Merge pull request #64 from keeshux/make-eku-optional

Make EKU optional

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Override DNS servers client side. [#56](https://github.com/keeshux/tunnelkit/pull/56)
 
+### Changed
+
+- Enable or disable EKU according to `remote-cert-tls server` in .ovpn file. [#64](https://github.com/keeshux/tunnelkit/pull/64)
+
 ### Fixed
 
 - Compiling errors in demo target.

TunnelKit.xcodeproj/project.pbxproj

@@ -1348,7 +1348,7 @@
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				CODE_SIGN_IDENTITY = "iPhone Developer";
 				COPY_PHASE_STRIP = NO;
-				CURRENT_PROJECT_VERSION = 309;
+				CURRENT_PROJECT_VERSION = 329;
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
@@ -1412,7 +1412,7 @@
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				CODE_SIGN_IDENTITY = "iPhone Developer";
 				COPY_PHASE_STRIP = NO;
-				CURRENT_PROJECT_VERSION = 309;
+				CURRENT_PROJECT_VERSION = 329;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				ENABLE_NS_ASSERTIONS = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
@@ -1445,7 +1445,7 @@
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = "";
 				DYLIB_COMPATIBILITY_VERSION = 1;
-				DYLIB_CURRENT_VERSION = 309;
+				DYLIB_CURRENT_VERSION = 329;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
 				FRAMEWORK_SEARCH_PATHS = "$(inherited)";
 				INFOPLIST_FILE = "$(SRCROOT)/TunnelKit-iOS/Info.plist";
@@ -1468,7 +1468,7 @@
 				DEFINES_MODULE = YES;
 				DEVELOPMENT_TEAM = "";
 				DYLIB_COMPATIBILITY_VERSION = 1;
-				DYLIB_CURRENT_VERSION = 309;
+				DYLIB_CURRENT_VERSION = 329;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
 				FRAMEWORK_SEARCH_PATHS = "$(inherited)";
 				INFOPLIST_FILE = "$(SRCROOT)/TunnelKit-iOS/Info.plist";
@@ -1491,7 +1491,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEFINES_MODULE = YES;
 				DYLIB_COMPATIBILITY_VERSION = 1;
-				DYLIB_CURRENT_VERSION = 309;
+				DYLIB_CURRENT_VERSION = 329;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
 				FRAMEWORK_VERSION = A;
 				INFOPLIST_FILE = "$(SRCROOT)/TunnelKit-macOS/Info.plist";
@@ -1514,7 +1514,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				DEFINES_MODULE = YES;
 				DYLIB_COMPATIBILITY_VERSION = 1;
-				DYLIB_CURRENT_VERSION = 309;
+				DYLIB_CURRENT_VERSION = 329;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
 				FRAMEWORK_VERSION = A;
 				INFOPLIST_FILE = "$(SRCROOT)/TunnelKit-macOS/Info.plist";

TunnelKit/Sources/AppExtension/TunnelKitProvider+Configuration.swift

@@ -60,6 +60,7 @@ extension TunnelKitProvider {
                 ca: CryptoContainer(pem: ""),
                 clientCertificate: nil,
                 clientKey: nil,
+                checksEKU: false,
                 compressionFraming: .disabled,
                 tlsWrap: nil,
                 keepAliveInterval: nil,
@@ -465,6 +466,11 @@ extension TunnelKitProvider {
             } else {
                 log.info("\tClient verification: disabled")
             }
+            if sessionConfiguration.checksEKU ?? false {
+                log.info("\tServer EKU verification: enabled")
+            } else {
+                log.info("\tServer EKU verification: disabled")
+            }
             log.info("\tMTU: \(mtu)")
             log.info("\tCompression framing: \(sessionConfiguration.compressionFraming)")
             if let keepAliveSeconds = sessionConfiguration.keepAliveInterval, keepAliveSeconds > 0 {

