Move a few classes inside SessionProxy

- Authenticator - EncryptionBridge (formerly EncryptionProxy) - PushReply - SessionKey They only make sense there. Content unchanged.
2018-08-23 15:49:21 +02:00 · 2018-08-23 15:49:21 +02:00 · 2459fe1bfd
parent 6d5e9f68a9
commit 2459fe1bfd
13 changed files with 547 additions and 539 deletions
--- a/.jazzy.yaml
+++ b/.jazzy.yaml
@ -14,7 +14,6 @@ xcodebuild_arguments:
 custom_categories:
    - name: Core
      children:
        - EncryptionProxy
        - IOInterface
        - LinkInterface
        - TunnelInterface
--- a/TunnelKit.xcodeproj/project.pbxproj
+++ b/TunnelKit.xcodeproj/project.pbxproj
@ -29,8 +29,8 @@
 		0E1108B11F77B9F900A92462 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108AF1F77B9F900A92462 /* Main.storyboard */; };
 		0E1108B31F77B9F900A92462 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108B21F77B9F900A92462 /* Assets.xcassets */; };
 		0E1108B61F77B9F900A92462 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 0E1108B41F77B9F900A92462 /* LaunchScreen.storyboard */; };
-		0E3E0F212108A8CC00B371C1 /* PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* PushReply.swift */; };
+		0E3E0F212108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */; };
-		0E3E0F222108A8CC00B371C1 /* PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* PushReply.swift */; };
+		0E3E0F222108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */; };
 		0E85A25A202CC5AF0059E9F9 /* AppExtensionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E85A259202CC5AE0059E9F9 /* AppExtensionTests.swift */; };
 		0E9379C91F819A4300CE91B6 /* TunnelKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0E17D7F91F730D9F009EE129 /* TunnelKit.framework */; };
 		0EA8E2072024D4B200A92DB6 /* PIA-ECC-256k1.pem in Resources */ = {isa = PBXBuildFile; fileRef = 0EA8E2042024D4B100A92DB6 /* PIA-ECC-256k1.pem */; };
@ -83,8 +83,8 @@
 		0EEC49E820B5F7F6008FEB91 /* ReplayProtector.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4392006D3C800F81029 /* ReplayProtector.h */; };
 		0EEC49E920B5F7F6008FEB91 /* TLSBox.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4442006D3C800F81029 /* TLSBox.h */; };
 		0EEC49EA20B5F7F6008FEB91 /* ZeroingData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4412006D3C800F81029 /* ZeroingData.h */; };
-		0EFEB4552006D3C800F81029 /* EncryptionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */; };
+		0EFEB4552006D3C800F81029 /* SessionProxy+EncryptionBridge.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */; };
-		0EFEB4562006D3C800F81029 /* SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionKey.swift */; };
+		0EFEB4562006D3C800F81029 /* SessionProxy+SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */; };
 		0EFEB4582006D3C800F81029 /* MSS.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB42D2006D3C800F81029 /* MSS.h */; };
 		0EFEB4592006D3C800F81029 /* Allocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB42E2006D3C800F81029 /* Allocation.h */; };
 		0EFEB45A2006D3C800F81029 /* TunnelInterface.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */; };
@ -96,7 +96,7 @@
 		0EFEB4622006D3C800F81029 /* SecureRandom.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4372006D3C800F81029 /* SecureRandom.swift */; };
 		0EFEB4632006D3C800F81029 /* ProtocolMacros.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */; };
 		0EFEB4642006D3C800F81029 /* ReplayProtector.h in Headers */ = {isa = PBXBuildFile; fileRef = 0EFEB4392006D3C800F81029 /* ReplayProtector.h */; };
-		0EFEB4652006D3C800F81029 /* Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* Authenticator.swift */; };
+		0EFEB4652006D3C800F81029 /* SessionProxy+Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */; };
 		0EFEB4662006D3C800F81029 /* ZeroingData.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43B2006D3C800F81029 /* ZeroingData.swift */; };
 		0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */; };
 		0EFEB4682006D3C800F81029 /* MSS.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43D2006D3C800F81029 /* MSS.m */; };
@ -121,15 +121,15 @@
 		0EFEB4872006D7C400F81029 /* TunnelKitProvider+Configuration.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB44F2006D3C800F81029 /* TunnelKitProvider+Configuration.swift */; };
 		0EFEB4882006D7C400F81029 /* TunnelKitProvider+Interaction.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4502006D3C800F81029 /* TunnelKitProvider+Interaction.swift */; };
 		0EFEB48A2006D7C400F81029 /* TunnelKitProvider.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4522006D3C800F81029 /* TunnelKitProvider.swift */; };
-		0EFEB48D2006D7F300F81029 /* EncryptionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */; };
+		0EFEB48D2006D7F300F81029 /* SessionProxy+EncryptionBridge.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */; };
-		0EFEB48E2006D7F300F81029 /* SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionKey.swift */; };
+		0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */; };
 		0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */; };
 		0EFEB4912006D7F300F81029 /* TLSBox.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4302006D3C800F81029 /* TLSBox.m */; };
 		0EFEB4922006D7F300F81029 /* ZeroingData.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4312006D3C800F81029 /* ZeroingData.m */; };
 		0EFEB4932006D7F300F81029 /* CryptoBox.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4322006D3C800F81029 /* CryptoBox.m */; };
