Catch errors on CA MD5 calculation (PIA only)

TunnelKit/Sources/Core/SessionProxy.swift

@@ -613,7 +613,13 @@ public class SessionProxy {
     
     private func hardResetPayload() -> Data? {
         guard !(configuration.usesPIAPatches ?? false) else {
-            let caMD5 = TLSBox.md5(forCertificatePath: caURL.path)
+            let caMD5: String
+            do {
+                caMD5 = try TLSBox.md5(forCertificatePath: caURL.path)
+            } catch {
+                log.error("CA MD5 could not be computed, skipping custom HARD_RESET")
+                return nil
+            }
             log.debug("CA MD5 is: \(caMD5)")
             return try? PIAHardReset(
                 caMd5Digest: caMD5,

TunnelKit/Sources/Core/TLSBox.h

@@ -51,7 +51,7 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification;
 //
 @interface TLSBox : NSObject
 
-+ (NSString *)md5ForCertificatePath:(NSString *)path;
++ (nullable NSString *)md5ForCertificatePath:(NSString *)path error:(NSError **)error;
 
 - (instancetype)initWithCAPath:(NSString *)caPath
          clientCertificatePath:(nullable NSString *)clientCertificatePath

TunnelKit/Sources/Core/TLSBox.m

@@ -80,14 +80,21 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 
 @implementation TLSBox
 
-+ (NSString *)md5ForCertificatePath:(NSString *)path
++ (NSString *)md5ForCertificatePath:(NSString *)path error:(NSError * _Nullable __autoreleasing * _Nullable)error
 {
     const EVP_MD *alg = EVP_get_digestbyname("MD5");
     uint8_t md[16];
     unsigned int len;
 
     FILE *pem = fopen([path cStringUsingEncoding:NSASCIIStringEncoding], "r");
+    if (!pem) {
+        return NULL;
+    }
     X509 *cert = PEM_read_X509(pem, NULL, NULL, NULL);
+    if (!cert) {
+        fclose(pem);
+        return NULL;
+    }
     X509_digest(cert, alg, md, &len);
     X509_free(cert);
     fclose(pem);