?, prefixLength: Int) {
            try {
                if (isIPv6(address)) {
                    mRoutesIPv6.add(IPRange(address, prefixLength))
                } else {
                    mRoutesIPv4.add(IPRange(address, prefixLength))
                }
            } catch (ex: java.net.UnknownHostException) {
                ex.printStackTrace()
            }
        }
        fun setMtu(mtu: Int) {
            mMtu = mtu
        }
        fun recordAddressFamily(address: String?) {
            try {
                if (isIPv6(address)) {
                    mIPv6Seen = true
                } else {
                    mIPv4Seen = true
                }
            } catch (ex: java.net.UnknownHostException) {
                ex.printStackTrace()
            }
        }
        @TargetApi(Build.VERSION_CODES.LOLLIPOP)
        fun applyData(builder: VpnService.Builder) {
            for (address in mAddresses) {
                builder.addAddress(address.getFrom(), address.getPrefix())
            }
            for (server in mDnsServers) {
                builder.addDnsServer(server)
            }
            /* add routes depending on whether split tunneling is allowed or not,
 			 * that is, whether we have to handle and block non-VPN traffic */
            if (mSplitTunneling and VpnProfile.SPLIT_TUNNELING_BLOCK_IPV4 === 0) {
                if (mIPv4Seen) {    /* split tunneling is used depending on the routes and configuration */
                    val ranges = IPRangeSet()
                    if (mIncludedSubnetsv4.size() > 0) {
                        ranges.add(mIncludedSubnetsv4)
                    } else {
                        ranges.addAll(mRoutesIPv4)
                    }
                    ranges.remove(mExcludedSubnets)
                    for (subnet in ranges.subnets()) {
                        try {
                            builder.addRoute(subnet.getFrom(), subnet.getPrefix())
                        } catch (e: java.lang.IllegalArgumentException) {    /* some Android versions don't seem to like multicast addresses here,
 							 * ignore it for now */
                            if (!subnet.getFrom().isMulticastAddress()) {
                                throw e
                            }
                        }
                    }
                } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {    /* allow traffic that would otherwise be blocked to bypass the VPN */
                    builder.allowFamily(OsConstants.AF_INET)
                }
            } else if (mIPv4Seen) {    /* only needed if we've seen any addresses.  otherwise, traffic
 				 * is blocked by default (we also install no routes in that case) */
                builder.addRoute("0.0.0.0", 0)
            }
            /* same thing for IPv6 */
            if (mSplitTunneling and VpnProfile.SPLIT_TUNNELING_BLOCK_IPV6 === 0) {
                if (mIPv6Seen) {
                    val ranges = IPRangeSet()
                    if (mIncludedSubnetsv6.size() > 0) {
                        ranges.add(mIncludedSubnetsv6)
                    } else {
                        ranges.addAll(mRoutesIPv6)
                    }
                    ranges.remove(mExcludedSubnets)
                    for (subnet in ranges.subnets()) {
                        try {
                            builder.addRoute(subnet.getFrom(), subnet.getPrefix())
                        } catch (e: java.lang.IllegalArgumentException) {
                            if (!subnet.getFrom().isMulticastAddress()) {
                                throw e
                            }
                        }
                    }
                } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
                    builder.allowFamily(OsConstants.AF_INET6)
                }
            } else if (mIPv6Seen) {
                builder.addRoute("::", 0)
            }
            /* apply selected applications */
            if (mSelectedApps.size > 0 &&
                Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP
            ) {
                when (mAppHandling) {
                    SelectedAppsHandling.SELECTED_APPS_EXCLUDE -> for (app in mSelectedApps) {
                        try {
                            builder.addDisallowedApplication(app)
                        } catch (e: PackageManager.NameNotFoundException) {
                            // possible if not configured via GUI or app was uninstalled
                        }
                    }
                    SelectedAppsHandling.SELECTED_APPS_ONLY -> for (app in mSelectedApps) {
                        try {
                            builder.addAllowedApplication(app)
                        } catch (e: PackageManager.NameNotFoundException) {
                            // possible if not configured via GUI or app was uninstalled
                        }
                    }
                    else -> {}
                }
            }
            builder.setMtu(mMtu)
        }
        @kotlin.Throws(java.net.UnknownHostException::class)
        private fun isIPv6(address: String?): Boolean {
            val addr: java.net.InetAddress = Utils.parseInetAddress(address)
            if (addr is java.net.Inet4Address) {
                return false
            } else if (addr is java.net.Inet6Address) {
                return true
            }
            return false
        }
    }
    /**
     * Function called via JNI to determine information about the Android version.
     */
    private fun getAndroidVersion(): String? {
        var version = "Android " + Build.VERSION.RELEASE + " - " + Build.DISPLAY
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            version += "/" + Build.VERSION.SECURITY_PATCH
        }
        return version
    }
    /**
     * Function called via JNI to determine information about the device.
     */
    private fun getDeviceString(): String? {
        return ((Build.MODEL + " - " + Build.BRAND).toString() + "/" + Build.PRODUCT).toString() + "/" + Build.MANUFACTURER
    }
    /**
     * Add a permanent notification while we are connected to avoid the service getting killed by
     * the system when low on memory.
     */
    private fun addNotification() {
 //        mHandler.post(object : java.lang.Runnable {
 //            fun run() {
 //                mShowNotification = true
 //                startForeground(
 //                    org.strongswan.android.logic.CharonVpnService.VPN_STATE_NOTIFICATION_ID,
 //                    buildNotification(false)
 //                )
 //            }
 //        })
    }
    /**
     * Remove the permanent notification.
     */
    private fun removeNotification() {
 //        mHandler.post(object : java.lang.Runnable {
 //            fun run() {
 //                mShowNotification = false
 //                stopForeground(true)
 //            }
 //        })
    }
    /**
     * Set an error on the state service. Called by the handler thread and any
     * of charon's threads.
     *
     * @param error error state
     */
    private fun setError(error: ErrorState) {
 //        synchronized(mServiceLock) {
 //            if (mService != null) {
 //                mService.setError(error)
 //            }
 //        }
    }
    enum class State {
        DISABLED, CONNECTING, CONNECTED, DISCONNECTING
    }
    enum class ErrorState {
        NO_ERROR, AUTH_FAILED, PEER_AUTH_FAILED, LOOKUP_FAILED, UNREACHABLE, GENERIC_ERROR, PASSWORD_MISSING, CERTIFICATE_UNAVAILABLE
    }
 }
@@ -150,6 +150,8 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
    private var mOpenVPNThreadv3: OpenVPNThreadv3? = null
    var currentTunnelHandle = -1
    private var ikev2VpnThread: IKEv2Thread? = null
    private var intent: Intent? = null
    private var flags = 0
    private var startId = 0
@@ -165,6 +167,7 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
        Log.e(tag, "Wireguard Version ${wgVersion()}")
        mOpenVPNThreadv3 = OpenVPNThreadv3(this)
        mAlreadyInitialised = true
        ikev2VpnThread = IKEv2Thread(mbuilder, getFilesDir().getAbsolutePath())
    }
    override fun onCreate() {
@@ -384,8 +387,11 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
                startShadowsocks()
                startTest()
            }
            "ikev2" -> {
                startIPSEC()
            }
            else -> {
-                Log.e(tag, "No protocol")
+                Log.e(tag, "Unknown protocol ($mProtocol)")
                return 0
            }
        }
@@ -393,6 +399,18 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
        return 1
    }
    private fun startIPSEC() {
        Log.v(tag, "start ipsec")
        ikev2VpnThread = IKEv2Thread(mbuilder, getFilesDir().getAbsolutePath())
        // TODO: pass the "vpnprofile" instance as a parameter
        // ikev2VpnThread.setNextProfile() 
        Thread({
            ikev2VpnThread?.run()
        }).start()
    }
    fun establish(): ParcelFileDescriptor? {
        Log.v(tag, "Aman: establish....................")