 		0EFEB4952006D7F300F81029 /* SecureRandom.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4372006D3C800F81029 /* SecureRandom.swift */; };
 		0EFEB4962006D7F300F81029 /* ProtocolMacros.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */; };
-		0EFEB4972006D7F300F81029 /* Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* Authenticator.swift */; };
+		0EFEB4972006D7F300F81029 /* SessionProxy+Authenticator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */; };
 		0EFEB4982006D7F300F81029 /* ZeroingData.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43B2006D3C800F81029 /* ZeroingData.swift */; };
 		0EFEB4992006D7F300F81029 /* SessionProxy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43C2006D3C800F81029 /* SessionProxy.swift */; };
 		0EFEB49A2006D7F300F81029 /* MSS.m in Sources */ = {isa = PBXBuildFile; fileRef = 0EFEB43D2006D3C800F81029 /* MSS.m */; };
@ -197,7 +197,7 @@
 		0E1108B71F77B9F900A92462 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		0E17D7F91F730D9F009EE129 /* TunnelKit.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = TunnelKit.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		0E3251C51F95770D00C108D9 /* TunnelKit.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = TunnelKit.framework; sourceTree = BUILT_PRODUCTS_DIR; };
-		0E3E0F202108A8CC00B371C1 /* PushReply.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PushReply.swift; sourceTree = "<group>"; };
+		0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "SessionProxy+PushReply.swift"; sourceTree = "<group>"; };
 		0E6479DD212EAC96008E6888 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		0E6479E0212EACD6008E6888 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		0E85A259202CC5AE0059E9F9 /* AppExtensionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppExtensionTests.swift; sourceTree = "<group>"; };
@ -227,8 +227,8 @@
 		0EE7A79D20F6488400B42E6A /* DataPathEncryption.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = DataPathEncryption.h; sourceTree = "<group>"; };
 		0EE7A7A020F664AB00B42E6A /* DataPathEncryptionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DataPathEncryptionTests.swift; sourceTree = "<group>"; };
 		0EEC49DB20B5E732008FEB91 /* Utils.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Utils.swift; sourceTree = "<group>"; };
-		0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = EncryptionProxy.swift; sourceTree = "<group>"; };
+		0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+EncryptionBridge.swift"; sourceTree = "<group>"; };
-		0EFEB42B2006D3C800F81029 /* SessionKey.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SessionKey.swift; sourceTree = "<group>"; };
+		0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+SessionKey.swift"; sourceTree = "<group>"; };
 		0EFEB42D2006D3C800F81029 /* MSS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MSS.h; sourceTree = "<group>"; };
 		0EFEB42E2006D3C800F81029 /* Allocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Allocation.h; sourceTree = "<group>"; };
 		0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = TunnelInterface.swift; sourceTree = "<group>"; };
@ -240,7 +240,7 @@
 		0EFEB4372006D3C800F81029 /* SecureRandom.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SecureRandom.swift; sourceTree = "<group>"; };
 		0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ProtocolMacros.swift; sourceTree = "<group>"; };
 		0EFEB4392006D3C800F81029 /* ReplayProtector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ReplayProtector.h; sourceTree = "<group>"; };
-		0EFEB43A2006D3C800F81029 /* Authenticator.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Authenticator.swift; sourceTree = "<group>"; };
+		0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+Authenticator.swift"; sourceTree = "<group>"; };
 		0EFEB43B2006D3C800F81029 /* ZeroingData.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ZeroingData.swift; sourceTree = "<group>"; };
 		0EFEB43C2006D3C800F81029 /* SessionProxy.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SessionProxy.swift; sourceTree = "<group>"; };
 		0EFEB43D2006D3C800F81029 /* MSS.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MSS.m; sourceTree = "<group>"; };
@ -422,7 +422,6 @@
 			children = (
 				0EFEB42E2006D3C800F81029 /* Allocation.h */,
 				0EFEB4462006D3C800F81029 /* Allocation.m */,
 				0EFEB43A2006D3C800F81029 /* Authenticator.swift */,
 				0EFEB44A2006D3C800F81029 /* CoreConfiguration.swift */,
 				0E07597C20F0060E00F38FD8 /* CryptoAEAD.h */,
 				0E07597D20F0060E00F38FD8 /* CryptoAEAD.m */,
@ -436,7 +435,6 @@
 				0EFEB44C2006D3C800F81029 /* DataPath.m */,
 				0EE7A79D20F6488400B42E6A /* DataPathEncryption.h */,
 				0E07596A20EF79AB00F38FD8 /* Encryption.h */,
 				0EFEB42A2006D3C800F81029 /* EncryptionProxy.swift */,
 				0EFEB4362006D3C800F81029 /* Errors.h */,
 				0EFEB44B2006D3C800F81029 /* Errors.m */,
 				0EFEB4452006D3C800F81029 /* IOInterface.swift */,
@ -448,14 +446,16 @@
 				0EE7A79420F61EDC00B42E6A /* PacketMacros.h */,
 				0EE7A79720F6296F00B42E6A /* PacketMacros.m */,
 				0EFEB4382006D3C800F81029 /* ProtocolMacros.swift */,
 				0E3E0F202108A8CC00B371C1 /* PushReply.swift */,
 				0EFEB4392006D3C800F81029 /* ReplayProtector.h */,
 				0EFEB4482006D3C800F81029 /* ReplayProtector.m */,
 				0EFEB4372006D3C800F81029 /* SecureRandom.swift */,
 				0E0C2123212ED29D008AB282 /* SessionError.swift */,
 				0EFEB42B2006D3C800F81029 /* SessionKey.swift */,
 				0EFEB43C2006D3C800F81029 /* SessionProxy.swift */,
