Move a few classes inside SessionProxy
- Authenticator - EncryptionBridge (formerly EncryptionProxy) - PushReply - SessionKey They only make sense there. Content unchanged.
This commit is contained in:
parent
6d5e9f68a9
commit
2459fe1bfd
|
@ -14,7 +14,6 @@ xcodebuild_arguments:
|
|||
custom_categories:
|
||||
- name: Core
|
||||
children:
|
||||
- EncryptionProxy
|
||||
- IOInterface
|
||||
- LinkInterface
|
||||
- TunnelInterface
|
||||
|
|
|
@ -29,8 +29,8 @@
|
|||
0E1108B11F77B9F900A92462 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108AF1F77B9F900A92462 /* Main.storyboard */; };
|
||||
0E1108B31F77B9F900A92462 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108B21F77B9F900A92462 /* Assets.xcassets */; };
|
||||
0E1108B61F77B9F900A92462 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108B41F77B9F900A92462 /* LaunchScreen.storyboard */; };
|
||||
0E3E0F212108A8CC00B371C1 /* PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* PushReply.swift */; };
|
||||
0E3E0F222108A8CC00B371C1 /* PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* PushReply.swift */; };
|
||||
0E3E0F212108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */; };
|
||||
0E3E0F222108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */; };
|
||||
0E85A25A202CC5AF0059E9F9 /* AppExtensionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E85A259202CC5AE0059E9F9 /* AppExtensionTests.swift */; };
|
||||
0E9379C91F819A4300CE91B6 /* TunnelKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0E17D7F91F730D9F009EE129 /* TunnelKit.framework */; };
|
||||
0EA8E2072024D4B200A92DB6 /* PIA-ECC-256k1.pem in Resources */ = {isa = PBXBuildFile; fileRef = 0EA8E2042024D4B100A92DB6 /* PIA-ECC-256k1.pem */; };
|
||||
|
@ -83,8 +83,8 @@
|
|||
0EEC49E820B5F7F6008FEB91 /* ReplayProtector.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4392006D3C800F81029 /* ReplayProtector.h */; };
|
||||
0EEC49E920B5F7F6008FEB91 /* TLSBox.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4442006D3C800F81029 /* TLSBox.h */; };
|
||||
0EEC49EA20B5F7F6008FEB91 /* ZeroingData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4412006D3C800F81029 /* ZeroingData.h */; };
|
||||
0EFEB4552006D3C800F81029 /* EncryptionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */; };
|
||||
0EFEB4562006D3C800F81029 /* SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionKey.swift */; };
|
||||
0EFEB4552006D3C800F81029 /* SessionProxy+EncryptionBridge.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */; };
|
||||
0EFEB4562006D3C800F81029 /* SessionProxy+SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */; };
|
||||
0EFEB4582006D3C800F81029 /* MSS.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB42D2006D3C800F81029 /* MSS.h */; };
|
||||
0EFEB4592006D3C800F81029 /* Allocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB42E2006D3C800F81029 /* Allocation.h */; };
|
||||
0EFEB45A2006D3C800F81029 /* TunnelInterface.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */; };
|
||||
|
@ -96,7 +96,7 @@
|
|||
0EFEB4622006D3C800F81029 /* SecureRandom.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4372006D3C800F81029 /* SecureRandom.swift */; };
|
||||
0EFEB4632006D3C800F81029 /* ProtocolMacros.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */; };
|
||||
0EFEB4642006D3C800F81029 /* ReplayProtector.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4392006D3C800F81029 /* ReplayProtector.h */; };
|
||||
0EFEB4652006D3C800F81029 /* Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* Authenticator.swift */; };
|
||||
0EFEB4652006D3C800F81029 /* SessionProxy+Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */; };
|
||||
0EFEB4662006D3C800F81029 /* ZeroingData.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43B2006D3C800F81029 /* ZeroingData.swift */; };
|
||||
0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */; };
|
||||
0EFEB4682006D3C800F81029 /* MSS.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43D2006D3C800F81029 /* MSS.m */; };
|
||||
|
@ -121,15 +121,15 @@
|
|||
0EFEB4872006D7C400F81029 /* TunnelKitProvider+Configuration.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB44F2006D3C800F81029 /* TunnelKitProvider+Configuration.swift */; };
|
||||
0EFEB4882006D7C400F81029 /* TunnelKitProvider+Interaction.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4502006D3C800F81029 /* TunnelKitProvider+Interaction.swift */; };
|
||||
0EFEB48A2006D7C400F81029 /* TunnelKitProvider.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4522006D3C800F81029 /* TunnelKitProvider.swift */; };
|
||||
0EFEB48D2006D7F300F81029 /* EncryptionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */; };
|
||||
0EFEB48E2006D7F300F81029 /* SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionKey.swift */; };
|
||||
0EFEB48D2006D7F300F81029 /* SessionProxy+EncryptionBridge.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */; };
|
||||
0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */; };
|
||||
0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */; };
|
||||
0EFEB4912006D7F300F81029 /* TLSBox.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4302006D3C800F81029 /* TLSBox.m */; };
|
||||
0EFEB4922006D7F300F81029 /* ZeroingData.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4312006D3C800F81029 /* ZeroingData.m */; };
|
||||
0EFEB4932006D7F300F81029 /* CryptoBox.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4322006D3C800F81029 /* CryptoBox.m */; };
|
||||
0EFEB4952006D7F300F81029 /* SecureRandom.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4372006D3C800F81029 /* SecureRandom.swift */; };
|
||||
0EFEB4962006D7F300F81029 /* ProtocolMacros.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */; };
|
||||
0EFEB4972006D7F300F81029 /* Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* Authenticator.swift */; };
|
||||
0EFEB4972006D7F300F81029 /* SessionProxy+Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */; };
|
||||
0EFEB4982006D7F300F81029 /* ZeroingData.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43B2006D3C800F81029 /* ZeroingData.swift */; };
|
||||
0EFEB4992006D7F300F81029 /* SessionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */; };
|
||||
0EFEB49A2006D7F300F81029 /* MSS.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43D2006D3C800F81029 /* MSS.m */; };
|
||||
|
@ -197,7 +197,7 @@
|
|||
0E1108B71F77B9F900A92462 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
|
||||
0E17D7F91F730D9F009EE129 /* TunnelKit.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = TunnelKit.framework; sourceTree = BUILT_PRODUCTS_DIR; };
|
||||
0E3251C51F95770D00C108D9 /* TunnelKit.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = TunnelKit.framework; sourceTree = BUILT_PRODUCTS_DIR; };
|
||||
0E3E0F202108A8CC00B371C1 /* PushReply.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PushReply.swift; sourceTree = "<group>"; };
|
||||
