diff --git a/TunnelKit/Sources/Core/SessionProxy.swift b/TunnelKit/Sources/Core/SessionProxy.swift
index fa2d5f9..7df6ef2 100644
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@@ -613,7 +613,13 @@ public class SessionProxy {
 private func hardResetPayload() -> Data? {
 guard !(configuration.usesPIAPatches ?? false) else {
- let caMD5 = TLSBox.md5(forCertificatePath: caURL.path)
+ let caMD5: String
+ do {
+ caMD5 = try TLSBox.md5(forCertificatePath: caURL.path)
+ } catch {
+ log.error("CA MD5 could not be computed, skipping custom HARD_RESET")
+ return nil
+ }
 log.debug("CA MD5 is: \(caMD5)")
 return try? PIAHardReset(
 caMd5Digest: caMD5,
diff --git a/TunnelKit/Sources/Core/TLSBox.h b/TunnelKit/Sources/Core/TLSBox.h
index 16194f5..f092f6c 100644
--- a/TunnelKit/Sources/Core/TLSBox.h
+++ b/TunnelKit/Sources/Core/TLSBox.h
@@ -51,7 +51,7 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification;
 //
 @interface TLSBox : NSObject
 
-+ (NSString *)md5ForCertificatePath:(NSString *)path;
++ (nullable NSString *)md5ForCertificatePath:(NSString *)path error:(NSError **)error;
 
 - (instancetype)initWithCAPath:(NSString *)caPath
 clientCertificatePath:(nullable NSString *)clientCertificatePath
diff --git a/TunnelKit/Sources/Core/TLSBox.m b/TunnelKit/Sources/Core/TLSBox.m
index 6a7a532..0ab0af2 100644
--- a/TunnelKit/Sources/Core/TLSBox.m
+++ b/TunnelKit/Sources/Core/TLSBox.m
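Review bot: The new catch block discards the thrown error, so the log line records only that the CA digest could not be computed and never why (missing file, unreadable PEM, wrong path); change it to `log.error("CA MD5 could not be computed, skipping custom HARD_RESET: \(error)")`. Returning nil here hands the failure to the caller, and if that caller falls back to a standard HARD_RESET the PIA-patched handshake would be silently degraded by an unreadable CA file rather than failing loudly, which is worth confirming since hardResetPayload's body continues outside the hunk. Also note that the Objective-C implementation in the TLSBox.m hunk below returns NULL without populating its error out-parameter, so the `error` caught here will presumably be Swift's generic nil-return error until that side is fixed as well.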
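Review bot: The new declaration promises an `NSError **` out-parameter but carries no doc comment describing the failure contract, and the visible TLSBox.m hunk below returns NULL on fopen/PEM_read_X509 failure without writing to `*error` (it also never checks X509_digest's return value), so callers have no way to learn why the digest was not produced. I would document the contract the header is now advertising so the implementation can be held to it: a comment above the method along the lines of "Returns the MD5 digest of the first X.509 certificate in the PEM file at `path`, or nil if the file cannot be opened or parsed, in which case `error` (if non-NULL) should describe the failure. Callers must test the return value, not `error`." It is also worth stating there that this digest is only a protocol identifier for the PIA HARD_RESET payload and must not be used for any trust decision, since MD5 offers no collision resistance. The declaration is presumably inside an NS_ASSUME_NONNULL region given the `nullable` annotations, but the region markers are outside the hunk.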
@@ -80,14 +80,21 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 @implementation TLSBox
 
-+ (NSString *)md5ForCertificatePath:(NSString *)path
++ (NSString *)md5ForCertificatePath:(NSString *)path error:(NSError * _Nullable __autoreleasing * _Nullable)error
 {
 const EVP_MD *alg = EVP_get_digestbyname("MD5");
 uint8_t md[16];
 unsigned int len;
 FILE *pem = fopen([path cStringUsingEncoding:NSASCIIStringEncoding], "r");
+ if (!pem) {
+ return NULL;
+ }
 X509 *cert = PEM_read_X509(pem, NULL, NULL, NULL);
+ if (!cert) {
+ fclose(pem);
+ return NULL;
+ }
 X509_digest(cert, alg, md, &len);
 X509_free(cert);
 fclose(pem);