 				0EFEB43A2006D3C800F81029 /* SessionProxy+Authenticator.swift */,
 				0E0C2124212ED29D008AB282 /* SessionProxy+Configuration.swift */,
 				0EFEB42A2006D3C800F81029 /* SessionProxy+EncryptionBridge.swift */,
 				0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */,
 				0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */,
 				0EFEB4442006D3C800F81029 /* TLSBox.h */,
 				0EFEB4302006D3C800F81029 /* TLSBox.m */,
 				0EFEB42F2006D3C800F81029 /* TunnelInterface.swift */,
@ -881,10 +881,10 @@
 				0EBBF2F5208505D700E36B40 /* NETunnelInterface.swift in Sources */,
 				0EFEB4732006D3C800F81029 /* LinkInterface.swift in Sources */,
 				0EBBF2F8208505DD00E36B40 /* NWUDPSessionState+Description.swift in Sources */,
-				0EFEB4652006D3C800F81029 /* Authenticator.swift in Sources */,
+				0EFEB4652006D3C800F81029 /* SessionProxy+Authenticator.swift in Sources */,
 				0EE7A79820F6296F00B42E6A /* PacketMacros.m in Sources */,
 				0EEC49DC20B5E732008FEB91 /* Utils.swift in Sources */,
-				0EFEB4562006D3C800F81029 /* SessionKey.swift in Sources */,
+				0EFEB4562006D3C800F81029 /* SessionProxy+SessionKey.swift in Sources */,
 				0EC1BBA520D71190007C4C7B /* DNSResolver.swift in Sources */,
 				0EFEB4AB200760EC00F81029 /* MemoryDestination.swift in Sources */,
 				0EFEB4AE2007625E00F81029 /* Keychain.swift in Sources */,
@ -894,7 +894,7 @@
 				0EFEB45D2006D3C800F81029 /* CryptoBox.m in Sources */,
 				0EBBF2FA2085061600E36B40 /* NETCPInterface.swift in Sources */,
 				0E0C2125212ED29D008AB282 /* SessionError.swift in Sources */,
-				0EFEB4552006D3C800F81029 /* EncryptionProxy.swift in Sources */,
+				0EFEB4552006D3C800F81029 /* SessionProxy+EncryptionBridge.swift in Sources */,
 				0EFEB45C2006D3C800F81029 /* ZeroingData.m in Sources */,
 				0EFEB4632006D3C800F81029 /* ProtocolMacros.swift in Sources */,
 				0EFEB4AC200760EC00F81029 /* InterfaceObserver.swift in Sources */,
@ -915,7 +915,7 @@
 				0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */,
 				0EFEB4722006D3C800F81029 /* ReplayProtector.m in Sources */,
 				0EFEB4782006D3C800F81029 /* TunnelKitProvider+Configuration.swift in Sources */,
-				0E3E0F212108A8CC00B371C1 /* PushReply.swift in Sources */,
+				0E3E0F212108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */,
 				0EFEB4752006D3C800F81029 /* Errors.m in Sources */,
 				0EBBF2E52084FE6F00E36B40 /* GenericSocket.swift in Sources */,
 				0EFEB4762006D3C800F81029 /* DataPath.m in Sources */,
@ -952,7 +952,7 @@
 				0EFEB4952006D7F300F81029 /* SecureRandom.swift in Sources */,
 				0EFEB49A2006D7F300F81029 /* MSS.m in Sources */,
 				0ECE352A212EB88E0040F253 /* Certificate.swift in Sources */,
-				0EFEB48D2006D7F300F81029 /* EncryptionProxy.swift in Sources */,
+				0EFEB48D2006D7F300F81029 /* SessionProxy+EncryptionBridge.swift in Sources */,
 				0EFEB4922006D7F300F81029 /* ZeroingData.m in Sources */,
 				0E07596020EF6D1400F38FD8 /* CryptoCBC.m in Sources */,
 				0EC1BBA920D7D803007C4C7B /* ConnectionStrategy.swift in Sources */,
@ -963,15 +963,15 @@
 				0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */,
 				0EFEB49E2006D7F300F81029 /* Allocation.m in Sources */,
 				0EFEB4B02007627700F81029 /* Keychain.swift in Sources */,
-				0EFEB48E2006D7F300F81029 /* SessionKey.swift in Sources */,
+				0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */,
 				0EFEB4AF2007627700F81029 /* InterfaceObserver.swift in Sources */,
 				0EFEB4A42006D7F300F81029 /* DataPath.m in Sources */,
 				0EBBF2E62084FE6F00E36B40 /* GenericSocket.swift in Sources */,
-				0E3E0F222108A8CC00B371C1 /* PushReply.swift in Sources */,
+				0E3E0F222108A8CC00B371C1 /* SessionProxy+PushReply.swift in Sources */,
 				0EFEB4912006D7F300F81029 /* TLSBox.m in Sources */,
 				0EFEB49D2006D7F300F81029 /* IOInterface.swift in Sources */,
 				0E0C2128212ED29D008AB282 /* SessionProxy+Configuration.swift in Sources */,
-				0EFEB4972006D7F300F81029 /* Authenticator.swift in Sources */,
+				0EFEB4972006D7F300F81029 /* SessionProxy+Authenticator.swift in Sources */,
 				0EFEB49B2006D7F300F81029 /* Packet.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
--- a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
+++ b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
@ -134,7 +134,7 @@ open class TunnelKitProvider: NEPacketTunnelProvider {
        log.info("Starting tunnel...")
-        guard EncryptionProxy.prepareRandomNumberGenerator(seedLength: prngSeedLength) else {
+        guard SessionProxy.EncryptionBridge.prepareRandomNumberGenerator(seedLength: prngSeedLength) else {
            completionHandler(ProviderError.prngInitialization)
            return
        }
--- a/TunnelKit/Sources/Core/Authenticator.swift
+++ b/TunnelKit/Sources/Core/Authenticator.swift
@ -1,150 +0,0 @@
 //
 //  Authenticator.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 2/9/17.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 import SwiftyBeaver
 import __TunnelKitNative
 private let log = SwiftyBeaver.self
 fileprivate extension ZeroingData {
    fileprivate func appendSized(_ buf: ZeroingData) {
        append(Z(UInt16(buf.count).bigEndian))
        append(buf)
    }
 }
 class Authenticator {
    private var controlBuffer: ZeroingData
    private(set) var preMaster: ZeroingData
    private(set) var random1: ZeroingData
    private(set) var random2: ZeroingData
    private(set) var serverRandom1: ZeroingData?
    private(set) var serverRandom2: ZeroingData?
