From 2fc3e139119970d84549f01e832662fba963801d Mon Sep 17 00:00:00 2001
From: Sergey Abramchuk
Date: Mon, 24 Apr 2017 13:34:50 +0300
Subject: [PATCH] Wrap force ciphersuite and min tbs version properties

---
 OpenVPN Adapter/OpenVPNConfiguration.h | 30 ++++++++++++++
 OpenVPN Adapter/OpenVPNConfiguration.mm | 54 +++++++++++++++++++++++++
 2 files changed, 84 insertions(+)

diff --git a/OpenVPN Adapter/OpenVPNConfiguration.h b/OpenVPN Adapter/OpenVPNConfiguration.h
index 4e51949..9e81e8f 100644
--- a/OpenVPN Adapter/OpenVPNConfiguration.h
+++ b/OpenVPN Adapter/OpenVPNConfiguration.h
@@ -50,6 +50,22 @@ typedef NS_ENUM(NSInteger, OpenVPNCompressionMode) {
 OpenVPNCompressionModeDefault
 };
+/**
+ Minimum TLS version options
+ */
+typedef NS_ENUM(NSInteger, OpenVPNMinTLSVersion) {
+ /// Don't specify a minimum, and disable any minimum specified in profile
+ OpenVPNMinTLSVersionDisabled,
+ /// Use TLS 1.0 minimum (overrides profile)
+ OpenVPNMinTLSVersion10,
+ /// Use TLS 1.1 minimum (overrides profile)
+ OpenVPNMinTLSVersion11,
+ /// Use TLS 1.2 minimum (overrides profile)
+ OpenVPNMinTLSVersion12,
+ /// Use profile minimum
+ OpenVPNMinTLSVersionDefault
+};
+
 @interface OpenVPNConfiguration : NSObject
 /**
@@ -134,4 +150,18 @@ typedef NS_ENUM(NSInteger, OpenVPNCompressionMode) {
 */
 @property (nonatomic) NSInteger keyDirection;
+/**
+ If YES, force ciphersuite to be one of:
+ 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA, or
+ 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ and disable setting TLS minimum version.
+ This is intended for compatibility with legacy systems.
+ */
+@property (nonatomic) BOOL forceCiphersuitesAESCBC;
+
+/**
+ Override the minimum TLS version
+ */
+@property (nonatomic) OpenVPNMinTLSVersion minTLSVersion;
+
 @end
diff --git a/OpenVPN Adapter/OpenVPNConfiguration.mm b/OpenVPN Adapter/OpenVPNConfiguration.mm
index d62bac9..2626a4a 100644
--- a/OpenVPN Adapter/OpenVPNConfiguration.mm
+++ b/OpenVPN Adapter/OpenVPNConfiguration.mm
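Review bot: The doc block on `forceCiphersuitesAESCBC` in the second header hunk does not say what the flag costs the caller: by its own wording, YES pins the session to two CBC ciphersuites and switches off the TLS minimum, so `minTLSVersion` appears to have no effect while it is set. I would append to that block `Leave NO unless the peer cannot negotiate anything newer; while YES, minTLSVersion has no effect.` and add to the `minTLSVersion` doc `Has no effect while forceCiphersuitesAESCBC is YES.` The `OpenVPNMinTLSVersionDisabled` entry in the enum hunk above would benefit from the same kind of note, since it removes a floor the profile may have set. The initial value of `minTLSVersion` is also undocumented; judging by the `@""` entry in the .mm getter it seems to read as `OpenVPNMinTLSVersionDefault` until first set, which is worth stating once confirmed.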
@@ -261,4 +261,58 @@ using namespace openvpn;
 _config.defaultKeyDirection = keyDirection;
 }
+- (BOOL)forceCiphersuitesAESCBC {
+ return _config.forceAesCbcCiphersuites;
+}
+
+-(void)setForceCiphersuitesAESCBC:(BOOL)forceCiphersuitesAESCBC {
+ _config.forceAesCbcCiphersuites = forceCiphersuitesAESCBC;
+}
+
+- (OpenVPNMinTLSVersion)minTLSVersion {
+ NSDictionary *options = @{
+ @"disabled": @(OpenVPNMinTLSVersionDisabled),
+ @"tls_1_0": @(OpenVPNMinTLSVersion10),
+ @"tls_1_1": @(OpenVPNMinTLSVersion11),
+ @"tls_1_2": @(OpenVPNMinTLSVersion12),
+ @"default": @(OpenVPNMinTLSVersionDefault),
+ @"": @(OpenVPNMinTLSVersionDefault)
+ };
+
+ NSString *currentValue = [NSString stringWithUTF8String:_config.tlsVersionMinOverride.c_str()];
+
+ NSNumber *preference = options[currentValue];
+ NSAssert(preference != nil, @"Incorrect minTLSVersion value");
+
+ return (OpenVPNMinTLSVersion)[preference integerValue];
+}
+
+- (void)setMinTLSVersion:(OpenVPNMinTLSVersion)minTLSVersion {
+ switch (minTLSVersion) {
+ case OpenVPNMinTLSVersionDisabled:
+ _config.tlsVersionMinOverride = "disabled";
+ break;
+
+ case OpenVPNMinTLSVersion10:
+ _config.tlsVersionMinOverride = "tls_1_0";
+ break;
+
+ case OpenVPNMinTLSVersion11:
+ _config.tlsVersionMinOverride = "tls_1_1";
+ break;
+
+ case OpenVPNMinTLSVersion12:
+ _config.tlsVersionMinOverride = "tls_1_2";
+ break;
+
+ case OpenVPNMinTLSVersionDefault:
+ _config.tlsVersionMinOverride = "default";
+ break;
+
+ default:
+ NSAssert(NO, @"Incorrect OpenVPNMinTLSVersion value");
+ break;
+ }
+}
+
 @end
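Review bot: In `-minTLSVersion`, `NSAssert` is compiled out of release builds, so an unrecognised `tlsVersionMinOverride` string leaves `preference` nil and `[nil integerValue]` yields 0, which is `OpenVPNMinTLSVersionDisabled` — the property would then report "no minimum" for a value that is actually something else. An explicit fallback keeps that from being silent: `if (!preference) { NSAssert(NO, @"Incorrect minTLSVersion value"); return OpenVPNMinTLSVersionDefault; }` (pick whichever value the adapter should report for an unknown override). The `default:` branch of `-setMinTLSVersion:` has the same release-build behaviour, leaving the override unchanged with no trace; a comment such as `// Release builds: an out-of-range value leaves the override untouched.` would at least document it. `-(void)setForceCiphersuitesAESCBC:` is also missing the space after `-` that the neighbouring methods use, and the `options` dictionary is rebuilt on every getter call where a `static` initialised under `dispatch_once` would do.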