0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "SessionProxy+PushReply.swift"; sourceTree = "<group>"; };
|
||||
0E6479DD212EAC96008E6888 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
|
||||
0E6479E0212EACD6008E6888 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
|
||||
0E85A259202CC5AE0059E9F9 /* AppExtensionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppExtensionTests.swift; sourceTree = "<group>"; };
|
||||
|
@ -227,8 +227,8 @@
|
|||
0EE7A79D20F6488400B42E6A /* DataPathEncryption.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = DataPathEncryption.h; sourceTree = "<group>"; };
|
||||
0EE7A7A020F664AB00B42E6A /* DataPathEncryptionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DataPathEncryptionTests.swift; sourceTree = "<group>"; };
|
||||
0EEC49DB20B5E732008FEB91 /* Utils.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Utils.swift; sourceTree = "<group>"; };
|
||||
0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = EncryptionProxy.swift; sourceTree = "<group>"; };
|
||||
0EFEB42B2006D3C800F81029 /* SessionKey.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SessionKey.swift; sourceTree = "<group>"; };
|
||||
0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+EncryptionBridge.swift"; sourceTree = "<group>"; };
|
||||
0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+SessionKey.swift"; sourceTree = "<group>"; };
|
||||
0EFEB42D2006D3C800F81029 /* MSS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MSS.h; sourceTree = "<group>"; };
|
||||
0EFEB42E2006D3C800F81029 /* Allocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Allocation.h; sourceTree = "<group>"; };
|
||||
0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = TunnelInterface.swift; sourceTree = "<group>"; };
|
||||
|
@ -240,7 +240,7 @@
|
|||
0EFEB4372006D3C800F81029 /* SecureRandom.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SecureRandom.swift; sourceTree = "<group>"; };
|
||||
0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ProtocolMacros.swift; sourceTree = "<group>"; };
|
||||
0EFEB4392006D3C800F81029 /* ReplayProtector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ReplayProtector.h; sourceTree = "<group>"; };
|
||||
0EFEB43A2006D3C800F81029 /* Authenticator.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Authenticator.swift; sourceTree = "<group>"; };
|
||||
0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+Authenticator.swift"; sourceTree = "<group>"; };
|
||||
0EFEB43B2006D3C800F81029 /* ZeroingData.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ZeroingData.swift; sourceTree = "<group>"; };
|
||||
0EFEB43C2006D3C800F81029 /* SessionProxy.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SessionProxy.swift; sourceTree = "<group>"; };
|
||||
0EFEB43D2006D3C800F81029 /* MSS.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MSS.m; sourceTree = "<group>"; };
|
||||
|
@ -422,7 +422,6 @@
|
|||
children = (
|
||||
0EFEB42E2006D3C800F81029 /* Allocation.h */,
|
||||
0EFEB4462006D3C800F81029 /* Allocation.m */,
|
||||
0EFEB43A2006D3C800F81029 /* Authenticator.swift */,
|
||||
0EFEB44A2006D3C800F81029 /* CoreConfiguration.swift */,
|
||||
0E07597C20F0060E00F38FD8 /* CryptoAEAD.h */,
|
||||
0E07597D20F0060E00F38FD8 /* CryptoAEAD.m */,
|
||||
|
@ -436,7 +435,6 @@
|
|||
0EFEB44C2006D3C800F81029 /* DataPath.m */,
|
||||
0EE7A79D20F6488400B42E6A /* DataPathEncryption.h */,
|
||||
0E07596A20EF79AB00F38FD8 /* Encryption.h */,
|
||||
0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */,
|
||||
0EFEB4362006D3C800F81029 /* Errors.h */,
|
||||
0EFEB44B2006D3C800F81029 /* Errors.m */,
|
||||
0EFEB4452006D3C800F81029 /* IOInterface.swift */,
|
||||
|
@ -448,14 +446,16 @@
|
|||
0EE7A79420F61EDC00B42E6A /* PacketMacros.h */,
|
||||
0EE7A79720F6296F00B42E6A /* PacketMacros.m */,
|
||||
0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */,
|
||||
0E3E0F202108A8CC00B371C1 /* PushReply.swift */,
|
||||
0EFEB4392006D3C800F81029 /* ReplayProtector.h */,
|
||||
0EFEB4482006D3C800F81029 /* ReplayProtector.m */,
|
||||
0EFEB4372006D3C800F81029 /* SecureRandom.swift */,
|
||||
0E0C2123212ED29D008AB282 /* SessionError.swift */,
|
||||
0EFEB42B2006D3C800F81029 /* SessionKey.swift */,
|
||||
0EFEB43C2006D3C800F81029 /* SessionProxy.swift */,
|
||||
0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */,
|
||||
0E0C2124212ED29D008AB282 /* SessionProxy+Configuration.swift */,
|
||||
0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */,
|
||||
0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */,
|
||||
0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */,
|
||||
0EFEB4442006D3C800F81029 /* TLSBox.h */,
|
||||
0EFEB4302006D3C800F81029 /* TLSBox.m */,
|
||||
0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */,
|
||||
|
@ -881,10 +881,10 @@
|
|||
0EBBF2F5208505D700E36B40 /* NETunnelInterface.swift in Sources */,
|
||||
0EFEB4732006D3C800F81029 /* LinkInterface.swift in Sources */,
|
||||
0EBBF2F8208505DD00E36B40 /* NWUDPSessionState+Description.swift in Sources */,
|
||||
0EFEB4652006D3C800F81029 /* Authenticator.swift in Sources */,
|
||||
0EFEB4652006D3C800F81029 /* SessionProxy+Authenticator.swift in Sources */,
|
||||
0EE7A79820F6296F00B42E6A /* PacketMacros.m in Sources */,
|
||||
0EEC49DC20B5E732008FEB91 /* Utils.swift in Sources */,
|
||||
0EFEB4562006D3C800F81029 /* SessionKey.swift in Sources */,
|
||||
0EFEB4562006D3C800F81029 /* SessionProxy+SessionKey.swift in Sources */,
|
||||
0EC1BBA520D71190007C4C7B /* DNSResolver.swift in Sources */,
|
||||
0EFEB4AB200760EC00F81029 /* MemoryDestination.swift in Sources */,
|
||||
0EFEB4AE2007625E00F81029 /* Keychain.swift in Sources */,
|
||||
|
@ -894,7 +894,7 @@
|
|||
0EFEB45D2006D3C800F81029 /* CryptoBox.m in Sources */,
|
||||
0EBBF2FA2085061600E36B40 /* NETCPInterface.swift in Sources */,
|
||||
0E0C2125212ED29D008AB282 /* SessionError.swift in Sources */,
|
||||
0EFEB4552006D3C800F81029 /* EncryptionProxy.swift in Sources */,
|
||||
0EFEB4552006D3C800F81029 /* SessionProxy+EncryptionBridge.swift in Sources */,
|
||||
0EFEB45C2006D3C800F81029 /* ZeroingData.m in Sources */,
|
||||
0EFEB4632006D3C800F81029 /* ProtocolMacros.swift in Sources */,
|
||||
0EFEB4AC200760EC00F81029 /* InterfaceObserver.swift in Sources */,
|
||||
|
@ -915,7 +915,7 @@
|
|||
0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */,
|
||||
0EFEB4722006D3C800F81029 /* ReplayProtector.m in Sources */,
|
||||
0EFEB4782006D3C800F81029 /* TunnelKitProvider+Configuration.swift in Sources */,
|
||||
0E3E0F212108A8CC00B371C1 /* PushReply.swift in Sources */,
|
||||
0E3E0F212108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */,
|
||||
0EFEB4752006D3C800F81029 /* Errors.m in Sources */,
|
||||
0EBBF2E52084FE6F00E36B40 /* GenericSocket.swift in Sources */,
|
||||
0EFEB4762006D3C800F81029 /* DataPath.m in Sources */,
|
||||
|
@ -952,7 +952,7 @@
|
|||
0EFEB4952006D7F300F81029 /* SecureRandom.swift in Sources */,
