Configuring of ikev2

.gitmodules

@@ -34,6 +34,9 @@
 [submodule "client/3rd/SortFilterProxyModel"]
 	path = client/3rd/SortFilterProxyModel
 	url = https://github.com/mitchcurtis/SortFilterProxyModel.git
+[submodule "client/3rd/strongswan/sources"]
+	path = client/3rd/strongswan/sources
+	url = https://github.com/kolobchanin/strongswan.git
 [submodule "client/3rd/mbedtls"]
 	path = client/3rd/mbedtls
 	url = https://github.com/Mbed-TLS/mbedtls.git

client/3rd/strongswan/strongswan.cmake

@@ -0,0 +1,20 @@
+include(ExternalProject)
+
+set(STRONGSWAN_SOURCES_ROOT ${CMAKE_CURRENT_LIST_DIR}/sources)
+
+ExternalProject_Add(
+    strongswan
+    UPDATE_DISCONNECTED true
+    CONFIGURE_HANDLED_BY_BUILD true
+    PREFIX ${STRONGSWAN_SOURCES_ROOT}
+    SOURCE_DIR ${STRONGSWAN_SOURCES_ROOT}
+    BINARY_DIR ${STRONGSWAN_SOURCES_ROOT}
+    INSTALL_DIR ${STRONGSWAN_SOURCES_ROOT}
+    STAMP_DIR ${STRONGSWAN_SOURCES_ROOT}/stamp
+    LOG_DIR ${STRONGSWAN_SOURCES_ROOT}/log
+    TMP_DIR ${STRONGSWAN_SOURCES_ROOT}/tmp
+    CONFIGURE_COMMAND ./autogen.sh
+    COMMAND ./configure --disable-kernel-netlink
+    BUILD_COMMAND make #dist
+    INSTALL_COMMAND ""
+)

client/CMakeLists.txt

@@ -273,6 +273,8 @@ if(ANDROID)
         ${CMAKE_CURRENT_LIST_DIR}/platforms/android/androidvpnactivity.cpp
         ${CMAKE_CURRENT_LIST_DIR}/protocols/android_vpnprotocol.cpp
     )
+
+    file(COPY ${CMAKE_CURRENT_LIST_DIR}/3rd/strongswan DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/3rd)
 endif()
 
 if(IOS)
@@ -507,7 +509,6 @@ if(ANDROID)
             ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/VPNService.kt
             ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/VPNServiceBinder.kt
             ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/AmneziaApp.kt
-            ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/PackageManagerHelper.java
             ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/VPNActivity.kt
             ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/VPNApplication.java
             ${CMAKE_CURRENT_LIST_DIR}/android/src/org/amnezia/vpn/qt/VPNClientBinder.kt

client/android/build.gradle

@@ -1,7 +1,7 @@
 apply plugin: 'com.github.ben-manes.versions'
 
 buildscript {
-   ext{
+   ext {
        kotlin_version = "1.7.22"
        //  for libwg
        appcompatVersion = '1.1.0'
@@ -11,6 +11,7 @@ buildscript {
        streamsupportVersion = '1.7.0'
        threetenabpVersion = '1.1.1'
        groupName = 'org.amnezia.vpn'
+       relativePathToStrongswan = '../3rd/strongswan/sources/src/frontends/android/app/src/main/jni'
    }
 
     repositories {
@@ -105,7 +106,7 @@ android {
             resources.srcDirs = ['resources']
             renderscript.srcDirs = ['src']
             assets.srcDirs = ['assets']
-            jniLibs.srcDirs = ['libs']
+            jniLibs.srcDirs = ['libs', relativePathToStrongswan]
             androidTest.assets.srcDirs += files("${qtAndroidDir}/schemas".toString())
        }
     }
@@ -138,33 +139,65 @@ android {
         targetSdkVersion = 31
         versionCode 10 // Change to a higher number
         versionName "2.0.10" // Change to a higher number
+        multiDexEnabled true
 
         javaCompileOptions.annotationProcessorOptions.arguments = [
             "room.schemaLocation": "${qtAndroidDir}/schemas".toString()
         ]
     }
 
-   buildTypes {
+    buildTypes {
        release {
            // That would enable treeshaking and remove java code that is just called from qt
            minifyEnabled false
+
            externalNativeBuild {
                cmake {
-                   arguments "-DANDROID_PACKAGE_NAME=${groupName}", "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
+                   arguments "-DANDROID_PACKAGE_NAME=${groupName}",
+                                "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
                }
            }
        }
+
        debug {
            //applicationIdSuffix ".debug"
            //versionNameSuffix "-debug"
            minifyEnabled false
+
            externalNativeBuild {
                cmake {
-                   arguments "-DANDROID_PACKAGE_NAME=${groupName}", "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
+                   arguments "-DANDROID_PACKAGE_NAME=${groupName}",
+                                "-DGRADLE_USER_HOME=${project.gradle.gradleUserHomeDir}"
+
                }
            }
        }
-   }
+    }
+
+    task buildStrongSwanNative(type: Exec) {
+        environment = System.getenv() + ['JNI_PACKAGE': 'org_amnezia_vpn', 'JNI_PACKAGE_STRING': 'org/amnezia/vpn']
+        workingDir "${relativePathToStrongswan}"
+        commandLine "${android.ndkDirectory}/ndk-build", '-j', Runtime.runtime.availableProcessors()
+
+        doLast {
+            copy {
+                from "${workingDir} + /../libs"
+                into 'libs'
+            }
+        }
+    }
+
+    task cleanStrongSwanNative(type: Exec) {
+        workingDir "${relativePathToStrongswan}"
+        commandLine "${android.ndkDirectory}/ndk-build", 'clean'
+    }
+
+    tasks.withType(JavaCompile) {
+        compileTask -> compileTask.dependsOn buildStrongSwanNative
+            options.compilerArgs << "-Xlint:unchecked" << "-Xlint:deprecation"
+    }
+
+    clean.dependsOn 'cleanStrongSwanNative'
 