    let username: ZeroingData
    let password: ZeroingData
    init(_ username: String, _ password: String) throws {
        preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
        random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
        random2 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
        // XXX: not 100% secure, can't erase input username/password
        self.username = Z(username, nullTerminated: true)
        self.password = Z(password, nullTerminated: true)
        controlBuffer = Z()
    }
    // MARK: Authentication request
    // Ruby: on_tls_connect
    func putAuth(into: TLSBox) throws {
        let raw = Z(ProtocolMacros.tlsPrefix)
        // local keys
        raw.append(preMaster)
        raw.append(random1)
        raw.append(random2)
        // opts
        raw.appendSized(Z(UInt8(0)))
        // credentials
        raw.appendSized(username)
        raw.appendSized(password)
        // peer info
        raw.appendSized(Z(CoreConfiguration.peerInfo))
        if CoreConfiguration.logsSensitiveData {
            log.debug("TLS.auth: Put plaintext (\(raw.count) bytes): \(raw.toHex())")
        } else {
            log.debug("TLS.auth: Put plaintext (\(raw.count) bytes)")
        }
        try into.putRawPlainText(raw.bytes, length: raw.count)
    }
    // MARK: Server replies
    func appendControlData(_ data: ZeroingData) {
        controlBuffer.append(data)
    }
    func parseAuthReply() throws -> Bool {
        let prefixLength = ProtocolMacros.tlsPrefix.count
        // TLS prefix + random (x2) + opts length [+ opts]
        guard (controlBuffer.count >= prefixLength + 2 * CoreConfiguration.randomLength + 2) else {
            return false
        }
        let prefix = controlBuffer.withOffset(0, count: prefixLength)
        guard prefix.isEqual(to: ProtocolMacros.tlsPrefix) else {
            throw SessionError.wrongControlDataPrefix
        }
        var offset = ProtocolMacros.tlsPrefix.count
        let serverRandom1 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
        offset += CoreConfiguration.randomLength
        let serverRandom2 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
        offset += CoreConfiguration.randomLength
        let serverOptsLength = Int(controlBuffer.networkUInt16Value(fromOffset: offset))
        offset += 2
        guard controlBuffer.count >= offset + serverOptsLength else {
            return false
        }
        let serverOpts = controlBuffer.withOffset(offset, count: serverOptsLength)
        offset += serverOptsLength
        if CoreConfiguration.logsSensitiveData {
            log.debug("TLS.auth: Parsed server random: [\(serverRandom1.toHex()), \(serverRandom2.toHex())]")
        } else {
            log.debug("TLS.auth: Parsed server random")
        }
        if let serverOptsString = serverOpts.nullTerminatedString(fromOffset: 0) {
            log.debug("TLS.auth: Parsed server opts: \"\(serverOptsString)\"")
        }
        self.serverRandom1 = serverRandom1
        self.serverRandom2 = serverRandom2
        controlBuffer.remove(untilOffset: offset)
        return true
    }
    func parseMessages() -> [String] {
        var messages = [String]()
        var offset = 0
        while true {
            guard let msg = controlBuffer.nullTerminatedString(fromOffset: offset) else {
                break
            }
            messages.append(msg)
            offset += msg.count + 1
        }
        controlBuffer.remove(untilOffset: offset)
        return messages
    }
 }
--- a/TunnelKit/Sources/Core/EncryptionProxy.swift
+++ b/TunnelKit/Sources/Core/EncryptionProxy.swift
@ -1,150 +0,0 @@
 //
 //  EncryptionProxy.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 2/8/17.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 import __TunnelKitNative
 /// Bridges native encryption for high-level operations.
 public class EncryptionProxy {
    private static let maxHmacLength = 100
    private let box: CryptoBox
    /**
     Initializes the PRNG. Must be issued before using `SessionProxy`.
     - Parameter seedLength: The length in bytes of the pseudorandom seed that will feed the PRNG.
     */
    public static func prepareRandomNumberGenerator(seedLength: Int) -> Bool {
        let seed: ZeroingData
        do {
            seed = try SecureRandom.safeData(length: seedLength)
        } catch {
            return false
        }
        return CryptoBox.preparePRNG(withSeed: seed.bytes, length: seed.count)
    }
    // Ruby: keys_prf
    private static func keysPRF(
        _ label: String,
        _ secret: ZeroingData,
        _ clientSeed: ZeroingData,
        _ serverSeed: ZeroingData,
        _ clientSessionId: Data?,
        _ serverSessionId: Data?,
        _ size: Int) throws -> ZeroingData {
        let seed = Z(label)
        seed.append(clientSeed)
        seed.append(serverSeed)
        if let csi = clientSessionId {
            seed.append(Z(csi))
        }
        if let ssi = serverSessionId {
            seed.append(Z(ssi))
        }
        let len = secret.count / 2
        let lenx = len + (secret.count & 1)
        let secret1 = secret.withOffset(0, count: lenx)
        let secret2 = secret.withOffset(len, count: lenx)
        let hash1 = try keysHash("md5", secret1, seed, size)
        let hash2 = try keysHash("sha1", secret2, seed, size)
        let prf = Z()
        for i in 0..<hash1.count {
            let h1 = hash1.bytes[i]
            let h2 = hash2.bytes[i]
            prf.append(Z(h1 ^ h2))
        }
        return prf
    }
    // Ruby: keys_hash
    private static func keysHash(_ digestName: String, _ secret: ZeroingData, _ seed: ZeroingData, _ size: Int) throws -> ZeroingData {
        let out = Z()
        let buffer = Z(count: EncryptionProxy.maxHmacLength)
        var chain = try EncryptionProxy.hmac(buffer, digestName, secret, seed)
        while (out.count < size) {
            out.append(try EncryptionProxy.hmac(buffer, digestName, secret, chain.appending(seed)))
            chain = try EncryptionProxy.hmac(buffer, digestName, secret, chain)
        }
        return out.withOffset(0, count: size)
    }
    // Ruby: hmac
