feat: Add detection for invalid client cert

4o3F · Dec 3, 2023 · 67f0da4 · 67f0da4
1 parent fc17901
commit 67f0da4
Show file tree

Hide file tree

Showing 12 changed files with 48 additions and 19 deletions.
diff --git a/android/app/src/main/jniLibs/arm64-v8a/libnative.so b/android/app/src/main/jniLibs/arm64-v8a/libnative.so
diff --git a/android/app/src/main/jniLibs/armeabi-v7a/libnative.so b/android/app/src/main/jniLibs/armeabi-v7a/libnative.so
diff --git a/android/app/src/main/jniLibs/x86/libnative.so b/android/app/src/main/jniLibs/x86/libnative.so
diff --git a/android/app/src/main/jniLibs/x86_64/libnative.so b/android/app/src/main/jniLibs/x86_64/libnative.so
diff --git a/assets/translations/en-US.json b/assets/translations/en-US.json
@@ -55,7 +55,8 @@
       "connecting": "Wireless debug connecting, please enter port by clicking the button",
       "waiting": "Waiting for link",
       "success": "Success, please return to Ascent",
-      "fail": "Failed, please check port\n"
+      "fail": "Failed, please check port\n",
+      "repair": "Cert invalid, please redo pairing"
     },
     "notification_reply_button": "Enter data here",
     "link_action": {

diff --git a/assets/translations/zh-CN.json b/assets/translations/zh-CN.json
@@ -55,7 +55,8 @@
       "connecting": "连接无线调试中,请点击按钮输入无线调试端口",
       "waiting": "等待链接中",
       "success": "获取成功，请返回Ascent主程序",
-      "fail": "失败，请检查端口\n"
+      "fail": "失败，请检查端口\n",
+      "repair": "证书失效，请重新配对"
     },
     "notification_reply_button": "点此输入数据",
     "link_action": {

diff --git a/lib/foreground/connect.dart b/lib/foreground/connect.dart
@@ -1,4 +1,4 @@
-import 'dart:isolate';
+import 'dart:io';
 
 import 'package:ascent/ffi.dart';
 import 'package:ascent/global_state.dart';
@@ -88,20 +88,31 @@ class ConnectTaskHandler extends TaskHandler {
       } else {
         errorMessage = error.toString();
       }
-      sendPort?.send("error#$errorMessage");
-      return "";
+      if (errorMessage.contains("error.pair_cert_invalid")) {
+        sendPort?.send("error.pair_cert_invalid#$errorMessage");
+        return "error.pair_cert_invalid";
+      } else {
+        sendPort?.send("error.other#$errorMessage");
+        return "error.other";
+      }
     }).then((value) {
-      if (value.isNotEmpty) {
+      if (!value.startsWith("error")) {
         link = value;
         FlutterForegroundTask.updateService(
           notificationText: tr('connect.notification_description.success'),
         );
         sendPort?.send(link);
       } else {
-        FlutterForegroundTask.updateService(
-          notificationText:
-              tr('connect.notification_description.fail') + errorMessage,
-        );
+        if (value == "error.pair_cert_invalid") {
+          FlutterForegroundTask.updateService(
+            notificationText: tr('connect.notification_description.repair'),
+          );
+        } else {
+          FlutterForegroundTask.updateService(
+            notificationText:
+                tr('connect.notification_description.fail') + errorMessage,
+          );
+        }
       }
     });
   }
@@ -163,9 +174,9 @@ class ConnectForegroundTask {
     }
     receivePort.listen((dynamic data) {
       if (data is String) {
-        if (data.startsWith("error#")) {
+        if (data.startsWith("error.other#")) {
           logic.inProgress.value = false;
-          String errorMessage = data.replaceFirst("error#", "");
+          String errorMessage = data.replaceFirst("error.other#", "");
           Get.dialog(BrnScrollableTextDialog(
             title: tr("error.title"),
             contentText: errorMessage,
@@ -179,6 +190,11 @@ class ConnectForegroundTask {
               );
             },
           ));
+        } else if (data.startsWith("error.pair_cert_invalid#")) {
+          logic.inProgress.value = false;
+          File("${GlobalState.dataDir.path}/cert.pem").deleteSync();
+          File("${GlobalState.dataDir.path}/pkey.pem").deleteSync();
+          GlobalState.hasCert.value = false;
         } else {
           RegExp regex = RegExp(r'https://(.+)');
           Match? match = regex.firstMatch(data);

