From 401d999b3df856cb16349833a416683a761e95cc Mon Sep 17 00:00:00 2001 From: Davide De Rosa Date: Mon, 10 Sep 2018 15:18:16 +0200 Subject: [PATCH 1/4] Expose HMAC digestLength where available --- TunnelKit/Sources/Core/CryptoAEAD.m | 5 +++++ TunnelKit/Sources/Core/CryptoBox.h | 2 ++ TunnelKit/Sources/Core/CryptoBox.m | 4 ++++ TunnelKit/Sources/Core/Encryption.h | 2 ++ 4 files changed, 13 insertions(+) diff --git a/TunnelKit/Sources/Core/CryptoAEAD.m b/TunnelKit/Sources/Core/CryptoAEAD.m index 5c7ccd7..45723e2 100644 --- a/TunnelKit/Sources/Core/CryptoAEAD.m +++ b/TunnelKit/Sources/Core/CryptoAEAD.m @@ -97,6 +97,11 @@ const NSInteger CryptoAEADTagLength = 16; self.cipher = NULL; } +- (int)digestLength +{ + return 0; +} + #pragma mark Encrypter - (void)configureEncryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey diff --git a/TunnelKit/Sources/Core/CryptoBox.h b/TunnelKit/Sources/Core/CryptoBox.h index d5c122f..3a5ff9a 100644 --- a/TunnelKit/Sources/Core/CryptoBox.h +++ b/TunnelKit/Sources/Core/CryptoBox.h @@ -68,4 +68,6 @@ - (nonnull id)encrypter; - (nonnull id)decrypter; +- (NSInteger)digestLength; + @end diff --git a/TunnelKit/Sources/Core/CryptoBox.m b/TunnelKit/Sources/Core/CryptoBox.m index 5f38187..89492f0 100644 --- a/TunnelKit/Sources/Core/CryptoBox.m +++ b/TunnelKit/Sources/Core/CryptoBox.m @@ -50,6 +50,7 @@ @property (nonatomic, strong) NSString *cipherAlgorithm; @property (nonatomic, strong) NSString *digestAlgorithm; +@property (nonatomic, assign) NSInteger digestLength; @property (nonatomic, strong) id encrypter; @property (nonatomic, strong) id decrypter; @@ -131,6 +132,9 @@ [self.encrypter configureEncryptionWithCipherKey:cipherEncKey hmacKey:hmacEncKey]; [self.decrypter configureDecryptionWithCipherKey:cipherDecKey hmacKey:hmacDecKey]; + NSAssert(self.encrypter.digestLength == self.decrypter.digestLength, @"Digest length mismatch in encrypter/decrypter"); + self.digestLength = self.encrypter.digestLength; + return YES; } diff --git a/TunnelKit/Sources/Core/Encryption.h b/TunnelKit/Sources/Core/Encryption.h index 0352c83..ca0bb2b 100644 --- a/TunnelKit/Sources/Core/Encryption.h +++ b/TunnelKit/Sources/Core/Encryption.h @@ -45,6 +45,7 @@ @protocol Encrypter - (void)configureEncryptionWithCipherKey:(nonnull ZeroingData *)cipherKey hmacKey:(nonnull ZeroingData *)hmacKey; +- (int)digestLength; - (int)overheadLength; - (int)extraLength; @@ -59,6 +60,7 @@ @protocol Decrypter - (void)configureDecryptionWithCipherKey:(nonnull ZeroingData *)cipherKey hmacKey:(nonnull ZeroingData *)hmacKey; +- (int)digestLength; - (int)overheadLength; - (int)extraLength; From d53e7add10e6c870e08207b440cacf3c4165e653 Mon Sep 17 00:00:00 2001 From: Davide De Rosa Date: Mon, 10 Sep 2018 16:02:01 +0200 Subject: [PATCH 2/4] Allow HMAC verify with nil cipher in CryptoCBC --- TunnelKit/Sources/Core/CryptoAEAD.m | 16 +++- TunnelKit/Sources/Core/CryptoBox.h | 10 +-- TunnelKit/Sources/Core/CryptoBox.m | 46 ++++++------ TunnelKit/Sources/Core/CryptoCBC.h | 3 +- TunnelKit/Sources/Core/CryptoCBC.m | 105 ++++++++++++++++++++------- TunnelKit/Sources/Core/Encryption.h | 6 +- TunnelKitTests/EncryptionTests.swift | 16 ++++ 7 files changed, 143 insertions(+), 59 deletions(-) diff --git a/TunnelKit/Sources/Core/CryptoAEAD.m b/TunnelKit/Sources/Core/CryptoAEAD.m index 45723e2..4d0fb12 100644 --- a/TunnelKit/Sources/Core/CryptoAEAD.m +++ b/TunnelKit/Sources/Core/CryptoAEAD.m @@ -107,6 +107,7 @@ const NSInteger CryptoAEADTagLength = 16; - (void)configureEncryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey { NSParameterAssert(cipherKey.count >= self.cipherKeyLength); + NSParameterAssert(hmacKey); EVP_CIPHER_CTX_reset(self.cipherCtxEnc); EVP_CipherInit(self.cipherCtxEnc, self.cipher, cipherKey.bytes, NULL, 1); @@ -170,7 +171,8 @@ const NSInteger CryptoAEADTagLength = 16; - (void)configureDecryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey { NSParameterAssert(cipherKey.count >= self.cipherKeyLength); - + NSParameterAssert(hmacKey); + EVP_CIPHER_CTX_reset(self.cipherCtxDec); EVP_CipherInit(self.cipherCtxDec, self.cipher, cipherKey.bytes, NULL, 0); @@ -223,6 +225,18 @@ const NSInteger CryptoAEADTagLength = 16; TUNNEL_CRYPTO_RETURN_STATUS(code) } +- (BOOL)verifyData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error +{ + NSAssert(NO, @"Verification not supported"); + return NO; +} + +- (BOOL)verifyBytes:(const uint8_t *)bytes length:(NSInteger)length extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error +{ + NSAssert(NO, @"Verification not supported"); + return NO; +} + - (id)dataPathDecrypter { return [[DataPathCryptoAEAD alloc] initWithCrypto:self]; diff --git a/TunnelKit/Sources/Core/CryptoBox.h b/TunnelKit/Sources/Core/CryptoBox.h index 3a5ff9a..e66604a 100644 --- a/TunnelKit/Sources/Core/CryptoBox.h +++ b/TunnelKit/Sources/Core/CryptoBox.h @@ -45,13 +45,13 @@ + (BOOL)preparePRNGWithSeed:(nonnull const uint8_t *)seed length:(NSInteger)length; -- (nonnull instancetype)initWithCipherAlgorithm:(nonnull