Commit Graph

95 Commits

Author SHA1 Message Date
Davide De Rosa 0a1f33823a Return error in install completion handler
Fixes #206
2021-07-02 11:23:58 +02:00
Davide De Rosa 7f84d8338c Upgrade Xcode project 2021-06-26 11:00:24 +02:00
Roopesh Chander d8ed0c7d41 Cleanup cached PEMs at the end of a Session 2021-03-01 13:11:51 +05:30
Davide De Rosa 1620fb0f99
Merge pull request #201 from passepartoutvpn/reference-passwords-in-app-group
Keychain: Use app group when dereferencing a password reference
2021-02-11 22:44:50 +01:00
Davide De Rosa 3ba63e9a88 Extend peer info with IV_PLAT_VER
Will then make them conditional based on --push-peer-info

See #202
2021-02-11 22:23:47 +01:00
Roopesh Chander 2b3eb5412c Keychain: Use app group when dereferencing a password reference
Co-authored-by: Davide De Rosa <keeshux@gmail.com>

Better retain access group every time keychain is written to or
read from, there is no good reason to omit it. Requires Keychain
method to be reverted to non-static.

Partially revert 4490f0c116, based
on wrong assumptions about password references.
2021-02-11 13:44:00 +01:00
Davide De Rosa 1343fa592f Log time intervals better 2021-01-27 02:15:18 +01:00
Davide De Rosa 4490f0c116 Pick tunnel password reference from existing item
Assume that credentials already exist elsewhere for reuse as
password reference. Avoids a redundant keychain entry.
2021-01-27 01:28:27 +01:00
Jose Blaya 4b3f3dee5f
Check if cfg.sessionConfiguration.dnsServers is empty (#198) 2021-01-26 16:31:57 +01:00
Davide De Rosa 790ec276db Restrain DNS servers according to protocol
- Cleartext: pick any available
- HTTPS/TLS: only pick local servers, secure DNS may NEVER come
  from VPN server

Require for TLS, not for HTTPS (not even sure about their need).
2021-01-26 11:20:01 +01:00
Davide De Rosa 3abb7cbccc Fix up misleading log from condition in latest commit 2021-01-26 10:59:37 +01:00
Davide De Rosa 0f097d50af Fall back to network settings when no DNS servers
Rather than forcing CloudFlare (by default).

Fixes #197
2021-01-26 10:18:04 +01:00
Davide De Rosa fd9d34b49c Print description of new DNS settings 2021-01-22 21:14:38 +01:00
Davide De Rosa dd81ad7a99 Pick proper DNS settings according to protocol 2021-01-22 21:14:38 +01:00
Davide De Rosa 3c92e18c0e Add DNSProtocol 2021-01-22 21:14:38 +01:00
Davide De Rosa e388842d37 Add fallback compression algorithm
Disabled.
2021-01-13 08:10:33 +01:00
Davide De Rosa c15d6f521a Parse dataCiphersFallback as last resort
Prioritize over deprecate cipher.
2021-01-08 19:50:28 +01:00
Davide De Rosa 7ea088e4a1 Make peerInfo dynamic to add IV_CIPHERS
Fixes #193
2021-01-08 19:41:16 +01:00
Davide De Rosa 119d2f02e4 Add OpenVPN dataCiphers field 2021-01-08 19:26:20 +01:00
Davide De Rosa 80d99cab6c Refactor legacy parsing of provider configuration
Leverage Codable implementation of OpenVPN*.Configuration
2021-01-03 10:47:06 +01:00
Davide De Rosa e923382c81 Default to unspecified MTU
Hardcode control channel packets to 1000 bytes.
2020-12-28 16:04:15 +01:00
Davide De Rosa 1966143fe9 Parse MTU from --tun-mtu 2020-12-28 13:07:19 +01:00
Davide De Rosa 6cb04da05d Add MTU to OpenVPN layer 2020-12-28 13:02:09 +01:00
Davide De Rosa e3ce38e47e Remove MTU from AppExtension layer 2020-12-27 22:51:58 +01:00
Davide De Rosa ba3ead13a3 Update copyright 2020-12-27 17:29:39 +01:00
Davide De Rosa 663cab34c9 Centralize reconnection delay 2020-12-20 19:43:23 +01:00
Davide De Rosa 304d0215b6 Use keychain service as item context
Primary key = (context, username)
2020-12-20 10:57:06 +01:00
Davide De Rosa 6b8d88fef5 Consider last appearing DOMAIN option 2020-12-15 13:59:06 +01:00
Davide De Rosa 7535458339 Parse domain option 2020-12-11 17:09:15 +01:00
Davide De Rosa 44844cfd9c Update API to access current Wi-Fi SSID 2020-11-21 19:10:58 +01:00
Davide De Rosa e098117bf1 Drop StandardVPNProvider class name
Had only renamed file, not class.