diff --git a/lib/global_state.dart b/lib/global_state.dart
@@ -9,7 +9,7 @@ import 'package:mixpanel_flutter/mixpanel_flutter.dart';
 import 'package:path_provider/path_provider.dart';
 
 class GlobalState {
-  static const version = "2.1.1";
+  static const version = "2.1.2";
 
   static const platform = MethodChannel('cafe.f403.ascent/main');
   static Rx<String> currentRoute = "/home".obs;

diff --git a/native/Cargo.lock b/native/Cargo.lock
diff --git a/native/Cargo.toml b/native/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "native"
-version = "2.1.1"
+version = "2.1.2"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

diff --git a/native/src/connect.rs b/native/src/connect.rs
@@ -126,7 +126,7 @@ pub async fn connect(port: String, data_folder: String) -> Result<String> {
 
     let method = boring::ssl::SslMethod::tls();
     let mut connector = boring::ssl::SslConnector::builder(method).unwrap();
-    connector.set_verify(boring::ssl::SslVerifyMode::NONE);
+    connector.set_verify(boring::ssl::SslVerifyMode::PEER);
     connector.set_certificate(x509.clone().unwrap().as_ref()).unwrap();
     connector.set_private_key(pkey.clone().unwrap().as_ref()).unwrap();
     connector.set_options(boring::ssl::SslOptions::NO_TLSV1);
@@ -138,13 +138,24 @@ pub async fn connect(port: String, data_folder: String) -> Result<String> {
     let mut config = connector.build().configure().unwrap();
     //config.set_verify_hostname(false);
     config.set_use_server_name_indication(false);
-    //config.set_verify_callback(boring::ssl::SslVerifyMode::PEER, |_, _| true);
+    config.set_verify_callback(boring::ssl::SslVerifyMode::PEER, |_, _| {
+        return true;
+    });
     let mut stream = tokio_boring::connect(config, host, stream).await.with_context(|| format!("Open TLS stream"))?;
     debug!("TLS Handshake success");
     // Read CNXN
     {
         let mut message_raw = vec![0u8; ADB_HEADER_LENGTH];
-        stream.read_exact(message_raw.as_mut_slice()).await.with_context(|| format!("Read CNXN header"))?;
+        match stream.read_exact(message_raw.as_mut_slice()).await.with_context(|| format!("Read CNXN header")) {
+            Ok(_) => {}
+            Err(e) => {
+                debug!("Read CNXN header failed: {:?}", e.source().unwrap().to_string());
+                if e.source().unwrap().to_string().contains("SSLV3_ALERT_CERTIFICATE_UNKNOWN") {
+                    return Err(anyhow!("error.pair_cert_invalid"));
+                }
+                return Err(anyhow!("Read CNXN header failed \n {}", e.root_cause()));
+            }
+        }
         let mut header = bytebuffer::ByteBuffer::from_vec(message_raw); // CNXN header
         header.resize(ADB_HEADER_LENGTH);
         header.set_endian(bytebuffer::Endian::LittleEndian);

diff --git a/pubspec.yaml b/pubspec.yaml
@@ -16,7 +16,7 @@ publish_to: 'none' # Remove this line if you wish to publish to pub.dev
 # https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
 # In Windows, build-name is used as the major, minor, and patch parts
 # of the product and file versions while build-number is used as the build suffix.
-version: 2.1.1
+version: 2.1.2
 
 environment:
   sdk: '>=3.1.3 <4.0.0'