Prepare API to enable TLS wrapping

Extensible TLSWrap parameter.
This commit is contained in:
Davide De Rosa 2018-09-19 22:22:35 +02:00
parent 51720c1fbc
commit 66735ec118
6 changed files with 112 additions and 1 deletions

View File

@ -7,6 +7,8 @@
objects = { objects = {
/* Begin PBXBuildFile section */ /* Begin PBXBuildFile section */
0E041D092152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */; };
0E041D0A2152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */ = {isa = PBXBuildFile; fileRef = 0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */; };
0E07595F20EF6D1400F38FD8 /* CryptoCBC.m in Sources */ = {isa = PBXBuildFile; fileRef = 0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */; }; 0E07595F20EF6D1400F38FD8 /* CryptoCBC.m in Sources */ = {isa = PBXBuildFile; fileRef = 0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */; };
0E07596020EF6D1400F38FD8 /* CryptoCBC.m in Sources */ = {isa = PBXBuildFile; fileRef = 0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */; }; 0E07596020EF6D1400F38FD8 /* CryptoCBC.m in Sources */ = {isa = PBXBuildFile; fileRef = 0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */; };
0E07596320EF733F00F38FD8 /* CryptoMacros.h in Headers */ = {isa = PBXBuildFile; fileRef = 0E07596120EF733F00F38FD8 /* CryptoMacros.h */; }; 0E07596320EF733F00F38FD8 /* CryptoMacros.h in Headers */ = {isa = PBXBuildFile; fileRef = 0E07596120EF733F00F38FD8 /* CryptoMacros.h */; };
@ -188,6 +190,7 @@
/* End PBXContainerItemProxy section */ /* End PBXContainerItemProxy section */
/* Begin PBXFileReference section */ /* Begin PBXFileReference section */
0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "SessionProxy+TLSWrap.swift"; sourceTree = "<group>"; };
0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CryptoCBC.m; sourceTree = "<group>"; }; 0E07595C20EF6D1400F38FD8 /* CryptoCBC.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CryptoCBC.m; sourceTree = "<group>"; };
0E07596120EF733F00F38FD8 /* CryptoMacros.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptoMacros.h; sourceTree = "<group>"; }; 0E07596120EF733F00F38FD8 /* CryptoMacros.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptoMacros.h; sourceTree = "<group>"; };
0E07596A20EF79AB00F38FD8 /* Crypto.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Crypto.h; sourceTree = "<group>"; }; 0E07596A20EF79AB00F38FD8 /* Crypto.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Crypto.h; sourceTree = "<group>"; };
@ -484,6 +487,7 @@
0E749F5E2178885500BB2701 /* SessionProxy+PIA.swift */, 0E749F5E2178885500BB2701 /* SessionProxy+PIA.swift */,
0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */, 0E3E0F202108A8CC00B371C1 /* SessionProxy+PushReply.swift */,
0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */, 0EFEB42B2006D3C800F81029 /* SessionProxy+SessionKey.swift */,
0E041D082152E6FE0025FE3C /* SessionProxy+TLSWrap.swift */,
0EE3B3E321471C3A0027AB17 /* StaticKey.swift */, 0EE3B3E321471C3A0027AB17 /* StaticKey.swift */,
0EFEB4442006D3C800F81029 /* TLSBox.h */, 0EFEB4442006D3C800F81029 /* TLSBox.h */,
0EFEB4302006D3C800F81029 /* TLSBox.m */, 0EFEB4302006D3C800F81029 /* TLSBox.m */,
@ -909,6 +913,7 @@
0EFEB45B2006D3C800F81029 /* TLSBox.m in Sources */, 0EFEB45B2006D3C800F81029 /* TLSBox.m in Sources */,
0EFEB4792006D3C800F81029 /* TunnelKitProvider+Interaction.swift in Sources */, 0EFEB4792006D3C800F81029 /* TunnelKitProvider+Interaction.swift in Sources */,
0EFEB4702006D3C800F81029 /* Allocation.m in Sources */, 0EFEB4702006D3C800F81029 /* Allocation.m in Sources */,
0E041D092152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */,
0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */, 0EFEB4672006D3C800F81029 /* SessionProxy.swift in Sources */,
0ED9C8642138139000621BA3 /* SessionProxy+CompressionFraming.swift in Sources */, 0ED9C8642138139000621BA3 /* SessionProxy+CompressionFraming.swift in Sources */,
0EFEB4722006D3C800F81029 /* ReplayProtector.m in Sources */, 0EFEB4722006D3C800F81029 /* ReplayProtector.m in Sources */,
@ -966,6 +971,7 @@
0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */, 0EFEB4902006D7F300F81029 /* TunnelInterface.swift in Sources */,
0EFEB49E2006D7F300F81029 /* Allocation.m in Sources */, 0EFEB49E2006D7F300F81029 /* Allocation.m in Sources */,
0EFEB4B02007627700F81029 /* Keychain.swift in Sources */, 0EFEB4B02007627700F81029 /* Keychain.swift in Sources */,
0E041D0A2152E6FE0025FE3C /* SessionProxy+TLSWrap.swift in Sources */,
0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */, 0EFEB48E2006D7F300F81029 /* SessionProxy+SessionKey.swift in Sources */,
0ED9C8652138139000621BA3 /* SessionProxy+CompressionFraming.swift in Sources */, 0ED9C8652138139000621BA3 /* SessionProxy+CompressionFraming.swift in Sources */,
0EFEB4AF2007627700F81029 /* InterfaceObserver.swift in Sources */, 0EFEB4AF2007627700F81029 /* InterfaceObserver.swift in Sources */,