 //   externalNativeBuild {
 //       cmake {

client/android/src/org/amnezia/vpn/IKEv2Thread.kt

@@ -0,0 +1,761 @@
+package org.amnezia.vpn
+
+import android.annotation.TargetApi
+import android.content.pm.PackageManager
+import android.net.VpnService
+import android.net.VpnService.Builder
+import android.os.Build
+import android.os.ParcelFileDescriptor
+import android.system.OsConstants
+
+import java.lang.Runnable
+
+import org.amnezia.vpn.ikev2.VpnProfile
+import org.amnezia.vpn.ikev2.VpnProfile.SelectedAppsHandling
+import org.amnezia.vpn.ikev2.VpnType
+import org.amnezia.vpn.ikev2.VpnType.VpnTypeFeature
+import org.amnezia.vpn.ikev2.utils.IPRange
+import org.amnezia.vpn.ikev2.utils.IPRangeSet
+import org.amnezia.vpn.ikev2.utils.Utils
+import org.amnezia.vpn.ikev2.utils.Constants
+import org.amnezia.vpn.ikev2.utils.SettingsWriter
+import org.amnezia.vpn.ikev2.utils.SimpleFetcher
+
+const val PACKAGE_NAME = "org.amnezia.vpn"
+const val LOG_FILE = "charon.log"
+const val TAG = "amnezia_ikev2"
+
+class IKEv2Thread(
+    val vpnServiceBuilder: android.net.VpnService.Builder,
+    val filesDirAbsolutePath: String
+): Runnable {
+
+    private val mBuilderAdapter: BuilderAdapter = BuilderAdapter(vpnServiceBuilder)
+
+    private var mCurrentProfile: VpnProfile? = null
+    private var mNextProfile: VpnProfile? = null
+
+    @kotlin.jvm.Volatile
+    private var mCurrentCertificateAlias: String? = null
+
+    @kotlin.jvm.Volatile
+    private var mCurrentUserCertificateAlias: String? = null
+
+    @kotlin.jvm.Volatile
+    private var mProfileUpdated = false
+
+    @kotlin.jvm.Volatile
+    private var mTerminate = false
+
+    @kotlin.jvm.Volatile
+    private var mIsDisconnecting = false
+
+    private val mLogFile: String
+    private val mAppDir: String
+
+    init {
+        mLogFile = filesDirAbsolutePath + java.io.File.separator + LOG_FILE
+        mAppDir = filesDirAbsolutePath
+    }
+
+    fun setNextProfile(profile: VpnProfile) {
+
+        // TODO: take a look at "vpnprofileimportactivity" in starongswan repo 
+        //       to understand how to pass the profile object before starting of ikev2 tunnel
+
+        synchronized(this) {
+            mNextProfile = profile
+            mProfileUpdated = true
+            notifyAll()
+        }
+    }
+
+    override fun run() {
+        while (true) {
+            synchronized(this) {
+                try {
+                    while (!mProfileUpdated) {
+                        Log.i(TAG, "charon contunue")
+                        continue
+                    }
+
+                    mProfileUpdated = false
+                    stopCurrentConnection()
+
+                    if (mNextProfile == null) {
+                        setState(State.DISABLED)
+                        if (mTerminate) {
+                            return@synchronized
+                        }
+                    } else {
+                        mCurrentProfile = mNextProfile
+                        mNextProfile = null
+
+                        val currentProfile = mCurrentProfile
+
+                        /* store this in a separate (volatile) variable to avoid
+                         * a possible deadlock during deinitialization */
+                        mCurrentCertificateAlias = currentProfile!!.certificateAlias
+                        mCurrentUserCertificateAlias = currentProfile!!.userCertificateAlias
+
+                        startConnection(currentProfile)
+
+                        mIsDisconnecting = false
+                        SimpleFetcher.enable()
+                        addNotification()
+                        mBuilderAdapter.setProfile(currentProfile)
+
+                        val flags: Int = currentProfile!!.flags
+
+                        if (initializeCharon(
+                                mBuilderAdapter,
+                                mLogFile,
+                                mAppDir,
+                                currentProfile.vpnType!!.has(VpnTypeFeature.BYOD),
+                                flags and VpnProfile.FLAGS_IPv6_TRANSPORT !== 0
+                            )
+                        ) {
+                            Log.i(TAG, "charon started")
+
+                            if (currentProfile.vpnType!!.has(VpnTypeFeature.USER_PASS) &&
+                                currentProfile.password == null
+                            ) {    /* this can happen if Always-on VPN is enabled with an incomplete profile */
+                                setError(ErrorState.PASSWORD_MISSING)
+                                return@synchronized
+                            }
+
+                            val writer = SettingsWriter()
+                            writer.setValue("global.language", java.util.Locale.getDefault().getLanguage())
+                            writer.setValue("global.mtu", currentProfile.MTU)
+                            writer.setValue("global.nat_keepalive", currentProfile.NATKeepAlive)
+                            writer.setValue("global.rsa_pss", flags and VpnProfile.FLAGS_RSA_PSS !== 0)
+                            writer.setValue("global.crl", flags and VpnProfile.FLAGS_DISABLE_CRL === 0)
+                            writer.setValue("global.ocsp", flags and VpnProfile.FLAGS_DISABLE_OCSP === 0)
+                            writer.setValue("connection.type", currentProfile.vpnType!!.identifier)
+                            writer.setValue("connection.server", currentProfile.gateway)
+                            writer.setValue("connection.port", currentProfile.port)
+                            writer.setValue("connection.username", currentProfile.username)
+                            writer.setValue("connection.password", currentProfile.password)
+                            writer.setValue("connection.local_id", currentProfile.localId)
+                            writer.setValue("connection.remote_id", currentProfile.remoteId)
+                            writer.setValue("connection.certreq", flags and VpnProfile.FLAGS_SUPPRESS_CERT_REQS === 0)
+                            writer.setValue("connection.strict_revocation", flags and VpnProfile.FLAGS_STRICT_REVOCATION !== 0)
+                            writer.setValue("connection.ike_proposal", currentProfile.ikeProposal)
+                            writer.setValue("connection.esp_proposal", currentProfile.espProposal)
+                            initiate(writer.serialize())
+                        } else {
+                            Log.e(TAG, "failed to start charon")
+                            setError(ErrorState.GENERIC_ERROR)
+                            setState(State.DISABLED)
+                            mCurrentProfile = null
+                        }
+                    }
+                } catch (ex: java.lang.InterruptedException) {
+                    stopCurrentConnection()
+                    setState(State.DISABLED)
+                }
+            }
+        }
+    }
+
+    /**
+     * Notify the state service about a new connection attempt.
+     * Called by the handler thread.
+     *
+     * @param profile currently active VPN profile
+     */
+    private fun startConnection(profile: VpnProfile) {
+//        synchronized(mServiceLock) {
+//            if (mService != null) {
+//                mService.startConnection(profile)
+//            }
+//        }
+    }
+
+    /**
+     * Stop any existing connection by deinitializing charon.
+     */
+    private fun stopCurrentConnection() {
+        synchronized(this) {
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
+                mNextProfile?.let {
+                    mBuilderAdapter.setProfile(it)
+                    mBuilderAdapter.establishBlocking()
+                }
+            }
+
+            if (mCurrentProfile != null) {
+                setState(State.DISCONNECTING)
+                mIsDisconnecting = true
+                SimpleFetcher.disable()
+                deinitializeCharon()
+                Log.i(TAG, "charon stopped")
+                mCurrentProfile = null
+                if (mNextProfile == null) {    /* only do this if we are not connecting to another profile */
+                    removeNotification()
+                    mBuilderAdapter.closeBlocking()
+                }
+            }
+        }
+    }
+
+    /**
+     * Update the current VPN state on the state service. Called by the handler
+     * thread and any of charon's threads.
+     *
+     * @param state current state
+     */
+    private fun setState(state: State) {
+//        synchronized(mServiceLock) {
+//            if (mService != null) {
+//                mService.setState(state)
+//            }
+//        }
+    }
+
+    /**
+     * Initialization of charon, provided by libandroidbridge.so
+     *
+     * @param builder BuilderAdapter for this connection
+     * @param logfile absolute path to the logfile
+     * @param appdir absolute path to the data directory of the app
+     * @param byod enable BYOD features
+     * @param ipv6 enable IPv6 transport
+     * @return TRUE if initialization was successful
+     */
+    external fun initializeCharon(
+        builder: BuilderAdapter?,
+        logfile: String?,
+        appdir: String?,
+        byod: Boolean,
+        ipv6: Boolean
+    ): Boolean
+
+    /**
+     * Deinitialize charon, provided by libandroidbridge.so
+     */
+    external fun deinitializeCharon()
+
+    /**
+     * Initiate VPN, provided by libandroidbridge.so
+     */
+    external fun initiate(config: String?)
+
+    /**
+     * Adapter for VpnService.Builder which is used to access it safely via JNI.
+     * There is a corresponding C object to access it from native code.
+     */
+    class BuilderAdapter(val builder: VpnService.Builder) {
+        private lateinit var mProfile: VpnProfile
+        private lateinit var mBuilder: VpnService.Builder
+        private lateinit var mCache: BuilderCache
+        private lateinit var mEstablishedCache: BuilderCache
+        private val mDropper: PacketDropper = PacketDropper()
+
+        init {
+            mBuilder = builder
+        }
+
+        @kotlin.jvm.Synchronized
+        fun setProfile(profile: VpnProfile) {
+            mProfile = profile
+            mBuilder = createBuilder(mProfile.name ?: "")
+            mCache = BuilderCache(mProfile)
+        }
+
+        private fun createBuilder(name: String): VpnService.Builder {
+//            val builder: VpnService.Builder = Builder()
+
+            mBuilder.setSession(name)
+
+            /* even though the option displayed in the system dialog says "Configure"
+			 * we just use our main Activity */
+//            val context: Context = getApplicationContext()
+//            val intent = Intent(context, MainActivity::class.java)
+//            var flags: Int = PendingIntent.FLAG_UPDATE_CURRENT
+//            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+//                flags = flags or PendingIntent.FLAG_IMMUTABLE
+//            }
+//            val pending: PendingIntent = PendingIntent.getActivity(context, 0, intent, flags)
+//            builder.setConfigureIntent(pending)
+
+            /* mark all VPN connections as unmetered (default changed for Android 10) */
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+                mBuilder.setMetered(false)
+            }
+            return mBuilder
+        }
+
+        @kotlin.jvm.Synchronized
+        fun addAddress(address: String?, prefixLength: Int): Boolean {
+            try {
+                mCache.addAddress(address, prefixLength)
+            } catch (ex: java.lang.IllegalArgumentException) {
+                return false
+            }
+            return true
+        }
+
+        @kotlin.jvm.Synchronized
+        fun addDnsServer(address: String?): Boolean {
+            try {
+                mCache.addDnsServer(address)
+            } catch (ex: java.lang.IllegalArgumentException) {
+                return false
+            }
+            return true
+        }
+
+        @kotlin.jvm.Synchronized
+        fun addRoute(address: String?, prefixLength: Int): Boolean {
+            try {
+                mCache.addRoute(address, prefixLength)
+            } catch (ex: java.lang.IllegalArgumentException) {
+                return false
+            }
+            return true
+        }
+
+        @kotlin.jvm.Synchronized
+        fun addSearchDomain(domain: String): Boolean {
+            try {
+                mBuilder.addSearchDomain(domain)
+            } catch (ex: java.lang.IllegalArgumentException) {
+                return false
+            }
+            return true
+        }
+
+        @kotlin.jvm.Synchronized
+        fun setMtu(mtu: Int): Boolean {
+            try {
+                mCache.setMtu(mtu)
+            } catch (ex: java.lang.IllegalArgumentException) {
+                return false
+            }
+            return true
+        }
+
+        @kotlin.jvm.Synchronized
+        private fun establishIntern(): ParcelFileDescriptor? {
+            val fd: ParcelFileDescriptor?
+            try {
+                mCache.applyData(mBuilder)
+                fd = mBuilder.establish()
+                if (fd != null) {
+                    closeBlocking()
+                }
+            } catch (ex: java.lang.Exception) {
+                ex.printStackTrace()
+                return null
+            }
+            if (fd == null) {
+                return null
+            }
+            /* now that the TUN device is created we don't need the current
+			 * builder anymore, but we might need another when reestablishing */
+            mBuilder = createBuilder(mProfile.name ?: "")
+            mEstablishedCache = mCache
+            mCache = BuilderCache(mProfile)
+            return fd
+        }
+
+        @kotlin.jvm.Synchronized
+        fun establish(): Int {
+            val fd: ParcelFileDescriptor? = establishIntern()
+            return if (fd != null) fd.detachFd() else -1
+        }
+
+        @TargetApi(Build.VERSION_CODES.LOLLIPOP)
+        @kotlin.jvm.Synchronized
+        fun establishBlocking() {
+            /* just choose some arbitrary values to block all traffic (except for what's configured in the profile) */
+            mCache.addAddress("172.16.252.1", 32)
+            mCache.addAddress("fd00::fd02:1", 128)
+            mCache.addRoute("0.0.0.0", 0)
+            mCache.addRoute("::", 0)
+            /* set DNS servers to avoid DNS leak later */
+            mBuilder.addDnsServer("8.8.8.8")
+            mBuilder.addDnsServer("2001:4860:4860::8888")
+            /* use blocking mode to simplify packet dropping */
+            mBuilder.setBlocking(true)
+            val fd: ParcelFileDescriptor? = establishIntern()
+            if (fd != null) {
+                mDropper.start(fd)
+            }
+        }
+
+        @kotlin.jvm.Synchronized
+        fun closeBlocking() {
+            mDropper.stop()
+        }
+
+        @kotlin.jvm.Synchronized