|
||||
0EFEB49A2006D7F300F81029 /* MSS.m in Sources */,
|
||||
0ECE352A212EB88E0040F253 /* Certificate.swift in Sources */,
|
||||
0EFEB48D2006D7F300F81029 /* EncryptionProxy.swift in Sources */,
|
||||
0EFEB48D2006D7F300F81029 /* SessionProxy+EncryptionBridge.swift in Sources */,
|
||||
0EFEB4922006D7F300F81029 /* ZeroingData.m in Sources */,
|
||||
0E07596020EF6D1400F38FD8 /* CryptoCBC.m in Sources */,
|
||||
0EC1BBA920D7D803007C4C7B /* ConnectionStrategy.swift in Sources */,
|
||||
|
@ -963,15 +963,15 @@
|
|||
0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */,
|
||||
0EFEB49E2006D7F300F81029 /* Allocation.m in Sources */,
|
||||
0EFEB4B02007627700F81029 /* Keychain.swift in Sources */,
|
||||
0EFEB48E2006D7F300F81029 /* SessionKey.swift in Sources */,
|
||||
0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */,
|
||||
0EFEB4AF2007627700F81029 /* InterfaceObserver.swift in Sources */,
|
||||
0EFEB4A42006D7F300F81029 /* DataPath.m in Sources */,
|
||||
0EBBF2E62084FE6F00E36B40 /* GenericSocket.swift in Sources */,
|
||||
0E3E0F222108A8CC00B371C1 /* PushReply.swift in Sources */,
|
||||
0E3E0F222108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */,
|
||||
0EFEB4912006D7F300F81029 /* TLSBox.m in Sources */,
|
||||
0EFEB49D2006D7F300F81029 /* IOInterface.swift in Sources */,
|
||||
0E0C2128212ED29D008AB282 /* SessionProxy+Configuration.swift in Sources */,
|
||||
0EFEB4972006D7F300F81029 /* Authenticator.swift in Sources */,
|
||||
0EFEB4972006D7F300F81029 /* SessionProxy+Authenticator.swift in Sources */,
|
||||
0EFEB49B2006D7F300F81029 /* Packet.swift in Sources */,
|
||||
);
|
||||
runOnlyForDeploymentPostprocessing = 0;
|
||||
|
|
|
@ -134,7 +134,7 @@ open class TunnelKitProvider: NEPacketTunnelProvider {
|
|||
|
||||
log.info("Starting tunnel...")
|
||||
|
||||
guard EncryptionProxy.prepareRandomNumberGenerator(seedLength: prngSeedLength) else {
|
||||
guard SessionProxy.EncryptionBridge.prepareRandomNumberGenerator(seedLength: prngSeedLength) else {
|
||||
completionHandler(ProviderError.prngInitialization)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -1,150 +0,0 @@
|
|||
//
|
||||
// Authenticator.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 2/9/17.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
import SwiftyBeaver
|
||||
import __TunnelKitNative
|
||||
|
||||
private let log = SwiftyBeaver.self
|
||||
|
||||
fileprivate extension ZeroingData {
|
||||
fileprivate func appendSized(_ buf: ZeroingData) {
|
||||
append(Z(UInt16(buf.count).bigEndian))
|
||||
append(buf)
|
||||
}
|
||||
}
|
||||
|
||||
class Authenticator {
|
||||
private var controlBuffer: ZeroingData
|
||||
|
||||
private(set) var preMaster: ZeroingData
|
||||
|
||||
private(set) var random1: ZeroingData
|
||||
|
||||
private(set) var random2: ZeroingData
|
||||
|
||||
private(set) var serverRandom1: ZeroingData?
|
||||
|
||||
private(set) var serverRandom2: ZeroingData?
|
||||
|
||||
let username: ZeroingData
|
||||
|
||||
let password: ZeroingData
|
||||
|
||||
init(_ username: String, _ password: String) throws {
|
||||
preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
|
||||
random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
|
||||
random2 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
|
||||
|
||||
// XXX: not 100% secure, can't erase input username/password
|
||||
self.username = Z(username, nullTerminated: true)
|
||||
self.password = Z(password, nullTerminated: true)
|
||||
|
||||
controlBuffer = Z()
|
||||
}
|
||||
|
||||
// MARK: Authentication request
|
||||
|
||||
// Ruby: on_tls_connect
|
||||
func putAuth(into: TLSBox) throws {
|
||||
let raw = Z(ProtocolMacros.tlsPrefix)
|
||||
|
||||
// local keys
|
||||
raw.append(preMaster)
|
||||
raw.append(random1)
|
||||
raw.append(random2)
|
||||
|
||||
// opts
|
||||
raw.appendSized(Z(UInt8(0)))
|
||||
|
||||
// credentials
|
||||
raw.appendSized(username)
|
||||
raw.appendSized(password)
|
||||
|
||||
// peer info
|
||||
raw.appendSized(Z(CoreConfiguration.peerInfo))
|
||||
|
||||
if CoreConfiguration.logsSensitiveData {
|
||||
log.debug("TLS.auth: Put plaintext (\(raw.count) bytes): \(raw.toHex())")
|
||||
} else {
|
||||
log.debug("TLS.auth: Put plaintext (\(raw.count) bytes)")
|
||||
}
|
||||
|
||||
try into.putRawPlainText(raw.bytes, length: raw.count)
|
||||
}
|
||||
|
||||
// MARK: Server replies
|
||||
|
||||
func appendControlData(_ data: ZeroingData) {
|
||||
controlBuffer.append(data)
|
||||
}
|
||||
|
||||
func parseAuthReply() throws -> Bool {
|
||||
let prefixLength = ProtocolMacros.tlsPrefix.count
|
||||
|
||||
// TLS prefix + random (x2) + opts length [+ opts]
|
||||
guard (controlBuffer.count >= prefixLength + 2 * CoreConfiguration.randomLength + 2) else {
|
||||
return false
|
||||
}
|
||||
|
||||
let prefix = controlBuffer.withOffset(0, count: prefixLength)
|
||||
guard prefix.isEqual(to: ProtocolMacros.tlsPrefix) else {
|
||||
throw SessionError.wrongControlDataPrefix
|
||||
}
|
||||
|
||||
var offset = ProtocolMacros.tlsPrefix.count
|
||||
|
||||
let serverRandom1 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
|
||||
offset += CoreConfiguration.randomLength
|
||||
|
||||
let serverRandom2 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
|
||||
offset += CoreConfiguration.randomLength
|
||||
|
||||
let serverOptsLength = Int(controlBuffer.networkUInt16Value(fromOffset: offset))
|
||||
offset += 2
|
||||
|
||||
guard controlBuffer.count >= offset + serverOptsLength else {
|
||||
return false
|
||||
}
|
||||
let serverOpts = controlBuffer.withOffset(offset, count: serverOptsLength)
|
||||
offset += serverOptsLength
|
||||
|
||||
if CoreConfiguration.logsSensitiveData {
|
||||
log.debug("TLS.auth: Parsed server random: [\(serverRandom1.toHex()), \(serverRandom2.toHex())]")
|
||||
} else {
|
||||
log.debug("TLS.auth: Parsed server random")
|
||||
}
|
||||
|
||||
if let serverOptsString = serverOpts.nullTerminatedString(fromOffset: 0) {
|
||||
log.debug("TLS.auth: Parsed server opts: \"\(serverOptsString)\"")
|
||||
}
|
||||
|
||||
self.serverRandom1 = serverRandom1
|
||||
self.serverRandom2 = serverRandom2
|
||||
controlBuffer.remove(untilOffset: offset)
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func parseMessages() -> [String] {
|
||||
var messages = [String]()
|
||||
var offset = 0
|
||||
|
||||
while true {
|
||||
guard let msg = controlBuffer.nullTerminatedString(fromOffset: offset) else {
|
||||
break
|
||||
}
|
||||
messages.append(msg)
|
||||
offset += msg.count + 1
|
||||
}
|
||||
|
||||
controlBuffer.remove(untilOffset: offset)
|
||||
|
||||
return messages
|
||||
}
|
||||
}
|
|
@ -1,150 +0,0 @@
|
|||
//
|
||||
// EncryptionProxy.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 2/8/17.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
import __TunnelKitNative
|
||||
|
||||
/// Bridges native encryption for high-level operations.