        mbuilder.allowFamily(OsConstants.AF_INET)
@@ -0,0 +1,111 @@
 package org.amnezia.vpn.ikev2
 import android.text.TextUtils
 class VpnProfile : kotlin.Cloneable {
    var name: String? = null
    var gateway: String? = null
    var username: String? = null
    var password: String? = null
    var certificateAlias: String? = null
    var userCertificateAlias: String? = null
    var remoteId: String? = null
    var localId: String? = null
    var excludedSubnets: String? = null
    var includedSubnets: String? = null
    var selectedApps: String? = null
    var ikeProposal: String? = null
    var espProposal: String? = null
    var dnsServers: String? = null
    var MTU: Int? = null
    var port: Int? = null
    var splitTunneling: Int? = null
    var NATKeepAlive: Int? = null
    private var mFlags: Int? = null
    var selectedAppsHandling = SelectedAppsHandling.SELECTED_APPS_DISABLE
    private var mVpnType: VpnType? = null
    private var mUUID: java.util.UUID?
    var id: Long = -1
    enum class SelectedAppsHandling(val value: Int) {
        SELECTED_APPS_DISABLE(0), SELECTED_APPS_EXCLUDE(1), SELECTED_APPS_ONLY(2);
    }
    init {
        mUUID = java.util.UUID.randomUUID()
    }
    var uUID: java.util.UUID?
        get() = mUUID
        set(uuid) {
            mUUID = uuid
        }
    var vpnType: VpnType?
        get() = mVpnType
        set(type) {
            mVpnType = type
        }
    fun setSelectedApps(selectedApps: java.util.SortedSet<String?>) {
        this.selectedApps = if (selectedApps.size > 0) TextUtils.join(" ", selectedApps) else null
    }
    val selectedAppsSet: java.util.SortedSet<String>
        get() {
            val set: java.util.TreeSet<String> = java.util.TreeSet<String>()
            if (!TextUtils.isEmpty(selectedApps)) {
                set.addAll(
                    java.util.Arrays.asList<String>(
                        *selectedApps!!.split("\\s+".toRegex()).dropLastWhile { it.isEmpty() }
                            .toTypedArray()))
            }
            return set
        }
    fun setSelectedAppsHandling(value: Int) {
        selectedAppsHandling = SelectedAppsHandling.SELECTED_APPS_DISABLE
        for (handling in VpnProfile.SelectedAppsHandling.values()) {
            if (handling.value == value) {
                selectedAppsHandling = handling
                break
            }
        }
    }
    var flags: Int = 0
    override fun toString(): String {
        return name!!
    }
    override fun equals(o: Any?): Boolean {
        if (o != null && o is VpnProfile) {
            val other = o
            return if (mUUID != null && other.uUID != null) {
                mUUID == other.uUID
            } else id == other.id
        }
        return false
    }
    override fun clone(): VpnProfile {
        return try {
            super.clone() as VpnProfile
        } catch (e: java.lang.CloneNotSupportedException) {
            throw java.lang.AssertionError()
        }
    }
    companion object {
        /* While storing this as EnumSet would be nicer this simplifies storing it in a database */
        const val SPLIT_TUNNELING_BLOCK_IPV4 = 1
        const val SPLIT_TUNNELING_BLOCK_IPV6 = 2
        const val FLAGS_SUPPRESS_CERT_REQS = 1 shl 0
        const val FLAGS_DISABLE_CRL = 1 shl 1
        const val FLAGS_DISABLE_OCSP = 1 shl 2
        const val FLAGS_STRICT_REVOCATION = 1 shl 3
        const val FLAGS_RSA_PSS = 1 shl 4
        const val FLAGS_IPv6_TRANSPORT = 1 shl 5
    }
 }
@@ -0,0 +1,79 @@
 package org.amnezia.vpn.ikev2
 enum class VpnType(
    /**
     * The identifier used to store this value in the database
     * @return identifier
     */
    val identifier: String, features: java.util.EnumSet<VpnTypeFeature>
 ) {
    /* the order here must match the items in R.array.vpn_types */
    IKEV2_EAP("ikev2-eap", java.util.EnumSet.of(VpnTypeFeature.USER_PASS)), IKEV2_CERT(
        "ikev2-cert", java.util.EnumSet.of(
            VpnTypeFeature.CERTIFICATE
        )
    ),
    IKEV2_CERT_EAP(
        "ikev2-cert-eap",
        java.util.EnumSet.of(VpnTypeFeature.USER_PASS, VpnTypeFeature.CERTIFICATE)
    ),
    IKEV2_EAP_TLS(
        "ikev2-eap-tls", java.util.EnumSet.of(
            VpnTypeFeature.CERTIFICATE
        )
    ),
    IKEV2_BYOD_EAP("ikev2-byod-eap", java.util.EnumSet.of(VpnTypeFeature.USER_PASS, VpnTypeFeature.BYOD));
    /**
     * Features of a VPN type.
     */
    enum class VpnTypeFeature {
        /** client certificate is required  */
        CERTIFICATE,
        /** username and password are required  */
        USER_PASS,
        /** enable BYOD features  */
        BYOD
    }
    private val mFeatures: java.util.EnumSet<VpnTypeFeature>
    /**
     * Enum which provides additional information about the supported VPN types.
     *
     * @param id identifier used to store and transmit this specific type
     * @param features of the given VPN type
     * @param certificate true if a client certificate is required
     */
    init {
        mFeatures = features
    }
    /**
     * Checks whether a feature is supported/required by this type of VPN.
     *
     * @return true if the feature is supported/required
     */
    fun has(feature: VpnTypeFeature?): Boolean {
        return mFeatures.contains(feature)
    }
    companion object {
        /**
         * Get the enum entry with the given identifier.
         *
         * @param identifier get the enum entry with this identifier
         * @return the enum entry, or the default if not found
         */
        fun fromIdentifier(identifier: String): VpnType {
            for (type in VpnType.values()) {
                if (identifier == type.identifier) {
                    return type
                }
            }
            return IKEV2_EAP
        }
    }
 }
@@ -0,0 +1,272 @@
 /*
 * Copyright (C) 2013 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
 package org.amnezia.vpn.ikev2.utils;
 import java.nio.ByteBuffer;
 /**
 * Very similar to ByteBuffer (although with a stripped interface) but it
 * automatically resizes the underlying buffer.
 */
 public class BufferedByteWriter
 {
 	/**
 	 * The underlying byte buffer
 	 */
 	private byte[] mBuffer;
 	/**
 	 * ByteBuffer used as wrapper around the buffer to easily convert values
 	 */
 	private ByteBuffer mWriter;
 	/**
 	 * Create a writer with a default initial capacity
 	 */
 	public BufferedByteWriter()
 	{
 		this(0);
 	}
 	/**
 	 * Create a writer with the given initial capacity (helps avoid expensive
 	 * resizing if known).
 	 * @param capacity initial capacity
 	 */
 	public BufferedByteWriter(int capacity)
 	{
 		capacity = capacity > 4 ? capacity : 32;
 		mBuffer = new byte[capacity];
 		mWriter = ByteBuffer.wrap(mBuffer);
 	}
 	/**
 	 * Ensure that there is enough space available to write the requested
 	 * number of bytes. If necessary the internal buffer is resized.