+        fun establishNoDns(): Int {
+            val fd: ParcelFileDescriptor?
+            if (mEstablishedCache == null) {
+                return -1
+            }
+            fd = try {
+                val builder: VpnService.Builder = createBuilder(mProfile.name ?: "")
+                mEstablishedCache.applyData(builder)
+                builder.establish()
+            } catch (ex: java.lang.Exception) {
+                ex.printStackTrace()
+                return -1
+            }
+            return if (fd == null) {
+                -1
+            } else fd.detachFd()
+        }
+
+        private inner class PacketDropper : java.lang.Runnable {
+            private var mFd: ParcelFileDescriptor? = null
+            private lateinit var mThread: java.lang.Thread
+
+            fun start(fd: ParcelFileDescriptor) {
+                mFd = fd
+                mThread = java.lang.Thread(this)
+                mThread.start()
+            }
+
+            fun stop() {
+                if (mFd != null) {
+                    try {
+                        mThread.interrupt()
+                        mThread.join()
+                        mFd?.close()
+                    } catch (e: java.lang.InterruptedException) {
+                        e.printStackTrace()
+                    } catch (e: java.io.IOException) {
+                        e.printStackTrace()
+                    }
+                    mFd = null
+                }
+            }
+
+            @kotlin.jvm.Synchronized
+            override fun run() {
+                try {
+                    val plain: java.io.FileInputStream = java.io.FileInputStream(mFd?.getFileDescriptor())
+                    val packet: java.nio.ByteBuffer = java.nio.ByteBuffer.allocate(mCache.mMtu)
+                    while (true) {
+                        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {    /* just read and ignore all data, regular read() is not interruptible */
+                            val len: Int = plain.getChannel().read(packet)
+                            packet.clear()
+                            if (len < 0) {
+                                break
+                            }
+                        } else {    /* this is rather ugly but on older platforms not even the NIO version of read() is interruptible */
+                            var wait = true
+                            if (plain.available() > 0) {
+                                val len: Int = plain.read(packet.array())
+                                packet.clear()
+                                if (len < 0 || java.lang.Thread.interrupted()) {
+                                    break
+                                }
+                                /* check again right away, there may be another packet */wait = false
+                            }
+                            if (wait) {
+                                java.lang.Thread.sleep(250)
+                            }
+                        }
+                    }
+                } catch (e: java.nio.channels.ClosedByInterruptException) {
+                    /* regular interruption */
+                } catch (e: java.lang.InterruptedException) {
+                } catch (e: java.io.IOException) {
+                    e.printStackTrace()
+                }
+            }
+        }
+    }
+
+    /**
+     * Cache non DNS related information so we can recreate the builder without
+     * that information when reestablishing IKE_SAs
+     */
+    class BuilderCache(profile: VpnProfile) {
+        val mAddresses: MutableList<IPRange> = java.util.ArrayList<IPRange>()
+        val mRoutesIPv4: MutableList<IPRange> = java.util.ArrayList<IPRange>()
+        val mRoutesIPv6: MutableList<IPRange> = java.util.ArrayList<IPRange>()
+        val mIncludedSubnetsv4: IPRangeSet = IPRangeSet()
+        val mIncludedSubnetsv6: IPRangeSet = IPRangeSet()
+        val mExcludedSubnets: IPRangeSet
+        val mSplitTunneling: Int
+        val mAppHandling: SelectedAppsHandling
+        val mSelectedApps: java.util.SortedSet<String>
+        val mDnsServers: MutableList<java.net.InetAddress> = java.util.ArrayList<java.net.InetAddress>()
+        var mMtu: Int
+        var mIPv4Seen = false
+        var mIPv6Seen = false
+        var mDnsServersConfigured = false
+
+        init {
+            val included: IPRangeSet = IPRangeSet.fromString(profile?.includedSubnets)
+            for (range in included) {
+                if (range.getFrom() is java.net.Inet4Address) {
+                    mIncludedSubnetsv4.add(range)
+                } else if (range.getFrom() is java.net.Inet6Address) {
+                    mIncludedSubnetsv6.add(range)
+                }
+            }
+            mExcludedSubnets = IPRangeSet.fromString(profile.excludedSubnets ?: "")
+            val splitTunneling: Int? = profile.splitTunneling
+            mSplitTunneling = splitTunneling ?: 0
+            var appHandling: SelectedAppsHandling = profile.selectedAppsHandling
+            mSelectedApps = profile.selectedAppsSet
+
+            when (appHandling) {
+                SelectedAppsHandling.SELECTED_APPS_DISABLE -> {
+                    appHandling = SelectedAppsHandling.SELECTED_APPS_EXCLUDE
+                    mSelectedApps.clear()
+                    mSelectedApps.add(PACKAGE_NAME)
+                }
+
+                SelectedAppsHandling.SELECTED_APPS_EXCLUDE -> {
+                    mSelectedApps.add(PACKAGE_NAME)
+                }
+
+                SelectedAppsHandling.SELECTED_APPS_ONLY -> {
+                    mSelectedApps.remove(PACKAGE_NAME)
+                }
+            }
+            mAppHandling = appHandling
+
+            val dnsServers = profile.dnsServers
+            if (dnsServers != null) {
+                for (server in dnsServers.split("\\s+")) {
+                    try {
+                        mDnsServers.add(Utils.parseInetAddress(server))
+                        recordAddressFamily(server)
+                        mDnsServersConfigured = true
+                    } catch (e: java.net.UnknownHostException) {
+                        e.printStackTrace()
+                    }
+                }
+            }
+
+            /* set a default MTU, will be set by the daemon for regular interfaces */
+            val mtu: Int? = profile.MTU
+            mMtu = mtu ?: Constants.MTU_MAX
+        }
+
+        fun addAddress(address: String?, prefixLength: Int) {
+            try {
+                mAddresses.add(IPRange(address, prefixLength))
+                recordAddressFamily(address)
+            } catch (ex: java.net.UnknownHostException) {
+                ex.printStackTrace()
+            }
+        }
+
+        fun addDnsServer(address: String?) {
+            /* ignore received DNS servers if any were configured */
+            if (mDnsServersConfigured) {
+                return
+            }
+            try {
+                mDnsServers.add(Utils.parseInetAddress(address))
+                recordAddressFamily(address)
+            } catch (e: java.net.UnknownHostException) {
+                e.printStackTrace()
+            }
+        }
+
+        fun addRoute(address: String?, prefixLength: Int) {
+            try {
+                if (isIPv6(address)) {
+                    mRoutesIPv6.add(IPRange(address, prefixLength))
+                } else {
+                    mRoutesIPv4.add(IPRange(address, prefixLength))
+                }
+            } catch (ex: java.net.UnknownHostException) {
+                ex.printStackTrace()
+            }
+        }
+
+        fun setMtu(mtu: Int) {
+            mMtu = mtu
+        }
+
+        fun recordAddressFamily(address: String?) {
+            try {
+                if (isIPv6(address)) {
+                    mIPv6Seen = true
+                } else {
+                    mIPv4Seen = true
+                }
+            } catch (ex: java.net.UnknownHostException) {
+                ex.printStackTrace()
+            }
+        }
+
+        @TargetApi(Build.VERSION_CODES.LOLLIPOP)
+        fun applyData(builder: VpnService.Builder) {
+            for (address in mAddresses) {
+                builder.addAddress(address.getFrom(), address.getPrefix())
+            }
+            for (server in mDnsServers) {
+                builder.addDnsServer(server)
+            }
+            /* add routes depending on whether split tunneling is allowed or not,
+			 * that is, whether we have to handle and block non-VPN traffic */
+            if (mSplitTunneling and VpnProfile.SPLIT_TUNNELING_BLOCK_IPV4 === 0) {
+                if (mIPv4Seen) {    /* split tunneling is used depending on the routes and configuration */
+                    val ranges = IPRangeSet()
+                    if (mIncludedSubnetsv4.size() > 0) {
+                        ranges.add(mIncludedSubnetsv4)
+                    } else {
+                        ranges.addAll(mRoutesIPv4)
+                    }
+                    ranges.remove(mExcludedSubnets)
+                    for (subnet in ranges.subnets()) {
+                        try {
+                            builder.addRoute(subnet.getFrom(), subnet.getPrefix())
+                        } catch (e: java.lang.IllegalArgumentException) {    /* some Android versions don't seem to like multicast addresses here,
+							 * ignore it for now */
+                            if (!subnet.getFrom().isMulticastAddress()) {
+                                throw e
+                            }
+                        }
+                    }
+                } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {    /* allow traffic that would otherwise be blocked to bypass the VPN */
+                    builder.allowFamily(OsConstants.AF_INET)
+                }
+            } else if (mIPv4Seen) {    /* only needed if we've seen any addresses.  otherwise, traffic
+				 * is blocked by default (we also install no routes in that case) */
+                builder.addRoute("0.0.0.0", 0)
+            }
+            /* same thing for IPv6 */
+            if (mSplitTunneling and VpnProfile.SPLIT_TUNNELING_BLOCK_IPV6 === 0) {
+                if (mIPv6Seen) {
+                    val ranges = IPRangeSet()
+                    if (mIncludedSubnetsv6.size() > 0) {
+                        ranges.add(mIncludedSubnetsv6)
+                    } else {
+                        ranges.addAll(mRoutesIPv6)
+                    }
+                    ranges.remove(mExcludedSubnets)
+                    for (subnet in ranges.subnets()) {
+                        try {
+                            builder.addRoute(subnet.getFrom(), subnet.getPrefix())
+                        } catch (e: java.lang.IllegalArgumentException) {
+                            if (!subnet.getFrom().isMulticastAddress()) {
+                                throw e
+                            }
+                        }
+                    }
+                } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
+                    builder.allowFamily(OsConstants.AF_INET6)
+                }
+            } else if (mIPv6Seen) {
+                builder.addRoute("::", 0)
+            }
+            /* apply selected applications */
+            if (mSelectedApps.size > 0 &&
+                Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP
+            ) {
+                when (mAppHandling) {
+                    SelectedAppsHandling.SELECTED_APPS_EXCLUDE -> for (app in mSelectedApps) {
+                        try {
+                            builder.addDisallowedApplication(app)
+                        } catch (e: PackageManager.NameNotFoundException) {
+                            // possible if not configured via GUI or app was uninstalled
+                        }
+                    }
+
+                    SelectedAppsHandling.SELECTED_APPS_ONLY -> for (app in mSelectedApps) {
+                        try {
+                            builder.addAllowedApplication(app)
+                        } catch (e: PackageManager.NameNotFoundException) {
+                            // possible if not configured via GUI or app was uninstalled
+                        }
+                    }
+
+                    else -> {}
+                }
+            }
+            builder.setMtu(mMtu)
+        }
+
+        @kotlin.Throws(java.net.UnknownHostException::class)
+        private fun isIPv6(address: String?): Boolean {
+            val addr: java.net.InetAddress = Utils.parseInetAddress(address)
+            if (addr is java.net.Inet4Address) {
+                return false
+            } else if (addr is java.net.Inet6Address) {
+                return true
+            }
+            return false
+        }
+    }
+
+    /**
+     * Function called via JNI to determine information about the Android version.
+     */
+    private fun getAndroidVersion(): String? {
+        var version = "Android " + Build.VERSION.RELEASE + " - " + Build.DISPLAY
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+            version += "/" + Build.VERSION.SECURITY_PATCH
+        }
+        return version
+    }
+
+    /**
+     * Function called via JNI to determine information about the device.
+     */
+    private fun getDeviceString(): String? {
+        return ((Build.MODEL + " - " + Build.BRAND).toString() + "/" + Build.PRODUCT).toString() + "/" + Build.MANUFACTURER
+    }
+
+    /**
+     * Add a permanent notification while we are connected to avoid the service getting killed by
+     * the system when low on memory.
+     */
+    private fun addNotification() {
+//        mHandler.post(object : java.lang.Runnable {
+//            fun run() {
+//                mShowNotification = true
+//                startForeground(
+//                    org.strongswan.android.logic.CharonVpnService.VPN_STATE_NOTIFICATION_ID,
+//                    buildNotification(false)
+//                )
+//            }
+//        })
+    }
+
+    /**
+     * Remove the permanent notification.
+     */
+    private fun removeNotification() {
+//        mHandler.post(object : java.lang.Runnable {
+//            fun run() {
+//                mShowNotification = false
+//                stopForeground(true)
+//            }
+//        })
+    }
+
+    /**
+     * Set an error on the state service. Called by the handler thread and any
+     * of charon's threads.
+     *
+     * @param error error state
+     */
+    private fun setError(error: ErrorState) {
+//        synchronized(mServiceLock) {
+//            if (mService != null) {
+//                mService.setError(error)
+//            }
+//        }
+    }
+
+    enum class State {
+        DISABLED, CONNECTING, CONNECTED, DISCONNECTING
+    }
+
+    enum class ErrorState {
+        NO_ERROR, AUTH_FAILED, PEER_AUTH_FAILED, LOOKUP_FAILED, UNREACHABLE, GENERIC_ERROR, PASSWORD_MISSING, CERTIFICATE_UNAVAILABLE
+    }
+}