    private static func hmac(_ buffer: ZeroingData, _ digestName: String, _ secret: ZeroingData, _ data: ZeroingData) throws -> ZeroingData {
        var length = 0
        try CryptoBox.hmac(
            withDigestName: digestName,
            secret: secret.bytes,
            secretLength: secret.count,
            data: data.bytes,
            dataLength: data.count,
            hmac: buffer.mutableBytes,
            hmacLength: &length
        )
        return buffer.withOffset(0, count: length)
    }
    convenience init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ auth: Authenticator,
                     _ sessionId: Data, _ remoteSessionId: Data) throws {
        guard let serverRandom1 = auth.serverRandom1, let serverRandom2 = auth.serverRandom2 else {
            fatalError("Configuring encryption without server randoms")
        }
        let masterData = try EncryptionProxy.keysPRF(
            CoreConfiguration.label1, auth.preMaster, auth.random1,
            serverRandom1, nil, nil,
            CoreConfiguration.preMasterLength
        )
        let keysData = try EncryptionProxy.keysPRF(
            CoreConfiguration.label2, masterData, auth.random2,
            serverRandom2, sessionId, remoteSessionId,
            CoreConfiguration.keysCount * CoreConfiguration.keyLength
        )
        var keysArray = [ZeroingData]()
        for i in 0..<CoreConfiguration.keysCount {
            let offset = i * CoreConfiguration.keyLength
            let zbuf = keysData.withOffset(offset, count: CoreConfiguration.keyLength)
            keysArray.append(zbuf)
        }
        let cipherEncKey = keysArray[0]
        let hmacEncKey = keysArray[1]
        let cipherDecKey = keysArray[2]
        let hmacDecKey = keysArray[3]
        try self.init(cipher, digest, cipherEncKey, cipherDecKey, hmacEncKey, hmacDecKey)
    }
    init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ cipherEncKey: ZeroingData, _ cipherDecKey: ZeroingData, _ hmacEncKey: ZeroingData, _ hmacDecKey: ZeroingData) throws {
        box = CryptoBox(cipherAlgorithm: cipher.rawValue, digestAlgorithm: digest.rawValue)
        try box.configure(
            withCipherEncKey: cipherEncKey,
            cipherDecKey: cipherDecKey,
            hmacEncKey: hmacEncKey,
            hmacDecKey: hmacDecKey
        )
    }
    func encrypter() -> DataPathEncrypter {
        return box.encrypter().dataPathEncrypter()
    }
    func decrypter() -> DataPathDecrypter {
        return box.decrypter().dataPathDecrypter()
    }
 }
--- a/TunnelKit/Sources/Core/PushReply.swift
+++ b/TunnelKit/Sources/Core/PushReply.swift
@ -1,88 +0,0 @@
 //
 //  PushReply.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 25/07/2018.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 struct PushReply {
    private static let ifconfigRegexp = try! NSRegularExpression(pattern: "ifconfig [\\d\\.]+ [\\d\\.]+", options: [])
    private static let dnsRegexp = try! NSRegularExpression(pattern: "dhcp-option DNS [\\d\\.]+", options: [])
    private static let authTokenRegexp = try! NSRegularExpression(pattern: "auth-token [a-zA-Z0-9/=+]+", options: [])
    private static let peerIdRegexp = try! NSRegularExpression(pattern: "peer-id [0-9]+", options: [])
    let address: String
    let gatewayAddress: String
    let dnsServers: [String]
    let authToken: String?
    let peerId: UInt32?
    init?(message: String) throws {
        guard message.hasPrefix("PUSH_REPLY") else {
            return nil
        }
        var ifconfigComponents: [String]?
        var dnsServers = [String]()
        var authToken: String?
        var peerId: UInt32?
        PushReply.ifconfigRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
            guard let range = result?.range else { return }
            let match = (message as NSString).substring(with: range)
            ifconfigComponents = match.components(separatedBy: " ")
        }
        guard let addresses = ifconfigComponents, addresses.count >= 2 else {
            throw SessionError.malformedPushReply
        }
        PushReply.dnsRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
            guard let range = result?.range else { return }
            let match = (message as NSString).substring(with: range)
            let dnsEntryComponents = match.components(separatedBy: " ")
            dnsServers.append(dnsEntryComponents[2])
        }
        PushReply.authTokenRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
            guard let range = result?.range else { return }
            let match = (message as NSString).substring(with: range)
            let tokenComponents = match.components(separatedBy: " ")
            if (tokenComponents.count > 1) {
                authToken = tokenComponents[1]
            }
        }
        PushReply.peerIdRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
            guard let range = result?.range else { return }
            let match = (message as NSString).substring(with: range)
            let tokenComponents = match.components(separatedBy: " ")
            if (tokenComponents.count > 1) {
                peerId = UInt32(tokenComponents[1])
            }
        }
        address = addresses[1]
        gatewayAddress = addresses[2]
        self.dnsServers = dnsServers
        self.authToken = authToken
        self.peerId = peerId
    }
 }
--- a/TunnelKit/Sources/Core/SessionKey.swift
+++ b/TunnelKit/Sources/Core/SessionKey.swift
@ -1,120 +0,0 @@
 //
 //  SessionKey.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 4/12/17.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 import __TunnelKitNative
 import SwiftyBeaver
 private let log = SwiftyBeaver.self
 class SessionKey {
    enum State {
        case invalid, hardReset, softReset, tls
    }
    enum ControlState {
        case preAuth, preIfConfig, connected
    }
    let id: UInt8 // 3-bit
    let startTime: Date
    var state = State.invalid
    var controlState: ControlState?
    var tlsOptional: TLSBox?
    var tls: TLSBox {
        guard let tls = tlsOptional else {
            fatalError("TLSBox accessed when nil")
        }
        return tls
    }
    var dataPath: DataPath?