 	 * @param required required number of bytes
 	 */
 	private void ensureCapacity(int required)
 	{
 		if (mWriter.remaining() >= required)
 		{
 			return;
 		}
 		byte[] buffer = new byte[(mBuffer.length + required) * 2];
 		System.arraycopy(mBuffer, 0, buffer, 0, mWriter.position());
 		mBuffer = buffer;
 		ByteBuffer writer = ByteBuffer.wrap(buffer);
 		writer.position(mWriter.position());
 		mWriter = writer;
 	}
 	/**
 	 * Write the given byte array to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put(byte[] value)
 	{
 		ensureCapacity(value.length);
 		mWriter.put(value);
 		return this;
 	}
 	/**
 	 * Write the given byte to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put(byte value)
 	{
 		ensureCapacity(1);
 		mWriter.put(value);
 		return this;
 	}
 	/**
 	 * Write the 8-bit length of the given data followed by the data itself
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter putLen8(byte[] value)
 	{
 		ensureCapacity(1 + value.length);
 		mWriter.put((byte)value.length);
 		mWriter.put(value);
 		return this;
 	}
 	/**
 	 * Write the 16-bit length of the given data followed by the data itself
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter putLen16(byte[] value)
 	{
 		ensureCapacity(2 + value.length);
 		mWriter.putShort((short)value.length);
 		mWriter.put(value);
 		return this;
 	}
 	/**
 	 * Write the given short value (16-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put16(byte value)
 	{
 		return this.put16((short)(value & 0xFF));
 	}
 	/**
 	 * Write the given short value (16-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put16(short value)
 	{
 		ensureCapacity(2);
 		mWriter.putShort(value);
 		return this;
 	}
 	/**
 	 * Write 24-bit of the given value in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put24(byte value)
 	{
 		ensureCapacity(3);
 		mWriter.putShort((short)0);
 		mWriter.put(value);
 		return this;
 	}
 	/**
 	 * Write 24-bit of the given value in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put24(short value)
 	{
 		ensureCapacity(3);
 		mWriter.put((byte)0);
 		mWriter.putShort(value);
 		return this;
 	}
 	/**
 	 * Write 24-bit of the given value in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put24(int value)
 	{
 		ensureCapacity(3);
 		mWriter.put((byte)(value >> 16));
 		mWriter.putShort((short)value);
 		return this;
 	}
 	/**
 	 * Write the given int value (32-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put32(byte value)
 	{
 		return put32(value & 0xFF);
 	}
 	/**
 	 * Write the given int value (32-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put32(short value)
 	{
 		return put32(value & 0xFFFF);
 	}
 	/**
 	 * Write the given int value (32-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put32(int value)
 	{
 		ensureCapacity(4);
 		mWriter.putInt(value);
 		return this;
 	}
 	/**
 	 * Write the given long value (64-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put64(byte value)
 	{
 		return put64(value & 0xFFL);
 	}
 	/**
 	 * Write the given long value (64-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put64(short value)
 	{
 		return put64(value & 0xFFFFL);
 	}
 	/**
 	 * Write the given long value (64-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put64(int value)
 	{
 		return put64(value & 0xFFFFFFFFL);
 	}
 	/**
 	 * Write the given long value (64-bit) in big-endian order to the buffer
 	 * @param value
 	 * @return the writer
 	 */
 	public BufferedByteWriter put64(long value)
 	{
 		ensureCapacity(8);
 		mWriter.putLong(value);
 		return this;
 	}
 	/**
 	 * Convert the internal buffer to a new byte array.
 	 * @return byte array
 	 */
 	public byte[] toByteArray()
 	{
 		int length = mWriter.position();
 		byte[] bytes = new byte[length];
 		System.arraycopy(mBuffer, 0, bytes, 0, length);
 		return bytes;
 	}
 }
@@ -0,0 +1,67 @@
 /*
 * Copyright (C) 2016-2020 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
 package org.amnezia.vpn.ikev2.utils;
 public final class Constants
 {
 	/**
 	 * Intent action used to notify about changes to the VPN profiles
 	 */
 	public static final String VPN_PROFILES_CHANGED = "org.strongswan.android.VPN_PROFILES_CHANGED";
 	/**
 	 * Used in the intent above to notify about edits or inserts of a VPN profile (long)
 	 */
 	public static final String VPN_PROFILES_SINGLE = "org.strongswan.android.VPN_PROFILES_SINGLE";
 	/**
 	 * Used in the intent above to notify about the deletion of multiple VPN profiles (array of longs)
 	 */
 	public static final String VPN_PROFILES_MULTIPLE = "org.strongswan.android.VPN_PROFILES_MULTIPLE";
 	/**
 	 * Limits for MTU
 	 */
 	public static final int MTU_MAX = 1500;
 	public static final int MTU_MIN = 1280;
 	/**
 	 * Limits for NAT-T keepalive
 	 */
 	public static final int NAT_KEEPALIVE_MAX = 120;
 	public static final int NAT_KEEPALIVE_MIN = 10;
 	/**
 	 * Preference key for default VPN profile
 	 */
 	public static final String PREF_DEFAULT_VPN_PROFILE = "pref_default_vpn_profile";
 	/**
 	 * Value used to signify that the most recently used profile should be used as default
 	 */
 	public static final String PREF_DEFAULT_VPN_PROFILE_MRU = "pref_default_vpn_profile_mru";
 	/**
 	 * Preference key to store the most recently used VPN profile
 	 */
 	public static final String PREF_MRU_VPN_PROFILE = "pref_mru_vpn_profile";
 	/**
 	 * Preference key to store whether the user permanently dismissed our warning to add the app to the power whitelist
 	 */
 	public static final String PREF_IGNORE_POWER_WHITELIST = "pref_ignore_power_whitelist";
 }
@@ -0,0 +1,510 @@
 /*
 * Copyright (C) 2012-2017 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
 package org.amnezia.vpn.ikev2.utils;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import androidx.annotation.NonNull;
 /**
 * Class that represents a range of IP addresses. This range could be a proper subnet, but that's
 * not necessarily the case (see {@code getPrefix} and {@code toSubnets}).
 */
 public class IPRange implements Comparable<IPRange>
 {
 	private final byte[] mBitmask = { (byte)0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
 	private byte[] mFrom;
 	private byte[] mTo;
 	private Integer mPrefix;
 	/**
 	 * Determine if the range is a proper subnet and, if so, what the network prefix is.