|
||||
public class EncryptionProxy {
|
||||
private static let maxHmacLength = 100
|
||||
|
||||
private let box: CryptoBox
|
||||
|
||||
/**
|
||||
Initializes the PRNG. Must be issued before using `SessionProxy`.
|
||||
|
||||
- Parameter seedLength: The length in bytes of the pseudorandom seed that will feed the PRNG.
|
||||
*/
|
||||
public static func prepareRandomNumberGenerator(seedLength: Int) -> Bool {
|
||||
let seed: ZeroingData
|
||||
do {
|
||||
seed = try SecureRandom.safeData(length: seedLength)
|
||||
} catch {
|
||||
return false
|
||||
}
|
||||
return CryptoBox.preparePRNG(withSeed: seed.bytes, length: seed.count)
|
||||
}
|
||||
|
||||
// Ruby: keys_prf
|
||||
private static func keysPRF(
|
||||
_ label: String,
|
||||
_ secret: ZeroingData,
|
||||
_ clientSeed: ZeroingData,
|
||||
_ serverSeed: ZeroingData,
|
||||
_ clientSessionId: Data?,
|
||||
_ serverSessionId: Data?,
|
||||
_ size: Int) throws -> ZeroingData {
|
||||
|
||||
let seed = Z(label)
|
||||
seed.append(clientSeed)
|
||||
seed.append(serverSeed)
|
||||
if let csi = clientSessionId {
|
||||
seed.append(Z(csi))
|
||||
}
|
||||
if let ssi = serverSessionId {
|
||||
seed.append(Z(ssi))
|
||||
}
|
||||
let len = secret.count / 2
|
||||
let lenx = len + (secret.count & 1)
|
||||
let secret1 = secret.withOffset(0, count: lenx)
|
||||
let secret2 = secret.withOffset(len, count: lenx)
|
||||
|
||||
let hash1 = try keysHash("md5", secret1, seed, size)
|
||||
let hash2 = try keysHash("sha1", secret2, seed, size)
|
||||
|
||||
let prf = Z()
|
||||
for i in 0..<hash1.count {
|
||||
let h1 = hash1.bytes[i]
|
||||
let h2 = hash2.bytes[i]
|
||||
|
||||
prf.append(Z(h1 ^ h2))
|
||||
}
|
||||
return prf
|
||||
}
|
||||
|
||||
// Ruby: keys_hash
|
||||
private static func keysHash(_ digestName: String, _ secret: ZeroingData, _ seed: ZeroingData, _ size: Int) throws -> ZeroingData {
|
||||
let out = Z()
|
||||
let buffer = Z(count: EncryptionProxy.maxHmacLength)
|
||||
var chain = try EncryptionProxy.hmac(buffer, digestName, secret, seed)
|
||||
while (out.count < size) {
|
||||
out.append(try EncryptionProxy.hmac(buffer, digestName, secret, chain.appending(seed)))
|
||||
chain = try EncryptionProxy.hmac(buffer, digestName, secret, chain)
|
||||
}
|
||||
return out.withOffset(0, count: size)
|
||||
}
|
||||
|
||||
// Ruby: hmac
|
||||
private static func hmac(_ buffer: ZeroingData, _ digestName: String, _ secret: ZeroingData, _ data: ZeroingData) throws -> ZeroingData {
|
||||
var length = 0
|
||||
|
||||
try CryptoBox.hmac(
|
||||
withDigestName: digestName,
|
||||
secret: secret.bytes,
|
||||
secretLength: secret.count,
|
||||
data: data.bytes,
|
||||
dataLength: data.count,
|
||||
hmac: buffer.mutableBytes,
|
||||
hmacLength: &length
|
||||
)
|
||||
|
||||
return buffer.withOffset(0, count: length)
|
||||
}
|
||||
|
||||
convenience init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ auth: Authenticator,
|
||||
_ sessionId: Data, _ remoteSessionId: Data) throws {
|
||||
|
||||
guard let serverRandom1 = auth.serverRandom1, let serverRandom2 = auth.serverRandom2 else {
|
||||
fatalError("Configuring encryption without server randoms")
|
||||
}
|
||||
|
||||
let masterData = try EncryptionProxy.keysPRF(
|
||||
CoreConfiguration.label1, auth.preMaster, auth.random1,
|
||||
serverRandom1, nil, nil,
|
||||
CoreConfiguration.preMasterLength
|
||||
)
|
||||
|
||||
let keysData = try EncryptionProxy.keysPRF(
|
||||
CoreConfiguration.label2, masterData, auth.random2,
|
||||
serverRandom2, sessionId, remoteSessionId,
|
||||
CoreConfiguration.keysCount * CoreConfiguration.keyLength
|
||||
)
|
||||
|
||||
var keysArray = [ZeroingData]()
|
||||
for i in 0..<CoreConfiguration.keysCount {
|
||||
let offset = i * CoreConfiguration.keyLength
|
||||
let zbuf = keysData.withOffset(offset, count: CoreConfiguration.keyLength)
|
||||
keysArray.append(zbuf)
|
||||
}
|
||||
|
||||
let cipherEncKey = keysArray[0]
|
||||
let hmacEncKey = keysArray[1]
|
||||
let cipherDecKey = keysArray[2]
|
||||
let hmacDecKey = keysArray[3]
|
||||
|
||||
try self.init(cipher, digest, cipherEncKey, cipherDecKey, hmacEncKey, hmacDecKey)
|
||||
}
|
||||
|
||||
init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ cipherEncKey: ZeroingData, _ cipherDecKey: ZeroingData, _ hmacEncKey: ZeroingData, _ hmacDecKey: ZeroingData) throws {
|
||||
box = CryptoBox(cipherAlgorithm: cipher.rawValue, digestAlgorithm: digest.rawValue)
|
||||
try box.configure(
|
||||
withCipherEncKey: cipherEncKey,
|
||||
cipherDecKey: cipherDecKey,
|
||||
hmacEncKey: hmacEncKey,
|
||||
hmacDecKey: hmacDecKey
|
||||
)
|
||||
}
|
||||
|
||||
func encrypter() -> DataPathEncrypter {
|
||||
return box.encrypter().dataPathEncrypter()
|
||||
}
|
||||
|
||||
func decrypter() -> DataPathDecrypter {
|
||||
return box.decrypter().dataPathDecrypter()
|
||||
}
|
||||
}
|
|
@ -1,88 +0,0 @@
|
|||
//
|
||||
// PushReply.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 25/07/2018.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
|
||||
struct PushReply {
|
||||
private static let ifconfigRegexp = try! NSRegularExpression(pattern: "ifconfig [\\d\\.]+ [\\d\\.]+", options: [])
|
||||
|
||||
private static let dnsRegexp = try! NSRegularExpression(pattern: "dhcp-option DNS [\\d\\.]+", options: [])
|
||||
|
||||
private static let authTokenRegexp = try! NSRegularExpression(pattern: "auth-token [a-zA-Z0-9/=+]+", options: [])
|
||||
|
||||
private static let peerIdRegexp = try! NSRegularExpression(pattern: "peer-id [0-9]+", options: [])
|
||||
|
||||
let address: String
|
||||
|
||||
let gatewayAddress: String
|
||||
|
||||
let dnsServers: [String]
|
||||
|
||||
let authToken: String?
