From 0ab2244c365ac73cc1748073e0cd3bba69f80887 Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Thu, 1 Nov 2018 14:27:33 +0100
Subject: [PATCH 1/2] Revert "Move variable declaration to proper scope"
This reverts commit 49b86c2888844b647eb640ae4b5f891c8931754f. ...because it was VERY WRONG.
---
.../Sources/VPN/TunnelKitProvider+FileConfiguration.swift | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
index 99558147..77a7a633 100644
--- a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
+++ b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
@@ -99,6 +99,10 @@ extension TunnelKitProvider.Configuration {
var tlsKeyLines: [Substring]?
var tlsWrap: SessionProxy.TLSWrap?
+ var currentBlockName: String?
+ var currentBlock: [String] = []
+ var unsupportedError: ApplicationError? = nil
+
log.verbose("Configuration file:")
for line in lines {
log.verbose(line)
@@ -111,10 +115,6 @@ extension TunnelKitProvider.Configuration {
}
}
- var currentBlockName: String?
- var currentBlock: [String] = []
- var unsupportedError: ApplicationError? = nil
-
Regex.blockBegin.enumerateComponents(in: line) {
isHandled = true
let tag = $0.first!
From 25c2308c63af0b386898e0860c05dba970967620 Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Thu, 1 Nov 2018 14:08:02 +0100
Subject: [PATCH 2/2] Reject encrypted certificate key
Do at least a poor-man check on the PEM header. Fixes #15
---
CHANGELOG.md | 1 +
.../VPN/TunnelKitProvider+FileConfiguration.swift | 12 +++++++++++-
README.md | 2 +-
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6554886..e5914488 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
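Review bot: The three accumulators hoisted above `for line in lines` in the `@@ -99` hunk carry no comment saying why they must outlive a single iteration, which is precisely the mistake the reverted commit made and the mirror removal in the `@@ -111` hunk undoes. A one-line comment above them, such as `// Inline-block parsing state: presumably accumulated across several lines until the block's closing tag, so it must not be re-declared inside the line loop.`, would make the scope deliberate rather than accidental (the multi-line assumption is inferred from the `currentBlock: [String]` accumulator, so confirm it). Minor style point on the same lines: `var unsupportedError: ApplicationError? = nil` can drop the redundant `= nil`, since an optional `var` already starts as `nil`. The enclosing parsing function starts before the first hunk and continues past the second.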
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
+- Explicit rejection of encrypted client certificate keys. [#15](https://github.com/keeshux/passepartout-ios/issues/15)
- Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13)
- iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14)
- Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8)
diff --git a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
index 77a7a633..a38bdb55 100644
--- a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
+++ b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
@@ -145,7 +145,11 @@ extension TunnelKitProvider.Configuration {
clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "key":
- clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+ let container = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+ clientKey = container
+ if container.isEncrypted {
+ unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key")
+ }
case "tls-auth":
tlsKeyLines = currentBlock.map { Substring($0) }
@@ -382,3 +386,9 @@ private extension NSRegularExpression {
}
}
}
+
+extension CryptoContainer {
+ var isEncrypted: Bool {
+ return pem.contains("ENCRYPTED")
+ }
+}
diff --git a/README.md b/README.md
index 2d0e4617..15467013 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ Unsupported:
- `--compress` other than empty
- Proxy
- External file references (inline `` only)
-- Encrypted certificate private key (will raise error TunnelKitNative Code=205)
+- Encrypted client certificate keys
Ignored:
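Review bot: In the `@@ -145` hunk `clientKey = container` runs before `container.isEncrypted` is tested, so the encrypted key material is still stored in the configuration being built and only `unsupportedError` records the rejection; whether that partial configuration can still escape depends on how `unsupportedError` is consumed after the loop, which is outside the hunk. Keeping the assignment under the check removes the question: `if container.isEncrypted { unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key") } else { clientKey = container }`. Note also that the plain assignment overwrites any `unsupportedError` set by an earlier block, so only the last unsupported option would be reported, if several occur. The `switch` and the closure it sits in both start and end outside the hunk.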
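Review bot: `isEncrypted` in the new `CryptoContainer` extension (`@@ -382` hunk) searches the whole PEM text for `ENCRYPTED`, so it fires on any occurrence of the word, not only on the header lines that actually mark an encrypted key (`-----BEGIN ENCRYPTED PRIVATE KEY-----` for PKCS#8, `Proc-Type: 4,ENCRYPTED` for the OpenSSL legacy format); a base64 body or a comment line containing the token would be misclassified. Restricting the test to line prefixes keeps the poor-man check but removes the accidental match: `return pem.split(separator: "\n").contains { $0.hasPrefix("-----BEGIN ENCRYPTED") || $0.hasPrefix("Proc-Type: 4,ENCRYPTED") }`. The property also deserves a `///` comment stating that it is a header heuristic rather than a parse of the key, so callers do not read `false` as proof that the key is usable. The extension is complete within the hunk.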