 	 */
 	private void determinePrefix()
 	{
 		boolean matching = true;
 		mPrefix = mFrom.length * 8;
 		for (int i = 0; i < mFrom.length; i++)
 		{
 			for (int bit = 0; bit < 8; bit++)
 			{
 				if (matching)
 				{
 					if ((mFrom[i] & mBitmask[bit]) != (mTo[i] & mBitmask[bit]))
 					{
 						mPrefix = (i * 8) + bit;
 						matching = false;
 					}
 				}
 				else
 				{
 					if ((mFrom[i] & mBitmask[bit]) != 0 || (mTo[i] & mBitmask[bit]) == 0)
 					{
 						mPrefix = null;
 						return;
 					}
 				}
 			}
 		}
 	}
 	private IPRange(byte[] from, byte[] to)
 	{
 		mFrom = from;
 		mTo = to;
 		determinePrefix();
 	}
 	public IPRange(String from, String to) throws UnknownHostException
 	{
 		this(Utils.parseInetAddress(from), Utils.parseInetAddress(to));
 	}
 	public IPRange(InetAddress from, InetAddress to)
 	{
 		initializeFromRange(from, to);
 	}
 	private void initializeFromRange(InetAddress from, InetAddress to)
 	{
 		byte[] fa = from.getAddress(), ta = to.getAddress();
 		if (fa.length != ta.length)
 		{
 			throw new IllegalArgumentException("Invalid range");
 		}
 		if (compareAddr(fa, ta) < 0)
 		{
 			mFrom = fa;
 			mTo = ta;
 		}
 		else
 		{
 			mTo = fa;
 			mFrom = ta;
 		}
 		determinePrefix();
 	}
 	public IPRange(String base, int prefix) throws UnknownHostException
 	{
 		this(Utils.parseInetAddress(base), prefix);
 	}
 	public IPRange(InetAddress base, int prefix)
 	{
 		this(base.getAddress(), prefix);
 	}
 	private IPRange(byte[] from, int prefix)
 	{
 		initializeFromCIDR(from, prefix);
 	}
 	private void initializeFromCIDR(byte[] from, int prefix)
 	{
 		if (from.length != 4 && from.length != 16)
 		{
 			throw new IllegalArgumentException("Invalid address");
 		}
 		if (prefix < 0 || prefix > from.length * 8)
 		{
 			throw new IllegalArgumentException("Invalid prefix");
 		}
 		byte[] to = from.clone();
 		byte mask = (byte)(0xff << (8 - prefix % 8));
 		int i = prefix / 8;
 		if (i < from.length)
 		{
 			from[i] = (byte)(from[i] & mask);
 			to[i] = (byte)(to[i] | ~mask);
 			Arrays.fill(from, i+1, from.length, (byte)0);
 			Arrays.fill(to, i+1, to.length, (byte)0xff);
 		}
 		mFrom = from;
 		mTo = to;
 		mPrefix = prefix;
 	}
 	public IPRange(String cidr) throws UnknownHostException
 	{
 		/* only verify the basic structure */
 		if (!cidr.matches("(?i)^(([0-9.]+)|([0-9a-f:]+))(-(([0-9.]+)|([0-9a-f:]+))|(/\\d+))?$"))
 		{
 			throw new IllegalArgumentException("Invalid CIDR or range notation");
 		}
 		if (cidr.contains("-"))
 		{
 			String[] parts = cidr.split("-");
 			InetAddress from = InetAddress.getByName(parts[0]);
 			InetAddress to = InetAddress.getByName(parts[1]);
 			initializeFromRange(from, to);
 		}
 		else
 		{
 			String[] parts = cidr.split("/");
 			InetAddress addr = InetAddress.getByName(parts[0]);
 			byte[] base = addr.getAddress();
 			int prefix = base.length * 8;
 			if (parts.length > 1)
 			{
 				prefix = Integer.parseInt(parts[1]);
 			}
 			initializeFromCIDR(base, prefix);
 		}
 	}
 	/**
 	 * Returns the first address of the range. The network ID in case this is a proper subnet.
 	 */
 	public InetAddress getFrom()
 	{
 		try
 		{
 			return InetAddress.getByAddress(mFrom);
 		}
 		catch (UnknownHostException ignored)
 		{
 			return null;
 		}
 	}
 	/**
 	 * Returns the last address of the range.
 	 */
 	public InetAddress getTo()
 	{
 		try
 		{
 			return InetAddress.getByAddress(mTo);
 		}
 		catch (UnknownHostException ignored)
 		{
 			return null;
 		}
 	}
 	/**
 	 * If this range is a proper subnet returns its prefix, otherwise returns null.
 	 */
 	public Integer getPrefix()
 	{
 		return mPrefix;
 	}
 	@Override
 	public int compareTo(@NonNull IPRange other)
 	{
 		int cmp = compareAddr(mFrom, other.mFrom);
 		if (cmp == 0)
 		{	/* smaller ranges first */
 			cmp = compareAddr(mTo, other.mTo);
 		}
 		return cmp;
 	}
 	@Override
 	public boolean equals(Object o)
 	{
 		if (o == null || !(o instanceof IPRange))
 		{
 			return false;
 		}
 		return this == o || compareTo((IPRange)o) == 0;
 	}
 	@Override
 	public String toString()
 	{
 		try
 		{
 			if (mPrefix != null)
 			{
 				return InetAddress.getByAddress(mFrom).getHostAddress() + "/" + mPrefix;
 			}
 			return InetAddress.getByAddress(mFrom).getHostAddress() + "-" +
 				   InetAddress.getByAddress(mTo).getHostAddress();
 		}
 		catch (UnknownHostException ignored)
 		{
 			return super.toString();
 		}
 	}
 	private int compareAddr(byte a[], byte b[])
 	{
 		if (a.length != b.length)
 		{
 			return (a.length < b.length) ? -1 : 1;
 		}
 		for (int i = 0; i < a.length; i++)
 		{
 			if (a[i] != b[i])
 			{
 				if (((int)a[i] & 0xff) < ((int)b[i] & 0xff))
 				{
 					return -1;
 				}
 				else
 				{
 					return 1;
 				}
 			}
 		}
 		return 0;
 	}
 	/**
 	 * Check if this range fully contains the given range.
 	 */
 	public boolean contains(IPRange range)
 	{
 		return compareAddr(mFrom, range.mFrom) <= 0 && compareAddr(range.mTo, mTo) <= 0;
 	}
 	/**
 	 * Check if this and the given range overlap.
 	 */
 	public boolean overlaps(IPRange range)
 	{
 		return !(compareAddr(mTo, range.mFrom) < 0 || compareAddr(range.mTo, mFrom) < 0);
 	}
 	private byte[] dec(byte[] addr)
 	{
 		for (int i = addr.length - 1; i >= 0; i--)
 		{
 			if (--addr[i] != (byte)0xff)
 			{
 				break;
 			}
 		}
 		return addr;
 	}
 	private byte[] inc(byte[] addr)
 	{
 		for (int i = addr.length - 1; i >= 0; i--)
 		{
 			if (++addr[i] != 0)
 			{
 				break;
 			}
 		}
 		return addr;
 	}
 	/**
 	 * Remove the given range from the current range.  Returns a list of resulting ranges (these are
 	 * not proper subnets). At most two ranges are returned, in case the given range is contained in
 	 * this but does not equal it, which would result in an empty list (which is also the case if
 	 * this range is fully contained in the given range).
 	 */
 	public List<IPRange> remove(IPRange range)
 	{
 		ArrayList<IPRange> list = new ArrayList<>();
 		if (!overlaps(range))
 		{	/*           | this | or | this |
 		     * | range |                     | range | */
 			list.add(this);
 		}
 		else if (!range.contains(this))
 		{	/* we are not completely removed, so none of these cases applies:
 			 * | this  | or  | this  |   or   | this  |
 		     * | range |     | range   |    |   range | */
 			if (compareAddr(mFrom, range.mFrom) < 0 && compareAddr(range.mTo, mTo) < 0)
 			{	/* the removed range is completely within our boundaries:
 				 * |    this    |
 				 *   | range |   */
 				list.add(new IPRange(mFrom, dec(range.mFrom.clone())));
 				list.add(new IPRange(inc(range.mTo.clone()), mTo));
 			}
 			else
 			{	/* one end is within our boundaries the other at or outside it:
 			     * | this     | or    | this     | or | this    |  or  | this    |
 			     * | range |       | range |            | range |           | range | */
 				byte[] from = compareAddr(mFrom, range.mFrom) < 0 ? mFrom : inc(range.mTo.clone());
 				byte[] to = compareAddr(mTo, range.mTo) > 0 ? mTo : dec(range.mFrom.clone());
 				list.add(new IPRange(from, to));
 			}
 		}
 		return list;
 	}
 	private boolean adjacent(IPRange range)
 	{
 		if (compareAddr(mTo, range.mFrom) < 0)
 		{
 			byte[] to = inc(mTo.clone());
 			return compareAddr(to, range.mFrom) == 0;
 		}
 		byte[] from = dec(mFrom.clone());
 		return compareAddr(from, range.mTo) == 0;
 	}
 	/**
 	 * Merge two adjacent or overlapping ranges, returns null if it's not possible to merge them.
