Commit Graph

280 Commits

Author SHA1 Message Date
Davide De Rosa a48bcc7261 Decrypt generic EVP private key
Why PKCS#8?
2019-04-27 10:54:32 +02:00
Davide De Rosa e0c06ece18 Drop extra EVP_PKEY_free call 2019-04-27 10:44:08 +02:00
Davide De Rosa 6fb409b112 Drop UDP packets on no buffer space available
Tolerate only on data channel. Control channel should never reach
high speeds.

Fixes #87
2019-04-25 17:29:10 +02:00
Davide De Rosa 31d9019f1a Read system-wide DNS servers
Add libresolv to podspec.
2019-04-25 16:36:16 +02:00
Davide De Rosa f9f642b64e Set as default gateway based on routing policies
Also fix IPv6 routes not properly set.
2019-04-25 14:39:40 +02:00
Davide De Rosa 224a76ac58 Parse --redirect-gateway from configuration
FIXME: for now only redirects ALL traffic when the option is found
in the configuration file, whatever the arguments.

Also drop unnecessary base options in tests as everything was made
optional recently.
2019-04-25 14:39:23 +02:00
Davide De Rosa 1b8647bcac Convert PacketSteram to Obj-C
For better TCP efficiency.
2019-04-25 12:42:29 +02:00
Davide De Rosa ef5180a4ed Set tls-auth/crypt timestamp once
Packets rejected due to replay protection.

Fixes #88
Fixes #61
2019-04-23 23:07:32 +02:00
Davide De Rosa 65af163aeb Do not resend non-acked packets if reliable
In control channel.
2019-04-23 23:06:39 +02:00
Davide De Rosa 707db2c6de Add keydir to local options 2019-04-20 17:20:45 +02:00
Davide De Rosa 9b8be02c2a Shut down when no IPv4/6 routing available
Would fake-connect without VPN icon otherwise.
2019-04-19 09:45:15 +02:00
Davide De Rosa c565e32dcd Add "dev-type tun" to local options
Plus other hardcoded options like key-method and tls-client.

Seems that older OpenVPN servers didn't send routing info in
PUSH_REPLY if dev-type is not specified explicitly.

Fixes #86
2019-04-18 13:10:57 +02:00
Davide De Rosa 887e2ae55d Consider stale if HARD_RESET while connected
Was disconnecting when more than one HARD_RESET_SERVER was
received during negotiation.
2019-04-17 09:24:16 +02:00
Davide De Rosa 28fd80f4e0 Treat empty DNS servers as nil
Empty local DNS array was pretty much hiding server-pushed DNS.
2019-04-17 00:50:53 +02:00
Davide De Rosa 6fd6d228bf Loop pulling plain text from TLS
There might be more data to read.

Fixes #71, #73
2019-04-17 00:18:02 +02:00
Davide De Rosa 88cd62064a Handle continuation in PUSH_REPLY 2019-04-16 23:59:56 +02:00
Davide De Rosa 380ac2beac Throw to exit PUSH_REPLY parsing on continuation 2019-04-16 23:59:56 +02:00
Davide De Rosa d097afccdc Resend PUSH_REQUEST every 2 seconds
Regardless of link reliability.
2019-04-16 23:43:33 +02:00
Davide De Rosa ad964e2041 Send local options with authentication
Fixes some obsolete servers requiring cipher keysize.
2019-04-15 17:37:57 +02:00
Davide De Rosa 322242de5c Fix malformed key generation message
Make nullTerminated argument explicit, easier to debug.