client/android/src/org/amnezia/vpn/VPNService.kt

@@ -150,6 +150,8 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
     private var mOpenVPNThreadv3: OpenVPNThreadv3? = null
     var currentTunnelHandle = -1
 
+    private var ikev2VpnThread: IKEv2Thread? = null
+
     private var intent: Intent? = null
     private var flags = 0
     private var startId = 0
@@ -165,6 +167,7 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
         Log.e(tag, "Wireguard Version ${wgVersion()}")
         mOpenVPNThreadv3 = OpenVPNThreadv3(this)
         mAlreadyInitialised = true
+        ikev2VpnThread = IKEv2Thread(mbuilder, getFilesDir().getAbsolutePath())
     }
 
     override fun onCreate() {
@@ -384,8 +387,11 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
                 startShadowsocks()
                 startTest()
             }
+            "ikev2" -> {
+                startIPSEC()
+            }
             else -> {
-                Log.e(tag, "No protocol")
+                Log.e(tag, "Unknown protocol ($mProtocol)")
                 return 0
             }
         }
@@ -393,6 +399,18 @@ class VPNService : BaseVpnService(), LocalDnsService.Interface {
         return 1
     }
 
+    private fun startIPSEC() {
+        Log.v(tag, "start ipsec")
+        ikev2VpnThread = IKEv2Thread(mbuilder, getFilesDir().getAbsolutePath())
+        
+        // TODO: pass the "vpnprofile" instance as a parameter
+        // ikev2VpnThread.setNextProfile() 
+
+        Thread({
+            ikev2VpnThread?.run()
+        }).start()
+    }
+
     fun establish(): ParcelFileDescriptor? {
         Log.v(tag, "Aman: establish....................")
         mbuilder.allowFamily(OsConstants.AF_INET)

client/android/src/org/amnezia/vpn/ikev2/VpnProfile.kt

@@ -0,0 +1,111 @@
+package org.amnezia.vpn.ikev2
+
+import android.text.TextUtils
+
+class VpnProfile : kotlin.Cloneable {
+    var name: String? = null
+    var gateway: String? = null
+    var username: String? = null
+    var password: String? = null
+    var certificateAlias: String? = null
+    var userCertificateAlias: String? = null
+    var remoteId: String? = null
+    var localId: String? = null
+    var excludedSubnets: String? = null
+    var includedSubnets: String? = null
+    var selectedApps: String? = null
+    var ikeProposal: String? = null
+    var espProposal: String? = null
+    var dnsServers: String? = null
+    var MTU: Int? = null
+    var port: Int? = null
+    var splitTunneling: Int? = null
+    var NATKeepAlive: Int? = null
+    private var mFlags: Int? = null
+    var selectedAppsHandling = SelectedAppsHandling.SELECTED_APPS_DISABLE
+    private var mVpnType: VpnType? = null
+    private var mUUID: java.util.UUID?
+    var id: Long = -1
+
+    enum class SelectedAppsHandling(val value: Int) {
+        SELECTED_APPS_DISABLE(0), SELECTED_APPS_EXCLUDE(1), SELECTED_APPS_ONLY(2);
+
+    }
+
+    init {
+        mUUID = java.util.UUID.randomUUID()
+    }
+
+    var uUID: java.util.UUID?
+        get() = mUUID
+        set(uuid) {
+            mUUID = uuid
+        }
+    var vpnType: VpnType?
+        get() = mVpnType
+        set(type) {
+            mVpnType = type
+        }
+
+    fun setSelectedApps(selectedApps: java.util.SortedSet<String?>) {
+        this.selectedApps = if (selectedApps.size > 0) TextUtils.join(" ", selectedApps) else null
+    }
+
+    val selectedAppsSet: java.util.SortedSet<String>
+        get() {
+            val set: java.util.TreeSet<String> = java.util.TreeSet<String>()
+            if (!TextUtils.isEmpty(selectedApps)) {
+                set.addAll(
+                    java.util.Arrays.asList<String>(
+                        *selectedApps!!.split("\\s+".toRegex()).dropLastWhile { it.isEmpty() }
+                            .toTypedArray()))
+            }
+            return set
+        }
+
+    fun setSelectedAppsHandling(value: Int) {
+        selectedAppsHandling = SelectedAppsHandling.SELECTED_APPS_DISABLE
+        for (handling in VpnProfile.SelectedAppsHandling.values()) {
+            if (handling.value == value) {
+                selectedAppsHandling = handling
+                break
+            }
+        }
+    }
+
+    var flags: Int = 0
+
+    override fun toString(): String {
+        return name!!
+    }
+
+    override fun equals(o: Any?): Boolean {
+        if (o != null && o is VpnProfile) {
+            val other = o
+            return if (mUUID != null && other.uUID != null) {
+                mUUID == other.uUID
+            } else id == other.id
+        }
+        return false
+    }
+
+    override fun clone(): VpnProfile {
+        return try {
+            super.clone() as VpnProfile
+        } catch (e: java.lang.CloneNotSupportedException) {
+            throw java.lang.AssertionError()
+        }
+    }
+
+    companion object {
+        /* While storing this as EnumSet would be nicer this simplifies storing it in a database */
+        const val SPLIT_TUNNELING_BLOCK_IPV4 = 1
+        const val SPLIT_TUNNELING_BLOCK_IPV6 = 2
+        const val FLAGS_SUPPRESS_CERT_REQS = 1 shl 0
+        const val FLAGS_DISABLE_CRL = 1 shl 1
+        const val FLAGS_DISABLE_OCSP = 1 shl 2
+        const val FLAGS_STRICT_REVOCATION = 1 shl 3
+        const val FLAGS_RSA_PSS = 1 shl 4
+        const val FLAGS_IPv6_TRANSPORT = 1 shl 5
+    }
+}

client/android/src/org/amnezia/vpn/ikev2/VpnType.kt

@@ -0,0 +1,79 @@
+package org.amnezia.vpn.ikev2
+
+enum class VpnType(
+    /**
+     * The identifier used to store this value in the database
+     * @return identifier
+     */
+    val identifier: String, features: java.util.EnumSet<VpnTypeFeature>
+) {
+    /* the order here must match the items in R.array.vpn_types */
+    IKEV2_EAP("ikev2-eap", java.util.EnumSet.of(VpnTypeFeature.USER_PASS)), IKEV2_CERT(
+        "ikev2-cert", java.util.EnumSet.of(
+            VpnTypeFeature.CERTIFICATE
+        )
+    ),
+    IKEV2_CERT_EAP(
+        "ikev2-cert-eap",
+        java.util.EnumSet.of(VpnTypeFeature.USER_PASS, VpnTypeFeature.CERTIFICATE)
+    ),
+    IKEV2_EAP_TLS(
+        "ikev2-eap-tls", java.util.EnumSet.of(
+            VpnTypeFeature.CERTIFICATE
+        )
+    ),
+    IKEV2_BYOD_EAP("ikev2-byod-eap", java.util.EnumSet.of(VpnTypeFeature.USER_PASS, VpnTypeFeature.BYOD));
+
+    /**
+     * Features of a VPN type.
+     */
+    enum class VpnTypeFeature {
+        /** client certificate is required  */
+        CERTIFICATE,
+
+        /** username and password are required  */
+        USER_PASS,
+
+        /** enable BYOD features  */
+        BYOD
+    }
+
+    private val mFeatures: java.util.EnumSet<VpnTypeFeature>
+
+    /**
+     * Enum which provides additional information about the supported VPN types.
+     *
+     * @param id identifier used to store and transmit this specific type
+     * @param features of the given VPN type
+     * @param certificate true if a client certificate is required
+     */
+    init {
+        mFeatures = features
+    }
+
+    /**
+     * Checks whether a feature is supported/required by this type of VPN.
+     *
+     * @return true if the feature is supported/required
+     */
+    fun has(feature: VpnTypeFeature?): Boolean {
+        return mFeatures.contains(feature)
+    }
+
+    companion object {
+        /**
+         * Get the enum entry with the given identifier.
+         *
+         * @param identifier get the enum entry with this identifier
+         * @return the enum entry, or the default if not found
+         */
+        fun fromIdentifier(identifier: String): VpnType {
+            for (type in VpnType.values()) {
+                if (identifier == type.identifier) {
+                    return type
+                }
+            }
+            return IKEV2_EAP
+        }
+    }
+}

client/android/src/org/amnezia/vpn/ikev2/utils/BufferedByteWriter.java

@@ -0,0 +1,272 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+package org.amnezia.vpn.ikev2.utils;
+
+import java.nio.ByteBuffer;
+
+/**
+ * Very similar to ByteBuffer (although with a stripped interface) but it
+ * automatically resizes the underlying buffer.
+ */
+public class BufferedByteWriter
+{
+	/**
+	 * The underlying byte buffer
+	 */
+	private byte[] mBuffer;
+
+	/**
+	 * ByteBuffer used as wrapper around the buffer to easily convert values
+	 */
+	private ByteBuffer mWriter;
+
+	/**
+	 * Create a writer with a default initial capacity
+	 */
+	public BufferedByteWriter()
+	{
+		this(0);
+	}
+
+	/**
+	 * Create a writer with the given initial capacity (helps avoid expensive
+	 * resizing if known).
+	 * @param capacity initial capacity
+	 */
+	public BufferedByteWriter(int capacity)
+	{
+		capacity = capacity > 4 ? capacity : 32;
+		mBuffer = new byte[capacity];
+		mWriter = ByteBuffer.wrap(mBuffer);
+	}
+
+	/**
+	 * Ensure that there is enough space available to write the requested
+	 * number of bytes. If necessary the internal buffer is resized.
+	 * @param required required number of bytes
+	 */
+	private void ensureCapacity(int required)
+	{
+		if (mWriter.remaining() >= required)
+		{
+			return;
+		}
+		byte[] buffer = new byte[(mBuffer.length + required) * 2];
+		System.arraycopy(mBuffer, 0, buffer, 0, mWriter.position());
+		mBuffer = buffer;
+		ByteBuffer writer = ByteBuffer.wrap(buffer);
+		writer.position(mWriter.position());
+		mWriter = writer;
+	}
+
+	/**
+	 * Write the given byte array to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put(byte[] value)
+	{
+		ensureCapacity(value.length);
+		mWriter.put(value);
+		return this;
+	}
+
+	/**
+	 * Write the given byte to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put(byte value)
+	{
+		ensureCapacity(1);
+		mWriter.put(value);
+		return this;
+	}
+
+	/**
+	 * Write the 8-bit length of the given data followed by the data itself
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter putLen8(byte[] value)
+	{
+		ensureCapacity(1 + value.length);
+		mWriter.put((byte)value.length);
+		mWriter.put(value);
+		return this;
+	}
+
+	/**
+	 * Write the 16-bit length of the given data followed by the data itself
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter putLen16(byte[] value)
+	{
+		ensureCapacity(2 + value.length);
+		mWriter.putShort((short)value.length);
+		mWriter.put(value);
+		return this;
+	}
+
+	/**
+	 * Write the given short value (16-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put16(byte value)
+	{
+		return this.put16((short)(value & 0xFF));
+	}
+
+	/**
+	 * Write the given short value (16-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put16(short value)
+	{
+		ensureCapacity(2);
+		mWriter.putShort(value);
+		return this;
+	}
+
+	/**
+	 * Write 24-bit of the given value in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put24(byte value)
+	{
+		ensureCapacity(3);
+		mWriter.putShort((short)0);
+		mWriter.put(value);
+		return this;
+	}
+
+	/**
+	 * Write 24-bit of the given value in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put24(short value)
+	{
+		ensureCapacity(3);
+		mWriter.put((byte)0);
+		mWriter.putShort(value);
+		return this;
+	}
+
+	/**
+	 * Write 24-bit of the given value in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put24(int value)
+	{
+		ensureCapacity(3);
+		mWriter.put((byte)(value >> 16));
+		mWriter.putShort((short)value);
+		return this;
+	}
+
+	/**
+	 * Write the given int value (32-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put32(byte value)
+	{
+		return put32(value & 0xFF);
+	}
+
+	/**
+	 * Write the given int value (32-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put32(short value)
+	{
+		return put32(value & 0xFFFF);
+	}
+
+	/**
+	 * Write the given int value (32-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put32(int value)
+	{
+		ensureCapacity(4);
+		mWriter.putInt(value);
+		return this;
+	}
+
+	/**
+	 * Write the given long value (64-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put64(byte value)
+	{
+		return put64(value & 0xFFL);
+	}
+
+	/**
+	 * Write the given long value (64-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put64(short value)
+	{
+		return put64(value & 0xFFFFL);
+	}
+
+	/**
+	 * Write the given long value (64-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put64(int value)
+	{
+		return put64(value & 0xFFFFFFFFL);
+	}
+
+	/**
+	 * Write the given long value (64-bit) in big-endian order to the buffer
+	 * @param value
+	 * @return the writer
+	 */
+	public BufferedByteWriter put64(long value)
+	{
+		ensureCapacity(8);
+		mWriter.putLong(value);
+		return this;
+	}
+
+	/**
+	 * Convert the internal buffer to a new byte array.
+	 * @return byte array
+	 */
+	public byte[] toByteArray()
+	{
+		int length = mWriter.position();
+		byte[] bytes = new byte[length];
+		System.arraycopy(mBuffer, 0, bytes, 0, length);
+		return bytes;
+	}
+}

