Commit Graph

380 Commits

Author SHA1 Message Date
Davide De Rosa 9da7fa9667 Split Core into Core+OpenVPN
Two Obj-C modules:

- __TunnelKitCore
- __TunnelKitOpenVPN

Seems the only way to do it in multiple module maps.

Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 12:22:32 +02:00
Davide De Rosa 491092f2a3 Drop extra header lines 2019-05-19 12:21:44 +02:00
Davide De Rosa 21b67fd9ff Make CoreConfiguration a class for bundle lookup 2019-05-19 11:36:26 +02:00
Davide De Rosa 470c50b037 Return just <masked> when masked description
Why bother with useless hashes?
2019-05-19 11:36:26 +02:00
Davide De Rosa d19e029131 Use guard 2019-05-19 11:36:26 +02:00
Davide De Rosa 713a46d817 Update GitHub URL
Move to passepartoutvpn org.
2019-05-14 10:58:47 +02:00
Davide De Rosa 7cbcfcd264 Fix condition for SOFT_RESET
May receive multiple packets while handling in progress.
2019-05-13 12:15:44 +02:00
Davide De Rosa d06b2e1928 Shut down if no default gateway 2019-05-11 17:40:46 +02:00
Davide De Rosa 5ce49953a0 Assume empty policies to override server settings
Empty != nil. When nil, pull from server.
2019-05-11 16:33:49 +02:00
Davide De Rosa 43c70b2673 Refine logging of some configuration
Log about routing entries.
2019-05-11 14:54:25 +02:00
Davide De Rosa ff0dfc450c Get TLS security level via AppExtension
Improves #97
2019-05-08 16:16:30 +02:00
Davide De Rosa 3a136bdce9 Make TLS security level an option
Default level by default.
2019-05-08 16:10:35 +02:00
Davide De Rosa 82f0431303 Take optional securityLevel field in TLSBox 2019-05-08 15:54:05 +02:00
Davide De Rosa 97f178cdac Tolerate weak certificates
Lower SSL security level.

Fixes #97
2019-05-05 17:51:24 +02:00
Davide De Rosa 273007cc59 Copy route.h from macOS
Missing on iOS.
2019-05-03 15:14:25 +02:00
Davide De Rosa a693075e90 Block LAN when redirect-gateway block-local
Fixes #81
2019-05-03 15:14:25 +02:00
Davide De Rosa 13cae06a49 Add method to partition a subnet 2019-05-03 15:14:25 +02:00
Davide De Rosa 03a1eb2203 Return IPv4 network mask for a route 2019-05-03 15:14:25 +02:00
Davide De Rosa 4295e63c98 Read relevant routing table 2019-05-03 15:14:25 +02:00
Davide De Rosa d44d08c95e Retain self weakly for shutdown on timeout 2019-05-02 13:13:43 +02:00
Davide De Rosa 1430241b0c Do not fake BF-CBC, pleae 2019-05-01 23:18:54 +02:00
Davide De Rosa 037f08ed62 Retry auth once without local options
Hack around picky server implementations.

Fixes #95
2019-05-01 11:14:52 +02:00
Davide De Rosa 14b7f08fb5 Use strict ordering in local options
And add TLS wrapping.
2019-05-01 11:14:38 +02:00
Davide De Rosa 7389d72f1f Fix mutable SessionProxy.Configuration 2019-05-01 11:14:38 +02:00
Davide De Rosa f799f47c25 Add direct routes to DNS servers
If VPN is not default gateway.