Fixes #67
2019-04-13 23:55:18 +02:00
Davide De Rosa 0a956f5b9f Handle dhcp-option PROXY_BYPASS 2019-04-13 19:23:02 +02:00
Davide De Rosa 5fb70b5bab Parse dhcp-option PROXY_HTTP* into Configuration 2019-04-12 08:10:47 +02:00
Davide De Rosa 26cec205a7 Move builder() to extension 2019-04-11 16:46:52 +02:00
Davide De Rosa 3717136bd9 Move EndpointProtocol Codable to Core spec 2019-04-05 00:46:45 +02:00
Davide De Rosa 5e2f9b59f1 Rename ParsingResult to Result
No need to prefix an inner class.
2019-04-04 19:22:22 +02:00
Davide De Rosa 7333ea226c Document ignored settings client-side 2019-04-04 18:51:06 +02:00
Davide De Rosa 55534df6fa Work around cipher/digest/framing issues
- Make them optional
- Set default values inside SessionProxy

Fallback is not needed anywhere else.
2019-04-04 18:51:06 +02:00
Davide De Rosa 0d86bd20b6 Expose ConfigurationBuilder.init() 2019-04-04 18:51:06 +02:00
Davide De Rosa 4dc9539260 Rename OptionsError to ConfigurationError 2019-04-04 18:51:06 +02:00
Davide De Rosa a2250686b6 Merge OptionsBundle into Configuration
FIXME: issues with non-optional .cipher and .compressionFraming

Because:

- No pushed cipher (nil) is NOT .aes128cbc
- No pushed framing (nil) is NOT .disabled

Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 18:51:06 +02:00
Davide De Rosa 7aec0637b2 Move endpoints inside SessionProxy.Configuration
Make optional.

TunnelKitProvider still gets hostname from .serverAddress rather
than SessionProxy.Configuration

Also drop useless Equatable implementations.
2019-04-04 13:09:50 +02:00
Davide De Rosa e8396ec2cd Parse search domain from configuration
Fixes #77
2019-04-03 14:29:09 +02:00
Davide De Rosa 370e68aa3f Parse search domain from dhcp-option DOMAIN 2019-04-03 14:29:09 +02:00
Davide De Rosa fe2ad52df0 Document OptionsBundle
Move most from SessionProxy.Configuration.
2019-04-03 13:34:08 +02:00
Davide De Rosa f9ae3412a5 Move malformed error out of unrelated SessionError
Also give more detail about the reason.
2019-04-03 13:20:49 +02:00
Davide De Rosa 42232804ca Rename file to public entity 2019-04-03 13:19:47 +02:00
Davide De Rosa 49c805af52 Fix a few isHandled
Skip to exclude from strippedLines.
2019-04-03 13:19:47 +02:00
Davide De Rosa 9876c81de5 Parse PUSH_REPLY options in OptionsBundle
- auth-token
- peer-id
- Routing

Reorganize options by semantic.

Reuse OptionsBundle in PushReply.
2019-04-03 13:19:21 +02:00
Davide De Rosa b9b9c4db60 Parse basic options in OptionsBundle
- Handle isEncrypted inside CryptoContainer
- Rename ParsingError to OptionsError

Reuse OptionsBundle in ConfigurationParser.
2019-04-03 13:19:16 +02:00
Davide De Rosa e7dadefabb Generalize cipher regex 2019-04-03 12:20:53 +02:00
Davide De Rosa d72b583900 Improve parsing of PUSH_REPLY prefix 2019-04-03 12:20:53 +02:00
Davide De Rosa 27901c991b Skip deinit documentation 2019-04-02 19:18:23 +02:00
Davide De Rosa ccb6329f05 Don't parse a block begin while inside a block
If a PEM contained anything like <foobar>, the parser was doomed.

Fixes #78
2019-04-02 19:07:48 +02:00
Davide De Rosa 11fd418f82 Extend encrypted private key quick test
Test .ovpn didn't use an PKCS#8 key due to a slip-up. Fixing it
unveiled that isEncrypted returned false for PKCS#8 keys.