|
||||
|
||||
let peerId: UInt32?
|
||||
|
||||
init?(message: String) throws {
|
||||
guard message.hasPrefix("PUSH_REPLY") else {
|
||||
return nil
|
||||
}
|
||||
|
||||
var ifconfigComponents: [String]?
|
||||
var dnsServers = [String]()
|
||||
var authToken: String?
|
||||
var peerId: UInt32?
|
||||
|
||||
PushReply.ifconfigRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
ifconfigComponents = match.components(separatedBy: " ")
|
||||
}
|
||||
|
||||
guard let addresses = ifconfigComponents, addresses.count >= 2 else {
|
||||
throw SessionError.malformedPushReply
|
||||
}
|
||||
|
||||
PushReply.dnsRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
let dnsEntryComponents = match.components(separatedBy: " ")
|
||||
|
||||
dnsServers.append(dnsEntryComponents[2])
|
||||
}
|
||||
|
||||
PushReply.authTokenRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
let tokenComponents = match.components(separatedBy: " ")
|
||||
|
||||
if (tokenComponents.count > 1) {
|
||||
authToken = tokenComponents[1]
|
||||
}
|
||||
}
|
||||
|
||||
PushReply.peerIdRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
let tokenComponents = match.components(separatedBy: " ")
|
||||
|
||||
if (tokenComponents.count > 1) {
|
||||
peerId = UInt32(tokenComponents[1])
|
||||
}
|
||||
}
|
||||
|
||||
address = addresses[1]
|
||||
gatewayAddress = addresses[2]
|
||||
self.dnsServers = dnsServers
|
||||
self.authToken = authToken
|
||||
self.peerId = peerId
|
||||
}
|
||||
}
|
|
@ -1,120 +0,0 @@
|
|||
//
|
||||
// SessionKey.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 4/12/17.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
import __TunnelKitNative
|
||||
import SwiftyBeaver
|
||||
|
||||
private let log = SwiftyBeaver.self
|
||||
|
||||
class SessionKey {
|
||||
enum State {
|
||||
case invalid, hardReset, softReset, tls
|
||||
}
|
||||
|
||||
enum ControlState {
|
||||
case preAuth, preIfConfig, connected
|
||||
}
|
||||
|
||||
let id: UInt8 // 3-bit
|
||||
|
||||
let startTime: Date
|
||||
|
||||
var state = State.invalid
|
||||
|
||||
var controlState: ControlState?
|
||||
|
||||
var tlsOptional: TLSBox?
|
||||
|
||||
var tls: TLSBox {
|
||||
guard let tls = tlsOptional else {
|
||||
fatalError("TLSBox accessed when nil")
|
||||
}
|
||||
return tls
|
||||
}
|
||||
|
||||
var dataPath: DataPath?
|
||||
|
||||
var softReset: Bool
|
||||
|
||||
private var isTLSConnected: Bool
|
||||
|
||||
private var canHandlePackets: Bool
|
||||
|
||||
init(id: UInt8) {
|
||||
self.id = id
|
||||
|
||||
startTime = Date()
|
||||
state = .invalid
|
||||
softReset = false
|
||||
isTLSConnected = false
|
||||
canHandlePackets = false
|
||||
}
|
||||
|
||||
// Ruby: Key.hard_reset_timeout
|
||||
func didHardResetTimeOut(link: LinkInterface) -> Bool {
|
||||
return ((state == .hardReset) && (-startTime.timeIntervalSinceNow > link.hardResetTimeout))
|
||||
}
|
||||
|
||||
// Ruby: Key.negotiate_timeout
|
||||
func didNegotiationTimeOut(link: LinkInterface) -> Bool {
|
||||
let timeout = (softReset ? CoreConfiguration.softNegotiationTimeout : link.negotiationTimeout)
|
||||
|
||||
return ((controlState != .connected) && (-startTime.timeIntervalSinceNow > timeout))
|
||||
}
|
||||
|
||||
// Ruby: Key.on_tls_connect
|
||||
func shouldOnTLSConnect() -> Bool {
|
||||
guard !isTLSConnected else {
|
||||
return false
|
||||
}
|
||||
if tls.isConnected() {
|
||||
isTLSConnected = true
|
||||
}
|
||||
return isTLSConnected
|
||||
}
|
||||
|
||||
func startHandlingPackets(withPeerId peerId: UInt32? = nil) {
|
||||
dataPath?.setPeerId(peerId ?? PacketPeerIdDisabled)
|
||||
canHandlePackets = true
|
||||
}
|
||||
|
||||
func encrypt(packets: [Data]) throws -> [Data]? {
|
||||
guard let dataPath = dataPath else {
|
||||
log.warning("Data: Set dataPath first")
|
||||
return nil
|
||||
}
|
||||
guard canHandlePackets else {
|
||||
log.warning("Data: Invoke startHandlingPackets() before encrypting")
|
||||
return nil
|
||||
}
|
||||
return try dataPath.encryptPackets(packets, key: id)
|
||||
}
|
||||
|
||||
func decrypt(packets: [Data]) throws -> [Data]? {
|
||||
guard let dataPath = dataPath else {
|
||||
log.warning("Data: Set dataPath first")
|
||||
return nil
|
||||
}
|
||||
guard canHandlePackets else {
|
||||
log.warning("Data: Invoke startHandlingPackets() before decrypting")
|
||||
return nil
|
||||
}
|
||||
var keepAlive = false
|
||||
let decrypted = try dataPath.decryptPackets(packets, keepAlive: &keepAlive)
|
||||
if keepAlive {
|
||||
log.debug("Data: Received ping, do nothing")
|
||||
}
|
||||
return decrypted
|
||||
}
|
||||
|
||||
// func dispose() {
|
||||
// tlsOptional = nil
|
||||
// dataPath = nil
|
||||
// }
|
||||
}
|
|
@ -0,0 +1,152 @@
|
|||
//
|
||||
// SessionProxy+Authenticator.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 2/9/17.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
import SwiftyBeaver
|
||||
import __TunnelKitNative
|
||||
|
||||
private let log = SwiftyBeaver.self
|
||||
|
||||
fileprivate extension ZeroingData {
|
||||
fileprivate func appendSized(_ buf: ZeroingData) {
|
||||
append(Z(UInt16(buf.count).bigEndian))
|
||||
append(buf)
|
||||
}
|
||||
}
|
||||
|
||||
extension SessionProxy {
|
||||
class Authenticator {
|
||||
private var controlBuffer: ZeroingData
|
||||
|
||||
private(set) var preMaster: ZeroingData
|
||||
|
||||
private(set) var random1: ZeroingData
|
||||
|
||||
private(set) var random2: ZeroingData
|
||||
|
||||
private(set) var serverRandom1: ZeroingData?
