Commit Graph

451 Commits

Author SHA1 Message Date
Johan Kool ffe7fc0a0a Continue instead of early return on unknown key id 2020-04-10 13:35:12 +02:00
Davide De Rosa deff855bbc Fix pointers to local buffers 2020-04-05 17:30:17 +02:00
Davide De Rosa a02857fdb9 Drop unused variable 2020-04-05 17:16:55 +02:00
Davide De Rosa 311015950e Shut down on server "RESTART" control message
Fixes #131
2020-02-29 19:23:26 +01:00
Davide De Rosa f6d915e6dd Reset rather than nil out Authenticator
For reuse in control channel.
2020-02-29 19:11:15 +01:00
Davide De Rosa a7aa78141e Update copyright clause 2020-01-11 09:26:41 +01:00
Davide De Rosa e3241f4f4d Fix potential OOB during negotiation
Reported by @Grivus with SoftEther.

Closes #143
2019-12-22 16:31:57 +01:00
Davide De Rosa 2c8c2d20f8 Add comment about read failure not shutting down 2019-12-12 20:37:10 +01:00
Davide De Rosa 63aa4b42d7 Use .utility QoS for tunnel queue
Fixes #138
2019-12-12 18:34:24 +01:00
Davide De Rosa 88a1bdac06 Schedule ping block even just for timeout check
In case keepAliveInterval is not set.
2019-12-12 18:34:20 +01:00
Davide De Rosa e6f2f3e85a Send pings at regular schedules
Also fixes coalescing schedules.
2019-12-12 18:34:20 +01:00
Davide De Rosa 2687dcf36e Debug wake/sleep signals 2019-12-12 15:05:21 +01:00
Davide De Rosa 8ae92d29db Log details about ping schedule 2019-12-12 14:00:43 +01:00
Davide De Rosa 5b0df2eada Allow customization of debug log level 2019-12-12 09:42:48 +01:00
Davide De Rosa 0f2bf8cf48 Fix non-existing variable in log 2019-12-12 09:34:08 +01:00
Davide De Rosa 90c118a3d0 Warn about discarded received packets 2019-12-12 09:32:34 +01:00
Davide De Rosa 66ae7973ae Discard data with missing key, do not shut down
Probably more resilient to DoS.
2019-12-07 09:43:47 +01:00
Davide De Rosa 8c4b0db301 Debug "reasserting" updates 2019-12-07 09:43:47 +01:00
Davide De Rosa 13027b8932 Only require --ca and --cipher from clients
Not in a PUSH_REPLY, for example.
2019-11-20 19:48:40 +01:00
Davide De Rosa b1c11e3e56 Make --ca and --cipher non-optional in .ovpn
Dodge those annoying scenarios where server cipher is not set
and defaults to BF-CBC, whereas default TunnelKit cipher
is AES-128-CBC. And data channel stalls.
2019-11-20 01:07:39 +01:00
Davide De Rosa 4ced1c499d Use modern structure for notifications 2019-11-02 11:32:16 +01:00
Davide De Rosa 3a38b0da15 Log effective search domains 2019-10-25 19:08:44 +02:00
Davide De Rosa 4e77f5b6b3 Parse multiple "dhcp-option DOMAIN" lines 2019-10-25 17:21:44 +02:00
Davide De Rosa 645f65ccd0 Adjust Configuration.searchDomain to searchDomains
XXX: "breaks" search domains in existing VPN profiles. Reinstall
to fix.
2019-10-25 17:17:48 +02:00
Davide De Rosa 495944297c
Merge pull request #126 from ThinkChaos/fix_pac_logging
Fix logging for Proxy Auto-Configuration (PAC)
2019-10-23 13:07:03 +02:00
Davide De Rosa e5a7a09b7f Parse PAC from provider configuration
Not propagated to AppExtension.
2019-10-23 13:02:29 +02:00
Davide De Rosa dcac7cb2d4 Fix hidden IPv4Settings fields 2019-10-23 10:55:37 +02:00
Davide De Rosa 7608ae2e3c Expose server configuration via provider message 2019-10-23 10:27:51 +02:00
ThinkChaos 907bbe20ae Fix logging for Proxy Auto-Configuration (PAC) 2019-10-23 01:08:39 +02:00
Davide De Rosa 7d0cba8df8
Merge pull request #125 from ThinkChaos/proxy_auto_conf
Add Proxy Auto-Configuration (PAC) support
2019-10-22 21:55:29 +02:00
ThinkChaos 26d7b9fe0f Address review comments 2019-10-22 21:03:25 +02:00
Davide De Rosa 98b9d71eb3 Assume VPN gateway when route gw is "vpn_gateway" 2019-10-22 13:53:36 +02:00
Davide De Rosa eb09493882
Merge pull request #122 from rob-patchett/ping-timeout
Allow keep-alive timeout to be configured by the server or client
2019-10-22 10:51:27 +02:00
Robert Patchett 87cb448d12 Fix comment typo 2019-10-22 10:43:57 +02:00
ThinkChaos c6cb5a646a Add Proxy Auto-Configuration (PAC) support 2019-10-21 21:47:45 +02:00
Robert Patchett bdf34f8882 Set tunnel provider's reasserting to false after the system starts using the tunnel 2019-10-17 14:23:16 +02:00
Robert Patchett 55f7e64f19 Allow keep alive timeout to be configured by the server or client 2019-09-30 11:54:29 -07:00
Davide De Rosa d22f40f7e9 Fix potential OOB in memcmp() 2019-09-17 23:41:35 +02:00
Davide De Rosa d815f5222f Change var to let
Xcode no more signals wrong side-effect in withUnsafeBytes.
2019-09-17 16:09:09 +02:00
Davide De Rosa e0ab2a1ddb Disconnect if HARD_RESET received while SOFT_RESET
Bad condition for .staleSession