    var softReset: Bool
    private var isTLSConnected: Bool
    private var canHandlePackets: Bool
    init(id: UInt8) {
        self.id = id
        startTime = Date()
        state = .invalid
        softReset = false
        isTLSConnected = false
        canHandlePackets = false
    }
    // Ruby: Key.hard_reset_timeout
    func didHardResetTimeOut(link: LinkInterface) -> Bool {
        return ((state == .hardReset) && (-startTime.timeIntervalSinceNow > link.hardResetTimeout))
    }
    // Ruby: Key.negotiate_timeout
    func didNegotiationTimeOut(link: LinkInterface) -> Bool {
        let timeout = (softReset ? CoreConfiguration.softNegotiationTimeout : link.negotiationTimeout)
        return ((controlState != .connected) && (-startTime.timeIntervalSinceNow > timeout))
    }
    // Ruby: Key.on_tls_connect
    func shouldOnTLSConnect() -> Bool {
        guard !isTLSConnected else {
            return false
        }
        if tls.isConnected() {
            isTLSConnected = true
        }
        return isTLSConnected
    }
    func startHandlingPackets(withPeerId peerId: UInt32? = nil) {
        dataPath?.setPeerId(peerId ?? PacketPeerIdDisabled)
        canHandlePackets = true
    }
    func encrypt(packets: [Data]) throws -> [Data]? {
        guard let dataPath = dataPath else {
            log.warning("Data: Set dataPath first")
            return nil
        }
        guard canHandlePackets else {
            log.warning("Data: Invoke startHandlingPackets() before encrypting")
            return nil
        }
        return try dataPath.encryptPackets(packets, key: id)
    }
    func decrypt(packets: [Data]) throws -> [Data]? {
        guard let dataPath = dataPath else {
            log.warning("Data: Set dataPath first")
            return nil
        }
        guard canHandlePackets else {
            log.warning("Data: Invoke startHandlingPackets() before decrypting")
            return nil
        }
        var keepAlive = false
        let decrypted = try dataPath.decryptPackets(packets, keepAlive: &keepAlive)
        if keepAlive {
            log.debug("Data: Received ping, do nothing")
        }
        return decrypted
    }
 //    func dispose() {
 //        tlsOptional = nil
 //        dataPath = nil
 //    }
 }
--- a/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
@ -0,0 +1,152 @@
 //
 //  SessionProxy+Authenticator.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 2/9/17.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 import SwiftyBeaver
 import __TunnelKitNative
 private let log = SwiftyBeaver.self
 fileprivate extension ZeroingData {
    fileprivate func appendSized(_ buf: ZeroingData) {
        append(Z(UInt16(buf.count).bigEndian))
        append(buf)
    }
 }
 extension SessionProxy {
    class Authenticator {
        private var controlBuffer: ZeroingData
        private(set) var preMaster: ZeroingData
        private(set) var random1: ZeroingData
        private(set) var random2: ZeroingData
        private(set) var serverRandom1: ZeroingData?
        private(set) var serverRandom2: ZeroingData?
        let username: ZeroingData
        let password: ZeroingData
        init(_ username: String, _ password: String) throws {
            preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
            random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
            random2 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
            // XXX: not 100% secure, can't erase input username/password
            self.username = Z(username, nullTerminated: true)
            self.password = Z(password, nullTerminated: true)
            controlBuffer = Z()
        }
        // MARK: Authentication request
        // Ruby: on_tls_connect
        func putAuth(into: TLSBox) throws {
            let raw = Z(ProtocolMacros.tlsPrefix)
            // local keys
            raw.append(preMaster)
            raw.append(random1)
            raw.append(random2)
            // opts
            raw.appendSized(Z(UInt8(0)))
            // credentials
            raw.appendSized(username)
            raw.appendSized(password)
            // peer info
            raw.appendSized(Z(CoreConfiguration.peerInfo))
            if CoreConfiguration.logsSensitiveData {
                log.debug("TLS.auth: Put plaintext (\(raw.count) bytes): \(raw.toHex())")
            } else {
                log.debug("TLS.auth: Put plaintext (\(raw.count) bytes)")
            }
            try into.putRawPlainText(raw.bytes, length: raw.count)
        }
        // MARK: Server replies
        func appendControlData(_ data: ZeroingData) {
            controlBuffer.append(data)
        }
        func parseAuthReply() throws -> Bool {
            let prefixLength = ProtocolMacros.tlsPrefix.count
            // TLS prefix + random (x2) + opts length [+ opts]
            guard (controlBuffer.count >= prefixLength + 2 * CoreConfiguration.randomLength + 2) else {
                return false
            }
            let prefix = controlBuffer.withOffset(0, count: prefixLength)
            guard prefix.isEqual(to: ProtocolMacros.tlsPrefix) else {
                throw SessionError.wrongControlDataPrefix
            }
            var offset = ProtocolMacros.tlsPrefix.count
            let serverRandom1 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
            offset += CoreConfiguration.randomLength
            let serverRandom2 = controlBuffer.withOffset(offset, count: CoreConfiguration.randomLength)
            offset += CoreConfiguration.randomLength
            let serverOptsLength = Int(controlBuffer.networkUInt16Value(fromOffset: offset))
            offset += 2
            guard controlBuffer.count >= offset + serverOptsLength else {
                return false
            }
            let serverOpts = controlBuffer.withOffset(offset, count: serverOptsLength)
            offset += serverOptsLength
            if CoreConfiguration.logsSensitiveData {
                log.debug("TLS.auth: Parsed server random: [\(serverRandom1.toHex()), \(serverRandom2.toHex())]")
            } else {
                log.debug("TLS.auth: Parsed server random")
            }
            if let serverOptsString = serverOpts.nullTerminatedString(fromOffset: 0) {
                log.debug("TLS.auth: Parsed server opts: \"\(serverOptsString)\"")
            }
            self.serverRandom1 = serverRandom1
            self.serverRandom2 = serverRandom2
            controlBuffer.remove(untilOffset: offset)
            return true
        }
        func parseMessages() -> [String] {
            var messages = [String]()
            var offset = 0
            while true {
                guard let msg = controlBuffer.nullTerminatedString(fromOffset: offset) else {
                    break
                }
                messages.append(msg)
                offset += msg.count + 1
            }
            controlBuffer.remove(untilOffset: offset)
            return messages
        }
    }
 }
--- a/TunnelKit/Sources/Core/SessionProxy+EncryptionBridge.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+EncryptionBridge.swift
@ -0,0 +1,153 @@
 //
 //  SessionProxy+EncryptionBridge.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 2/8/17.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 import __TunnelKitNative
 extension SessionProxy {
    /// Bridges native encryption for high-level operations.
    public class EncryptionBridge {
        private static let maxHmacLength = 100
        private let box: CryptoBox
        /**
         Initializes the PRNG. Must be issued before using `SessionProxy`.