 	 */
 	public IPRange merge(IPRange range)
 	{
 		if (overlaps(range))
 		{
 			if (contains(range))
 			{
 				return this;
 			}
 			else if (range.contains(this))
 			{
 				return range;
 			}
 		}
 		else if (!adjacent(range))
 		{
 			return null;
 		}
 		byte[] from = compareAddr(mFrom, range.mFrom) < 0 ? mFrom : range.mFrom;
 		byte[] to = compareAddr(mTo, range.mTo) > 0 ? mTo : range.mTo;
 		return new IPRange(from, to);
 	}
 	/**
 	 * Split the given range into a sorted list of proper subnets.
 	 */
 	public List<IPRange> toSubnets()
 	{
 		ArrayList<IPRange> list = new ArrayList<>();
 		if (mPrefix != null)
 		{
 			list.add(this);
 		}
 		else
 		{
 			int i = 0, bit = 0, prefix, netmask, common_byte, common_bit;
 			int from_cur, from_prev = 0, to_cur, to_prev = 1;
 			boolean from_full = true, to_full = true;
 			byte[] from = mFrom.clone();
 			byte[] to = mTo.clone();
 			/* find a common prefix */
 			while (i < from.length && (from[i] & mBitmask[bit]) == (to[i] & mBitmask[bit]))
 			{
 				if (++bit == 8)
 				{
 					bit = 0;
 					i++;
 				}
 			}
 			prefix = i * 8 + bit;
 			/* at this point we know that the addresses are either equal, or that the
 			 * current bits in the 'from' and 'to' addresses are 0 and 1, respectively.
 			 * we now look at the rest of the bits as two binary trees (0=left, 1=right)
 			 * where 'from' and 'to' are both leaf nodes.  all leaf nodes between these
 			 * nodes are addresses contained in the range.  to collect them as subnets
 			 * we follow the trees from both leaf nodes to their root node and record
 			 * all complete subtrees (right for from, left for to) we come across as
 			 * subnets.  in that process host bits are zeroed out.  if both addresses
 			 * are equal we won't enter the loop below.
 			 *      0_____|_____1       for the 'from' address we assume we start on a
 			 *   0__|__ 1    0__|__1    left subtree (0) and follow the left edges until
 			 *  _|_   _|_   _|_   _|_   we reach the root of this subtree, which is
 			 * |   | |   | |   | |   |  either the root of this whole 'from'-subtree
 			 * 0   1 0   1 0   1 0   1  (causing us to leave the loop) or the root node
 			 * of the right subtree (1) of another node (which actually could be the
 			 * leaf node we start from).  that whole subtree gets recorded as subnet.
 			 * next we follow the right edges to the root of that subtree which again is
 			 * either the 'from'-root or the root node in the left subtree (0) of
 			 * another node.  the complete right subtree of that node is the next subnet
 			 * we record.  from there we assume that we are in that right subtree and
 			 * recursively follow right edges to its root.  for the 'to' address the
 			 * procedure is exactly the same but with left and right reversed.
 			 */
 			if (++bit == 8)
 			{
 				bit = 0;
 				i++;
 			}
 			common_byte = i;
 			common_bit = bit;
 			netmask = from.length * 8;
 			for (i = from.length - 1; i >= common_byte; i--)
 			{
 				int bit_min = (i == common_byte) ? common_bit : 0;
 				for (bit = 7; bit >= bit_min; bit--)
 				{
 					byte mask = mBitmask[bit];
 					from_cur = from[i] & mask;
 					if (from_prev == 0 && from_cur != 0)
 					{	/* 0 -> 1: subnet is the whole current (right) subtree */
 						list.add(new IPRange(from.clone(), netmask));
 						from_full = false;
 					}
 					else if (from_prev != 0 && from_cur == 0)
 					{	/* 1 -> 0: invert bit to switch to right subtree and add it */
 						from[i] ^= mask;
 						list.add(new IPRange(from.clone(), netmask));
 						from_cur = 1;
 					}
 					/* clear the current bit */
 					from[i] &= ~mask;
 					from_prev = from_cur;
 					to_cur = to[i] & mask;
 					if (to_prev != 0 && to_cur == 0)
 					{	/* 1 -> 0: subnet is the whole current (left) subtree */
 						list.add(new IPRange(to.clone(), netmask));
 						to_full = false;
 					}
 					else if (to_prev == 0 && to_cur != 0)
 					{	/* 0 -> 1: invert bit to switch to left subtree and add it */
 						to[i] ^= mask;
 						list.add(new IPRange(to.clone(), netmask));
 						to_cur = 0;
 					}
 					/* clear the current bit */
 					to[i] &= ~mask;
 					to_prev = to_cur;
 					netmask--;
 				}
 			}
 			if (from_full && to_full)
 			{	/* full subnet (from=to or from=0.. and to=1.. after common prefix) - not reachable
 				 * due to the shortcut at the top */
 				list.add(new IPRange(from.clone(), prefix));
 			}
 			else if (from_full)
 			{	/* full from subnet (from=0.. after prefix) */
 				list.add(new IPRange(from.clone(), prefix + 1));
 			}
 			else if (to_full)
 			{	/* full to subnet (to=1.. after prefix) */
 				list.add(new IPRange(to.clone(), prefix + 1));
 			}
 		}
 		Collections.sort(list);
 		return list;
 	}
 }
@@ -0,0 +1,224 @@
 /*
 * Copyright (C) 2012-2017 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
 package org.amnezia.vpn.ikev2.utils;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.TreeSet;
 /**
 * Class that represents a set of IP address ranges (not necessarily proper subnets) and allows
 * modifying the set and enumerating the resulting subnets.
 */
 public class IPRangeSet implements Iterable<IPRange>
 {
 	private TreeSet<IPRange> mRanges = new TreeSet<>();
 	/**
 	 * Parse the given string (space separated ranges in CIDR or range notation) and return the
 	 * resulting set or {@code null} if the string was invalid. An empty set is returned if the given string
 	 * is {@code null}.
 	 */
 	public static IPRangeSet fromString(String ranges)
 	{
 		IPRangeSet set = new IPRangeSet();
 		if (ranges != null)
 		{
 			for (String range : ranges.split("\\s+"))
 			{
 				try
 				{
 					set.add(new IPRange(range));
 				}
 				catch (Exception unused)
 				{	/* besides due to invalid strings exceptions might get thrown if the string
 					 * contains a hostname (NetworkOnMainThreadException) */
 					return null;
 				}
 			}
 		}
 		return set;
 	}
 	/**
 	 * Add a range to this set. Automatically gets merged with existing ranges.
 	 */
 	public void add(IPRange range)
 	{
 		if (mRanges.contains(range))
 		{
 			return;
 		}
 		reinsert:
 		while (true)
 		{
 			Iterator<IPRange> iterator = mRanges.iterator();
 			while (iterator.hasNext())
 			{
 				IPRange existing = iterator.next();
 				IPRange replacement = existing.merge(range);
 				if (replacement != null)
 				{
 					iterator.remove();
 					range = replacement;
 					continue reinsert;
 				}
 			}
 			mRanges.add(range);
 			break;
 		}
 	}
 	/**
 	 * Add all ranges from the given set.
 	 */
 	public void add(IPRangeSet ranges)
 	{
 		if (ranges == this)
 		{
 			return;
 		}
 		for (IPRange range : ranges.mRanges)
 		{
 			add(range);
 		}
 	}
 	/**
 	 * Add all ranges from the given collection to this set.