View File

@ -140,6 +140,9 @@ extension TunnelKitProvider {
/// Sets compression framing, disabled by default. /// Sets compression framing, disabled by default.
public var compressionFraming: SessionProxy.CompressionFraming public var compressionFraming: SessionProxy.CompressionFraming
/// The optional TLS wrapping.
public var tlsWrap: SessionProxy.TLSWrap?
/// Sends periodical keep-alive packets (ping) if set. Useful with stateful firewalls. /// Sends periodical keep-alive packets (ping) if set. Useful with stateful firewalls.
public var keepAliveSeconds: Int? public var keepAliveSeconds: Int?
@ -178,6 +181,7 @@ extension TunnelKitProvider {
clientKey = nil clientKey = nil
mtu = 1500 mtu = 1500
compressionFraming = .disabled compressionFraming = .disabled
tlsWrap = nil
keepAliveSeconds = nil keepAliveSeconds = nil
renegotiatesAfterSeconds = nil renegotiatesAfterSeconds = nil
usesPIAPatches = false usesPIAPatches = false
@ -234,6 +238,13 @@ extension TunnelKitProvider {
} else { } else {
compressionFraming = .disabled compressionFraming = .disabled
} }
if let tlsWrapData = providerConfiguration[S.tlsWrap] as? Data {
do {
tlsWrap = try SessionProxy.TLSWrap.deserialized(tlsWrapData)
} catch {
throw ProviderError.configuration(field: "protocolConfiguration.providerConfiguration[\(S.tlsWrap)]")
}
}
keepAliveSeconds = providerConfiguration[S.keepAlive] as? Int keepAliveSeconds = providerConfiguration[S.keepAlive] as? Int
renegotiatesAfterSeconds = providerConfiguration[S.renegotiatesAfter] as? Int renegotiatesAfterSeconds = providerConfiguration[S.renegotiatesAfter] as? Int
usesPIAPatches = providerConfiguration[S.usesPIAPatches] as? Bool ?? false usesPIAPatches = providerConfiguration[S.usesPIAPatches] as? Bool ?? false
@ -271,6 +282,7 @@ extension TunnelKitProvider {
clientKey: clientKey, clientKey: clientKey,
mtu: mtu, mtu: mtu,
compressionFraming: compressionFraming, compressionFraming: compressionFraming,
tlsWrap: tlsWrap,
keepAliveSeconds: keepAliveSeconds, keepAliveSeconds: keepAliveSeconds,
renegotiatesAfterSeconds: renegotiatesAfterSeconds, renegotiatesAfterSeconds: renegotiatesAfterSeconds,
usesPIAPatches: usesPIAPatches, usesPIAPatches: usesPIAPatches,
@ -306,6 +318,8 @@ extension TunnelKitProvider {
static let compressionFraming = "CompressionFraming" static let compressionFraming = "CompressionFraming"
static let tlsWrap = "TLSWrap"
static let keepAlive = "KeepAlive" static let keepAlive = "KeepAlive"
static let renegotiatesAfter = "RenegotiatesAfter" static let renegotiatesAfter = "RenegotiatesAfter"
@ -349,6 +363,9 @@ extension TunnelKitProvider {
/// - Seealso: `TunnelKitProvider.ConfigurationBuilder.compressionFraming` /// - Seealso: `TunnelKitProvider.ConfigurationBuilder.compressionFraming`
public let compressionFraming: SessionProxy.CompressionFraming public let compressionFraming: SessionProxy.CompressionFraming
