Davide De Rosa
f424d4a064
Add missing entities from docs
2020-06-13 17:38:28 +02:00
Davide De Rosa
a232af1100
Redefine generic Session.serverConfiguration()
...
For reuse in Session implementations.
2020-06-13 13:32:21 +02:00
Davide De Rosa
6c3e667f80
Add a few missing nodoc
2020-06-13 13:31:15 +02:00
Davide De Rosa
74ed3cb4cd
Move some initialization after logging configuration
...
Logging and masking were not configured at Credentials and
ConnectionStrategy initialization time, hence the missing log
entries from e.g. ConnectionStrategy.init().
2020-06-11 16:37:20 +02:00
Davide De Rosa
1ff936895f
Improve logging of ConnectionStrategy
2020-06-11 16:22:45 +02:00
Davide De Rosa
7a278dba69
Fix nullability of partitioned route
2020-05-23 17:07:59 +02:00
Davide De Rosa
17cb2601be
Fix unused result warning
2020-05-23 17:05:46 +02:00
Davide De Rosa
9095ea250e
Address concerns from Guido Vranken fuzzers ( #141 )
...
* 002: Assert return value of snprintf/getnameinfo
* 003: Address OOB reads on decrypted data
* 004: Handle boundary prefixes in .partitioned()
* 005: Fix OOB read in matchesDestination()
* 006: Fix parsing in netname6()
* 007: Fix incorrect use of sizeof()
* 008: Add safety checks in MSSFix()
* 009: Fix bad usage of minilzo calls
* Add checks after RoutingTableEntryAddress4/6
2020-05-16 15:10:07 +02:00
Davide De Rosa
01554713b8
Move IP header logic to separate struct
2020-05-12 13:07:09 +02:00
Davide De Rosa
f1a28a8d32
Revert to more efficient ternary op in IP header
...
See #169 and 753927f36b
2020-05-12 12:59:33 +02:00
Davide De Rosa
5285ba7aa8
Set reasserting to false if canRebindLink()
...
Code is currently disabled (canRebindLink() is hardcoded to false),
still it's good to stay consistent with semantics of
reasserting = false, i.e. "connection has become active again".
2020-05-09 15:01:11 +02:00
Davide De Rosa
9b82d7f9ec
Evaluate reconnection without touching reasserting
...
Use a different variable to signal an upcoming reconnection. Make
sure that reasserting is never set to false with the meaning of
"do not reconnect", because doing so would trigger a transient
"connected" state in the VPN.
Reverts use of cancelTunnelWithError() in sessionDidStop.
2020-05-09 12:09:03 +02:00
Davide De Rosa
93c24a96cf
Refactor with an error parameter in sessionDidStop
...
Both versions prevent clients from compiling, but this version
impacts less on existing codebase.
2020-05-09 12:09:03 +02:00
Robert Patchett
1cd00f9459
Call cancelTunnelWithError(_:) if a connection fails and won't be retried
2020-05-09 12:09:03 +02:00
Jose Blaya
c22bfb3edd
Set MTU value in Tunnel settings
2020-05-09 01:09:20 +02:00
Jaroslav_
1ceeb8ddbb
SAN host check ( #168 )
...
* Check if host is present in certificates SAN list
* Save .tlsServerHost error as .tlsServerVerification into last error
Co-authored-by: Davide De Rosa <keeshux@gmail.com>
2020-05-09 00:02:16 +02:00
Davide De Rosa
60213bafb8
Fix and improve #169
...
- Use constants
- Check packet length for OOB read
- Replace assertion with logging
2020-05-08 21:01:36 +02:00
Roopesh Chander
753927f36b
Fix how NETunnelInterface handles IP protocol number
...
The IP protocol number passed to NEPacketTunnelFlow is determined per
packet based on the IP header, instead of determining it based on
whether IPv6 settings are available or not.
2020-05-06 09:37:24 +05:30
Davide De Rosa
d74a7bf637
Merge pull request #162 from johankool/feature/mojave
...
