Davide De Rosa
3f37489c13
Handle pushed routing policies
2019-04-25 16:02:19 +02:00
Davide De Rosa
7382616e8b
Parse routing policies for TunnelKitProvider
2019-04-25 14:39:47 +02:00
Davide De Rosa
f9f642b64e
Set as default gateway based on routing policies
...
Also fix IPv6 routes not properly set.
2019-04-25 14:39:40 +02:00
Davide De Rosa
224a76ac58
Parse --redirect-gateway from configuration
...
FIXME: for now only redirects ALL traffic when the option is found
in the configuration file, whatever the arguments.
Also drop unnecessary base options in tests as everything was made
optional recently.
2019-04-25 14:39:23 +02:00
Davide De Rosa
1b8647bcac
Convert PacketStream to Obj-C
...
For better TCP efficiency.
2019-04-25 12:42:29 +02:00
Davide De Rosa
ef5180a4ed
Set tls-auth/crypt timestamp once
...
Packets rejected due to replay protection.
Fixes #88
Fixes #61
2019-04-23 23:07:32 +02:00
Davide De Rosa
65af163aeb
Do not resend non-acked packets if reliable
...
In control channel.
2019-04-23 23:06:39 +02:00
Davide De Rosa
707db2c6de
Add keydir to local options
2019-04-20 17:20:45 +02:00
Davide De Rosa
9b8be02c2a
Shut down when no IPv4/6 routing available
...
Would fake-connect without VPN icon otherwise.
2019-04-19 09:45:15 +02:00
Davide De Rosa
c565e32dcd
Add "dev-type tun" to local options
...
Plus other hardcoded options like key-method and tls-client.
Seems that older OpenVPN servers didn't send routing info in
PUSH_REPLY if dev-type is not specified explicitly.
Fixes #86
2019-04-18 13:10:57 +02:00
Davide De Rosa
95ba9dacdb
Fix typo
2019-04-18 12:02:23 +02:00
Davide De Rosa
887e2ae55d
Consider stale if HARD_RESET while connected
...
Was disconnecting when more than one HARD_RESET_SERVER was
received during negotiation.
2019-04-17 09:24:16 +02:00
Davide De Rosa
233aa02169
Add FIXME for default DNS from network interface
2019-04-17 00:50:53 +02:00
Davide De Rosa
b199064b94
Only override domain if non-nil
2019-04-17 00:50:53 +02:00
Davide De Rosa
28fd80f4e0
Treat empty DNS servers as nil
...
Empty local DNS array was pretty much hiding server-pushed DNS.
2019-04-17 00:50:53 +02:00
Davide De Rosa
6fd6d228bf
Loop pulling plain text from TLS
...
There might be more data to read.
Fixes #71, #73
2019-04-17 00:18:02 +02:00
Davide De Rosa
88cd62064a
Handle continuation in PUSH_REPLY
2019-04-16 23:59:56 +02:00
Davide De Rosa
380ac2beac
Throw to exit PUSH_REPLY parsing on continuation
2019-04-16 23:59:56 +02:00
Davide De Rosa
23b6e3b98e
Relax negotiation timeouts
2019-04-16 23:59:56 +02:00
Davide De Rosa
d097afccdc
Resend PUSH_REQUEST every 2 seconds
...
Regardless of link reliability.
2019-04-16 23:43:33 +02:00
Davide De Rosa
ad964e2041
Send local options with authentication
...
Fixes some obsolete servers requiring cipher keysize.
2019-04-15 17:37:57 +02:00
Davide De Rosa
322242de5c
Fix malformed key generation message
...
Make nullTerminated argument explicit, easier to debug.
Fixes #67
2019-04-13 23:55:18 +02:00
Davide De Rosa
0a956f5b9f
Handle dhcp-option PROXY_BYPASS
2019-04-13 19:23:02 +02:00
Davide De Rosa
b118030d43
Enable both HTTP and HTTPS proxies
2019-04-13 17:55:08 +02:00
Davide De Rosa
904e7bae21
Apply proxy settings if present
...
