197d29042c
Take a cache URL in SessionProxy to store PEMs
2018-10-25 18:34:03 +02:00
3fd0329736
Use CryptoContainer in SessionConfiguration
...
Instead of paths.
2018-10-25 18:34:02 +02:00
ca77858bf0
Move CryptoContainer to Core
2018-10-25 18:34:02 +02:00
b35fb34da5
Cap masked hash to 16 hexes
2018-10-24 18:50:36 +02:00
ae85337e91
Mask log.debug
2018-10-24 18:47:41 +02:00
033763f372
Mask log.info
2018-10-24 18:47:41 +02:00
25d84f6530
Add internal flag for masking private data
...
Hardcoded to true. Private data is mostly hostname/IP addresses
and routing information.
2018-10-24 18:23:10 +02:00
b1a79d6451
Shut down on server-initiated HARD_RESET
...
Session is stale and not recoverable (lame duck).
2018-10-24 12:31:37 +02:00
0b79ce4194
Handle server-initiated SOFT_RESET
2018-10-24 12:22:47 +02:00
e3a5302e06
Check NULL EKU and simplify OID comparison
2018-10-24 00:43:01 +02:00
3a95568d0b
Remove unused code
2018-10-24 00:36:18 +02:00
440a7f7da8
Verify server cert EKU
...
Fixes #27
2018-10-23 23:46:37 +02:00
c32185b524
Review/complete mapping to ProviderError
...
Errors from TunnelKitNative were not mapped. Also, move TLS CA
verification error to TLSBox domain.
2018-10-23 23:44:25 +02:00
f5d9720b01
Halt TLS on internal failure
2018-10-23 23:44:25 +02:00
f725779e0e
Convert ct pulling to try/catch
2018-10-23 22:47:04 +02:00
4bf7f1a1fc
Bridge SessionError to public ProviderError
2018-10-22 01:04:36 +02:00
26fc12c2ef
Add missing fclose() after fopen()
...
Slip-up from #32
2018-10-21 00:22:36 +02:00
fbd3f977d5
Parse static key from file
2018-10-19 17:22:26 +02:00
28d9f3ee68
Add crypt strategy
2018-10-19 17:06:29 +02:00
55e0aa5c5a
Implement and test crypt serializer
2018-10-19 17:06:26 +02:00
3ec4a7d292
Implement AES-CTR encryption
2018-10-19 16:56:20 +02:00
a430beb35f
Improve Swift bridging of CryptoFlags
2018-10-19 16:56:20 +02:00
8ccc4c08a5
Add auth strategy
2018-10-19 16:20:56 +02:00
0fce5abdde
Implement auth serializer
2018-10-19 16:20:56 +02:00
a974646558
Add macros for replay packet id
2018-10-19 16:12:07 +02:00
66735ec118
Prepare API to enable TLS wrapping
...
Extensible TLSWrap parameter.
2018-10-19 16:11:35 +02:00
51720c1fbc
Split ControlPacket header/content serialization
...
rawSerializeTo: does not include opcode|session_id.
2018-10-19 16:11:35 +02:00
372fa194a5
Parse indexed keys from StaticKey
2018-10-19 16:11:35 +02:00
5c8c361fce
Add StaticKey class for static OpenVPN keys
2018-10-19 16:11:35 +02:00
a85c4ea6da
Rename packetId flag to more proper IV
2018-10-19 15:55:16 +02:00
bff9352c6e
Handle encryption/peer-id in a stateless manner
...
Fixes #30
2018-10-19 15:54:55 +02:00
70b50a7a2e
Parse data opcode when decrypting
...
Assume it could be DATA_V1/V2 regardless of peer-id.
2018-10-19 11:33:12 +02:00
9b785084e2
Customize HARD_RESET payload when PIA-patched
2018-10-18 13:31:11 +02:00
eb8a8b38c2
Restore PIA HARD_RESET code
2018-10-18 12:45:32 +02:00
872e20a95a
Add function to compute MD5 from certificate
2018-10-18 12:32:22 +02:00
98c5a015f3
Split endpoint and credentials
...
Basically drop AuthenticatedEndpoint.
2018-10-06 16:22:02 +02:00
40b733db57
Make credentials optional
2018-10-06 16:21:59 +02:00
093774535d
Make CA non-optional
...
Fix up nullability qualifiers in TLSBox.
Fixes #26
2018-10-06 15:53:22 +02:00
09210b727a
Use compression framing description
2018-09-28 08:40:14 +02:00
24dabe2739
Set peer-info version from bundle
...
Omit build number for now, seems more complex than expected to
accomplish with CocoaPods.
2018-09-24 10:26:43 +02:00
d6958ed28d
Revert LZO deprecation, still widely used
2018-09-23 14:23:52 +02:00
668474d75c
Indent negotiated parameters in log
2018-09-21 19:53:38 +02:00
44fc38e8ef
Rename encryption headers for consistency
...
The shared prefix makes it easier to associate them with
implementation files.
2018-09-20 09:03:33 +02:00
600c93be55
Drop overheadLength, only used in one place
2018-09-20 09:03:33 +02:00
dd02c92aa5
Expose methods for capacity prediction
...
Encapsulate encrypt/decrypt buffer capacity calculation.
2018-09-20 09:03:33 +02:00
f6ee187db7
Use symbolic data header length
2018-09-20 09:03:33 +02:00
aa39414a77
Rename packet header to opcode (first byte)
2018-09-20 09:03:31 +02:00
fe92fcd91c
Remove NSData versions from Encrypter/Decrypter
...
Move to test target. Conversely, bring ZeroingData.data extension
into main targets.
2018-09-20 09:01:44 +02:00
1099d9adbf
Improve control channel log readability
...
- Use consistent convention in id logging.
- Describe packet codes.
- Encapsulate packet logging.
2018-09-20 09:00:11 +02:00
ce94a594f9
Bring code/key deserialization into serializer
...
Duplicates first byte parsing but makes testing more meaningful,
because there's no need to provide a bogus code/key pair.
2018-09-20 08:59:50 +02:00
11cb312c02
Move control channel logic to PlainSerializer
2018-09-19 22:04:52 +02:00
595cae3563
Add strategy for control channel serialization
2018-09-19 22:04:52 +02:00
3608860b9d
Move sessionId and remoteSessionId
2018-09-19 22:04:52 +02:00
1573b2070a
Move control queue management
...
- Out packets
- In packets
- Acks
2018-09-19 22:04:52 +02:00
e6dd4de472
Move control data parsing
2018-09-19 22:04:52 +02:00
19ce7de819
Encapsulate control state into ControlChannel
...
First step: variables + mutating funcs.
2018-09-19 22:04:52 +02:00
d80c0b5460
Move in/out states to a generic struct
2018-09-19 22:04:52 +02:00
2bd9484a43
Move ControlPacket serialization to Obj-C
...
Additionally, make sessionId non-optional in control packets. They
must have it, therefore treat a missing sessionId as a programming
error instead.
Reuse routines for acks to make PacketMacros the only point of
packets serialization.
2018-09-19 22:04:52 +02:00
92dbb57666
Revert CommonPacket name to ControlPacket
2018-09-19 22:04:52 +02:00
856fa9e12e
Take PacketStream out and make public
...
Useful for reuse in TCP streams.
2018-09-19 22:04:52 +02:00
cba6f6f959
Clean up some documentation metadata
...
- Reorder fields in SessionProxy.Configuration*
- Add new classes to .yml
2018-09-19 22:04:52 +02:00
ac3582c0fa
Fix ignored OpenSSL code
2018-09-14 02:04:36 +02:00
b9243c9f0b
Add some more peer-info
...
- IV_PLAT
- IV_UI_VER
- IV_SSL
2018-09-12 15:50:36 +02:00
915638b163
Log negotiated parms at info level
...
Useful when debug disabled.
2018-09-12 15:48:47 +02:00
aef7daec51
Fix and clean up redundant nullability specifiers
2018-09-12 15:38:52 +02:00
a3fe740ad9
Assert ambiguity about HMAC key length
2018-09-12 15:21:25 +02:00
d53e7add10
Allow HMAC verify with nil cipher in CryptoCBC
2018-09-12 15:21:25 +02:00
401d999b3d
Expose HMAC digestLength where available
2018-09-12 15:21:25 +02:00
4af0ce8739
Refactor duplicate keep-alive code
2018-09-09 00:52:16 +02:00
3a02557b5e
Override keep-alive with pushed interval
2018-09-09 00:52:16 +02:00
4bf02198d1
Parse ping from PUSH_REPLY
2018-09-09 00:52:16 +02:00
66864da51b
Default to no keep-alive if unset
...