|
||||
|
||||
private(set) var serverRandom2: ZeroingData?
|
||||
|
||||
let username: ZeroingData
|
||||
|
||||
let password: ZeroingData
|
||||
|
||||
init(_ username: String, _ password: String) throws {
|
||||
preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
|
||||
random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
|
||||
random2 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
|
||||
|
||||
// XXX: not 100% secure, can't erase input username/password
|
||||
self.username = Z(username, nullTerminated: true)
|
||||
self.password = Z(password, nullTerminated: true)
|
||||
|
||||
controlBuffer = Z()
|
||||
}
|
||||
|
||||
// MARK: Authentication request
|
||||
|
||||
// Ruby: on_tls_connect
|
||||
func putAuth(into: TLSBox) throws {
|
||||
let raw = Z(ProtocolMacros.tlsPrefix)
|
||||
|
||||
// local keys
|
||||
raw.append(preMaster)
|
||||
raw.append(random1)
|
||||
raw.append(random2)
|
||||
|
||||
// opts
|
||||
raw.appendSized(Z(UInt8(0)))
|
||||
|
||||
// credentials
|
||||
raw.appendSized(username)
|
||||
raw.appendSized(password)
|
||||
|
||||
// peer info
|
||||
raw.appendSized(Z(CoreConfiguration.peerInfo))
|
||||
|
||||
if CoreConfiguration.logsSensitiveData {
|
||||
log.debug("TLS.auth: Put plaintext (\(raw.count) bytes): \(raw.toHex())")
|
||||
} else {
|
||||
log.debug("TLS.auth: Put plaintext (\(raw.count) bytes)")
|
||||
}
|
||||
|
||||
try into.putRawPlainText(raw.bytes, length: raw.count)
|
||||
}
|
||||
|
||||
// MARK: Server replies
|
||||
|
||||
func appendControlData(_ data: ZeroingData) {
|
||||
controlBuffer.append(data)
|
||||
}
|
||||
|
||||
func parseAuthReply() throws -> Bool {
|
||||
let prefixLength = ProtocolMacros.tlsPrefix.count
|
||||
|
||||
// TLS prefix + random (x2) + opts length [+ opts]
|
||||
guard (controlBuffer.count >= prefixLength + 2 * CoreConfiguration.randomLength + 2) else {
|
||||
return false
|
||||
}
|
||||
|
||||
let prefix = controlBuffer.withOffset(0, count: prefixLength)
|
||||
guard prefix.isEqual(to: ProtocolMacros.tlsPrefix) else {
|
||||
throw SessionError.wrongControlDataPrefix
|
||||
}
|
||||
|
||||
var offset = ProtocolMacros.tlsPrefix.count
|
||||
|
||||
let serverRandom1 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
|
||||
offset += CoreConfiguration.randomLength
|
||||
|
||||
let serverRandom2 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
|
||||
offset += CoreConfiguration.randomLength
|
||||
|
||||
let serverOptsLength = Int(controlBuffer.networkUInt16Value(fromOffset: offset))
|
||||
offset += 2
|
||||
|
||||
guard controlBuffer.count >= offset + serverOptsLength else {
|
||||
return false
|
||||
}
|
||||
let serverOpts = controlBuffer.withOffset(offset, count: serverOptsLength)
|
||||
offset += serverOptsLength
|
||||
|
||||
if CoreConfiguration.logsSensitiveData {
|
||||
log.debug("TLS.auth: Parsed server random: [\(serverRandom1.toHex()), \(serverRandom2.toHex())]")
|
||||
} else {
|
||||
log.debug("TLS.auth: Parsed server random")
|
||||
}
|
||||
|
||||
if let serverOptsString = serverOpts.nullTerminatedString(fromOffset: 0) {
|
||||
log.debug("TLS.auth: Parsed server opts: \"\(serverOptsString)\"")
|
||||
}
|
||||
|
||||
self.serverRandom1 = serverRandom1
|
||||
self.serverRandom2 = serverRandom2
|
||||
controlBuffer.remove(untilOffset: offset)
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func parseMessages() -> [String] {
|
||||
var messages = [String]()
|
||||
var offset = 0
|
||||
|
||||
while true {
|
||||
guard let msg = controlBuffer.nullTerminatedString(fromOffset: offset) else {
|
||||
break
|
||||
}
|
||||
messages.append(msg)
|
||||
offset += msg.count + 1
|
||||
}
|
||||
|
||||
controlBuffer.remove(untilOffset: offset)
|
||||
|
||||
return messages
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,153 @@
|
|||
//
|
||||
// SessionProxy+EncryptionBridge.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 2/8/17.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
import __TunnelKitNative
|
||||
|
||||
extension SessionProxy {
|
||||
|
||||
/// Bridges native encryption for high-level operations.
|
||||
public class EncryptionBridge {
|
||||
private static let maxHmacLength = 100
|
||||
|
||||
private let box: CryptoBox
|
||||
|
||||
/**
|
||||
Initializes the PRNG. Must be issued before using `SessionProxy`.
|
||||
|
||||
- Parameter seedLength: The length in bytes of the pseudorandom seed that will feed the PRNG.
