passepartoutvpn
/
tunnelkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Parse EKU choice in .ovpn from remote-cert-tls 

Fix unhandled extra spaces in dhcp-option DNS regex.
This commit is contained in:
Davide De Rosa 2019-02-23 11:51:37 +01:00
parent 265aca0829
commit 010da904fa
3 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
TunnelKit/Sources/AppExtension/TunnelKitProvider+Configuration.swift
View File

@ -60,6 +60,7 @@ extension TunnelKitProvider {
ca: CryptoContainer(pem: ""), ca: CryptoContainer(pem: ""),
clientCertificate: nil, clientCertificate: nil,
clientKey: nil, clientKey: nil,
checksEKU: false,
compressionFraming: .disabled, compressionFraming: .disabled,
tlsWrap: nil, tlsWrap: nil,
keepAliveInterval: nil, keepAliveInterval: nil,
@ -465,6 +466,11 @@ extension TunnelKitProvider {
} else { } else {
log.info("\tClient verification: disabled") log.info("\tClient verification: disabled")
} }
if sessionConfiguration.checksEKU {
log.info("\tServer EKU verification: enabled")
} else {
log.info("\tServer EKU verification: disabled")
}
log.info("\tMTU: \(mtu)") log.info("\tMTU: \(mtu)")
log.info("\tCompression framing: \(sessionConfiguration.compressionFraming)") log.info("\tCompression framing: \(sessionConfiguration.compressionFraming)")
if let keepAliveSeconds = sessionConfiguration.keepAliveInterval, keepAliveSeconds > 0 { if let keepAliveSeconds = sessionConfiguration.keepAliveInterval, keepAliveSeconds > 0 {

11
TunnelKit/Sources/Core/ConfigurationParser.swift
View File

@ -87,11 +87,13 @@ public class ConfigurationParser {
static let keyDirection = NSRegularExpression("^key-direction +\\d") static let keyDirection = NSRegularExpression("^key-direction +\\d")
static let eku = NSRegularExpression("^remote-cert-tls +server")
static let blockBegin = NSRegularExpression("^<[\\w\\-]+>") static let blockBegin = NSRegularExpression("^<[\\w\\-]+>")
static let blockEnd = NSRegularExpression("^<\\/[\\w\\-]+>") static let blockEnd = NSRegularExpression("^<\\/[\\w\\-]+>")
static let dnsRegexp = NSRegularExpression("dhcp-option DNS6? [\\d\\.a-fA-F:]+") static let dns = NSRegularExpression("^dhcp-option +DNS6? +[\\d\\.a-fA-F:]+")
// unsupported // unsupported
@ -139,6 +141,7 @@ public class ConfigurationParser {
var optCA: CryptoContainer? var optCA: CryptoContainer?
var clientCertificate: CryptoContainer? var clientCertificate: CryptoContainer?
var clientKey: CryptoContainer? var clientKey: CryptoContainer?
var checksEKU = false
var keepAliveSeconds: TimeInterval? var keepAliveSeconds: TimeInterval?
var renegotiateAfterSeconds: TimeInterval? var renegotiateAfterSeconds: TimeInterval?
var keyDirection: StaticKey.Direction? var keyDirection: StaticKey.Direction?
@ -218,6 +221,9 @@ public class ConfigurationParser {
continue continue
} }
Regex.eku.enumerateComponents(in: line) { (_) in
checksEKU = true
}
Regex.proto.enumerateArguments(in: line) { Regex.proto.enumerateArguments(in: line) {
isHandled = true isHandled = true
guard let str = $0.first else { guard let str = $0.first else {
@ -319,7 +325,7 @@ public class ConfigurationParser {
} }
renegotiateAfterSeconds = TimeInterval(arg) renegotiateAfterSeconds = TimeInterval(arg)
} }
Regex.dnsRegexp.enumerateArguments(in: line) { Regex.dns.enumerateArguments(in: line) {
isHandled = true isHandled = true
guard $0.count == 2 else { guard $0.count == 2 else {
return return
@ -399,6 +405,7 @@ public class ConfigurationParser {
sessionBuilder.tlsWrap = tlsWrap sessionBuilder.tlsWrap = tlsWrap
sessionBuilder.clientCertificate = clientCertificate sessionBuilder.clientCertificate = clientCertificate
sessionBuilder.clientKey = clientKey sessionBuilder.clientKey = clientKey
sessionBuilder.checksEKU = checksEKU
sessionBuilder.keepAliveInterval = keepAliveSeconds sessionBuilder.keepAliveInterval = keepAliveSeconds
sessionBuilder.renegotiatesAfter = renegotiateAfterSeconds sessionBuilder.renegotiatesAfter = renegotiateAfterSeconds
sessionBuilder.dnsServers = dnsServers sessionBuilder.dnsServers = dnsServers

