tunnelkit/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Added

• OpenVPN: Parse authentication requirement from --auth-user-pass.
• OpenVPN: Handle multiple --remote options correctly.

Changed

• Manager package completely rewritten.
• WireGuard: Use entities from WireGuardKit directly.
• Only enable on-demand if at least one rule is provided.
• Dropped incomplete support for IPSec/IKEv2.

4.1.0 (2022-02-09)

Added

• WireGuard support. #236
• Handle --keepalive option.

Changed

• Relax deployment target for macOS down to 10.14
• Upgrade OpenSSL to 1.1.1m.

4.0.3 (2021-11-27)

Fixed

• Verify CA from on-disk file. #237

4.0.2 (2021-11-25)

Changed

• Revert to OpenSSL. #233

Fixed

• TLS fails on CA verification on some servers. #232
• TLS negotiation times out with ProtonVPN. #230

4.0.1 (2021-11-18)

Fixed

• Regression in TLS handshake (temporarily revert #213).

4.0.0 (2021-11-16)

Changed

• Migrate to SwiftPM. #210
• Replace OpenSSL with BoringSSL from SwiftNIO SSL.
• Drop support for TLS security level (not present in BoringSSL).

3.5.0 (2021-10-18)

Added

• Support for IPSec/IKEv2 providers.

Changed

• Avoid caching PEMs on disk (roop). #213
• Upgrade OpenSSL to 1.1.1l.

Fixed

• Avoid caching PEMs on disk. #213

3.4.0 (2021-08-07)

Added

• Support for XOR patch (Sam Foxman). #170

3.3.3 (2021-07-19)

Added

• Support for --compress stub-v2.

Fixed

• Return error in install completion handler. #206
• Relax handling of whitespaces in configuration file.

3.3.2 (2021-06-26)

Fixed

• Clean up cached PEMs at the end of a Session. #203

3.3.1 (2021-02-12)

Changed

• Skip keychain password prompt on macOS. #200

Fixed

• Restore app group in keychain queries about password references. #201

3.3.0 (2021-01-28)

Added

• Handle --data-ciphers and data-ciphers-fallback from OpenVPN 2.5
• Support DNS over HTTPS (DoH) and TLS (DoT).

Changed

• Pick tunnel password reference from an existing keychain item context.

Fixed

• Do not override network DNS settings when not provided by VPN. #197

3.2.0 (2021-01-07)

Changed

• Encoding of internal provider configuration.

3.1.0 (2020-12-28)

Added

• Parse --tun-mtu option.

Changed

• Update API to access current Wi-Fi SSID.
• Refactor access to keychain.

3.0.0 (2020-11-15)

Added

• Support for Apple Silicon (macOS arm64).
• Customize IV_UI_VER (pahnev). #178

Changed

• Deployment targets raised to iOS 12.0 and macOS 10.15
• Use active profile name in VPN configuration (device settings).

Fixed

• Incorrect tunnel bundle identifiers in Demo. #176
• IV_PLAT in peer info was hardcoded to "mac" (pahnev). #177

2.2.7 (2020-06-11)

Fixed

• Code cleanup.

2.2.6 (2020-05-12)

Fixed

• Address concerns from Guido Vranken fuzzers. #141

2.2.5 (2020-05-12)

Changed

• Improve IP Header parsing (roop). #171

2.2.4 (2020-05-10)

Added

• Support for SAN hostname in certificates (jaroslavas). #168

Fixed

• IPv6 traffic broken on Mojave. #146, #169
• Restore tunnel MTU setting (ueshiba). #148
• Transient connected state upon connection failure (rob-patchett). #128

2.2.3 (2020-04-21)

Changed

• Upgrade OpenSSL to 1.1.1g. #166

2.2.2 (2020-04-20)

Changed

• Upgrade OpenSSL to 1.1.1f. #165

Fixed

• Index out of range during negotiation (Grivus). #143
• Handle server shutdown/restart (remote --explicit-exit-notify). #131
• Abrupt disconnection upon unknown packet key id (johankool). #161
• Handle explicit IPv4/IPv6 protocols (4 or 6 suffix in --proto). #153
• Mitigate IP traffic breaking on Mojave. #146
• Pointer warnings from Xcode 11.4 upgrade.

2.2.1 (2019-12-14)

Fixed

• Keep-alive pings coalescing over time.
• Ping timeout not checked for if keep-alive is disabled.

2.2.0 (2019-12-11)

Changed

• Require explicit --ca and --cipher in .ovpn configuration file.

2.1.0 (2019-11-03)

Added

• Allow keep-alive timeout to be configured by the server or client (Robert Patchett). #122
• Support for proxy autoconfiguration URL (ThinkChaos). #125
• Support multiple DNS search domains. #127

Changed

• Upgrade OpenSSL to 1.1.1d. #123

Fixed

• Session negotiation succeeds too early (Robert Patchett). #124
• Handle vpn_gateway literal in --route.

2.0.5 (2019-09-26)

Fixed

• OpenSSL framework structure on macOS makes binary invalid when uploaded to App Store Connect.
• Potential OOB in memcmp() (Guido Vranken).

2.0.3 (2019-09-06)

Fixed

• Deadlock on shutdown (further fixes). #106
• Regression with negotiation failing due to .staleSession error. #120

2.0.2 (2019-07-27)

Fixed

• Deadlock on shutdown. #106
• Stuck on SOFT_RESET. #105
• Tunnel dies unexpectedly on macOS. #111
• Recover from ENOBUFS. #112

2.0.1 (2019-05-28)

Fixed

• Regression in LZO subspec.

2.0.0 (2019-05-28)

Changed

• Major refactoring.

