Fix hash comparison when profile is base64 encoded. Allow going back to non-Alias config

schwabe · schwabe · commit 8bb986f5149f · 2023-05-05T16:48:44.000+02:00
diff --git a/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java b/main/src/main/java/de/blinkt/openvpn/api/AppRestrictions.java
@@ -60,7 +60,8 @@ private void removeChangesListener(Context c) {
         c.unregisterReceiver(mRestrictionsReceiver);
     }
 
-    private String hashConfig(String config) {
+    private String hashConfig(String rawconfig) {
+        String config = prepare(rawconfig);
         MessageDigest digest;
         try {
             digest = MessageDigest.getInstance("SHA1");
@@ -121,6 +122,10 @@ private void applyRestrictions(Context c) {
                 continue;
             }
 
+            /* we always use lower case uuid since Android UUID class will use present
+             * them that way */
+            uuid = uuid.toLowerCase(Locale.US);
+
             if (uuid.equals(defaultprofile))
                 defaultprofileProvisioned = true;
 
@@ -188,22 +193,43 @@ private void applyRestrictions(Context c) {
      * the authentication method and will also set the keystore alias
      */
     private void addCertificateAlias(VpnProfile vpnProfile, String certAlias, Context c) {
-        if (certAlias == null || vpnProfile == null)
+        if (vpnProfile == null)
             return;
 
         int oldType = vpnProfile.mAuthenticationType;
         String oldAlias = vpnProfile.mAlias;
 
-        switch (vpnProfile.mAuthenticationType)
+        if (!TextUtils.isEmpty(certAlias)) {
+            switch (vpnProfile.mAuthenticationType)
+            {
+                case VpnProfile.TYPE_PKCS12:
+                case VpnProfile.TYPE_CERTIFICATES:
+                    vpnProfile.mAuthenticationType = VpnProfile.TYPE_KEYSTORE;
+                    break;
+                case VpnProfile.TYPE_USERPASS_CERTIFICATES:
+                case VpnProfile.TYPE_USERPASS_PKCS12:
+                    vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_KEYSTORE;
+                    break;
+            }
+
+        } else
         {
-            case VpnProfile.TYPE_PKCS12:
-            case VpnProfile.TYPE_CERTIFICATES:
-                vpnProfile.mAuthenticationType = VpnProfile.TYPE_KEYSTORE;
-                break;
-            case VpnProfile.TYPE_USERPASS_CERTIFICATES:
-            case VpnProfile.TYPE_USERPASS_PKCS12:
-                vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_KEYSTORE;
-                break;
+            /* Alias is null, return to non keystore method */
+            boolean pkcs12present = !TextUtils.isEmpty(vpnProfile.mPKCS12Filename);
+            switch (vpnProfile.mAuthenticationType) {
+                case VpnProfile.TYPE_USERPASS_KEYSTORE:
+                    if (pkcs12present)
+                        vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_PKCS12;
+                    else
+                        vpnProfile.mAuthenticationType = VpnProfile.TYPE_USERPASS_CERTIFICATES;
+                    break;
+                case VpnProfile.TYPE_KEYSTORE:
+                    if (pkcs12present)
+                        vpnProfile.mAuthenticationType = VpnProfile.TYPE_PKCS12;
+                    else
+                        vpnProfile.mAuthenticationType = VpnProfile.TYPE_CERTIFICATES;
+                    break;
+             }
         }
         vpnProfile.mAlias = certAlias;
 