 	 */
 	public void addAll(Collection<? extends IPRange> coll)
 	{
 		for (IPRange range : coll)
 		{
 			add(range);
 		}
 	}
 	/**
 	 * Remove the given range from this set. Existing ranges are automatically adjusted.
 	 */
 	public void remove(IPRange range)
 	{
 		ArrayList <IPRange> additions = new ArrayList<>();
 		Iterator<IPRange> iterator = mRanges.iterator();
 		while (iterator.hasNext())
 		{
 			IPRange existing = iterator.next();
 			List<IPRange> result = existing.remove(range);
 			if (result.size() == 0)
 			{
 				iterator.remove();
 			}
 			else if (!result.get(0).equals(existing))
 			{
 				iterator.remove();
 				additions.addAll(result);
 			}
 		}
 		mRanges.addAll(additions);
 	}
 	/**
 	 * Remove the given ranges from ranges in this set.
 	 */
 	public void remove(IPRangeSet ranges)
 	{
 		if (ranges == this)
 		{
 			mRanges.clear();
 			return;
 		}
 		for (IPRange range : ranges.mRanges)
 		{
 			remove(range);
 		}
 	}
 	/**
 	 * Get all the subnets derived from all the ranges in this set.
 	 */
 	public Iterable<IPRange> subnets()
 	{
 		return new Iterable<IPRange>()
 		{
 			@Override
 			public Iterator<IPRange> iterator()
 			{
 				return new Iterator<IPRange>()
 				{
 					private Iterator<IPRange> mIterator = mRanges.iterator();
 					private List<IPRange> mSubnets;
 					@Override
 					public boolean hasNext()
 					{
 						return (mSubnets != null && mSubnets.size() > 0) || mIterator.hasNext();
 					}
 					@Override
 					public IPRange next()
 					{
 						if (mSubnets == null || mSubnets.size() == 0)
 						{
 							IPRange range = mIterator.next();
 							mSubnets = range.toSubnets();
 						}
 						return mSubnets.remove(0);
 					}
 					@Override
 					public void remove()
 					{
 						throw new UnsupportedOperationException();
 					}
 				};
 			}
 		};
 	}
 	@Override
 	public Iterator<IPRange> iterator()
 	{
 		return mRanges.iterator();
 	}
 	/**
 	 * Returns the number of ranges, not subnets.
 	 */
 	public int size()
 	{
 		return mRanges.size();
 	}
 	@Override
 	public String toString()
 	{	/* we could use TextUtils, but that causes the unit tests to fail */
 		StringBuilder sb = new StringBuilder();
 		for (IPRange range : mRanges)
 		{
 			if (sb.length() > 0)
 			{
 				sb.append(" ");
 			}
 			sb.append(range.toString());
 		}
 		return sb.toString();
 	}
 }
@@ -0,0 +1,161 @@
 /*
 * Copyright (C) 2015 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
 package org.amnezia.vpn.ikev2.utils;
 import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.Map.Entry;
 import java.util.regex.Pattern;
 /**
 * Simple generator for data/files that may be parsed by libstrongswan's
 * settings_t class.
 */
 public class SettingsWriter
 {
 	/**
 	 * Top-level section
 	 */
 	private final SettingsSection mTop = new SettingsSection();
 	/**
 	 * Set a string value
 	 * @param key
 	 * @param value
 	 * @return the writer
 	 */
 	public SettingsWriter setValue(String key, String value)
 	{
 		Pattern pattern = Pattern.compile("[^#{}=\"\\n\\t ]+");
 		if (key == null || !pattern.matcher(key).matches())
 		{
 			return this;
 		}
 		String[] keys = key.split("\\.");
 		SettingsSection section = mTop;
 		section = findOrCreateSection(Arrays.copyOfRange(keys, 0, keys.length-1));
 		section.Settings.put(keys[keys.length-1], value);
 		return this;
 	}
 	/**
 	 * Set an integer value
 	 * @param key
 	 * @param value
 	 * @return the writer
 	 */
 	public SettingsWriter setValue(String key, Integer value)
 	{
 		return setValue(key, value == null ? null : value.toString());
 	}
 	/**
 	 * Set a boolean value
 	 * @param key
 	 * @param value
 	 * @return the writer
 	 */
 	public SettingsWriter setValue(String key, Boolean value)
 	{
 		return setValue(key, value == null ? null : value ? "1" : "0");
 	}
 	/**
 	 * Serializes the settings to a string in the format understood by
 	 * libstrongswan's settings_t parser.
 	 * @return serialized settings
 	 */
 	public String serialize()
 	{
 		StringBuilder builder = new StringBuilder();
 		serializeSection(mTop, builder);
 		return builder.toString();
 	}
 	/**
 	 * Serialize the settings in a section and recursively serialize sub-sections
 	 * @param section
 	 * @param builder
 	 */
 	private void serializeSection(SettingsSection section, StringBuilder builder)
 	{
 		for (Entry<String, String> setting : section.Settings.entrySet())
 		{
 			builder.append(setting.getKey()).append('=');
 			if (setting.getValue() != null)
 			{
 				builder.append("\"").append(escapeValue(setting.getValue())).append("\"");
 			}
 			builder.append('\n');
 		}
 		for (Entry<String, SettingsSection> subsection : section.Sections.entrySet())
 		{
 			builder.append(subsection.getKey()).append(" {\n");
 			serializeSection(subsection.getValue(), builder);
 			builder.append("}\n");
 		}
 	}
 	/**
 	 * Escape value so it may be wrapped in "
 	 * @param value
 	 * @return
 	 */
 	private String escapeValue(String value)
 	{
 		return value.replace("\\", "\\\\").replace("\"", "\\\"");
 	}
 	/**
 	 * Find or create the nested sections with the given names
 	 * @param sections list of section names
 	 * @return final section
 	 */
 	private SettingsSection findOrCreateSection(String[] sections)
 	{
 		SettingsSection section = mTop;
 		for (String name : sections)
 		{
 			SettingsSection subsection = section.Sections.get(name);
 			if (subsection == null)
 			{
 				subsection = new SettingsSection();
 				section.Sections.put(name, subsection);
 			}
 			section = subsection;
 		}
 		return section;
 	}
 	/**
 	 * A section containing sub-sections and settings.
 	 */
 	private class SettingsSection
 	{
 		/**
 		 * Assigned key/value pairs
 		 */
 		LinkedHashMap<String,String> Settings = new LinkedHashMap<String, String>();
 		/**
 		 * Assigned sub-sections
 		 */
 		LinkedHashMap<String,SettingsSection> Sections = new LinkedHashMap<String, SettingsWriter.SettingsSection>();
 	}
 }
@@ -0,0 +1,167 @@
 /*
 * Copyright (C) 2017-2018 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
 package org.amnezia.vpn.ikev2.utils;
 import java.io.BufferedOutputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.HttpURLConnection;
 import java.net.SocketTimeoutException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.concurrent.CancellationException;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 import androidx.annotation.Keep;
@Keep
 public class SimpleFetcher
 {
 	private static ExecutorService mExecutor = Executors.newCachedThreadPool();
 	private static Object mLock = new Object();
 	private static ArrayList<Future> mFutures = new ArrayList<>();
 	private static boolean mDisabled;
 	public static byte[] fetch(String uri, byte[] data, String contentType)
 	{
 		Future<byte[]> future;
 		synchronized (mLock)
 		{
 			if (mDisabled)
 			{
 				return null;
 			}
 			future = mExecutor.submit(() -> {
 				URL url = new URL(uri);
 				HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 				conn.setConnectTimeout(10000);
 				conn.setReadTimeout(10000);
 				conn.setRequestProperty("Connection", "close");
 				try
 				{
 					if (contentType != null)
 					{
 						conn.setRequestProperty("Content-Type", contentType);
 					}
 					if (data != null)
 					{
 						conn.setDoOutput(true);
 						conn.setFixedLengthStreamingMode(data.length);
 						OutputStream out = new BufferedOutputStream(conn.getOutputStream());
 						out.write(data);
 						out.close();
 					}
 					return streamToArray(conn.getInputStream());
 				}
 				catch (SocketTimeoutException e)
 				{
 					return null;
 				}
 				finally
 				{
 					conn.disconnect();
 				}
 			});
 			mFutures.add(future);
 		}
 		try
 		{
 			/* this enforces a timeout as the ones set on HttpURLConnection might not work reliably */
 			return future.get(10000, TimeUnit.MILLISECONDS);
 		}
 		catch (InterruptedException|ExecutionException|TimeoutException|CancellationException e)
 		{
 			return null;
 		}
 		finally
 		{
 			synchronized (mLock)
 			{
 				mFutures.remove(future);
 			}
 		}
 	}
 	/**
 	 * Enable fetching after it has been disabled.