Fixes #120

See 0f2234f1d1
2019-09-03 00:27:54 +02:00
Davide De Rosa de21adfef6 Beware of execution queue in write callbacks
self.link was not checked against in tunnel queue.
2019-08-23 09:15:59 +02:00
Davide De Rosa 6b281711c7 Ignore errors from outdated link writes
Prevents async delegation after cleanup.
2019-08-23 09:15:57 +02:00
Davide De Rosa a4333eaafe Revert ENOBUFS mitigation, do disconnect instead
Reverts #87 "fix"
2019-07-26 21:14:57 +02:00
Davide De Rosa aefeb252b3 Do not defer stop more than once
May cause multiple delegation and queue deadlock when a
reconnection is scheduled to trigger.

Fixes #106
2019-07-09 14:09:02 +02:00
Davide De Rosa 2c56a8ea95 Send PUSH_REQUEST immediately after auth
First call would always fail otherwise.
2019-07-09 12:40:10 +02:00
Davide De Rosa 40139cbef0 Replace key flag with session-wide isRenegotiating
Prevent new if one in progress.

Fixes #105
2019-07-09 12:17:12 +02:00
Davide De Rosa 0f2234f1d1 Assume stale session if server sends HARD_RESET
When unsolicited.
2019-07-09 11:42:12 +02:00
Davide De Rosa 1dcf4d7745 Shut down abruptly to work around macOS bug
Fixes #111
2019-07-07 23:36:06 +02:00
Davide De Rosa b04f7f20d4 Log info about DNS servers in use 2019-07-03 19:04:53 +02:00
Davide De Rosa eb56a9a56c Optimize [Data].flatCount 2019-06-05 14:14:15 +02:00
Davide De Rosa 2ddf712176 Update jazzy YAML 2019-05-24 16:04:19 +02:00
Davide De Rosa be1081aad6 Nest subspecs by purpose
- Protocols
- Extra
2019-05-24 16:02:59 +02:00
Davide De Rosa 21eee24e7c Add missing documentation 2019-05-24 16:02:06 +02:00
Davide De Rosa 72ce14b676 Make AppExtension entities public 2019-05-24 16:02:06 +02:00
Davide De Rosa 3edd00b2da Drop deprecated endpointProtocols 2019-05-24 10:59:20 +02:00
Davide De Rosa 185f0707cf Move OpenVPN configuration part on top 2019-05-24 10:59:20 +02:00
Davide De Rosa 1f8c51c126 Parse OpenVPN.Configuration from defaults 2019-05-24 10:59:20 +02:00
Davide De Rosa 5561c7adc6 Group OpenVPN.Configuration funcs into extension
- with (creation)
- store (convert to dict)
- print (log)
2019-05-24 10:54:25 +02:00
Davide De Rosa a85404e951 Rename provider class to OpenVPNTunnelProvider 2019-05-24 10:41:30 +02:00
Davide De Rosa 9445b825d0 Make AppExtension generic
- Make AppExtension a standalone util subspec
- Move OpenVPN tunnel provider to OpenVPN subspec
- Move Utils to Core subspec
- Depend OpenVPN on Core + AppExtension
2019-05-24 10:41:26 +02:00
Davide De Rosa b6da3f2d13 Rename proxy to session
According to SessionProxy -> OpenVPNSession.
2019-05-19 15:56:44 +02:00
Davide De Rosa 8be0f14aa9 Move PRNG initialization to namespace level 2019-05-19 15:52:55 +02:00
Davide De Rosa d057e9645b Restore AppExtension with recent changes 2019-05-19 15:50:12 +02:00
Davide De Rosa 6ebf025859 Take Session protocol out of OpenVPNSession
Fix some doc.
2019-05-19 15:08:43 +02:00
Davide De Rosa 313d076ddf Move Error extension to Core 2019-05-19 14:34:27 +02:00
Davide De Rosa c4a84a5ade Prefix top-level entities with OpenVPN* 2019-05-19 14:34:23 +02:00
Davide De Rosa 9c7ae47679 Make SessionProxy* top level
Drop redundant SessionReply.
2019-05-19 14:17:18 +02:00
Davide De Rosa 465e08e42f Wrap OpenVPN entities in pseudonamespace
Temporarily exclude AppExtension and tests.
2019-05-19 14:05:02 +02:00
Davide De Rosa 50d492096f Move a few generic entities to Core
- IPv4Settings
- IPv6Settings
- Proxy
- EndpointProtocol (Codable)
2019-05-19 12:40:20 +02:00
Davide De Rosa 930f05c984 Move OpenVPN timeouts out of Core 2019-05-19 12:39:51 +02:00
Davide De Rosa 5b81aa6a78 Drop "Box" from error codes 2019-05-19 12:22:32 +02:00
Davide De Rosa 9da7fa9667 Split Core into Core+OpenVPN
Two Obj-C modules:

