Merge branch 'reject-encrypted-certificate-key'

This commit is contained in:
Davide De Rosa 2018-11-01 14:31:36 +01:00
commit 2a1a72e719
3 changed files with 17 additions and 6 deletions


@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- Explicit rejection of encrypted client certificate keys. [#15](https://github.com/keeshux/passepartout-ios/issues/15)
- Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13)
- iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14)
- Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8)


@ -99,6 +99,10 @@ extension TunnelKitProvider.Configuration {
var tlsKeyLines: [Substring]?
var tlsWrap: SessionProxy.TLSWrap?
var currentBlockName: String?
var currentBlock: [String] = []
var unsupportedError: ApplicationError? = nil
log.verbose("Configuration file:")
for line in lines {
log.verbose(line)
@ -111,10 +115,6 @@ extension TunnelKitProvider.Configuration {
}
}
var currentBlockName: String?
var currentBlock: [String] = []
var unsupportedError: ApplicationError? = nil
Regex.blockBegin.enumerateComponents(in: line) {
isHandled = true
let tag = $0.first!
@ -145,7 +145,11 @@ extension TunnelKitProvider.Configuration {
clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "key":
clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
let container = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
clientKey = container
if container.isEncrypted {
unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key")
}
case "tls-auth":
tlsKeyLines = currentBlock.map { Substring($0) }
@ -382,3 +386,9 @@ private extension NSRegularExpression {
}
}
}
extension CryptoContainer {
var isEncrypted: Bool {
return pem.contains("ENCRYPTED")
}
}
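Review bot: `isEncrypted` in the new `CryptoContainer` extension decides on a bare `pem.contains("ENCRYPTED")`, a substring match over the whole key text rather than a check of the PEM headers, so an unrelated line inside the inline `<key>` block that happens to contain that word would reject a usable key, while a differently cased variant would slip through. The two encrypted forms actually seen in practice are the PKCS#8 `-----BEGIN ENCRYPTED PRIVATE KEY-----` label and the legacy `Proc-Type: 4,ENCRYPTED` header, so anchoring on those is both tighter and self-documenting: `return pem.contains("BEGIN ENCRYPTED PRIVATE KEY") || pem.contains("Proc-Type: 4,ENCRYPTED")`. A one-line `///` comment stating that this is a header heuristic which does not attempt to parse or decrypt the key would help the next reader. In the `case "key":` hunk, `clientKey = container` is still assigned before `unsupportedError` is set, and the enclosing parse function that presumably consumes `unsupportedError` after the loop lies outside the hunk, so whether a partially built configuration can escape on that path cannot be confirmed from here.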


@ -73,7 +73,7 @@ Unsupported:
- `--compress` other than empty
- Proxy
- External file references (inline `<block>` only)
- Encrypted certificate private key (will raise error TunnelKitNative Code=205)
- Encrypted client certificate keys
Ignored: