Commit Graph

385 Commits

Author SHA1 Message Date
Davide De Rosa
f9f642b64e Set as default gateway based on routing policies
Also fix IPv6 routes not properly set.
2019-04-25 14:39:40 +02:00
Davide De Rosa
224a76ac58 Parse --redirect-gateway from configuration
FIXME: for now only redirects ALL traffic when the option is found
in the configuration file, whatever the arguments.

Also drop unnecessary base options in tests as everything was made
optional recently.
2019-04-25 14:39:23 +02:00
Davide De Rosa
1b8647bcac Convert PacketSteram to Obj-C
For better TCP efficiency.
2019-04-25 12:42:29 +02:00
Davide De Rosa
ef5180a4ed Set tls-auth/crypt timestamp once
Packets rejected due to replay protection.

Fixes #88
Fixes #61
2019-04-23 23:07:32 +02:00
Davide De Rosa
65af163aeb Do not resend non-acked packets if reliable
In control channel.
2019-04-23 23:06:39 +02:00
Davide De Rosa
707db2c6de Add keydir to local options 2019-04-20 17:20:45 +02:00
Davide De Rosa
9b8be02c2a Shut down when no IPv4/6 routing available
Would fake-connect without VPN icon otherwise.
2019-04-19 09:45:15 +02:00
Davide De Rosa
c565e32dcd Add "dev-type tun" to local options
Plus other hardcoded options like key-method and tls-client.

Seems that older OpenVPN servers didn't send routing info in
PUSH_REPLY if dev-type is not specified explicitly.

Fixes #86
2019-04-18 13:10:57 +02:00
Davide De Rosa
95ba9dacdb Fix typo 2019-04-18 12:02:23 +02:00
Davide De Rosa
887e2ae55d Consider stale if HARD_RESET while connected
Was disconnecting when more than one HARD_RESET_SERVER was
received during negotiation.
2019-04-17 09:24:16 +02:00
Davide De Rosa
233aa02169 Add FIXME for default DNS from network interface 2019-04-17 00:50:53 +02:00
Davide De Rosa
b199064b94 Only override domain if non-nil 2019-04-17 00:50:53 +02:00
Davide De Rosa
28fd80f4e0 Treat empty DNS servers as nil
Empty local DNS array was pretty much hiding server-pushed DNS.
2019-04-17 00:50:53 +02:00
Davide De Rosa
6fd6d228bf Loop pulling plain text from TLS
There might be more data to read.

Fixes #71, #73
2019-04-17 00:18:02 +02:00
Davide De Rosa
88cd62064a Handle continuation in PUSH_REPLY 2019-04-16 23:59:56 +02:00
Davide De Rosa
380ac2beac Throw to exit PUSH_REPLY parsing on continuation 2019-04-16 23:59:56 +02:00
Davide De Rosa
23b6e3b98e Relax negotiation timeouts 2019-04-16 23:59:56 +02:00
Davide De Rosa
d097afccdc Resend PUSH_REQUEST every 2 seconds
Regardless of link reliability.
2019-04-16 23:43:33 +02:00
Davide De Rosa
ad964e2041 Send local options with authentication
Fixes some obsolete servers requiring cipher keysize.
2019-04-15 17:37:57 +02:00
Davide De Rosa
322242de5c Fix malformed key generation message
Make nullTerminated argument explicit, easier to debug.

Fixes #67
2019-04-13 23:55:18 +02:00
Davide De Rosa
0a956f5b9f Handle dhcp-option PROXY_BYPASS 2019-04-13 19:23:02 +02:00
Davide De Rosa
b118030d43 Enable both HTTP and HTTPS proxies 2019-04-13 17:55:08 +02:00
Davide De Rosa
904e7bae21 Apply proxy settings if present
Fixes #74
2019-04-12 08:21:04 +02:00
Davide De Rosa
ef9f3c6d0a Parse proxies into AppExtension configuration 2019-04-12 08:21:04 +02:00
Davide De Rosa
5fb70b5bab Parse dhcp-option PROXY_HTTP* into Configuration 2019-04-12 08:10:47 +02:00
Davide De Rosa
26cec205a7 Move builder() to extension 2019-04-11 16:46:52 +02:00
Davide De Rosa
5df614b5e2 Fix incomplete builder() from Configuration
Adding a Configuration field is error-prone beyond reason...
2019-04-11 15:30:14 +02:00
Davide De Rosa
914864c31a Infer serverAddress from sessionConfiguration 2019-04-09 20:45:28 +02:00
Davide De Rosa
3fe9c6de6d Make hostname optional in ConnectionStrategy
Assume preferring resolved addresses.
2019-04-09 20:34:03 +02:00
Davide De Rosa
9f358d6326 Accept nil cipher/digest in AppExtension
Reorganize code for clarity.
2019-04-07 08:35:40 +02:00
Davide De Rosa
3717136bd9 Move EndpointProtocol Codable to Core spec 2019-04-05 00:46:45 +02:00
Davide De Rosa
5e2f9b59f1 Rename ParsingResult to Result
No need to prefix an inner class.
2019-04-04 19:22:22 +02:00
Davide De Rosa
7333ea226c Document ignored settings client-side 2019-04-04 18:51:06 +02:00
Davide De Rosa
8394fd0676 Rely on default ConfigurationBuilder.init() 2019-04-04 18:51:06 +02:00
Davide De Rosa
55534df6fa Work around cipher/digest/framing issues
- Make them optional
- Set default values inside SessionProxy

Fallback is not needed anywhere else.
2019-04-04 18:51:06 +02:00
Davide De Rosa
0d86bd20b6 Expose ConfigurationBuilder.init() 2019-04-04 18:51:06 +02:00
Davide De Rosa
4dc9539260 Rename OptionsError to ConfigurationError 2019-04-04 18:51:06 +02:00
Davide De Rosa
a2250686b6 Merge OptionsBundle into Configuration
FIXME: issues with non-optional .cipher and .compressionFraming

Because:

- No pushed cipher (nil) is NOT .aes128cbc
- No pushed framing (nil) is NOT .disabled

Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 18:51:06 +02:00
Davide De Rosa
cfe61d5d40 Retain .endpointProtocols for migration
For deserialization of old format.
2019-04-04 13:10:33 +02:00
Davide De Rosa
7aec0637b2 Move endpoints inside SessionProxy.Configuration
Make optional.

TunnelKitProvider still gets hostname from .serverAddress rather
than SessionProxy.Configuration

Also drop useless Equatable implementations.
2019-04-04 13:09:50 +02:00
Davide De Rosa
e8396ec2cd Parse search domain from configuration
Fixes #77
2019-04-03 14:29:09 +02:00
Davide De Rosa
370e68aa3f Parse search domain from dhcp-option DOMAIN 2019-04-03 14:29:09 +02:00
Davide De Rosa
fe2ad52df0 Document OptionsBundle
Move most from SessionProxy.Configuration.
2019-04-03 13:34:08 +02:00
Davide De Rosa
f9ae3412a5 Move malformed error out of unrelated SessionError
Also give more detail about the reason.
2019-04-03 13:20:49 +02:00
Davide De Rosa
42232804ca Rename file to public entity 2019-04-03 13:19:47 +02:00
Davide De Rosa
49c805af52 Fix a few isHandled
Skip to exclude from strippedLines.
2019-04-03 13:19:47 +02:00
Davide De Rosa
9876c81de5 Parse PUSH_REPLY options in OptionsBundle
- auth-token
- peer-id
- Routing

Reorganize options by semantic.

Reuse OptionsBundle in PushReply.
2019-04-03 13:19:21 +02:00
Davide De Rosa
b9b9c4db60 Parse basic options in OptionsBundle
- Handle isEncrypted inside CryptoContainer
- Rename ParsingError to OptionsError

Reuse OptionsBundle in ConfigurationParser.
2019-04-03 13:19:16 +02:00
Davide De Rosa
e7dadefabb Generalize cipher regex 2019-04-03 12:20:53 +02:00
Davide De Rosa
d72b583900 Improve parsing of PUSH_REPLY prefix 2019-04-03 12:20:53 +02:00
Davide De Rosa
27901c991b Skip deinit documentation 2019-04-02 19:18:23 +02:00
Davide De Rosa
ccb6329f05 Don't parse a block begin while inside a block
If a PEM contained anything like <foobar>, the parser was doomed.

Fixes #78
2019-04-02 19:07:48 +02:00
Davide De Rosa
11fd418f82 Extend encrypted private key quick test
Test .ovpn didn't use an PKCS#8 key due to a slip-up. Fixing it
unveiled that isEncrypted returned false for PKCS#8 keys.

Fixes #80
2019-04-02 11:41:18 +02:00
Davide De Rosa
22f80735ca Strip certificate preamble
Fixes #78
2019-04-02 00:55:58 +02:00
Davide De Rosa
def622506b Check PKCS#1 via "Proc-Type" presence instead 2019-04-02 00:37:52 +02:00
Davide De Rosa
47b80d5361 Refactor to decrypt generic key 2019-04-02 00:31:54 +02:00
Davide De Rosa
a6387679f1 Update data count as soon as tunnel is up
Zero is better than nil.
2019-03-30 23:35:50 +01:00
Davide De Rosa
0bfc1e08eb Fix retarded Swift pointer API somehow 2019-03-30 23:18:45 +01:00
Davide De Rosa
207a4f063a Replace deprecated Data(bytes:) 2019-03-30 23:18:45 +01:00
Davide De Rosa
8dfd5f23c1 Handle unknown enum defaults 2019-03-30 23:18:45 +01:00
Davide De Rosa
5120bcae0a Migrate to Swift 5 2019-03-30 23:18:45 +01:00
Davide De Rosa
f686a0aee4 Fix Xcode warnings 2019-03-30 20:16:04 +01:00
Davide De Rosa
44fb5a5b48 Track data count in shared UserDefaults
Default disabled (dataCountInterval = 0).
2019-03-30 19:56:26 +01:00
Davide De Rosa
d03f1bd9af Fix checksEKU not propagated to TunnelKitProvider 2019-03-26 00:37:35 +01:00
Davide De Rosa
00c76f707f Throw specific error if unable to decrypt
Normally a bad passphrase.
2019-03-25 19:24:35 +01:00
Davide De Rosa
ffcccb5420 Throw specific error on missing passphrase
So that client can retry with a passphrase.
2019-03-25 18:49:53 +01:00
Davide De Rosa
b07ec88ff2 Add passphrase parameter to ConfigurationParser
Use it to decrypt encrypted PEMs.
2019-03-25 18:48:59 +01:00
Davide De Rosa
f37bfb3579 Implement RSA privkey decryption via OpenSSL 2019-03-25 18:45:00 +01:00
Davide De Rosa
53f3048674 Add missing documentation 2019-03-25 15:46:15 +01:00
Davide De Rosa
9c4d491a3b Make floating XXX a FIXME 2019-03-25 10:37:15 +01:00
Davide De Rosa
54a477ce67 Randomize endpoints in ConnectionStrategy
Fixes #76
2019-03-25 10:32:23 +01:00
Davide De Rosa
7ce31c3184 Parse randomize endpoints from --remote-random 2019-03-25 10:32:08 +01:00
Davide De Rosa
42227fcc00 Add SessionProxy.Configuration.randomizeEndpoint 2019-03-25 10:32:08 +01:00
Davide De Rosa
9c0205614b Disable rebind-on-float until a solid fix
Mitigates #75
2019-03-25 10:10:08 +01:00
Davide De Rosa
71d54e2dc3 Send IV_LZO only if supported 2019-03-25 10:07:57 +01:00
Davide De Rosa
04fbbb1fe1 XXX: Fix log glitch 2019-03-21 19:40:42 +01:00
Davide De Rosa
ac418f414a Make masksPrivateData optional
Do not break Codable compatibility.
2019-03-21 19:32:06 +01:00
Davide De Rosa
fad20668b0 Override masksPrivateData via AppExtension
Unmask in demo.

Fixes #62
2019-03-21 19:19:22 +01:00
Davide De Rosa
f32c231b90 Remove deprecated API
Should have done so in 1.5.0
2019-03-21 18:30:40 +01:00
Davide De Rosa
79509a1ea1 Fix execution queue in network handler 2019-03-20 18:01:57 +01:00
Davide De Rosa
a5b8907918 Postpone shutdown until notification is written
Otherwise socket might be force-closed while sending the packet.
2019-03-20 17:57:56 +01:00
Davide De Rosa
c93461b153 Send explicit exit notification if UDP
Implement --explicit-exit-notify by default.

Fixes #29
2019-03-20 17:57:56 +01:00
Davide De Rosa
c6ab3b57db Fix a few return in wrong scope 2019-03-20 17:57:56 +01:00
Davide De Rosa
9d479a9aba Handle LZO compression in --compress framing
Share parse block between comp-lzo and compress.

It seems that --compress sends NO_COMPRESS w/o swapping.

Also suppress redundant LZOIsSupported(), implied by non-nil value
of self.lzo.
2019-03-20 09:04:27 +01:00
Davide De Rosa
4b9ffcfb4e Accept LZO regardless of framing 2019-03-20 09:04:27 +01:00
Davide De Rosa
9a6f3d638c Recognize "--compress lzo" option as legal 2019-03-20 09:04:27 +01:00
Davide De Rosa
7a449f90ee Advertise LZO support 2019-03-19 15:14:29 +01:00
Davide De Rosa
0eb0e3e478 Parse compression from several places
- PUSH_REPLY
- .ovpn configuration
- TunnelKitProvider
2019-03-19 15:14:29 +01:00
Davide De Rosa
4d6d51818d Compress/decompress LZO data packets
Return compressionHeader from parse blocks.
2019-03-19 15:14:27 +01:00
Davide De Rosa
197679057d Return NSData from parsePayloadWithBlock
More friendly to (de)compression stage.
2019-03-19 15:12:56 +01:00
Davide De Rosa
5cc32b1060 Wrap minilzo into dynamic Obj-C plugin
Handle library errors to some extent.
2019-03-19 15:12:46 +01:00
Davide De Rosa
08b04c8e02 Fix not propagated checksEKU flag 2019-03-18 17:27:48 +01:00
Davide De Rosa
7d69e09c53 Update copyright 2019-03-09 11:44:18 +01:00
Davide De Rosa
6b29c9e06c Double check reasserting during reconnection
A forced shutdown might happen during the recovery interval (1s).
2019-03-08 13:19:52 +01:00
Davide De Rosa
70ed2a4d83 Reset reasserting flag on plain shutdown 2019-03-08 13:16:03 +01:00
Davide De Rosa
e3b8a6b16b Shut down on link error
Because it doesn't seem to recover until the tunnel dies.
2019-03-08 13:08:54 +01:00
Davide De Rosa
e849e6c0da Reject <connection> blocks in .ovpn
- Use enumerateComponents for boolean test.
- Fix a test compile error on the way.
2019-03-04 17:39:37 +01:00
Davide De Rosa
1c1547fc8f Fix DNS servers not serialized to AppExtension 2019-03-03 10:51:36 +01:00
Davide De Rosa
86420ba8ea Shut down on compressed data packet
Re-inforce #65 at the data path level. Should now cover all
compression scenarios.
2019-02-28 17:16:14 +01:00
Davide De Rosa
0f2a5e1e14 Check NULL when verifying EKU 2019-02-25 23:33:31 +01:00
Davide De Rosa
8fe43269ab Catch errors on CA MD5 calculation (PIA only) 2019-02-25 23:33:26 +01:00
Davide De Rosa
d1b5c94be9 Fix potential overflow in AEAD IV length 2019-02-25 23:23:43 +01:00
Davide De Rosa
06a872c448 Add ProviderError.serverCompression mapping 2019-02-25 23:09:06 +01:00
Davide De Rosa
3aadaf0186 Shut down when server pushes compression enabled 2019-02-25 23:01:21 +01:00
Davide De Rosa
367e8b7e08 Track whether server pushed a compression option 2019-02-25 23:01:21 +01:00
Davide De Rosa
8c1b95eaa7 Group PushReply regexes 2019-02-25 23:01:21 +01:00
Davide De Rosa
d6076b045a Make checksEKU optional to fall back on decoding 2019-02-25 11:16:26 +01:00
Davide De Rosa
010da904fa Parse EKU choice in .ovpn from remote-cert-tls
Fix unhandled extra spaces in dhcp-option DNS regex.
2019-02-25 11:16:26 +01:00
Davide De Rosa
265aca0829 Make EKU verification optional in TLSBox 2019-02-25 11:16:26 +01:00
Davide De Rosa
c244b29a8f Parse DNS servers from configuration 2019-01-05 22:29:16 +01:00
Davide De Rosa
13c41d80e7 Allow overriding DNS servers
Fall back to those in PUSH_REPLY.
2019-01-05 22:25:58 +01:00
Davide De Rosa
03478b6fbf Add jazzy doc to ConfigurationParser 2018-11-12 10:42:04 +01:00
Davide De Rosa
40fd2c7ede Parse configuration from .ovpn file 2018-11-10 10:58:06 +01:00
Davide De Rosa
f91db4cbf1 Move EndpointProtocol/SocketType to Core 2018-11-10 10:48:17 +01:00
Davide De Rosa
0800c943a8 Add shortcut extension for creating regexes
Also expose enumeration methods for internal reuse.
2018-11-10 10:47:58 +01:00
Davide De Rosa
36e93651ba Replace hardcoded 32 tag length in tls-crypt 2018-11-06 10:35:37 +01:00
Davide De Rosa
b366925125 Hardcode digestLength to tagLength in CTR
Code is not using digestLength in any way.
2018-11-06 10:35:19 +01:00
Davide De Rosa
7ffbf41b30 Expose internal tag length, 0 if none 2018-11-06 10:31:55 +01:00
Davide De Rosa
2fde43b1fc Keep tag length constants private
Also AD length in AEAD was an unresolved relic.
2018-11-06 10:25:35 +01:00
Davide De Rosa
caea6624fc Unmask IPv4 netmask and IPv6 prefix
Masking that is useless and paranoid. May help debugging.
2018-11-05 20:40:12 +01:00
Davide De Rosa
e198e80595 Use standard inet_ntop/pton for IPv4 conversion
Swap endianness internally.
2018-11-05 20:21:10 +01:00
Davide De Rosa
b32c1848be Unmask harmless destination port 2018-11-05 15:48:34 +01:00
Davide De Rosa
9c989dabf5 Fix IPv4/UInt32 calculations 2018-10-28 00:26:15 +02:00
Davide De Rosa
9e2bdd22ac Pick default values from static constant 2018-10-26 11:07:46 +02:00
Davide De Rosa
84e216f56d Deprecate lastErrorKey, encapsulate access 2018-10-25 22:36:31 +02:00
Davide De Rosa
3cc511822d Deprecate debugLogKey, hardcode filename 2018-10-25 22:36:31 +02:00
Davide De Rosa
8f328709c8 Wrap TKP.Configuration fields in SP.Configuration
Take credentials out of SP.Configuration. Makes sense as they
never appear in e.g. an .ovpn file.
2018-10-25 18:34:03 +02:00
Davide De Rosa
e962603098 Allow SP.Configuration customization via builder 2018-10-25 18:34:03 +02:00
Davide De Rosa
d6e27938bc Make usesPIAPatches optional
For compatible decoding.
2018-10-25 18:34:03 +02:00
Davide De Rosa
197d29042c Take a cache URL in SessionProxy to store PEMs 2018-10-25 18:34:03 +02:00
Davide De Rosa
3fd0329736 Use CryptoContainer in SessionConfiguration
Instead of paths.
2018-10-25 18:34:02 +02:00
Davide De Rosa
ca77858bf0 Move CryptoContainer to Core 2018-10-25 18:34:02 +02:00
Davide De Rosa
f1efac073c Export and document log shortcuts in Configuration 2018-10-24 21:06:04 +02:00
Davide De Rosa
f5d12300f9 Save debug log to file in app group container
Don't bog UserDefaults. Reuse debugLogKey for the log filename.
2018-10-24 21:06:04 +02:00
Davide De Rosa
b35fb34da5 Cap masked hash to 16 hexes 2018-10-24 18:50:36 +02:00
Davide De Rosa
ae85337e91 Mask log.debug 2018-10-24 18:47:41 +02:00
Davide De Rosa
033763f372 Mask log.info 2018-10-24 18:47:41 +02:00
Davide De Rosa
25d84f6530 Add internal flag for masking private data
Hardcoded to true. Private data is mostly hostname/IP addresses
and routing information.
2018-10-24 18:23:10 +02:00
Davide De Rosa
b1a79d6451 Shut down on server-initiated HARD_RESET
Session is stale and not recoverable (lame duck).
2018-10-24 12:31:37 +02:00
Davide De Rosa
0b79ce4194 Handle server-initiated SOFT_RESET 2018-10-24 12:22:47 +02:00
Davide De Rosa
d829247e6e Simplify socket shutdown code
Drop weird (old?) linkFailures check.
2018-10-24 09:42:18 +02:00
Davide De Rosa
91349fd780 Take shouldChangeProtocol out of GenericSocket
Behavior is not exactly similar in UDP and TCP.
2018-10-24 09:42:03 +02:00
Davide De Rosa
8b59fe6f4c Use RawRepresentable where adequate 2018-10-24 09:19:50 +02:00
Davide De Rosa
e3a5302e06 Check NULL EKU and simplify OID comparison 2018-10-24 00:43:01 +02:00
Davide De Rosa
3a95568d0b Remove unused code 2018-10-24 00:36:18 +02:00
Davide De Rosa
440a7f7da8 Verify server cert EKU
Fixes #27
2018-10-23 23:46:37 +02:00
Davide De Rosa
c32185b524 Review/complete mapping to ProviderError
Errors from TunnelKitNative were not mapped. Also, move TLS CA
verification error to TLSBox domain.
2018-10-23 23:44:25 +02:00
Davide De Rosa
f5d9720b01 Halt TLS on internal failure 2018-10-23 23:44:25 +02:00
Davide De Rosa
f725779e0e Convert ct pulling to try/catch 2018-10-23 22:47:04 +02:00
Davide De Rosa
1ad4a62593 Report error status to shared defaults
Retain after disposal, unless manually stopped.
2018-10-22 01:04:36 +02:00