TunnelKit/Sources/Core/ConfigurationParser.swift

@@ -87,11 +87,13 @@ public class ConfigurationParser {
 
         static let keyDirection = NSRegularExpression("^key-direction +\\d")
 
+        static let eku = NSRegularExpression("^remote-cert-tls +server")
+
         static let blockBegin = NSRegularExpression("^<[\\w\\-]+>")
 
         static let blockEnd = NSRegularExpression("^<\\/[\\w\\-]+>")
 
-        static let dnsRegexp = NSRegularExpression("dhcp-option DNS6? [\\d\\.a-fA-F:]+")
+        static let dns = NSRegularExpression("^dhcp-option +DNS6? +[\\d\\.a-fA-F:]+")
 
         // unsupported
 
@@ -139,6 +141,7 @@ public class ConfigurationParser {
         var optCA: CryptoContainer?
         var clientCertificate: CryptoContainer?
         var clientKey: CryptoContainer?
+        var checksEKU = false
         var keepAliveSeconds: TimeInterval?
         var renegotiateAfterSeconds: TimeInterval?
         var keyDirection: StaticKey.Direction?
@@ -218,6 +221,9 @@ public class ConfigurationParser {
                 continue
             }
 
+            Regex.eku.enumerateComponents(in: line) { (_) in
+                checksEKU = true
+            }
             Regex.proto.enumerateArguments(in: line) {
                 isHandled = true
                 guard let str = $0.first else {
@@ -319,7 +325,7 @@ public class ConfigurationParser {
                 }
                 renegotiateAfterSeconds = TimeInterval(arg)
             }
-            Regex.dnsRegexp.enumerateArguments(in: line) {
+            Regex.dns.enumerateArguments(in: line) {
                 isHandled = true
                 guard $0.count == 2 else {
                     return
@@ -399,6 +405,7 @@ public class ConfigurationParser {
         sessionBuilder.tlsWrap = tlsWrap
         sessionBuilder.clientCertificate = clientCertificate
         sessionBuilder.clientKey = clientKey
+        sessionBuilder.checksEKU = checksEKU
         sessionBuilder.keepAliveInterval = keepAliveSeconds
         sessionBuilder.renegotiatesAfter = renegotiateAfterSeconds
         sessionBuilder.dnsServers = dnsServers

TunnelKit/Sources/Core/SessionProxy+Configuration.swift

@@ -150,6 +150,9 @@ extension SessionProxy {
         /// The private key for the certificate in `clientCertificate` (PEM format).
         public var clientKey: CryptoContainer?
 
+        /// If true, checks EKU of server certificate.
+        public var checksEKU: Bool?
+
         /// Sets compression framing, disabled by default.
         public var compressionFraming: CompressionFraming
 
@@ -175,6 +178,7 @@ extension SessionProxy {
             self.ca = ca
             clientCertificate = nil
             clientKey = nil
+            checksEKU = false
             compressionFraming = .disabled
             tlsWrap = nil
             keepAliveInterval = nil
@@ -195,6 +199,7 @@ extension SessionProxy {
                 ca: ca,
                 clientCertificate: clientCertificate,
                 clientKey: clientKey,
+                checksEKU: checksEKU,
                 compressionFraming: compressionFraming,
                 tlsWrap: tlsWrap,
                 keepAliveInterval: keepAliveInterval,
@@ -223,6 +228,9 @@ extension SessionProxy {
         /// - Seealso: `SessionProxy.ConfigurationBuilder.clientKey`
         public let clientKey: CryptoContainer?
 