For consistency with other optional flags.
Updates #20
2018-09-08 12:56:40 +02:00
01f65b2a7e
Always shut down on known tunnel error
...
Not recoverable by default (e.g algorithm mismatch).
2018-09-08 00:10:35 +02:00
ecbad85b4a
Discard 0 keep-alive interval
2018-09-08 00:06:19 +02:00
582ef4875d
Move default pingInterval to constructor
...
Use CoreConfiguration only within Core.
2018-09-08 00:00:07 +02:00
e9032e5490
Leave nil if push option parsed but unrecognized
...
For whatever reason. Do not override with .disabled when not
necessarily intended.
2018-09-07 15:22:03 +02:00
e5918d1b05
Override framing with pushed if available
2018-09-07 15:11:44 +02:00
0304c4a5eb
Parse compression framing from PUSH_REPLY
2018-09-07 15:10:19 +02:00
55cdd6227c
Interpret 0 reneg seconds as never
2018-09-07 14:58:56 +02:00
1fbfe5b844
Document genericName method
2018-09-06 11:16:48 +02:00
5b638ea5f6
Use different genericName for CBC/GCM
2018-09-06 11:16:14 +02:00
0b28eacf0d
Add more metadata to Cipher/Digest
...
- Ciphers are AES.
- Digests are HMAC.
2018-09-06 10:55:56 +02:00
ce6a41a218
Add more ciphers/digests
...
No-brainer, OpenSSL EVP supports them.
2018-09-06 10:38:18 +02:00
d6b80ea449
Implement Codable in public entities
...
Also rename CompressionFraming for being an extension of
SessionProxy.
2018-09-06 10:34:10 +02:00
43a5972737
Fix cipher regex in PUSH_REPLY
...
Breaks with NCP enabled when cipher is not last. Trailing comma
was erroneously included in parsed cipher name.
Fixes #11
2018-09-05 03:54:40 +02:00
e121555f82
Add Cipher.embedsDigest to signal digest embedding
...
Currently GCM ciphers do.
2018-09-04 15:57:07 +02:00
3543f7aab3
Omit sensitive data from PUSH_REPLY log
...
Namely auth-token.
2018-09-02 12:48:45 +02:00
201da9b69b
Bump IV_VER to 2.4
...
Enough to claim.
2018-09-02 02:09:20 +02:00
bcc95ad510
Send NCP in peer-info
2018-09-02 02:09:20 +02:00
81eb18619d
Pick cipher from PUSH_REPLY if present
2018-09-02 02:09:20 +02:00
31e694859f
Cache aggregated PushReply object
...
- authToken
- peerId
- cipher
Retain across soft resets.
2018-09-02 02:09:20 +02:00
cff359fceb
Parse pushed cipher if any
2018-09-02 02:09:20 +02:00
e900454504
Share connection completion code
...
Across hard and soft reset.
2018-09-02 02:09:20 +02:00
c930cda065
Consolidate DataPath with new flow
2018-09-02 02:09:20 +02:00
c01ac7e1e3
Postpone keys setup until after PUSH_REPLY
...
And rename to setupEncryption() for ambiguity with SessionKey.
2018-09-02 02:09:20 +02:00
474e633e48
Parse arguments from regexp extension
...
Further code simplification.
2018-09-02 01:14:37 +02:00
208fc48dd7
Drop unused DataPath protocols array
2018-08-31 01:59:08 +02:00
235c485cae
Simplify regex matching with private extension
2018-08-31 01:59:08 +02:00
e6036095c9
Describe routes in IPv*Settings
2018-08-31 01:59:08 +02:00
373a36b9c1
Parse and apply IPv6 settings when available
...
IPv4 currently mandatory in PushReply (exception otherwise).
2018-08-31 01:59:08 +02:00
Davide De Rosa