NSString *)cipherAlgorithm +- (nonnull instancetype)initWithCipherAlgorithm:(nullable NSString *)cipherAlgorithm digestAlgorithm:(nullable NSString *)digestAlgorithm; -- (BOOL)configureWithCipherEncKey:(nonnull ZeroingData *)cipherEncKey - cipherDecKey:(nonnull ZeroingData *)cipherDecKey - hmacEncKey:(nonnull ZeroingData *)hmacEncKey - hmacDecKey:(nonnull ZeroingData *)hmacDecKey +- (BOOL)configureWithCipherEncKey:(nullable ZeroingData *)cipherEncKey + cipherDecKey:(nullable ZeroingData *)cipherDecKey + hmacEncKey:(nullable ZeroingData *)hmacEncKey + hmacDecKey:(nullable ZeroingData *)hmacDecKey error:(NSError **)error; // WARNING: hmac must be able to hold HMAC result diff --git a/TunnelKit/Sources/Core/CryptoBox.m b/TunnelKit/Sources/Core/CryptoBox.m index 89492f0..73ba6c9 100644 --- a/TunnelKit/Sources/Core/CryptoBox.m +++ b/TunnelKit/Sources/Core/CryptoBox.m @@ -76,8 +76,7 @@ - (instancetype)initWithCipherAlgorithm:(NSString *)cipherAlgorithm digestAlgorithm:(NSString *)digestAlgorithm { - NSParameterAssert(cipherAlgorithm); -// NSParameterAssert(digestAlgorithm); + NSParameterAssert(cipherAlgorithm || digestAlgorithm); if ((self = [super init])) { self.cipherAlgorithm = [cipherAlgorithm lowercaseString]; @@ -99,35 +98,38 @@ hmacDecKey:(ZeroingData *)hmacDecKey error:(NSError *__autoreleasing *)error { - NSParameterAssert(cipherEncKey); - NSParameterAssert(cipherDecKey); - NSParameterAssert(hmacEncKey); - NSParameterAssert(hmacDecKey); + NSParameterAssert((cipherEncKey && cipherDecKey) || (hmacEncKey && hmacDecKey)); - if ([self.cipherAlgorithm hasSuffix:@"-cbc"]) { - if (!self.digestAlgorithm) { + if (self.cipherAlgorithm) { + if ([self.cipherAlgorithm hasSuffix:@"-cbc"]) { + if (!self.digestAlgorithm) { + if (error) { + *error = TunnelKitErrorWithCode(TunnelKitErrorCodeCryptoBoxAlgorithm); + } + return NO; + } + CryptoCBC *cbc = [[CryptoCBC alloc] initWithCipherName:self.cipherAlgorithm digestName:self.digestAlgorithm]; + self.encrypter = cbc; + self.decrypter = cbc; + } + else if ([self.cipherAlgorithm hasSuffix:@"-gcm"]) { + CryptoAEAD *gcm = [[CryptoAEAD alloc] initWithCipherName:self.cipherAlgorithm]; + self.encrypter = gcm; + self.decrypter = gcm; + } + // not supported + else { if (error) { *error = TunnelKitErrorWithCode(TunnelKitErrorCodeCryptoBoxAlgorithm); } return NO; } - CryptoCBC *cbc = [[CryptoCBC alloc] initWithCipherName:self.cipherAlgorithm - digestName:self.digestAlgorithm]; + } + else { + CryptoCBC *cbc = [[CryptoCBC alloc] initWithCipherName:nil digestName:self.digestAlgorithm]; self.encrypter = cbc; self.decrypter = cbc; } - else if ([self.cipherAlgorithm hasSuffix:@"-gcm"]) { - CryptoAEAD *gcm = [[CryptoAEAD alloc] initWithCipherName:self.cipherAlgorithm]; - self.encrypter = gcm; - self.decrypter = gcm; - } - // not supported - else { - if (error) { - *error = TunnelKitErrorWithCode(TunnelKitErrorCodeCryptoBoxAlgorithm); - } - return NO; - } [self.encrypter configureEncryptionWithCipherKey:cipherEncKey hmacKey:hmacEncKey]; [self.decrypter configureDecryptionWithCipherKey:cipherDecKey hmacKey:hmacDecKey]; diff --git a/TunnelKit/Sources/Core/CryptoCBC.h b/TunnelKit/Sources/Core/CryptoCBC.h index 89af6ff..40d494f 100644 --- a/TunnelKit/Sources/Core/CryptoCBC.h +++ b/TunnelKit/Sources/Core/CryptoCBC.h @@ -43,8 +43,7 @@ NS_ASSUME_NONNULL_BEGIN @interface CryptoCBC : NSObject -- (instancetype)initWithCipherName:(nonnull NSString *)cipherName - digestName:(nonnull NSString *)digestName; +- (instancetype)initWithCipherName:(nullable NSString *)cipherName digestName:(nonnull NSString *)digestName; @end diff --git a/TunnelKit/Sources/Core/CryptoCBC.m b/TunnelKit/Sources/Core/CryptoCBC.m index 12b9c46..40e97b6 100644 --- a/TunnelKit/Sources/Core/CryptoCBC.m +++ b/TunnelKit/Sources/Core/CryptoCBC.m @@ -67,22 +67,29 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (instancetype)initWithCipherName:(NSString *)cipherName digestName:(NSString *)digestName { - NSParameterAssert([[cipherName uppercaseString] hasSuffix:@"CBC"]); - + NSParameterAssert(!cipherName || [[cipherName uppercaseString] hasSuffix:@"CBC"]); + NSParameterAssert(digestName); + self = [super init]; if (self) { - self.cipher = EVP_get_cipherbyname([cipherName cStringUsingEncoding:NSASCIIStringEncoding]); - NSAssert(self.cipher, @"Unknown cipher '%@'", cipherName); + if (cipherName) { + self.cipher = EVP_get_cipherbyname([cipherName cStringUsingEncoding:NSASCIIStringEncoding]); + NSAssert(self.cipher, @"Unknown cipher '%@'", cipherName); + } self.digest = EVP_get_digestbyname([digestName cStringUsingEncoding:NSASCIIStringEncoding]); NSAssert(self.digest, @"Unknown digest '%@'", digestName); - self.cipherKeyLength = EVP_CIPHER_key_length(self.cipher); - self.cipherIVLength = EVP_CIPHER_iv_length(self.cipher); + if (cipherName) { + self.cipherKeyLength = EVP_CIPHER_key_length(self.cipher); + self.cipherIVLength = EVP_CIPHER_iv_length(self.cipher); + } self.digestLength = EVP_MD_size(self.digest); self.overheadLength = self.cipherIVLength + self.digestLength; - self.cipherCtxEnc = EVP_CIPHER_CTX_new(); - self.cipherCtxDec = EVP_CIPHER_CTX_new(); + if (cipherName) { + self.cipherCtxEnc = EVP_CIPHER_CTX_new(); + self.cipherCtxDec = EVP_CIPHER_CTX_new(); + } self.hmacCtxEnc = HMAC_CTX_new(); self.hmacCtxDec = HMAC_CTX_new(); self.bufferDecHMAC = allocate_safely(CryptoCBCMaxHMACLength); @@ -92,8 +99,10 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (void)dealloc { - EVP_CIPHER_CTX_free(self.cipherCtxEnc); - EVP_CIPHER_CTX_free(self.cipherCtxDec); + if (self.cipher) { + EVP_CIPHER_CTX_free(self.cipherCtxEnc); + EVP_CIPHER_CTX_free(self.cipherCtxDec); + } HMAC_CTX_free(self.hmacCtxEnc); HMAC_CTX_free(self.hmacCtxDec); bzero(self.bufferDecHMAC, CryptoCBCMaxHMACLength); @@ -112,10 +121,14 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (void)configureEncryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey { - NSParameterAssert(cipherKey.count >= self.cipherKeyLength); + NSParameterAssert(hmacKey); - EVP_CIPHER_CTX_reset(self.cipherCtxEnc); - EVP_CipherInit(self.cipherCtxEnc, self.cipher, cipherKey.bytes, NULL, 1); + if (self.cipher) { + NSParameterAssert(cipherKey.count >= self.cipherKeyLength); + + EVP_CIPHER_CTX_reset(self.cipherCtxEnc); + EVP_CipherInit(self.cipherCtxEnc, self.cipher, cipherKey.bytes, NULL, 1); + } HMAC_CTX_reset(self.hmacCtxEnc); HMAC_Init_ex(self.hmacCtxEnc, hmacKey.bytes, self.digestLength, self.digest, NULL); @@ -145,17 +158,25 @@ const NSInteger CryptoCBCMaxHMACLength = 100; int l1 = 0, l2 = 0; unsigned int l3 = 0; int code = 1; - - if (RAND_bytes(outIV, self.cipherIVLength) != 1) { - if (error) { - *error = TunnelKitErrorWithCode(TunnelKitErrorCodeCryptoBoxRandomGenerator); + + if (self.cipher) { + if (RAND_bytes(outIV, self.cipherIVLength) != 1) { + if (error) { + *error = TunnelKitErrorWithCode(TunnelKitErrorCodeCryptoBoxRandomGenerator); + } + return NO; } - return NO; + + TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherInit(self.cipherCtxEnc, NULL, NULL, outIV, -1); + TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherUpdate(self.cipherCtxEnc, outEncrypted, &l1, bytes, (int)length); + TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherFinal(self.cipherCtxEnc, outEncrypted + l1, &l2); + } + else { + NSAssert(outEncrypted == outIV, @"cipherIVLength is non-zero"); + + memcpy(outEncrypted, bytes, length); + l1 = (int)length; } - - TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherInit(self.cipherCtxEnc, NULL, NULL, outIV, -1); - TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherUpdate(self.cipherCtxEnc, outEncrypted, &l1, bytes, (int)length); - TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherFinal(self.cipherCtxEnc, outEncrypted + l1, &l2); TUNNEL_CRYPTO_TRACK_STATUS(code) HMAC_Init_ex(self.hmacCtxEnc, NULL, 0, NULL, NULL); TUNNEL_CRYPTO_TRACK_STATUS(code) HMAC_Update(self.hmacCtxEnc, outIV, l1 + l2 + self.cipherIVLength); @@ -175,10 +196,14 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (void)configureDecryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey { - NSParameterAssert(cipherKey.count >= self.cipherKeyLength); + NSParameterAssert(hmacKey); - EVP_CIPHER_CTX_reset(self.cipherCtxDec); - EVP_CipherInit(self.cipherCtxDec, self.cipher, cipherKey.bytes, NULL, 0); + if (self.cipher) { + NSParameterAssert(cipherKey.count >= self.cipherKeyLength); + + EVP_CIPHER_CTX_reset(self.cipherCtxDec); + EVP_CipherInit(self.cipherCtxDec, self.cipher, cipherKey.bytes, NULL, 0); + } HMAC_CTX_reset(self.hmacCtxDec); HMAC_Init_ex(self.hmacCtxDec, hmacKey.bytes, self.digestLength, self.digest, NULL); @@ -186,6 +211,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (NSData *)decryptData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { + NSAssert(self.cipher, @"No cipher provided"); NSParameterAssert(data); const uint8_t *bytes = data.bytes + offset; @@ -203,6 +229,8 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (BOOL)decryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { + NSAssert(self.cipher, @"No cipher provided"); + const uint8_t *iv = bytes + self.digestLength; const uint8_t *encrypted = bytes + self.digestLength + self.cipherIVLength; int l1 = 0, l2 = 0; @@ -222,12 +250,35 @@ const NSInteger CryptoCBCMaxHMACLength = 100; TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherInit(self.cipherCtxDec, NULL, NULL, iv, -1); TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherUpdate(self.cipherCtxDec, dest, &l1, encrypted, (int)length - self.digestLength - self.cipherIVLength); TUNNEL_CRYPTO_TRACK_STATUS(code) EVP_CipherFinal(self.cipherCtxDec, dest + l1, &l2); - + *destLength = l1 + l2; - + TUNNEL_CRYPTO_RETURN_STATUS(code) } +- (BOOL)verifyData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error +{ + return [self verifyBytes:data.bytes length:data.length extra:extra error:error]; +} + +- (BOOL)verifyBytes:(const uint8_t *)bytes length:(NSInteger)length extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error +{ + int l1 = 0; + int code = 1; + + TUNNEL_CRYPTO_TRACK_STATUS(code) HMAC_Init_ex(self.hmacCtxDec, NULL, 0, NULL, NULL); + TUNNEL_CRYPTO_TRACK_STATUS(code) HMAC_Update(self.hmacCtxDec, bytes + self.digestLength, length - self.digestLength); + TUNNEL_CRYPTO_TRACK_STATUS(code) HMAC_Final(self.hmacCtxDec, self.bufferDecHMAC, (unsigned *)&l1); + + if (TUNNEL_CRYPTO_SUCCESS(code) && CRYPTO_memcmp(self.bufferDecHMAC, bytes, self.digestLength) != 0) { + if (error) { + *error = TunnelKitErrorWithCode(TunnelKitErrorCodeCryptoBoxHMAC); + } + return NO; + } + return YES; +} + - (id)dataPathDecrypter { return [[DataPathCryptoCBC alloc] initWithCrypto:self]; diff --git a/TunnelKit/Sources/Core/Encryption.h b/TunnelKit/Sources/Core/Encryption.h index ca0bb2b..098b692 100644 --- a/TunnelKit/Sources/Core/Encryption.h +++ b/TunnelKit/Sources/Core/Encryption.h @@ -44,7 +44,7 @@ // WARNING: dest must be able to hold ciphertext @protocol Encrypter -- (void)configureEncryptionWithCipherKey:(nonnull ZeroingData *)cipherKey hmacKey:(nonnull ZeroingData *)hmacKey; +- (void)configureEncryptionWithCipherKey:(nullable ZeroingData *)cipherKey hmacKey:(nullable ZeroingData *)hmacKey; - (int)digestLength; - (int)overheadLength; - (int)extraLength; @@ -59,13 +59,15 @@ // WARNING: dest must be able to hold plaintext @protocol Decrypter -- (void)configureDecryptionWithCipherKey:(nonnull ZeroingData *)cipherKey hmacKey:(nonnull ZeroingData *)hmacKey; +- (void)configureDecryptionWithCipherKey:(nullable ZeroingData *)cipherKey hmacKey:(nullable ZeroingData *)hmacKey; - (int)digestLength; - (int)overheadLength; - (int)extraLength; - (NSData *)decryptData:(nonnull NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError **)error; - (BOOL)decryptBytes:(nonnull const uint8_t *)bytes length:(NSInteger)length dest:(nonnull uint8_t *)dest destLength:(nonnull NSInteger *)destLength extra:(const uint8_t *)extra error:(NSError **)error; +- (BOOL)verifyData:(nonnull NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError **)error; +- (BOOL)verifyBytes:(nonnull const uint8_t *)bytes length:(NSInteger)length extra:(const uint8_t *)extra error:(NSError **)error; - (nonnull id)dataPathDecrypter; diff --git a/TunnelKitTests/EncryptionTests.swift b/TunnelKitTests/EncryptionTests.swift index b448355..aa1899d 100644 --- a/TunnelKitTests/EncryptionTests.swift +++ b/TunnelKitTests/EncryptionTests.swift @@ -65,6 +65,22 @@ class EncryptionTests: XCTestCase { XCTAssertEqual(plain, decrypted) } + func testHMAC() { + let cbc = CryptoBox(cipherAlgorithm: nil, digestAlgorithm: "sha256") + try! cbc.configure(withCipherEncKey: nil, cipherDecKey: nil, hmacEncKey: hmacKey, hmacDecKey: hmacKey) + let enc = cbc.encrypter() + let dec = cbc.decrypter() + + let plain = Data(hex: "00112233445566778899") + let encrypted = try! enc.encryptData(plain, offset: 0, extra: nil) + do { + try dec.verifyData(encrypted, offset: 0, extra: nil) + XCTAssert(true) + } catch { + XCTAssert(false) + } + } + func testGCM() { let gcm = CryptoBox(cipherAlgorithm: "aes-256-gcm", digestAlgorithm: nil) try! gcm.configure(withCipherEncKey: cipherKey, cipherDecKey: cipherKey, hmacEncKey: hmacKey, hmacDecKey: hmacKey) From a3fe740ad9f6ce781ff2565be098bf878008b4ea Mon Sep 17 00:00:00 2001 From: Davide De Rosa Date: Mon, 10 Sep 2018 20:28:31 +0200 Subject: [PATCH 3/4] Assert ambiguity about HMAC key length --- TunnelKit/Sources/Core/CryptoCBC.m | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/TunnelKit/Sources/Core/CryptoCBC.m b/TunnelKit/Sources/Core/CryptoCBC.m index 40e97b6..7645a45 100644 --- a/TunnelKit/Sources/Core/CryptoCBC.m +++ b/TunnelKit/Sources/Core/CryptoCBC.m @@ -52,6 +52,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; @property (nonatomic, unsafe_unretained) const EVP_MD *digest; @property (nonatomic, assign) int cipherKeyLength; @property (nonatomic, assign) int cipherIVLength; +@property (nonatomic, assign) int hmacKeyLength; @property (nonatomic, assign) int digestLength; @property (nonatomic, assign) int overheadLength; @@ -83,6 +84,8 @@ const NSInteger CryptoCBCMaxHMACLength = 100; self.cipherKeyLength = EVP_CIPHER_key_length(self.cipher); self.cipherIVLength = EVP_CIPHER_iv_length(self.cipher); } + // as seen in OpenVPN's crypto_openssl.c:md_kt_size() + self.hmacKeyLength = EVP_MD_size(self.digest); self.digestLength = EVP_MD_size(self.digest); self.overheadLength = self.cipherIVLength + self.digestLength; @@ -122,6 +125,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (void)configureEncryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey { NSParameterAssert(hmacKey); + NSParameterAssert(hmacKey.count >= self.hmacKeyLength); if (self.cipher) { NSParameterAssert(cipherKey.count >= self.cipherKeyLength); @@ -131,7 +135,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; } HMAC_CTX_reset(self.hmacCtxEnc); - HMAC_Init_ex(self.hmacCtxEnc, hmacKey.bytes, self.digestLength, self.digest, NULL); + HMAC_Init_ex(self.hmacCtxEnc, hmacKey.bytes, self.hmacKeyLength, self.digest, NULL); } - (NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error @@ -197,6 +201,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; - (void)configureDecryptionWithCipherKey:(ZeroingData *)cipherKey hmacKey:(ZeroingData *)hmacKey { NSParameterAssert(hmacKey); + NSParameterAssert(hmacKey.count >= self.hmacKeyLength); if (self.cipher) { NSParameterAssert(cipherKey.count >= self.cipherKeyLength); @@ -206,7 +211,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; } HMAC_CTX_reset(self.hmacCtxDec); - HMAC_Init_ex(self.hmacCtxDec, hmacKey.bytes, self.digestLength, self.digest, NULL); + HMAC_Init_ex(self.hmacCtxDec, hmacKey.bytes, self.hmacKeyLength, self.digest, NULL); } - (NSData *)decryptData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error From aef7daec51e749d7702524a6f006c072209b7e83 Mon Sep 17 00:00:00 2001 From: Davide De Rosa Date: Wed, 12 Sep 2018 15:24:14 +0200 Subject: [PATCH 4/4] Fix and clean up redundant nullability specifiers --- TunnelKit/Sources/Core/CryptoAEAD.h | 4 ++-- TunnelKit/Sources/Core/CryptoAEAD.m | 8 ++++---- TunnelKit/Sources/Core/CryptoBox.h | 22 ++++++++++++--------- TunnelKit/Sources/Core/CryptoCBC.h | 4 ++-- TunnelKit/Sources/Core/CryptoCBC.m | 4 ++-- TunnelKit/Sources/Core/DataPath.h | 12 +++++++---- TunnelKit/Sources/Core/DataPath.m | 12 +++++------ TunnelKit/Sources/Core/DataPathEncryption.h | 16 +++++++++------ TunnelKit/Sources/Core/Encryption.h | 20 +++++++++++-------- TunnelKit/Sources/Core/PacketMacros.h | 15 +++++++++----- TunnelKit/Sources/Core/TLSBox.h | 2 +- TunnelKit/Sources/Core/ZeroingData.h | 14 ++++++++----- 12 files changed, 79 insertions(+), 54 deletions(-) diff --git a/TunnelKit/Sources/Core/CryptoAEAD.h b/TunnelKit/Sources/Core/CryptoAEAD.h index b735221..49809fe 100644 --- a/TunnelKit/Sources/Core/CryptoAEAD.h +++ b/TunnelKit/Sources/Core/CryptoAEAD.h @@ -45,13 +45,13 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, assign) int extraLength; -- (instancetype)initWithCipherName:(nonnull NSString *)cipherName; +- (instancetype)initWithCipherName:(NSString *)cipherName; @end @interface DataPathCryptoAEAD : NSObject -- (instancetype)initWithCrypto:(nonnull CryptoAEAD *)crypto; +- (instancetype)initWithCrypto:(CryptoAEAD *)crypto; @end diff --git a/TunnelKit/Sources/Core/CryptoAEAD.m b/TunnelKit/Sources/Core/CryptoAEAD.m index 4d0fb12..2e6db35 100644 --- a/TunnelKit/Sources/Core/CryptoAEAD.m +++ b/TunnelKit/Sources/Core/CryptoAEAD.m @@ -115,7 +115,7 @@ const NSInteger CryptoAEADTagLength = 16; [self prepareIV:self.cipherIVEnc withHMACKey:hmacKey]; } -- (NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error +- (NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { NSParameterAssert(data); NSParameterAssert(extra); @@ -133,7 +133,7 @@ const NSInteger CryptoAEADTagLength = 16; return dest; } -- (BOOL)encryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error +- (BOOL)encryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { NSParameterAssert(extra); @@ -179,7 +179,7 @@ const NSInteger CryptoAEADTagLength = 16; [self prepareIV:self.cipherIVDec withHMACKey:hmacKey]; } -- (NSData *)decryptData:(NSData *)data offset:(NSInteger)offset extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error +- (NSData *)decryptData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { NSParameterAssert(data); NSParameterAssert(extra); @@ -197,7 +197,7 @@ const NSInteger CryptoAEADTagLength = 16; return dest; } -- (BOOL)decryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error +- (BOOL)decryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { NSParameterAssert(extra); diff --git a/TunnelKit/Sources/Core/CryptoBox.h b/TunnelKit/Sources/Core/CryptoBox.h index e66604a..ac959a9 100644 --- a/TunnelKit/Sources/Core/CryptoBox.h +++ b/TunnelKit/Sources/Core/CryptoBox.h @@ -38,14 +38,16 @@ #import "ZeroingData.h" +NS_ASSUME_NONNULL_BEGIN + @protocol Encrypter; @protocol Decrypter; @interface CryptoBox : NSObject -+ (BOOL)preparePRNGWithSeed:(nonnull const uint8_t *)seed length:(NSInteger)length; ++ (BOOL)preparePRNGWithSeed:(const uint8_t *)seed length:(NSInteger)length; -- (nonnull instancetype)initWithCipherAlgorithm:(nullable NSString *)cipherAlgorithm +- (instancetype)initWithCipherAlgorithm:(nullable NSString *)cipherAlgorithm digestAlgorithm:(nullable NSString *)digestAlgorithm; - (BOOL)configureWithCipherEncKey:(nullable ZeroingData *)cipherEncKey @@ -55,19 +57,21 @@ error:(NSError **)error; // WARNING: hmac must be able to hold HMAC result -+ (BOOL)hmacWithDigestName:(nonnull NSString *)digestName - secret:(nonnull const uint8_t *)secret ++ (BOOL)hmacWithDigestName:(NSString *)digestName + secret:(const uint8_t *)secret secretLength:(NSInteger)secretLength - data:(nonnull const uint8_t *)data + data:(const uint8_t *)data dataLength:(NSInteger)dataLength - hmac:(nonnull uint8_t *)hmac - hmacLength:(nonnull NSInteger *)hmacLength + hmac:(uint8_t *)hmac + hmacLength:(NSInteger *)hmacLength