Fixes #80
2019-04-02 11:41:18 +02:00
Davide De Rosa 22f80735ca Strip certificate preamble
Fixes #78
2019-04-02 00:55:58 +02:00
Davide De Rosa def622506b Check PKCS#1 via "Proc-Type" presence instead 2019-04-02 00:37:52 +02:00
Davide De Rosa 47b80d5361 Refactor to decrypt generic key 2019-04-02 00:31:54 +02:00
Davide De Rosa 0bfc1e08eb Fix retarded Swift pointer API somehow 2019-03-30 23:18:45 +01:00
Davide De Rosa 207a4f063a Replace deprecated Data(bytes:) 2019-03-30 23:18:45 +01:00
Davide De Rosa 8dfd5f23c1 Handle unknown enum defaults 2019-03-30 23:18:45 +01:00
Davide De Rosa f686a0aee4 Fix Xcode warnings 2019-03-30 20:16:04 +01:00
Davide De Rosa 44fb5a5b48 Track data count in shared UserDefaults
Default disabled (dataCountInterval = 0).
2019-03-30 19:56:26 +01:00
Davide De Rosa 00c76f707f Throw specific error if unable to decrypt
Normally a bad passphrase.
2019-03-25 19:24:35 +01:00
Davide De Rosa ffcccb5420 Throw specific error on missing passphrase
So that client can retry with a passphrase.
2019-03-25 18:49:53 +01:00
Davide De Rosa b07ec88ff2 Add passphrase parameter to ConfigurationParser
Use it to decrypt encrypted PEMs.
2019-03-25 18:48:59 +01:00
Davide De Rosa f37bfb3579 Implement RSA privkey decryption via OpenSSL 2019-03-25 18:45:00 +01:00
Davide De Rosa 53f3048674 Add missing documentation 2019-03-25 15:46:15 +01:00
Davide De Rosa 9c4d491a3b Make floating XXX a FIXME 2019-03-25 10:37:15 +01:00
Davide De Rosa 7ce31c3184 Parse randomize endpoints from --remote-random 2019-03-25 10:32:08 +01:00
Davide De Rosa 42227fcc00 Add SessionProxy.Configuration.randomizeEndpoint 2019-03-25 10:32:08 +01:00
Davide De Rosa 9c0205614b Disable rebind-on-float until a solid fix
Mitigates #75
2019-03-25 10:10:08 +01:00
Davide De Rosa 71d54e2dc3 Send IV_LZO only if supported 2019-03-25 10:07:57 +01:00
Davide De Rosa fad20668b0 Override masksPrivateData via AppExtension
Unmask in demo.

Fixes #62
2019-03-21 19:19:22 +01:00
Davide De Rosa 79509a1ea1 Fix execution queue in network handler 2019-03-20 18:01:57 +01:00
Davide De Rosa a5b8907918 Postpone shutdown until notification is written
Otherwise socket might be force-closed while sending the packet.
2019-03-20 17:57:56 +01:00
Davide De Rosa c93461b153 Send explicit exit notification if UDP
Implement --explicit-exit-notify by default.

Fixes #29
2019-03-20 17:57:56 +01:00
Davide De Rosa c6ab3b57db Fix a few return in wrong scope 2019-03-20 17:57:56 +01:00
Davide De Rosa 9d479a9aba Handle LZO compression in --compress framing
Share parse block between comp-lzo and compress.

It seems that --compress sends NO_COMPRESS w/o swapping.

