Support TLS wrapping via TunnelKit
tls-auth and tls-crypt.
This commit is contained in:
Davide De Rosa
parent
3ca9659942
commit
0954de3322
|
|
@ -195,7 +195,17 @@ extension ConfigurationViewController: UITableViewDataSource, UITableViewDelegat
|
|||
case .tlsWrapping:
|
||||
cell.leftText = L10n.Configuration.Cells.TlsWrapping.caption
|
||||
let V = L10n.Configuration.Cells.TlsWrapping.Value.self
|
||||
if let strategy = configuration.tlsWrap?.strategy {
|
||||
switch strategy {
|
||||
case .auth:
|
||||
cell.rightText = V.auth
|
||||
|
||||
case .crypt:
|
||||
cell.rightText = V.crypt
|
||||
}
|
||||
} else {
|
||||
cell.rightText = V.disabled
|
||||
}
|
||||
cell.accessoryType = .none
|
||||
cell.isTappable = false
|
||||
|
||||
|
|
|
|||
|
|
@ -74,6 +74,10 @@ extension TunnelKitProvider.Configuration {
|
|||
var clientKey: CryptoContainer?
|
||||
var keepAliveSeconds: Int?
|
||||
var renegotiateAfterSeconds: Int?
|
||||
var keyDirection: StaticKey.Direction?
|
||||
var tlsStrategy: SessionProxy.TLSWrap.Strategy?
|
||||
var tlsKeyLines: [Substring]?
|
||||
var tlsWrap: SessionProxy.TLSWrap?
|
||||
|
||||
var currentBlockName: String?
|
||||
var currentBlock: [String] = []
|
||||
|
|
@ -113,8 +117,13 @@ extension TunnelKitProvider.Configuration {
|
|||
case "key":
|
||||
clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
|
||||
|
||||
case "tls-auth", "tls-crypt":
|
||||
unsupportedError = ApplicationError.unsupportedConfiguration(option: blockName)
|
||||
case "tls-auth":
|
||||
tlsKeyLines = currentBlock.map { Substring($0) }
|
||||
tlsStrategy = .auth
|
||||
|
||||
case "tls-crypt":
|
||||
tlsKeyLines = currentBlock.map { Substring($0) }
|
||||
tlsStrategy = .crypt
|
||||
|
||||
default:
|
||||
break
|
||||
|
|
@ -180,6 +189,12 @@ extension TunnelKitProvider.Configuration {
|
|||
Regex.compress.enumerateComponents(in: line) { _ in
|
||||
compressionFraming = .compress
|
||||
}
|
||||
Regex.keyDirection.enumerateArguments(in: line) {
|
||||
guard let arg = $0.first, let value = Int(arg) else {
|
||||
return
|
||||
}
|
||||
keyDirection = StaticKey.Direction(rawValue: value)
|
||||
}
|
||||
Regex.ping.enumerateArguments(in: line) {
|
||||
guard let arg = $0.first else {
|
||||
return
|
||||
|
|
@ -232,11 +247,26 @@ extension TunnelKitProvider.Configuration {
|
|||
|
||||
assert(!endpointProtocols.isEmpty, "Must define an endpoint protocol")
|
||||
|
||||
if let keyLines = tlsKeyLines, let strategy = tlsStrategy {
|
||||
let optKey: StaticKey?
|
||||
switch strategy {
|
||||
case .auth:
|
||||
optKey = StaticKey(lines: keyLines, direction: keyDirection)
|
||||
|
||||
case .crypt:
|
||||
optKey = StaticKey(lines: keyLines, direction: .client)
|
||||
}
|
||||
if let key = optKey {
|
||||
tlsWrap = SessionProxy.TLSWrap(strategy: strategy, key: key)
|
||||
}
|
||||
}
|
||||
|
||||
var builder = TunnelKitProvider.ConfigurationBuilder(ca: ca)
|
||||
builder.endpointProtocols = endpointProtocols
|
||||
builder.cipher = cipher ?? .aes128cbc
|
||||
builder.digest = digest ?? .sha1
|
||||
builder.compressionFraming = compressionFraming
|
||||
builder.tlsWrap = tlsWrap
|
||||
builder.clientCertificate = clientCertificate
|
||||
builder.clientKey = clientKey
|
||||
builder.keepAliveSeconds = keepAliveSeconds
|
||||
|
|
|
|||
|
|
@ -67,11 +67,8 @@ In preset mode, you can pick pre-resolved IPv4 endpoints when DNS is problematic
|
|||
|
||||
Passepartout can import .ovpn configuration files. This way you can fine-tune encryption without tweaking and reimporting a new configuration. Below are a few limitations worth mentioning.
|
||||
|
||||
Unsupported (yet):
|
||||
Unsupported:
|
||||
|
||||
- TLS wrapping
|
||||
- `--tls-auth`
|
||||
- `--tls-crypt`
|
||||
- UDP fragmentation, i.e. `--fragment`
|
||||
|
||||
Unsupported (probably ever):
|
||||
|
|
|
|||
Loading…
Reference in New Issue