passepartoutvpn
/
passepartout-apple
mirror of https://github.com/passepartoutvpn/passepartout-apple.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support TLS wrapping via TunnelKit 

tls-auth and tls-crypt.
This commit is contained in:
Davide De Rosa 2018-10-18 23:40:38 +02:00
parent 3ca9659942
commit 0954de3322
3 changed files with 44 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Passepartout-iOS/Scenes/ConfigurationViewController.swift
View File

@ -195,7 +195,17 @@ extension ConfigurationViewController: UITableViewDataSource, UITableViewDelegat
case .tlsWrapping: case .tlsWrapping:
cell.leftText = L10n.Configuration.Cells.TlsWrapping.caption cell.leftText = L10n.Configuration.Cells.TlsWrapping.caption
let V = L10n.Configuration.Cells.TlsWrapping.Value.self let V = L10n.Configuration.Cells.TlsWrapping.Value.self
cell.rightText = V.disabled if let strategy = configuration.tlsWrap?.strategy {
switch strategy {
case .auth:
cell.rightText = V.auth
case .crypt:
cell.rightText = V.crypt
}
} else {
cell.rightText = V.disabled
}
cell.accessoryType = .none cell.accessoryType = .none
cell.isTappable = false cell.isTappable = false

34
Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
View File

@ -74,6 +74,10 @@ extension TunnelKitProvider.Configuration {
var clientKey: CryptoContainer? var clientKey: CryptoContainer?
var keepAliveSeconds: Int? var keepAliveSeconds: Int?
var renegotiateAfterSeconds: Int? var renegotiateAfterSeconds: Int?
var keyDirection: StaticKey.Direction?
var tlsStrategy: SessionProxy.TLSWrap.Strategy?
var tlsKeyLines: [Substring]?
var tlsWrap: SessionProxy.TLSWrap?
var currentBlockName: String? var currentBlockName: String?
var currentBlock: [String] = [] var currentBlock: [String] = []
@ -113,8 +117,13 @@ extension TunnelKitProvider.Configuration {
case "key": case "key":
clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n")) clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "tls-auth", "tls-crypt": case "tls-auth":
unsupportedError = ApplicationError.unsupportedConfiguration(option: blockName) tlsKeyLines = currentBlock.map { Substring($0) }
tlsStrategy = .auth
case "tls-crypt":
tlsKeyLines = currentBlock.map { Substring($0) }
tlsStrategy = .crypt
default: default:
break break
@ -180,6 +189,12 @@ extension TunnelKitProvider.Configuration {
Regex.compress.enumerateComponents(in: line) { _ in Regex.compress.enumerateComponents(in: line) { _ in
compressionFraming = .compress compressionFraming = .compress
} }
Regex.keyDirection.enumerateArguments(in: line) {
guard let arg = $0.first, let value = Int(arg) else {
return
}
keyDirection = StaticKey.Direction(rawValue: value)
}
Regex.ping.enumerateArguments(in: line) { Regex.ping.enumerateArguments(in: line) {
guard let arg = $0.first else { guard let arg = $0.first else {
return return
@ -232,11 +247,26 @@ extension TunnelKitProvider.Configuration {
assert(!endpointProtocols.isEmpty, "Must define an endpoint protocol") assert(!endpointProtocols.isEmpty, "Must define an endpoint protocol")
if let keyLines = tlsKeyLines, let strategy = tlsStrategy {
let optKey: StaticKey?
switch strategy {
case .auth:
optKey = StaticKey(lines: keyLines, direction: keyDirection)
case .crypt:
optKey = StaticKey(lines: keyLines, direction: .client)
}
if let key = optKey {
tlsWrap = SessionProxy.TLSWrap(strategy: strategy, key: key)
}
}
var builder = TunnelKitProvider.ConfigurationBuilder(ca: ca) var builder = TunnelKitProvider.ConfigurationBuilder(ca: ca)
builder.endpointProtocols = endpointProtocols builder.endpointProtocols = endpointProtocols
builder.cipher = cipher ?? .aes128cbc builder.cipher = cipher ?? .aes128cbc
builder.digest = digest ?? .sha1 builder.digest = digest ?? .sha1
builder.compressionFraming = compressionFraming builder.compressionFraming = compressionFraming
builder.tlsWrap = tlsWrap
builder.clientCertificate = clientCertificate builder.clientCertificate = clientCertificate
builder.clientKey = clientKey builder.clientKey = clientKey
builder.keepAliveSeconds = keepAliveSeconds builder.keepAliveSeconds = keepAliveSeconds

5
README.md
View File

@ -67,11 +67,8 @@ In preset mode, you can pick pre-resolved IPv4 endpoints when DNS is problematic
Passepartout can import .ovpn configuration files. This way you can fine-tune encryption without tweaking and reimporting a new configuration. Below are a few limitations worth mentioning. Passepartout can import .ovpn configuration files. This way you can fine-tune encryption without tweaking and reimporting a new configuration. Below are a few limitations worth mentioning.
Unsupported (yet): Unsupported:
- TLS wrapping
- `--tls-auth`
- `--tls-crypt`
- UDP fragmentation, i.e. `--fragment` - UDP fragmentation, i.e. `--fragment`
Unsupported (probably ever): Unsupported (probably ever):