/// - Seealso: `TunnelKitProvider.ConfigurationBuilder.tlsWrap`
public let tlsWrap: SessionProxy.TLSWrap?
/// - Seealso: `TunnelKitProvider.ConfigurationBuilder.keepAliveSeconds` /// - Seealso: `TunnelKitProvider.ConfigurationBuilder.keepAliveSeconds`
public let keepAliveSeconds: Int? public let keepAliveSeconds: Int?
@ -433,6 +450,9 @@ extension TunnelKitProvider {
dict[S.resolvedAddresses] = resolvedAddresses dict[S.resolvedAddresses] = resolvedAddresses
} }
dict[S.compressionFraming] = compressionFraming.rawValue dict[S.compressionFraming] = compressionFraming.rawValue
if let tlsWrapData = tlsWrap?.serialized() {
dict[S.tlsWrap] = tlsWrapData
}
if let keepAliveSeconds = keepAliveSeconds { if let keepAliveSeconds = keepAliveSeconds {
dict[S.keepAlive] = keepAliveSeconds dict[S.keepAlive] = keepAliveSeconds
} }
@ -507,6 +527,11 @@ extension TunnelKitProvider {
} else { } else {
log.info("\tRenegotiation: never") log.info("\tRenegotiation: never")
} }
if let tlsWrap = tlsWrap {
log.info("\tTLS wrapping: \(tlsWrap.strategy)")
} else {
log.info("\tTLS wrapping: disabled")
}
log.info("\tDebug: \(shouldDebug)") log.info("\tDebug: \(shouldDebug)")
} }
} }
@ -530,6 +555,7 @@ extension TunnelKitProvider.Configuration: Equatable {
builder.clientKey = clientKey builder.clientKey = clientKey
builder.mtu = mtu builder.mtu = mtu
builder.compressionFraming = compressionFraming builder.compressionFraming = compressionFraming
builder.tlsWrap = tlsWrap
builder.keepAliveSeconds = keepAliveSeconds builder.keepAliveSeconds = keepAliveSeconds
builder.renegotiatesAfterSeconds = renegotiatesAfterSeconds builder.renegotiatesAfterSeconds = renegotiatesAfterSeconds
builder.usesPIAPatches = usesPIAPatches builder.usesPIAPatches = usesPIAPatches
@ -552,6 +578,7 @@ extension TunnelKitProvider.Configuration: Equatable {
(lhs.compressionFraming == rhs.compressionFraming) && (lhs.compressionFraming == rhs.compressionFraming) &&
(lhs.keepAliveSeconds == rhs.keepAliveSeconds) && (lhs.keepAliveSeconds == rhs.keepAliveSeconds) &&
(lhs.renegotiatesAfterSeconds == rhs.renegotiatesAfterSeconds) (lhs.renegotiatesAfterSeconds == rhs.renegotiatesAfterSeconds)
// XXX: tlsWrap not copied
) )
} }
} }

View File

@ -228,6 +228,7 @@ open class TunnelKitProvider: NEPacketTunnelProvider {
sessionConfiguration.clientCertificatePath = clientCertificatePath sessionConfiguration.clientCertificatePath = clientCertificatePath
sessionConfiguration.clientKeyPath = clientKeyPath sessionConfiguration.clientKeyPath = clientKeyPath
sessionConfiguration.compressionFraming = cfg.compressionFraming sessionConfiguration.compressionFraming = cfg.compressionFraming
sessionConfiguration.tlsWrap = cfg.tlsWrap
if let keepAliveSeconds = cfg.keepAliveSeconds { if let keepAliveSeconds = cfg.keepAliveSeconds {
sessionConfiguration.keepAliveInterval = TimeInterval(keepAliveSeconds) sessionConfiguration.keepAliveInterval = TimeInterval(keepAliveSeconds)
} }

