From 5e2469f0f17ca25a065f59975994e125df954eed Mon Sep 17 00:00:00 2001
From: Diego Rey Mendez
Date: Tue, 12 Mar 2024 22:52:18 +0100
Subject: [PATCH 1/2] Makes some changes so that the tunnel will have less issues becoming enabled
---
 .../NetworkProtectionDeviceManager.swift | 14 +++++++-------
 .../NetworkProtection/PacketTunnelProvider.swift | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift b/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift
index 58e3055ce..47264327a 100644
--- a/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift
+++ b/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift
@@ -146,7 +146,11 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
 keyStore.updateKeyPair(keyPair)
- if let newExpiration {
+ // We only update the expiration date if it happens before our client-set expiration date.
+ // This way we respect the client-set expiration date, unless the server has set an earlier
+ // expiration for whatever reason (like if the subscription is known to expire).
+ //
+ if let newExpiration, newExpiration < keyPair.expirationDate {
 keyPair = KeyPair(privateKey: keyPair.privateKey, expirationDate: newExpiration)
 keyStore.updateKeyPair(keyPair)
 }
@@ -224,9 +228,7 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
 // If we're looking to exclude a server we should have a few other options available. If we can't find any
 // then it means theres an inconsistency in the server list that was returned.
 errorEvents?.fire(NetworkProtectionError.serverListInconsistency)
-
- let cachedServer = try cachedServer(registeredWith: keyPair)
- return (cachedServer, nil)
+ throw NetworkProtectionError.serverListInconsistency
 }
 selectedServer = registeredServer
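Review bot: `keyPair` is persisted twice in this hunk — `keyStore.updateKeyPair(keyPair)` runs on the context line just before the new guard and again inside it once the expiration has been shortened, so the first write stores an expiration that is immediately overwritten. Building the final `KeyPair` first and calling `keyStore.updateKeyPair(keyPair)` once after the `if` would avoid the redundant store write. The new condition also has no lower bound: a `newExpiration` that is already in the past satisfies `newExpiration < keyPair.expirationDate` and is stored unchanged, and whether an expired stored key pair is then replaced on the next start is not visible here — a comment stating the intended handling, e.g. `// A newExpiration already in the past is stored as-is; the key is expected to be rotated on the next start.`, would make that explicit (hedged: confirm against the key store). The enclosing method starts and ends outside the hunk.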
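Review bot: With the fallback lines removed here and in the hunk at line 238, no caller of `cachedServer(registeredWith:)` remains in this diff; if the method has no other call site it is now dead code and should be removed in the same change, otherwise readers will assume the cached-server path still exists. Also, `errorEvents?.fire(NetworkProtectionError.serverListInconsistency)` is immediately followed by `throw` of the same error, and if that throw is caught by the `catch` block shown at line 238 — which calls `handle(clientError: error)` before rethrowing — the inconsistency may be reported twice; worth confirming against the full method body, which starts and ends outside the hunk.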
@@ -238,9 +240,7 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
 }
 handle(clientError: error)
-
- let cachedServer = try cachedServer(registeredWith: keyPair)
- return (cachedServer, nil)
+ throw error
 }
 }
diff --git a/Sources/NetworkProtection/PacketTunnelProvider.swift b/Sources/NetworkProtection/PacketTunnelProvider.swift
index 0c40f6041..09a9e7f12 100644
--- a/Sources/NetworkProtection/PacketTunnelProvider.swift
+++ b/Sources/NetworkProtection/PacketTunnelProvider.swift
@@ -595,7 +595,7 @@ open class PacketTunnelProvider: NEPacketTunnelProvider {
 serverSelectionMethod: currentServerSelectionMethod,
 includedRoutes: includedRoutes ?? [],
 excludedRoutes: settings.excludedRanges,
- regenerateKey: false)
+ regenerateKey: true)
 startTunnel(with: tunnelConfiguration, onDemand: onDemand, completionHandler: completionHandler)
 os_log("🔵 Done generating tunnel config", log: .networkProtection, type: .info)
 } catch {
From 4fabd076cc65b15d7442c89cc570e0e4df0b07ca Mon Sep 17 00:00:00 2001
From: Diego Rey Mendez
Date: Tue, 12 Mar 2024 23:30:23 +0100
Subject: [PATCH 2/2] Adds a check to shorten the expiration date for users with a long auth token expiration date
---
 .../NetworkProtectionDeviceManager.swift | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift b/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift
index 47264327a..f54bfec38 100644
--- a/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift
+++ b/Sources/NetworkProtection/NetworkProtectionDeviceManager.swift
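Review bot: `regenerateKey: true` is now a constant at this call site, so every tunnel start that goes through this path creates and registers a fresh key pair, and the `currentKeyPair()` reuse branch in `NetworkProtectionDeviceManager` — including the temporary expiration check PATCH 2/2 adds inside that `else` branch — is not reached from here. If unconditional rotation on start is the intent, the argument deserves a comment explaining the policy, e.g. `regenerateKey: true) // always rotate the device key on tunnel start; see NetworkProtectionDeviceManager`; if only keys with an overly long expiration should be replaced, passing `false` and relying on the device manager's check would avoid a new registration with the server on each start. The enclosing method starts and ends outside the hunk.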
@@ -138,7 +138,16 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
 if regenerateKey {
 keyPair = keyStore.newKeyPair()
 } else {
- keyPair = keyStore.currentKeyPair() ?? keyStore.newKeyPair()
+ // Temporary code added on 2024-03-12 to fix a previous issue where users had a really long
+ // key expiration date. We should remove this after a month or so.
+ if let existingKeyPair = keyStore.currentKeyPair(),
+ existingKeyPair.expirationDate > Date().addingTimeInterval(TimeInterval.day) {
+
+ keyPair = keyStore.newKeyPair()
+ } else {
+ // This is the regular code to restore when the above code is removed.
+ keyPair = keyStore.currentKeyPair() ?? keyStore.newKeyPair()
+ }
 }
 let (selectedServer, newExpiration) = try await register(keyPair: keyPair, selectionMethod: selectionMethod)
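Review bot: The temporary branch forces a new key whenever the stored key expires more than one day out, but nothing in the hunk ties that 1-day threshold to the client-set expiration referenced in the hunk at line 146, so if the regular expiration is itself longer than a day this path would regenerate the key on every non-`regenerateKey` start rather than only for the long-lived keys the comment describes — worth confirming against the value the key store assigns. The removal reminder should carry a marker tooling can find instead of "after a month or so", e.g. `// TODO(remove after <DATE>, see <TICKET>): temporary migration for overly long key expirations`. `keyStore.currentKeyPair()` is also called twice (in the `if let` and again in the `else` via `??`); binding it once above the `if` and writing `keyPair = existingKeyPair ?? keyStore.newKeyPair()` in the else branch reads cleaner and avoids two reads of the store. The enclosing method starts and ends outside the hunk.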