andrei/amnezia-client
1
0
Fork 0
mirror of https://github.com/amnezia-vpn/amnezia-client.git synced 2026-06-24 02:00:24 +07:00
Code Issues Packages Projects Releases 10 Wiki Activity

remove comment

Browse Source
This commit is contained in:
dranik
2026-06-04 15:03:45 +03:00
parent 7fe6e283ba
commit e0c4e2d914
1 changed files with 0 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
client/core/protocols/ikev2VpnProtocolMacos.mm
-44
View File
@@ -22,9 +22,6 @@
namespace {
// macOS rejects password-less PKCS#12 containers on import, so the client p12
// (exported by the Amnezia server without a password) is re-wrapped with a known
// password using legacy 3DES/SHA1 algorithms that Apple's importer accepts.
const char *kRepackedP12Password = "amnezia";
const char *kVpnSystemKeychainPath = "/Library/Keychains/System.keychain";
@@ -42,9 +39,6 @@ const char *vpnStatusName(int status)
}
}
// Parses the password-less client p12, re-wraps the identity with a password and
// also extracts the CA certificate (DER) bundled in the p12 chain, which is needed
// to validate the self-signed server certificate.
bool prepareIdentity(const QByteArray &source, const QString &friendlyName, QByteArray &repackedP12, QByteArray &caCertDer)
{
const unsigned char *cursor = reinterpret_cast<const unsigned char *>(source.constData());
@@ -113,7 +107,6 @@ bool prepareIdentity(const QByteArray &source, const QString &friendlyName, QByt
return true;
}
// Removes any previously imported identity with this label from the login keychain.
void removeIdentityFromLoginKeychain(const QString &label)
{
NSDictionary *query = @{
@@ -124,10 +117,6 @@ void removeIdentityFromLoginKeychain(const QString &label)
SecItemDelete((__bridge CFDictionaryRef)query);
}
// Imports the client identity into the user's login keychain with an access list
// that grants this app and the VPN agent (neagent) access. Setting the ACL at
// creation time (legacy SecAccess) avoids the System keychain admin prompt and the
// partition-list authorization that cannot be satisfied on the System keychain.
bool importIdentityToLoginKeychain(const QByteArray &p12, const QString &label)
{
SecKeychainRef loginKeychain = NULL;
@@ -179,9 +168,6 @@ bool importIdentityToLoginKeychain(const QByteArray &p12, const QString &label)
return true;
}
// Looks up the persistent reference of the client identity in the login keychain.
// The search is restricted to the login keychain so a stale identity that an earlier
// build left in the System keychain (same label) can never be picked instead.
NSData *copyIdentityPersistentRef(const QString &label)
{
SecKeychainRef loginKeychain = NULL;
@@ -211,7 +197,6 @@ NSData *copyIdentityPersistentRef(const QString &label)
return (NSData *)CFAutorelease(persistentRef);
}
// Runs /usr/bin/security as root through the privileged Amnezia service.
void runPrivilegedSecurity(const QString &label, const QStringList &arguments)
{
auto process = IpcClient::CreatePrivilegedProcess();
@@ -255,10 +240,6 @@ void runPrivilegedSecurity(const QString &label, const QStringList &arguments)
<< "| out:" << out.trimmed() << "| err:" << err.trimmed();
}
// Disables the VPN configuration so it cannot be turned on from the OS System
// Settings once the app has disconnected (mirrors the reference behaviour). It is
// self-contained (captures no C++ object), so it is safe even when called right
// before this protocol instance is destroyed.
void disableVpnConfiguration()
{
NEVPNManager *manager = [NEVPNManager sharedManager];
@@ -306,9 +287,6 @@ void Ikev2ProtocolMacos::readIkev2Configuration(const QJsonObject &configuration
bool Ikev2ProtocolMacos::storeClientIdentity()
{
// Already installed for this client: reuse it. Re-importing on every connect
// churns the key, re-triggers the neagent keychain prompt and disturbs the key
// an active (tearing-down) connection still references during a reconnect.
if (copyIdentityPersistentRef(m_clientId) != nil) {
qInfo() << "[IKEv2-mac] client identity already in login keychain, reusing it";
return true;
@@ -323,14 +301,11 @@ bool Ikev2ProtocolMacos::storeClientIdentity()
return false;
}
// Install the client identity into the user's login keychain with an ACL granting
// neagent access. No admin rights are needed and no System keychain prompt appears.