View File

@ -156,6 +156,9 @@ extension SessionProxy {
/// Sets compression framing, disabled by default. /// Sets compression framing, disabled by default.
public var compressionFraming: CompressionFraming public var compressionFraming: CompressionFraming
/// The optional TLS wrapping.
public var tlsWrap: TLSWrap?
/// Sends periodical keep-alive packets if set. /// Sends periodical keep-alive packets if set.
public var keepAliveInterval: TimeInterval? public var keepAliveInterval: TimeInterval?
@ -174,6 +177,7 @@ extension SessionProxy {
clientCertificatePath = nil clientCertificatePath = nil
clientKeyPath = nil clientKeyPath = nil
compressionFraming = .disabled compressionFraming = .disabled
tlsWrap = nil
keepAliveInterval = nil keepAliveInterval = nil
renegotiatesAfter = nil renegotiatesAfter = nil
usesPIAPatches = false usesPIAPatches = false
@ -193,6 +197,7 @@ extension SessionProxy {
clientCertificatePath: clientCertificatePath, clientCertificatePath: clientCertificatePath,
clientKeyPath: clientKeyPath, clientKeyPath: clientKeyPath,
compressionFraming: compressionFraming, compressionFraming: compressionFraming,
tlsWrap: tlsWrap,
keepAliveInterval: keepAliveInterval, keepAliveInterval: keepAliveInterval,
renegotiatesAfter: renegotiatesAfter, renegotiatesAfter: renegotiatesAfter,
usesPIAPatches: usesPIAPatches usesPIAPatches: usesPIAPatches
@ -224,6 +229,9 @@ extension SessionProxy {
/// - Seealso: `SessionProxy.ConfigurationBuilder.compressionFraming` /// - Seealso: `SessionProxy.ConfigurationBuilder.compressionFraming`
public let compressionFraming: CompressionFraming public let compressionFraming: CompressionFraming
/// - Seealso: `SessionProxy.ConfigurationBuilder.tlsWrap`
public var tlsWrap: TLSWrap?
/// - Seealso: `SessionProxy.ConfigurationBuilder.keepAliveInterval` /// - Seealso: `SessionProxy.ConfigurationBuilder.keepAliveInterval`
public let keepAliveInterval: TimeInterval? public let keepAliveInterval: TimeInterval?

View File

@ -0,0 +1,60 @@
//
// SessionProxy+TLSWrap.swift
// TunnelKit
//
// Created by Davide De Rosa on 9/11/18.
// Copyright (c) 2018 Davide De Rosa. All rights reserved.
//
// https://github.com/keeshux
//
// This file is part of TunnelKit.
//
// TunnelKit is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// TunnelKit is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with TunnelKit. If not, see <http://www.gnu.org/licenses/>.
//
import Foundation
extension SessionProxy {
/// Holds parameters for TLS wrapping.
public class TLSWrap: Codable {
/// The wrapping strategy.
public enum Strategy: String, Codable {
case none
}
/// The wrapping strategy.
public let strategy: Strategy
/// The static encryption key.
public let key: StaticKey
/// :nodoc:
public init(strategy: Strategy, key: StaticKey) {
self.strategy = strategy
self.key = key
}
/// :nodoc:
public static func deserialized(_ data: Data) throws -> SessionProxy.TLSWrap {
return try JSONDecoder().decode(SessionProxy.TLSWrap.self, from: data)
}
/// :nodoc:
public func serialized() -> Data? {
return try? JSONEncoder().encode(self)
}
}
}

View File

@ -173,7 +173,16 @@ public class SessionProxy {
lastPing = BidirectionalState(withResetValue: Date.distantPast) lastPing = BidirectionalState(withResetValue: Date.distantPast)
isStopping = false isStopping = false
controlChannel = ControlChannel() if let tlsWrap = configuration.tlsWrap {
// TODO: select strategy
switch tlsWrap.strategy {
default:
controlChannel = ControlChannel()
}
} else {
controlChannel = ControlChannel()
}
} }
deinit { deinit {