1.7.1 (2019-05-14)

Added

• Partially support --redirect-gateway block-local. #81

Fixed

• Authentication failure due to local options. #95
• Customize security level (to tolerate weak certificates). #97
• Connection stalls on server-initiated SOFT_RESET.
• Wrong configuration mutability.

1.7.0 (2019-04-28)

Changed

• Do not redirect all traffic to VPN unless --redirect-gateway specified. #90
• Upgrade OpenSSL to 1.1.0j.

Fixed

• SoftEther sends an incomplete PUSH_REPLY. #86
• Authentication/Decrypt errors with TLS wrapping. #88, #61
• Broken DNS when no servers provided. #84
• UDP may disconnect on high-speed upload link. #87
• Client certificate may fail when private key in .ovpn is encrypted. #91
• DNS is unreachable when VPN is not default gateway. #94

1.6.2 (2019-04-17)

Added

• Basic support for proxy settings (no PAC). #74

Changed

• Make hostname optional and pick resolvedAddresses if nil.

Fixed

• Negotiation times out with SoftEther. #67
• Unable to handle continuated PUSH_REPLY. #71
• TCP requiring multiple PUSH_REQUEST. #73
• DNS inconsistencies. #85

1.6.1 (2019-04-07)

Fixed

• Cipher/digest erroneously required by AppExtension.

1.6.0 (2019-04-06)

Added

• Handle dhcp-option DOMAIN. #77

Changed

• Refactor configuration parser for reuse.

Fixed

• Unrecognized PKCS#8 encrypted private keys. #80
• Handle PEM with preamble. #78

1.5.2 (2019-04-01)

Added

• Optional data count report via TunnelKitProvider.Configuration.dataCount(in:).

Changed

• Upgraded to Swift 5.

Fixed

• checksEKU not propagated to TunnelKitProvider.

1.5.1 (2019-03-25)

Added

• Scramble endpoints via --remote-random. #76
• Support for encrypted certificate private keys. #72

Fixed

• Send explicit exit notification if UDP. #29
• Broken reconnection on network change (mitigated). #75

1.5.0 (2019-03-20)

Added

• Support for legacy --comp-lzo compression. #69
• Support for newer --compress lzo option. #70

1.4.3 (2019-03-18)

Fixed

• Several reconnection issues.
• Missing EKU flag evaluation.

1.4.2 (2019-03-05)

Added

• Shut down if server pushes a compressed data packet.

Fixed

• Custom DNS servers were not applied.
• Reject <connection> blocks as unsupported.

1.4.1 (2019-02-25)

Added

• Override DNS servers client side. #56
• Shut down if server pushes a compression directive. #65

Changed

• Enable or disable EKU according to remote-cert-tls server in .ovpn file. #64

Fixed

• Compiling errors in demo target.
• Linking errors with OpenSSL.
• A few potential vulnerabilities.

1.4.0 (2018-11-12)

Added

• Parser for .ovpn configuration files. #47

Changed

• Due to #47, SocketType and EndpointProtocol were moved to Core subspec.

1.3.1 (2018-11-07)

Fixed

• IPv4/UInt32 conversions are not endianness-agnostic. #46

1.3.0 (2018-10-28)

Changed

• Refactored tunnel configuration API for increased code reuse. #44

Deprecated

• Use high-level accessories instead of debugLogKey and lastErrorKey. #45

Fixed

• IPv4/UInt32 calculations were wrong.

1.2.2 (2018-10-25)

Changed

• Debug log is saved to group container rather than UserDefaults. #43

Fixed

• Handle server-initiated renegotiation. #41
• Potentially private data (e.g. Internet addresses) is now masked in debug log. #42

1.2.1 (2018-10-24)

Added

• Configuration key lastErrorKey for reporting errors to host app. #40
• Server extended key usage validation (EKU). #27

Fixed

• CA file was not closed after MD5 calculation when using PIA patches.
• Mitigated an issue with MTU in TCP mode during negotiation. #39

1.2.0 (2018-10-20)

Added

• Support for --tls-auth wrapping. #34
• Support for --tls-crypt wrapping. #35
• Parser for static OpenVPN keys from file. #36

Fixed

• Handling of mixed DATA_V1/DATA_V2 packets. #30

1.1.2 (2018-10-18)

Added

• Restored support for PIA patches. #32

1.1.1 (2018-10-10)

Fixed

• Make CA non-optional. #28

1.1.0 (2018-09-26)

Added

• Client certificate verification. #3
• Support for both --comp-lzo and --compress compression framing. #2, #5, #10
• Routes setup from PUSH_REPLY. #7
• Support for IPv6. #8
• Support for server-side NCP. #11
• Property to mark ciphers not requiring digest auth (e.g. GCM). #13
• Codable implementations for native Swift serialization. #15
• More cipher and digest algorithms. #16
• Negotiated compression framing from PUSH_REPLY. #19
• Customizable keep-alive. #20
• Negotiated keep-alive from PUSH_REPLY. #22
• Peer-info metadata.

Changed

• Raised iOS target to 11 (drops 32-bit support).
• Upgraded OpenSSL from 1.1.0h to 1.1.0i.
• Minor adjustments for Xcode 10 / Swift 4.2.
• Deep refactoring of control channel for future extensibility.
• App group moved out of tunnel configuration, to make it more platform-agnostic and coherent to serialize.
• Keep-alive is disabled by default.
• Several internal renamings.

Fixed

• Sensitive data logged in PUSH_REPLY. #12
• Bad interpretation of 0 seconds between renegotiations. #18
• Incorrect behavior on data-related failures. #21

1.0.0 (2018-08-23)

Added

• Initial fork from https://github.com/pia-foss/tunnel-apple

Removed

• Non-standard PIA patches.