From 265aca0829adcd64d281322650f9a6a4473d38f9 Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Sat, 23 Feb 2019 11:39:37 +0100
Subject: [PATCH] Make EKU verification optional in TLSBox

---
 TunnelKit/Sources/Core/SessionProxy.swift | 3 ++-
 TunnelKit/Sources/Core/TLSBox.h | 3 ++-
 TunnelKit/Sources/Core/TLSBox.m | 9 +++++++--
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/TunnelKit/Sources/Core/SessionProxy.swift b/TunnelKit/Sources/Core/SessionProxy.swift
index e045c68..3a45bf3 100644
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@@ -771,7 +771,8 @@ public class SessionProxy {
 negotiationKey.tlsOptional = TLSBox(
 caPath: caURL.path,
 clientCertificatePath: (configuration.clientCertificate != nil) ? clientCertificateURL.path : nil,
- clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil
+ clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil,
+ checksEKU: true
 )
 do {
 try negotiationKey.tls.start()
diff --git a/TunnelKit/Sources/Core/TLSBox.h b/TunnelKit/Sources/Core/TLSBox.h
index 76e6d54..16194f5 100644
--- a/TunnelKit/Sources/Core/TLSBox.h
+++ b/TunnelKit/Sources/Core/TLSBox.h
@@ -55,7 +55,8 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification;
 
 - (instancetype)initWithCAPath:(NSString *)caPath
 clientCertificatePath:(nullable NSString *)clientCertificatePath
- clientKeyPath:(nullable NSString *)clientKeyPath;
+ clientKeyPath:(nullable NSString *)clientKeyPath
+ checksEKU:(BOOL)checksEKU;
 
 - (BOOL)startWithError:(NSError **)error;
 
diff --git a/TunnelKit/Sources/Core/TLSBox.m b/TunnelKit/Sources/Core/TLSBox.m
index 65f9a78..6a7a532 100644
--- a/TunnelKit/Sources/Core/TLSBox.m
+++ b/TunnelKit/Sources/Core/TLSBox.m
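Review bot: `checksEKU: true` is hard-coded at the TLSBox call site, so the opt-out this commit introduces cannot be reached from the session configuration. If that is intentional for now, a short comment such as `// EKU verification is always on until a configuration option exposes it` would make it explicit; otherwise the value should come from `configuration`, with `true` kept as the default so a server certificate lacking the expected EKU still fails the handshake unless a caller explicitly opts out. The enclosing code in SessionProxy starts and ends outside the hunk.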
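Review bot: The new `checksEKU:` parameter has no doc comment in the public header, and it toggles a certificate check, so a reader needs to know exactly what passing `NO` disables. A doc comment on the initializer such as `/// @param checksEKU When NO, the server certificate's extended key usage is not verified after the handshake and TunnelKitErrorCodeTLSBoxServerEKU is never reported; the TLSBoxVerifyPeer callback is not affected by this flag.` would cover it. If this is the class's only initializer, marking it `NS_DESIGNATED_INITIALIZER` would also document that callers must go through it.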
@@ -65,6 +65,7 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 @property (nonatomic, strong) NSString *caPath;
 @property (nonatomic, strong) NSString *clientCertificatePath;
 @property (nonatomic, strong) NSString *clientKeyPath;
+@property (nonatomic, assign) BOOL checksEKU;
 @property (nonatomic, assign) BOOL isConnected;
 @property (nonatomic, unsafe_unretained) SSL_CTX *ctx;
 
@@ -105,12 +106,16 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 return nil;
 }
 
-- (instancetype)initWithCAPath:(NSString *)caPath clientCertificatePath:(NSString *)clientCertificatePath clientKeyPath:(NSString *)clientKeyPath
+- (instancetype)initWithCAPath:(NSString *)caPath
+ clientCertificatePath:(NSString *)clientCertificatePath
+ clientKeyPath:(NSString *)clientKeyPath
+ checksEKU:(BOOL)checksEKU
 {
 if ((self = [super init])) {
 self.caPath = caPath;
 self.clientCertificatePath = clientCertificatePath;
 self.clientKeyPath = clientKeyPath;
+ self.checksEKU = checksEKU;
 self.bufferCipherText = allocate_safely(TLSBoxMaxBufferLength);
 }
 return self;
@@ -196,7 +201,7 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 if (!self.isConnected && SSL_is_init_finished(self.ssl)) {
 self.isConnected = YES;
 
- if (![self verifyEKUWithSSL:self.ssl]) {
+ if (self.checksEKU && ![self verifyEKUWithSSL:self.ssl]) {
 if (error) {
 *error = TunnelKitErrorWithCode(TunnelKitErrorCodeTLSBoxServerEKU);
 }
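Review bot: When `checksEKU` is NO the EKU check on the changed line in the last hunk is skipped silently, so a handshake that previously failed with TunnelKitErrorCodeTLSBoxServerEKU now proceeds with no trace in logs or errors. Someone investigating a misconfigured or suspicious server would want that recorded, either by logging once at this point (any logging facility the file has is outside the hunk) or at least by commenting the branch, e.g. `// EKU verification is opt-out (checksEKU == NO); the TLSBoxVerifyPeer callback is unaffected by this flag`. The property added in the first hunk of this file likewise carries no hint of when a caller is expected to disable it, and a one-line comment there naming the intended use would help reviewers judge future call sites. The enclosing method starts before the hunk and continues after it.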