         - Parameter seedLength: The length in bytes of the pseudorandom seed that will feed the PRNG.
         */
        public static func prepareRandomNumberGenerator(seedLength: Int) -> Bool {
            let seed: ZeroingData
            do {
                seed = try SecureRandom.safeData(length: seedLength)
            } catch {
                return false
            }
            return CryptoBox.preparePRNG(withSeed: seed.bytes, length: seed.count)
        }
        // Ruby: keys_prf
        private static func keysPRF(
            _ label: String,
            _ secret: ZeroingData,
            _ clientSeed: ZeroingData,
            _ serverSeed: ZeroingData,
            _ clientSessionId: Data?,
            _ serverSessionId: Data?,
            _ size: Int) throws -> ZeroingData {
            let seed = Z(label)
            seed.append(clientSeed)
            seed.append(serverSeed)
            if let csi = clientSessionId {
                seed.append(Z(csi))
            }
            if let ssi = serverSessionId {
                seed.append(Z(ssi))
            }
            let len = secret.count / 2
            let lenx = len + (secret.count & 1)
            let secret1 = secret.withOffset(0, count: lenx)
            let secret2 = secret.withOffset(len, count: lenx)
            let hash1 = try keysHash("md5", secret1, seed, size)
            let hash2 = try keysHash("sha1", secret2, seed, size)
            let prf = Z()
            for i in 0..<hash1.count {
                let h1 = hash1.bytes[i]
                let h2 = hash2.bytes[i]
                prf.append(Z(h1 ^ h2))
            }
            return prf
        }
        // Ruby: keys_hash
        private static func keysHash(_ digestName: String, _ secret: ZeroingData, _ seed: ZeroingData, _ size: Int) throws -> ZeroingData {
            let out = Z()
            let buffer = Z(count: EncryptionBridge.maxHmacLength)
            var chain = try EncryptionBridge.hmac(buffer, digestName, secret, seed)
            while (out.count < size) {
                out.append(try EncryptionBridge.hmac(buffer, digestName, secret, chain.appending(seed)))
                chain = try EncryptionBridge.hmac(buffer, digestName, secret, chain)
            }
            return out.withOffset(0, count: size)
        }
        // Ruby: hmac
        private static func hmac(_ buffer: ZeroingData, _ digestName: String, _ secret: ZeroingData, _ data: ZeroingData) throws -> ZeroingData {
            var length = 0
            try CryptoBox.hmac(
                withDigestName: digestName,
                secret: secret.bytes,
                secretLength: secret.count,
                data: data.bytes,
                dataLength: data.count,
                hmac: buffer.mutableBytes,
                hmacLength: &length
            )
            return buffer.withOffset(0, count: length)
        }
        convenience init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ auth: SessionProxy.Authenticator,
                         _ sessionId: Data, _ remoteSessionId: Data) throws {
            guard let serverRandom1 = auth.serverRandom1, let serverRandom2 = auth.serverRandom2 else {
                fatalError("Configuring encryption without server randoms")
            }
            let masterData = try EncryptionBridge.keysPRF(
                CoreConfiguration.label1, auth.preMaster, auth.random1,
                serverRandom1, nil, nil,
                CoreConfiguration.preMasterLength
            )
            let keysData = try EncryptionBridge.keysPRF(
                CoreConfiguration.label2, masterData, auth.random2,
                serverRandom2, sessionId, remoteSessionId,
                CoreConfiguration.keysCount * CoreConfiguration.keyLength
            )
            var keysArray = [ZeroingData]()
            for i in 0..<CoreConfiguration.keysCount {
                let offset = i * CoreConfiguration.keyLength
                let zbuf = keysData.withOffset(offset, count: CoreConfiguration.keyLength)
                keysArray.append(zbuf)
            }
            let cipherEncKey = keysArray[0]
            let hmacEncKey = keysArray[1]
            let cipherDecKey = keysArray[2]
            let hmacDecKey = keysArray[3]
            try self.init(cipher, digest, cipherEncKey, cipherDecKey, hmacEncKey, hmacDecKey)
        }
        init(_ cipher: SessionProxy.Cipher, _ digest: SessionProxy.Digest, _ cipherEncKey: ZeroingData, _ cipherDecKey: ZeroingData, _ hmacEncKey: ZeroingData, _ hmacDecKey: ZeroingData) throws {
            box = CryptoBox(cipherAlgorithm: cipher.rawValue, digestAlgorithm: digest.rawValue)
            try box.configure(
                withCipherEncKey: cipherEncKey,
                cipherDecKey: cipherDecKey,
                hmacEncKey: hmacEncKey,
                hmacDecKey: hmacDecKey
            )
        }
        func encrypter() -> DataPathEncrypter {
            return box.encrypter().dataPathEncrypter()
        }
        func decrypter() -> DataPathDecrypter {
            return box.decrypter().dataPathDecrypter()
        }
    }
 }
--- a/TunnelKit/Sources/Core/SessionProxy+PushReply.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+PushReply.swift
@ -0,0 +1,90 @@
 //
 //  SessionProxy+PushReply.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 25/07/2018.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 extension SessionProxy {
    struct PushReply {
        private static let ifconfigRegexp = try! NSRegularExpression(pattern: "ifconfig [\\d\\.]+ [\\d\\.]+", options: [])
        private static let dnsRegexp = try! NSRegularExpression(pattern: "dhcp-option DNS [\\d\\.]+", options: [])
        private static let authTokenRegexp = try! NSRegularExpression(pattern: "auth-token [a-zA-Z0-9/=+]+", options: [])
        private static let peerIdRegexp = try! NSRegularExpression(pattern: "peer-id [0-9]+", options: [])
        let address: String
        let gatewayAddress: String
        let dnsServers: [String]
        let authToken: String?
        let peerId: UInt32?
        init?(message: String) throws {
            guard message.hasPrefix("PUSH_REPLY") else {
                return nil
            }
            var ifconfigComponents: [String]?
            var dnsServers = [String]()
            var authToken: String?
            var peerId: UInt32?
