Robert Patchett
87cb448d12
Fix comment typo
2019-10-22 10:43:57 +02:00
ThinkChaos
c6cb5a646a
Add Proxy Auto-Configuration (PAC) support
2019-10-21 21:47:45 +02:00
Robert Patchett
bdf34f8882
Set tunnel provider's reasserting to false after the system starts using the tunnel
2019-10-17 14:23:16 +02:00
Robert Patchett
55f7e64f19
Allow keep alive timeout to be configured by the server or client
2019-09-30 11:54:29 -07:00
Davide De Rosa
d22f40f7e9
Fix potential OOB in memcmp()
2019-09-17 23:41:35 +02:00
Davide De Rosa
d815f5222f
Change var to let
...
Xcode no more signals wrong side-effect in withUnsafeBytes.
2019-09-17 16:09:09 +02:00
Davide De Rosa
e0ab2a1ddb
Disconnect if HARD_RESET received while SOFT_RESET
...
Bad condition for .staleSession
Fixes #120
See 0f2234f1d1
2019-09-03 00:27:54 +02:00
Davide De Rosa
de21adfef6
Beware of execution queue in write callbacks
...
self.link was not checked against in tunnel queue.
2019-08-23 09:15:59 +02:00
Davide De Rosa
6b281711c7
Ignore errors from outdated link writes
...
Prevents async delegation after cleanup.
2019-08-23 09:15:57 +02:00
Davide De Rosa
a4333eaafe
Revert ENOBUFS mitigation, do disconnect instead
...
Reverts #87 "fix"
2019-07-26 21:14:57 +02:00
Davide De Rosa
aefeb252b3
Do not defer stop more than once
...
May cause multiple delegation and queue deadlock when a
reconnection is scheduled to trigger.
Fixes #106
2019-07-09 14:09:02 +02:00
Davide De Rosa
2c56a8ea95
Send PUSH_REQUEST immediately after auth
...
First call would always fail otherwise.
2019-07-09 12:40:10 +02:00
Davide De Rosa
40139cbef0
Replace key flag with session-wide isRenegotiating
...
Prevent new if one in progress.
Fixes #105
2019-07-09 12:17:12 +02:00
Davide De Rosa
0f2234f1d1
Assume stale session if server sends HARD_RESET
...
When unsolicited.
2019-07-09 11:42:12 +02:00
Davide De Rosa
1dcf4d7745
Shut down abruptly to work around macOS bug
...
Fixes #111
2019-07-07 23:36:06 +02:00
Davide De Rosa
b04f7f20d4
Log info about DNS servers in use
2019-07-03 19:04:53 +02:00
Davide De Rosa
eb56a9a56c
Optimize [Data].flatCount
2019-06-05 14:14:15 +02:00
Davide De Rosa
2ddf712176
Update jazzy YAML
2019-05-24 16:04:19 +02:00
Davide De Rosa
be1081aad6
Nest subspecs by purpose
...
- Protocols
- Extra
2019-05-24 16:02:59 +02:00
Davide De Rosa
21eee24e7c
Add missing documentation
2019-05-24 16:02:06 +02:00
Davide De Rosa
72ce14b676
Make AppExtension entities public
2019-05-24 16:02:06 +02:00
Davide De Rosa
3edd00b2da
Drop deprecated endpointProtocols
2019-05-24 10:59:20 +02:00
Davide De Rosa
185f0707cf
Move OpenVPN configuration part on top
2019-05-24 10:59:20 +02:00
Davide De Rosa
1f8c51c126
Parse OpenVPN.Configuration from defaults
2019-05-24 10:59:20 +02:00
Davide De Rosa
5561c7adc6
Group OpenVPN.Configuration funcs into extension
...
- with (creation)
- store (convert to dict)
- print (log)
2019-05-24 10:54:25 +02:00
Davide De Rosa
a85404e951
Rename provider class to OpenVPNTunnelProvider
2019-05-24 10:41:30 +02:00
Davide De Rosa
9445b825d0
Make AppExtension generic
...
- Make AppExtension a standalone util subspec
- Move OpenVPN tunnel provider to OpenVPN subspec
- Move Utils to Core subspec
- Depend OpenVPN on Core + AppExtension
2019-05-24 10:41:26 +02:00
Davide De Rosa
b6da3f2d13
Rename proxy to session
...
According to SessionProxy -> OpenVPNSession.
2019-05-19 15:56:44 +02:00
Davide De Rosa
8be0f14aa9
Move PRNG initialization to namespace level
2019-05-19 15:52:55 +02:00
Davide De Rosa
d057e9645b
Restore AppExtension with recent changes
2019-05-19 15:50:12 +02:00
Davide De Rosa
6ebf025859
Take Session protocol out of OpenVPNSession
...
Fix some doc.
2019-05-19 15:08:43 +02:00
Davide De Rosa
313d076ddf
Move Error extension to Core
2019-05-19 14:34:27 +02:00
Davide De Rosa
c4a84a5ade
Prefix top-level entities with OpenVPN*
2019-05-19 14:34:23 +02:00
Davide De Rosa
9c7ae47679
Make SessionProxy* top level
...
Drop redundant SessionReply.
2019-05-19 14:17:18 +02:00
Davide De Rosa
465e08e42f
Wrap OpenVPN entities in pseudonamespace
...
Temporarily exclude AppExtension and tests.
2019-05-19 14:05:02 +02:00
Davide De Rosa
50d492096f
Move a few generic entities to Core
...
- IPv4Settings
- IPv6Settings
- Proxy
- EndpointProtocol (Codable)
2019-05-19 12:40:20 +02:00
Davide De Rosa
930f05c984
Move OpenVPN timeouts out of Core
2019-05-19 12:39:51 +02:00
Davide De Rosa
5b81aa6a78
Drop "Box" from error codes
2019-05-19 12:22:32 +02:00
Davide De Rosa
9da7fa9667
Split Core into Core+OpenVPN
...
Two Obj-C modules:
- __TunnelKitCore
- __TunnelKitOpenVPN
Seems the only way to do it in multiple module maps.
Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 12:22:32 +02:00
Davide De Rosa
491092f2a3
Drop extra header lines
2019-05-19 12:21:44 +02:00
Davide De Rosa
21b67fd9ff
Make CoreConfiguration a class for bundle lookup
2019-05-19 11:36:26 +02:00
Davide De Rosa
470c50b037
Return just <masked> when masked description
...
Why bother with useless hashes?
2019-05-19 11:36:26 +02:00
Davide De Rosa
d19e029131
Use guard
2019-05-19 11:36:26 +02:00
Davide De Rosa
713a46d817
Update GitHub URL
...
Move to passepartoutvpn org.
2019-05-14 10:58:47 +02:00
Davide De Rosa
7cbcfcd264
Fix condition for SOFT_RESET
...
May receive multiple packets while handling in progress.
2019-05-13 12:15:44 +02:00
Davide De Rosa
d06b2e1928
Shut down if no default gateway
2019-05-11 17:40:46 +02:00
Davide De Rosa
5ce49953a0
Assume empty policies to override server settings
...
Empty != nil. When nil, pull from server.
2019-05-11 16:33:49 +02:00
Davide De Rosa
43c70b2673
Refine logging of some configuration
...
Log about routing entries.
2019-05-11 14:54:25 +02:00
Davide De Rosa
ff0dfc450c
Get TLS security level via AppExtension
...
Improves #97
2019-05-08 16:16:30 +02:00
Davide De Rosa
3a136bdce9
Make TLS security level an option
...
Default level by default.
2019-05-08 16:10:35 +02:00
Davide De Rosa
82f0431303
Take optional securityLevel field in TLSBox
2019-05-08 15:54:05 +02:00
Davide De Rosa
97f178cdac
Tolerate weak certificates
...
Lower SSL security level.
Fixes #97
2019-05-05 17:51:24 +02:00
Davide De Rosa
273007cc59
Copy route.h from macOS
...
Missing on iOS.
2019-05-03 15:14:25 +02:00
Davide De Rosa
a693075e90
Block LAN when redirect-gateway block-local
...
Fixes #81
2019-05-03 15:14:25 +02:00
Davide De Rosa
13cae06a49
Add method to partition a subnet
2019-05-03 15:14:25 +02:00
Davide De Rosa
03a1eb2203
Return IPv4 network mask for a route
2019-05-03 15:14:25 +02:00
Davide De Rosa
4295e63c98
Read relevant routing table
2019-05-03 15:14:25 +02:00
Davide De Rosa
d44d08c95e
Retain self weakly for shutdown on timeout
2019-05-02 13:13:43 +02:00
Davide De Rosa
1430241b0c
Do not fake BF-CBC, please
2019-05-01 23:18:54 +02:00
Davide De Rosa
037f08ed62
Retry auth once without local options
...
Hack around picky server implementations.
Fixes #95
2019-05-01 11:14:52 +02:00
Davide De Rosa
14b7f08fb5
Use strict ordering in local options
...
And add TLS wrapping.
2019-05-01 11:14:38 +02:00
Davide De Rosa
7389d72f1f
Fix mutable SessionProxy.Configuration
2019-05-01 11:14:38 +02:00
Davide De Rosa
f799f47c25
Add direct routes to DNS servers
...
If VPN is not default gateway.
Further fix of #94
2019-04-28 15:51:16 +02:00
Davide De Rosa
0b72a30cdd
Add full set of CloudFlare DNS servers
2019-04-28 10:56:39 +02:00
Davide De Rosa
ebabf02eb5
Fix DNS in VPN when not default gateway
...
Awful API requires .matchDomains = [""]
Fixes #94
2019-04-28 10:39:55 +02:00
Davide De Rosa
b331e3cfe6
Mask fallback DNS servers
...
Comment about fallback DNS being public
2019-04-28 10:39:25 +02:00
Davide De Rosa
7978398e1e
Fix logging of routing policies
2019-04-27 22:55:20 +02:00
Davide De Rosa
0ee39c8fb0
Extend handling of redirect-gateway flags
...
- def1 (IPv4)
- ipv6 (IPv6)
- !ipv4 (IPv6 only)
2019-04-27 22:55:20 +02:00
Davide De Rosa
155bd5f1e7
Revert def1 trick
...
Not needed, routes are not persistent.
Revert 7d26323d3f
2019-04-27 22:55:19 +02:00
Davide De Rosa
7d26323d3f
Use OpenVPN trick to retain default gateway
...
Override default gateway with 2 split routes.
- IPv4: 0.0.0.0/1, 128.0.0.0/1
- IPv6: 2000::/4, 3000::/4
2019-04-27 22:29:51 +02:00
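The two commits above (7d26323d3f "Use OpenVPN trick to retain default gateway", reverted by 155bd5f1e7 as unnecessary on this platform because routes are not persistent), together with a693075e90 "Block LAN when redirect-gateway block-local" and 13cae06a49 "Add method to partition a subnet", all rely on one routing fact: two routes one bit longer than an existing prefix cover the same addresses but win longest-prefix matching, so the original route (the physical default gateway, or the LAN route) can stay in the table while traffic goes into the tunnel. The example below is added here to show that mechanism in Python; it is not TunnelKit code (TunnelKit is Swift) and does not touch a real routing table. Its `build_table`/`lookup` model, the interface names `en0`/`utun1`, and the treatment of `local`, `autolocal`, `bypass-dhcp` and `bypass-dns` as no-ops are assumptions made for the illustration. The prefixes follow the commit message: 0.0.0.0/1 and 128.0.0.0/1 for IPv4, 2000::/4 and 3000::/4 for IPv6, which are exactly the halves of 0.0.0.0/0 and 2000::/3.

```python
import ipaddress
from dataclasses import dataclass


def split_in_halves(network):
    """Return the two subnets one bit longer than `network`.

    Together they cover exactly the addresses of `network`, but each is
    more specific, so longest-prefix matching prefers them over a route
    for `network` itself while that original route stays in the table.
    """
    if network.prefixlen >= network.max_prefixlen:
        raise ValueError("cannot split a host route: %s" % network)
    return tuple(network.subnets(prefixlen_diff=1))


@dataclass
class RedirectGateway:
    """Subset of redirect-gateway flags modelled by this example."""
    def1: bool = False          # replace default route with two /1 halves
    ipv6: bool = False          # also redirect IPv6 (2000::/4 + 3000::/4)
    no_ipv4: bool = False       # "!ipv4": redirect IPv6 only
    block_local: bool = False   # also send the local LAN into the tunnel


# Assumption for this example: accepted but treated as no-ops.
PASSTHROUGH_FLAGS = {"local", "autolocal", "bypass-dhcp", "bypass-dns"}


def parse_redirect_gateway(line):
    """Parse one `redirect-gateway ...` option line into RedirectGateway flags."""
    tokens = line.split()
    if not tokens or tokens[0] != "redirect-gateway":
        raise ValueError("not a redirect-gateway option: %r" % line)
    rg = RedirectGateway()
    for flag in tokens[1:]:
        if flag == "def1":
            rg.def1 = True
        elif flag == "ipv6":
            rg.ipv6 = True
        elif flag == "!ipv4":
            rg.no_ipv4 = True
        elif flag == "block-local":
            rg.block_local = True
        elif flag not in PASSTHROUGH_FLAGS:
            raise ValueError("unknown redirect-gateway flag: %r" % flag)
    return rg


IPV4_ANY = ipaddress.ip_network("0.0.0.0/0")
IPV6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # halves: 2000::/4, 3000::/4


def tunnel_routes(rg, local_lan=None):
    """Networks to route into the tunnel for the given flags."""
    routes = []
    if not rg.no_ipv4:
        routes += list(split_in_halves(IPV4_ANY)) if rg.def1 else [IPV4_ANY]
    if rg.ipv6:
        routes += list(split_in_halves(IPV6_GLOBAL_UNICAST))
    if rg.block_local:
        if local_lan is None:
            raise ValueError("block-local needs the local LAN prefix")
        routes += list(split_in_halves(local_lan))  # the "partition a subnet" step
    return routes


def lookup(table, address):
    """Longest-prefix match over (network, interface) pairs; None if unroutable."""
    addr = ipaddress.ip_address(address)
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def build_table(option_line, local_lan, physical="en0", tunnel="utun1"):
    """Constructed system table: LAN and default via `physical`, plus tunnel routes."""
    rg = parse_redirect_gateway(option_line)
    table = [(local_lan, physical), (IPV4_ANY, physical)]
    table += [(net, tunnel) for net in tunnel_routes(rg, local_lan)]
    return table


if __name__ == "__main__":
    lan = ipaddress.ip_network("192.168.1.0/24")
    table = build_table("redirect-gateway def1 ipv6 block-local", lan)
    for net, iface in table:
        print("%-18s -> %s" % (net, iface))
    for dst in ("8.8.8.8", "192.168.1.50", "2001:db8::1"):
        print(dst, "via", lookup(table, dst))
```

With `def1` alone the LAN /24 still beats the /1 halves, so local hosts stay reachable over the physical interface; adding `block-local` splits the LAN into two /25 routes that beat the /24 and pull it into the tunnel as well. In both cases the physical default route is never deleted, which is the point of the trick: when the tunnel goes away, the original gateway is still there.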
Davide De Rosa
3505f68b04
Revert DNS merge
...
Revert 1d3660459e
2019-04-27 18:25:08 +02:00
Davide De Rosa
a48bcc7261
Decrypt generic EVP private key
...
Why PKCS#8?
2019-04-27 10:54:32 +02:00
Davide De Rosa
e0c06ece18
Drop extra EVP_PKEY_free call
2019-04-27 10:44:08 +02:00
Davide De Rosa
6fb409b112
Drop UDP packets on no buffer space available
...
Tolerate only on data channel. Control channel should never reach
high speeds.
Fixes #87
2019-04-25 17:29:10 +02:00
Davide De Rosa
b8cd969a1a
Fall back to configurable preset DNS servers
...
Default to CloudFlare 1.1.1.1
Hard time making it work with system DNS servers. Retry later.
2019-04-25 17:18:28 +02:00
Davide De Rosa
31d9019f1a
Read system-wide DNS servers
...
Add libresolv to podspec.
2019-04-25 16:36:16 +02:00
Davide De Rosa
1d3660459e
Merge local and remote DNS servers
...
- Local first
- Remote last
2019-04-25 16:18:54 +02:00
Davide De Rosa
82394e0433
Skip DNS settings if no servers are provided
2019-04-25 16:18:54 +02:00
Davide De Rosa
4ce2d78c5a
Adjust log of routing policies
...
Consistent with print configuration.
2019-04-25 16:18:52 +02:00
Davide De Rosa
1b0c9979ce
Log "default" DNS when servers are empty
2019-04-25 16:09:04 +02:00
Davide De Rosa
3f37489c13
Handle pushed routing policies
2019-04-25 16:02:19 +02:00
Davide De Rosa
7382616e8b
Parse routing policies for TunnelKitProvider
2019-04-25 14:39:47 +02:00
Davide De Rosa
f9f642b64e
Set as default gateway based on routing policies
...
Also fix IPv6 routes not properly set.
2019-04-25 14:39:40 +02:00
Davide De Rosa
224a76ac58
Parse --redirect-gateway from configuration
...
FIXME: for now only redirects ALL traffic when the option is found
in the configuration file, whatever the arguments.
Also drop unnecessary base options in tests as everything was made
optional recently.
2019-04-25 14:39:23 +02:00
Davide De Rosa
1b8647bcac
Convert PacketStream to Obj-C
...
For better TCP efficiency.
2019-04-25 12:42:29 +02:00
Davide De Rosa
ef5180a4ed
Set tls-auth/crypt timestamp once
...
Packets rejected due to replay protection.
Fixes #88
Fixes #61
2019-04-23 23:07:32 +02:00
Davide De Rosa
65af163aeb
Do not resend non-acked packets if reliable
...
In control channel.
2019-04-23 23:06:39 +02:00
Davide De Rosa
707db2c6de
Add keydir to local options
2019-04-20 17:20:45 +02:00
Davide De Rosa
9b8be02c2a
Shut down when no IPv4/6 routing available
...
Would fake-connect without VPN icon otherwise.
2019-04-19 09:45:15 +02:00
Davide De Rosa
c565e32dcd
Add "dev-type tun" to local options
...
Plus other hardcoded options like key-method and tls-client.
Seems that older OpenVPN servers didn't send routing info in
PUSH_REPLY if dev-type is not specified explicitly.
Fixes #86
2019-04-18 13:10:57 +02:00
Davide De Rosa
95ba9dacdb
Fix typo
2019-04-18 12:02:23 +02:00
Davide De Rosa
887e2ae55d
Consider stale if HARD_RESET while connected
...
Was disconnecting when more than one HARD_RESET_SERVER was
received during negotiation.
2019-04-17 09:24:16 +02:00
Davide De Rosa
233aa02169
Add FIXME for default DNS from network interface
2019-04-17 00:50:53 +02:00
Davide De Rosa
b199064b94
Only override domain if non-nil
2019-04-17 00:50:53 +02:00
Davide De Rosa
28fd80f4e0
Treat empty DNS servers as nil
...
Empty local DNS array was pretty much hiding server-pushed DNS.
2019-04-17 00:50:53 +02:00
Davide De Rosa
6fd6d228bf
Loop pulling plain text from TLS
...
There might be more data to read.
Fixes #71, #73
2019-04-17 00:18:02 +02:00
Davide De Rosa
88cd62064a
Handle continuation in PUSH_REPLY
2019-04-16 23:59:56 +02:00
Davide De Rosa
380ac2beac
Throw to exit PUSH_REPLY parsing on continuation
2019-04-16 23:59:56 +02:00
Davide De Rosa
23b6e3b98e
Relax negotiation timeouts
2019-04-16 23:59:56 +02:00
Davide De Rosa
d097afccdc
Resend PUSH_REQUEST every 2 seconds
...
Regardless of link reliability.
2019-04-16 23:43:33 +02:00
Davide De Rosa
ad964e2041
Send local options with authentication
...
Fixes some obsolete servers requiring cipher keysize.
2019-04-15 17:37:57 +02:00
Davide De Rosa
322242de5c
Fix malformed key generation message
...
Make nullTerminated argument explicit, easier to debug.
Fixes #67
2019-04-13 23:55:18 +02:00
Davide De Rosa
0a956f5b9f
Handle dhcp-option PROXY_BYPASS
2019-04-13 19:23:02 +02:00
Davide De Rosa
b118030d43
Enable both HTTP and HTTPS proxies
2019-04-13 17:55:08 +02:00
Davide De Rosa
904e7bae21
Apply proxy settings if present
...
Fixes #74
2019-04-12 08:21:04 +02:00
Davide De Rosa
ef9f3c6d0a
Parse proxies into AppExtension configuration
2019-04-12 08:21:04 +02:00
Davide De Rosa
5fb70b5bab
Parse dhcp-option PROXY_HTTP* into Configuration
2019-04-12 08:10:47 +02:00
Davide De Rosa
26cec205a7
Move builder() to extension
2019-04-11 16:46:52 +02:00
Davide De Rosa
5df614b5e2
Fix incomplete builder() from Configuration
...
Adding a Configuration field is error-prone beyond reason...
2019-04-11 15:30:14 +02:00
Davide De Rosa
914864c31a
Infer serverAddress from sessionConfiguration
2019-04-09 20:45:28 +02:00
Davide De Rosa
3fe9c6de6d
Make hostname optional in ConnectionStrategy
...
Assume preferring resolved addresses.
2019-04-09 20:34:03 +02:00
Davide De Rosa
9f358d6326
Accept nil cipher/digest in AppExtension
...
Reorganize code for clarity.
2019-04-07 08:35:40 +02:00
Davide De Rosa
3717136bd9
Move EndpointProtocol Codable to Core spec
2019-04-05 00:46:45 +02:00
Davide De Rosa
5e2f9b59f1
Rename ParsingResult to Result
...
No need to prefix an inner class.
2019-04-04 19:22:22 +02:00
Davide De Rosa
7333ea226c
Document ignored settings client-side
2019-04-04 18:51:06 +02:00
Davide De Rosa
8394fd0676
Rely on default ConfigurationBuilder.init()
2019-04-04 18:51:06 +02:00
Davide De Rosa
55534df6fa
Work around cipher/digest/framing issues
...
- Make them optional
- Set default values inside SessionProxy
Fallback is not needed anywhere else.
2019-04-04 18:51:06 +02:00
Davide De Rosa
0d86bd20b6
Expose ConfigurationBuilder.init()
2019-04-04 18:51:06 +02:00
Davide De Rosa
4dc9539260
Rename OptionsError to ConfigurationError
2019-04-04 18:51:06 +02:00
Davide De Rosa
a2250686b6
Merge OptionsBundle into Configuration
...
FIXME: issues with non-optional .cipher and .compressionFraming
Because:
- No pushed cipher (nil) is NOT .aes128cbc
- No pushed framing (nil) is NOT .disabled
Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 18:51:06 +02:00
Davide De Rosa
cfe61d5d40
Retain .endpointProtocols for migration
...
For deserialization of old format.
2019-04-04 13:10:33 +02:00
Davide De Rosa
7aec0637b2
Move endpoints inside SessionProxy.Configuration
...
Make optional.
TunnelKitProvider still gets hostname from .serverAddress rather
than SessionProxy.Configuration
Also drop useless Equatable implementations.
2019-04-04 13:09:50 +02:00
Davide De Rosa
e8396ec2cd
Parse search domain from configuration
...
Fixes #77
2019-04-03 14:29:09 +02:00
Davide De Rosa
370e68aa3f
Parse search domain from dhcp-option DOMAIN
2019-04-03 14:29:09 +02:00
Davide De Rosa
fe2ad52df0
Document OptionsBundle
...
Move most from SessionProxy.Configuration.
2019-04-03 13:34:08 +02:00
Davide De Rosa
f9ae3412a5
Move malformed error out of unrelated SessionError
...
Also give more detail about the reason.
2019-04-03 13:20:49 +02:00
Davide De Rosa
42232804ca
Rename file to public entity
2019-04-03 13:19:47 +02:00
Davide De Rosa
49c805af52
Fix a few isHandled
...
Skip to exclude from strippedLines.
2019-04-03 13:19:47 +02:00
Davide De Rosa
9876c81de5
Parse PUSH_REPLY options in OptionsBundle
...
- auth-token
- peer-id
- Routing
Reorganize options by semantic.
Reuse OptionsBundle in PushReply.
2019-04-03 13:19:21 +02:00
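Several commits in this range deal with the same server message: 88cd62064a and 380ac2beac handle `push-continuation` in PUSH_REPLY, d72b583900 improves parsing of the PUSH_REPLY prefix, 9876c81de5 parses auth-token, peer-id and routing, and 5fb70b5bab / 0a956f5b9f / 370e68aa3f parse the PROXY_HTTP*, PROXY_BYPASS and DOMAIN dhcp-options. The Python below is an added example of a reassembling PUSH_REPLY parser, not TunnelKit's OptionsBundle, and the three sample messages in it are constructed. It follows the OpenVPN convention that a fragment ending in `push-continuation 2` announces more fragments and `push-continuation 1` marks the last one; options are only acted on once the full reply is in hand, and addresses pushed by the server are validated before being kept, since the server is an untrusted input here.

```python
import ipaddress
from dataclasses import dataclass, field

PUSH_REPLY_PREFIX = "PUSH_REPLY"
CONTINUATION_MORE = "2"   # further PUSH_REPLY fragments follow
CONTINUATION_LAST = "1"   # final fragment of a multi-part reply


@dataclass
class PushedOptions:
    routes: list = field(default_factory=list)         # (network, netmask, gateway|None)
    routes_ipv6: list = field(default_factory=list)    # "prefix/len"
    dns: list = field(default_factory=list)
    search_domains: list = field(default_factory=list)
    proxy_http: tuple = None                           # (host, port)
    proxy_https: tuple = None
    proxy_bypass: list = field(default_factory=list)
    redirect_gateway: list = None                      # flags; [] when pushed bare
    peer_id: int = None
    auth_token: str = None
    ignored: list = field(default_factory=list)        # options this client does not act on


def _port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("bad port %r" % value)
    return port


def parse_option(opt, out):
    """Fold one pushed option into `out`, validating anything address-like."""
    tokens = opt.split()
    name, args = tokens[0], tokens[1:]
    if name == "route" and 1 <= len(args) <= 3:
        network = str(ipaddress.IPv4Address(args[0]))
        netmask = str(ipaddress.IPv4Address(args[1])) if len(args) > 1 else "255.255.255.255"
        gateway = args[2] if len(args) > 2 else None
        if gateway not in (None, "vpn_gateway", "net_gateway"):
            gateway = str(ipaddress.IPv4Address(gateway))
        out.routes.append((network, netmask, gateway))
    elif name == "route-ipv6" and args:
        out.routes_ipv6.append(str(ipaddress.IPv6Network(args[0], strict=False)))
    elif name == "dhcp-option" and args:
        kind, values = args[0].upper(), args[1:]
        if kind == "DNS" and len(values) == 1:
            out.dns.append(str(ipaddress.ip_address(values[0])))
        elif kind == "DOMAIN" and len(values) == 1:
            out.search_domains.append(values[0])
        elif kind in ("PROXY_HTTP", "PROXY_HTTPS") and len(values) == 2:
            proxy = (values[0], _port(values[1]))
            if kind == "PROXY_HTTP":
                out.proxy_http = proxy
            else:
                out.proxy_https = proxy
        elif kind == "PROXY_BYPASS" and values:
            out.proxy_bypass.extend(values)
        else:
            out.ignored.append(opt)
    elif name == "redirect-gateway":
        out.redirect_gateway = args
    elif name == "peer-id" and len(args) == 1:
        out.peer_id = int(args[0])
    elif name == "auth-token" and len(args) == 1:
        out.auth_token = args[0]   # secret: never log it unmasked
    else:
        out.ignored.append(opt)


class PushReplyAssembler:
    """Accumulates PUSH_REPLY fragments until one arrives without `push-continuation 2`."""

    def __init__(self):
        self._pending = []

    def feed(self, message):
        """Return PushedOptions when the reply is complete, None while fragments remain."""
        message = message.rstrip("\x00").strip()      # control messages are NUL-terminated
        if not message.startswith(PUSH_REPLY_PREFIX):
            raise ValueError("not a PUSH_REPLY: %r" % message[:32])
        body = message[len(PUSH_REPLY_PREFIX):].lstrip(",")
        more = False
        for opt in (o.strip() for o in body.split(",") if o.strip()):
            tokens = opt.split()
            if tokens[0] == "push-continuation" and len(tokens) == 2:
                more = tokens[1] == CONTINUATION_MORE
            else:
                self._pending.append(opt)
        if more:
            return None
        complete, self._pending = self._pending, []
        out = PushedOptions()
        for opt in complete:
            parse_option(opt, out)
        return out


# Constructed fragments of one multi-part reply (not captured from a real server).
SAMPLE_MESSAGES = [
    "PUSH_REPLY,route 10.8.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1,"
    "dhcp-option DOMAIN corp.example,push-continuation 2",
    "PUSH_REPLY,dhcp-option PROXY_HTTP 10.8.0.2 8080,dhcp-option PROXY_HTTPS 10.8.0.2 8443,"
    "dhcp-option PROXY_BYPASS intranet.example,push-continuation 2",
    "PUSH_REPLY,redirect-gateway def1,route-ipv6 fd00:8::/64,peer-id 7,"
    "auth-token SESS_ID_example,ping 10,push-continuation 1\x00",
]


def assemble(messages):
    """Feed fragments in order; returns the options once complete, else None."""
    assembler = PushReplyAssembler()
    result = None
    for message in messages:
        result = assembler.feed(message)
    return result
```

A single-fragment reply carries no `push-continuation` at all and is returned on the first `feed`. Options the client does not implement land in `ignored` rather than being silently dropped, which is what you want to log when debugging a server that pushes something unexpected.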
Davide De Rosa
b9b9c4db60
Parse basic options in OptionsBundle
...
- Handle isEncrypted inside CryptoContainer
- Rename ParsingError to OptionsError
Reuse OptionsBundle in ConfigurationParser.
2019-04-03 13:19:16 +02:00
Davide De Rosa
e7dadefabb
Generalize cipher regex
2019-04-03 12:20:53 +02:00
Davide De Rosa
d72b583900
Improve parsing of PUSH_REPLY prefix
2019-04-03 12:20:53 +02:00
Davide De Rosa
27901c991b
Skip deinit documentation
2019-04-02 19:18:23 +02:00
Davide De Rosa
ccb6329f05
Don't parse a block begin while inside a block
...
If a PEM contained anything like <foobar>, the parser was doomed.
Fixes #78
2019-04-02 19:07:48 +02:00
Davide De Rosa
11fd418f82
Extend encrypted private key quick test
...
Test .ovpn didn't use a PKCS#8 key due to a slip-up. Fixing it
unveiled that isEncrypted returned false for PKCS#8 keys.
Fixes #80
2019-04-02 11:41:18 +02:00
Davide De Rosa
22f80735ca
Strip certificate preamble
...
Fixes #78
2019-04-02 00:55:58 +02:00
Davide De Rosa
def622506b
Check PKCS#1 via "Proc-Type" presence instead
2019-04-02 00:37:52 +02:00
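The four commits above describe three parser pitfalls in inline .ovpn material: ccb6329f05 (a `<foobar>` line inside a PEM must not open a nested block), 22f80735ca (the human-readable preamble before `-----BEGIN CERTIFICATE-----` must be stripped), and 11fd418f82 / def622506b (a check based only on the PKCS#1 `Proc-Type: 4,ENCRYPTED` header reports PKCS#8 encrypted keys as unencrypted, because those are signalled by the `ENCRYPTED PRIVATE KEY` label instead). The Python below is an added example covering all three, not TunnelKit's ConfigurationParser; the sample .ovpn and PEM bodies are constructed placeholders, not real key material, and the legacy `is_encrypted_proctype_only` check is kept only to show the gap the corrected check closes.

```python
import re

BLOCK_BEGIN = re.compile(r"^<([a-z0-9-]+)>$")
BLOCK_END = re.compile(r"^</([a-z0-9-]+)>$")
PEM_RE = re.compile(r"-----BEGIN ([^-\n]+)-----\r?\n(.*?)-----END \1-----", re.S)


def extract_inline_blocks(ovpn_text):
    """Return {name: body} for <ca>...</ca>-style inline blocks.

    Inside a block every line is body, so a line such as `<foobar>` in a
    certificate preamble cannot open a nested block; only the close tag
    matching the currently open block ends it.
    """
    blocks, current, body = {}, None, []
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if current is None:
            m = BLOCK_BEGIN.match(line)
            if m:
                current, body = m.group(1), []
            continue  # ordinary option lines are not this example's concern
        m = BLOCK_END.match(line)
        if m and m.group(1) == current:
            blocks[current] = "\n".join(body) + "\n"
            current = None
        else:
            body.append(line)
    if current is not None:
        raise ValueError("unterminated <%s> block" % current)
    return blocks


def pem_blocks(text):
    """Yield (label, headers, base64_body) per PEM block, dropping any preamble."""
    for m in PEM_RE.finditer(text):
        label, inner = m.group(1), m.group(2)
        lines = inner.splitlines()
        headers, i = {}, 0
        while i < len(lines) and ":" in lines[i]:   # RFC 1421 headers, e.g. Proc-Type
            key, value = lines[i].split(":", 1)
            headers[key.strip()] = value.strip()
            i += 1
        body = "".join(l.strip() for l in lines[i:])  # blank separator strips to nothing
        yield label, headers, body


def is_encrypted_proctype_only(headers):
    """Legacy check: sees PKCS#1-style encryption only and misses PKCS#8."""
    return "ENCRYPTED" in headers.get("Proc-Type", "")


def is_encrypted_private_key(label, headers):
    """PKCS#8 encryption is signalled by the label, PKCS#1 by the Proc-Type header."""
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    if label.endswith("PRIVATE KEY"):
        return is_encrypted_proctype_only(headers)
    raise ValueError("not a private key: %s" % label)


def inline_key_status(ovpn_text):
    """(label, encrypted) of the first PEM in the <key> block, or None without one."""
    blocks = extract_inline_blocks(ovpn_text)
    if "key" not in blocks:
        return None
    label, headers, _ = next(pem_blocks(blocks["key"]))
    return label, is_encrypted_private_key(label, headers)


# Constructed profile; base64 bodies are placeholders, not real keys or certificates.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.com 1194 udp
<ca>
Certificate:
    Data:
        Subject: CN=test
<foobar>
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIAAAAAAAAAAACAggA
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed PKCS#1-style encrypted key, the case the Proc-Type check does cover.
SAMPLE_PKCS1_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

MIIEpAIBAAKCAQEA0000000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""
```

Deciding "encrypted or not" up front is what lets a client ask for a passphrase before attempting decryption (ffcccb5420, 00c76f707f below) instead of failing deep inside OpenSSL; getting it wrong for PKCS#8 keys means the user is never prompted.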
Davide De Rosa
47b80d5361
Refactor to decrypt generic key
2019-04-02 00:31:54 +02:00
Davide De Rosa
a6387679f1
Update data count as soon as tunnel is up
...
Zero is better than nil.
2019-03-30 23:35:50 +01:00
Davide De Rosa
0bfc1e08eb
Fix retarded Swift pointer API somehow
2019-03-30 23:18:45 +01:00
Davide De Rosa
207a4f063a
Replace deprecated Data(bytes:)
2019-03-30 23:18:45 +01:00
Davide De Rosa
8dfd5f23c1
Handle unknown enum defaults
2019-03-30 23:18:45 +01:00
Davide De Rosa
5120bcae0a
Migrate to Swift 5
2019-03-30 23:18:45 +01:00
Davide De Rosa
f686a0aee4
Fix Xcode warnings
2019-03-30 20:16:04 +01:00
Davide De Rosa
44fb5a5b48
Track data count in shared UserDefaults
...
Default disabled (dataCountInterval = 0).
2019-03-30 19:56:26 +01:00
Davide De Rosa
d03f1bd9af
Fix checksEKU not propagated to TunnelKitProvider
2019-03-26 00:37:35 +01:00
Davide De Rosa
00c76f707f
Throw specific error if unable to decrypt
...
Normally a bad passphrase.
2019-03-25 19:24:35 +01:00
Davide De Rosa
ffcccb5420
Throw specific error on missing passphrase
...
So that client can retry with a passphrase.
2019-03-25 18:49:53 +01:00
Davide De Rosa
b07ec88ff2
Add passphrase parameter to ConfigurationParser
...
Use it to decrypt encrypted PEMs.
2019-03-25 18:48:59 +01:00
Davide De Rosa
f37bfb3579
Implement RSA privkey decryption via OpenSSL
2019-03-25 18:45:00 +01:00