+        /// - Seealso: `SessionProxy.ConfigurationBuilder.checksEKU`
+        public let checksEKU: Bool?
+
         /// - Seealso: `SessionProxy.ConfigurationBuilder.compressionFraming`
         public let compressionFraming: CompressionFraming
 
@@ -252,6 +260,7 @@ extension SessionProxy {
             builder.digest = digest
             builder.clientCertificate = clientCertificate
             builder.clientKey = clientKey
+            builder.checksEKU = checksEKU
             builder.compressionFraming = compressionFraming
             builder.tlsWrap = tlsWrap
             builder.keepAliveInterval = keepAliveInterval
@@ -271,6 +280,7 @@ extension SessionProxy {
                 (lhs.ca == rhs.ca) &&
                 (lhs.clientCertificate == rhs.clientCertificate) &&
                 (lhs.clientKey == rhs.clientKey) &&
+                (lhs.checksEKU == rhs.checksEKU) &&
                 (lhs.compressionFraming == rhs.compressionFraming) &&
                 (lhs.keepAliveInterval == rhs.keepAliveInterval) &&
                 (lhs.renegotiatesAfter == rhs.renegotiatesAfter) &&

TunnelKit/Sources/Core/SessionProxy.swift

@@ -771,7 +771,8 @@ public class SessionProxy {
             negotiationKey.tlsOptional = TLSBox(
                 caPath: caURL.path,
                 clientCertificatePath: (configuration.clientCertificate != nil) ? clientCertificateURL.path : nil,
-                clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil
+                clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil,
+                checksEKU: true
             )
             do {
                 try negotiationKey.tls.start()

TunnelKit/Sources/Core/TLSBox.h

@@ -55,7 +55,8 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification;
 
 - (instancetype)initWithCAPath:(NSString *)caPath
          clientCertificatePath:(nullable NSString *)clientCertificatePath
-                 clientKeyPath:(nullable NSString *)clientKeyPath;
+                 clientKeyPath:(nullable NSString *)clientKeyPath
+                     checksEKU:(BOOL)checksEKU;
 
 - (BOOL)startWithError:(NSError **)error;
 

TunnelKit/Sources/Core/TLSBox.m

@@ -65,6 +65,7 @@ @interface TLSBox ()
 @property (nonatomic, strong) NSString *caPath;
 @property (nonatomic, strong) NSString *clientCertificatePath;
 @property (nonatomic, strong) NSString *clientKeyPath;
+@property (nonatomic, assign) BOOL checksEKU;
 @property (nonatomic, assign) BOOL isConnected;
 
 @property (nonatomic, unsafe_unretained) SSL_CTX *ctx;
@@ -105,12 +106,16 @@ - (instancetype)init
     return nil;
 }
 
-- (instancetype)initWithCAPath:(NSString *)caPath clientCertificatePath:(NSString *)clientCertificatePath clientKeyPath:(NSString *)clientKeyPath
+- (instancetype)initWithCAPath:(NSString *)caPath
+         clientCertificatePath:(NSString *)clientCertificatePath
+                 clientKeyPath:(NSString *)clientKeyPath
+                     checksEKU:(BOOL)checksEKU
 {
     if ((self = [super init])) {
         self.caPath = caPath;
         self.clientCertificatePath = clientCertificatePath;
         self.clientKeyPath = clientKeyPath;
+        self.checksEKU = checksEKU;
         self.bufferCipherText = allocate_safely(TLSBoxMaxBufferLength);
     }
     return self;
@@ -196,7 +201,7 @@ - (NSData *)pullCipherTextWithError:(NSError *__autoreleasing *)error
     if (!self.isConnected && SSL_is_init_finished(self.ssl)) {
         self.isConnected = YES;
 
-        if (![self verifyEKUWithSSL:self.ssl]) {
+        if (self.checksEKU && ![self verifyEKUWithSSL:self.ssl]) {
             if (error) {
                 *error = TunnelKitErrorWithCode(TunnelKitErrorCodeTLSBoxServerEKU);
             }

TunnelKitHost/Info.plist

@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.4.0</string>
+	<string>1.4.1</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 	<key>LSRequiresIPhoneOS</key>

TunnelKitTests-iOS/Info.plist

@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>BNDL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.4.0</string>
+	<string>1.4.1</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 </dict>

TunnelKitTests-macOS/Info.plist

@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>BNDL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.4.0</string>
+	<string>1.4.1</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 </dict>