Fixes #74
2019-04-12 08:21:04 +02:00
Davide De Rosa
ef9f3c6d0a
Parse proxies into AppExtension configuration
2019-04-12 08:21:04 +02:00
Davide De Rosa
5fb70b5bab
Parse dhcp-option PROXY_HTTP* into Configuration
2019-04-12 08:10:47 +02:00
Davide De Rosa
26cec205a7
Move builder() to extension
2019-04-11 16:46:52 +02:00
Davide De Rosa
5df614b5e2
Fix incomplete builder() from Configuration
...
Adding a Configuration field is error-prone beyond reason...
2019-04-11 15:30:14 +02:00
Davide De Rosa
914864c31a
Infer serverAddress from sessionConfiguration
2019-04-09 20:45:28 +02:00
Davide De Rosa
3fe9c6de6d
Make hostname optional in ConnectionStrategy
...
Assume preferring resolved addresses.
2019-04-09 20:34:03 +02:00
Davide De Rosa
9f358d6326
Accept nil cipher/digest in AppExtension
...
Reorganize code for clarity.
2019-04-07 08:35:40 +02:00
Davide De Rosa
3717136bd9
Move EndpointProtocol Codable to Core spec
2019-04-05 00:46:45 +02:00
Davide De Rosa
5e2f9b59f1
Rename ParsingResult to Result
...
No need to prefix an inner class.
2019-04-04 19:22:22 +02:00
Davide De Rosa
7333ea226c
Document ignored settings client-side
2019-04-04 18:51:06 +02:00
Davide De Rosa
8394fd0676
Rely on default ConfigurationBuilder.init()
2019-04-04 18:51:06 +02:00
Davide De Rosa
55534df6fa
Work around cipher/digest/framing issues
...
- Make them optional
- Set default values inside SessionProxy
Fallback is not needed anywhere else.
2019-04-04 18:51:06 +02:00
Davide De Rosa
0d86bd20b6
Expose ConfigurationBuilder.init()
2019-04-04 18:51:06 +02:00
Davide De Rosa
4dc9539260
Rename OptionsError to ConfigurationError
2019-04-04 18:51:06 +02:00
Davide De Rosa
a2250686b6
Merge OptionsBundle into Configuration
...
FIXME: issues with non-optional .cipher and .compressionFraming
Because:
- No pushed cipher (nil) is NOT .aes128cbc
- No pushed framing (nil) is NOT .disabled
Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 18:51:06 +02:00
Davide De Rosa
cfe61d5d40
Retain .endpointProtocols for migration
...
For deserialization of old format.
2019-04-04 13:10:33 +02:00
Davide De Rosa
7aec0637b2
Move endpoints inside SessionProxy.Configuration
...
Make optional.
TunnelKitProvider still gets hostname from .serverAddress rather
than SessionProxy.Configuration
Also drop useless Equatable implementations.
2019-04-04 13:09:50 +02:00
Davide De Rosa
e8396ec2cd
Parse search domain from configuration
...
Fixes #77
2019-04-03 14:29:09 +02:00
Davide De Rosa
370e68aa3f
Parse search domain from dhcp-option DOMAIN
2019-04-03 14:29:09 +02:00
Davide De Rosa
fe2ad52df0
Document OptionsBundle
...
Move most from SessionProxy.Configuration.
2019-04-03 13:34:08 +02:00
Davide De Rosa
f9ae3412a5
Move malformed error out of unrelated SessionError
...
Also give more detail about the reason.
2019-04-03 13:20:49 +02:00
Davide De Rosa
42232804ca
Rename file to public entity
2019-04-03 13:19:47 +02:00
Davide De Rosa
49c805af52
Fix a few isHandled
...
Skip to exclude from strippedLines.
