passepartoutvpn
/
tunnelkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Take optional securityLevel field in TLSBox

This commit is contained in:
Davide De Rosa 2019-05-08 15:54:05 +02:00
parent 97f178cdac
commit 82f0431303
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
TunnelKit/Sources/Core/TLSBox.h
View File

@ -43,6 +43,8 @@ extern const NSInteger TLSBoxMaxBufferLength;
extern NSString *const TLSBoxPeerVerificationErrorNotification;
extern const NSInteger TLSBoxDefaultSecurityLevel;
//
// cipher text is safe within NSData
// plain text might be sensitive and must avoid NSData
@ -51,6 +53,8 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification;
//
@interface TLSBox : NSObject
@property (nonatomic, assign) NSInteger securityLevel; // TLSBoxDefaultSecurityLevel for default
+ (nullable NSString *)md5ForCertificatePath:(NSString *)path error:(NSError **)error;
+ (nullable NSString *)decryptedPrivateKeyFromPath:(NSString *)path passphrase:(NSString *)passphrase error:(NSError **)error;
+ (nullable NSString *)decryptedPrivateKeyFromPEM:(NSString *)pem passphrase:(NSString *)passphrase error:(NSError **)error;

7
TunnelKit/Sources/Core/TLSBox.m
View File

@ -62,6 +62,8 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
return ok;
}
const NSInteger TLSBoxDefaultSecurityLevel = -1;
@interface TLSBox ()
@property (nonatomic, strong) NSString *caPath;
@ -180,6 +182,7 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
self.clientKeyPath = clientKeyPath;
self.checksEKU = checksEKU;
self.bufferCipherText = allocate_safely(TLSBoxMaxBufferLength);
self.securityLevel = TLSBoxDefaultSecurityLevel;
}
return self;
}
@ -205,7 +208,9 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
self.ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_set_options(self.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_verify(self.ctx, SSL_VERIFY_PEER, TLSBoxVerifyPeer);
SSL_CTX_set_security_level(self.ctx, 0);
if (self.securityLevel != TLSBoxDefaultSecurityLevel) {
SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);
}
if (!SSL_CTX_load_verify_locations(self.ctx, [self.caPath cStringUsingEncoding:NSASCIIStringEncoding], NULL)) {
ERR_print_errors_fp(stdout);
if (error) {