Mitigate IP traffic breaking on Mojave
2020-04-15 11:21:18 +02:00
Davide De Rosa
4bdf6b7006
Redefine endpoint strategy according to IPv4/6
2020-04-14 22:57:23 +02:00
Davide De Rosa
40eb98fd72
Return IP version-aware records from DNSResolver
...
FIXME: compilation errors in ConnectionStrategy and related.
2020-04-14 22:57:08 +02:00
Davide De Rosa
6f235e9ea2
Handle IPv4/IPv6 variants in SocketType
2020-04-14 21:54:21 +02:00
Davide De Rosa
c7595ed295
Rewrite IPv4-to-String conversion
...
Flaky Swift pointer API.
2020-04-14 21:54:19 +02:00
Johan Kool
78e332d48b
Force IPv4 on Mojave otherwise it breaks
2020-04-10 13:37:15 +02:00
Johan Kool
ffe7fc0a0a
Continue instead of early return on unknown key id
2020-04-10 13:35:12 +02:00
Davide De Rosa
deff855bbc
Fix pointers to local buffers
2020-04-05 17:30:17 +02:00
Davide De Rosa
a02857fdb9
Drop unused variable
2020-04-05 17:16:55 +02:00
Davide De Rosa
311015950e
Shut down on server "RESTART" control message
...
Fixes #131
2020-02-29 19:23:26 +01:00
Davide De Rosa
f6d915e6dd
Reset rather than nil out Authenticator
...
For reuse in control channel.
2020-02-29 19:11:15 +01:00
Davide De Rosa
a7aa78141e
Update copyright clause
2020-01-11 09:26:41 +01:00
Davide De Rosa
e3241f4f4d
Fix potential OOB during negotiation
...
Reported by @Grivus with SoftEther.
Closes #143
2019-12-22 16:31:57 +01:00
Davide De Rosa
2c8c2d20f8
Add comment about read failure not shutting down
2019-12-12 20:37:10 +01:00
Davide De Rosa
63aa4b42d7
Use .utility QoS for tunnel queue
...
Fixes #138
2019-12-12 18:34:24 +01:00
Davide De Rosa
88a1bdac06
Schedule ping block even just for timeout check
...
In case keepAliveInterval is not set.
2019-12-12 18:34:20 +01:00
Davide De Rosa
e6f2f3e85a
Send pings at regular schedules
...
Also fixes coalescing schedules.
2019-12-12 18:34:20 +01:00
Davide De Rosa
2687dcf36e
Debug wake/sleep signals
2019-12-12 15:05:21 +01:00
Davide De Rosa
8ae92d29db
Log details about ping schedule
2019-12-12 14:00:43 +01:00
Davide De Rosa
5b0df2eada
Allow customization of debug log level
2019-12-12 09:42:48 +01:00
Davide De Rosa
0f2bf8cf48
Fix non-existing variable in log
2019-12-12 09:34:08 +01:00
Davide De Rosa
90c118a3d0
Warn about discarded received packets
2019-12-12 09:32:34 +01:00
Davide De Rosa
66ae7973ae
Discard data with missing key, do not shut down
...
Probably more resilient to DoS.
2019-12-07 09:43:47 +01:00
Davide De Rosa
8c4b0db301
Debug "reasserting" updates
2019-12-07 09:43:47 +01:00
Davide De Rosa
13027b8932
Only require --ca and --cipher from clients
...
Not in a PUSH_REPLY, for example.
2019-11-20 19:48:40 +01:00
Davide De Rosa
b1c11e3e56
Make --ca and --cipher non-optional in .ovpn
...
Dodge those annoying scenarios where server cipher is not set
and defaults to BF-CBC, whereas default TunnelKit cipher
is AES-128-CBC. And data channel stalls.
2019-11-20 01:07:39 +01:00
Davide De Rosa
4ced1c499d
Use modern structure for notifications
2019-11-02 11:32:16 +01:00
Davide De Rosa
3a38b0da15
Log effective search domains
2019-10-25 19:08:44 +02:00
Davide De Rosa
4e77f5b6b3
Parse multiple "dhcp-option DOMAIN" lines
2019-10-25 17:21:44 +02:00
Davide De Rosa
645f65ccd0
Adjust Configuration.searchDomain to searchDomains
...