2019-04-03 13:19:47 +02:00
Davide De Rosa
9876c81de5
Parse PUSH_REPLY options in OptionsBundle
...
- auth-token
- peer-id
- Routing
Reorganize options by semantic.
Reuse OptionsBundle in PushReply.
2019-04-03 13:19:21 +02:00
Davide De Rosa
b9b9c4db60
Parse basic options in OptionsBundle
...
- Handle isEncrypted inside CryptoContainer
- Rename ParsingError to OptionsError
Reuse OptionsBundle in ConfigurationParser.
2019-04-03 13:19:16 +02:00
Davide De Rosa
e7dadefabb
Generalize cipher regex
2019-04-03 12:20:53 +02:00
Davide De Rosa
d72b583900
Improve parsing of PUSH_REPLY prefix
2019-04-03 12:20:53 +02:00
Davide De Rosa
27901c991b
Skip deinit documentation
2019-04-02 19:18:23 +02:00
Davide De Rosa
ccb6329f05
Don't parse a block begin while inside a block
...
If a PEM contained anything like <foobar>, the parser was doomed.
Fixes #78
2019-04-02 19:07:48 +02:00
Davide De Rosa
11fd418f82
Extend encrypted private key quick test
...
Test .ovpn didn't use a PKCS#8 key due to a slip-up. Fixing it
unveiled that isEncrypted returned false for PKCS#8 keys.
Fixes #80
2019-04-02 11:41:18 +02:00
Davide De Rosa
22f80735ca
Strip certificate preamble
...
Fixes #78
2019-04-02 00:55:58 +02:00
Davide De Rosa
def622506b
Check PKCS#1 via "Proc-Type" presence instead
2019-04-02 00:37:52 +02:00
Davide De Rosa
47b80d5361
Refactor to decrypt generic key
2019-04-02 00:31:54 +02:00
Davide De Rosa
a6387679f1
Update data count as soon as tunnel is up
...
Zero is better than nil.
2019-03-30 23:35:50 +01:00
Davide De Rosa
0bfc1e08eb
Fix retarded Swift pointer API somehow
2019-03-30 23:18:45 +01:00
Davide De Rosa
207a4f063a
Replace deprecated Data(bytes:)
2019-03-30 23:18:45 +01:00
Davide De Rosa
8dfd5f23c1
Handle unknown enum defaults
2019-03-30 23:18:45 +01:00
Davide De Rosa
5120bcae0a
Migrate to Swift 5
2019-03-30 23:18:45 +01:00
Davide De Rosa
f686a0aee4
Fix Xcode warnings
2019-03-30 20:16:04 +01:00
Davide De Rosa
44fb5a5b48
Track data count in shared UserDefaults
...
Default disabled (dataCountInterval = 0).
2019-03-30 19:56:26 +01:00
Davide De Rosa
d03f1bd9af
Fix checksEKU not propagated to TunnelKitProvider
2019-03-26 00:37:35 +01:00
Davide De Rosa
00c76f707f
Throw specific error if unable to decrypt
...
Normally a bad passphrase.
2019-03-25 19:24:35 +01:00
Davide De Rosa
ffcccb5420
Throw specific error on missing passphrase
...
So that client can retry with a passphrase.
2019-03-25 18:49:53 +01:00
Davide De Rosa
b07ec88ff2
Add passphrase parameter to ConfigurationParser
...
Use it to decrypt encrypted PEMs.
2019-03-25 18:48:59 +01:00
Davide De Rosa
f37bfb3579
Implement RSA privkey decryption via OpenSSL
2019-03-25 18:45:00 +01:00
Davide De Rosa
53f3048674
Add missing documentation
2019-03-25 15:46:15 +01:00
Davide De Rosa
9c4d491a3b
Make floating XXX a FIXME
2019-03-25 10:37:15 +01:00
Davide De Rosa
54a477ce67
Randomize endpoints in ConnectionStrategy
...