client/android/src/org/amnezia/vpn/ikev2/utils/Constants.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2016-2020 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+package org.amnezia.vpn.ikev2.utils;
+
+public final class Constants
+{
+	/**
+	 * Intent action used to notify about changes to the VPN profiles
+	 */
+	public static final String VPN_PROFILES_CHANGED = "org.strongswan.android.VPN_PROFILES_CHANGED";
+
+	/**
+	 * Used in the intent above to notify about edits or inserts of a VPN profile (long)
+	 */
+	public static final String VPN_PROFILES_SINGLE = "org.strongswan.android.VPN_PROFILES_SINGLE";
+
+	/**
+	 * Used in the intent above to notify about the deletion of multiple VPN profiles (array of longs)
+	 */
+	public static final String VPN_PROFILES_MULTIPLE = "org.strongswan.android.VPN_PROFILES_MULTIPLE";
+
+	/**
+	 * Limits for MTU
+	 */
+	public static final int MTU_MAX = 1500;
+	public static final int MTU_MIN = 1280;
+
+	/**
+	 * Limits for NAT-T keepalive
+	 */
+	public static final int NAT_KEEPALIVE_MAX = 120;
+	public static final int NAT_KEEPALIVE_MIN = 10;
+
+	/**
+	 * Preference key for default VPN profile
+	 */
+	public static final String PREF_DEFAULT_VPN_PROFILE = "pref_default_vpn_profile";
+
+	/**
+	 * Value used to signify that the most recently used profile should be used as default
+	 */
+	public static final String PREF_DEFAULT_VPN_PROFILE_MRU = "pref_default_vpn_profile_mru";
+
+	/**
+	 * Preference key to store the most recently used VPN profile
+	 */
+	public static final String PREF_MRU_VPN_PROFILE = "pref_mru_vpn_profile";
+
+	/**
+	 * Preference key to store whether the user permanently dismissed our warning to add the app to the power whitelist
+	 */
+	public static final String PREF_IGNORE_POWER_WHITELIST = "pref_ignore_power_whitelist";
+}