Further fix of #94
2019-04-28 15:51:16 +02:00
Davide De Rosa 0b72a30cdd Add full set of CloudFlare DNS servers 2019-04-28 10:56:39 +02:00
Davide De Rosa ebabf02eb5 Fix DNS in VPN when not default gateway
Awful API requires .matchDomains = [""]

Fixes #94
2019-04-28 10:39:55 +02:00
Davide De Rosa b331e3cfe6 Mask fallback DNS servers
Comment about fallback DNS being public
2019-04-28 10:39:25 +02:00
Davide De Rosa 7978398e1e Fix logging of routing policies 2019-04-27 22:55:20 +02:00
Davide De Rosa 0ee39c8fb0 Extend handling of redirect-gateway flags
- def1 (IPv4)
- ipv6 (IPv6)
- !ipv4 (IPv6 only)
2019-04-27 22:55:20 +02:00
Davide De Rosa 155bd5f1e7 Revert def1 trick
Not needed, routes are not persistent.

Revert 7d26323d3f
2019-04-27 22:55:19 +02:00
Davide De Rosa 7d26323d3f Use OpenVPN trick to retain default gateway
Override default gateway with 2 split routes.

- IPv4: 0.0.0.0/1, 128.0.0.0/1
- IPv6: 2000::/4, 3000::/4
2019-04-27 22:29:51 +02:00
Davide De Rosa 3505f68b04 Revert DNS merge
Revert 1d3660459e
2019-04-27 18:25:08 +02:00
Davide De Rosa a48bcc7261 Decrypt generic EVP private key
Why PKCS#8?
2019-04-27 10:54:32 +02:00
Davide De Rosa e0c06ece18 Drop extra EVP_PKEY_free call 2019-04-27 10:44:08 +02:00
Davide De Rosa 6fb409b112 Drop UDP packets on no buffer space available
Tolerate only on data channel. Control channel should never reach
high speeds.

Fixes #87
2019-04-25 17:29:10 +02:00
Davide De Rosa b8cd969a1a Fall back to configurable preset DNS servers
Default to CloudFlare 1.1.1.1

Hard time making it work with system DNS servers. Retry later.
2019-04-25 17:18:28 +02:00
Davide De Rosa 31d9019f1a Read system-wide DNS servers
Add libresolv to podspec.
2019-04-25 16:36:16 +02:00
Davide De Rosa 1d3660459e Merge local and remote DNS servers
- Local first
- Remote last
2019-04-25 16:18:54 +02:00
Davide De Rosa 82394e0433 Skip DNS settings if no servers are provided 2019-04-25 16:18:54 +02:00
Davide De Rosa 4ce2d78c5a Adjust log of routing policies
Consistent with print configuration.
2019-04-25 16:18:52 +02:00
Davide De Rosa 1b0c9979ce Log "default" DNS when servers are empty 2019-04-25 16:09:04 +02:00
Davide De Rosa 3f37489c13 Handle pushed routing policies 2019-04-25 16:02:19 +02:00
Davide De Rosa 7382616e8b Parse routing policies for TunnelKitProvider 2019-04-25 14:39:47 +02:00
Davide De Rosa f9f642b64e Set as default gateway based on routing policies
Also fix IPv6 routes not properly set.
2019-04-25 14:39:40 +02:00
Davide De Rosa 224a76ac58 Parse --redirect-gateway from configuration
FIXME: for now only redirects ALL traffic when the option is found
in the configuration file, whatever the arguments.

Also drop unnecessary base options in tests as everything was made
optional recently.
2019-04-25 14:39:23 +02:00
Davide De Rosa 1b8647bcac Convert PacketSteram to Obj-C
For better TCP efficiency.
2019-04-25 12:42:29 +02:00
Davide De Rosa ef5180a4ed Set tls-auth/crypt timestamp once
Packets rejected due to replay protection.

Fixes #88
Fixes #61
2019-04-23 23:07:32 +02:00
Davide De Rosa 65af163aeb Do not resend non-acked packets if reliable
In control channel.
2019-04-23 23:06:39 +02:00
Davide De Rosa 707db2c6de Add keydir to local options 2019-04-20 17:20:45 +02:00
Davide De Rosa 9b8be02c2a Shut down when no IPv4/6 routing available
Would fake-connect without VPN icon otherwise.
2019-04-19 09:45:15 +02:00
Davide De Rosa c565e32dcd Add "dev-type tun" to local options
Plus other hardcoded options like key-method and tls-client.