|
||||
*/
|
||||
public static func prepareRandomNumberGenerator(seedLength: Int) -> Bool {
|
||||
let seed: ZeroingData
|
||||
do {
|
||||
seed = try SecureRandom.safeData(length: seedLength)
|
||||
} catch {
|
||||
return false
|
||||
}
|
||||
return CryptoBox.preparePRNG(withSeed: seed.bytes, length: seed.count)
|
||||
}
|
||||
|
||||
// Ruby: keys_prf
|
||||
private static func keysPRF(
|
||||
_ label: String,
|
||||
_ secret: ZeroingData,
|
||||
_ clientSeed: ZeroingData,
|
||||
_ serverSeed: ZeroingData,
|
||||
_ clientSessionId: Data?,
|
||||
_ serverSessionId: Data?,
|
||||
_ size: Int) throws -> ZeroingData {
|
||||
|
||||
let seed = Z(label)
|
||||
seed.append(clientSeed)
|
||||
seed.append(serverSeed)
|
||||
if let csi = clientSessionId {
|
||||
seed.append(Z(csi))
|
||||
}
|
||||
if let ssi = serverSessionId {
|
||||
seed.append(Z(ssi))
|
||||
}
|
||||
let len = secret.count / 2
|
||||
let lenx = len + (secret.count & 1)
|
||||
let secret1 = secret.withOffset(0, count: lenx)
|
||||
let secret2 = secret.withOffset(len, count: lenx)
|
||||
|
||||
let hash1 = try keysHash("md5", secret1, seed, size)
|
||||
let hash2 = try keysHash("sha1", secret2, seed, size)
|
||||
|
||||
let prf = Z()
|
||||
for i in 0..<hash1.count {
|
||||
let h1 = hash1.bytes[i]
|
||||
let h2 = hash2.bytes[i]
|
||||
|
||||
prf.append(Z(h1 ^ h2))
|
||||
}
|
||||
return prf
|
||||
}
|
||||
|
||||
// Ruby: keys_hash
|
||||
private static func keysHash(_ digestName: String, _ secret: ZeroingData, _ seed: ZeroingData, _ size: Int) throws -> ZeroingData {
|
||||
let out = Z()
|
||||
let buffer = Z(count: EncryptionBridge.maxHmacLength)
|
||||
var chain = try EncryptionBridge.hmac(buffer, digestName, secret, seed)
|
||||
while (out.count < size) {
|
||||
out.append(try EncryptionBridge.hmac(buffer, digestName, secret, chain.appending(seed)))
|
||||
chain = try EncryptionBridge.hmac(buffer, digestName, secret, chain)
|
||||
}
|
||||
return out.withOffset(0, count: size)
|
||||
}
|
||||
|
||||
// Ruby: hmac
|
||||
private static func hmac(_ buffer: ZeroingData, _ digestName: String, _ secret: ZeroingData, _ data: ZeroingData) throws -> ZeroingData {
|
||||
var length = 0
|
||||
|
||||
try CryptoBox.hmac(
|
||||
withDigestName: digestName,
|
||||
secret: secret.bytes,
|
||||
secretLength: secret.count,
|
||||
data: data.bytes,
|
||||
dataLength: data.count,
|
||||
hmac: buffer.mutableBytes,
|
||||
hmacLength: &length
|
||||
)
|
||||
|
||||
return buffer.withOffset(0, count: length)
|
||||
}
|
||||
|
||||
convenience init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ auth: SessionProxy.Authenticator,
|
||||
_ sessionId: Data, _ remoteSessionId: Data) throws {
|
||||
|
||||
guard let serverRandom1 = auth.serverRandom1, let serverRandom2 = auth.serverRandom2 else {
|
||||
fatalError("Configuring encryption without server randoms")
|
||||
}
|
||||
|
||||
let masterData = try EncryptionBridge.keysPRF(
|
||||
CoreConfiguration.label1, auth.preMaster, auth.random1,
|
||||
serverRandom1, nil, nil,
|
||||
CoreConfiguration.preMasterLength
|
||||
)
|
||||
|
||||
let keysData = try EncryptionBridge.keysPRF(
|
||||
CoreConfiguration.label2, masterData, auth.random2,
|
||||
serverRandom2, sessionId, remoteSessionId,
|
||||
CoreConfiguration.keysCount * CoreConfiguration.keyLength
|
||||
)
|
||||
|
||||
var keysArray = [ZeroingData]()
|
||||
for i in 0..<CoreConfiguration.keysCount {
|
||||
let offset = i * CoreConfiguration.keyLength
|
||||
let zbuf = keysData.withOffset(offset, count: CoreConfiguration.keyLength)
|
||||
keysArray.append(zbuf)
|
||||
}
|
||||
|
||||
let cipherEncKey = keysArray[0]
|
||||
let hmacEncKey = keysArray[1]
|
||||
let cipherDecKey = keysArray[2]
|
||||
let hmacDecKey = keysArray[3]
|
||||
|
||||
try self.init(cipher, digest, cipherEncKey, cipherDecKey, hmacEncKey, hmacDecKey)
|
||||
}
|
||||
|
||||
init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ cipherEncKey: ZeroingData, _ cipherDecKey: ZeroingData, _ hmacEncKey: ZeroingData, _ hmacDecKey: ZeroingData) throws {
|
||||
box = CryptoBox(cipherAlgorithm: cipher.rawValue, digestAlgorithm: digest.rawValue)
|
||||
try box.configure(
|
||||
withCipherEncKey: cipherEncKey,
|
||||
cipherDecKey: cipherDecKey,
|
||||
hmacEncKey: hmacEncKey,
|
||||
hmacDecKey: hmacDecKey
|
||||
)
|
||||
}
|
||||
|
||||
func encrypter() -> DataPathEncrypter {
|
||||
return box.encrypter().dataPathEncrypter()
|
||||
}
|
||||
|
||||
func decrypter() -> DataPathDecrypter {
|
||||
return box.decrypter().dataPathDecrypter()
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,90 @@
|
|||
//
|
||||
// SessionProxy+PushReply.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 25/07/2018.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
|
||||
extension SessionProxy {
|
||||
struct PushReply {
|
||||
private static let ifconfigRegexp = try! NSRegularExpression(pattern: "ifconfig [\\d\\.]+ [\\d\\.]+", options: [])
|
||||
|
||||
private static let dnsRegexp = try! NSRegularExpression(pattern: "dhcp-option DNS [\\d\\.]+", options: [])
|
||||
|
||||
private static let authTokenRegexp = try! NSRegularExpression(pattern: "auth-token [a-zA-Z0-9/=+]+", options: [])
|
||||
|
||||
private static let peerIdRegexp = try! NSRegularExpression(pattern: "peer-id [0-9]+", options: [])
|
||||
|
||||
let address: String
|
||||
|
||||
let gatewayAddress: String
|
||||
|
||||
let dnsServers: [String]
|
||||
|
||||
let authToken: String?
|
||||
|
||||
let peerId: UInt32?
|
||||
|
||||
init?(message: String) throws {
|
||||
guard message.hasPrefix("PUSH_REPLY") else {
|
||||
return nil
|
||||
}
|
||||
|
||||
var ifconfigComponents: [String]?
|
||||
var dnsServers = [String]()
|
||||
var authToken: String?
|
||||
var peerId: UInt32?