Also suppress redundant LZOIsSupported(), implied by non-nil value
of self.lzo.
2019-03-20 09:04:27 +01:00
Davide De Rosa 4b9ffcfb4e Accept LZO regardless of framing 2019-03-20 09:04:27 +01:00
Davide De Rosa 9a6f3d638c Recognize "--compress lzo" option as legal 2019-03-20 09:04:27 +01:00
Davide De Rosa 7a449f90ee Advertise LZO support 2019-03-19 15:14:29 +01:00
Davide De Rosa 0eb0e3e478 Parse compression from several places
- PUSH_REPLY
- .ovpn configuration
- TunnelKitProvider
2019-03-19 15:14:29 +01:00
Davide De Rosa 4d6d51818d Compress/decompress LZO data packets
Return compressionHeader from parse blocks.
2019-03-19 15:14:27 +01:00
Davide De Rosa 197679057d Return NSData from parsePayloadWithBlock
More friendly to (de)compression stage.
2019-03-19 15:12:56 +01:00
Davide De Rosa 5cc32b1060 Wrap minilzo into dynamic Obj-C plugin
Handle library errors to some extent.
2019-03-19 15:12:46 +01:00
Davide De Rosa 08b04c8e02 Fix not propagated checksEKU flag 2019-03-18 17:27:48 +01:00
Davide De Rosa 7d69e09c53 Update copyright 2019-03-09 11:44:18 +01:00
Davide De Rosa e3b8a6b16b Shut down on link error
Because it doesn't seem to recover until the tunnel dies.
2019-03-08 13:08:54 +01:00
Davide De Rosa e849e6c0da Reject <connection> blocks in .ovpn
- Use enumerateComponents for boolean test.
- Fix a test compile error on the way.
2019-03-04 17:39:37 +01:00
Davide De Rosa 86420ba8ea Shut down on compressed data packet
Re-inforce #65 at the data path level. Should now cover all
compression scenarios.
2019-02-28 17:16:14 +01:00
Davide De Rosa 0f2a5e1e14 Check NULL when verifying EKU 2019-02-25 23:33:31 +01:00
Davide De Rosa 8fe43269ab Catch errors on CA MD5 calculation (PIA only) 2019-02-25 23:33:26 +01:00
Davide De Rosa d1b5c94be9 Fix potential overflow in AEAD IV length 2019-02-25 23:23:43 +01:00
Davide De Rosa 3aadaf0186 Shut down when server pushes compression enabled 2019-02-25 23:01:21 +01:00
Davide De Rosa 367e8b7e08 Track whether server pushed a compression option 2019-02-25 23:01:21 +01:00
Davide De Rosa 8c1b95eaa7 Group PushReply regexes 2019-02-25 23:01:21 +01:00
Davide De Rosa d6076b045a Make checksEKU optional to fall back on decoding 2019-02-25 11:16:26 +01:00
Davide De Rosa 010da904fa Parse EKU choice in .ovpn from remote-cert-tls
Fix unhandled extra spaces in dhcp-option DNS regex.
2019-02-25 11:16:26 +01:00
Davide De Rosa 265aca0829 Make EKU verification optional in TLSBox 2019-02-25 11:16:26 +01:00
Davide De Rosa c244b29a8f Parse DNS servers from configuration 2019-01-05 22:29:16 +01:00
Davide De Rosa 13c41d80e7 Allow overriding DNS servers
Fall back to those in PUSH_REPLY.
2019-01-05 22:25:58 +01:00
Davide De Rosa 03478b6fbf Add jazzy doc to ConfigurationParser 2018-11-12 10:42:04 +01:00
Davide De Rosa 40fd2c7ede Parse configuration from .ovpn file 2018-11-10 10:58:06 +01:00
Davide De Rosa f91db4cbf1 Move EndpointProtocol/SocketType to Core 2018-11-10 10:48:17 +01:00
Davide De Rosa 0800c943a8 Add shortcut extension for creating regexes
Also expose enumeration methods for internal reuse.
2018-11-10 10:47:58 +01:00
Davide De Rosa 36e93651ba Replace hardcoded 32 tag length in tls-crypt 2018-11-06 10:35:37 +01:00
Davide De Rosa b366925125 Hardcode digestLength to tagLength in CTR
Code is not using digestLength in any way.
2018-11-06 10:35:19 +01:00
Davide De Rosa 7ffbf41b30 Expose internal tag length, 0 if none 2018-11-06 10:31:55 +01:00
Davide De Rosa 2fde43b1fc Keep tag length constants private
Also AD length in AEAD was an unresolved relic.
2018-11-06 10:25:35 +01:00
Davide De Rosa caea6624fc Unmask IPv4 netmask and IPv6 prefix
Masking that is useless and paranoid. May help debugging.
2018-11-05 20:40:12 +01:00