Seems that older OpenVPN servers didn't send routing info in
PUSH_REPLY if dev-type is not specified explicitly.

Fixes #86
2019-04-18 13:10:57 +02:00
Davide De Rosa 95ba9dacdb Fix typo 2019-04-18 12:02:23 +02:00
Davide De Rosa 887e2ae55d Consider stale if HARD_RESET while connected
Was disconnecting when more than one HARD_RESET_SERVER was
received during negotiation.
2019-04-17 09:24:16 +02:00
Davide De Rosa 233aa02169 Add FIXME for default DNS from network interface 2019-04-17 00:50:53 +02:00
Davide De Rosa b199064b94 Only override domain if non-nil 2019-04-17 00:50:53 +02:00
Davide De Rosa 28fd80f4e0 Treat empty DNS servers as nil
Empty local DNS array was pretty much hiding server-pushed DNS.
2019-04-17 00:50:53 +02:00
Davide De Rosa 6fd6d228bf Loop pulling plain text from TLS
There might be more data to read.

Fixes #71, #73
2019-04-17 00:18:02 +02:00
Davide De Rosa 88cd62064a Handle continuation in PUSH_REPLY 2019-04-16 23:59:56 +02:00
Davide De Rosa 380ac2beac Throw to exit PUSH_REPLY parsing on continuation 2019-04-16 23:59:56 +02:00
Davide De Rosa 23b6e3b98e Relax negotiation timeouts 2019-04-16 23:59:56 +02:00
Davide De Rosa d097afccdc Resend PUSH_REQUEST every 2 seconds
Regardless of link reliability.
2019-04-16 23:43:33 +02:00
Davide De Rosa ad964e2041 Send local options with authentication
Fixes some obsolete servers requiring cipher keysize.
2019-04-15 17:37:57 +02:00
Davide De Rosa 322242de5c Fix malformed key generation message
Make nullTerminated argument explicit, easier to debug.

Fixes #67
2019-04-13 23:55:18 +02:00
Davide De Rosa 0a956f5b9f Handle dhcp-option PROXY_BYPASS 2019-04-13 19:23:02 +02:00
Davide De Rosa b118030d43 Enable both HTTP and HTTPS proxies 2019-04-13 17:55:08 +02:00
Davide De Rosa 904e7bae21 Apply proxy settings if present
Fixes #74
2019-04-12 08:21:04 +02:00
Davide De Rosa ef9f3c6d0a Parse proxies into AppExtension configuration 2019-04-12 08:21:04 +02:00
Davide De Rosa 5fb70b5bab Parse dhcp-option PROXY_HTTP* into Configuration 2019-04-12 08:10:47 +02:00
Davide De Rosa 26cec205a7 Move builder() to extension 2019-04-11 16:46:52 +02:00
Davide De Rosa 5df614b5e2 Fix incomplete builder() from Configuration
Adding a Configuration field is error-prone beyond reason...
2019-04-11 15:30:14 +02:00
Davide De Rosa 914864c31a Infer serverAddress from sessionConfiguration 2019-04-09 20:45:28 +02:00
Davide De Rosa 3fe9c6de6d Make hostname optional in ConnectionStrategy
Assume preferring resolved addresses.
2019-04-09 20:34:03 +02:00
Davide De Rosa 9f358d6326 Accept nil cipher/digest in AppExtension
Reorganize code for clarity.
2019-04-07 08:35:40 +02:00
Davide De Rosa 3717136bd9 Move EndpointProtocol Codable to Core spec 2019-04-05 00:46:45 +02:00
Davide De Rosa 5e2f9b59f1 Rename ParsingResult to Result
No need to prefix an inner class.
2019-04-04 19:22:22 +02:00
Davide De Rosa 7333ea226c Document ignored settings client-side 2019-04-04 18:51:06 +02:00
Davide De Rosa 8394fd0676 Rely on default ConfigurationBuilder.init() 2019-04-04 18:51:06 +02:00
Davide De Rosa 55534df6fa Work around cipher/digest/framing issues
- Make them optional
- Set default values inside SessionProxy