client/android/src/org/amnezia/vpn/ikev2/utils/IPRange.java

@@ -0,0 +1,510 @@
+/*
+ * Copyright (C) 2012-2017 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+package org.amnezia.vpn.ikev2.utils;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import androidx.annotation.NonNull;
+
+/**
+ * Class that represents a range of IP addresses. This range could be a proper subnet, but that's
+ * not necessarily the case (see {@code getPrefix} and {@code toSubnets}).
+ */
+public class IPRange implements Comparable<IPRange>
+{
+	private final byte[] mBitmask = { (byte)0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
+	private byte[] mFrom;
+	private byte[] mTo;
+	private Integer mPrefix;
+
+	/**
+	 * Determine if the range is a proper subnet and, if so, what the network prefix is.
+	 */
+	private void determinePrefix()
+	{
+		boolean matching = true;
+
+		mPrefix = mFrom.length * 8;
+		for (int i = 0; i < mFrom.length; i++)
+		{
+			for (int bit = 0; bit < 8; bit++)
+			{
+				if (matching)
+				{
+					if ((mFrom[i] & mBitmask[bit]) != (mTo[i] & mBitmask[bit]))
+					{
+						mPrefix = (i * 8) + bit;
+						matching = false;
+					}
+				}
+				else
+				{
+					if ((mFrom[i] & mBitmask[bit]) != 0 || (mTo[i] & mBitmask[bit]) == 0)
+					{
+						mPrefix = null;
+						return;
+					}
+				}
+			}
+		}
+	}
+
+	private IPRange(byte[] from, byte[] to)
+	{
+		mFrom = from;
+		mTo = to;
+		determinePrefix();
+	}
+
+	public IPRange(String from, String to) throws UnknownHostException
+	{
+		this(Utils.parseInetAddress(from), Utils.parseInetAddress(to));
+	}
+
+	public IPRange(InetAddress from, InetAddress to)
+	{
+		initializeFromRange(from, to);
+	}
+
+	private void initializeFromRange(InetAddress from, InetAddress to)
+	{
+		byte[] fa = from.getAddress(), ta = to.getAddress();
+		if (fa.length != ta.length)
+		{
+			throw new IllegalArgumentException("Invalid range");
+		}
+		if (compareAddr(fa, ta) < 0)
+		{
+			mFrom = fa;
+			mTo = ta;
+		}
+		else
+		{
+			mTo = fa;
+			mFrom = ta;
+		}
+		determinePrefix();
+	}
+
+	public IPRange(String base, int prefix) throws UnknownHostException
+	{
+		this(Utils.parseInetAddress(base), prefix);
+	}
+
+	public IPRange(InetAddress base, int prefix)
+	{
+		this(base.getAddress(), prefix);
+	}
+
+	private IPRange(byte[] from, int prefix)
+	{
+		initializeFromCIDR(from, prefix);
+	}
+
+	private void initializeFromCIDR(byte[] from, int prefix)
+	{
+		if (from.length != 4 && from.length != 16)
+		{
+			throw new IllegalArgumentException("Invalid address");
+		}
+		if (prefix < 0 || prefix > from.length * 8)
+		{
+			throw new IllegalArgumentException("Invalid prefix");
+		}
+		byte[] to = from.clone();
+		byte mask = (byte)(0xff << (8 - prefix % 8));
+		int i = prefix / 8;
+
+		if (i < from.length)
+		{
+			from[i] = (byte)(from[i] & mask);
+			to[i] = (byte)(to[i] | ~mask);
+			Arrays.fill(from, i+1, from.length, (byte)0);
+			Arrays.fill(to, i+1, to.length, (byte)0xff);
+		}
+		mFrom = from;
+		mTo = to;
+		mPrefix = prefix;
+	}
+
+	public IPRange(String cidr) throws UnknownHostException
+	{
+		/* only verify the basic structure */
+		if (!cidr.matches("(?i)^(([0-9.]+)|([0-9a-f:]+))(-(([0-9.]+)|([0-9a-f:]+))|(/\\d+))?$"))
+		{
+			throw new IllegalArgumentException("Invalid CIDR or range notation");
+		}
+		if (cidr.contains("-"))
+		{
+			String[] parts = cidr.split("-");
+			InetAddress from = InetAddress.getByName(parts[0]);
+			InetAddress to = InetAddress.getByName(parts[1]);
+			initializeFromRange(from, to);
+		}
+		else
+		{
+			String[] parts = cidr.split("/");
+			InetAddress addr = InetAddress.getByName(parts[0]);
+			byte[] base = addr.getAddress();
+			int prefix = base.length * 8;
+			if (parts.length > 1)
+			{
+				prefix = Integer.parseInt(parts[1]);
+			}
+			initializeFromCIDR(base, prefix);
+		}
+	}
+
+	/**
+	 * Returns the first address of the range. The network ID in case this is a proper subnet.
+	 */
+	public InetAddress getFrom()
+	{
+		try
+		{
+			return InetAddress.getByAddress(mFrom);
+		}
+		catch (UnknownHostException ignored)
+		{
+			return null;
+		}
+	}
+
+	/**
+	 * Returns the last address of the range.
+	 */
+	public InetAddress getTo()
+	{
+		try
+		{
+			return InetAddress.getByAddress(mTo);
+		}
+		catch (UnknownHostException ignored)
+		{
+			return null;
+		}
+	}
+
+	/**
+	 * If this range is a proper subnet returns its prefix, otherwise returns null.
+	 */
+	public Integer getPrefix()
+	{
+		return mPrefix;
+	}
+
+	@Override
+	public int compareTo(@NonNull IPRange other)
+	{
+		int cmp = compareAddr(mFrom, other.mFrom);
+		if (cmp == 0)
+		{	/* smaller ranges first */
+			cmp = compareAddr(mTo, other.mTo);
+		}
+		return cmp;
+	}
+
+	@Override
+	public boolean equals(Object o)
+	{
+		if (o == null || !(o instanceof IPRange))
+		{
+			return false;
+		}
+		return this == o || compareTo((IPRange)o) == 0;
+	}
+
+	@Override
+	public String toString()
+	{
+		try
+		{
+			if (mPrefix != null)
+			{
+				return InetAddress.getByAddress(mFrom).getHostAddress() + "/" + mPrefix;
+			}
+			return InetAddress.getByAddress(mFrom).getHostAddress() + "-" +
+				   InetAddress.getByAddress(mTo).getHostAddress();
+		}
+		catch (UnknownHostException ignored)
+		{
+			return super.toString();
+		}
+	}
+
+	private int compareAddr(byte a[], byte b[])
+	{
+		if (a.length != b.length)
+		{
+			return (a.length < b.length) ? -1 : 1;
+		}
+		for (int i = 0; i < a.length; i++)
+		{
+			if (a[i] != b[i])
+			{
+				if (((int)a[i] & 0xff) < ((int)b[i] & 0xff))
+				{
+					return -1;
+				}
+				else
+				{
+					return 1;
+				}
+			}
+		}
+		return 0;
+	}
+
+	/**
+	 * Check if this range fully contains the given range.
+	 */
+	public boolean contains(IPRange range)
+	{
+		return compareAddr(mFrom, range.mFrom) <= 0 && compareAddr(range.mTo, mTo) <= 0;
+	}
+
+	/**
+	 * Check if this and the given range overlap.
+	 */
+	public boolean overlaps(IPRange range)
+	{
+		return !(compareAddr(mTo, range.mFrom) < 0 || compareAddr(range.mTo, mFrom) < 0);
+	}
+
+	private byte[] dec(byte[] addr)
+	{
+		for (int i = addr.length - 1; i >= 0; i--)
+		{
+			if (--addr[i] != (byte)0xff)
+			{
+				break;
+			}
+		}
+		return addr;
+	}
+
+	private byte[] inc(byte[] addr)
+	{
+		for (int i = addr.length - 1; i >= 0; i--)
+		{
+			if (++addr[i] != 0)
+			{
+				break;
+			}
+		}
+		return addr;
+	}
+
+	/**
+	 * Remove the given range from the current range.  Returns a list of resulting ranges (these are
+	 * not proper subnets). At most two ranges are returned, in case the given range is contained in
+	 * this but does not equal it, which would result in an empty list (which is also the case if
+	 * this range is fully contained in the given range).
+	 */
+	public List<IPRange> remove(IPRange range)
+	{
+		ArrayList<IPRange> list = new ArrayList<>();
+		if (!overlaps(range))
+		{	/*           | this | or | this |
+		     * | range |                     | range | */
+			list.add(this);
+		}
+		else if (!range.contains(this))
+		{	/* we are not completely removed, so none of these cases applies:
+			 * | this  | or  | this  |   or   | this  |
+		     * | range |     | range   |    |   range | */
+			if (compareAddr(mFrom, range.mFrom) < 0 && compareAddr(range.mTo, mTo) < 0)
+			{	/* the removed range is completely within our boundaries:
+				 * |    this    |
+				 *   | range |   */
+				list.add(new IPRange(mFrom, dec(range.mFrom.clone())));
+				list.add(new IPRange(inc(range.mTo.clone()), mTo));
+			}
+			else
+			{	/* one end is within our boundaries the other at or outside it:
+			     * | this     | or    | this     | or | this    |  or  | this    |
+			     * | range |       | range |            | range |           | range | */
+				byte[] from = compareAddr(mFrom, range.mFrom) < 0 ? mFrom : inc(range.mTo.clone());
+				byte[] to = compareAddr(mTo, range.mTo) > 0 ? mTo : dec(range.mFrom.clone());
+				list.add(new IPRange(from, to));
+			}
+		}
+		return list;
+	}
+
+	private boolean adjacent(IPRange range)
+	{
+		if (compareAddr(mTo, range.mFrom) < 0)
+		{
+			byte[] to = inc(mTo.clone());
+			return compareAddr(to, range.mFrom) == 0;
+		}
+		byte[] from = dec(mFrom.clone());
+		return compareAddr(from, range.mTo) == 0;
+	}
+
+	/**
+	 * Merge two adjacent or overlapping ranges, returns null if it's not possible to merge them.
+	 */
+	public IPRange merge(IPRange range)
+	{
+		if (overlaps(range))
+		{
+			if (contains(range))
+			{
+				return this;
+			}
+			else if (range.contains(this))
+			{
+				return range;
+			}
+		}
+		else if (!adjacent(range))
+		{
+			return null;
+		}
+		byte[] from = compareAddr(mFrom, range.mFrom) < 0 ? mFrom : range.mFrom;
+		byte[] to = compareAddr(mTo, range.mTo) > 0 ? mTo : range.mTo;
+		return new IPRange(from, to);
+	}
+
+	/**
+	 * Split the given range into a sorted list of proper subnets.
+	 */
+	public List<IPRange> toSubnets()
+	{
+		ArrayList<IPRange> list = new ArrayList<>();
+		if (mPrefix != null)
+		{
+			list.add(this);
+		}
+		else
+		{
+			int i = 0, bit = 0, prefix, netmask, common_byte, common_bit;
+			int from_cur, from_prev = 0, to_cur, to_prev = 1;
+			boolean from_full = true, to_full = true;
+
+			byte[] from = mFrom.clone();
+			byte[] to = mTo.clone();
+
+			/* find a common prefix */
+			while (i < from.length && (from[i] & mBitmask[bit]) == (to[i] & mBitmask[bit]))
+			{
+				if (++bit == 8)
+				{
+					bit = 0;
+					i++;
+				}
+			}
+			prefix = i * 8 + bit;
+
+			/* at this point we know that the addresses are either equal, or that the
+			 * current bits in the 'from' and 'to' addresses are 0 and 1, respectively.
+			 * we now look at the rest of the bits as two binary trees (0=left, 1=right)
+			 * where 'from' and 'to' are both leaf nodes.  all leaf nodes between these
+			 * nodes are addresses contained in the range.  to collect them as subnets
+			 * we follow the trees from both leaf nodes to their root node and record
+			 * all complete subtrees (right for from, left for to) we come across as
+			 * subnets.  in that process host bits are zeroed out.  if both addresses
+			 * are equal we won't enter the loop below.
+			 *      0_____|_____1       for the 'from' address we assume we start on a
+			 *   0__|__ 1    0__|__1    left subtree (0) and follow the left edges until
+			 *  _|_   _|_   _|_   _|_   we reach the root of this subtree, which is
+			 * |   | |   | |   | |   |  either the root of this whole 'from'-subtree
+			 * 0   1 0   1 0   1 0   1  (causing us to leave the loop) or the root node
+			 * of the right subtree (1) of another node (which actually could be the
+			 * leaf node we start from).  that whole subtree gets recorded as subnet.
+			 * next we follow the right edges to the root of that subtree which again is
+			 * either the 'from'-root or the root node in the left subtree (0) of
+			 * another node.  the complete right subtree of that node is the next subnet
+			 * we record.  from there we assume that we are in that right subtree and
+			 * recursively follow right edges to its root.  for the 'to' address the
+			 * procedure is exactly the same but with left and right reversed.
+			 */
+			if (++bit == 8)
+			{
+				bit = 0;
+				i++;
+			}
+			common_byte = i;
+			common_bit = bit;
+			netmask = from.length * 8;
+			for (i = from.length - 1; i >= common_byte; i--)
+			{
+				int bit_min = (i == common_byte) ? common_bit : 0;
+				for (bit = 7; bit >= bit_min; bit--)
+				{
+					byte mask = mBitmask[bit];
+
+					from_cur = from[i] & mask;
+					if (from_prev == 0 && from_cur != 0)
+					{	/* 0 -> 1: subnet is the whole current (right) subtree */
+						list.add(new IPRange(from.clone(), netmask));
+						from_full = false;
+					}
+					else if (from_prev != 0 && from_cur == 0)
+					{	/* 1 -> 0: invert bit to switch to right subtree and add it */
+						from[i] ^= mask;
+						list.add(new IPRange(from.clone(), netmask));
+						from_cur = 1;
+					}
+					/* clear the current bit */
+					from[i] &= ~mask;
+					from_prev = from_cur;
+
+					to_cur = to[i] & mask;
+					if (to_prev != 0 && to_cur == 0)
+					{	/* 1 -> 0: subnet is the whole current (left) subtree */
+						list.add(new IPRange(to.clone(), netmask));
+						to_full = false;
+					}
+					else if (to_prev == 0 && to_cur != 0)
+					{	/* 0 -> 1: invert bit to switch to left subtree and add it */
+						to[i] ^= mask;
+						list.add(new IPRange(to.clone(), netmask));
+						to_cur = 0;
+					}
+					/* clear the current bit */
+					to[i] &= ~mask;
+					to_prev = to_cur;
+					netmask--;
+				}
+			}
+
+			if (from_full && to_full)
+			{	/* full subnet (from=to or from=0.. and to=1.. after common prefix) - not reachable
+				 * due to the shortcut at the top */
+				list.add(new IPRange(from.clone(), prefix));
+			}
+			else if (from_full)
+			{	/* full from subnet (from=0.. after prefix) */
+				list.add(new IPRange(from.clone(), prefix + 1));
+			}
+			else if (to_full)
+			{	/* full to subnet (to=1.. after prefix) */
+				list.add(new IPRange(to.clone(), prefix + 1));
+			}
+		}
+		Collections.sort(list);
+		return list;
+	}
+}

client/android/src/org/amnezia/vpn/ikev2/utils/IPRangeSet.java

@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) 2012-2017 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+package org.amnezia.vpn.ikev2.utils;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+import java.util.TreeSet;
+
+/**
+ * Class that represents a set of IP address ranges (not necessarily proper subnets) and allows
+ * modifying the set and enumerating the resulting subnets.
+ */
+public class IPRangeSet implements Iterable<IPRange>
+{
+	private TreeSet<IPRange> mRanges = new TreeSet<>();
+
+	/**
+	 * Parse the given string (space separated ranges in CIDR or range notation) and return the
+	 * resulting set or {@code null} if the string was invalid. An empty set is returned if the given string
+	 * is {@code null}.
+	 */
+	public static IPRangeSet fromString(String ranges)
+	{
+		IPRangeSet set = new IPRangeSet();
+		if (ranges != null)
+		{
+			for (String range : ranges.split("\\s+"))
+			{
+				try
+				{
+					set.add(new IPRange(range));
+				}
+				catch (Exception unused)
+				{	/* besides due to invalid strings exceptions might get thrown if the string
+					 * contains a hostname (NetworkOnMainThreadException) */
+					return null;
+				}
+			}
+		}
+		return set;
+	}
+
+	/**
+	 * Add a range to this set. Automatically gets merged with existing ranges.
+	 */
+	public void add(IPRange range)
+	{
+		if (mRanges.contains(range))
+		{
+			return;
+		}
+		reinsert:
+		while (true)
+		{
+			Iterator<IPRange> iterator = mRanges.iterator();
+			while (iterator.hasNext())
+			{
+				IPRange existing = iterator.next();
+				IPRange replacement = existing.merge(range);
+				if (replacement != null)
+				{
+					iterator.remove();
+					range = replacement;
+					continue reinsert;
+				}
+			}
+			mRanges.add(range);
+			break;
+		}
+	}
+
+	/**
+	 * Add all ranges from the given set.
+	 */
+	public void add(IPRangeSet ranges)
+	{
+		if (ranges == this)
+		{
+			return;
+		}
+		for (IPRange range : ranges.mRanges)
+		{
+			add(range);
+		}
+	}
+
+	/**
+	 * Add all ranges from the given collection to this set.
+	 */
+	public void addAll(Collection<? extends IPRange> coll)
+	{
+		for (IPRange range : coll)
+		{
+			add(range);
+		}
+	}
+
+	/**
+	 * Remove the given range from this set. Existing ranges are automatically adjusted.
+	 */
+	public void remove(IPRange range)
+	{
+		ArrayList <IPRange> additions = new ArrayList<>();
+		Iterator<IPRange> iterator = mRanges.iterator();
+		while (iterator.hasNext())
+		{
+			IPRange existing = iterator.next();
+			List<IPRange> result = existing.remove(range);
+			if (result.size() == 0)
+			{
+				iterator.remove();
+			}
+			else if (!result.get(0).equals(existing))
+			{
+				iterator.remove();
+				additions.addAll(result);
+			}
+		}
+		mRanges.addAll(additions);
+	}
+
+	/**
+	 * Remove the given ranges from ranges in this set.
+	 */
+	public void remove(IPRangeSet ranges)
+	{
+		if (ranges == this)
+		{
+			mRanges.clear();
+			return;
+		}
+		for (IPRange range : ranges.mRanges)
+		{
+			remove(range);
+		}
+	}
+
+	/**
+	 * Get all the subnets derived from all the ranges in this set.
+	 */
+	public Iterable<IPRange> subnets()
+	{
+		return new Iterable<IPRange>()
+		{
+			@Override
+			public Iterator<IPRange> iterator()
+			{
+				return new Iterator<IPRange>()
+				{
+					private Iterator<IPRange> mIterator = mRanges.iterator();
+					private List<IPRange> mSubnets;
+
+					@Override
+					public boolean hasNext()
+					{
+						return (mSubnets != null && mSubnets.size() > 0) || mIterator.hasNext();
+					}
+
+					@Override
+					public IPRange next()
+					{
+						if (mSubnets == null || mSubnets.size() == 0)
+						{
+							IPRange range = mIterator.next();
+							mSubnets = range.toSubnets();
+						}
+						return mSubnets.remove(0);
+					}
+
+					@Override
+					public void remove()
+					{
+						throw new UnsupportedOperationException();
+					}
+				};
+			}
+		};
+	}
+
+	@Override
+	public Iterator<IPRange> iterator()
+	{
+		return mRanges.iterator();
+	}
+
+	/**
+	 * Returns the number of ranges, not subnets.
+	 */
+	public int size()
+	{
+		return mRanges.size();
+	}
+
+	@Override
+	public String toString()
+	{	/* we could use TextUtils, but that causes the unit tests to fail */
+		StringBuilder sb = new StringBuilder();
+		for (IPRange range : mRanges)
+		{
+			if (sb.length() > 0)
+			{
+				sb.append(" ");
+			}
+			sb.append(range.toString());
+		}
+		return sb.toString();
+	}
+}

