Merge pull request #5 from keeshux/integrate-tls-wrapping

Integrate TLS wrapping
This commit is contained in:
Davide De Rosa 2018-10-19 17:50:05 +02:00 committed by GitHub
commit b38f033a13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 60 additions and 19 deletions

View File

@ -7,10 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Added
- Support for TLS wrapping (tls-auth and tls-crypt). [#5](https://github.com/keeshux/passepartout-ios/pull/5)
### Fixed
- Credentials are now optional for host profiles. [#4](https://github.com/keeshux/passepartout-ios/pull/4)
- Fixed Mullvad abrupt disconnection. [tunnelkit#30](https://github.com/keeshux/tunnelkit/issues/30)
- Credentials are now optional for host profiles. [#4](https://github.com/keeshux/passepartout-ios/pull/4)
## 1.0 beta 1018 (2018-10-18)

View File

@ -195,7 +195,17 @@ extension ConfigurationViewController: UITableViewDataSource, UITableViewDelegat
case .tlsWrapping:
cell.leftText = L10n.Configuration.Cells.TlsWrapping.caption
let V = L10n.Configuration.Cells.TlsWrapping.Value.self
if let strategy = configuration.tlsWrap?.strategy {
switch strategy {
case .auth:
cell.rightText = V.auth
case .crypt:
cell.rightText = V.crypt
}
} else {
cell.rightText = V.disabled
}
cell.accessoryType = .none
cell.isTappable = false

View File

@ -74,6 +74,10 @@ extension TunnelKitProvider.Configuration {
var clientKey: CryptoContainer?
var keepAliveSeconds: Int?
var renegotiateAfterSeconds: Int?
var keyDirection: StaticKey.Direction?
var tlsStrategy: SessionProxy.TLSWrap.Strategy?
var tlsKeyLines: [Substring]?
var tlsWrap: SessionProxy.TLSWrap?
var currentBlockName: String?
var currentBlock: [String] = []
@ -113,8 +117,13 @@ extension TunnelKitProvider.Configuration {
case "key":
clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "tls-auth", "tls-crypt":
unsupportedError = ApplicationError.unsupportedConfiguration(option: blockName)
case "tls-auth":
tlsKeyLines = currentBlock.map { Substring($0) }
tlsStrategy = .auth
case "tls-crypt":
tlsKeyLines = currentBlock.map { Substring($0) }
tlsStrategy = .crypt
default:
break
@ -180,6 +189,12 @@ extension TunnelKitProvider.Configuration {
Regex.compress.enumerateComponents(in: line) { _ in
compressionFraming = .compress
}
Regex.keyDirection.enumerateArguments(in: line) {
guard let arg = $0.first, let value = Int(arg) else {
return
}
keyDirection = StaticKey.Direction(rawValue: value)
}
Regex.ping.enumerateArguments(in: line) {
guard let arg = $0.first else {
return
@ -232,11 +247,26 @@ extension TunnelKitProvider.Configuration {
assert(!endpointProtocols.isEmpty, "Must define an endpoint protocol")
if let keyLines = tlsKeyLines, let strategy = tlsStrategy {
let optKey: StaticKey?
switch strategy {
case .auth:
optKey = StaticKey(lines: keyLines, direction: keyDirection)
case .crypt:
optKey = StaticKey(lines: keyLines, direction: .client)
}
if let key = optKey {
tlsWrap = SessionProxy.TLSWrap(strategy: strategy, key: key)
}
}
var builder = TunnelKitProvider.ConfigurationBuilder(ca: ca)
builder.endpointProtocols = endpointProtocols
builder.cipher = cipher ?? .aes128cbc
builder.digest = digest ?? .sha1
builder.compressionFraming = compressionFraming
builder.tlsWrap = tlsWrap
builder.clientCertificate = clientCertificate
builder.clientKey = clientKey
builder.keepAliveSeconds = keepAliveSeconds

View File

@ -3,7 +3,7 @@ use_frameworks!
def shared_pods
#pod 'TunnelKit', '~> 1.1.2'
pod 'TunnelKit', :git => 'https://github.com/keeshux/tunnelkit', :commit => 'ca192e4'
pod 'TunnelKit', :git => 'https://github.com/keeshux/tunnelkit', :commit => '29ec39f'
#pod 'TunnelKit', :path => '../tunnelkit'
end

View File

@ -2,19 +2,19 @@ PODS:
- MBProgressHUD (1.1.0)
- OpenSSL-Apple (1.1.0i-v2)
- SwiftyBeaver (1.6.1)
- TunnelKit (1.1.2):
- TunnelKit/AppExtension (= 1.1.2)
- TunnelKit/Core (= 1.1.2)
- TunnelKit/AppExtension (1.1.2):
- TunnelKit (1.2.0):
- TunnelKit/AppExtension (= 1.2.0)
- TunnelKit/Core (= 1.2.0)
- TunnelKit/AppExtension (1.2.0):
- SwiftyBeaver
- TunnelKit/Core
- TunnelKit/Core (1.1.2):
- TunnelKit/Core (1.2.0):
- OpenSSL-Apple (~> 1.1.0h)
- SwiftyBeaver
DEPENDENCIES:
- MBProgressHUD
- TunnelKit (from `https://github.com/keeshux/tunnelkit`, commit `ca192e4`)
- TunnelKit (from `https://github.com/keeshux/tunnelkit`, commit `29ec39f`)
SPEC REPOS:
https://github.com/cocoapods/specs.git:
@ -24,20 +24,20 @@ SPEC REPOS:
EXTERNAL SOURCES:
TunnelKit:
:commit: ca192e4
:commit: 29ec39f
:git: https://github.com/keeshux/tunnelkit
CHECKOUT OPTIONS:
TunnelKit:
:commit: ca192e4
:commit: 29ec39f
:git: https://github.com/keeshux/tunnelkit
SPEC CHECKSUMS:
MBProgressHUD: e7baa36a220447d8aeb12769bf0585582f3866d9
OpenSSL-Apple: a93b8f2eec8783ff40d9a9304de180ab68bb647c
SwiftyBeaver: ccfcdf85a04d429f1633f668650b0ce8020bda3a
TunnelKit: 8167e45290d15e2c7c789d8d4c0d5f084f532335
TunnelKit: aad1982c96ba0eace1494d4020ecdd1a34c5a788
PODFILE CHECKSUM: a720594d8829c15b76e9ea32e2bd98a4854961cf
PODFILE CHECKSUM: 3d7c4db47830b499bdcf24c498e36b5c619e2ad1
COCOAPODS: 1.6.0.beta.2

View File

@ -67,11 +67,8 @@ In preset mode, you can pick pre-resolved IPv4 endpoints when DNS is problematic
Passepartout can import .ovpn configuration files. This way you can fine-tune encryption without tweaking and reimporting a new configuration. Below are a few limitations worth mentioning.
Unsupported (yet):
Unsupported:
- TLS wrapping
- `--tls-auth`
- `--tls-crypt`
- UDP fragmentation, i.e. `--fragment`
Unsupported (probably ever):