Fixes #76
2019-03-25 10:32:23 +01:00
Davide De Rosa
7ce31c3184
Parse randomize endpoints from --remote-random
2019-03-25 10:32:08 +01:00
Davide De Rosa
42227fcc00
Add SessionProxy.Configuration.randomizeEndpoint
2019-03-25 10:32:08 +01:00
Davide De Rosa
9c0205614b
Disable rebind-on-float until a solid fix
...
Mitigates #75
2019-03-25 10:10:08 +01:00
Davide De Rosa
71d54e2dc3
Send IV_LZO only if supported
2019-03-25 10:07:57 +01:00
Davide De Rosa
04fbbb1fe1
XXX: Fix log glitch
2019-03-21 19:40:42 +01:00
Davide De Rosa
ac418f414a
Make masksPrivateData optional
...
Do not break Codable compatibility.
2019-03-21 19:32:06 +01:00
Davide De Rosa
fad20668b0
Override masksPrivateData via AppExtension
...
Unmask in demo.
Fixes #62
2019-03-21 19:19:22 +01:00
Davide De Rosa
f32c231b90
Remove deprecated API
...
Should have done so in 1.5.0
2019-03-21 18:30:40 +01:00
Davide De Rosa
79509a1ea1
Fix execution queue in network handler
2019-03-20 18:01:57 +01:00
Davide De Rosa
a5b8907918
Postpone shutdown until notification is written
...
Otherwise socket might be force-closed while sending the packet.
2019-03-20 17:57:56 +01:00
Davide De Rosa
c93461b153
Send explicit exit notification if UDP
...
Implement --explicit-exit-notify by default.
Fixes #29
2019-03-20 17:57:56 +01:00
Davide De Rosa
c6ab3b57db
Fix a few returns in wrong scope
2019-03-20 17:57:56 +01:00
Davide De Rosa
9d479a9aba
Handle LZO compression in --compress framing
...
Share parse block between comp-lzo and compress.
It seems that --compress sends NO_COMPRESS w/o swapping.
Also suppress redundant LZOIsSupported(), implied by non-nil value
of self.lzo.
2019-03-20 09:04:27 +01:00
Davide De Rosa
4b9ffcfb4e
Accept LZO regardless of framing
2019-03-20 09:04:27 +01:00
Davide De Rosa
9a6f3d638c
Recognize "--compress lzo" option as legal
2019-03-20 09:04:27 +01:00
Davide De Rosa
7a449f90ee
Advertise LZO support
2019-03-19 15:14:29 +01:00
Davide De Rosa
0eb0e3e478
Parse compression from several places
...
- PUSH_REPLY
- .ovpn configuration
- TunnelKitProvider
2019-03-19 15:14:29 +01:00
Davide De Rosa
4d6d51818d
Compress/decompress LZO data packets
...
Return compressionHeader from parse blocks.
2019-03-19 15:14:27 +01:00
Davide De Rosa
197679057d
Return NSData from parsePayloadWithBlock
...
More friendly to (de)compression stage.
2019-03-19 15:12:56 +01:00
Davide De Rosa
5cc32b1060
Wrap minilzo into dynamic Obj-C plugin
...
Handle library errors to some extent.
2019-03-19 15:12:46 +01:00
Davide De Rosa
08b04c8e02
Fix not propagated checksEKU flag
2019-03-18 17:27:48 +01:00
Davide De Rosa
7d69e09c53
Update copyright
2019-03-09 11:44:18 +01:00
Davide De Rosa
6b29c9e06c
Double check reasserting during reconnection
...
A forced shutdown might happen during the recovery interval (1s).
2019-03-08 13:19:52 +01:00
Davide De Rosa
70ed2a4d83
Reset reasserting flag on plain shutdown
2019-03-08 13:16:03 +01:00
Davide De Rosa
e3b8a6b16b
Shut down on link error
...
