From b04d9581adb3e3176586f31ffdba123125546201 Mon Sep 17 00:00:00 2001
From: pacien
Date: Mon, 20 Jan 2020 19:18:12 +0100
Subject: use private temp files to pass decrypted private keys

Android 10 (API 29) doesn't allow us to pass them by sharing file descriptors anymore, making the use of temp files mandatory.

GitHub: https://github.com/pacien/tincapp/issues/92
---
 .../java/org/pacien/tincapp/service/TincVpnService.kt | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'app/src/main/java/org/pacien/tincapp/service/TincVpnService.kt')

diff --git a/app/src/main/java/org/pacien/tincapp/service/TincVpnService.kt b/app/src/main/java/org/pacien/tincapp/service/TincVpnService.kt
index 48cb1df..c688742 100644
--- a/app/src/main/java/org/pacien/tincapp/service/TincVpnService.kt
+++ b/app/src/main/java/org/pacien/tincapp/service/TincVpnService.kt
@@ -102,12 +102,17 @@ class TincVpnService : VpnService() {
 log.info("Starting tinc daemon for network \"$netName\".")
 if (isConnected() || getCurrentNetName() != null) stopVpn().join()
 
- // FIXME: pass decrypted private keys via temp file
 val privateKeys = try {
 TincConfiguration.fromTincConfiguration(AppPaths.existing(AppPaths.tincConfFile(netName))).let { tincCfg ->
 Pair(
- TincKeyring.openPrivateKey(tincCfg.ed25519PrivateKeyFile ?: AppPaths.defaultEd25519PrivateKeyFile(netName), passphrase),
- TincKeyring.openPrivateKey(tincCfg.privateKeyFile ?: AppPaths.defaultRsaPrivateKeyFile(netName), passphrase))
+ TincKeyring.unlockKey(
+ AppPaths.NET_DEFAULT_ED25519_PRIVATE_KEY_FILE,
+ tincCfg.ed25519PrivateKeyFile ?: AppPaths.defaultEd25519PrivateKeyFile(netName),
+ passphrase),
+ TincKeyring.unlockKey(
+ AppPaths.NET_DEFAULT_RSA_PRIVATE_KEY_FILE,
+ tincCfg.privateKeyFile ?: AppPaths.defaultRsaPrivateKeyFile(netName),
+ passphrase))
 }
 } catch (e: FileNotFoundException) {
 Pair(null, null)
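Review bot: The two new TincKeyring.unlockKey calls inside Pair(...) are not failure-safe with respect to each other: if the second call throws after the first has already produced an unlocked key, nothing in this try block releases the first one, and the catch only handles FileNotFoundException, so any other exception propagates out of the function with the first unlocked key still live. If unlockKey materialises the decrypted key on disk, as the commit message says it now must, that is plaintext key material left behind on a partial failure. I would unlock the two keys as separate steps so the first can be cleaned up when the second fails (a `try { … } catch (e: Exception) { first?.close(); throw e }` around the second call, or a small helper that unlocks both and releases on failure), and note in a comment that the callback which tears down the session is responsible for both keys once the pair is built. The enclosing function starts before this hunk and continues past it.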
@@ -143,15 +148,12 @@ class TincVpnService : VpnService() { val serverSocket = LocalServerSocket(DEVICE_FD_ABSTRACT_SOCKET) Executor.runAsyncTask { serveDeviceFd(serverSocket, deviceFd) } - // FIXME: pass decrypted private keys via temp file - val daemon = Tincd.start(netName, DEVICE_FD_ABSTRACT_SOCKET, null, null) + val daemon = Tincd.start(netName, DEVICE_FD_ABSTRACT_SOCKET, privateKeys.first, privateKeys.second) setState(netName, passphrase, interfaceCfg, deviceFd, daemon) waitForDaemonStartup().whenComplete { _, exception -> serverSocket.close() deviceFd.close() - privateKeys.first?.close() - privateKeys.second?.close() if (exception != null) { reportError(resources.getString(R.string.notification_error_message_daemon_exited, exception.cause!!.defaultMessage()), exception) -- cgit v1.2.3
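Review bot: Removing `privateKeys.first?.close()` and `privateKeys.second?.close()` from the whenComplete callback leaves no visible cleanup of the unlocked keys once the daemon has started or exited; the keys are now handed to Tincd.start as `privateKeys.first` / `privateKeys.second`, so their lifetime is decided entirely by TincKeyring.unlockKey and Tincd.start, neither of which is in this diff. If, per the commit message, unlockKey writes each decrypted key to a private temp file, that file should be removed as soon as tincd has read it and at the latest in this callback, so that plaintext key material does not outlive the VPN session or survive a crash of the daemon. Unless Tincd.start already deletes them, I would keep a deletion step here next to `serverSocket.close()` and `deviceFd.close()`, and in either case add a comment such as `// unlocked key temp files are owned by <unlockKey or Tincd.start> and removed after tincd has read them` naming the owner. The whenComplete lambda and the enclosing function continue past the end of the hunk.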