passepartoutvpn
/
passepartout-apple
mirror of https://github.com/passepartoutvpn/passepartout-apple.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'reject-encrypted-certificate-key'

This commit is contained in:
Davide De Rosa 2018-11-01 14:31:36 +01:00
parent a482da892a 25c2308c63
commit 2a1a72e719
3 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added ### Added
- Explicit rejection of encrypted client certificate keys. [#15](https://github.com/keeshux/passepartout-ios/issues/15)
- Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13) - Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13)
- iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14) - iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14)
- Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8) - Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8)

20
Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
View File

@ -99,6 +99,10 @@ extension TunnelKitProvider.Configuration {
var tlsKeyLines: [Substring]? var tlsKeyLines: [Substring]?
var tlsWrap: SessionProxy.TLSWrap? var tlsWrap: SessionProxy.TLSWrap?
var currentBlockName: String?
var currentBlock: [String] = []
var unsupportedError: ApplicationError? = nil
log.verbose("Configuration file:") log.verbose("Configuration file:")
for line in lines { for line in lines {
log.verbose(line) log.verbose(line)
@ -111,10 +115,6 @@ extension TunnelKitProvider.Configuration {
} }
} }
var currentBlockName: String?
var currentBlock: [String] = []
var unsupportedError: ApplicationError? = nil
Regex.blockBegin.enumerateComponents(in: line) { Regex.blockBegin.enumerateComponents(in: line) {
isHandled = true isHandled = true
let tag = $0.first! let tag = $0.first!
@ -145,7 +145,11 @@ extension TunnelKitProvider.Configuration {
clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n")) clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "key": case "key":
clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n")) let container = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
clientKey = container
if container.isEncrypted {
unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key")
}
case "tls-auth": case "tls-auth":
tlsKeyLines = currentBlock.map { Substring($0) } tlsKeyLines = currentBlock.map { Substring($0) }
@ -382,3 +386,9 @@ private extension NSRegularExpression {
} }
} }
} }
extension CryptoContainer {
var isEncrypted: Bool {
return pem.contains("ENCRYPTED")
}
}

2
README.md
View File

@ -73,7 +73,7 @@ Unsupported:
- `--compress` other than empty - `--compress` other than empty
- Proxy - Proxy
- External file references (inline `<block>` only) - External file references (inline `<block>` only)
- Encrypted certificate private key (will raise error TunnelKitNative Code=205) - Encrypted client certificate keys
Ignored: Ignored: