Commit Graph

475 Commits

Author SHA1 Message Date
Davide De Rosa f424d4a064 Add missing entities from docs 2020-06-13 17:38:28 +02:00
Davide De Rosa a232af1100 Redefine generic Session.serverConfiguration()
For reuse in Session implementations.
2020-06-13 13:32:21 +02:00
Davide De Rosa 6c3e667f80 Add a few missing nodoc 2020-06-13 13:31:15 +02:00
Davide De Rosa 74ed3cb4cd Move some initialization after logging configuration
Logging and masking were not configured at Credentials and
ConnectionStrategy initialization time, hence the missing log
entries from e.g. ConnectionStrategy.init().
2020-06-11 16:37:20 +02:00
Davide De Rosa 1ff936895f Improve logging of ConnectionStrategy 2020-06-11 16:22:45 +02:00
Davide De Rosa 7a278dba69 Fix nullability of partitioned route 2020-05-23 17:07:59 +02:00
Davide De Rosa 17cb2601be Fix unused result warning 2020-05-23 17:05:46 +02:00
Davide De Rosa 9095ea250e
Address concerns from Guido Vranken fuzzers (#141)
* 002: Assert return value of snprintf/getnameinfo

* 003: Address OOB reads on decrypted data

* 004: Handle boundary prefixes in .partitioned()

* 005: Fix OOB read in matchesDestination()

* 006: Fix parsing in netname6()

* 007: Fix incorrect use of sizeof()

* 008: Add safety checks in MSSFix()

* 009: Fix bad usage of minilzo calls

* Add checks after RoutingTableEntryAddress4/6
2020-05-16 15:10:07 +02:00
Davide De Rosa 01554713b8 Move IP header logic to separate struct 2020-05-12 13:07:09 +02:00
Davide De Rosa f1a28a8d32 Revert to more efficient ternary op in IP header
See #169 and 753927f36b
2020-05-12 12:59:33 +02:00
Davide De Rosa 5285ba7aa8 Set reasserting to false if canRebindLink()
Code is currently disabled (canRebindLink() is hardcoded to false),
still it's good to stay consistent with semantics of
reasserting = false, i.e. "connection has become active again".
2020-05-09 15:01:11 +02:00
Davide De Rosa 9b82d7f9ec Evaluate reconnection without touching reasserting
Use a different variable to signal an upcoming reconnection. Make
sure that reasserting is never set to false with the meaning of
"do not reconnect", because doing so would trigger a transient
"connected" state in the VPN.

Reverts use of cancelTunnelWithError() in sessionDidStop.
2020-05-09 12:09:03 +02:00
Davide De Rosa 93c24a96cf Refactor with an error parameter in sessionDidStop
Both versions prevent clients from compiling, but this version
impacts less on existing codebase.
2020-05-09 12:09:03 +02:00
Robert Patchett 1cd00f9459 Call cancelTunnelWithError(_:) if a connection fails and won't be retried 2020-05-09 12:09:03 +02:00
Jose Blaya c22bfb3edd Set MTU value in Tunnel settings 2020-05-09 01:09:20 +02:00
Jaroslav_ 1ceeb8ddbb
SAN host check (#168)
* Check if host is present in certificates SAN list

* Save .tlsServerHost error as .tlsServerVerification into last error

Co-authored-by: Davide De Rosa <keeshux@gmail.com>
2020-05-09 00:02:16 +02:00
Davide De Rosa 60213bafb8 Fix and improve #169
- Use constants
- Check packet length for OOB read
- Replace assertion with logging
2020-05-08 21:01:36 +02:00
Roopesh Chander 753927f36b Fix how NETunnelInterface handles IP protocol number
The IP protocol number passed to NEPacketTunnelFlow is determined per
packet based on the IP header, instead of determining it based on
whether IPv6 settings are available or not.
2020-05-06 09:37:24 +05:30
Davide De Rosa d74a7bf637
Merge pull request #162 from johankool/feature/mojave
Mitigate IP traffic breaking on Mojave
2020-04-15 11:21:18 +02:00
Davide De Rosa 4bdf6b7006 Redefine endpoint strategy according to IPv4/6 2020-04-14 22:57:23 +02:00
Davide De Rosa 40eb98fd72 Return IP version-aware records from DNSResolver
FIXME: compilation errors in ConnectionStrategy and related.
2020-04-14 22:57:08 +02:00
Davide De Rosa 6f235e9ea2 Handle IPv4/IPv6 variants in SocketType 2020-04-14 21:54:21 +02:00
Davide De Rosa c7595ed295 Rewrite IPv4-to-String conversion
Flaky Swift pointer API.
2020-04-14 21:54:19 +02:00
Johan Kool 78e332d48b Force IPv4 on Mojave otherwise it breaks 2020-04-10 13:37:15 +02:00
Johan Kool ffe7fc0a0a Continue instead of early return on unknown key id 2020-04-10 13:35:12 +02:00
Davide De Rosa deff855bbc Fix pointers to local buffers 2020-04-05 17:30:17 +02:00
Davide De Rosa a02857fdb9 Drop unused variable 2020-04-05 17:16:55 +02:00
Davide De Rosa 311015950e Shut down on server "RESTART" control message
Fixes #131
2020-02-29 19:23:26 +01:00
Davide De Rosa f6d915e6dd Reset rather than nil out Authenticator
For reuse in control channel.
2020-02-29 19:11:15 +01:00
Davide De Rosa a7aa78141e Update copyright clause 2020-01-11 09:26:41 +01:00
Davide De Rosa e3241f4f4d Fix potential OOB during negotiation
Reported by @Grivus with SoftEther.

Closes #143
2019-12-22 16:31:57 +01:00
Davide De Rosa 2c8c2d20f8 Add comment about read failure not shutting down 2019-12-12 20:37:10 +01:00
Davide De Rosa 63aa4b42d7 Use .utility QoS for tunnel queue
Fixes #138
2019-12-12 18:34:24 +01:00
Davide De Rosa 88a1bdac06 Schedule ping block even just for timeout check
In case keepAliveInterval is not set.
2019-12-12 18:34:20 +01:00
Davide De Rosa e6f2f3e85a Send pings at regular schedules
Also fixes coalescing schedules.
2019-12-12 18:34:20 +01:00
Davide De Rosa 2687dcf36e Debug wake/sleep signals 2019-12-12 15:05:21 +01:00
Davide De Rosa 8ae92d29db Log details about ping schedule 2019-12-12 14:00:43 +01:00
Davide De Rosa 5b0df2eada Allow customization of debug log level 2019-12-12 09:42:48 +01:00
Davide De Rosa 0f2bf8cf48 Fix non-existing variable in log 2019-12-12 09:34:08 +01:00
Davide De Rosa 90c118a3d0 Warn about discarded received packets 2019-12-12 09:32:34 +01:00
Davide De Rosa 66ae7973ae Discard data with missing key, do not shut down
Probably more resilient to DoS.
2019-12-07 09:43:47 +01:00
Davide De Rosa 8c4b0db301 Debug "reasserting" updates 2019-12-07 09:43:47 +01:00
Davide De Rosa 13027b8932 Only require --ca and --cipher from clients
Not in a PUSH_REPLY, for example.
2019-11-20 19:48:40 +01:00
Davide De Rosa b1c11e3e56 Make --ca and --cipher non-optional in .ovpn
Dodge those annoying scenarios where server cipher is not set
and defaults to BF-CBC, whereas default TunnelKit cipher
is AES-128-CBC. And data channel stalls.
2019-11-20 01:07:39 +01:00
Davide De Rosa 4ced1c499d Use modern structure for notifications 2019-11-02 11:32:16 +01:00
Davide De Rosa 3a38b0da15 Log effective search domains 2019-10-25 19:08:44 +02:00
Davide De Rosa 4e77f5b6b3 Parse multiple "dhcp-option DOMAIN" lines 2019-10-25 17:21:44 +02:00
Davide De Rosa 645f65ccd0 Adjust Configuration.searchDomain to searchDomains
XXX: "breaks" search domains in existing VPN profiles. Reinstall
to fix.
2019-10-25 17:17:48 +02:00
Davide De Rosa 495944297c
Merge pull request #126 from ThinkChaos/fix_pac_logging
Fix logging for Proxy Auto-Configuration (PAC)
2019-10-23 13:07:03 +02:00
Davide De Rosa e5a7a09b7f Parse PAC from provider configuration
Not propagated to AppExtension.
2019-10-23 13:02:29 +02:00
Davide De Rosa dcac7cb2d4 Fix hidden IPv4Settings fields 2019-10-23 10:55:37 +02:00
Davide De Rosa 7608ae2e3c Expose server configuration via provider message 2019-10-23 10:27:51 +02:00
ThinkChaos 907bbe20ae Fix logging for Proxy Auto-Configuration (PAC) 2019-10-23 01:08:39 +02:00
Davide De Rosa 7d0cba8df8
Merge pull request #125 from ThinkChaos/proxy_auto_conf
Add Proxy Auto-Configuration (PAC) support
2019-10-22 21:55:29 +02:00
ThinkChaos 26d7b9fe0f Address review comments 2019-10-22 21:03:25 +02:00
Davide De Rosa 98b9d71eb3 Assume VPN gateway when route gw is "vpn_gateway" 2019-10-22 13:53:36 +02:00
Davide De Rosa eb09493882
Merge pull request #122 from rob-patchett/ping-timeout
Allow keep-alive timeout to be configured by the server or client
2019-10-22 10:51:27 +02:00
Robert Patchett 87cb448d12 Fix comment typo 2019-10-22 10:43:57 +02:00
ThinkChaos c6cb5a646a Add Proxy Auto-Configuration (PAC) support 2019-10-21 21:47:45 +02:00
Robert Patchett bdf34f8882 Set tunnel provider's reasserting to false after the system starts using the tunnel 2019-10-17 14:23:16 +02:00
Robert Patchett 55f7e64f19 Allow keep alive timeout to be configured by the server or client 2019-09-30 11:54:29 -07:00
Davide De Rosa d22f40f7e9 Fix potential OOB in memcmp() 2019-09-17 23:41:35 +02:00
Davide De Rosa d815f5222f Change var to let
Xcode no more signals wrong side-effect in withUnsafeBytes.
2019-09-17 16:09:09 +02:00
Davide De Rosa e0ab2a1ddb Disconnect if HARD_RESET received while SOFT_RESET
Bad condition for .staleSession

Fixes #120

See 0f2234f1d1
2019-09-03 00:27:54 +02:00
Davide De Rosa de21adfef6 Beware of execution queue in write callbacks
self.link was not checked against in tunnel queue.
2019-08-23 09:15:59 +02:00
Davide De Rosa 6b281711c7 Ignore errors from outdated link writes
Prevents async delegation after cleanup.
2019-08-23 09:15:57 +02:00
Davide De Rosa a4333eaafe Revert ENOBUFS mitigation, do disconnect instead
Reverts #87 "fix"
2019-07-26 21:14:57 +02:00
Davide De Rosa aefeb252b3 Do not defer stop more than once
May cause multiple delegation and queue deadlock when a
reconnection is scheduled to trigger.

Fixes #106
2019-07-09 14:09:02 +02:00
Davide De Rosa 2c56a8ea95 Send PUSH_REQUEST immediately after auth
First call would always fail otherwise.
2019-07-09 12:40:10 +02:00
Davide De Rosa 40139cbef0 Replace key flag with session-wide isRenegotiating
Prevent new if one in progress.

