Merge branch 'handle-server-restart'

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - Index out of range during negotiation (Grivus). [#143](https://github.com/passepartoutvpn/tunnelkit/pull/143)
+- Handle server shutdown/restart (remote `--explicit-exit-notify`). [#131](https://github.com/passepartoutvpn/tunnelkit/issues/131)
 
 ## 2.2.1 (2019-12-14)
 

TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider+Interaction.swift

@@ -142,6 +142,9 @@ extension OpenVPNTunnelProvider {
         /// Default gateway could not be attained.
         case gatewayUnattainable
         
+        /// Remove server has shut down.
+        case serverShutdown
+        
         /// The server replied in an unexpected way.
         case unexpectedReply
     }

TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift

@@ -877,6 +877,9 @@ extension OpenVPNTunnelProvider {
             case .noRouting:
                 return .routing
                 
+            case .serverShutdown:
+                return .serverShutdown
+
             default:
                 return .unexpectedReply
             }

TunnelKit/Sources/Protocols/OpenVPN/Authenticator.swift

@@ -62,9 +62,9 @@ extension OpenVPN {
 
         private(set) var serverRandom2: ZeroingData?
 
-        let username: ZeroingData?
+        private(set) var username: ZeroingData?
         
-        let password: ZeroingData?
+        private(set) var password: ZeroingData?
         
         var withLocalOptions: Bool
         
@@ -87,6 +87,17 @@ extension OpenVPN {
             controlBuffer = Z()
         }
         
+        func reset() {
+            controlBuffer.zero()
+            preMaster.zero()
+            random1.zero()
+            random2.zero()
+            serverRandom1?.zero()
+            serverRandom2?.zero()
+            username = nil
+            password = nil
+        }
+        
         // MARK: Authentication request
 
         // Ruby: on_tls_connect

TunnelKit/Sources/Protocols/OpenVPN/OpenVPNError.swift

@@ -77,4 +77,7 @@ public enum OpenVPNError: String, Error {
 
     /// Missing routing information.
     case noRouting
+
+    /// Remote server shut down (--explicit-exit-notify).
+    case serverShutdown
 }

TunnelKit/Sources/Protocols/OpenVPN/OpenVPNSession.swift

@@ -745,7 +745,7 @@ public class OpenVPNSession: Session {
     
     private func completeConnection() {
         setupEncryption()
-        authenticator = nil
+        authenticator?.reset()
         negotiationKey.controlState = .connected
         connectedDate = Date()
         transitionKeys()
@@ -907,6 +907,11 @@ public class OpenVPNSession: Session {
 
     // Ruby: handle_ctrl_msg
     private func handleControlMessage(_ message: String) {
+        if CoreConfiguration.logsSensitiveData {
+            log.debug("Received control message: \"\(message)\"")
+        }
+
+        // disconnect on authentication failure
         guard !message.hasPrefix("AUTH_FAILED") else {
 
             // XXX: retry without client options
@@ -921,12 +926,16 @@ public class OpenVPNSession: Session {
             return
         }
         
-        guard (negotiationKey.controlState == .preIfConfig) else {
+        // disconnect on remote server restart (--explicit-exit-notify)
+        guard !message.hasPrefix("RESTART") else {
+            log.debug("Disconnecting due to server shutdown")
+            deferStop(.shutdown, OpenVPNError.serverShutdown)
             return
         }
         
-        if CoreConfiguration.logsSensitiveData {
+        // handle authentication from now on
-            log.debug("Received control message: \"\(message)\"")
+        guard negotiationKey.controlState == .preIfConfig else {
+            return
         }
 
         let completeMessage: String