10
TunnelKit/Sources/Core/SessionProxy+Configuration.swift
View File

@ -150,6 +150,9 @@ extension SessionProxy {
/// The private key for the certificate in `clientCertificate` (PEM format). /// The private key for the certificate in `clientCertificate` (PEM format).
public var clientKey: CryptoContainer? public var clientKey: CryptoContainer?
/// If true, checks EKU of server certificate.
public var checksEKU: Bool
/// Sets compression framing, disabled by default. /// Sets compression framing, disabled by default.
public var compressionFraming: CompressionFraming public var compressionFraming: CompressionFraming
@ -175,6 +178,7 @@ extension SessionProxy {
self.ca = ca self.ca = ca
clientCertificate = nil clientCertificate = nil
clientKey = nil clientKey = nil
checksEKU = false
compressionFraming = .disabled compressionFraming = .disabled
tlsWrap = nil tlsWrap = nil
keepAliveInterval = nil keepAliveInterval = nil
@ -195,6 +199,7 @@ extension SessionProxy {
ca: ca, ca: ca,
clientCertificate: clientCertificate, clientCertificate: clientCertificate,
clientKey: clientKey, clientKey: clientKey,
checksEKU: checksEKU,
compressionFraming: compressionFraming, compressionFraming: compressionFraming,
tlsWrap: tlsWrap, tlsWrap: tlsWrap,
keepAliveInterval: keepAliveInterval, keepAliveInterval: keepAliveInterval,
@ -223,6 +228,9 @@ extension SessionProxy {
/// - Seealso: `SessionProxy.ConfigurationBuilder.clientKey` /// - Seealso: `SessionProxy.ConfigurationBuilder.clientKey`
public let clientKey: CryptoContainer? public let clientKey: CryptoContainer?
/// - Seealso: `SessionProxy.ConfigurationBuilder.checksEKU`
public let checksEKU: Bool
/// - Seealso: `SessionProxy.ConfigurationBuilder.compressionFraming` /// - Seealso: `SessionProxy.ConfigurationBuilder.compressionFraming`
public let compressionFraming: CompressionFraming public let compressionFraming: CompressionFraming
@ -252,6 +260,7 @@ extension SessionProxy {
builder.digest = digest builder.digest = digest
builder.clientCertificate = clientCertificate builder.clientCertificate = clientCertificate
builder.clientKey = clientKey builder.clientKey = clientKey
builder.checksEKU = checksEKU
builder.compressionFraming = compressionFraming builder.compressionFraming = compressionFraming
builder.tlsWrap = tlsWrap builder.tlsWrap = tlsWrap
builder.keepAliveInterval = keepAliveInterval builder.keepAliveInterval = keepAliveInterval
@ -271,6 +280,7 @@ extension SessionProxy {
(lhs.ca == rhs.ca) && (lhs.ca == rhs.ca) &&
(lhs.clientCertificate == rhs.clientCertificate) && (lhs.clientCertificate == rhs.clientCertificate) &&
(lhs.clientKey == rhs.clientKey) && (lhs.clientKey == rhs.clientKey) &&
(lhs.checksEKU == rhs.checksEKU) &&
(lhs.compressionFraming == rhs.compressionFraming) && (lhs.compressionFraming == rhs.compressionFraming) &&
(lhs.keepAliveInterval == rhs.keepAliveInterval) && (lhs.keepAliveInterval == rhs.keepAliveInterval) &&
(lhs.renegotiatesAfter == rhs.renegotiatesAfter) && (lhs.renegotiatesAfter == rhs.renegotiatesAfter) &&