 	 */
 	public static void enable()
 	{
 		synchronized (mLock)
 		{
 			mDisabled = false;
 		}
 	}
 	/**
 	 * Disable the fetcher and abort any future requests.
 	 *
 	 * The native thread is not cancelable as it is working on an IKE_SA (canceling the methods of
 	 * HttpURLConnection is not reliably possible anyway), so to abort while fetching we cancel the
 	 * Future (causing a return from fetch() immediately) and let the executor thread continue its
 	 * thing in the background.
 	 *
 	 * Also prevents future fetches until enabled again (e.g. if we aborted OCSP but would then
 	 * block in the subsequent fetch for a CRL).
 	 */
 	public static void disable()
 	{
 		synchronized (mLock)
 		{
 			mDisabled = true;
 			for (Future future : mFutures)
 			{
 				future.cancel(true);
 			}
 		}
 	}
 	private static byte[] streamToArray(InputStream in) throws IOException
 	{
 		ByteArrayOutputStream out = new ByteArrayOutputStream();
 		byte[] buf = new byte[1024];
 		int len;
 		try
 		{
 			while ((len = in.read(buf)) != -1)
 			{
 				out.write(buf, 0, len);
 			}
 			return out.toByteArray();
 		}
 		catch (IOException e)
 		{
 			e.printStackTrace();
 		}
 		finally
 		{
 			in.close();
 		}
 		return null;
 	}
 }
@@ -0,0 +1,78 @@
 /*
 * Copyright (C) 2014-2019 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
 package org.amnezia.vpn.ikev2.utils;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 public class Utils
 {
 	static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
 	/**
 	 * Converts the given byte array to a hexadecimal string encoding.
 	 *
 	 * @param bytes byte array to convert
 	 * @return hex string
 	 */
 	public static String bytesToHex(byte[] bytes)
 	{
 		char[] hex = new char[bytes.length * 2];
 		for (int i = 0; i < bytes.length; i++)
 		{
 			int value = bytes[i];
 			hex[i*2]   = HEXDIGITS[(value & 0xf0) >> 4];
 			hex[i*2+1] = HEXDIGITS[ value & 0x0f];
 		}
 		return new String(hex);
 	}
 	/**
 	 * Validate the given proposal string
 	 *
 	 * @param ike true for IKE, false for ESP
 	 * @param proposal proposal string
 	 * @return true if valid
 	 */
 	public native static boolean isProposalValid(boolean ike, String proposal);
 	/**
 	 * Parse an IP address without doing a name lookup
 	 *
 	 * @param address IP address string
 	 * @return address bytes if valid
 	 */
 	private native static byte[] parseInetAddressBytes(String address);
 	/**
 	 * Parse an IP address without doing a name lookup (as compared to InetAddress.fromName())
 	 *
 	 * @param address IP address string
 	 * @return address if valid
 	 * @throws UnknownHostException if address is invalid
 	 */
 	public static InetAddress parseInetAddress(String address) throws UnknownHostException
 	{
 		byte[] bytes = parseInetAddressBytes(address);
 		if (bytes == null)
 		{
 			throw new UnknownHostException();
 		}
 		return InetAddress.getByAddress(bytes);
 	}
 }
@@ -1,189 +0,0 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 package org.amnezia.vpn.qt;
 import android.Manifest;
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.ResolveInfo;
 import android.graphics.Color;
 import android.graphics.drawable.ColorDrawable;
 import android.graphics.drawable.Drawable;
 import android.Manifest.permission;
 import android.net.Uri;
 import android.os.Build;
 import android.util.Log;
 import android.webkit.WebView;
 import org.json.JSONException;
 import org.json.JSONObject;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.regex.Pattern;
 // Gets used by /platforms/android/androidAppListProvider.cpp
 public class PackageManagerHelper {
  final static String TAG = "PackageManagerHelper";
  final static int MIN_CHROME_VERSION = 65;
  final static List<String> CHROME_BROWSERS = Arrays.asList(
      new String[] {"com.google.android.webview", "com.android.webview", "com.google.chrome"});
  private static String getAllAppNames(Context ctx) {
    JSONObject output = new JSONObject();
    PackageManager pm = ctx.getPackageManager();
    List<String> browsers = getBrowserIDs(pm);
    List<PackageInfo> packs = pm.getInstalledPackages(PackageManager.GET_PERMISSIONS);
    for (int i = 0; i < packs.size(); i++) {
      PackageInfo p = packs.get(i);
      // Do not add ourselves and System Apps to the list, unless it might be a browser
      if ((!isSystemPackage(p,pm) || browsers.contains(p.packageName))
          && !isSelf(p)) {
        String appid = p.packageName;
        String appName = p.applicationInfo.loadLabel(pm).toString();
        try {
          output.put(appid, appName);
        } catch (JSONException e) {
          e.printStackTrace();
        }
      }
    }
    return output.toString();
  }
  private static Drawable getAppIcon(Context ctx, String id) {
    try {
      return ctx.getPackageManager().getApplicationIcon(id);
    } catch (PackageManager.NameNotFoundException e) {
      e.printStackTrace();
    }
    return new ColorDrawable(Color.TRANSPARENT);
  }
  private static boolean isSystemPackage(PackageInfo pkgInfo, PackageManager pm) {
    if( (pkgInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0){
      // no system app
      return false;
    }
    // For Systems Packages there are Cases where we want to add it anyway:
    // Has the use Internet permission (otherwise makes no sense)
    // Had at least 1 update (this means it's probably on any AppStore)
    // Has a a launch activity (has a ui and is not just a system service)
    if(!usesInternet(pkgInfo)){
      return true;
    }
    if(!hadUpdate(pkgInfo)){
      return true;
    }
    if(pm.getLaunchIntentForPackage(pkgInfo.packageName) == null){
      // If there is no way to launch this from a homescreen, def a sys package
      return true;
    }
    return false;
  }
  private static boolean isSelf(PackageInfo pkgInfo) {
    return pkgInfo.packageName.equals("org.amnezia.vpn")
        || pkgInfo.packageName.equals("org.amnezia.vpn.debug");
  }
  private static boolean usesInternet(PackageInfo pkgInfo){
    if(pkgInfo.requestedPermissions == null){
      return false;
    }
    for(int i=0; i < pkgInfo.requestedPermissions.length; i++) {
      String permission = pkgInfo.requestedPermissions[i];
      if(Manifest.permission.INTERNET.equals(permission)){
        return true;
      }
    }
    return false;
  }
  private static boolean hadUpdate(PackageInfo pkgInfo){
    return pkgInfo.lastUpdateTime > pkgInfo.firstInstallTime;
  }
  // Returns List of all Packages that can classify themselves as browsers
  private static List<String> getBrowserIDs(PackageManager pm) {
    Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://www.mozilla.org/"));
    intent.addCategory(Intent.CATEGORY_BROWSABLE);
    // We've tried using PackageManager.MATCH_DEFAULT_ONLY flag and found that browsers that
    // are not set as the default browser won't be matched even if they had CATEGORY_DEFAULT set
    // in the intent filter
    List<ResolveInfo> resolveInfos = pm.queryIntentActivities(intent, PackageManager.MATCH_ALL);
    List<String> browsers = new ArrayList<String>();
    for (int i = 0; i < resolveInfos.size(); i++) {
      ResolveInfo info = resolveInfos.get(i);
      String browserID = info.activityInfo.packageName;
      browsers.add(browserID);
    }
    return browsers;
  }
  // Gets called in AndroidAuthenticationListener;
  public static boolean isWebViewSupported(Context ctx) {
    Log.v(TAG, "Checking if installed Webview is compatible with FxA");
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
      // The default Webview is able do to FXA
      return true;
    }
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
      PackageInfo pi = WebView.getCurrentWebViewPackage();
      if (CHROME_BROWSERS.contains(pi.packageName)) {
        return isSupportedChromeBrowser(pi);
      }
      return isNotAncientBrowser(pi);
    }
    // Before O the webview is hardcoded, but we dont know which package it is.