Fallback is not needed anywhere else.
2019-04-04 18:51:06 +02:00
Davide De Rosa 0d86bd20b6 Expose ConfigurationBuilder.init() 2019-04-04 18:51:06 +02:00
Davide De Rosa 4dc9539260 Rename OptionsError to ConfigurationError 2019-04-04 18:51:06 +02:00
Davide De Rosa a2250686b6 Merge OptionsBundle into Configuration
FIXME: issues with non-optional .cipher and .compressionFraming

Because:

- No pushed cipher (nil) is NOT .aes128cbc
- No pushed framing (nil) is NOT .disabled

Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 18:51:06 +02:00
Davide De Rosa cfe61d5d40 Retain .endpointProtocols for migration
For deserialization of old format.
2019-04-04 13:10:33 +02:00
Davide De Rosa 7aec0637b2 Move endpoints inside SessionProxy.Configuration
Make optional.

TunnelKitProvider still gets hostname from .serverAddress rather
than SessionProxy.Configuration

Also drop useless Equatable implementations.
2019-04-04 13:09:50 +02:00
Davide De Rosa e8396ec2cd Parse search domain from configuration
Fixes #77
2019-04-03 14:29:09 +02:00
Davide De Rosa 370e68aa3f Parse search domain from dhcp-option DOMAIN 2019-04-03 14:29:09 +02:00
Davide De Rosa fe2ad52df0 Document OptionsBundle
Move most from SessionProxy.Configuration.
2019-04-03 13:34:08 +02:00
Davide De Rosa f9ae3412a5 Move malformed error out of unrelated SessionError
Also give more detail about the reason.
2019-04-03 13:20:49 +02:00
Davide De Rosa 42232804ca Rename file to public entity 2019-04-03 13:19:47 +02:00
Davide De Rosa 49c805af52 Fix a few isHandled
Skip to exclude from strippedLines.
2019-04-03 13:19:47 +02:00
Davide De Rosa 9876c81de5 Parse PUSH_REPLY options in OptionsBundle
- auth-token
- peer-id
- Routing

Reorganize options by semantic.

Reuse OptionsBundle in PushReply.
2019-04-03 13:19:21 +02:00
Davide De Rosa b9b9c4db60 Parse basic options in OptionsBundle
- Handle isEncrypted inside CryptoContainer
- Rename ParsingError to OptionsError

Reuse OptionsBundle in ConfigurationParser.
2019-04-03 13:19:16 +02:00
Davide De Rosa e7dadefabb Generalize cipher regex 2019-04-03 12:20:53 +02:00
Davide De Rosa d72b583900 Improve parsing of PUSH_REPLY prefix 2019-04-03 12:20:53 +02:00
Davide De Rosa 27901c991b Skip deinit documentation 2019-04-02 19:18:23 +02:00
Davide De Rosa ccb6329f05 Don't parse a block begin while inside a block
If a PEM contained anything like <foobar>, the parser was doomed.

Fixes #78
2019-04-02 19:07:48 +02:00
Davide De Rosa 11fd418f82 Extend encrypted private key quick test
Test .ovpn didn't use an PKCS#8 key due to a slip-up. Fixing it
unveiled that isEncrypted returned false for PKCS#8 keys.

Fixes #80
2019-04-02 11:41:18 +02:00
Davide De Rosa 22f80735ca Strip certificate preamble
Fixes #78
2019-04-02 00:55:58 +02:00
Davide De Rosa def622506b Check PKCS#1 via "Proc-Type" presence instead 2019-04-02 00:37:52 +02:00
Davide De Rosa 47b80d5361 Refactor to decrypt generic key 2019-04-02 00:31:54 +02:00