Prepare API to enable TLS wrapping

Extensible TLSWrap parameter.

TunnelKit.xcodeproj/project.pbxproj

@@ -7,6 +7,8 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		0E041D092152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */; };
+		0E041D0A2152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */; };
 		0E07595F20EF6D1400F38FD8 /* CryptoCBC.m in Sources */ = {isa = PBXBuildFile; fileRef = 0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */; };
 		0E07596020EF6D1400F38FD8 /* CryptoCBC.m in Sources */ = {isa = PBXBuildFile; fileRef = 0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */; };
 		0E07596320EF733F00F38FD8 /* CryptoMacros.h in Headers */ = {isa = PBXBuildFile; fileRef = 0E07596120EF733F00F38FD8 /* CryptoMacros.h */; };
@@ -188,6 +190,7 @@
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXFileReference section */
+		0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+TLSWrap.swift"; sourceTree = "<group>"; };
 		0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CryptoCBC.m; sourceTree = "<group>"; };
 		0E07596120EF733F00F38FD8 /* CryptoMacros.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptoMacros.h; sourceTree = "<group>"; };
 		0E07596A20EF79AB00F38FD8 /* Crypto.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Crypto.h; sourceTree = "<group>"; };
@@ -484,6 +487,7 @@
 				0E749F5E2178885500BB2701 /* SessionProxy+PIA.swift */,
 				0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */,
 				0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */,
+				0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */,
 				0EE3B3E321471C3A0027AB17 /* StaticKey.swift */,
 				0EFEB4442006D3C800F81029 /* TLSBox.h */,
 				0EFEB4302006D3C800F81029 /* TLSBox.m */,
@@ -909,6 +913,7 @@
 				0EFEB45B2006D3C800F81029 /* TLSBox.m in Sources */,
 				0EFEB4792006D3C800F81029 /* TunnelKitProvider+Interaction.swift in Sources */,
 				0EFEB4702006D3C800F81029 /* Allocation.m in Sources */,
+				0E041D092152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */,
 				0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */,
 				0ED9C8642138139000621BA3 /* SessionProxy+CompressionFraming.swift in Sources */,
 				0EFEB4722006D3C800F81029 /* ReplayProtector.m in Sources */,
@@ -966,6 +971,7 @@
 				0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */,
 				0EFEB49E2006D7F300F81029 /* Allocation.m in Sources */,
 				0EFEB4B02007627700F81029 /* Keychain.swift in Sources */,
+				0E041D0A2152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */,
 				0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */,
 				0ED9C8652138139000621BA3 /* SessionProxy+CompressionFraming.swift in Sources */,
 				0EFEB4AF2007627700F81029 /* InterfaceObserver.swift in Sources */,

TunnelKit/Sources/AppExtension/TunnelKitProvider+Configuration.swift

@@ -140,6 +140,9 @@ extension TunnelKitProvider {
         /// Sets compression framing, disabled by default.
         public var compressionFraming: SessionProxy.CompressionFraming
 
+        /// The optional TLS wrapping.
+        public var tlsWrap: SessionProxy.TLSWrap?
+        
         /// Sends periodical keep-alive packets (ping) if set. Useful with stateful firewalls.
         public var keepAliveSeconds: Int?
 
