diff --git a/Passepartout-iOS/Scenes/ConfigurationViewController.swift b/Passepartout-iOS/Scenes/ConfigurationViewController.swift
index bed347b3..f7b50bd0 100644
--- a/Passepartout-iOS/Scenes/ConfigurationViewController.swift
+++ b/Passepartout-iOS/Scenes/ConfigurationViewController.swift
@@ -195,7 +195,17 @@ extension ConfigurationViewController: UITableViewDataSource, UITableViewDelegat
 case .tlsWrapping:
 cell.leftText = L10n.Configuration.Cells.TlsWrapping.caption
 let V = L10n.Configuration.Cells.TlsWrapping.Value.self
- cell.rightText = V.disabled
+ if let strategy = configuration.tlsWrap?.strategy {
+ switch strategy {
+ case .auth:
+ cell.rightText = V.auth
+
+ case .crypt:
+ cell.rightText = V.crypt
+ }
+ } else {
+ cell.rightText = V.disabled
+ }
 cell.accessoryType = .none
 cell.isTappable = false
diff --git a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
index d93bbe5d..dcd4a56a 100644
--- a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
+++ b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
@@ -74,6 +74,10 @@ extension TunnelKitProvider.Configuration {
 var clientKey: CryptoContainer?
 var keepAliveSeconds: Int?
 var renegotiateAfterSeconds: Int?
+ var keyDirection: StaticKey.Direction?
+ var tlsStrategy: SessionProxy.TLSWrap.Strategy?
+ var tlsKeyLines: [Substring]?
+ var tlsWrap: SessionProxy.TLSWrap?
 var currentBlockName: String?
 var currentBlock: [String] = []
@@ -113,8 +117,13 @@ extension TunnelKitProvider.Configuration {
 case "key":
 clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
- case "tls-auth", "tls-crypt":
- unsupportedError = ApplicationError.unsupportedConfiguration(option: blockName)
+ case "tls-auth":
+ tlsKeyLines = currentBlock.map { Substring($0) }
+ tlsStrategy = .auth
+
+ case "tls-crypt":
+ tlsKeyLines = currentBlock.map { Substring($0) }
+ tlsStrategy = .crypt
 default:
 break
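Review bot: The new `case "tls-auth":` and `case "tls-crypt":` arms assign `tlsKeyLines`/`tlsStrategy` unconditionally, so a profile that carries both blocks (or the same block twice) is imported with whichever came last, where the removed code refused it outright. OpenVPN treats `tls-auth` and `tls-crypt` as mutually exclusive, and last-wins silently decides which control-channel protection the tunnel ends up with instead of telling the user the profile is inconsistent. A guard at the top of each arm keeps the conflict visible, e.g. `guard tlsStrategy == nil else { unsupportedError = ApplicationError.unsupportedConfiguration(option: blockName); break }`; the removed lines show `unsupportedError` and `blockName` already in scope at this point. The enclosing switch and its function start before the hunk, so whether `break` is the right exit there should be checked against the surrounding code.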
@@ -180,6 +189,12 @@ extension TunnelKitProvider.Configuration {
 Regex.compress.enumerateComponents(in: line) { _ in
 compressionFraming = .compress
 }
+ Regex.keyDirection.enumerateArguments(in: line) {
+ guard let arg = $0.first, let value = Int(arg) else {
+ return
+ }
+ keyDirection = StaticKey.Direction(rawValue: value)
+ }
 Regex.ping.enumerateArguments(in: line) {
 guard let arg = $0.first else {
 return
@@ -232,11 +247,26 @@ extension TunnelKitProvider.Configuration {
 assert(!endpointProtocols.isEmpty, "Must define an endpoint protocol")
+ if let keyLines = tlsKeyLines, let strategy = tlsStrategy {
+ let optKey: StaticKey?
+ switch strategy {
+ case .auth:
+ optKey = StaticKey(lines: keyLines, direction: keyDirection)
+
+ case .crypt:
+ optKey = StaticKey(lines: keyLines, direction: .client)
+ }
+ if let key = optKey {
+ tlsWrap = SessionProxy.TLSWrap(strategy: strategy, key: key)
+ }
+ }
+
 var builder = TunnelKitProvider.ConfigurationBuilder(ca: ca)
 builder.endpointProtocols = endpointProtocols
 builder.cipher = cipher ?? .aes128cbc
 builder.digest = digest ?? .sha1
 builder.compressionFraming = compressionFraming
+ builder.tlsWrap = tlsWrap
 builder.clientCertificate = clientCertificate
 builder.clientKey = clientKey
 builder.keepAliveSeconds = keepAliveSeconds
diff --git a/README.md b/README.md
index 404d61b0..e6d09be2 100644
--- a/README.md
+++ b/README.md
@@ -67,11 +67,8 @@ In preset mode, you can pick pre-resolved IPv4 endpoints when DNS is problematic
 Passepartout can import .ovpn configuration files. This way you can fine-tune encryption without tweaking and reimporting a new configuration. Below are a few limitations worth mentioning.
-Unsupported (yet):
+Unsupported:
-- TLS wrapping
- - `--tls-auth`
- - `--tls-crypt`
 - UDP fragmentation, i.e. `--fragment`
 Unsupported (probably ever):
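Review bot: In the new `Regex.keyDirection` closure, a `key-direction` argument that `StaticKey.Direction(rawValue:)` does not accept stores nil in `keyDirection`, and a non-numeric argument returns early with the same result, so both are indistinguishable from the directive being absent; the later hunk then builds the `tls-auth` key with that nil direction, which presumably selects bidirectional keying rather than what the profile asked for. A malformed value should fail the import instead of quietly changing the HMAC keying mode, e.g. `guard let arg = $0.first, let value = Int(arg), let direction = StaticKey.Direction(rawValue: value) else { unsupportedError = ApplicationError.unsupportedConfiguration(option: "key-direction"); return }` followed by `keyDirection = direction`. The removed lines in this file's earlier hunk show `unsupportedError` being set by the same parser, but whether it is reachable from inside this closure cannot be confirmed from the hunk. The enclosing function starts before the hunk and continues after it.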
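Review bot: When `StaticKey(lines:direction:)` returns nil for a malformed or truncated key block, `if let key = optKey` just leaves `tlsWrap` unset, so the profile is imported without the TLS wrapping it declares instead of being rejected the way the old `unsupportedError` path did. That silently yields a weaker configuration than the author intended, and the resulting connection will presumably fail against a server that enforces `tls-auth`/`tls-crypt` with no indication of why; surfacing the failure is safer, e.g. `guard let key = optKey else { unsupportedError = ApplicationError.unsupportedConfiguration(option: strategy == .auth ? "tls-auth" : "tls-crypt"); return }`, or a thrown error if this part of the initializer throws, which the hunk does not show. A one-line comment on the `.crypt` arm explaining why `direction: .client` is fixed there while `.auth` takes it from `key-direction` would also help the next reader. The enclosing function starts before and ends after the hunk.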