Because it doesn't seem to recover until the tunnel dies.
2019-03-08 13:08:54 +01:00
Davide De Rosa
e849e6c0da
Reject <connection> blocks in .ovpn
...
- Use enumerateComponents for boolean test.
- Fix a test compile error on the way.
2019-03-04 17:39:37 +01:00
Davide De Rosa
1c1547fc8f
Fix DNS servers not serialized to AppExtension
2019-03-03 10:51:36 +01:00
Davide De Rosa
86420ba8ea
Shut down on compressed data packet
...
Reinforce #65 at the data path level. Should now cover all
compression scenarios.
2019-02-28 17:16:14 +01:00
Davide De Rosa
0f2a5e1e14
Check NULL when verifying EKU
2019-02-25 23:33:31 +01:00
Davide De Rosa
8fe43269ab
Catch errors on CA MD5 calculation (PIA only)
2019-02-25 23:33:26 +01:00
Davide De Rosa
d1b5c94be9
Fix potential overflow in AEAD IV length
2019-02-25 23:23:43 +01:00
Davide De Rosa
06a872c448
Add ProviderError.serverCompression mapping
2019-02-25 23:09:06 +01:00
Davide De Rosa
3aadaf0186
Shut down when server pushes compression enabled
2019-02-25 23:01:21 +01:00
Davide De Rosa
367e8b7e08
Track whether server pushed a compression option
2019-02-25 23:01:21 +01:00
Davide De Rosa
8c1b95eaa7
Group PushReply regexes
2019-02-25 23:01:21 +01:00
Davide De Rosa
d6076b045a
Make checksEKU optional to fall back on decoding
2019-02-25 11:16:26 +01:00
Davide De Rosa
010da904fa
Parse EKU choice in .ovpn from remote-cert-tls
...
Fix unhandled extra spaces in dhcp-option DNS regex.
2019-02-25 11:16:26 +01:00
Davide De Rosa
265aca0829
Make EKU verification optional in TLSBox
2019-02-25 11:16:26 +01:00
Davide De Rosa
c244b29a8f
Parse DNS servers from configuration
2019-01-05 22:29:16 +01:00
Davide De Rosa
13c41d80e7
Allow overriding DNS servers
...
Fall back to those in PUSH_REPLY.
2019-01-05 22:25:58 +01:00
Davide De Rosa
03478b6fbf
Add jazzy doc to ConfigurationParser
2018-11-12 10:42:04 +01:00
Davide De Rosa
40fd2c7ede
Parse configuration from .ovpn file
2018-11-10 10:58:06 +01:00
Davide De Rosa
f91db4cbf1
Move EndpointProtocol/SocketType to Core
2018-11-10 10:48:17 +01:00
Davide De Rosa
0800c943a8
Add shortcut extension for creating regexes
...
Also expose enumeration methods for internal reuse.
2018-11-10 10:47:58 +01:00
Davide De Rosa
36e93651ba
Replace hardcoded 32 tag length in tls-crypt
2018-11-06 10:35:37 +01:00
Davide De Rosa
b366925125
Hardcode digestLength to tagLength in CTR
...
Code is not using digestLength in any way.
2018-11-06 10:35:19 +01:00
Davide De Rosa
7ffbf41b30
Expose internal tag length, 0 if none
2018-11-06 10:31:55 +01:00
Davide De Rosa
2fde43b1fc
Keep tag length constants private
...
Also AD length in AEAD was an unresolved relic.
2018-11-06 10:25:35 +01:00
Davide De Rosa
caea6624fc
Unmask IPv4 netmask and IPv6 prefix
...
Masking that is useless and paranoid. May help debugging.
2018-11-05 20:40:12 +01:00
Davide De Rosa
e198e80595
Use standard inet_ntop/pton for IPv4 conversion
...
Swap endianness internally.