|
||||
|
||||
PushReply.ifconfigRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
ifconfigComponents = match.components(separatedBy: " ")
|
||||
}
|
||||
|
||||
guard let addresses = ifconfigComponents, addresses.count >= 2 else {
|
||||
throw SessionError.malformedPushReply
|
||||
}
|
||||
|
||||
PushReply.dnsRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
let dnsEntryComponents = match.components(separatedBy: " ")
|
||||
|
||||
dnsServers.append(dnsEntryComponents[2])
|
||||
}
|
||||
|
||||
PushReply.authTokenRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
let tokenComponents = match.components(separatedBy: " ")
|
||||
|
||||
if (tokenComponents.count > 1) {
|
||||
authToken = tokenComponents[1]
|
||||
}
|
||||
}
|
||||
|
||||
PushReply.peerIdRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
|
||||
guard let range = result?.range else { return }
|
||||
|
||||
let match = (message as NSString).substring(with: range)
|
||||
let tokenComponents = match.components(separatedBy: " ")
|
||||
|
||||
if (tokenComponents.count > 1) {
|
||||
peerId = UInt32(tokenComponents[1])
|
||||
}
|
||||
}
|
||||
|
||||
address = addresses[1]
|
||||
gatewayAddress = addresses[2]
|
||||
self.dnsServers = dnsServers
|
||||
self.authToken = authToken
|
||||
self.peerId = peerId
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,122 @@
|
|||
//
|
||||
// SessionProxy+SessionKey.swift
|
||||
// TunnelKit
|
||||
//
|
||||
// Created by Davide De Rosa on 4/12/17.
|
||||
// Copyright © 2018 London Trust Media. All rights reserved.
|
||||
//
|
||||
|
||||
import Foundation
|
||||
import __TunnelKitNative
|
||||
import SwiftyBeaver
|
||||
|
||||
private let log = SwiftyBeaver.self
|
||||
|
||||
extension SessionProxy {
|
||||
class SessionKey {
|
||||
enum State {
|
||||
case invalid, hardReset, softReset, tls
|
||||
}
|
||||
|
||||
enum ControlState {
|
||||
case preAuth, preIfConfig, connected
|
||||
}
|
||||
|
||||
let id: UInt8 // 3-bit
|
||||
|
||||
let startTime: Date
|
||||
|
||||
var state = State.invalid
|
||||
|
||||
var controlState: ControlState?
|
||||
|
||||
var tlsOptional: TLSBox?
|
||||
|
||||
var tls: TLSBox {
|
||||
guard let tls = tlsOptional else {
|
||||
fatalError("TLSBox accessed when nil")
|
||||
}
|
||||
return tls
|
||||
}
|
||||
|
||||
var dataPath: DataPath?
|
||||
|
||||
var softReset: Bool
|
||||
|
||||
private var isTLSConnected: Bool
|
||||
|
||||
private var canHandlePackets: Bool
|
||||
|
||||
init(id: UInt8) {
|
||||
self.id = id
|
||||
|
||||
startTime = Date()
|
||||
state = .invalid
|
||||
softReset = false
|
||||
isTLSConnected = false
|
||||
canHandlePackets = false
|
||||
}
|
||||
|
||||
// Ruby: Key.hard_reset_timeout
|
||||
func didHardResetTimeOut(link: LinkInterface) -> Bool {
|
||||
return ((state == .hardReset) && (-startTime.timeIntervalSinceNow > link.hardResetTimeout))
|
||||
}
|
||||
|
||||
// Ruby: Key.negotiate_timeout
|
||||
func didNegotiationTimeOut(link: LinkInterface) -> Bool {
|
||||
let timeout = (softReset ? CoreConfiguration.softNegotiationTimeout : link.negotiationTimeout)
|
||||
|
||||
return ((controlState != .connected) && (-startTime.timeIntervalSinceNow > timeout))
|
||||
}
|
||||
|
||||
// Ruby: Key.on_tls_connect
|
||||
func shouldOnTLSConnect() -> Bool {
|
||||
guard !isTLSConnected else {
|
||||
return false
|
||||
}
|
||||
if tls.isConnected() {
|
||||
isTLSConnected = true
|
||||
}
|
||||
return isTLSConnected
|
||||
}
|
||||
|
||||
func startHandlingPackets(withPeerId peerId: UInt32? = nil) {
|
||||
dataPath?.setPeerId(peerId ?? PacketPeerIdDisabled)
|
||||
canHandlePackets = true
|
||||
}
|
||||
|
||||
func encrypt(packets: [Data]) throws -> [Data]? {
|
||||
guard let dataPath = dataPath else {
|
||||
log.warning("Data: Set dataPath first")
|
||||
return nil
|
||||
}
|
||||
guard canHandlePackets else {
|
||||
log.warning("Data: Invoke startHandlingPackets() before encrypting")
|
||||
return nil
|
||||
}
|
||||
return try dataPath.encryptPackets(packets, key: id)
|
||||
}
|
||||
|
||||
func decrypt(packets: [Data]) throws -> [Data]? {
|
||||
guard let dataPath = dataPath else {
|
||||
log.warning("Data: Set dataPath first")
|
||||
return nil
|
||||
}
|
||||
guard canHandlePackets else {
|
||||
log.warning("Data: Invoke startHandlingPackets() before decrypting")
|
||||
return nil
|
||||
}
|
||||
var keepAlive = false
|
||||
let decrypted = try dataPath.decryptPackets(packets, keepAlive: &keepAlive)
|
||||
if keepAlive {
|
||||
log.debug("Data: Received ping, do nothing")
|
||||
}
|
||||
return decrypted
|
||||
}
|
||||
|
||||
// func dispose() {
|
||||
// tlsOptional = nil
|
||||
// dataPath = nil
|
||||
// }
|
||||
}
|
||||
}
|
|
@ -1008,9 +1008,9 @@ public class SessionProxy {
|
|||
log.debug("Setup keys")
|
||||
}
|
||||
|
||||
let proxy: EncryptionProxy
|
||||
let bridge: EncryptionBridge
|
||||
do {
|
||||
proxy = try EncryptionProxy(
|
||||
bridge = try EncryptionBridge(
|
||||
configuration.cipher,
|
||||
configuration.digest,
|
||||
auth,
|
||||
|
@ -1023,8 +1023,8 @@ public class SessionProxy {
|
|||
}
|
||||
|
||||
negotiationKey.dataPath = DataPath(
|
||||
encrypter: proxy.encrypter(),
|
||||
decrypter: proxy.decrypter(),
|
||||
encrypter: bridge.encrypter(),
|
||||
decrypter: bridge.decrypter(),
|
||||
maxPackets: link?.packetBufferSize ?? 200,
|
||||
usesReplayProtection: CoreConfiguration.usesReplayProtection
|
||||
)
|
||||
|
|
|
@ -21,7 +21,7 @@ class DataPathPerformanceTests: XCTestCase {
|
|||
let ck = try! SecureRandom.safeData(length: 32)
|
||||
let hk = try! SecureRandom.safeData(length: 32)
|
||||
|
||||
let crypto = try! EncryptionProxy(.aes128cbc, .sha1, ck, ck, hk, hk)
|
||||
let crypto = try! SessionProxy.EncryptionBridge(.aes128cbc, .sha1, ck, ck, hk, hk)
|
||||
encrypter = crypto.encrypter()
|
||||
decrypter = crypto.decrypter()
|
||||
|
||||
|
|
Loading…
Reference in New Issue