- __TunnelKitCore
- __TunnelKitOpenVPN

Seems the only way to do it in multiple module maps.

Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 12:22:32 +02:00
Davide De Rosa 491092f2a3 Drop extra header lines 2019-05-19 12:21:44 +02:00
Davide De Rosa 21b67fd9ff Make CoreConfiguration a class for bundle lookup 2019-05-19 11:36:26 +02:00
Davide De Rosa 470c50b037 Return just <masked> when masked description
Why bother with useless hashes?
2019-05-19 11:36:26 +02:00
Davide De Rosa d19e029131 Use guard 2019-05-19 11:36:26 +02:00
Davide De Rosa 713a46d817 Update GitHub URL
Move to passepartoutvpn org.
2019-05-14 10:58:47 +02:00
Davide De Rosa 7cbcfcd264 Fix condition for SOFT_RESET
May receive multiple packets while handling in progress.
2019-05-13 12:15:44 +02:00
Davide De Rosa d06b2e1928 Shut down if no default gateway 2019-05-11 17:40:46 +02:00
Davide De Rosa 5ce49953a0 Assume empty policies to override server settings
Empty != nil. When nil, pull from server.
2019-05-11 16:33:49 +02:00
Davide De Rosa 43c70b2673 Refine logging of some configuration
Log about routing entries.
2019-05-11 14:54:25 +02:00
Davide De Rosa ff0dfc450c Get TLS security level via AppExtension
Improves #97
2019-05-08 16:16:30 +02:00
Davide De Rosa 3a136bdce9 Make TLS security level an option
Default level by default.
2019-05-08 16:10:35 +02:00
Davide De Rosa 82f0431303 Take optional securityLevel field in TLSBox 2019-05-08 15:54:05 +02:00
Davide De Rosa 97f178cdac Tolerate weak certificates
Lower SSL security level.

Fixes #97
2019-05-05 17:51:24 +02:00
Davide De Rosa 273007cc59 Copy route.h from macOS
Missing on iOS.
2019-05-03 15:14:25 +02:00
Davide De Rosa a693075e90 Block LAN when redirect-gateway block-local
Fixes #81
2019-05-03 15:14:25 +02:00
Davide De Rosa 13cae06a49 Add method to partition a subnet 2019-05-03 15:14:25 +02:00
Davide De Rosa 03a1eb2203 Return IPv4 network mask for a route 2019-05-03 15:14:25 +02:00
Davide De Rosa 4295e63c98 Read relevant routing table 2019-05-03 15:14:25 +02:00
Davide De Rosa d44d08c95e Retain self weakly for shutdown on timeout 2019-05-02 13:13:43 +02:00
Davide De Rosa 1430241b0c Do not fake BF-CBC, pleae 2019-05-01 23:18:54 +02:00
Davide De Rosa 037f08ed62 Retry auth once without local options
Hack around picky server implementations.

Fixes #95
2019-05-01 11:14:52 +02:00
Davide De Rosa 14b7f08fb5 Use strict ordering in local options
And add TLS wrapping.
2019-05-01 11:14:38 +02:00
Davide De Rosa 7389d72f1f Fix mutable SessionProxy.Configuration 2019-05-01 11:14:38 +02:00
Davide De Rosa f799f47c25 Add direct routes to DNS servers
If VPN is not default gateway.

Further fix of #94
2019-04-28 15:51:16 +02:00
Davide De Rosa 0b72a30cdd Add full set of CloudFlare DNS servers 2019-04-28 10:56:39 +02:00
Davide De Rosa ebabf02eb5 Fix DNS in VPN when not default gateway
Awful API requires .matchDomains = [""]

Fixes #94
2019-04-28 10:39:55 +02:00
Davide De Rosa b331e3cfe6 Mask fallback DNS servers
Comment about fallback DNS being public
2019-04-28 10:39:25 +02:00
Davide De Rosa 7978398e1e Fix logging of routing policies 2019-04-27 22:55:20 +02:00