@@ -178,6 +181,7 @@ extension TunnelKitProvider {
             clientKey = nil
             mtu = 1500
             compressionFraming = .disabled
+            tlsWrap = nil
             keepAliveSeconds = nil
             renegotiatesAfterSeconds = nil
             usesPIAPatches = false
@@ -234,6 +238,13 @@ extension TunnelKitProvider {
             } else {
                 compressionFraming = .disabled
             }
+            if let tlsWrapData = providerConfiguration[S.tlsWrap] as? Data {
+                do {
+                    tlsWrap = try SessionProxy.TLSWrap.deserialized(tlsWrapData)
+                } catch {
+                    throw ProviderError.configuration(field: "protocolConfiguration.providerConfiguration[\(S.tlsWrap)]")
+                }
+            }
             keepAliveSeconds = providerConfiguration[S.keepAlive] as? Int
             renegotiatesAfterSeconds = providerConfiguration[S.renegotiatesAfter] as? Int
             usesPIAPatches = providerConfiguration[S.usesPIAPatches] as? Bool ?? false
@@ -271,6 +282,7 @@ extension TunnelKitProvider {
                 clientKey: clientKey,
                 mtu: mtu,
                 compressionFraming: compressionFraming,
+                tlsWrap: tlsWrap,
                 keepAliveSeconds: keepAliveSeconds,
                 renegotiatesAfterSeconds: renegotiatesAfterSeconds,
                 usesPIAPatches: usesPIAPatches,
@@ -306,6 +318,8 @@ extension TunnelKitProvider {
             
             static let compressionFraming = "CompressionFraming"
             
+            static let tlsWrap = "TLSWrap"
+
             static let keepAlive = "KeepAlive"
             
             static let renegotiatesAfter = "RenegotiatesAfter"
@@ -349,6 +363,9 @@ extension TunnelKitProvider {
         /// - Seealso: `TunnelKitProvider.ConfigurationBuilder.compressionFraming`
         public let compressionFraming: SessionProxy.CompressionFraming
         
+        /// - Seealso: `TunnelKitProvider.ConfigurationBuilder.tlsWrap`
+        public let tlsWrap: SessionProxy.TLSWrap?
+
         /// - Seealso: `TunnelKitProvider.ConfigurationBuilder.keepAliveSeconds`
         public let keepAliveSeconds: Int?
 
@@ -433,6 +450,9 @@ extension TunnelKitProvider {
                 dict[S.resolvedAddresses] = resolvedAddresses
             }
             dict[S.compressionFraming] = compressionFraming.rawValue
+            if let tlsWrapData = tlsWrap?.serialized() {
+                dict[S.tlsWrap] = tlsWrapData
+            }
             if let keepAliveSeconds = keepAliveSeconds {
                 dict[S.keepAlive] = keepAliveSeconds
             }
@@ -507,6 +527,11 @@ extension TunnelKitProvider {
             } else {
                 log.info("\tRenegotiation: never")
             }
+            if let tlsWrap = tlsWrap {
+                log.info("\tTLS wrapping: \(tlsWrap.strategy)")
+            } else {
+                log.info("\tTLS wrapping: disabled")
+            }
             log.info("\tDebug: \(shouldDebug)")
         }
     }
@@ -530,6 +555,7 @@ extension TunnelKitProvider.Configuration: Equatable {
         builder.clientKey = clientKey
         builder.mtu = mtu
         builder.compressionFraming = compressionFraming
+        builder.tlsWrap = tlsWrap
         builder.keepAliveSeconds = keepAliveSeconds
         builder.renegotiatesAfterSeconds = renegotiatesAfterSeconds
         builder.usesPIAPatches = usesPIAPatches
@@ -552,6 +578,7 @@ extension TunnelKitProvider.Configuration: Equatable {
             (lhs.compressionFraming == rhs.compressionFraming) &&
             (lhs.keepAliveSeconds == rhs.keepAliveSeconds) &&
             (lhs.renegotiatesAfterSeconds == rhs.renegotiatesAfterSeconds)
+            // XXX: tlsWrap not copied
         )
     }
 }

TunnelKit/Sources/AppExtension/TunnelKitProvider.swift

@@ -228,6 +228,7 @@ open class TunnelKitProvider: NEPacketTunnelProvider {
         sessionConfiguration.clientCertificatePath = clientCertificatePath
         sessionConfiguration.clientKeyPath = clientKeyPath
         sessionConfiguration.compressionFraming = cfg.compressionFraming
+        sessionConfiguration.tlsWrap = cfg.tlsWrap
         if let keepAliveSeconds = cfg.keepAliveSeconds {
             sessionConfiguration.keepAliveInterval = TimeInterval(keepAliveSeconds)
         }

TunnelKit/Sources/Core/SessionProxy+Configuration.swift

@@ -156,6 +156,9 @@ extension SessionProxy {
         /// Sets compression framing, disabled by default.
         public var compressionFraming: CompressionFraming
 
+        /// The optional TLS wrapping.
+        public var tlsWrap: TLSWrap?
+
         /// Sends periodical keep-alive packets if set.
         public var keepAliveInterval: TimeInterval?
         