    // Check if com.google.android.webview is installed
    PackageManager pm = ctx.getPackageManager();
    try {
      PackageInfo pi = pm.getPackageInfo("com.google.android.webview", 0);
      return isSupportedChromeBrowser(pi);
    } catch (PackageManager.NameNotFoundException e) {
    }
    // Otherwise check com.android.webview
    try {
      PackageInfo pi = pm.getPackageInfo("com.android.webview", 0);
      return isSupportedChromeBrowser(pi);
    } catch (PackageManager.NameNotFoundException e) {
    }
    Log.e(TAG, "Android System WebView is not found");
    // Giving up :(
    return false;
  }
  private static boolean isSupportedChromeBrowser(PackageInfo pi) {
    Log.d(TAG, "Checking Chrome Based Browser: " + pi.packageName);
    Log.d(TAG, "version name: " + pi.versionName);
    Log.d(TAG, "version code: " + pi.versionCode);
    try {
      String versionCode = pi.versionName.split(Pattern.quote(" "))[0];
      String majorVersion = versionCode.split(Pattern.quote("."))[0];
      int version = Integer.parseInt(majorVersion);
      return version >= MIN_CHROME_VERSION;
    } catch (Exception e) {
      Log.e(TAG, "Failed to check Chrome Version Code " + pi.versionName);
      return false;
    }
  }
  private static boolean isNotAncientBrowser(PackageInfo pi) {
    // Not a google chrome - So the version name is worthless
    // Lets just make sure the WebView
    // used is not ancient ==> Was updated in at least the last 365 days
    Log.d(TAG, "Checking Chrome Based Browser: " + pi.packageName);
    Log.d(TAG, "version name: " + pi.versionName);
    Log.d(TAG, "version code: " + pi.versionCode);
    double oneYearInMillis = 31536000000L;
    return pi.lastUpdateTime > (System.currentTimeMillis() - oneYearInMillis);
  }
 }
@@ -12,16 +12,16 @@ set(LIBS ${LIBS} SortFilterProxyModel)
 include(${CLIENT_ROOT_DIR}/3rd/qrcodegen/qrcodegen.cmake)
 include(${CLIENT_ROOT_DIR}/3rd/QSimpleCrypto/QSimpleCrypto.cmake)
-set(BUILD_SHARED_LIBS ON CACHE BOOL "" FORCE)
+#set(BUILD_SHARED_LIBS ON CACHE BOOL "" FORCE)
-add_subdirectory(${CLIENT_ROOT_DIR}/3rd/zlib)
+#add_subdirectory(${CLIENT_ROOT_DIR}/3rd/zlib)
-if(WIN32)
+#if(WIN32)
-    set(ZLIB_LIBRARY $<IF:$<CONFIG:Debug>,zlibd,zlib>)
+#    set(ZLIB_LIBRARY $<IF:$<CONFIG:Debug>,zlibd,zlib>)
-else()
+#else()
-    set(ZLIB_LIBRARY z)
+#    set(ZLIB_LIBRARY z)
-endif()
+#endif()
-set(ZLIB_INCLUDE_DIR "${CLIENT_ROOT_DIR}/3rd/zlib" "${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib")
+#set(ZLIB_INCLUDE_DIR "${CLIENT_ROOT_DIR}/3rd/zlib" "${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib")
-link_directories(${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib)
+#link_directories(${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib)
-link_libraries(${ZLIB_LIBRARY})
+#link_libraries(${ZLIB_LIBRARY})
 if(IOS)
    set(ENABLE_PROGRAMS OFF CACHE BOOL "" FORCE)
@@ -105,6 +105,9 @@ set(BUILD_WITH_QT6 ON)
 add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)
 set(LIBS ${LIBS} qt6keychain)
 include(${CLIENT_ROOT_DIR}/3rd/strongswan/strongswan.cmake)
 include_directories(
    ${CLIENT_ROOT_DIR}/3rd/OpenSSL/include
    ${CLIENT_ROOT_DIR}/3rd/libssh/include
@@ -170,6 +170,7 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
    case DockerContainer::WireGuard: return true;
    case DockerContainer::OpenVpn: return true;
    case DockerContainer::ShadowSocks: return true;
    case DockerContainer::Ipsec: return true;
    default: return false;
    }
@@ -176,6 +176,21 @@ ErrorCode AndroidController::start()
                appContext.object());
    QJsonDocument doc(m_vpnConfig);
    /*** The following code snippet needs to correct displaying of config in debug console
     * (Android's stdout limits length of output message)
     * 
     * QString string(doc.toJson(QJsonDocument::Compact));
     * 
     * qDebug() << "*** config: ";
     * for (int i = 0; i <= string.length()/100; i++) {
     *  int start = i*100;
     *  qDebug() << string.mid(start, 100);
     * }
     * 
     * qDebug() << "*** config: " << m_vpnConfig;
     ***/
    AndroidVPNActivity::sendToService(ServiceAction::ACTION_ACTIVATE, doc.toJson());
    return NoError;
Author	SHA1	Message	Date
Dmitriy Karpushin	aef20430f2	Configuring of ikev2	2023-07-07 14:19:03 +03:00
Dmitriy Karpushin	b818de3378	Merge remote-tracking branch 'origin/feature/ikev2_android' into feature/ikev2_android	2023-04-24 15:42:18 +03:00
Dmitriy Karpushin	cf86c6e912	Start logic	2023-04-24 15:41:24 +03:00
Dmitry Karpushin	483263171b	Merge branch 'dev' into feature/ikev2_android	2023-04-24 13:19:23 +03:00
Dmitriy Karpushin	5fb91d8f5b	Update of strongswan submodule	2023-04-24 13:18:09 +03:00
Dmitriy Karpushin	100f8ad95d	Refactoring of build process + utility classes	2023-04-24 13:05:56 +03:00
Dmitriy Karpushin	e43041572e	Strongswan submodule fixes	2023-04-13 09:55:58 +03:00
Dmitriy Karpushin	4b103a1622	Pre-configuring of StrongSwan from project cmake file	2023-04-13 09:14:56 +03:00
Dmitriy Karpushin	b6c7ef415d	strongswan submodule for IKEv2 support	2023-04-05 16:07:31 +03:00