client/android/src/org/amnezia/vpn/ikev2/utils/SettingsWriter.java

@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+package org.amnezia.vpn.ikev2.utils;
+
+import java.util.Arrays;
+import java.util.LinkedHashMap;
+import java.util.Map.Entry;
+import java.util.regex.Pattern;
+
+
+/**
+ * Simple generator for data/files that may be parsed by libstrongswan's
+ * settings_t class.
+ */
+public class SettingsWriter
+{
+	/**
+	 * Top-level section
+	 */
+	private final SettingsSection mTop = new SettingsSection();
+
+	/**
+	 * Set a string value
+	 * @param key
+	 * @param value
+	 * @return the writer
+	 */
+	public SettingsWriter setValue(String key, String value)
+	{
+		Pattern pattern = Pattern.compile("[^#{}=\"\\n\\t ]+");
+		if (key == null || !pattern.matcher(key).matches())
+		{
+			return this;
+		}
+		String[] keys = key.split("\\.");
+		SettingsSection section = mTop;
+		section = findOrCreateSection(Arrays.copyOfRange(keys, 0, keys.length-1));
+		section.Settings.put(keys[keys.length-1], value);
+		return this;
+	}
+
+	/**
+	 * Set an integer value
+	 * @param key
+	 * @param value
+	 * @return the writer
+	 */
+	public SettingsWriter setValue(String key, Integer value)
+	{
+		return setValue(key, value == null ? null : value.toString());
+	}
+
+	/**
+	 * Set a boolean value
+	 * @param key
+	 * @param value
+	 * @return the writer
+	 */
+	public SettingsWriter setValue(String key, Boolean value)
+	{
+		return setValue(key, value == null ? null : value ? "1" : "0");
+	}
+
+	/**
+	 * Serializes the settings to a string in the format understood by
+	 * libstrongswan's settings_t parser.
+	 * @return serialized settings
+	 */
+	public String serialize()
+	{
+		StringBuilder builder = new StringBuilder();
+		serializeSection(mTop, builder);
+		return builder.toString();
+	}
+
+	/**
+	 * Serialize the settings in a section and recursively serialize sub-sections
+	 * @param section
+	 * @param builder
+	 */
+	private void serializeSection(SettingsSection section, StringBuilder builder)
+	{
+		for (Entry<String, String> setting : section.Settings.entrySet())
+		{
+			builder.append(setting.getKey()).append('=');
+			if (setting.getValue() != null)
+			{
+				builder.append("\"").append(escapeValue(setting.getValue())).append("\"");
+			}
+			builder.append('\n');
+		}
+
+		for (Entry<String, SettingsSection> subsection : section.Sections.entrySet())
+		{
+			builder.append(subsection.getKey()).append(" {\n");
+			serializeSection(subsection.getValue(), builder);
+			builder.append("}\n");
+		}
+	}
+
+	/**
+	 * Escape value so it may be wrapped in "
+	 * @param value
+	 * @return
+	 */
+	private String escapeValue(String value)
+	{
+		return value.replace("\\", "\\\\").replace("\"", "\\\"");
+	}
+
+	/**
+	 * Find or create the nested sections with the given names
+	 * @param sections list of section names
+	 * @return final section
+	 */
+	private SettingsSection findOrCreateSection(String[] sections)
+	{
+		SettingsSection section = mTop;
+		for (String name : sections)
+		{
+			SettingsSection subsection = section.Sections.get(name);
+			if (subsection == null)
+			{
+				subsection = new SettingsSection();
+				section.Sections.put(name, subsection);
+			}
+			section = subsection;
+		}
+		return section;
+	}
+
+	/**
+	 * A section containing sub-sections and settings.
+	 */
+	private class SettingsSection
+	{
+		/**
+		 * Assigned key/value pairs
+		 */
+		LinkedHashMap<String,String> Settings = new LinkedHashMap<String, String>();
+
+		/**
+		 * Assigned sub-sections
+		 */
+		LinkedHashMap<String,SettingsSection> Sections = new LinkedHashMap<String, SettingsWriter.SettingsSection>();
+	}
+}

client/android/src/org/amnezia/vpn/ikev2/utils/SimpleFetcher.java

@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2017-2018 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+package org.amnezia.vpn.ikev2.utils;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.net.SocketTimeoutException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.concurrent.CancellationException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+import androidx.annotation.Keep;
+
+@Keep
+public class SimpleFetcher
+{
+	private static ExecutorService mExecutor = Executors.newCachedThreadPool();
+	private static Object mLock = new Object();
+	private static ArrayList<Future> mFutures = new ArrayList<>();
+	private static boolean mDisabled;
+
+	public static byte[] fetch(String uri, byte[] data, String contentType)
+	{
+		Future<byte[]> future;
+
+		synchronized (mLock)
+		{
+			if (mDisabled)
+			{
+				return null;
+			}
+			future = mExecutor.submit(() -> {
+				URL url = new URL(uri);
+				HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+				conn.setConnectTimeout(10000);
+				conn.setReadTimeout(10000);
+				conn.setRequestProperty("Connection", "close");
+				try
+				{
+					if (contentType != null)
+					{
+						conn.setRequestProperty("Content-Type", contentType);
+					}
+					if (data != null)
+					{
+						conn.setDoOutput(true);
+						conn.setFixedLengthStreamingMode(data.length);
+						OutputStream out = new BufferedOutputStream(conn.getOutputStream());
+						out.write(data);
+						out.close();
+					}
+					return streamToArray(conn.getInputStream());
+				}
+				catch (SocketTimeoutException e)
+				{
+					return null;
+				}
+				finally
+				{
+					conn.disconnect();
+				}
+			});
+
+			mFutures.add(future);
+		}
+
+		try
+		{
+			/* this enforces a timeout as the ones set on HttpURLConnection might not work reliably */
+			return future.get(10000, TimeUnit.MILLISECONDS);
+		}
+		catch (InterruptedException|ExecutionException|TimeoutException|CancellationException e)
+		{
+			return null;
+		}
+		finally
+		{
+			synchronized (mLock)
+			{
+				mFutures.remove(future);
+			}
+		}
+	}
+
+	/**
+	 * Enable fetching after it has been disabled.
+	 */
+	public static void enable()
+	{
+		synchronized (mLock)
+		{
+			mDisabled = false;
+		}
+	}
+
+	/**
+	 * Disable the fetcher and abort any future requests.
+	 *
+	 * The native thread is not cancelable as it is working on an IKE_SA (canceling the methods of
+	 * HttpURLConnection is not reliably possible anyway), so to abort while fetching we cancel the
+	 * Future (causing a return from fetch() immediately) and let the executor thread continue its
+	 * thing in the background.
+	 *
+	 * Also prevents future fetches until enabled again (e.g. if we aborted OCSP but would then
+	 * block in the subsequent fetch for a CRL).
+	 */
+	public static void disable()
+	{
+		synchronized (mLock)
+		{
+			mDisabled = true;
+			for (Future future : mFutures)
+			{
+				future.cancel(true);
+			}
+		}
+	}
+
+	private static byte[] streamToArray(InputStream in) throws IOException
+	{
+		ByteArrayOutputStream out = new ByteArrayOutputStream();
+		byte[] buf = new byte[1024];
+		int len;
+
+		try
+		{
+			while ((len = in.read(buf)) != -1)
+			{
+				out.write(buf, 0, len);
+			}
+			return out.toByteArray();
+		}
+		catch (IOException e)
+		{
+			e.printStackTrace();
+		}
+		finally
+		{
+			in.close();
+		}
+		return null;
+	}
+}

client/android/src/org/amnezia/vpn/ikev2/utils/Utils.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2014-2019 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+package org.amnezia.vpn.ikev2.utils;
+
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+public class Utils
+{
+	static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
+
+	/**
+	 * Converts the given byte array to a hexadecimal string encoding.
+	 *
+	 * @param bytes byte array to convert
+	 * @return hex string
+	 */
+	public static String bytesToHex(byte[] bytes)
+	{
+		char[] hex = new char[bytes.length * 2];
+		for (int i = 0; i < bytes.length; i++)
+		{
+			int value = bytes[i];
+			hex[i*2]   = HEXDIGITS[(value & 0xf0) >> 4];
+			hex[i*2+1] = HEXDIGITS[ value & 0x0f];
+		}
+		return new String(hex);
+	}
+
+	/**
+	 * Validate the given proposal string
+	 *
+	 * @param ike true for IKE, false for ESP
+	 * @param proposal proposal string
+	 * @return true if valid
+	 */
+	public native static boolean isProposalValid(boolean ike, String proposal);
+
+	/**
+	 * Parse an IP address without doing a name lookup
+	 *
+	 * @param address IP address string
+	 * @return address bytes if valid
+	 */
+	private native static byte[] parseInetAddressBytes(String address);
+
+	/**
+	 * Parse an IP address without doing a name lookup (as compared to InetAddress.fromName())
+	 *
+	 * @param address IP address string
+	 * @return address if valid
+	 * @throws UnknownHostException if address is invalid
+	 */
+	public static InetAddress parseInetAddress(String address) throws UnknownHostException
+	{
+		byte[] bytes = parseInetAddressBytes(address);
+		if (bytes == null)
+		{
+			throw new UnknownHostException();
+		}
+		return InetAddress.getByAddress(bytes);
+	}
+}

