From f9e09b7b22844de577dd3980d5aeaaf24a5ed657 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Em=C4=ABls?= Date: Fri, 20 Dec 2024 09:38:03 +0100 Subject: [PATCH 1/2] Bump wireguard-apple --- ios/MullvadVPN.xcodeproj/project.pbxproj | 16 ++++++++++------ .../xcshareddata/swiftpm/Package.resolved | 2 +- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ios/MullvadVPN.xcodeproj/project.pbxproj b/ios/MullvadVPN.xcodeproj/project.pbxproj index 31cab3122857..ecc4ce38a869 100644 --- a/ios/MullvadVPN.xcodeproj/project.pbxproj +++ b/ios/MullvadVPN.xcodeproj/project.pbxproj @@ -739,18 +739,19 @@ A932D9F52B5EBB9D00999395 /* RESTTransportStub.swift in Sources */ = {isa = PBXBuildFile; fileRef = A932D9F42B5EBB9D00999395 /* RESTTransportStub.swift */; }; A935594C2B4C2DA900D5D524 /* APIAvailabilityTestRequest.swift in Sources */ = {isa = PBXBuildFile; fileRef = A935594B2B4C2DA900D5D524 /* APIAvailabilityTestRequest.swift */; }; A939661B2CAE6CE1008128CA /* MigrationManagerMultiProcessUpgradeTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = A939661A2CAE6CE1008128CA /* MigrationManagerMultiProcessUpgradeTests.swift */; }; + A93969812CE606190032A7A0 /* Maybenot.swift in Sources */ = {isa = PBXBuildFile; fileRef = A9840BB32C69F78A0030F05E /* Maybenot.swift */; }; A94D691A2ABAD66700413DD4 /* WireGuardKitTypes in Frameworks */ = {isa = PBXBuildFile; productRef = 58FE25E22AA72AE9003D1918 /* WireGuardKitTypes */; }; A94D691B2ABAD66700413DD4 /* WireGuardKitTypes in Frameworks */ = {isa = PBXBuildFile; productRef = 58FE25E72AA7399D003D1918 /* WireGuardKitTypes */; }; A95EEE362B722CD600A8A39B /* TunnelMonitorState.swift in Sources */ = {isa = PBXBuildFile; fileRef = A95EEE352B722CD600A8A39B /* TunnelMonitorState.swift */; }; A95EEE382B722DFC00A8A39B /* PingStats.swift in Sources */ = {isa = PBXBuildFile; fileRef = A95EEE372B722DFC00A8A39B /* PingStats.swift */; }; A970C89D2B29E38C000A7684 /* Socks5UsernamePasswordCommand.swift in Sources */ = {isa = PBXBuildFile; fileRef = A970C89C2B29E38C000A7684 /* Socks5UsernamePasswordCommand.swift */; }; + A97275562CE36CAE00029F15 /* DaitaV2Parameters.swift in Sources */ = {isa = PBXBuildFile; fileRef = A97275552CE36CAE00029F15 /* DaitaV2Parameters.swift */; }; A97D25AE2B0BB18100946B2D /* ProtocolObfuscator.swift in Sources */ = {isa = PBXBuildFile; fileRef = A97D25AD2B0BB18100946B2D /* ProtocolObfuscator.swift */; }; A97D25B02B0BB5C400946B2D /* ProtocolObfuscationStub.swift in Sources */ = {isa = PBXBuildFile; fileRef = A97D25AF2B0BB5C400946B2D /* ProtocolObfuscationStub.swift */; }; A97D25B22B0CB02D00946B2D /* ProtocolObfuscatorTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = A97D25B12B0CB02D00946B2D /* ProtocolObfuscatorTests.swift */; }; A97D25B42B0CB59300946B2D /* TunnelObfuscationStub.swift in Sources */ = {isa = PBXBuildFile; fileRef = A97D25B32B0CB59300946B2D /* TunnelObfuscationStub.swift */; }; A97D30172AE6B5E90045C0E4 /* StoredWgKeyData.swift in Sources */ = {isa = PBXBuildFile; fileRef = A97D30162AE6B5E90045C0E4 /* StoredWgKeyData.swift */; }; A97FF5502A0D2FFC00900996 /* NSFileCoordinator+Extensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = A97FF54F2A0D2FFC00900996 /* NSFileCoordinator+Extensions.swift */; }; - A9840BB42C69F78A0030F05E /* Maybenot.swift in Sources */ = {isa = PBXBuildFile; fileRef = A9840BB32C69F78A0030F05E /* Maybenot.swift */; }; A98502032B627B120061901E /* LocalNetworkProbe.swift in Sources */ = {isa = PBXBuildFile; fileRef = A98502022B627B120061901E /* LocalNetworkProbe.swift */; }; A988A3E22AFE54AC0008D2C7 /* AccountExpiry.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7A6F2FA62AFBB9AE006D0856 /* AccountExpiry.swift */; }; A988DF272ADE86ED00D807EF /* WireGuardObfuscationSettings.swift in Sources */ = {isa = PBXBuildFile; fileRef = A988DF252ADE86ED00D807EF /* WireGuardObfuscationSettings.swift */; }; @@ -2120,6 +2121,7 @@ A95EEE352B722CD600A8A39B /* TunnelMonitorState.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TunnelMonitorState.swift; sourceTree = ""; }; A95EEE372B722DFC00A8A39B /* PingStats.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PingStats.swift; sourceTree = ""; }; A970C89C2B29E38C000A7684 /* Socks5UsernamePasswordCommand.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Socks5UsernamePasswordCommand.swift; sourceTree = ""; }; + A97275552CE36CAE00029F15 /* DaitaV2Parameters.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = DaitaV2Parameters.swift; sourceTree = ""; }; A97D25AD2B0BB18100946B2D /* ProtocolObfuscator.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ProtocolObfuscator.swift; sourceTree = ""; }; A97D25AF2B0BB5C400946B2D /* ProtocolObfuscationStub.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ProtocolObfuscationStub.swift; sourceTree = ""; }; A97D25B12B0CB02D00946B2D /* ProtocolObfuscatorTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ProtocolObfuscatorTests.swift; sourceTree = ""; }; @@ -2714,6 +2716,7 @@ 449EBA252B975B9700DFA4EB /* EphemeralPeerReceiving.swift */, A90C48662C36BC2600DCB94C /* EphemeralPeerReceiver.swift */, A90C48682C36BF3900DCB94C /* TunnelProvider.swift */, + A97275552CE36CAE00029F15 /* DaitaV2Parameters.swift */, ); path = Protocols; sourceTree = ""; @@ -4721,7 +4724,6 @@ isa = PBXNativeTarget; buildConfigurationList = 58C7A44B2A863F4A0060C66F /* Build configuration list for PBXNativeTarget "PacketTunnelCore" */; buildPhases = ( - A9840BB22C69F7290030F05E /* Import maybenot_machines */, 58C7A4312A863F440060C66F /* Headers */, 58C7A4322A863F440060C66F /* Sources */, 58C7A4332A863F440060C66F /* Frameworks */, @@ -4973,6 +4975,7 @@ isa = PBXNativeTarget; buildConfigurationList = A992DA252C24709F00DE7CE5 /* Build configuration list for PBXNativeTarget "MullvadRustRuntime" */; buildPhases = ( + A93969802CE603110032A7A0 /* Import maybenot_machines */, A992DA2A2C2470B300DE7CE5 /* Build MullvadRustRuntime */, A992DA182C24709F00DE7CE5 /* Headers */, A992DA192C24709F00DE7CE5 /* Sources */, @@ -5351,7 +5354,7 @@ shellPath = /bin/sh; shellScript = "if [[ \"$(uname -m)\" == arm64 ]]; then\n export PATH=\"/opt/homebrew/bin:$PATH\"\nfi\n\nif which swiftlint > /dev/null; then\n swiftlint PacketTunnel/**/*.swift\nelse\n echo \"warning: SwiftLint not installed, download from https://github.com/realm/SwiftLint\"\nfi\n"; }; - A9840BB22C69F7290030F05E /* Import maybenot_machines */ = { + A93969802CE603110032A7A0 /* Import maybenot_machines */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 2147483647; files = ( @@ -5367,7 +5370,7 @@ ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "MAYBENOT_MACHINES=`cat ${SRCROOT}/../dist-assets/maybenot_machines`\ncat > ${SRCROOT}/PacketTunnelCore/Daita/Maybenot.swift << EOF\n// swiftlint:disable line_length\n// This is an autogenerated file, do not edit\npublic struct Maybenot {\n public let machines=\"\"\"\n$MAYBENOT_MACHINES\n\"\"\"\n public let maximumEvents: UInt32 = 1000\n public let maximumActions: UInt32 = 1000\n}\n// swiftlint:enable line_length\nEOF\n"; + shellScript = "MAYBENOT_MACHINES=`cat ${SRCROOT}/../dist-assets/maybenot_machines`\ncat > ${SRCROOT}/PacketTunnelCore/Daita/Maybenot.swift << EOF\n// swiftlint:disable line_length\n// This is an autogenerated file, do not edit\npublic struct Maybenot {\n public let machines=\"\"\"\n$MAYBENOT_MACHINES\n\"\"\"\n public let maximumEvents: UInt32 = 2048\n public let maximumActions: UInt32 = 1024\n public let maximumPadding: Double = 1.0\n public let maximumBlocking: Double = 1.0\n}\n// swiftlint:enable line_length\nEOF\n"; }; A992DA2A2C2470B300DE7CE5 /* Build MullvadRustRuntime */ = { isa = PBXShellScriptBuildPhase; @@ -5775,7 +5778,6 @@ 583832272AC3193600EA2071 /* PacketTunnelActor+SleepCycle.swift in Sources */, 58FE25DC2AA72A8F003D1918 /* AnyTask.swift in Sources */, F04AF92D2C466013004A8314 /* EphemeralPeerNegotiationState.swift in Sources */, - A9840BB42C69F78A0030F05E /* Maybenot.swift in Sources */, 58FE25D92AA72A8F003D1918 /* AutoCancellingTask.swift in Sources */, 58FE25E12AA72A9B003D1918 /* SettingsReaderProtocol.swift in Sources */, 58C7A4582A863FB90060C66F /* TunnelMonitorProtocol.swift in Sources */, @@ -6313,6 +6315,7 @@ 58D22412294C90210029F5F8 /* RelayConstraint.swift in Sources */, 7A7AD14F2BF21EF200B30B3C /* NameInputFormatter.swift in Sources */, 58D22413294C90210029F5F8 /* RelayConstraints.swift in Sources */, + A97275562CE36CAE00029F15 /* DaitaV2Parameters.swift in Sources */, 7AF9BE8C2A321D1F00DBFEDB /* RelayFilter.swift in Sources */, 58D22414294C90210029F5F8 /* RelayLocation.swift in Sources */, 581DA2732A1E227D0046ED47 /* RESTTypes.swift in Sources */, @@ -6447,6 +6450,7 @@ A9D9A4BB2C36D397004088DD /* EphemeralPeerNegotiator.swift in Sources */, A9D9A4B22C36D12D004088DD /* TunnelObfuscator.swift in Sources */, A9173C322C36CCDD00F6A08C /* EphemeralPeerReceiver.swift in Sources */, + A93969812CE606190032A7A0 /* Maybenot.swift in Sources */, F05919802C45515200C301F3 /* EphemeralPeerExchangeActor.swift in Sources */, ); runOnlyForDeploymentPostprocessing = 0; @@ -9512,7 +9516,7 @@ repositoryURL = "https://github.com/mullvad/wireguard-apple.git"; requirement = { kind = revision; - revision = 4499596651b4fe8a162e587c75a01615168f29a6; + revision = f6c6af02d3a9168589b8c109b4826b7f224fcf73; }; }; /* End XCRemoteSwiftPackageReference section */ diff --git a/ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved b/ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved index 1e8521cd2a6c..d7612d716d63 100644 --- a/ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved +++ b/ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved @@ -14,7 +14,7 @@ "kind" : "remoteSourceControl", "location" : "https://github.com/mullvad/wireguard-apple.git", "state" : { - "revision" : "4499596651b4fe8a162e587c75a01615168f29a6" + "revision" : "f6c6af02d3a9168589b8c109b4826b7f224fcf73" } } ], From 25381c8d8deadf27d741c232b6fb4d7d06fde40d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Em=C4=ABls?= Date: Fri, 20 Dec 2024 09:37:35 +0100 Subject: [PATCH 2/2] Use DAITAv2 on iOS --- ios/CHANGELOG.md | 5 + .../EphemeralPeerReceiver.swift | 27 +++++- .../include/mullvad_rust_runtime.h | 43 +++++---- .../Protocols/DaitaV2Parameters.swift | 31 ++++++ .../Protocols/EphemeralPeerReceiver.swift | 15 ++- .../Protocols/EphemeralPeerReceiving.swift | 9 +- .../PacketTunnelProvider.swift | 22 ++++- .../EphemeralPeerExchangingPipeline.swift | 23 ++++- .../MultiHopEphemeralPeerExchanger.swift | 26 +++-- .../SingleHopEphemeralPeerExchanger.swift | 14 ++- .../Actor/EphemeralPeerNegotiationState.swift | 10 +- .../Actor/PacketTunnelActor+PostQuantum.swift | 28 ++++-- .../Actor/PacketTunnelActor.swift | 13 +-- .../EphemeralPeerExchangingProtocol.swift | 9 +- ios/PacketTunnelCore/Daita/Maybenot.swift | 6 +- ...EphemeralPeerExchangingPipelineTests.swift | 36 ++++--- .../EphemeralPeerExchangeActorStub.swift | 17 +++- .../Mocks/KeyExchangingResultStub.swift | 19 ++-- .../MultiHopEphemeralPeerExchangerTests.swift | 15 ++- ...SingleHopEphemeralPeerExchangerTests.swift | 15 ++- .../ios_tcp_connection.rs | 15 --- mullvad-ios/src/ephemeral_peer_proxy/mod.rs | 94 +++++++++++++++++-- .../src/ephemeral_peer_proxy/peer_exchange.rs | 33 +++---- talpid-tunnel-config-client/src/lib.rs | 18 ++-- 24 files changed, 389 insertions(+), 154 deletions(-) create mode 100644 ios/MullvadTypes/Protocols/DaitaV2Parameters.swift diff --git a/ios/CHANGELOG.md b/ios/CHANGELOG.md index 80ffcf9643fe..e07472792269 100644 --- a/ios/CHANGELOG.md +++ b/ios/CHANGELOG.md @@ -21,6 +21,11 @@ Line wrap the file at 100 chars. Th * **Fixed**: for any bug fixes. * **Security**: in case of vulnerabilities. +## Unreleased +### Added +- Update to DAITA v2 - now machines are provided by relays dynamically instead + of using bundled ones. + ## [2024.11 - 2024-12-12] ### Added - Add WireGuard over Shadowsocks obfuscation. It can be enabled in "VPN settings". This will diff --git a/ios/MullvadRustRuntime/EphemeralPeerReceiver.swift b/ios/MullvadRustRuntime/EphemeralPeerReceiver.swift index 2b1b4adac53b..6752ec3e51fc 100644 --- a/ios/MullvadRustRuntime/EphemeralPeerReceiver.swift +++ b/ios/MullvadRustRuntime/EphemeralPeerReceiver.swift @@ -24,11 +24,13 @@ import WireGuardKitTypes /// - rawEphemeralPeerReceiver: A raw pointer to the running instance of `NEPacketTunnelProvider` /// - rawPresharedKey: A raw pointer to the quantum-secure pre shared key /// - rawEphemeralKey: A raw pointer to the ephemeral private key of the device -@_cdecl("swift_ephemeral_peer_ready") +/// - rawDaitaParameters: A raw pointer to negotiated DAITA parameters +@_silgen_name("swift_ephemeral_peer_ready") func receivePostQuantumKey( rawEphemeralPeerReceiver: UnsafeMutableRawPointer?, rawPresharedKey: UnsafeMutableRawPointer?, - rawEphemeralKey: UnsafeMutableRawPointer? + rawEphemeralKey: UnsafeMutableRawPointer?, + rawDaitaParameters: UnsafePointer? ) { guard let rawEphemeralPeerReceiver else { return } let ephemeralPeerReceiver = Unmanaged.fromOpaque(rawEphemeralPeerReceiver) @@ -41,12 +43,29 @@ func receivePostQuantumKey( return } + let maybeNot = Maybenot() + let daitaParameters: DaitaV2Parameters? = rawDaitaParameters?.withMemoryRebound( + to: DaitaParameters.self, + capacity: 1 + ) { body in + let params = body.pointee + guard params.machines != nil else { return nil } + let machines = String(cString: params.machines) + return DaitaV2Parameters( + machines: machines, + maximumEvents: maybeNot.maximumEvents, + maximumActions: maybeNot.maximumActions, + maximumPadding: params.max_padding_frac, + maximumBlocking: params.max_blocking_frac + ) + } + // If there is a pre-shared key, an ephemeral peer was negotiated with Post Quantum options // Otherwise, a Daita enabled ephemeral peer was requested if let rawPresharedKey, let key = PreSharedKey(rawValue: Data(bytes: rawPresharedKey, count: 32)) { - ephemeralPeerReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey) + ephemeralPeerReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey, daitaParameters: daitaParameters) } else { - ephemeralPeerReceiver.receiveEphemeralPeerPrivateKey(ephemeralKey) + ephemeralPeerReceiver.receiveEphemeralPeerPrivateKey(ephemeralKey, daitaParameters: daitaParameters) } return } diff --git a/ios/MullvadRustRuntime/include/mullvad_rust_runtime.h b/ios/MullvadRustRuntime/include/mullvad_rust_runtime.h index 93c04587f16a..b10f4f81f25a 100644 --- a/ios/MullvadRustRuntime/include/mullvad_rust_runtime.h +++ b/ios/MullvadRustRuntime/include/mullvad_rust_runtime.h @@ -27,6 +27,12 @@ typedef struct ProxyHandle { uint16_t port; } ProxyHandle; +typedef struct DaitaParameters { + uint8_t *machines; + double max_padding_frac; + double max_blocking_frac; +} DaitaParameters; + typedef struct WgTcpConnectionFunctions { int32_t (*open_fn)(int32_t tunnelHandle, const char *address, uint64_t timeout); int32_t (*close_fn)(int32_t tunnelHandle, int32_t socketHandle); @@ -88,6 +94,22 @@ int32_t encrypted_dns_proxy_start(struct EncryptedDnsProxyState *encrypted_dns_p */ int32_t encrypted_dns_proxy_stop(struct ProxyHandle *proxy_config); +/** + * To be called when ephemeral peer exchange has finished. All parameters except + * `raw_packet_tunnel` are optional. + * + * # Safety: + * If the key exchange failed, all pointers except `raw_packet_tunnel` must be null. If the + * key exchange was successful, `raw_ephemeral_private_key` must be a valid pointer to 32 + * bytes for the lifetime of this call. If PQ was enabled, `raw_preshared_key` must be a valid + * pointer to 32 bytes for the lifetime of this call. If DAITA was requested, the + * `daita_prameters` must point to a valid instance of `DaitaParameters`. + */ +extern void swift_ephemeral_peer_ready(const void *raw_packet_tunnel, + const uint8_t *raw_preshared_key, + const uint8_t *raw_ephemeral_private_key, + const struct DaitaParameters *daita_parameters); + /** * Called by the Swift side to signal that the ephemeral peer exchange should be cancelled. * After this call, the cancel token is no longer valid. @@ -112,11 +134,11 @@ void drop_ephemeral_peer_exchange_token(struct ExchangeCancelToken *sender); * Entry point for requesting ephemeral peers on iOS. * The TCP connection must be created to go through the tunnel. * # Safety - * `public_key` and `ephemeral_key` must be valid respective `PublicKey` and `PrivateKey` types. - * They will not be valid after this function is called, and thus must be copied here. - * `packet_tunnel` must be valid pointers to a packet tunnel, the packet tunnel pointer must - * outlive the ephemeral peer exchange. `cancel_token` should be owned by the caller of this - * function. + * `public_key` and `ephemeral_key` must be valid respective `PublicKey` and `PrivateKey` types, + * specifically, they must be valid pointers to 32 bytes. They will not be valid after this + * function is called, and thus must be copied here. `packet_tunnel` must be valid pointers to a + * packet tunnel, the packet tunnel pointer must outlive the ephemeral peer exchange. + * `cancel_token` should be owned by the caller of this function. */ struct ExchangeCancelToken *request_ephemeral_peer(const uint8_t *public_key, const uint8_t *ephemeral_key, @@ -124,17 +146,6 @@ struct ExchangeCancelToken *request_ephemeral_peer(const uint8_t *public_key, int32_t tunnel_handle, struct EphemeralPeerParameters peer_parameters); -/** - * Called when the preshared post quantum key is ready, - * or when a Daita peer has been successfully requested. - * `raw_preshared_key` will be NULL if: - * - The post quantum key negotiation failed - * - A Daita peer has been requested without enabling post quantum keys. - */ -extern void swift_ephemeral_peer_ready(const void *raw_packet_tunnel, - const uint8_t *raw_preshared_key, - const uint8_t *raw_ephemeral_private_key); - /** * # Safety * `addr`, `password`, `cipher` must be valid for the lifetime of this function call and they must diff --git a/ios/MullvadTypes/Protocols/DaitaV2Parameters.swift b/ios/MullvadTypes/Protocols/DaitaV2Parameters.swift new file mode 100644 index 000000000000..53ab61ada42f --- /dev/null +++ b/ios/MullvadTypes/Protocols/DaitaV2Parameters.swift @@ -0,0 +1,31 @@ +// +// DaitaV2Parameters.swift +// MullvadTypes +// +// Created by Marco Nikic on 2024-11-12. +// Copyright © 2024 Mullvad VPN AB. All rights reserved. +// + +import Foundation + +public struct DaitaV2Parameters: Equatable { + public let machines: String + public let maximumEvents: UInt32 + public let maximumActions: UInt32 + public let maximumPadding: Double + public let maximumBlocking: Double + + public init( + machines: String, + maximumEvents: UInt32, + maximumActions: UInt32, + maximumPadding: Double, + maximumBlocking: Double + ) { + self.machines = machines + self.maximumEvents = maximumEvents + self.maximumActions = maximumActions + self.maximumPadding = maximumPadding + self.maximumBlocking = maximumBlocking + } +} diff --git a/ios/MullvadTypes/Protocols/EphemeralPeerReceiver.swift b/ios/MullvadTypes/Protocols/EphemeralPeerReceiver.swift index 7f4566946802..91519c746cdc 100644 --- a/ios/MullvadTypes/Protocols/EphemeralPeerReceiver.swift +++ b/ios/MullvadTypes/Protocols/EphemeralPeerReceiver.swift @@ -29,19 +29,26 @@ public class EphemeralPeerReceiver: EphemeralPeerReceiving, TunnelProvider { // MARK: - EphemeralPeerReceiving - public func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) { + public func receivePostQuantumKey( + _ key: PreSharedKey, + ephemeralKey: PrivateKey, + daitaParameters: DaitaV2Parameters? + ) { let semaphore = DispatchSemaphore(value: 0) Task { - await keyReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey) + await keyReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey, daitaParameters: daitaParameters) semaphore.signal() } semaphore.wait() } - public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) { + public func receiveEphemeralPeerPrivateKey( + _ ephemeralPeerPrivateKey: PrivateKey, + daitaParameters: DaitaV2Parameters? + ) { let semaphore = DispatchSemaphore(value: 0) Task { - await keyReceiver.