XXX: "breaks" search domains in existing VPN profiles. Reinstall
to fix.
2019-10-25 17:17:48 +02:00
Davide De Rosa
495944297c
Merge pull request #126 from ThinkChaos/fix_pac_logging
...
Fix logging for Proxy Auto-Configuration (PAC)
2019-10-23 13:07:03 +02:00
Davide De Rosa
e5a7a09b7f
Parse PAC from provider configuration
...
Not propagated to AppExtension.
2019-10-23 13:02:29 +02:00
Davide De Rosa
dcac7cb2d4
Fix hidden IPv4Settings fields
2019-10-23 10:55:37 +02:00
Davide De Rosa
7608ae2e3c
Expose server configuration via provider message
2019-10-23 10:27:51 +02:00
ThinkChaos
907bbe20ae
Fix logging for Proxy Auto-Configuration (PAC)
2019-10-23 01:08:39 +02:00
Davide De Rosa
7d0cba8df8
Merge pull request #125 from ThinkChaos/proxy_auto_conf
...
Add Proxy Auto-Configuration (PAC) support
2019-10-22 21:55:29 +02:00
ThinkChaos
26d7b9fe0f
Address review comments
2019-10-22 21:03:25 +02:00
Davide De Rosa
98b9d71eb3
Assume VPN gateway when route gw is "vpn_gateway"
2019-10-22 13:53:36 +02:00
Davide De Rosa
eb09493882
Merge pull request #122 from rob-patchett/ping-timeout
...
Allow keep-alive timeout to be configured by the server or client
2019-10-22 10:51:27 +02:00
Robert Patchett
87cb448d12
Fix comment typo
2019-10-22 10:43:57 +02:00
ThinkChaos
c6cb5a646a
Add Proxy Auto-Configuration (PAC) support
2019-10-21 21:47:45 +02:00
Robert Patchett
bdf34f8882
Set tunnel provider's reasserting to false after the system starts using the tunnel
2019-10-17 14:23:16 +02:00
Robert Patchett
55f7e64f19
Allow keep alive timeout to be configured by the server or client
2019-09-30 11:54:29 -07:00
Davide De Rosa
d22f40f7e9
Fix potential OOB in memcmp()
2019-09-17 23:41:35 +02:00
Davide De Rosa
d815f5222f
Change var to let
...
Xcode no more signals wrong side-effect in withUnsafeBytes.
2019-09-17 16:09:09 +02:00
Davide De Rosa
e0ab2a1ddb
Disconnect if HARD_RESET received while SOFT_RESET
...
Bad condition for .staleSession
Fixes #120
See 0f2234f1d1
2019-09-03 00:27:54 +02:00
Davide De Rosa
de21adfef6
Beware of execution queue in write callbacks
...
self.link was not checked against in tunnel queue.
2019-08-23 09:15:59 +02:00
Davide De Rosa
6b281711c7
Ignore errors from outdated link writes
...
Prevents async delegation after cleanup.
2019-08-23 09:15:57 +02:00
Davide De Rosa
a4333eaafe
Revert ENOBUFS mitigation, do disconnect instead
...
Reverts #87 "fix"
2019-07-26 21:14:57 +02:00
Davide De Rosa
aefeb252b3
Do not defer stop more than once
...
May cause multiple delegation and queue deadlock when a
reconnection is scheduled to trigger.
Fixes #106
2019-07-09 14:09:02 +02:00
Davide De Rosa
2c56a8ea95
Send PUSH_REQUEST immediately after auth
...
First call would always fail otherwise.
2019-07-09 12:40:10 +02:00
Davide De Rosa
40139cbef0
Replace key flag with session-wide isRenegotiating
...
Prevent new if one in progress.
Fixes #105
2019-07-09 12:17:12 +02:00
Davide De Rosa
0f2234f1d1
Assume stale session if server sends HARD_RESET
...
When unsolicited.
2019-07-09 11:42:12 +02:00
Davide De Rosa
1dcf4d7745
Shut down abruptly to work around macOS bug
...