error:(NSError **)error; // encrypt/decrypt are mutually thread-safe -- (nonnull id)encrypter; -- (nonnull id)decrypter; +- (id)encrypter; +- (id)decrypter; - (NSInteger)digestLength; @end + +NS_ASSUME_NONNULL_END diff --git a/TunnelKit/Sources/Core/CryptoCBC.h b/TunnelKit/Sources/Core/CryptoCBC.h index 40d494f..9ef8c29 100644 --- a/TunnelKit/Sources/Core/CryptoCBC.h +++ b/TunnelKit/Sources/Core/CryptoCBC.h @@ -43,13 +43,13 @@ NS_ASSUME_NONNULL_BEGIN @interface CryptoCBC : NSObject -- (instancetype)initWithCipherName:(nullable NSString *)cipherName digestName:(nonnull NSString *)digestName; +- (instancetype)initWithCipherName:(nullable NSString *)cipherName digestName:(NSString *)digestName; @end @interface DataPathCryptoCBC : NSObject -- (instancetype)initWithCrypto:(nonnull CryptoCBC *)crypto; +- (instancetype)initWithCrypto:(CryptoCBC *)crypto; @end diff --git a/TunnelKit/Sources/Core/CryptoCBC.m b/TunnelKit/Sources/Core/CryptoCBC.m index 7645a45..350a228 100644 --- a/TunnelKit/Sources/Core/CryptoCBC.m +++ b/TunnelKit/Sources/Core/CryptoCBC.m @@ -138,7 +138,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; HMAC_Init_ex(self.hmacCtxEnc, hmacKey.bytes, self.hmacKeyLength, self.digest, NULL); } -- (NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error +- (NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { NSParameterAssert(data); @@ -155,7 +155,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100; return dest; } -- (BOOL)encryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(nonnull const uint8_t *)extra error:(NSError *__autoreleasing *)error +- (BOOL)encryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(const uint8_t *)extra error:(NSError *__autoreleasing *)error { uint8_t *outIV = dest + self.digestLength; uint8_t *outEncrypted = dest + self.digestLength + self.cipherIVLength; diff --git a/TunnelKit/Sources/Core/DataPath.h b/TunnelKit/Sources/Core/DataPath.h index 037e130..3e0b719 100644 --- a/TunnelKit/Sources/Core/DataPath.h +++ b/TunnelKit/Sources/Core/DataPath.h @@ -36,6 +36,8 @@ #import +NS_ASSUME_NONNULL_BEGIN + @protocol DataPathEncrypter; @protocol DataPathDecrypter; @@ -45,14 +47,16 @@ @property (nonatomic, assign) uint32_t maxPacketId; -- (nonnull instancetype)initWithEncrypter:(nonnull id)encrypter - decrypter:(nonnull id)decrypter +- (instancetype)initWithEncrypter:(id)encrypter + decrypter:(id)decrypter peerId:(uint32_t)peerId // 24-bit, discard most significant byte compressionFraming:(CompressionFramingNative)compressionFraming maxPackets:(NSInteger)maxPackets usesReplayProtection:(BOOL)usesReplayProtection; -- (NSArray *)encryptPackets:(nonnull NSArray *)packets key:(uint8_t)key error:(NSError **)error; -- (NSArray *)decryptPackets:(nonnull NSArray *)packets keepAlive:(nullable bool *)keepAlive error:(NSError **)error; +- (nullable NSArray *)encryptPackets:(NSArray *)packets key:(uint8_t)key error:(NSError **)error; +- (nullable NSArray *)decryptPackets:(NSArray *)packets keepAlive:(nullable bool *)keepAlive error:(NSError **)error; @end + +NS_ASSUME_NONNULL_END diff --git a/TunnelKit/Sources/Core/DataPath.m b/TunnelKit/Sources/Core/DataPath.m index 7ba3661..233918b 100644 --- a/TunnelKit/Sources/Core/DataPath.m +++ b/TunnelKit/Sources/Core/DataPath.m @@ -156,24 +156,24 @@ { switch (compressionFraming) { case CompressionFramingNativeDisabled: { - self.assemblePayloadBlock = ^(uint8_t * _Nonnull packetDest, NSInteger * _Nonnull packetLengthOffset, NSData * _Nonnull payload) { + self.assemblePayloadBlock = ^(uint8_t * packetDest, NSInteger * packetLengthOffset, NSData * payload) { memcpy(packetDest, payload.bytes, payload.length); *packetLengthOffset = 0; }; - self.parsePayloadBlock = ^(uint8_t * _Nonnull payload, NSInteger *payloadOffset, NSInteger * _Nonnull headerLength, const uint8_t * _Nonnull packet, NSInteger packetLength) { + self.parsePayloadBlock = ^(uint8_t * payload, NSInteger *payloadOffset, NSInteger * headerLength, const uint8_t * packet, NSInteger packetLength) { *payloadOffset = 0; *headerLength = 0; }; break; } case CompressionFramingNativeCompress: { - self.assemblePayloadBlock = ^(uint8_t * _Nonnull packetDest, NSInteger * _Nonnull packetLengthOffset, NSData * _Nonnull payload) { + self.assemblePayloadBlock = ^(uint8_t * packetDest, NSInteger * packetLengthOffset, NSData * payload) { memcpy(packetDest, payload.bytes, payload.length); packetDest[payload.length] = packetDest[0]; packetDest[0] = DataPacketNoCompressSwap; *packetLengthOffset = 1; }; - self.parsePayloadBlock = ^(uint8_t * _Nonnull payload, NSInteger *payloadOffset, NSInteger * _Nonnull headerLength, const uint8_t * _Nonnull packet, NSInteger packetLength) { + self.parsePayloadBlock = ^(uint8_t * payload, NSInteger *payloadOffset, NSInteger * headerLength, const uint8_t * packet, NSInteger packetLength) { NSCAssert(payload[0] == DataPacketNoCompressSwap, @"Expected NO_COMPRESS_SWAP (found %X != %X)", payload[0], DataPacketNoCompressSwap); payload[0] = packet[packetLength - 1]; *payloadOffset = 0; @@ -182,12 +182,12 @@ break; } case CompressionFramingNativeCompLZO: { - self.assemblePayloadBlock = ^(uint8_t * _Nonnull packetDest, NSInteger * _Nonnull packetLengthOffset, NSData * _Nonnull payload) { + self.assemblePayloadBlock = ^(uint8_t * packetDest, NSInteger * packetLengthOffset, NSData * payload) { memcpy(packetDest + 1, payload.bytes, payload.length); packetDest[0] = DataPacketNoCompress; *packetLengthOffset = 1; }; - self.parsePayloadBlock = ^(uint8_t * _Nonnull payload, NSInteger *payloadOffset, NSInteger * _Nonnull headerLength, const uint8_t * _Nonnull packet, NSInteger packetLength) { + self.parsePayloadBlock = ^(uint8_t * payload, NSInteger *payloadOffset, NSInteger * headerLength, const uint8_t * packet, NSInteger packetLength) { NSCAssert(payload[0] == DataPacketNoCompress, @"Expected NO_COMPRESS (found %X != %X)", payload[0], DataPacketNoCompress); *payloadOffset = 1; *headerLength = 1; diff --git a/TunnelKit/Sources/Core/DataPathEncryption.h b/TunnelKit/Sources/Core/DataPathEncryption.h index f3e4fdd..e84d1f8 100644 --- a/TunnelKit/Sources/Core/DataPathEncryption.h +++ b/TunnelKit/Sources/Core/DataPathEncryption.h @@ -36,8 +36,10 @@ #import -typedef void (^DataPathAssembleBlock)(uint8_t *_Nonnull packetDest, NSInteger *_Nonnull packetLengthOffset, NSData *_Nonnull payload); -typedef void (^DataPathParseBlock)(uint8_t *_Nonnull payload, NSInteger *_Nonnull payloadOffset, NSInteger *_Nonnull headerLength, const uint8_t *_Nonnull packet, NSInteger packetLength); +NS_ASSUME_NONNULL_BEGIN + +typedef void (^DataPathAssembleBlock)(uint8_t *packetDest, NSInteger *packetLengthOffset, NSData *payload); +typedef void (^DataPathParseBlock)(uint8_t *payload, NSInteger *payloadOffset, NSInteger *headerLength, const uint8_t *packet, NSInteger packetLength); @protocol DataPathChannel @@ -48,14 +50,16 @@ typedef void (^DataPathParseBlock)(uint8_t *_Nonnull payload, NSInteger *_Nonnul @protocol DataPathEncrypter -- (void)assembleDataPacketWithBlock:(DataPathAssembleBlock)block packetId:(uint32_t)packetId payload:(NSData *)payload into:(nonnull uint8_t *)packetBytes length:(nonnull NSInteger *)packetLength; -- (NSData *)encryptedDataPacketWithKey:(uint8_t)key packetId:(uint32_t)packetId packetBytes:(const uint8_t *)packetBytes packetLength:(NSInteger)packetLength error:(NSError **)error; +- (void)assembleDataPacketWithBlock:(nullable DataPathAssembleBlock)block packetId:(uint32_t)packetId payload:(NSData *)payload into:(uint8_t *)packetBytes length:(NSInteger *)packetLength; +- (nullable NSData *)encryptedDataPacketWithKey:(uint8_t)key packetId:(uint32_t)packetId packetBytes:(const uint8_t *)packetBytes packetLength:(NSInteger)packetLength error:(NSError **)error; @end @protocol DataPathDecrypter -- (BOOL)decryptDataPacket:(nonnull NSData *)packet into:(nonnull uint8_t *)packetBytes length:(nonnull NSInteger *)packetLength packetId:(nonnull uint32_t *)packetId error:(NSError **)error; -- (nonnull const uint8_t *)parsePayloadWithBlock:(DataPathParseBlock)block length:(nonnull NSInteger *)length packetBytes:(nonnull uint8_t *)packetBytes packetLength:(NSInteger)packetLength; +- (BOOL)decryptDataPacket:(NSData *)packet into:(uint8_t *)packetBytes length:(NSInteger *)packetLength packetId:(uint32_t *)packetId error:(NSError **)error; +- (const uint8_t *)parsePayloadWithBlock:(nullable DataPathParseBlock)block length:(NSInteger *)length packetBytes:(uint8_t *)packetBytes packetLength:(NSInteger)packetLength; @end + +NS_ASSUME_NONNULL_END diff --git a/TunnelKit/Sources/Core/Encryption.h b/TunnelKit/Sources/Core/Encryption.h index 098b692..333544c 100644 --- a/TunnelKit/Sources/Core/Encryption.h +++ b/TunnelKit/Sources/Core/Encryption.h @@ -38,6 +38,8 @@ #import "ZeroingData.h" +NS_ASSUME_NONNULL_BEGIN + @protocol DataPathEncrypter; @protocol DataPathDecrypter; @@ -49,10 +51,10 @@ - (int)overheadLength; - (int)extraLength; -- (NSData *)encryptData:(nonnull NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError **)error; -- (BOOL)encryptBytes:(nonnull const uint8_t *)bytes length:(NSInteger)length dest:(nonnull uint8_t *)dest destLength:(nonnull NSInteger *)destLength extra:(const uint8_t *)extra error:(NSError **)error; +- (nullable NSData *)encryptData:(NSData *)data offset:(NSInteger)offset extra:(nullable const uint8_t *)extra error:(NSError **)error; +- (BOOL)encryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(nullable const uint8_t *)extra error:(NSError **)error; -- (nonnull id)dataPathEncrypter; +- (id)dataPathEncrypter; @end @@ -64,11 +66,13 @@ - (int)overheadLength; - (int)extraLength; -- (NSData *)decryptData:(nonnull NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError **)error; -- (BOOL)decryptBytes:(nonnull const uint8_t *)bytes length:(NSInteger)length dest:(nonnull uint8_t *)dest destLength:(nonnull NSInteger *)destLength extra:(const uint8_t *)extra error:(NSError **)error; -- (BOOL)verifyData:(nonnull NSData *)data offset:(NSInteger)offset