Make EKU verification optional in TLSBox

Davide De Rosa 2019-02-23 11:39:37 +01:00
parent 0e891a1029
commit 265aca0829
3 changed files with 11 additions and 4 deletions


@ -771,7 +771,8 @@ public class SessionProxy {
negotiationKey.tlsOptional = TLSBox( negotiationKey.tlsOptional = TLSBox(
caPath: caURL.path, caPath: caURL.path,
clientCertificatePath: (configuration.clientCertificate != nil) ? clientCertificateURL.path : nil, clientCertificatePath: (configuration.clientCertificate != nil) ? clientCertificateURL.path : nil,
clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil,
checksEKU: true
) )
do { do {
try negotiationKey.tls.start() try negotiationKey.tls.start()
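Review bot: The call site passes `checksEKU: true` as a bare literal, so the flag this commit introduces is not yet driven by `configuration`, and a reader cannot tell whether keeping it hard-coded is deliberate. A short comment at the argument would record the intent, e.g. `// EKU verification stays mandatory for the proxy's own negotiation; if this is ever exposed through configuration, keep true as the default`. The enclosing method of SessionProxy starts and ends outside the hunk.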


@ -55,7 +55,8 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification;
- (instancetype)initWithCAPath:(NSString *)caPath - (instancetype)initWithCAPath:(NSString *)caPath
clientCertificatePath:(nullable NSString *)clientCertificatePath clientCertificatePath:(nullable NSString *)clientCertificatePath
clientKeyPath:(nullable NSString *)clientKeyPath; clientKeyPath:(nullable NSString *)clientKeyPath
checksEKU:(BOOL)checksEKU;
- (BOOL)startWithError:(NSError **)error; - (BOOL)startWithError:(NSError **)error;
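Review bot: The new `checksEKU:` parameter of `initWithCAPath:clientCertificatePath:clientKeyPath:checksEKU:` has no doc comment, and this header is the only place callers learn what passing NO gives up. I would add above the declaration: `/// @param checksEKU When YES, the server certificate's extended key usage is verified once the handshake completes and a failure is reported from -startWithError: as TunnelKitErrorCodeTLSBoxServerEKU; when NO that check is skipped and peer verification rests on the CA path alone.` The error code is the one written in TLSBox.m in this same commit, so the reference is grounded; the nullability of the other parameters is already annotated and needs no change.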


@ -65,6 +65,7 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
@property (nonatomic, strong) NSString *caPath; @property (nonatomic, strong) NSString *caPath;
@property (nonatomic, strong) NSString *clientCertificatePath; @property (nonatomic, strong) NSString *clientCertificatePath;
@property (nonatomic, strong) NSString *clientKeyPath; @property (nonatomic, strong) NSString *clientKeyPath;
@property (nonatomic, assign) BOOL checksEKU;
@property (nonatomic, assign) BOOL isConnected; @property (nonatomic, assign) BOOL isConnected;
@property (nonatomic, unsafe_unretained) SSL_CTX *ctx; @property (nonatomic, unsafe_unretained) SSL_CTX *ctx;
@ -105,12 +106,16 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
return nil; return nil;
} }
- (instancetype)initWithCAPath:(NSString *)caPath clientCertificatePath:(NSString *)clientCertificatePath clientKeyPath:(NSString *)clientKeyPath - (instancetype)initWithCAPath:(NSString *)caPath
clientCertificatePath:(NSString *)clientCertificatePath
clientKeyPath:(NSString *)clientKeyPath
checksEKU:(BOOL)checksEKU
{ {
if ((self = [super init])) { if ((self = [super init])) {
self.caPath = caPath; self.caPath = caPath;
self.clientCertificatePath = clientCertificatePath; self.clientCertificatePath = clientCertificatePath;
self.clientKeyPath = clientKeyPath; self.clientKeyPath = clientKeyPath;
self.checksEKU = checksEKU;
self.bufferCipherText = allocate_safely(TLSBoxMaxBufferLength); self.bufferCipherText = allocate_safely(TLSBoxMaxBufferLength);
} }
return self; return self;
@ -196,7 +201,7 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
if (!self.isConnected && SSL_is_init_finished(self.ssl)) { if (!self.isConnected && SSL_is_init_finished(self.ssl)) {
self.isConnected = YES; self.isConnected = YES;
if (![self verifyEKUWithSSL:self.ssl]) { if (self.checksEKU && ![self verifyEKUWithSSL:self.ssl]) {
if (error) { if (error) {
*error = TunnelKitErrorWithCode(TunnelKitErrorCodeTLSBoxServerEKU); *error = TunnelKitErrorWithCode(TunnelKitErrorCodeTLSBoxServerEKU);
} }
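Review bot: The new condition `if (self.checksEKU && ![self verifyEKUWithSSL:self.ssl])` silently skips the post-handshake EKU check when `checksEKU` is NO, and nothing in the file records that the weaker verification path was taken, which makes a misconfigured caller hard to notice in logs or in a later audit. A why-comment on the new property would at least make the trade-off visible in the implementation, e.g. `// NO disables the extended-key-usage check on the server certificate after the handshake; only the chain verification performed before that point still applies, so callers should leave this YES unless the peer's certificate is known to lack a server EKU.` If the project has a debug logging facility, a single line in the skipped case ("EKU check disabled") would also help incident review; I cannot see one from this hunk. The enclosing method around the `if (!self.isConnected && SSL_is_init_finished(self.ssl))` block starts and ends outside the hunk.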