Fixes #105
2019-07-09 12:17:12 +02:00
Davide De Rosa 0f2234f1d1 Assume stale session if server sends HARD_RESET
When unsolicited.
2019-07-09 11:42:12 +02:00
Davide De Rosa 1dcf4d7745 Shut down abruptly to work around macOS bug
Fixes #111
2019-07-07 23:36:06 +02:00
Davide De Rosa b04f7f20d4 Log info about DNS servers in use 2019-07-03 19:04:53 +02:00
Davide De Rosa eb56a9a56c Optimize [Data].flatCount 2019-06-05 14:14:15 +02:00
Davide De Rosa 2ddf712176 Update jazzy YAML 2019-05-24 16:04:19 +02:00
Davide De Rosa be1081aad6 Nest subspecs by purpose
- Protocols
- Extra
2019-05-24 16:02:59 +02:00
Davide De Rosa 21eee24e7c Add missing documentation 2019-05-24 16:02:06 +02:00
Davide De Rosa 72ce14b676 Make AppExtension entities public 2019-05-24 16:02:06 +02:00
Davide De Rosa 3edd00b2da Drop deprecated endpointProtocols 2019-05-24 10:59:20 +02:00
Davide De Rosa 185f0707cf Move OpenVPN configuration part on top 2019-05-24 10:59:20 +02:00
Davide De Rosa 1f8c51c126 Parse OpenVPN.Configuration from defaults 2019-05-24 10:59:20 +02:00
Davide De Rosa 5561c7adc6 Group OpenVPN.Configuration funcs into extension
- with (creation)
- store (convert to dict)
- print (log)
2019-05-24 10:54:25 +02:00
Davide De Rosa a85404e951 Rename provider class to OpenVPNTunnelProvider 2019-05-24 10:41:30 +02:00
Davide De Rosa 9445b825d0 Make AppExtension generic
- Make AppExtension a standalone util subspec
- Move OpenVPN tunnel provider to OpenVPN subspec
- Move Utils to Core subspec
- Depend OpenVPN on Core + AppExtension
2019-05-24 10:41:26 +02:00
Davide De Rosa b6da3f2d13 Rename proxy to session
According to SessionProxy -> OpenVPNSession.
2019-05-19 15:56:44 +02:00
Davide De Rosa 8be0f14aa9 Move PRNG initialization to namespace level 2019-05-19 15:52:55 +02:00
Davide De Rosa d057e9645b Restore AppExtension with recent changes 2019-05-19 15:50:12 +02:00
Davide De Rosa 6ebf025859 Take Session protocol out of OpenVPNSession
Fix some doc.
2019-05-19 15:08:43 +02:00
Davide De Rosa 313d076ddf Move Error extension to Core 2019-05-19 14:34:27 +02:00
Davide De Rosa c4a84a5ade Prefix top-level entities with OpenVPN* 2019-05-19 14:34:23 +02:00
Davide De Rosa 9c7ae47679 Make SessionProxy* top level
Drop redundant SessionReply.
2019-05-19 14:17:18 +02:00
Davide De Rosa 465e08e42f Wrap OpenVPN entities in pseudonamespace
Temporarily exclude AppExtension and tests.
2019-05-19 14:05:02 +02:00
Davide De Rosa 50d492096f Move a few generic entities to Core
- IPv4Settings
- IPv6Settings
- Proxy
- EndpointProtocol (Codable)
2019-05-19 12:40:20 +02:00
Davide De Rosa 930f05c984 Move OpenVPN timeouts out of Core 2019-05-19 12:39:51 +02:00
Davide De Rosa 5b81aa6a78 Drop "Box" from error codes 2019-05-19 12:22:32 +02:00
Davide De Rosa 9da7fa9667 Split Core into Core+OpenVPN
Two Obj-C modules:

- __TunnelKitCore
- __TunnelKitOpenVPN

Seems the only way to do it in multiple module maps.

Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 12:22:32 +02:00
Davide De Rosa 491092f2a3 Drop extra header lines 2019-05-19 12:21:44 +02:00
Davide De Rosa 21b67fd9ff Make CoreConfiguration a class for bundle lookup 2019-05-19 11:36:26 +02:00
Davide De Rosa 470c50b037 Return just <masked> when masked description
Why bother with useless hashes?
2019-05-19 11:36:26 +02:00
Davide De Rosa d19e029131 Use guard 2019-05-19 11:36:26 +02:00