@@ -174,6 +177,7 @@ extension SessionProxy {
             clientCertificatePath = nil
             clientKeyPath = nil
             compressionFraming = .disabled
+            tlsWrap = nil
             keepAliveInterval = nil
             renegotiatesAfter = nil
             usesPIAPatches = false
@@ -193,6 +197,7 @@ extension SessionProxy {
                 clientCertificatePath: clientCertificatePath,
                 clientKeyPath: clientKeyPath,
                 compressionFraming: compressionFraming,
+                tlsWrap: tlsWrap,
                 keepAliveInterval: keepAliveInterval,
                 renegotiatesAfter: renegotiatesAfter,
                 usesPIAPatches: usesPIAPatches
@@ -224,6 +229,9 @@ extension SessionProxy {
         /// - Seealso: `SessionProxy.ConfigurationBuilder.compressionFraming`
         public let compressionFraming: CompressionFraming
 
+        /// - Seealso: `SessionProxy.ConfigurationBuilder.tlsWrap`
+        public var tlsWrap: TLSWrap?
+
         /// - Seealso: `SessionProxy.ConfigurationBuilder.keepAliveInterval`
         public let keepAliveInterval: TimeInterval?
 

TunnelKit/Sources/Core/SessionProxy+TLSWrap.swift

@@ -0,0 +1,60 @@
+//
+//  SessionProxy+TLSWrap.swift
+//  TunnelKit
+//
+//  Created by Davide De Rosa on 9/11/18.
+//  Copyright (c) 2018 Davide De Rosa. All rights reserved.
+//
+//  https://github.com/keeshux
+//
+//  This file is part of TunnelKit.
+//
+//  TunnelKit is free software: you can redistribute it and/or modify
+//  it under the terms of the GNU General Public License as published by
+//  the Free Software Foundation, either version 3 of the License, or
+//  (at your option) any later version.
+//
+//  TunnelKit is distributed in the hope that it will be useful,
+//  but WITHOUT ANY WARRANTY; without even the implied warranty of
+//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//  GNU General Public License for more details.
+//
+//  You should have received a copy of the GNU General Public License
+//  along with TunnelKit.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+import Foundation
+
+extension SessionProxy {
+
+    /// Holds parameters for TLS wrapping.
+    public class TLSWrap: Codable {
+
+        /// The wrapping strategy.
+        public enum Strategy: String, Codable {
+            case none
+        }
+
+        /// The wrapping strategy.
+        public let strategy: Strategy
+        
+        /// The static encryption key.
+        public let key: StaticKey
+        
+        /// :nodoc:
+        public init(strategy: Strategy, key: StaticKey) {
+            self.strategy = strategy
+            self.key = key
+        }
+
+        /// :nodoc:
+        public static func deserialized(_ data: Data) throws -> SessionProxy.TLSWrap {
+            return try JSONDecoder().decode(SessionProxy.TLSWrap.self, from: data)
+        }
+        
+        /// :nodoc:
+        public func serialized() -> Data? {
+            return try? JSONEncoder().encode(self)
+        }
+    }
+}

TunnelKit/Sources/Core/SessionProxy.swift

@@ -173,7 +173,16 @@ public class SessionProxy {
         lastPing = BidirectionalState(withResetValue: Date.distantPast)
         isStopping = false
         
-        controlChannel = ControlChannel()
+        if let tlsWrap = configuration.tlsWrap {
+
+            // TODO: select strategy
+            switch tlsWrap.strategy {
+            default:
+                controlChannel = ControlChannel()
+            }
+        } else {
+            controlChannel = ControlChannel()
+        }
     }
     
     deinit {