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey) + await keyReceiver.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey, daitaParameters: daitaParameters) semaphore.signal() } semaphore.wait() diff --git a/ios/MullvadTypes/Protocols/EphemeralPeerReceiving.swift b/ios/MullvadTypes/Protocols/EphemeralPeerReceiving.swift index cc1c8f0f8aae..d799dd646c35 100644 --- a/ios/MullvadTypes/Protocols/EphemeralPeerReceiving.swift +++ b/ios/MullvadTypes/Protocols/EphemeralPeerReceiving.swift @@ -15,11 +15,14 @@ public protocol EphemeralPeerReceiving { /// - Parameters: /// - key: The preshared key used by the Ephemeral Peer /// - ephemeralKey: The private key used by the Ephemeral Peer - func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) async + /// - daitaParameters: DAITA parameters + func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey, daitaParameters: DaitaV2Parameters?) async /// Called when successfully requesting an ephemeral peer with Daita enabled, and Post Quantum PSK disabled - /// - Parameter _:_ The private key used by the Ephemeral Peer - func receiveEphemeralPeerPrivateKey(_: PrivateKey) async + /// - Parameters: + /// - _: The private key used by the Ephemeral Peer + /// - daitaParameters: DAITA parameters + func receiveEphemeralPeerPrivateKey(_: PrivateKey, daitaParameters: DaitaV2Parameters?) async /// Called when an ephemeral peer could not be successfully negotiated func ephemeralPeerExchangeFailed() diff --git a/ios/PacketTunnel/PacketTunnelProvider/PacketTunnelProvider.swift b/ios/PacketTunnel/PacketTunnelProvider/PacketTunnelProvider.swift index 75678417ef51..133ba93b8aca 100644 --- a/ios/PacketTunnel/PacketTunnelProvider/PacketTunnelProvider.swift +++ b/ios/PacketTunnel/PacketTunnelProvider/PacketTunnelProvider.swift @@ -376,12 +376,26 @@ extension PacketTunnelProvider { } extension PacketTunnelProvider: EphemeralPeerReceiving { - func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) async { - await ephemeralPeerExchangingPipeline.receivePostQuantumKey(key, ephemeralKey: ephemeralKey) + func receivePostQuantumKey( + _ key: PreSharedKey, + ephemeralKey: PrivateKey, + daitaParameters: MullvadTypes.DaitaV2Parameters? + ) async { + await ephemeralPeerExchangingPipeline.receivePostQuantumKey( + key, + ephemeralKey: ephemeralKey, + daitaParameters: daitaParameters + ) } - public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) async { - await ephemeralPeerExchangingPipeline.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey) + public func receiveEphemeralPeerPrivateKey( + _ ephemeralPeerPrivateKey: PrivateKey, + daitaParameters: MullvadTypes.DaitaV2Parameters? + ) async { + await ephemeralPeerExchangingPipeline.receiveEphemeralPeerPrivateKey( + ephemeralPeerPrivateKey, + daitaParameters: daitaParameters + ) } func ephemeralPeerExchangeFailed() { diff --git a/ios/PacketTunnel/PostQuantum/EphemeralPeerExchangingPipeline.swift b/ios/PacketTunnel/PostQuantum/EphemeralPeerExchangingPipeline.swift index 1619889003ab..387c41213a4c 100644 --- a/ios/PacketTunnel/PostQuantum/EphemeralPeerExchangingPipeline.swift +++ b/ios/PacketTunnel/PostQuantum/EphemeralPeerExchangingPipeline.swift @@ -8,6 +8,7 @@ import MullvadRustRuntime import MullvadSettings +import MullvadTypes import PacketTunnelCore import WireGuardKitTypes @@ -59,11 +60,25 @@ final public class EphemeralPeerExchangingPipeline { await ephemeralPeerExchanger.start() } - public func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) async { - await ephemeralPeerExchanger.receivePostQuantumKey(key, ephemeralKey: ephemeralKey) + public func receivePostQuantumKey( + _ key: PreSharedKey, + ephemeralKey: PrivateKey, + daitaParameters: DaitaV2Parameters? + ) async { + await ephemeralPeerExchanger.receivePostQuantumKey( + key, + ephemeralKey: ephemeralKey, + daitaParameters: daitaParameters + ) } - public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) async { - await ephemeralPeerExchanger.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey) + public func receiveEphemeralPeerPrivateKey( + _ ephemeralPeerPrivateKey: PrivateKey, + daitaParameters: DaitaV2Parameters? + ) async { + await ephemeralPeerExchanger.receiveEphemeralPeerPrivateKey( + ephemeralPeerPrivateKey, + daitaParameters: daitaParameters + ) } } diff --git a/ios/PacketTunnel/PostQuantum/MultiHopEphemeralPeerExchanger.swift b/ios/PacketTunnel/PostQuantum/MultiHopEphemeralPeerExchanger.swift index 0e2bc97778a1..91e3db3bda0b 100644 --- a/ios/PacketTunnel/PostQuantum/MultiHopEphemeralPeerExchanger.swift +++ b/ios/PacketTunnel/PostQuantum/MultiHopEphemeralPeerExchanger.swift @@ -25,6 +25,7 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { private var entryPeerKey: EphemeralPeerKey! private var exitPeerKey: EphemeralPeerKey! + private var daitaParameters: DaitaV2Parameters? private let defaultGatewayAddressRange = [IPAddressRange(from: "\(LocalNetworkIPs.gatewayAddress.rawValue)/32")!] private let allTrafficRange = [ @@ -66,7 +67,11 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { await negotiateWithEntry() } - public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) async { + public func receiveEphemeralPeerPrivateKey( + _ ephemeralPeerPrivateKey: PrivateKey, + daitaParameters: DaitaV2Parameters? + ) async { + self.daitaParameters = daitaParameters if state == .negotiatingWithEntry { entryPeerKey = EphemeralPeerKey(ephemeralKey: ephemeralPeerPrivateKey) await negotiateBetweenEntryAndExit() @@ -78,8 +83,10 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { func receivePostQuantumKey( _ preSharedKey: PreSharedKey, - ephemeralKey: PrivateKey + ephemeralKey: PrivateKey, + daitaParameters: DaitaV2Parameters? ) async { + self.daitaParameters = daitaParameters if state == .negotiatingWithEntry { entryPeerKey = EphemeralPeerKey(preSharedKey: preSharedKey, ephemeralKey: ephemeralKey) await negotiateBetweenEntryAndExit() @@ -95,7 +102,8 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { relay: entry, configuration: EphemeralPeerConfiguration( privateKey: devicePrivateKey, - allowedIPs: defaultGatewayAddressRange + allowedIPs: defaultGatewayAddressRange, + daitaParameters: daitaParameters ) ))) keyExchanger.startNegotiation( @@ -113,14 +121,16 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { configuration: EphemeralPeerConfiguration( privateKey: entryPeerKey.ephemeralKey, preSharedKey: entryPeerKey.preSharedKey, - allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!] + allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!], + daitaParameters: self.daitaParameters ) ), exit: EphemeralPeerRelayConfiguration( relay: exit, configuration: EphemeralPeerConfiguration( privateKey: devicePrivateKey, - allowedIPs: defaultGatewayAddressRange + allowedIPs: defaultGatewayAddressRange, + daitaParameters: self.daitaParameters ) ) )) @@ -140,7 +150,8 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { configuration: EphemeralPeerConfiguration( privateKey: entryPeerKey.ephemeralKey, preSharedKey: entryPeerKey.preSharedKey, - allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!] + allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!], + daitaParameters: self.daitaParameters ) ), exit: EphemeralPeerRelayConfiguration( @@ -148,7 +159,8 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { configuration: EphemeralPeerConfiguration( privateKey: exitPeerKey.ephemeralKey, preSharedKey: exitPeerKey.preSharedKey, - allowedIPs: allTrafficRange + allowedIPs: allTrafficRange, + daitaParameters: self.daitaParameters ) ) )) diff --git a/ios/PacketTunnel/PostQuantum/SingleHopEphemeralPeerExchanger.swift b/ios/PacketTunnel/PostQuantum/SingleHopEphemeralPeerExchanger.swift index 3c6ab5631ac4..fc9a08f98978 100644 --- a/ios/PacketTunnel/PostQuantum/SingleHopEphemeralPeerExchanger.swift +++ b/ios/PacketTunnel/PostQuantum/SingleHopEphemeralPeerExchanger.swift @@ -45,7 +45,8 @@ struct SingleHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { relay: exit, configuration: EphemeralPeerConfiguration( privateKey: devicePrivateKey, - allowedIPs: [IPAddressRange(from: "\(LocalNetworkIPs.gatewayAddress.rawValue)/32")!] + allowedIPs: [IPAddressRange(from: "\(LocalNetworkIPs.gatewayAddress.rawValue)/32")!], + daitaParameters: nil ) ))) keyExchanger.startNegotiation( @@ -55,7 +56,7 @@ struct SingleHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { ) } - public func receiveEphemeralPeerPrivateKey(_ ephemeralKey: PrivateKey) async { + public func receiveEphemeralPeerPrivateKey(_ ephemeralKey: PrivateKey, daitaParameters: DaitaV2Parameters?) async { await onUpdateConfiguration(.single(EphemeralPeerRelayConfiguration( relay: exit, configuration: EphemeralPeerConfiguration( @@ -64,7 +65,8 @@ struct SingleHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { allowedIPs: [ IPAddressRange(from: "\(LocalNetworkIPs.defaultRouteIpV4.rawValue)/0")!, IPAddressRange(from: "\(LocalNetworkIPs.defaultRouteIpV6.rawValue)/0")!, - ] + ], + daitaParameters: daitaParameters ) ))) self.onFinish() @@ -72,7 +74,8 @@ struct SingleHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { func receivePostQuantumKey( _ preSharedKey: WireGuardKitTypes.PreSharedKey, - ephemeralKey: WireGuardKitTypes.PrivateKey + ephemeralKey: WireGuardKitTypes.PrivateKey, + daitaParameters: DaitaV2Parameters? ) async { await onUpdateConfiguration(.single(EphemeralPeerRelayConfiguration( relay: exit, @@ -82,7 +85,8 @@ struct SingleHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol { allowedIPs: [ IPAddressRange(from: "\(LocalNetworkIPs.defaultRouteIpV4.rawValue)/0")!, IPAddressRange(from: "\(LocalNetworkIPs.defaultRouteIpV6.rawValue)/0")!, - ] + ], + daitaParameters: daitaParameters ) ))) self.onFinish() diff --git a/ios/PacketTunnelCore/Actor/EphemeralPeerNegotiationState.swift b/ios/PacketTunnelCore/Actor/EphemeralPeerNegotiationState.swift index 339e458ce266..18eee61f3b0a 100644 --- a/ios/PacketTunnelCore/Actor/EphemeralPeerNegotiationState.swift +++ b/ios/PacketTunnelCore/Actor/EphemeralPeerNegotiationState.swift @@ -7,6 +7,7 @@ // import MullvadREST +import MullvadTypes import WireGuardKitTypes public enum EphemeralPeerNegotiationState: Equatable { @@ -43,11 +44,18 @@ public struct EphemeralPeerConfiguration: Equatable, CustomDebugStringConvertibl public let privateKey: PrivateKey public let preSharedKey: PreSharedKey? public let allowedIPs: [IPAddressRange] + public let daitaParameters: DaitaV2Parameters? - public init(privateKey: PrivateKey, preSharedKey: PreSharedKey? = nil, allowedIPs: [IPAddressRange]) { + public init( + privateKey: PrivateKey, + preSharedKey: PreSharedKey? = nil, + allowedIPs: [IPAddressRange], + daitaParameters: DaitaV2Parameters? + ) { self.privateKey = privateKey self.preSharedKey = preSharedKey self.allowedIPs = allowedIPs + self.daitaParameters = daitaParameters } public var debugDescription: String { diff --git a/ios/PacketTunnelCore/Actor/PacketTunnelActor+PostQuantum.swift b/ios/PacketTunnelCore/Actor/PacketTunnelActor+PostQuantum.swift index f35677c84622..ced44e3a3d09 100644 --- a/ios/PacketTunnelCore/Actor/PacketTunnelActor+PostQuantum.swift +++ b/ios/PacketTunnelCore/Actor/PacketTunnelActor+PostQuantum.swift @@ -7,6 +7,7 @@ // import Foundation +import MullvadTypes import WireGuardKitTypes extension PacketTunnelActor { @@ -65,14 +66,6 @@ extension PacketTunnelActor { } var daitaConfiguration: DaitaConfiguration? - if settings.daita.daitaState.isEnabled { - let maybeNot = Maybenot() - daitaConfiguration = DaitaConfiguration( - machines: maybeNot.machines, - maxEvents: maybeNot.maximumEvents, - maxActions: maybeNot.maximumActions - ) - } switch configuration { case let .single(hop): @@ -81,6 +74,9 @@ extension PacketTunnelActor { settings: settings, connectionData: connectionData ).make().exitConfiguration + if settings.daita.daitaState.isEnabled, let daitaSettings = hop.configuration.daitaParameters { + daitaConfiguration = DaitaConfiguration(daita: daitaSettings) + } try await tunnelAdapter.start(configuration: exitConfiguration, daita: daitaConfiguration) case let .multi(firstHop, secondHop): @@ -90,6 +86,10 @@ extension PacketTunnelActor { connectionData: connectionData ).make() + if settings.daita.daitaState.isEnabled, let daitaSettings = firstHop.configuration.daitaParameters { + daitaConfiguration = DaitaConfiguration(daita: daitaSettings) + } + try await tunnelAdapter.startMultihop( entryConfiguration: connectionConfiguration.entryConfiguration, exitConfiguration: connectionConfiguration.exitConfiguration, daita: daitaConfiguration @@ -97,3 +97,15 @@ extension PacketTunnelActor { } } } + +extension DaitaConfiguration { + init(daita: DaitaV2Parameters) { + self = DaitaConfiguration( + machines: daita.machines, + maxEvents: daita.maximumEvents, + maxActions: daita.maximumActions, + maxPadding: daita.maximumPadding, + maxBlocking: daita.maximumBlocking + ) + } +} diff --git a/ios/PacketTunnelCore/Actor/PacketTunnelActor.swift b/ios/PacketTunnelCore/Actor/PacketTunnelActor.swift index d9cce79f576d..469bf0fa20d9 100644 --- a/ios/PacketTunnelCore/Actor/PacketTunnelActor.swift +++ b/ios/PacketTunnelCore/Actor/PacketTunnelActor.swift @@ -307,20 +307,11 @@ extension PacketTunnelActor { startDefaultPathObserver(notifyObserverWithCurrentPath: true) } - var daitaConfiguration: DaitaConfiguration? - if settings.daita.daitaState.isEnabled { - let maybeNot = Maybenot() - daitaConfiguration = DaitaConfiguration( - machines: maybeNot.machines, - maxEvents: maybeNot.maximumEvents, - maxActions: maybeNot.maximumActions - ) - } - + // Daita parameters are gotten from an ephemeral peer try await tunnelAdapter.startMultihop( entryConfiguration: configuration.entryConfiguration, exitConfiguration: configuration.exitConfiguration, - daita: daitaConfiguration + daita: nil ) // Resume tunnel monitoring and use IPv4 gateway as a probe address. diff --git a/ios/PacketTunnelCore/Actor/Protocols/EphemeralPeerExchangingProtocol.swift b/ios/PacketTunnelCore/Actor/Protocols/EphemeralPeerExchangingProtocol.swift index a0d596fd9e18..1155f516e25d 100644 --- a/ios/PacketTunnelCore/Actor/Protocols/EphemeralPeerExchangingProtocol.swift +++ b/ios/PacketTunnelCore/Actor/Protocols/EphemeralPeerExchangingProtocol.swift @@ -6,10 +6,15 @@ // Copyright © 2024 Mullvad VPN AB. All rights reserved. // +import MullvadTypes import WireGuardKitTypes public protocol EphemeralPeerExchangingProtocol { func start() async - func receivePostQuantumKey(_ preSharedKey: PreSharedKey, ephemeralKey: PrivateKey) async - func receiveEphemeralPeerPrivateKey(_: PrivateKey) async + func receivePostQuantumKey( + _ preSharedKey: PreSharedKey, + ephemeralKey: PrivateKey, + daitaParameters: DaitaV2Parameters? + ) async + func receiveEphemeralPeerPrivateKey(_: PrivateKey, daitaParameters: DaitaV2Parameters?) async } diff --git a/ios/PacketTunnelCore/Daita/Maybenot.swift b/ios/PacketTunnelCore/Daita/Maybenot.swift index fc5b0bd75cda..0bc682af753f 100644 --- a/ios/PacketTunnelCore/Daita/Maybenot.swift +++ b/ios/PacketTunnelCore/Daita/Maybenot.swift @@ -7,7 +7,9 @@ public struct Maybenot { 02eNqFjDkOgDAMBL056PkEJTVdvsY/+URKmojDmwiBUDyStbJ35DLuy5anWRrlqLTDcA0AkTXVkDt01ZAHwLFwludZeMsLLILlRRax4+lKcnrnl/8HJzqIIG0= 02eNpdjr0LQVEYxt9zGES5o4myKVksFM45lEHKx0LJYDAZ5C+QRTHIaGETViYDKYPp3ijFYLj3KkmGK2WwuVwiv3rrrafnA1Jm16ijKBQ+6NRDGPJ2E0Xe6YnAD0hFD9nm/ObIHumlv4imZ3Mm8DwvtaxB0Jy1IUex0pYIIB30lhuCYkYvwW6nQFSV41R1L8vkmwlgEOONVvEaYt1SwLhdhxn8gdBgEfXU7RFmzeR9YtPPxrbqOVkLsd29XJhIJfbqRomGheLcYUWeFgxQodrq9wcP1E88/w== """ - public let maximumEvents: UInt32 = 1000 - public let maximumActions: UInt32 = 1000 + public let maximumEvents: UInt32 = 2048 + public let maximumActions: UInt32 = 1024 + public let maximumPadding: Double = 1.0 + public let maximumBlocking: Double = 1.0 } // swiftlint:enable line_length diff --git a/ios/PacketTunnelCoreTests/EphemeralPeerExchangingPipelineTests.swift b/ios/PacketTunnelCoreTests/EphemeralPeerExchangingPipelineTests.swift index bbce8c8b44f7..e0ce35f2bfe7 100644 --- a/ios/PacketTunnelCoreTests/EphemeralPeerExchangingPipelineTests.swift +++ b/ios/PacketTunnelCoreTests/EphemeralPeerExchangingPipelineTests.swift @@ -77,9 +77,14 @@ final class EphemeralPeerExchangingPipelineTests: XCTestCase { negotiationSuccessful.fulfill() } - keyExchangeActor.delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, privateKey in - await postQuantumKeyExchangingPipeline.receivePostQuantumKey(preSharedKey, ephemeralKey: privateKey) - }) + keyExchangeActor + .delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, privateKey, daita in + await postQuantumKeyExchangingPipeline.receivePostQuantumKey( + preSharedKey, + ephemeralKey: privateKey, + daitaParameters: daita + ) + }) let connectionState = stubConnectionState(enableMultiHop: false, enablePostQuantum: true, enableDaita: false) await postQuantumKeyExchangingPipeline.startNegotiation(connectionState, privateKey: PrivateKey()) @@ -107,9 +112,13 @@ final class EphemeralPeerExchangingPipelineTests: XCTestCase { negotiationSuccessful.fulfill() } - keyExchangeActor.delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { privateKey in - await postQuantumKeyExchangingPipeline.receiveEphemeralPeerPrivateKey(privateKey) - }) + keyExchangeActor + .delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { privateKey, daitaParameters in + await postQuantumKeyExchangingPipeline.receiveEphemeralPeerPrivateKey( + privateKey, + daitaParameters: daitaParameters + ) + }) let connectionState = stubConnectionState(enableMultiHop: false, enablePostQuantum: false, enableDaita: true) await postQuantumKeyExchangingPipeline.startNegotiation(connectionState, privateKey: PrivateKey()) @@ -137,9 +146,14 @@ final class EphemeralPeerExchangingPipelineTests: XCTestCase { negotiationSuccessful.fulfill() } - keyExchangeActor.delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, privateKey in - await postQuantumKeyExchangingPipeline.receivePostQuantumKey(preSharedKey, ephemeralKey: privateKey) - }) + keyExchangeActor + .delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, privateKey, daita in + await postQuantumKeyExchangingPipeline.receivePostQuantumKey( + preSharedKey, + ephemeralKey: privateKey, + daitaParameters: daita + ) + }) let connectionState = stubConnectionState(enableMultiHop: true, enablePostQuantum: true, enableDaita: false) await postQuantumKeyExchangingPipeline.startNegotiation(connectionState, privateKey: PrivateKey()) @@ -167,8 +181,8 @@ final class EphemeralPeerExchangingPipelineTests: XCTestCase { negotiationSuccessful.fulfill() } - keyExchangeActor.delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { privateKey in - await postQuantumKeyExchangingPipeline.receiveEphemeralPeerPrivateKey(privateKey) + keyExchangeActor.delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { privateKey, daita in + await postQuantumKeyExchangingPipeline.receiveEphemeralPeerPrivateKey(privateKey, daitaParameters: daita) }) let connectionState = stubConnectionState(enableMultiHop: true, enablePostQuantum: false, enableDaita: true) diff --git a/ios/PacketTunnelCoreTests/Mocks/EphemeralPeerExchangeActorStub.swift