client/android/src/org/amnezia/vpn/qt/PackageManagerHelper.java

@@ -1,189 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-package org.amnezia.vpn.qt;
-
-import android.Manifest;
-import android.content.Context;
-import android.content.Intent;
-import android.content.pm.ApplicationInfo;
-import android.content.pm.PackageInfo;
-import android.content.pm.PackageManager;
-import android.content.pm.ResolveInfo;
-import android.graphics.Color;
-import android.graphics.drawable.ColorDrawable;
-import android.graphics.drawable.Drawable;
-import android.Manifest.permission;
-import android.net.Uri;
-import android.os.Build;
-import android.util.Log;
-import android.webkit.WebView;
-
-import org.json.JSONException;
-import org.json.JSONObject;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.regex.Pattern;
-
-// Gets used by /platforms/android/androidAppListProvider.cpp
-public class PackageManagerHelper {
-  final static String TAG = "PackageManagerHelper";
-  final static int MIN_CHROME_VERSION = 65;
-
-  final static List<String> CHROME_BROWSERS = Arrays.asList(
-      new String[] {"com.google.android.webview", "com.android.webview", "com.google.chrome"});
-
-  private static String getAllAppNames(Context ctx) {
-    JSONObject output = new JSONObject();
-    PackageManager pm = ctx.getPackageManager();
-    List<String> browsers = getBrowserIDs(pm);
-    List<PackageInfo> packs = pm.getInstalledPackages(PackageManager.GET_PERMISSIONS);
-    for (int i = 0; i < packs.size(); i++) {
-      PackageInfo p = packs.get(i);
-      // Do not add ourselves and System Apps to the list, unless it might be a browser
-      if ((!isSystemPackage(p,pm) || browsers.contains(p.packageName))
-          && !isSelf(p)) {
-        String appid = p.packageName;
-        String appName = p.applicationInfo.loadLabel(pm).toString();
-        try {
-          output.put(appid, appName);
-        } catch (JSONException e) {
-          e.printStackTrace();
-        }
-      }
-    }
-    return output.toString();
-  }
-
-  private static Drawable getAppIcon(Context ctx, String id) {
-    try {
-      return ctx.getPackageManager().getApplicationIcon(id);
-    } catch (PackageManager.NameNotFoundException e) {
-      e.printStackTrace();
-    }
-    return new ColorDrawable(Color.TRANSPARENT);
-  }
-
-  private static boolean isSystemPackage(PackageInfo pkgInfo, PackageManager pm) {
-    if( (pkgInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0){
-      // no system app
-      return false;
-    }
-    // For Systems Packages there are Cases where we want to add it anyway:
-    // Has the use Internet permission (otherwise makes no sense)
-    // Had at least 1 update (this means it's probably on any AppStore)
-    // Has a a launch activity (has a ui and is not just a system service)
-
-    if(!usesInternet(pkgInfo)){
-      return true;
-    }
-    if(!hadUpdate(pkgInfo)){
-      return true;
-    }
-    if(pm.getLaunchIntentForPackage(pkgInfo.packageName) == null){
-      // If there is no way to launch this from a homescreen, def a sys package
-      return true;
-    }
-    return false;
-  }
-  private static boolean isSelf(PackageInfo pkgInfo) {
-    return pkgInfo.packageName.equals("org.amnezia.vpn")
-        || pkgInfo.packageName.equals("org.amnezia.vpn.debug");
-  }
-  private static boolean usesInternet(PackageInfo pkgInfo){
-    if(pkgInfo.requestedPermissions == null){
-      return false;
-    }
-    for(int i=0; i < pkgInfo.requestedPermissions.length; i++) {
-      String permission = pkgInfo.requestedPermissions[i];
-      if(Manifest.permission.INTERNET.equals(permission)){
-        return true;
-      }
-    }
-    return false;
-  }
-  private static boolean hadUpdate(PackageInfo pkgInfo){
-    return pkgInfo.lastUpdateTime > pkgInfo.firstInstallTime;
-  }
-
-  // Returns List of all Packages that can classify themselves as browsers
-  private static List<String> getBrowserIDs(PackageManager pm) {
-    Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse("https://www.mozilla.org/"));
-    intent.addCategory(Intent.CATEGORY_BROWSABLE);
-    // We've tried using PackageManager.MATCH_DEFAULT_ONLY flag and found that browsers that
-    // are not set as the default browser won't be matched even if they had CATEGORY_DEFAULT set
-    // in the intent filter
-
-    List<ResolveInfo> resolveInfos = pm.queryIntentActivities(intent, PackageManager.MATCH_ALL);
-    List<String> browsers = new ArrayList<String>();
-    for (int i = 0; i < resolveInfos.size(); i++) {
-      ResolveInfo info = resolveInfos.get(i);
-      String browserID = info.activityInfo.packageName;
-      browsers.add(browserID);
-    }
-    return browsers;
-  }
-
-  // Gets called in AndroidAuthenticationListener;
-  public static boolean isWebViewSupported(Context ctx) {
-    Log.v(TAG, "Checking if installed Webview is compatible with FxA");
-    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
-      // The default Webview is able do to FXA
-      return true;
-    }
-    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
-      PackageInfo pi = WebView.getCurrentWebViewPackage();
-      if (CHROME_BROWSERS.contains(pi.packageName)) {
-        return isSupportedChromeBrowser(pi);
-      }
-      return isNotAncientBrowser(pi);
-    }
-
-    // Before O the webview is hardcoded, but we dont know which package it is.
-    // Check if com.google.android.webview is installed
-    PackageManager pm = ctx.getPackageManager();
-    try {
-      PackageInfo pi = pm.getPackageInfo("com.google.android.webview", 0);
-      return isSupportedChromeBrowser(pi);
-    } catch (PackageManager.NameNotFoundException e) {
-    }
-    // Otherwise check com.android.webview
-    try {
-      PackageInfo pi = pm.getPackageInfo("com.android.webview", 0);
-      return isSupportedChromeBrowser(pi);
-    } catch (PackageManager.NameNotFoundException e) {
-    }
-    Log.e(TAG, "Android System WebView is not found");
-    // Giving up :(
-    return false;
-  }
-
-  private static boolean isSupportedChromeBrowser(PackageInfo pi) {
-    Log.d(TAG, "Checking Chrome Based Browser: " + pi.packageName);
-    Log.d(TAG, "version name: " + pi.versionName);
-    Log.d(TAG, "version code: " + pi.versionCode);
-    try {
-      String versionCode = pi.versionName.split(Pattern.quote(" "))[0];
-      String majorVersion = versionCode.split(Pattern.quote("."))[0];
-      int version = Integer.parseInt(majorVersion);
-      return version >= MIN_CHROME_VERSION;
-    } catch (Exception e) {
-      Log.e(TAG, "Failed to check Chrome Version Code " + pi.versionName);
-      return false;
-    }
-  }
-
-  private static boolean isNotAncientBrowser(PackageInfo pi) {
-    // Not a google chrome - So the version name is worthless
-    // Lets just make sure the WebView
-    // used is not ancient ==> Was updated in at least the last 365 days
-    Log.d(TAG, "Checking Chrome Based Browser: " + pi.packageName);
-    Log.d(TAG, "version name: " + pi.versionName);
-    Log.d(TAG, "version code: " + pi.versionCode);
-    double oneYearInMillis = 31536000000L;
-    return pi.lastUpdateTime > (System.currentTimeMillis() - oneYearInMillis);
-  }
-}

client/cmake/3rdparty.cmake

@@ -12,16 +12,16 @@ set(LIBS ${LIBS} SortFilterProxyModel)
 include(${CLIENT_ROOT_DIR}/3rd/qrcodegen/qrcodegen.cmake)
 include(${CLIENT_ROOT_DIR}/3rd/QSimpleCrypto/QSimpleCrypto.cmake)
 
-set(BUILD_SHARED_LIBS ON CACHE BOOL "" FORCE)
-add_subdirectory(${CLIENT_ROOT_DIR}/3rd/zlib)
-if(WIN32)
-    set(ZLIB_LIBRARY $<IF:$<CONFIG:Debug>,zlibd,zlib>)
-else()
-    set(ZLIB_LIBRARY z)
-endif()
-set(ZLIB_INCLUDE_DIR "${CLIENT_ROOT_DIR}/3rd/zlib" "${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib")
-link_directories(${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib)
-link_libraries(${ZLIB_LIBRARY})
+#set(BUILD_SHARED_LIBS ON CACHE BOOL "" FORCE)
+#add_subdirectory(${CLIENT_ROOT_DIR}/3rd/zlib)
+#if(WIN32)
+#    set(ZLIB_LIBRARY $<IF:$<CONFIG:Debug>,zlibd,zlib>)
+#else()
+#    set(ZLIB_LIBRARY z)
+#endif()
+#set(ZLIB_INCLUDE_DIR "${CLIENT_ROOT_DIR}/3rd/zlib" "${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib")
+#link_directories(${CMAKE_CURRENT_BINARY_DIR}/3rd/zlib)
+#link_libraries(${ZLIB_LIBRARY})
 
 if(IOS)
     set(ENABLE_PROGRAMS OFF CACHE BOOL "" FORCE)
@@ -105,6 +105,9 @@ set(BUILD_WITH_QT6 ON)
 add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)
 set(LIBS ${LIBS} qt6keychain)
 
+
+include(${CLIENT_ROOT_DIR}/3rd/strongswan/strongswan.cmake)
+
 include_directories(
     ${CLIENT_ROOT_DIR}/3rd/OpenSSL/include
     ${CLIENT_ROOT_DIR}/3rd/libssh/include

client/containers/containers_defs.cpp

@@ -170,6 +170,7 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
     case DockerContainer::WireGuard: return true;
     case DockerContainer::OpenVpn: return true;
     case DockerContainer::ShadowSocks: return true;
+    case DockerContainer::Ipsec: return true;
     default: return false;
     }
 

client/platforms/android/android_controller.cpp

@@ -176,6 +176,21 @@ ErrorCode AndroidController::start()
                 appContext.object());
 
     QJsonDocument doc(m_vpnConfig);
+
+    /*** The following code snippet needs to correct displaying of config in debug console
+     * (Android's stdout limits length of output message)
+     * 
+     * QString string(doc.toJson(QJsonDocument::Compact));
+     * 
+     * qDebug() << "*** config: ";
+     * for (int i = 0; i <= string.length()/100; i++) {
+     *  int start = i*100;
+     *  qDebug() << string.mid(start, 100);
+     * }
+     * 
+     * qDebug() << "*** config: " << m_vpnConfig;
+     ***/
+
     AndroidVPNActivity::sendToService(ServiceAction::ACTION_ACTIVATE, doc.toJson());
 
     return NoError;