2018-11-05 20:21:10 +01:00
Davide De Rosa
b32c1848be
Unmask harmless destination port
2018-11-05 15:48:34 +01:00
Davide De Rosa
9c989dabf5
Fix IPv4/UInt32 calculations
2018-10-28 00:26:15 +02:00
Davide De Rosa
9e2bdd22ac
Pick default values from static constant
2018-10-26 11:07:46 +02:00
Davide De Rosa
84e216f56d
Deprecate lastErrorKey, encapsulate access
2018-10-25 22:36:31 +02:00
Davide De Rosa
3cc511822d
Deprecate debugLogKey, hardcode filename
2018-10-25 22:36:31 +02:00
Davide De Rosa
8f328709c8
Wrap TKP.Configuration fields in SP.Configuration
...
Take credentials out of SP.Configuration. Makes sense as they
never appear in e.g. an .ovpn file.
2018-10-25 18:34:03 +02:00
Davide De Rosa
e962603098
Allow SP.Configuration customization via builder
2018-10-25 18:34:03 +02:00
Davide De Rosa
d6e27938bc
Make usesPIAPatches optional
...
For compatible decoding.
2018-10-25 18:34:03 +02:00
Davide De Rosa
197d29042c
Take a cache URL in SessionProxy to store PEMs
2018-10-25 18:34:03 +02:00
Davide De Rosa
3fd0329736
Use CryptoContainer in SessionConfiguration
...
Instead of paths.
2018-10-25 18:34:02 +02:00
Davide De Rosa
ca77858bf0
Move CryptoContainer to Core
2018-10-25 18:34:02 +02:00
Davide De Rosa
f1efac073c
Export and document log shortcuts in Configuration
2018-10-24 21:06:04 +02:00
Davide De Rosa
f5d12300f9
Save debug log to file in app group container
...
Don't bog UserDefaults. Reuse debugLogKey for the log filename.
2018-10-24 21:06:04 +02:00
Davide De Rosa
b35fb34da5
Cap masked hash to 16 hexes
2018-10-24 18:50:36 +02:00
Davide De Rosa
ae85337e91
Mask log.debug
2018-10-24 18:47:41 +02:00
Davide De Rosa
033763f372
Mask log.info
2018-10-24 18:47:41 +02:00
Davide De Rosa
25d84f6530
Add internal flag for masking private data
...
Hardcoded to true. Private data is mostly hostname/IP addresses
and routing information.
2018-10-24 18:23:10 +02:00
Davide De Rosa
b1a79d6451
Shut down on server-initiated HARD_RESET
...
Session is stale and not recoverable (lame duck).
2018-10-24 12:31:37 +02:00
Davide De Rosa
0b79ce4194
Handle server-initiated SOFT_RESET
2018-10-24 12:22:47 +02:00
Davide De Rosa
d829247e6e
Simplify socket shutdown code
...
Drop weird (old?) linkFailures check.
2018-10-24 09:42:18 +02:00
Davide De Rosa
91349fd780
Take shouldChangeProtocol out of GenericSocket
...
Behavior is not exactly similar in UDP and TCP.
2018-10-24 09:42:03 +02:00
Davide De Rosa
8b59fe6f4c
Use RawRepresentable where adequate
2018-10-24 09:19:50 +02:00
Davide De Rosa
e3a5302e06
Check NULL EKU and simplify OID comparison
2018-10-24 00:43:01 +02:00
Davide De Rosa
3a95568d0b
Remove unused code
2018-10-24 00:36:18 +02:00
Davide De Rosa
440a7f7da8
Verify server cert EKU
...
Fixes #27
2018-10-23 23:46:37 +02:00
Davide De Rosa
c32185b524
Review/complete mapping to ProviderError
...
Errors from TunnelKitNative were not mapped. Also, move TLS CA
verification error to TLSBox domain.
2018-10-23 23:44:25 +02:00
Davide De Rosa
f5d9720b01
Halt TLS on internal failure
2018-10-23 23:44:25 +02:00