Parse EKU choice in .ovpn from remote-cert-tls

Fix unhandled extra spaces in dhcp-option DNS regex.
2019-02-23 11:51:37 +01:00 · 2019-02-23 11:51:37 +01:00 · 010da904fa
parent 265aca0829
commit 010da904fa
3 changed files with 25 additions and 2 deletions
--- a/TunnelKit/Sources/AppExtension/TunnelKitProvider+Configuration.swift
+++ b/TunnelKit/Sources/AppExtension/TunnelKitProvider+Configuration.swift
@ -60,6 +60,7 @@ extension TunnelKitProvider {
                ca: CryptoContainer(pem: ""),
                clientCertificate: nil,
                clientKey: nil,
+                checksEKU: false,
                compressionFraming: .disabled,
                tlsWrap: nil,
                keepAliveInterval: nil,
@ -465,6 +466,11 @@ extension TunnelKitProvider {
            } else {
                log.info("\tClient verification: disabled")
            }
+            if sessionConfiguration.checksEKU {
+                log.info("\tServer EKU verification: enabled")
+            } else {
+                log.info("\tServer EKU verification: disabled")
+            }
            log.info("\tMTU: \(mtu)")
            log.info("\tCompression framing: \(sessionConfiguration.compressionFraming)")
            if let keepAliveSeconds = sessionConfiguration.keepAliveInterval, keepAliveSeconds > 0 {
--- a/TunnelKit/Sources/Core/ConfigurationParser.swift
+++ b/TunnelKit/Sources/Core/ConfigurationParser.swift
@ -87,11 +87,13 @@ public class ConfigurationParser {

        static let keyDirection = NSRegularExpression("^key-direction +\\d")
        
+        static let eku = NSRegularExpression("^remote-cert-tls +server")
+
        static let blockBegin = NSRegularExpression("^<[\\w\\-]+>")
        
        static let blockEnd = NSRegularExpression("^<\\/[\\w\\-]+>")

-        static let dnsRegexp = NSRegularExpression("dhcp-option DNS6? [\\d\\.a-fA-F:]+")
+        static let dns = NSRegularExpression("^dhcp-option +DNS6? +[\\d\\.a-fA-F:]+")
        
        // unsupported

@ -139,6 +141,7 @@ public class ConfigurationParser {
        var optCA: CryptoContainer?
        var clientCertificate: CryptoContainer?
        var clientKey: CryptoContainer?
+        var checksEKU = false
        var keepAliveSeconds: TimeInterval?
        var renegotiateAfterSeconds: TimeInterval?
        var keyDirection: StaticKey.Direction?
@ -218,6 +221,9 @@ public class ConfigurationParser {
                continue
            }
            
+            Regex.eku.enumerateComponents(in: line) { (_) in
+                checksEKU = true
+            }
            Regex.proto.enumerateArguments(in: line) {
                isHandled = true
                guard let str = $0.first else {
@ -319,7 +325,7 @@ public class ConfigurationParser {
                }
                renegotiateAfterSeconds = TimeInterval(arg)
            }
-            Regex.dnsRegexp.enumerateArguments(in: line) {
+            Regex.dns.enumerateArguments(in: line) {
                isHandled = true
                guard $0.count == 2 else {
                    return
@ -399,6 +405,7 @@ public class ConfigurationParser {
        sessionBuilder.tlsWrap = tlsWrap
        sessionBuilder.clientCertificate = clientCertificate
        sessionBuilder.clientKey = clientKey
+        sessionBuilder.checksEKU = checksEKU
        sessionBuilder.keepAliveInterval = keepAliveSeconds
        sessionBuilder.renegotiatesAfter = renegotiateAfterSeconds
        sessionBuilder.dnsServers = dnsServers
--- a/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
@ -150,6 +150,9 @@ extension SessionProxy {
        /// The private key for the certificate in `clientCertificate` (PEM format).
        public var clientKey: CryptoContainer?
        
+        /// If true, checks EKU of server certificate.
+        public var checksEKU: Bool
+        
        /// Sets compression framing, disabled by default.
        public var compressionFraming: CompressionFraming

@ -175,6 +178,7 @@ extension SessionProxy {
            self.ca = ca
            clientCertificate = nil
            clientKey = nil
+            checksEKU = false
            compressionFraming = .disabled
            tlsWrap = nil
            keepAliveInterval = nil
@ -195,6 +199,7 @@ extension SessionProxy {
                ca: ca,
                clientCertificate: clientCertificate,
                clientKey: clientKey,
+                checksEKU: checksEKU,
                compressionFraming: compressionFraming,
                tlsWrap: tlsWrap,
                keepAliveInterval: keepAliveInterval,
@ -223,6 +228,9 @@ extension SessionProxy {
        /// - Seealso: `SessionProxy.ConfigurationBuilder.clientKey`
        public let clientKey: CryptoContainer?
        
+        /// - Seealso: `SessionProxy.ConfigurationBuilder.checksEKU`
+        public let checksEKU: Bool
+
        /// - Seealso: `SessionProxy.ConfigurationBuilder.compressionFraming`
        public let compressionFraming: CompressionFraming

@ -252,6 +260,7 @@ extension SessionProxy {
            builder.digest = digest
            builder.clientCertificate = clientCertificate
            builder.clientKey = clientKey
+            builder.checksEKU = checksEKU
            builder.compressionFraming = compressionFraming
            builder.tlsWrap = tlsWrap
            builder.keepAliveInterval = keepAliveInterval
@ -271,6 +280,7 @@ extension SessionProxy {
                (lhs.ca == rhs.ca) &&
                (lhs.clientCertificate == rhs.clientCertificate) &&
                (lhs.clientKey == rhs.clientKey) &&
+                (lhs.checksEKU == rhs.checksEKU) &&
                (lhs.compressionFraming == rhs.compressionFraming) &&
                (lhs.keepAliveInterval == rhs.keepAliveInterval) &&
                (lhs.renegotiatesAfter == rhs.renegotiatesAfter) &&