removeIdentityFromLoginKeychain(m_clientId);
if (!importIdentityToLoginKeychain(repackedP12, m_clientId)) {
return false;
}
// Install and trust the CA so the self-signed server certificate validates.
if (!caCertDer.isEmpty()) {
QTemporaryFile caFile(QDir::tempPath() + "/amnezia-ikev2-ca-XXXXXX.cer");
caFile.setAutoRemove(false);
@@ -481,9 +456,6 @@ ErrorCode Ikev2ProtocolMacos::start()
Qt::QueuedConnection);
}];
// If a previous connection is still active or tearing down, stop it first
// and start only once it reaches Disconnected. Otherwise our fresh start
// races with the old teardown and gets dropped immediately.
NEVPNStatus current = manager.connection.status;
if (current == NEVPNStatusDisconnected || current == NEVPNStatusInvalid) {
qInfo() << "[IKEv2-mac] preferences saved, connection is"
@@ -512,9 +484,6 @@ void Ikev2ProtocolMacos::stop()
stopHandshakeTimeoutTimer();
m_startWhenDisconnected = false;
// stop() runs synchronously because VpnConnection destroys this object right after
// it returns. Any async work (dispatch_async) would be dropped when the object dies,
// leaving the tunnel up and the UI stuck on "Disconnecting".
NEVPNManager *manager = [NEVPNManager sharedManager];
NEVPNStatus status = manager.connection.status;
qInfo() << "[IKEv2-mac] stop(): current NEVPNStatus =" << (int)status;
@@ -526,7 +495,6 @@ void Ikev2ProtocolMacos::stop()
qInfo() << "[IKEv2-mac] stop(): stopVPNTunnel issued";
}
// Disable the configuration so it cannot be switched on from OS System Settings.
disableVpnConfiguration();
setConnectionState(Vpn::ConnectionState::Disconnected);
@@ -546,9 +514,6 @@ void Ikev2ProtocolMacos::startTunnelNow()
return;
}
// A freshly created VPN configuration (the very first connection, right after the
// user authorises the new adapter) is often not ready yet and startVPNTunnel fails.
// Reload the preferences and retry a few times before giving up.
if (m_startRetries < MAX_START_RETRIES) {
m_startRetries++;
qWarning() << "[IKEv2-mac] startVPNTunnel failed, will retry (" << m_startRetries << "):"
@@ -580,8 +545,6 @@ void Ikev2ProtocolMacos::handleStatusChange(int rawStatus)
<< "| lastStatus:" << vpnStatusName(m_lastVpnStatus)
<< "| waitingToStart:" << m_startWhenDisconnected;
// While waiting for a previous connection to finish tearing down, swallow its
// teardown events and launch our tunnel only once it is fully Disconnected.
if (m_startWhenDisconnected) {
if (vpnStatus == NEVPNStatusDisconnecting) {
return;
@@ -616,8 +579,6 @@ void Ikev2ProtocolMacos::handleStatusChange(int rawStatus)
break;
case NEVPNStatusDisconnecting:
// Until the tunnel has actually started, transient teardown events are just the
// freshly created configuration settling — ignore them so the start retry survives.
if (!m_tunnelStarted) {
return;
}
@@ -626,8 +587,6 @@ void Ikev2ProtocolMacos::handleStatusChange(int rawStatus)
break;
case NEVPNStatusDisconnected: {
// Config-not-ready noise during the start-retry phase: keep retrying, do not
// treat it as a failure and do not disable the configuration.
if (!m_tunnelStarted) {
m_lastVpnStatus = vpnStatus;
return;
@@ -657,14 +616,11 @@ void Ikev2ProtocolMacos::handleStatusChange(int rawStatus)
}
m_lastVpnStatus = vpnStatus;
// The session is over: disable the adapter so it cannot be re-enabled from OS settings.
disableVpnConfiguration();
break;
}
case NEVPNStatusInvalid:
// The fresh configuration reports Invalid until it is fully realized. Ignore it
// while still starting; only treat it as fatal once the tunnel has started.
if (!m_tunnelStarted) {
m_lastVpnStatus = vpnStatus;
return;