b/ios/PacketTunnelCoreTests/Mocks/EphemeralPeerExchangeActorStub.swift index 2f217488200e..f3e00135e887 100644 --- a/ios/PacketTunnelCoreTests/Mocks/EphemeralPeerExchangeActorStub.swift +++ b/ios/PacketTunnelCoreTests/Mocks/EphemeralPeerExchangeActorStub.swift @@ -19,12 +19,25 @@ final class EphemeralPeerExchangeActorStub: EphemeralPeerExchangeActorProtocol { var delegate: EphemeralPeerReceiving? func startNegotiation(with privateKey: PrivateKey, enablePostQuantum: Bool, enableDaita: Bool) { + let daita = enableDaita + ? DaitaV2Parameters( + machines: "test", + maximumEvents: 1, + maximumActions: 1, + maximumPadding: 1.0, + maximumBlocking: 1.0 + ) + : nil switch result { case let .success((preSharedKey, ephemeralKey)): if enablePostQuantum { - Task { await delegate?.receivePostQuantumKey(preSharedKey, ephemeralKey: ephemeralKey) } + Task { await delegate?.receivePostQuantumKey( + preSharedKey, + ephemeralKey: ephemeralKey, + daitaParameters: daita + ) } } else { - Task { await delegate?.receiveEphemeralPeerPrivateKey(ephemeralKey) } + Task { await delegate?.receiveEphemeralPeerPrivateKey(ephemeralKey, daitaParameters: daita) } } case .failure: delegate?.ephemeralPeerExchangeFailed() diff --git a/ios/PacketTunnelCoreTests/Mocks/KeyExchangingResultStub.swift b/ios/PacketTunnelCoreTests/Mocks/KeyExchangingResultStub.swift index 250524ec0677..197ef54d3a9f 100644 --- a/ios/PacketTunnelCoreTests/Mocks/KeyExchangingResultStub.swift +++ b/ios/PacketTunnelCoreTests/Mocks/KeyExchangingResultStub.swift @@ -12,15 +12,22 @@ struct KeyExchangingResultStub: EphemeralPeerReceiving { var onFailure: (() -> Void)? - var onReceivePostQuantumKey: ((PreSharedKey, PrivateKey) async -> Void)? - var onReceiveEphemeralPeerPrivateKey: ((PrivateKey) async -> Void)? + var onReceivePostQuantumKey: ((PreSharedKey, PrivateKey, DaitaV2Parameters?) async -> Void)? + var onReceiveEphemeralPeerPrivateKey: ((PrivateKey, DaitaV2Parameters?) async -> Void)? - func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) async { - await onReceivePostQuantumKey?(key, ephemeralKey) + func receivePostQuantumKey( + _ key: PreSharedKey, + ephemeralKey: PrivateKey, + daitaParameters: DaitaV2Parameters? + ) async { + await onReceivePostQuantumKey?(key, ephemeralKey, daitaParameters) } - public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) async { - await onReceiveEphemeralPeerPrivateKey?(ephemeralPeerPrivateKey) + public func receiveEphemeralPeerPrivateKey( + _ ephemeralPeerPrivateKey: PrivateKey, + daitaParameters daitaParamters: MullvadTypes.DaitaV2Parameters? + ) async { + await onReceiveEphemeralPeerPrivateKey?(ephemeralPeerPrivateKey, daitaParamters) } func ephemeralPeerExchangeFailed() { diff --git a/ios/PacketTunnelCoreTests/MultiHopEphemeralPeerExchangerTests.swift b/ios/PacketTunnelCoreTests/MultiHopEphemeralPeerExchangerTests.swift index c55f5b4d6566..245d2d71b7e7 100644 --- a/ios/PacketTunnelCoreTests/MultiHopEphemeralPeerExchangerTests.swift +++ b/ios/PacketTunnelCoreTests/MultiHopEphemeralPeerExchangerTests.swift @@ -123,9 +123,14 @@ final class MultiHopEphemeralPeerExchangerTests: XCTestCase { negotiationSuccessful.fulfill() } - peerExchangeActor.delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, ephemeralKey in - await multiHopPeerExchanger.receivePostQuantumKey(preSharedKey, ephemeralKey: ephemeralKey) - }) + peerExchangeActor + .delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, ephemeralKey, daita in + await multiHopPeerExchanger.receivePostQuantumKey( + preSharedKey, + ephemeralKey: ephemeralKey, + daitaParameters: daita + ) + }) await multiHopPeerExchanger.start() wait( @@ -161,8 +166,8 @@ final class MultiHopEphemeralPeerExchangerTests: XCTestCase { negotiationSuccessful.fulfill() } - peerExchangeActor.delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { ephemeralKey in - await multiHopPeerExchanger.receiveEphemeralPeerPrivateKey(ephemeralKey) + peerExchangeActor.delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { ephemeralKey, daita in + await multiHopPeerExchanger.receiveEphemeralPeerPrivateKey(ephemeralKey, daitaParameters: daita) }) await multiHopPeerExchanger.start() diff --git a/ios/PacketTunnelCoreTests/SingleHopEphemeralPeerExchangerTests.swift b/ios/PacketTunnelCoreTests/SingleHopEphemeralPeerExchangerTests.swift index deb402abeb4a..6b7b8da2bb19 100644 --- a/ios/PacketTunnelCoreTests/SingleHopEphemeralPeerExchangerTests.swift +++ b/ios/PacketTunnelCoreTests/SingleHopEphemeralPeerExchangerTests.swift @@ -100,9 +100,14 @@ final class SingleHopEphemeralPeerExchangerTests: XCTestCase { negotiationSuccessful.fulfill() } - keyExchangeActor.delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, ephemeralKey in - await singleHopPostQuantumKeyExchanging.receivePostQuantumKey(preSharedKey, ephemeralKey: ephemeralKey) - }) + keyExchangeActor + .delegate = KeyExchangingResultStub(onReceivePostQuantumKey: { preSharedKey, ephemeralKey, daita in + await singleHopPostQuantumKeyExchanging.receivePostQuantumKey( + preSharedKey, + ephemeralKey: ephemeralKey, + daitaParameters: daita + ) + }) await singleHopPostQuantumKeyExchanging.start() wait( @@ -137,8 +142,8 @@ final class SingleHopEphemeralPeerExchangerTests: XCTestCase { negotiationSuccessful.fulfill() } - peerExchangeActor.delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { ephemeralKey in - await multiHopPeerExchanger.receiveEphemeralPeerPrivateKey(ephemeralKey) + peerExchangeActor.delegate = KeyExchangingResultStub(onReceiveEphemeralPeerPrivateKey: { ephemeralKey, daita in + await multiHopPeerExchanger.receiveEphemeralPeerPrivateKey(ephemeralKey, daitaParameters: daita) }) await multiHopPeerExchanger.start() diff --git a/mullvad-ios/src/ephemeral_peer_proxy/ios_tcp_connection.rs b/mullvad-ios/src/ephemeral_peer_proxy/ios_tcp_connection.rs index 3244e5f2d95c..1be9a18bf339 100644 --- a/mullvad-ios/src/ephemeral_peer_proxy/ios_tcp_connection.rs +++ b/mullvad-ios/src/ephemeral_peer_proxy/ios_tcp_connection.rs @@ -1,4 +1,3 @@ -use libc::c_void; use std::{ ffi::CStr, future::Future, @@ -71,20 +70,6 @@ impl WgTcpConnectionFunctions { } } -extern "C" { - /// Called when the preshared post quantum key is ready, - /// or when a Daita peer has been successfully requested. - /// `raw_preshared_key` will be NULL if: - /// - The post quantum key negotiation failed - /// - A Daita peer has been requested without enabling post quantum keys. - pub fn swift_ephemeral_peer_ready( - raw_packet_tunnel: *const c_void, - raw_preshared_key: *const