            PushReply.ifconfigRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
                guard let range = result?.range else { return }
                let match = (message as NSString).substring(with: range)
                ifconfigComponents = match.components(separatedBy: " ")
            }
            guard let addresses = ifconfigComponents, addresses.count >= 2 else {
                throw SessionError.malformedPushReply
            }
            PushReply.dnsRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
                guard let range = result?.range else { return }
                let match = (message as NSString).substring(with: range)
                let dnsEntryComponents = match.components(separatedBy: " ")
                dnsServers.append(dnsEntryComponents[2])
            }
            PushReply.authTokenRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
                guard let range = result?.range else { return }
                let match = (message as NSString).substring(with: range)
                let tokenComponents = match.components(separatedBy: " ")
                if (tokenComponents.count > 1) {
                    authToken = tokenComponents[1]
                }
            }
            PushReply.peerIdRegexp.enumerateMatches(in: message, options: [], range: NSMakeRange(0, message.count)) { (result, flags, _) in
                guard let range = result?.range else { return }
                let match = (message as NSString).substring(with: range)
                let tokenComponents = match.components(separatedBy: " ")
                if (tokenComponents.count > 1) {
                    peerId = UInt32(tokenComponents[1])
                }
            }
            address = addresses[1]
            gatewayAddress = addresses[2]
            self.dnsServers = dnsServers
            self.authToken = authToken
            self.peerId = peerId
        }
    }
 }
--- a/TunnelKit/Sources/Core/SessionProxy+SessionKey.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+SessionKey.swift
@ -0,0 +1,122 @@
 //
 //  SessionProxy+SessionKey.swift
 //  TunnelKit
 //
 //  Created by Davide De Rosa on 4/12/17.
 //  Copyright © 2018 London Trust Media. All rights reserved.
 //
 import Foundation
 import __TunnelKitNative
 import SwiftyBeaver
 private let log = SwiftyBeaver.self
 extension SessionProxy {
    class SessionKey {
        enum State {
            case invalid, hardReset, softReset, tls
        }
        enum ControlState {
            case preAuth, preIfConfig, connected
        }
        let id: UInt8 // 3-bit
        let startTime: Date
        var state = State.invalid
        var controlState: ControlState?
        var tlsOptional: TLSBox?
        var tls: TLSBox {
            guard let tls = tlsOptional else {
                fatalError("TLSBox accessed when nil")
            }
            return tls
        }
        var dataPath: DataPath?
        var softReset: Bool
        private var isTLSConnected: Bool
        private var canHandlePackets: Bool
        init(id: UInt8) {
            self.id = id
            startTime = Date()
            state = .invalid
            softReset = false
            isTLSConnected = false
            canHandlePackets = false
        }
        // Ruby: Key.hard_reset_timeout
        func didHardResetTimeOut(link: LinkInterface) -> Bool {
            return ((state == .hardReset) && (-startTime.timeIntervalSinceNow > link.hardResetTimeout))
        }
        // Ruby: Key.negotiate_timeout
        func didNegotiationTimeOut(link: LinkInterface) -> Bool {
            let timeout = (softReset ? CoreConfiguration.softNegotiationTimeout : link.negotiationTimeout)
            return ((controlState != .connected) && (-startTime.timeIntervalSinceNow > timeout))
        }
        // Ruby: Key.on_tls_connect
        func shouldOnTLSConnect() -> Bool {
            guard !isTLSConnected else {
                return false
            }
            if tls.isConnected() {
                isTLSConnected = true
            }
            return isTLSConnected
        }
        func startHandlingPackets(withPeerId peerId: UInt32? = nil) {
            dataPath?.setPeerId(peerId ?? PacketPeerIdDisabled)
            canHandlePackets = true
        }
        func encrypt(packets: [Data]) throws -> [Data]? {
            guard let dataPath = dataPath else {
                log.warning("Data: Set dataPath first")
                return nil
            }
            guard canHandlePackets else {
                log.warning("Data: Invoke startHandlingPackets() before encrypting")
                return nil
            }
            return try dataPath.encryptPackets(packets, key: id)
        }
        func decrypt(packets: [Data]) throws -> [Data]? {
            guard let dataPath = dataPath else {
                log.warning("Data: Set dataPath first")
                return nil
            }
            guard canHandlePackets else {
                log.warning("Data: Invoke startHandlingPackets() before decrypting")
                return nil
            }
            var keepAlive = false
            let decrypted = try dataPath.decryptPackets(packets, keepAlive: &keepAlive)
            if keepAlive {
                log.debug("Data: Received ping, do nothing")
            }
            return decrypted
        }
    //    func dispose() {
    //        tlsOptional = nil
    //        dataPath = nil
    //    }
    }
 }
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@ -1008,9 +1008,9 @@ public class SessionProxy {
            log.debug("Setup keys")
        }
-        let proxy: EncryptionProxy
+        let bridge: EncryptionBridge
        do {
-            proxy = try EncryptionProxy(
+            bridge = try EncryptionBridge(
                configuration.cipher,
                configuration.digest,
                auth,
@ -1023,8 +1023,8 @@ public class SessionProxy {
        }
        negotiationKey.dataPath = DataPath(
-            encrypter: proxy.encrypter(),
+            encrypter: bridge.encrypter(),
-            decrypter: proxy.decrypter(),
+            decrypter: bridge.decrypter(),
            maxPackets: link?.packetBufferSize ?? 200,
            usesReplayProtection: CoreConfiguration.usesReplayProtection
        )
--- a/TunnelKitTests/DataPathPerformanceTests.swift
+++ b/TunnelKitTests/DataPathPerformanceTests.swift
@ -21,7 +21,7 @@ class DataPathPerformanceTests: XCTestCase {
        let ck = try! SecureRandom.safeData(length: 32)
        let hk = try! SecureRandom.safeData(length: 32)
-        let crypto = try! EncryptionProxy(.aes128cbc, .sha1, ck, ck, hk, hk)
+        let crypto = try! SessionProxy.EncryptionBridge(.aes128cbc, .sha1, ck, ck, hk, hk)
        encrypter = crypto.encrypter()
        decrypter = crypto.decrypter()