See 945bb1b9b7
2020-11-15 22:09:02 +01:00
Davide De Rosa 945bb1b9b7 Fix context of StandardVPNProvider
Not generic, rather an OpenVPN implementation.

- Move to OpenVPN subspec
- Rename to OpenVPNProvider
- Depend OpenVPN on Manager
2020-11-15 21:12:53 +01:00
Kirill Pahnev 014f8aabbd Make IV_UI_VER flag overridable 2020-06-29 16:31:20 +03:00
Kirill Pahnev d3caa5c4ad Set IV_PLAT based on current OS 2020-06-29 13:00:17 +03:00
Davide De Rosa a232af1100 Redefine generic Session.serverConfiguration()
For reuse in Session implementations.
2020-06-13 13:32:21 +02:00
Davide De Rosa 6c3e667f80 Add a few missing nodoc 2020-06-13 13:31:15 +02:00
Davide De Rosa 74ed3cb4cd Move some initialization after logging configuration
Logging and masking were not configured at Credentials and
ConnectionStrategy initialization time, hence the missing log
entries from e.g. ConnectionStrategy.init().
2020-06-11 16:37:20 +02:00
Davide De Rosa 1ff936895f Improve logging of ConnectionStrategy 2020-06-11 16:22:45 +02:00
Davide De Rosa 7a278dba69 Fix nullability of partitioned route 2020-05-23 17:07:59 +02:00
Davide De Rosa 17cb2601be Fix unused result warning 2020-05-23 17:05:46 +02:00
Davide De Rosa 9095ea250e
Address concerns from Guido Vranken fuzzers (#141)
* 002: Assert return value of snprintf/getnameinfo

* 003: Address OOB reads on decrypted data

* 004: Handle boundary prefixes in .partitioned()

* 005: Fix OOB read in matchesDestination()

* 006: Fix parsing in netname6()

* 007: Fix incorrect use of sizeof()

* 008: Add safety checks in MSSFix()

* 009: Fix bad usage of minilzo calls

* Add checks after RoutingTableEntryAddress4/6
2020-05-16 15:10:07 +02:00
Davide De Rosa 5285ba7aa8 Set reasserting to false if canRebindLink()
Code is currently disabled (canRebindLink() is hardcoded to false),
still it's good to stay consistent with semantics of
reasserting = false, i.e. "connection has become active again".
2020-05-09 15:01:11 +02:00
Davide De Rosa 9b82d7f9ec Evaluate reconnection without touching reasserting
Use a different variable to signal an upcoming reconnection. Make
sure that reasserting is never set to false with the meaning of
"do not reconnect", because doing so would trigger a transient
"connected" state in the VPN.

Reverts use of cancelTunnelWithError() in sessionDidStop.
2020-05-09 12:09:03 +02:00
Davide De Rosa 93c24a96cf Refactor with an error parameter in sessionDidStop
Both versions prevent clients from compiling, but this version
impacts less on existing codebase.
2020-05-09 12:09:03 +02:00
Robert Patchett 1cd00f9459 Call cancelTunnelWithError(_:) if a connection fails and won't be retried 2020-05-09 12:09:03 +02:00
Jose Blaya c22bfb3edd Set MTU value in Tunnel settings 2020-05-09 01:09:20 +02:00
Jaroslav_ 1ceeb8ddbb
SAN host check (#168)
* Check if host is present in certificates SAN list

* Save .tlsServerHost error as .tlsServerVerification into last error

Co-authored-by: Davide De Rosa <keeshux@gmail.com>
2020-05-09 00:02:16 +02:00
Roopesh Chander 753927f36b Fix how NETunnelInterface handles IP protocol number
The IP protocol number passed to NEPacketTunnelFlow is determined per
packet based on the IP header, instead of determining it based on
whether IPv6 settings are available or not.
2020-05-06 09:37:24 +05:30
Davide De Rosa 4bdf6b7006 Redefine endpoint strategy according to IPv4/6 2020-04-14 22:57:23 +02:00
Davide De Rosa 6f235e9ea2 Handle IPv4/IPv6 variants in SocketType 2020-04-14 21:54:21 +02:00