extra:(const uint8_t *)extra error:(NSError **)error; -- (BOOL)verifyBytes:(nonnull const uint8_t *)bytes length:(NSInteger)length extra:(const uint8_t *)extra error:(NSError **)error; +- (nullable NSData *)decryptData:(NSData *)data offset:(NSInteger)offset extra:(nullable const uint8_t *)extra error:(NSError **)error; +- (BOOL)decryptBytes:(const uint8_t *)bytes length:(NSInteger)length dest:(uint8_t *)dest destLength:(NSInteger *)destLength extra:(nullable const uint8_t *)extra error:(NSError **)error; +- (BOOL)verifyData:(NSData *)data offset:(NSInteger)offset extra:(nullable const uint8_t *)extra error:(NSError **)error; +- (BOOL)verifyBytes:(const uint8_t *)bytes length:(NSInteger)length extra:(const uint8_t *)extra error:(NSError **)error; -- (nonnull id)dataPathDecrypter; +- (id)dataPathDecrypter; @end + +NS_ASSUME_NONNULL_END diff --git a/TunnelKit/Sources/Core/PacketMacros.h b/TunnelKit/Sources/Core/PacketMacros.h index fcb4f95..1faeb89 100644 --- a/TunnelKit/Sources/Core/PacketMacros.h +++ b/TunnelKit/Sources/Core/PacketMacros.h @@ -37,6 +37,8 @@ #import +NS_ASSUME_NONNULL_BEGIN + #define PacketPeerIdDisabled 0xffffffu #define PacketIdLength 4 @@ -56,14 +58,15 @@ typedef NS_ENUM(uint8_t, PacketCode) { extern const uint8_t DataPacketPingData[16]; -static inline int PacketHeaderSet(uint8_t *_Nonnull to, PacketCode code, uint8_t key) +// Ruby: header +static inline int PacketHeaderSet(uint8_t *to, PacketCode code, uint8_t key) { *(uint8_t *)to = (code << 3) | (key & 0b111); return sizeof(uint8_t); } // Ruby: header -static inline NSData *_Nonnull PacketWithHeader(PacketCode code, uint8_t key, NSData *sessionId) +static inline NSData *PacketWithHeader(PacketCode code, uint8_t key, NSData *_Nullable sessionId) { NSMutableData *to = [[NSMutableData alloc] initWithLength:(sizeof(uint8_t) + (sessionId ? sessionId.length : 0))]; const int offset = PacketHeaderSet(to.mutableBytes, code, key); @@ -73,18 +76,18 @@ static inline NSData *_Nonnull PacketWithHeader(PacketCode code, uint8_t key, NS return to; } -static inline int PacketHeaderSetDataV2(uint8_t *_Nonnull to, uint8_t key, uint32_t peerId) +static inline int PacketHeaderSetDataV2(uint8_t *to, uint8_t key, uint32_t peerId) { *(uint32_t *)to = ((PacketCodeDataV2 << 3) | (key & 0b111)) | htonl(peerId & 0xffffff); return sizeof(uint32_t); } -static inline int PacketHeaderGetDataV2PeerId(const uint8_t *_Nonnull from) +static inline int PacketHeaderGetDataV2PeerId(const uint8_t *from) { return ntohl(*(const uint32_t *)from & 0xffffff00); } -static inline NSData *_Nonnull PacketWithHeaderDataV2(uint8_t key, uint32_t peerId, NSData *sessionId) +static inline NSData *PacketWithHeaderDataV2(uint8_t key, uint32_t peerId, NSData *sessionId) { NSMutableData *to = [[NSMutableData alloc] initWithLength:(sizeof(uint32_t) + (sessionId ? sessionId.length : 0))]; const int offset = PacketHeaderSetDataV2(to.mutableBytes, key, peerId); @@ -93,3 +96,5 @@ static inline NSData *_Nonnull PacketWithHeaderDataV2(uint8_t key, uint32_t peer } return to; } + +NS_ASSUME_NONNULL_END diff --git a/TunnelKit/Sources/Core/TLSBox.h b/TunnelKit/Sources/Core/TLSBox.h index 291f33b..7895d93 100644 --- a/TunnelKit/Sources/Core/TLSBox.h +++ b/TunnelKit/Sources/Core/TLSBox.h @@ -49,7 +49,7 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification; // @interface TLSBox : NSObject -- (nonnull instancetype)initWithCAPath:(NSString *)caPath +- (instancetype)initWithCAPath:(NSString *)caPath clientCertificatePath:(NSString *)clientCertificatePath clientKeyPath:(NSString *)clientKeyPath; diff --git a/TunnelKit/Sources/Core/ZeroingData.h b/TunnelKit/Sources/Core/ZeroingData.h index cbc8236..3e2fe3d 100644 --- a/TunnelKit/Sources/Core/ZeroingData.h +++ b/TunnelKit/Sources/Core/ZeroingData.h @@ -37,6 +37,8 @@ #import +NS_ASSUME_NONNULL_BEGIN + @interface ZeroingData : NSObject @property (nonatomic, readonly) const uint8_t *bytes; @@ -44,7 +46,7 @@ @property (nonatomic, readonly) NSInteger count; - (instancetype)initWithCount:(NSInteger)count; -- (instancetype)initWithBytes:(const uint8_t *)bytes count:(NSInteger)count; +- (instancetype)initWithBytes:(nullable const uint8_t *)bytes count:(NSInteger)count; - (instancetype)initWithUInt8:(uint8_t)uint8; - (instancetype)initWithUInt16:(uint16_t)uint16; @@ -57,13 +59,15 @@ - (void)removeUntilOffset:(NSInteger)until; - (void)zero; -- (nonnull ZeroingData *)appendingData:(ZeroingData *)other; -- (nonnull ZeroingData *)withOffset:(NSInteger)offset count:(NSInteger)count; +- (ZeroingData *)appendingData:(ZeroingData *)other; +- (ZeroingData *)withOffset:(NSInteger)offset count:(NSInteger)count; - (uint16_t)UInt16ValueFromOffset:(NSInteger)from; - (uint16_t)networkUInt16ValueFromOffset:(NSInteger)from; -- (NSString *)nullTerminatedStringFromOffset:(NSInteger)from; +- (nullable NSString *)nullTerminatedStringFromOffset:(NSInteger)from; - (BOOL)isEqualToData:(NSData *)data; -- (nonnull NSString *)toHex; +- (NSString *)toHex; @end + +NS_ASSUME_NONNULL_END