Fixes #111
2019-07-07 23:36:06 +02:00
Davide De Rosa
b04f7f20d4
Log info about DNS servers in use
2019-07-03 19:04:53 +02:00
Davide De Rosa
eb56a9a56c
Optimize [Data].flatCount
2019-06-05 14:14:15 +02:00
Davide De Rosa
2ddf712176
Update jazzy YAML
2019-05-24 16:04:19 +02:00
Davide De Rosa
be1081aad6
Nest subspecs by purpose
...
- Protocols
- Extra
2019-05-24 16:02:59 +02:00
Davide De Rosa
21eee24e7c
Add missing documentation
2019-05-24 16:02:06 +02:00
Davide De Rosa
72ce14b676
Make AppExtension entities public
2019-05-24 16:02:06 +02:00
Davide De Rosa
3edd00b2da
Drop deprecated endpointProtocols
2019-05-24 10:59:20 +02:00
Davide De Rosa
185f0707cf
Move OpenVPN configuration part on top
2019-05-24 10:59:20 +02:00
Davide De Rosa
1f8c51c126
Parse OpenVPN.Configuration from defaults
2019-05-24 10:59:20 +02:00
Davide De Rosa
5561c7adc6
Group OpenVPN.Configuration funcs into extension
...
- with (creation)
- store (convert to dict)
- print (log)
2019-05-24 10:54:25 +02:00
Davide De Rosa
a85404e951
Rename provider class to OpenVPNTunnelProvider
2019-05-24 10:41:30 +02:00
Davide De Rosa
9445b825d0
Make AppExtension generic
...
- Make AppExtension a standalone util subspec
- Move OpenVPN tunnel provider to OpenVPN subspec
- Move Utils to Core subspec
- Depend OpenVPN on Core + AppExtension
2019-05-24 10:41:26 +02:00
Davide De Rosa
b6da3f2d13
Rename proxy to session
...
According to SessionProxy -> OpenVPNSession.
2019-05-19 15:56:44 +02:00
Davide De Rosa
8be0f14aa9
Move PRNG initialization to namespace level
2019-05-19 15:52:55 +02:00
Davide De Rosa
d057e9645b
Restore AppExtension with recent changes
2019-05-19 15:50:12 +02:00
Davide De Rosa
6ebf025859
Take Session protocol out of OpenVPNSession
...
Fix some doc.
2019-05-19 15:08:43 +02:00
Davide De Rosa
313d076ddf
Move Error extension to Core
2019-05-19 14:34:27 +02:00
Davide De Rosa
c4a84a5ade
Prefix top-level entities with OpenVPN*
2019-05-19 14:34:23 +02:00
Davide De Rosa
9c7ae47679
Make SessionProxy* top level
...
Drop redundant SessionReply.
2019-05-19 14:17:18 +02:00
Davide De Rosa
465e08e42f
Wrap OpenVPN entities in pseudonamespace
...
Temporarily exclude AppExtension and tests.
2019-05-19 14:05:02 +02:00
Davide De Rosa
50d492096f
Move a few generic entities to Core
...
- IPv4Settings
- IPv6Settings
- Proxy
- EndpointProtocol (Codable)
2019-05-19 12:40:20 +02:00
Davide De Rosa
930f05c984
Move OpenVPN timeouts out of Core
2019-05-19 12:39:51 +02:00
Davide De Rosa
5b81aa6a78
Drop "Box" from error codes
2019-05-19 12:22:32 +02:00
Davide De Rosa
9da7fa9667
Split Core into Core+OpenVPN
...
Two Obj-C modules:
- __TunnelKitCore
- __TunnelKitOpenVPN
Seems the only way to do it in multiple module maps.
Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 12:22:32 +02:00
Davide De Rosa
491092f2a3
Drop extra header lines
2019-05-19 12:21:44 +02:00
Davide De Rosa
21b67fd9ff
Make CoreConfiguration a class for bundle lookup
2019-05-19 11:36:26 +02:00
Davide De Rosa
470c50b037
Return just <masked> when masked description
...
Why bother with useless hashes?
2019-05-19 11:36:26 +02:00
Davide De Rosa
d19e029131
Use guard
2019-05-19 11:36:26 +02:00