diff --git a/.jazzy.yaml b/.jazzy.yaml index a78374e..74df20c 100644 --- a/.jazzy.yaml +++ b/.jazzy.yaml @@ -14,7 +14,6 @@ xcodebuild_arguments: custom_categories: - name: Core children: - - EncryptionProxy - IOInterface - LinkInterface - TunnelInterface diff --git a/TunnelKit.xcodeproj/project.pbxproj b/TunnelKit.xcodeproj/project.pbxproj index ede5158..8991f42 100644 --- a/TunnelKit.xcodeproj/project.pbxproj +++ b/TunnelKit.xcodeproj/project.pbxproj 
@@ -29,8 +29,8 @@ 0E1108B11F77B9F900A92462 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108AF1F77B9F900A92462 /* Main.storyboard */; }; 0E1108B31F77B9F900A92462 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108B21F77B9F900A92462 /* Assets.xcassets */; }; 0E1108B61F77B9F900A92462 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108B41F77B9F900A92462 /* LaunchScreen.storyboard */; }; - 0E3E0F212108A8CC00B371C1 /* PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* PushReply.swift */; }; - 0E3E0F222108A8CC00B371C1 /* PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* PushReply.swift */; }; + 0E3E0F212108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */; }; + 0E3E0F222108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */; }; 0E85A25A202CC5AF0059E9F9 /* AppExtensionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E85A259202CC5AE0059E9F9 /* AppExtensionTests.swift */; }; 0E9379C91F819A4300CE91B6 /* TunnelKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0E17D7F91F730D9F009EE129 /* TunnelKit.framework */; }; 0EA8E2072024D4B200A92DB6 /* PIA-ECC-256k1.pem in Resources */ = {isa = PBXBuildFile; fileRef = 0EA8E2042024D4B100A92DB6 /* PIA-ECC-256k1.pem */; }; 
@@ -83,8 +83,8 @@ 0EEC49E820B5F7F6008FEB91 /* ReplayProtector.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4392006D3C800F81029 /* ReplayProtector.h */; }; 0EEC49E920B5F7F6008FEB91 /* TLSBox.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4442006D3C800F81029 /* TLSBox.h */; }; 0EEC49EA20B5F7F6008FEB91 /* ZeroingData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4412006D3C800F81029 /* ZeroingData.h */; }; - 0EFEB4552006D3C800F81029 /* EncryptionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */; }; - 0EFEB4562006D3C800F81029 /* SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionKey.swift */; }; + 0EFEB4552006D3C800F81029 /* SessionProxy+EncryptionBridge.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */; }; + 0EFEB4562006D3C800F81029 /* SessionProxy+SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */; }; 0EFEB4582006D3C800F81029 /* MSS.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB42D2006D3C800F81029 /* MSS.h */; }; 0EFEB4592006D3C800F81029 /* Allocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB42E2006D3C800F81029 /* Allocation.h */; }; 0EFEB45A2006D3C800F81029 /* TunnelInterface.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */; }; 
@@ -96,7 +96,7 @@ 0EFEB4622006D3C800F81029 /* SecureRandom.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4372006D3C800F81029 /* SecureRandom.swift */; }; 0EFEB4632006D3C800F81029 /* ProtocolMacros.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */; }; 0EFEB4642006D3C800F81029 /* ReplayProtector.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4392006D3C800F81029 /* ReplayProtector.h */; }; - 0EFEB4652006D3C800F81029 /* Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* Authenticator.swift */; }; + 0EFEB4652006D3C800F81029 /* SessionProxy+Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */; }; 0EFEB4662006D3C800F81029 /* ZeroingData.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43B2006D3C800F81029 /* ZeroingData.swift */; }; 0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */; }; 0EFEB4682006D3C800F81029 /* MSS.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43D2006D3C800F81029 /* MSS.m */; }; 
@@ -121,15 +121,15 @@ 0EFEB4872006D7C400F81029 /* TunnelKitProvider+Configuration.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB44F2006D3C800F81029 /* TunnelKitProvider+Configuration.swift */; }; 0EFEB4882006D7C400F81029 /* TunnelKitProvider+Interaction.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4502006D3C800F81029 /* TunnelKitProvider+Interaction.swift */; }; 0EFEB48A2006D7C400F81029 /* TunnelKitProvider.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4522006D3C800F81029 /* TunnelKitProvider.swift */; }; - 0EFEB48D2006D7F300F81029 /* EncryptionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */; }; - 0EFEB48E2006D7F300F81029 /* SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionKey.swift */; }; + 0EFEB48D2006D7F300F81029 /* SessionProxy+EncryptionBridge.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */; }; + 0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */; }; 0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */; }; 0EFEB4912006D7F300F81029 /* TLSBox.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4302006D3C800F81029 /* TLSBox.m */; }; 0EFEB4922006D7F300F81029 /* ZeroingData.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4312006D3C800F81029 /* ZeroingData.m */; }; 0EFEB4932006D7F300F81029 /* CryptoBox.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4322006D3C800F81029 /* CryptoBox.m */; }; 0EFEB4952006D7F300F81029 /* SecureRandom.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4372006D3C800F81029 /* SecureRandom.swift */; }; 0EFEB4962006D7F300F81029 /* ProtocolMacros.swift in Sources */ = {isa = PBXBuildFile; 
fileRef = 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */; }; - 0EFEB4972006D7F300F81029 /* Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* Authenticator.swift */; }; + 0EFEB4972006D7F300F81029 /* SessionProxy+Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */; }; 0EFEB4982006D7F300F81029 /* ZeroingData.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43B2006D3C800F81029 /* ZeroingData.swift */; }; 0EFEB4992006D7F300F81029 /* SessionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */; }; 0EFEB49A2006D7F300F81029 /* MSS.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43D2006D3C800F81029 /* MSS.m */; }; 
@@ -197,7 +197,7 @@ 0E1108B71F77B9F900A92462 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 0E17D7F91F730D9F009EE129 /* TunnelKit.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = TunnelKit.framework; sourceTree = BUILT_PRODUCTS_DIR; }; 0E3251C51F95770D00C108D9 /* TunnelKit.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = TunnelKit.framework; sourceTree = BUILT_PRODUCTS_DIR; }; - 0E3E0F202108A8CC00B371C1 /* PushReply.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PushReply.swift; sourceTree = ""; }; + 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "SessionProxy+PushReply.swift"; sourceTree = ""; }; 0E6479DD212EAC96008E6888 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 0E6479E0212EACD6008E6888 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 0E85A259202CC5AE0059E9F9 /* AppExtensionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppExtensionTests.swift; sourceTree = ""; }; 
@@ -227,8 +227,8 @@ 0EE7A79D20F6488400B42E6A /* DataPathEncryption.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = DataPathEncryption.h; sourceTree = ""; }; 0EE7A7A020F664AB00B42E6A /* DataPathEncryptionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DataPathEncryptionTests.swift; sourceTree = ""; }; 0EEC49DB20B5E732008FEB91 /* Utils.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Utils.swift; sourceTree = ""; }; - 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = EncryptionProxy.swift; sourceTree = ""; }; - 0EFEB42B2006D3C800F81029 /* SessionKey.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SessionKey.swift; sourceTree = ""; }; + 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+EncryptionBridge.swift"; sourceTree = ""; }; + 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+SessionKey.swift"; sourceTree = ""; }; 0EFEB42D2006D3C800F81029 /* MSS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MSS.h; sourceTree = ""; }; 0EFEB42E2006D3C800F81029 /* Allocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Allocation.h; sourceTree = ""; }; 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = TunnelInterface.swift; sourceTree = ""; }; 
@@ -240,7 +240,7 @@ 0EFEB4372006D3C800F81029 /* SecureRandom.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SecureRandom.swift; sourceTree = ""; }; 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ProtocolMacros.swift; sourceTree = ""; }; 0EFEB4392006D3C800F81029 /* ReplayProtector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ReplayProtector.h; sourceTree = ""; }; - 0EFEB43A2006D3C800F81029 /* Authenticator.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Authenticator.swift; sourceTree = ""; }; + 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+Authenticator.swift"; sourceTree = ""; }; 0EFEB43B2006D3C800F81029 /* ZeroingData.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ZeroingData.swift; sourceTree = ""; }; 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SessionProxy.swift; sourceTree = ""; }; 0EFEB43D2006D3C800F81029 /* MSS.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MSS.m; sourceTree = ""; }; @@ -422,7 +422,6 @@ children = ( 0EFEB42E2006D3C800F81029 /* Allocation.h */, 0EFEB4462006D3C800F81029 /* Allocation.m */, - 0EFEB43A2006D3C800F81029 /* Authenticator.swift */, 0EFEB44A2006D3C800F81029 /* CoreConfiguration.swift */, 0E07597C20F0060E00F38FD8 /* CryptoAEAD.h */, 0E07597D20F0060E00F38FD8 /* CryptoAEAD.m */, 
@@ -436,7 +435,6 @@ 0EFEB44C2006D3C800F81029 /* DataPath.m */, 0EE7A79D20F6488400B42E6A /* DataPathEncryption.h */, 0E07596A20EF79AB00F38FD8 /* Encryption.h */, - 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */, 0EFEB4362006D3C800F81029 /* Errors.h */, 0EFEB44B2006D3C800F81029 /* Errors.m */, 0EFEB4452006D3C800F81029 /* IOInterface.swift */, @@ -448,14 +446,16 @@ 0EE7A79420F61EDC00B42E6A /* PacketMacros.h */, 0EE7A79720F6296F00B42E6A /* PacketMacros.m */, 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */, - 0E3E0F202108A8CC00B371C1 /* PushReply.swift */, 0EFEB4392006D3C800F81029 /* ReplayProtector.h */, 0EFEB4482006D3C800F81029 /* ReplayProtector.m */, 0EFEB4372006D3C800F81029 /* SecureRandom.swift */, 0E0C2123212ED29D008AB282 /* SessionError.swift */, - 0EFEB42B2006D3C800F81029 /* SessionKey.swift */, 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */, + 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */, 0E0C2124212ED29D008AB282 /* SessionProxy+Configuration.swift */, + 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */, + 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */, + 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */, 0EFEB4442006D3C800F81029 /* TLSBox.h */, 0EFEB4302006D3C800F81029 /* TLSBox.m */, 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */, 
@@ -881,10 +881,10 @@ 0EBBF2F5208505D700E36B40 /* NETunnelInterface.swift in Sources */, 0EFEB4732006D3C800F81029 /* LinkInterface.swift in Sources */, 0EBBF2F8208505DD00E36B40 /* NWUDPSessionState+Description.swift in Sources */, - 0EFEB4652006D3C800F81029 /* Authenticator.swift in Sources */, + 0EFEB4652006D3C800F81029 /* SessionProxy+Authenticator.swift in Sources */, 0EE7A79820F6296F00B42E6A /* PacketMacros.m in Sources */, 0EEC49DC20B5E732008FEB91 /* Utils.swift in Sources */, - 0EFEB4562006D3C800F81029 /* SessionKey.swift in Sources */, + 0EFEB4562006D3C800F81029 /* SessionProxy+SessionKey.swift in Sources */, 0EC1BBA520D71190007C4C7B /* DNSResolver.swift in Sources */, 0EFEB4AB200760EC00F81029 /* MemoryDestination.swift in Sources */, 0EFEB4AE2007625E00F81029 /* Keychain.swift in Sources */, @@ -894,7 +894,7 @@ 0EFEB45D2006D3C800F81029 /* CryptoBox.m in Sources */, 0EBBF2FA2085061600E36B40 /* NETCPInterface.swift in Sources */, 0E0C2125212ED29D008AB282 /* SessionError.swift in Sources */, - 0EFEB4552006D3C800F81029 /* EncryptionProxy.swift in Sources */, + 0EFEB4552006D3C800F81029 /* SessionProxy+EncryptionBridge.swift in Sources */, 0EFEB45C2006D3C800F81029 /* ZeroingData.m in Sources */, 0EFEB4632006D3C800F81029 /* ProtocolMacros.swift in Sources */, 0EFEB4AC200760EC00F81029 /* InterfaceObserver.swift in Sources */, @@ -915,7 +915,7 @@ 0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */, 0EFEB4722006D3C800F81029 /* ReplayProtector.m in Sources */, 0EFEB4782006D3C800F81029 /* TunnelKitProvider+Configuration.swift in Sources */, - 0E3E0F212108A8CC00B371C1 /* PushReply.swift in Sources */, + 0E3E0F212108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */, 0EFEB4752006D3C800F81029 /* Errors.m in Sources */, 0EBBF2E52084FE6F00E36B40 /* GenericSocket.swift in Sources */, 0EFEB4762006D3C800F81029 /* DataPath.m in Sources */, 
@@ -952,7 +952,7 @@ 0EFEB4952006D7F300F81029 /* SecureRandom.swift in Sources */, 0EFEB49A2006D7F300F81029 /* MSS.m in Sources */, 0ECE352A212EB88E0040F253 /* Certificate.swift in Sources */, - 0EFEB48D2006D7F300F81029 /* EncryptionProxy.swift in Sources */, + 0EFEB48D2006D7F300F81029 /* SessionProxy+EncryptionBridge.swift in Sources */, 0EFEB4922006D7F300F81029 /* ZeroingData.m in Sources */, 0E07596020EF6D1400F38FD8 /* CryptoCBC.m in Sources */, 0EC1BBA920D7D803007C4C7B /* ConnectionStrategy.swift in Sources */, @@ -963,15 +963,15 @@ 0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */, 0EFEB49E2006D7F300F81029 /* Allocation.m in Sources */, 0EFEB4B02007627700F81029 /* Keychain.swift in Sources */, - 0EFEB48E2006D7F300F81029 /* SessionKey.swift in Sources */, + 0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */, 0EFEB4AF2007627700F81029 /* InterfaceObserver.swift in Sources */, 0EFEB4A42006D7F300F81029 /* DataPath.m in Sources */, 0EBBF2E62084FE6F00E36B40 /* GenericSocket.swift in Sources */, - 0E3E0F222108A8CC00B371C1 /* PushReply.swift in Sources */, + 0E3E0F222108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */, 0EFEB4912006D7F300F81029 /* TLSBox.m in Sources */, 0EFEB49D2006D7F300F81029 /* IOInterface.swift in Sources */, 0E0C2128212ED29D008AB282 /* SessionProxy+Configuration.swift in Sources */, - 0EFEB4972006D7F300F81029 /* Authenticator.swift in Sources */, + 0EFEB4972006D7F300F81029 /* SessionProxy+Authenticator.swift in Sources */, 0EFEB49B2006D7F300F81029 /* Packet.swift in Sources */, ); runOnlyForDeploymentPostprocessing = 0; diff --git a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift index 84ba6f9..963947e 100644 --- a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift +++ b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift 
@@ -134,7 +134,7 @@ open class TunnelKitProvider: NEPacketTunnelProvider { log.info("Starting tunnel...") - guard EncryptionProxy.prepareRandomNumberGenerator(seedLength: prngSeedLength) else { + guard SessionProxy.EncryptionBridge.prepareRandomNumberGenerator(seedLength: prngSeedLength) else { completionHandler(ProviderError.prngInitialization) return } diff --git a/TunnelKit/Sources/Core/Authenticator.swift b/TunnelKit/Sources/Core/Authenticator.swift deleted file mode 100644 index e6e4cc3..0000000 --- a/TunnelKit/Sources/Core/Authenticator.swift +++ /dev/null 
@@ -1,150 +0,0 @@
-//
-// Authenticator.swift
-// TunnelKit
-//
-// Created by Davide De Rosa on 2/9/17.
-// Copyright © 2018 London Trust Media. All rights reserved.
-//
-
-import Foundation
-import SwiftyBeaver
-import __TunnelKitNative
-
-private let log = SwiftyBeaver.self
-
-fileprivate extension ZeroingData {
- fileprivate func appendSized(_ buf: ZeroingData) {
- append(Z(UInt16(buf.count).bigEndian))
- append(buf)
- }
-}
-
-class Authenticator {
- private var controlBuffer: ZeroingData
-
- private(set) var preMaster: ZeroingData
-
- private(set) var random1: ZeroingData
-
- private(set) var random2: ZeroingData
-
- private(set) var serverRandom1: ZeroingData?
-
- private(set) var serverRandom2: ZeroingData?
-
- let username: ZeroingData
-
- let password: ZeroingData
-
- init(_ username: String, _ password: String) throws {
- preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
- random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
- random2 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
-
- // XXX: not 100% secure, can't erase input username/password
- self.username = Z(username, nullTerminated: true)
- self.password = Z(password, nullTerminated: true)
-
- controlBuffer = Z()
- }
-
- // MARK: Authentication request
-
- // Ruby: on_tls_connect
- func putAuth(into: TLSBox) throws {
- let raw = Z(ProtocolMacros.tlsPrefix)
-
- // local keys
- raw.append(preMaster)
- raw.append(random1)
- raw.append(random2)
-
- // opts
- raw.appendSized(Z(UInt8(0)))
-
- // credentials
- raw.appendSized(username)
- raw.appendSized(password)
-
- // peer info
- raw.appendSized(Z(CoreConfiguration.peerInfo))
-
- if CoreConfiguration.logsSensitiveData {
- log.debug("TLS.auth: Put plaintext (\(raw.count) bytes): \(raw.toHex())")
- } else {
- log.debug("TLS.auth: Put plaintext (\(raw.count) bytes)")
- }
-
- try into.putRawPlainText(raw.bytes, length: raw.count)
- }
-
- // MARK: Server replies
-
- func appendControlData(_ data: ZeroingData) {
- controlBuffer.append(data)
- }
-
- func parseAuthReply() throws -> Bool {
- let prefixLength = ProtocolMacros.tlsPrefix.count
-
- // TLS prefix + random (x2) + opts length [+ opts]
- guard (controlBuffer.count >= prefixLength + 2 * CoreConfiguration.randomLength + 2) else {
- return false
- }
-
- let prefix = controlBuffer.withOffset(0, count: prefixLength)
- guard prefix.isEqual(to: ProtocolMacros.tlsPrefix) else {
- throw SessionError.wrongControlDataPrefix
- }
-
- var offset = ProtocolMacros.tlsPrefix.count
-
- let serverRandom1 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
- offset += CoreConfiguration.randomLength
-
- let serverRandom2 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
- offset += CoreConfiguration.randomLength
-
- let serverOptsLength = Int(controlBuffer.networkUInt16Value(fromOffset: offset))
- offset += 2
-
- guard controlBuffer.count >= offset + serverOptsLength else {
- return false
- }
- let serverOpts = controlBuffer.withOffset(offset, count: serverOptsLength)
- offset += serverOptsLength
-
- if CoreConfiguration.logsSensitiveData {
- log.debug("TLS.auth: Parsed server random: [\(serverRandom1.toHex()), \(serverRandom2.toHex())]")
- } else {
- log.debug("TLS.auth: Parsed server random")
- }
-
- if let serverOptsString = serverOpts.nullTerminatedString(fromOffset: 0) {
- log.debug("TLS.auth: Parsed server opts: \"\(serverOptsString)\"")
- }
-
- self.serverRandom1 = serverRandom1
- self.serverRandom2 = serverRandom2
- controlBuffer.remove(untilOffset: offset)
-
- return true
- }
-
- func parseMessages() -> [String] {
- var messages = [String]()
- var offset = 0
-
- while true {
- guard let msg = controlBuffer.nullTerminatedString(fromOffset: offset) else {
- break
- }
- messages.append(msg)
- offset += msg.count + 1
- }
-
- controlBuffer.remove(untilOffset: offset)
-
- return messages
- }
-}
diff --git a/TunnelKit/Sources/Core/EncryptionProxy.swift b/TunnelKit/Sources/Core/EncryptionProxy.swift
deleted file mode 100644
index fb7b8ed..0000000
--- a/TunnelKit/Sources/Core/EncryptionProxy.swift
+++ /dev/null
@@ -1,150 +0,0 @@ -// -// EncryptionProxy.swift -// TunnelKit -// -// Created by Davide De Rosa on 2/8/17. -// Copyright © 2018 London Trust Media. All rights reserved. -// - -import Foundation -import __TunnelKitNative - -/// Bridges native encryption for high-level operations. -public class EncryptionProxy { - private static let maxHmacLength = 100 - - private let box: CryptoBox - - /** - Initializes the PRNG. Must be issued before using `SessionProxy`. - - - Parameter seedLength: The length in bytes of the pseudorandom seed that will feed the PRNG. - */ - public static func prepareRandomNumberGenerator(seedLength: Int) -> Bool { - let seed: ZeroingData - do { - seed = try SecureRandom.safeData(length: seedLength) - } catch { - return false - } - return CryptoBox.preparePRNG(withSeed: seed.bytes, length: seed.count) - } - - // Ruby: keys_prf - private static func keysPRF( - _ label: String, - _ secret: ZeroingData, - _ clientSeed: ZeroingData, - _ serverSeed: ZeroingData, - _ clientSessionId: Data?, - _ serverSessionId: Data?, - _ size: Int) throws -> ZeroingData { - - let seed = Z(label) - seed.append(clientSeed) - seed.append(serverSeed) - if let csi = clientSessionId { - seed.append(Z(csi)) - } - if let ssi = serverSessionId { - seed.append(Z(ssi)) - } - let len = secret.count / 2 - let lenx = len + (secret.count & 1) - let secret1 = secret.withOffset(0, count: lenx) - let secret2 = secret.withOffset(len, count: lenx) - - let hash1 = try keysHash("md5", secret1, seed, size) - let hash2 = try keysHash("sha1", secret2, seed, size) - - let prf = Z() - for i in 0.. 
ZeroingData { - let out = Z() - let buffer = Z(count: EncryptionProxy.maxHmacLength) - var chain = try EncryptionProxy.hmac(buffer, digestName, secret, seed) - while (out.count < size) { - out.append(try EncryptionProxy.hmac(buffer, digestName, secret, chain.appending(seed))) - chain = try EncryptionProxy.hmac(buffer, digestName, secret, chain) - } - return out.withOffset(0, count: size) - } - - // Ruby: hmac - private static func hmac(_ buffer: ZeroingData, _ digestName: String, _ secret: ZeroingData, _ data: ZeroingData) throws -> ZeroingData { - var length = 0 - - try CryptoBox.hmac( - withDigestName: digestName, - secret: secret.bytes, - secretLength: secret.count, - data: data.bytes, - dataLength: data.count, - hmac: buffer.mutableBytes, - hmacLength: &length - ) - - return buffer.withOffset(0, count: length) - } - - convenience init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ auth: Authenticator, - _ sessionId: Data, _ remoteSessionId: Data) throws { - - guard let serverRandom1 = auth.serverRandom1, let serverRandom2 = auth.serverRandom2 else { - fatalError("Configuring encryption without server randoms") - } - - let masterData = try EncryptionProxy.keysPRF( - CoreConfiguration.label1, auth.preMaster, auth.random1, - serverRandom1, nil, nil, - CoreConfiguration.preMasterLength - ) - - let keysData = try EncryptionProxy.keysPRF( - CoreConfiguration.label2, masterData, auth.random2, - serverRandom2, sessionId, remoteSessionId, - CoreConfiguration.keysCount * CoreConfiguration.keyLength - ) - - var keysArray = [ZeroingData]() - for i in 0.. DataPathEncrypter { - return box.encrypter().dataPathEncrypter() - } - - func decrypter() -> DataPathDecrypter { - return box.decrypter().dataPathDecrypter() - } -} diff --git a/TunnelKit/Sources/Core/PushReply.swift b/TunnelKit/Sources/Core/PushReply.swift deleted file mode 100644 index ddb248a..0000000 --- a/TunnelKit/Sources/Core/PushReply.swift +++ /dev/null 
@@ -1,88 +0,0 @@
-//
-// PushReply.swift
-// TunnelKit
-//
-// Created by Davide De Rosa on 25/07/2018.
-// Copyright © 2018 London Trust Media. All rights reserved.
-//
-
-import Foundation
-
-struct PushReply {
- private static let ifconfigRegexp = try! NSRegularExpression(pattern: "ifconfig [\\d\\.]+ [\\d\\.]+", options: [])
-
- private static let dnsRegexp = try! NSRegularExpression(pattern: "dhcp-option DNS [\\d\\.]+", options: [])
-
- private static let authTokenRegexp = try! NSRegularExpression(pattern: "auth-token [a-zA-Z0-9/=+]+", options: [])
-
- private static let peerIdRegexp = try! NSRegularExpression(pattern: "peer-id [0-9]+", options: [])
-
- let address: String
-
- let gatewayAddress: String
-
- let dnsServers: [String]
-
- let authToken: String?
-
- let peerId: UInt32?
-
- init?(message: String) throws {
- guard message.hasPrefix("PUSH_REPLY") else {
- return nil
- }
-
- var ifconfigComponents: [String]?
- var dnsServers = [String]()
- var authToken: String?
- var peerId: UInt32?
-
- PushReply.ifconfigRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
- guard let range = result?.range else { return }
-
- let match = (message as NSString).substring(with: range)
- ifconfigComponents = match.components(separatedBy: " ")
- }
-
- guard let addresses = ifconfigComponents, addresses.count >= 2 else {
- throw SessionError.malformedPushReply
- }
-
- PushReply.dnsRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
- guard let range = result?.range else { return }
-
- let match = (message as NSString).substring(with: range)
- let dnsEntryComponents = match.components(separatedBy: " ")
-
- dnsServers.append(dnsEntryComponents[2])
- }
-
- PushReply.authTokenRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
- guard let range = result?.range else { return }
-
- let match = (message as NSString).substring(with: range)
- let tokenComponents = match.components(separatedBy: " ")
-
- if (tokenComponents.count > 1) {
- authToken = tokenComponents[1]
- }
- }
-
- PushReply.peerIdRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
- guard let range = result?.range else { return }
-
- let match = (message as NSString).substring(with: range)
- let tokenComponents = match.components(separatedBy: " ")
-
- if (tokenComponents.count > 1) {
- peerId = UInt32(tokenComponents[1])
- }
- }
-
- address = addresses[1]
- gatewayAddress = addresses[2]
- self.dnsServers = dnsServers
- self.authToken = authToken
- self.peerId = peerId
- }
-}
diff --git a/TunnelKit/Sources/Core/SessionKey.swift b/TunnelKit/Sources/Core/SessionKey.swift
deleted file mode 100644
index 5380bf4..0000000
--- a/TunnelKit/Sources/Core/SessionKey.swift
+++ /dev/null
@@ -1,120 +0,0 @@
-//
-// SessionKey.swift
-// TunnelKit
-//
-// Created by Davide De Rosa on 4/12/17.
-// Copyright © 2018 London Trust Media. All rights reserved.
-//
-
-import Foundation
-import __TunnelKitNative
-import SwiftyBeaver
-
-private let log = SwiftyBeaver.self
-
-class SessionKey {
- enum State {
- case invalid, hardReset, softReset, tls
- }
-
- enum ControlState {
- case preAuth, preIfConfig, connected
- }
-
- let id: UInt8 // 3-bit
-
- let startTime: Date
-
- var state = State.invalid
-
- var controlState: ControlState?
-
- var tlsOptional: TLSBox?
-
- var tls: TLSBox {
- guard let tls = tlsOptional else {
- fatalError("TLSBox accessed when nil")
- }
- return tls
- }
-
- var dataPath: DataPath?
-
- var softReset: Bool
-
- private var isTLSConnected: Bool
-
- private var canHandlePackets: Bool
-
- init(id: UInt8) {
- self.id = id
-
- startTime = Date()
- state = .invalid
- softReset = false
- isTLSConnected = false
- canHandlePackets = false
- }
-
- // Ruby: Key.hard_reset_timeout
- func didHardResetTimeOut(link: LinkInterface) -> Bool {
- return ((state == .hardReset) && (-startTime.timeIntervalSinceNow > link.hardResetTimeout))
- }
-
- // Ruby: Key.negotiate_timeout
- func didNegotiationTimeOut(link: LinkInterface) -> Bool {
- let timeout = (softReset ? CoreConfiguration.softNegotiationTimeout : link.negotiationTimeout)
-
- return ((controlState != .connected) && (-startTime.timeIntervalSinceNow > timeout))
- }
-
- // Ruby: Key.on_tls_connect
- func shouldOnTLSConnect() -> Bool {
- guard !isTLSConnected else {
- return false
- }
- if tls.isConnected() {
- isTLSConnected = true
- }
- return isTLSConnected
- }
-
- func startHandlingPackets(withPeerId peerId: UInt32? = nil) {
- dataPath?.setPeerId(peerId ?? PacketPeerIdDisabled)
- canHandlePackets = true
- }
-
- func encrypt(packets: [Data]) throws -> [Data]? {
- guard let dataPath = dataPath else {
- log.warning("Data: Set dataPath first")
- return nil
- }
- guard canHandlePackets else {
- log.warning("Data: Invoke startHandlingPackets() before encrypting")
- return nil
- }
- return try dataPath.encryptPackets(packets, key: id)
- }
-
- func decrypt(packets: [Data]) throws -> [Data]? {
- guard let dataPath = dataPath else {
- log.warning("Data: Set dataPath first")
- return nil
- }
- guard canHandlePackets else {
- log.warning("Data: Invoke startHandlingPackets() before decrypting")
- return nil
- }
- var keepAlive = false
- let decrypted = try dataPath.decryptPackets(packets, keepAlive: &keepAlive)
- if keepAlive {
- log.debug("Data: Received ping, do nothing")
- }
- return decrypted
- }
-
-// func dispose() {
-// tlsOptional = nil
-// dataPath = nil
-// }
-}
diff --git a/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift b/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
new file mode 100644
index 0000000..03de6f8
--- /dev/null
+++ b/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
@@ -0,0 +1,152 @@
+//
+// SessionProxy+Authenticator.swift
+// TunnelKit
+//
+// Created by Davide De Rosa on 2/9/17.
+// Copyright © 2018 London Trust Media. All rights reserved.
+//
+
+import Foundation
+import SwiftyBeaver
+import __TunnelKitNative
+
+private let log = SwiftyBeaver.self
+
+fileprivate extension ZeroingData {
+ fileprivate func appendSized(_ buf: ZeroingData) {
+ append(Z(UInt16(buf.count).bigEndian))
+ append(buf)
+ }
+}
+
+extension SessionProxy {
+ class Authenticator {
+ private var controlBuffer: ZeroingData
+
+ private(set) var preMaster: ZeroingData
+
+ private(set) var random1: ZeroingData
+
+ private(set) var random2: ZeroingData
+
+ private(set) var serverRandom1: ZeroingData?
+
+ private(set) var serverRandom2: ZeroingData?
+
+ let username: ZeroingData
+
+ let password: ZeroingData
+
+ init(_ username: String, _ password: String) throws {
+ preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
+ random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
+ random2 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
+
+ // XXX: not 100% secure, can't erase input username/password
+ self.username = Z(username, nullTerminated: true)
+ self.password = Z(password, nullTerminated: true)
+
+ controlBuffer = Z()
+ }
+
+ // MARK: Authentication request
+
+ // Ruby: on_tls_connect
+ func putAuth(into: TLSBox) throws {
+ let raw = Z(ProtocolMacros.tlsPrefix)
+
+ // local keys
+ raw.append(preMaster)
+ raw.append(random1)
+ raw.append(random2)
+
+ // opts
+ raw.appendSized(Z(UInt8(0)))
+
+ // credentials
+ raw.appendSized(username)
+ raw.appendSized(password)
+
+ // peer info
+ raw.appendSized(Z(CoreConfiguration.peerInfo))
+
+ if CoreConfiguration.logsSensitiveData {
+ log.debug("TLS.auth: Put plaintext (\(raw.count) bytes): \(raw.toHex())")
+ } else {
+ log.debug("TLS.auth: Put plaintext (\(raw.count) bytes)")
+ }
+
+ try into.putRawPlainText(raw.bytes, length: raw.count)
+ }
+
+ // MARK: Server replies
+
+ func appendControlData(_ data: ZeroingData) {
+ controlBuffer.append(data)
+ }
+
+ func parseAuthReply() throws -> Bool {
+ let prefixLength = ProtocolMacros.tlsPrefix.count
+
+ // TLS prefix + random (x2) + opts length [+ opts]
+ guard (controlBuffer.count >= prefixLength + 2 * CoreConfiguration.randomLength + 2) else {
+ return false
+ }
+
+ let prefix = controlBuffer.withOffset(0, count: prefixLength)
+ guard prefix.isEqual(to: ProtocolMacros.tlsPrefix) else {
+ throw SessionError.wrongControlDataPrefix
+ }
+
+ var offset = ProtocolMacros.tlsPrefix.count
+
+ let serverRandom1 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
+ offset += CoreConfiguration.randomLength
+
+ let serverRandom2 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
+ offset += CoreConfiguration.randomLength
+
+ let serverOptsLength = Int(controlBuffer.networkUInt16Value(fromOffset: offset))
+ offset += 2
+
+ guard controlBuffer.count >= offset + serverOptsLength else {
+ return false
+ }
+ let serverOpts = controlBuffer.withOffset(offset, count: serverOptsLength)
+ offset += serverOptsLength
+
+ if CoreConfiguration.logsSensitiveData {
+ log.debug("TLS.auth: Parsed server random: [\(serverRandom1.toHex()), \(serverRandom2.toHex())]")
+ } else {
+ log.debug("TLS.auth: Parsed server random")
+ }
+
+ if let serverOptsString = serverOpts.nullTerminatedString(fromOffset: 0) {
+ log.debug("TLS.auth: Parsed server opts: \"\(serverOptsString)\"")
+ }
+
+ self.serverRandom1 = serverRandom1
+ self.serverRandom2 = serverRandom2
+ controlBuffer.remove(untilOffset: offset)
+
+ return true
+ }
+
+ func parseMessages() -> [String] {
+ var messages = [String]()
+ var offset = 0
+
+ while true {
+ guard let msg = controlBuffer.nullTerminatedString(fromOffset: offset) else {
+ break
+ }
+ messages.append(msg)
+ offset += msg.count + 1
+ }
+
+ controlBuffer.remove(untilOffset: offset)
+
+ return messages
+ }
+ }
+}
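Review bot: In `parseMessages`, `offset += msg.count + 1` advances by the number of Swift `Character`s in the decoded string, not by the number of bytes the message occupied in `controlBuffer`. A server message containing a multi-byte character or a CRLF pair (a single `Character` in Swift) leaves `offset` short, so the next `nullTerminatedString(fromOffset:)` starts inside the previous message and `remove(untilOffset:)` discards the wrong amount of peer-supplied control data. Assuming `nullTerminatedString` decodes the bytes as UTF-8 (its implementation is not in this diff), the advance should be `offset += msg.utf8.count + 1`.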
diff --git a/TunnelKit/Sources/Core/SessionProxy+EncryptionBridge.swift b/TunnelKit/Sources/Core/SessionProxy+EncryptionBridge.swift
new file mode 100644
index 0000000..dde9aa0
--- /dev/null
+++ b/TunnelKit/Sources/Core/SessionProxy+EncryptionBridge.swift
@@ -0,0 +1,153 @@ +// +// SessionProxy+EncryptionBridge.swift +// TunnelKit +// +// Created by Davide De Rosa on 2/8/17. +// Copyright © 2018 London Trust Media. All rights reserved. +// + +import Foundation +import __TunnelKitNative + +extension SessionProxy { + + /// Bridges native encryption for high-level operations. + public class EncryptionBridge { + private static let maxHmacLength = 100 + + private let box: CryptoBox + + /** + Initializes the PRNG. Must be issued before using `SessionProxy`. + + - Parameter seedLength: The length in bytes of the pseudorandom seed that will feed the PRNG. + */ + public static func prepareRandomNumberGenerator(seedLength: Int) -> Bool { + let seed: ZeroingData + do { + seed = try SecureRandom.safeData(length: seedLength) + } catch { + return false + } + return CryptoBox.preparePRNG(withSeed: seed.bytes, length: seed.count) + } + + // Ruby: keys_prf + private static func keysPRF( + _ label: String, + _ secret: ZeroingData, + _ clientSeed: ZeroingData, + _ serverSeed: ZeroingData, + _ clientSessionId: Data?, + _ serverSessionId: Data?, + _ size: Int) throws -> ZeroingData { + + let seed = Z(label) + seed.append(clientSeed) + seed.append(serverSeed) + if let csi = clientSessionId { + seed.append(Z(csi)) + } + if let ssi = serverSessionId { + seed.append(Z(ssi)) + } + let len = secret.count / 2 + let lenx = len + (secret.count & 1) + let secret1 = secret.withOffset(0, count: lenx) + let secret2 = secret.withOffset(len, count: lenx) + + let hash1 = try keysHash("md5", secret1, seed, size) + let hash2 = try keysHash("sha1", secret2, seed, size) + + let prf = Z() + for i in 0.. 
ZeroingData { + let out = Z() + let buffer = Z(count: EncryptionBridge.maxHmacLength) + var chain = try EncryptionBridge.hmac(buffer, digestName, secret, seed) + while (out.count < size) { + out.append(try EncryptionBridge.hmac(buffer, digestName, secret, chain.appending(seed))) + chain = try EncryptionBridge.hmac(buffer, digestName, secret, chain) + } + return out.withOffset(0, count: size) + } + + // Ruby: hmac + private static func hmac(_ buffer: ZeroingData, _ digestName: String, _ secret: ZeroingData, _ data: ZeroingData) throws -> ZeroingData { + var length = 0 + + try CryptoBox.hmac( + withDigestName: digestName, + secret: secret.bytes, + secretLength: secret.count, + data: data.bytes, + dataLength: data.count, + hmac: buffer.mutableBytes, + hmacLength: &length + ) + + return buffer.withOffset(0, count: length) + } + + convenience init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ auth: SessionProxy.Authenticator, + _ sessionId: Data, _ remoteSessionId: Data) throws { + + guard let serverRandom1 = auth.serverRandom1, let serverRandom2 = auth.serverRandom2 else { + fatalError("Configuring encryption without server randoms") + } + + let masterData = try EncryptionBridge.keysPRF( + CoreConfiguration.label1, auth.preMaster, auth.random1, + serverRandom1, nil, nil, + CoreConfiguration.preMasterLength + ) + + let keysData = try EncryptionBridge.keysPRF( + CoreConfiguration.label2, masterData, auth.random2, + serverRandom2, sessionId, remoteSessionId, + CoreConfiguration.keysCount * CoreConfiguration.keyLength + ) + + var keysArray = [ZeroingData]() + for i in 0.. DataPathEncrypter { + return box.encrypter().dataPathEncrypter() + } + + func decrypter() -> DataPathDecrypter { + return box.decrypter().dataPathDecrypter() + } + } +} diff --git a/TunnelKit/Sources/Core/SessionProxy+PushReply.swift b/TunnelKit/Sources/Core/SessionProxy+PushReply.swift new file mode 100644 index 0000000..ef7617e --- /dev/null 
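Review bot: `hmac(_:_:_:_:)` passes `buffer.mutableBytes` to `CryptoBox.hmac` with no capacity argument, so the only thing keeping the native write inside the allocation is that `maxHmacLength` (100) is at least as large as the digest output. That invariant is not stated anywhere; I would document it on the constant, e.g. `// Capacity of the HMAC scratch buffer; CryptoBox.hmac is not told this size, so it must stay >= the largest supported digest length.` If the native call can accept a capacity, passing `buffer.count` would be safer still, but its signature is not visible in this diff. Part of this hunk is truncated on the page (around the `for i in 0..` loops), so this note covers only the visible lines.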
+++ b/TunnelKit/Sources/Core/SessionProxy+PushReply.swift 
@@ -0,0 +1,90 @@
+//
+// SessionProxy+PushReply.swift
+// TunnelKit
+//
+// Created by Davide De Rosa on 25/07/2018.
+// Copyright © 2018 London Trust Media. All rights reserved.
+//
+
+import Foundation
+
+extension SessionProxy {
+ struct PushReply {
+ private static let ifconfigRegexp = try! NSRegularExpression(pattern: "ifconfig [\\d\\.]+ [\\d\\.]+", options: [])
+
+ private static let dnsRegexp = try! NSRegularExpression(pattern: "dhcp-option DNS [\\d\\.]+", options: [])
+
+ private static let authTokenRegexp = try! NSRegularExpression(pattern: "auth-token [a-zA-Z0-9/=+]+", options: [])
+
+ private static let peerIdRegexp = try! NSRegularExpression(pattern: "peer-id [0-9]+", options: [])
+
+ let address: String
+
+ let gatewayAddress: String
+
+ let dnsServers: [String]
+
+ let authToken: String?
+
+ let peerId: UInt32?
+
+ init?(message: String) throws {
+ guard message.hasPrefix("PUSH_REPLY") else {
+ return nil
+ }
+
+ var ifconfigComponents: [String]?
+ var dnsServers = [String]()
+ var authToken: String?
+ var peerId: UInt32?
+
+ PushReply.ifconfigRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
+ guard let range = result?.range else { return }
+
+ let match = (message as NSString).substring(with: range)
+ ifconfigComponents = match.components(separatedBy: " ")
+ }
+
+ guard let addresses = ifconfigComponents, addresses.count >= 2 else {
+ throw SessionError.malformedPushReply
+ }
+
+ PushReply.dnsRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
+ guard let range = result?.range else { return }
+
+ let match = (message as NSString).substring(with: range)
+ let dnsEntryComponents = match.components(separatedBy: " ")
+
+ dnsServers.append(dnsEntryComponents[2])
+ }
+
+ PushReply.authTokenRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
+ guard let range = result?.range else { return }
+
+ let match = (message as NSString).substring(with: range)
+ let tokenComponents = match.components(separatedBy: " ")
+
+ if (tokenComponents.count > 1) {
+ authToken = tokenComponents[1]
+ }
+ }
+
+ PushReply.peerIdRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
+ guard let range = result?.range else { return }
+
+ let match = (message as NSString).substring(with: range)
+ let tokenComponents = match.components(separatedBy: " ")
+
+ if (tokenComponents.count > 1) {
+ peerId = UInt32(tokenComponents[1])
+ }
+ }
+
+ address = addresses[1]
+ gatewayAddress = addresses[2]
+ self.dnsServers = dnsServers
+ self.authToken = authToken
+ self.peerId = peerId
+ }
+ }
+}
diff --git a/TunnelKit/Sources/Core/SessionProxy+SessionKey.swift b/TunnelKit/Sources/Core/SessionProxy+SessionKey.swift
new file mode 100644
index 0000000..1e48370
--- /dev/null
+++ b/TunnelKit/Sources/Core/SessionProxy+SessionKey.swift
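Review bot: The guard `addresses.count >= 2` in `PushReply.init?(message:)` does not cover the later `gatewayAddress = addresses[2]`, which needs three components. The index is safe today only because `ifconfigRegexp` matches nothing that splits into fewer than three parts. Since the message is server-supplied, the guard should state the real requirement: `guard let addresses = ifconfigComponents, addresses.count >= 3 else {`. Separately, every `NSMakeRange(0, message.count)` measures the string in `Character`s while `NSRegularExpression` ranges are UTF-16 units, so a reply containing CRLF or non-ASCII text is only partly scanned and trailing options can be missed. `NSRange(location: 0, length: message.utf16.count)` covers the whole message.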
@@ -0,0 +1,122 @@ +// +// SessionProxy+SessionKey.swift +// TunnelKit +// +// Created by Davide De Rosa on 4/12/17. +// Copyright © 2018 London Trust Media. All rights reserved. +// + +import Foundation +import __TunnelKitNative +import SwiftyBeaver + +private let log = SwiftyBeaver.self + +extension SessionProxy { + class SessionKey { + enum State { + case invalid, hardReset, softReset, tls + } + + enum ControlState { + case preAuth, preIfConfig, connected + } + + let id: UInt8 // 3-bit + + let startTime: Date + + var state = State.invalid + + var controlState: ControlState? + + var tlsOptional: TLSBox? + + var tls: TLSBox { + guard let tls = tlsOptional else { + fatalError("TLSBox accessed when nil") + } + return tls + } + + var dataPath: DataPath? + + var softReset: Bool + + private var isTLSConnected: Bool + + private var canHandlePackets: Bool + + init(id: UInt8) { + self.id = id + + startTime = Date() + state = .invalid + softReset = false + isTLSConnected = false + canHandlePackets = false + } + + // Ruby: Key.hard_reset_timeout + func didHardResetTimeOut(link: LinkInterface) -> Bool { + return ((state == .hardReset) && (-startTime.timeIntervalSinceNow > link.hardResetTimeout)) + } + + // Ruby: Key.negotiate_timeout + func didNegotiationTimeOut(link: LinkInterface) -> Bool { + let timeout = (softReset ? CoreConfiguration.softNegotiationTimeout : link.negotiationTimeout) + + return ((controlState != .connected) && (-startTime.timeIntervalSinceNow > timeout)) + } + + // Ruby: Key.on_tls_connect + func shouldOnTLSConnect() -> Bool { + guard !isTLSConnected else { + return false + } + if tls.isConnected() { + isTLSConnected = true + } + return isTLSConnected + } + + func startHandlingPackets(withPeerId peerId: UInt32? = nil) { + dataPath?.setPeerId(peerId ?? PacketPeerIdDisabled) + canHandlePackets = true + } + + func encrypt(packets: [Data]) throws -> [Data]? 
{ + guard let dataPath = dataPath else { + log.warning("Data: Set dataPath first") + return nil + } + guard canHandlePackets else { + log.warning("Data: Invoke startHandlingPackets() before encrypting") + return nil + } + return try dataPath.encryptPackets(packets, key: id) + } + + func decrypt(packets: [Data]) throws -> [Data]? { + guard let dataPath = dataPath else { + log.warning("Data: Set dataPath first") + return nil + } + guard canHandlePackets else { + log.warning("Data: Invoke startHandlingPackets() before decrypting") + return nil + } + var keepAlive = false + let decrypted = try dataPath.decryptPackets(packets, keepAlive: &keepAlive) + if keepAlive { + log.debug("Data: Received ping, do nothing") + } + return decrypted + } + + // func dispose() { + // tlsOptional = nil + // dataPath = nil + // } + } +} diff --git a/TunnelKit/Sources/Core/SessionProxy.swift b/TunnelKit/Sources/Core/SessionProxy.swift index 6300a25..604dec5 100644 --- a/TunnelKit/Sources/Core/SessionProxy.swift +++ b/TunnelKit/Sources/Core/SessionProxy.swift @@ -1008,9 +1008,9 @@ public class SessionProxy { log.debug("Setup keys") } - let proxy: EncryptionProxy + let bridge: EncryptionBridge do { - proxy = try EncryptionProxy( + bridge = try EncryptionBridge( configuration.cipher, configuration.digest, auth, @@ -1023,8 +1023,8 @@ public class SessionProxy { } negotiationKey.dataPath = DataPath( - encrypter: proxy.encrypter(), - decrypter: proxy.decrypter(), + encrypter: bridge.encrypter(), + decrypter: bridge.decrypter(), maxPackets: link?.packetBufferSize ?? 200, usesReplayProtection: CoreConfiguration.usesReplayProtection ) diff --git a/TunnelKitTests/DataPathPerformanceTests.swift b/TunnelKitTests/DataPathPerformanceTests.swift index 664077d..9e23aba 100644 --- a/TunnelKitTests/DataPathPerformanceTests.swift +++ b/TunnelKitTests/DataPathPerformanceTests.swift 
@@ -21,7 +21,7 @@ class DataPathPerformanceTests: XCTestCase { let ck = try! SecureRandom.safeData(length: 32) let hk = try! SecureRandom.safeData(length: 32) - let crypto = try! EncryptionProxy(.aes128cbc, .sha1, ck, ck, hk, hk) + let crypto = try! SessionProxy.EncryptionBridge(.aes128cbc, .sha1, ck, ck, hk, hk) encrypter = crypto.encrypter() decrypter = crypto.decrypter()