u8, - raw_ephemeral_private_key: *const u8, - ); - -} - #[derive(Clone)] pub struct IosTcpProvider { tunnel_handle: i32, diff --git a/mullvad-ios/src/ephemeral_peer_proxy/mod.rs b/mullvad-ios/src/ephemeral_peer_proxy/mod.rs index 70d9347ad7a1..6d598c5e4048 100644 --- a/mullvad-ios/src/ephemeral_peer_proxy/mod.rs +++ b/mullvad-ios/src/ephemeral_peer_proxy/mod.rs @@ -2,11 +2,11 @@ pub mod ios_tcp_connection; pub mod peer_exchange; -use ios_tcp_connection::swift_ephemeral_peer_ready; use libc::c_void; use peer_exchange::EphemeralPeerExchange; -use std::{ptr, sync::Once}; +use std::{ffi::CString, ptr, sync::Once}; +use talpid_tunnel_config_client::DaitaSettings; static INIT_LOGGING: Once = Once::new(); #[derive(Clone)] @@ -17,17 +17,39 @@ pub struct PacketTunnelBridge { impl PacketTunnelBridge { fn fail_exchange(self) { - unsafe { swift_ephemeral_peer_ready(self.packet_tunnel, ptr::null(), ptr::null()) }; + // # Safety + // Call is safe as long as the `packet_tunnel` pointer is valid. Since a valid instance of + // `PacketTunnelBridge` requires the packet tunnel pointer to be valid, it is assumed this + // call is safe. + unsafe { + swift_ephemeral_peer_ready(self.packet_tunnel, ptr::null(), ptr::null(), ptr::null()) + }; } - fn succeed_exchange(self, ephemeral_key: [u8; 32], preshared_key: Option<[u8; 32]>) { + fn succeed_exchange( + self, + ephemeral_key: [u8; 32], + preshared_key: Option<[u8; 32]>, + daita: Option, + ) { let ephemeral_ptr = ephemeral_key.as_ptr(); let preshared_ptr = preshared_key .as_ref() .map(|key| key.as_ptr()) .unwrap_or(ptr::null()); - unsafe { swift_ephemeral_peer_ready(self.packet_tunnel, preshared_ptr, ephemeral_ptr) }; + let daita_ptr = daita + .as_ref() + .map(|params| params as *const _) + .unwrap_or(ptr::null()); + // # Safety + // The `packet_tunnel` pointer must be valid, much like the call in `fail_exchange`, but + // since the other arguments here are non-null, these pointers (`preshared_ptr`, + // `ephmerela_ptr` and `daita_ptr`) have to be valid too. Since they point to local + // variables or are null, the pointer values will be valid for the lifetime of the call. + unsafe { + swift_ephemeral_peer_ready(self.packet_tunnel, preshared_ptr, ephemeral_ptr, daita_ptr) + }; } } @@ -42,6 +64,54 @@ pub struct EphemeralPeerParameters { pub funcs: ios_tcp_connection::WgTcpConnectionFunctions, } +#[repr(C)] +pub struct DaitaParameters { + pub machines: *mut u8, + pub max_padding_frac: f64, + pub max_blocking_frac: f64, +} + +impl DaitaParameters { + fn new(settings: DaitaSettings) -> Option { + let machines_string = settings.client_machines.join("\n"); + let machines = CString::new(machines_string).ok()?.into_raw().cast(); + Some(Self { + machines, + max_padding_frac: settings.max_padding_frac, + max_blocking_frac: settings.max_blocking_frac, + }) + } +} + +impl Drop for DaitaParameters { + fn drop(&mut self) { + // # Safety + // `machines` pointer must be a valid pointer to a CString. This can be achieved by + // ensuring that `DaitaParameters` are constructed via `DaitaParameters::new` and the + // `machines` pointer is never written to. + let _ = unsafe { CString::from_raw(self.machines.cast()) }; + } +} + +extern "C" { + /// To be called when ephemeral peer exchange has finished. All parameters except + /// `raw_packet_tunnel` are optional. + /// + /// # Safety: + /// If the key exchange failed, all pointers except `raw_packet_tunnel` must be null. If the + /// key exchange was successful, `raw_ephemeral_private_key` must be a valid pointer to 32 + /// bytes for the lifetime of this call. If PQ was enabled, `raw_preshared_key` must be a valid + /// pointer to 32 bytes for the lifetime of this call. If DAITA was requested, the + /// `daita_prameters` must point to a valid instance of `DaitaParameters`. + pub fn swift_ephemeral_peer_ready( + raw_packet_tunnel: *const c_void, + raw_preshared_key: *const u8, + raw_ephemeral_private_key: *const u8, + daita_parameters: *const DaitaParameters, + ); + +} + /// Called by the Swift side to signal that the ephemeral peer exchange should be cancelled. /// After this call, the cancel token is no longer valid. /// @@ -73,11 +143,11 @@ pub unsafe extern "C" fn drop_ephemeral_peer_exchange_token( /// Entry point for requesting ephemeral peers on iOS. /// The TCP connection must be created to go through the tunnel. /// # Safety -/// `public_key` and `ephemeral_key` must be valid respective `PublicKey` and `PrivateKey` types. -/// They will not be valid after this function is called, and thus must be copied here. -/// `packet_tunnel` must be valid pointers to a packet tunnel, the packet tunnel pointer must -/// outlive the ephemeral peer exchange. `cancel_token` should be owned by the caller of this -/// function. +/// `public_key` and `ephemeral_key` must be valid respective `PublicKey` and `PrivateKey` types, +/// specifically, they must be valid pointers to 32 bytes. They will not be valid after this +/// function is called, and thus must be copied here. `packet_tunnel` must be valid pointers to a +/// packet tunnel, the packet tunnel pointer must outlive the ephemeral peer exchange. +/// `cancel_token` should be owned by the caller of this function. #[no_mangle] pub unsafe extern "C" fn request_ephemeral_peer( public_key: *const u8, @@ -92,7 +162,11 @@ pub unsafe extern "C" fn request_ephemeral_peer( .init(); }); + // # Safety + // `public_key` pointer must be a valid pointer to 32 unsigned bytes. let pub_key: [u8; 32] = unsafe { ptr::read(public_key as *const [u8; 32]) }; + // # Safety + // `ephemeral_key` pointer must be a valid pointer to 32 unsigned bytes. let eph_key: [u8; 32] = unsafe { ptr::read(ephemeral_key as *const [u8; 32]) }; let handle = match crate::mullvad_ios_runtime() { diff --git a/mullvad-ios/src/ephemeral_peer_proxy/peer_exchange.rs b/mullvad-ios/src/ephemeral_peer_proxy/peer_exchange.rs index ee9a512777e8..f65ccd016610 100644 --- a/mullvad-ios/src/ephemeral_peer_proxy/peer_exchange.rs +++ b/mullvad-ios/src/ephemeral_peer_proxy/peer_exchange.rs @@ -1,6 +1,8 @@ -use super::{ios_tcp_connection::*, EphemeralPeerParameters, PacketTunnelBridge}; +use super::{ios_tcp_connection::*, DaitaParameters, EphemeralPeerParameters, PacketTunnelBridge}; use std::{ffi::CStr, sync::Mutex, thread}; -use talpid_tunnel_config_client::{request_ephemeral_peer_with, Error, RelayConfigService}; +use talpid_tunnel_config_client::{ + request_ephemeral_peer_with, EphemeralPeer, Error, RelayConfigService, +}; use talpid_types::net::wireguard::{PrivateKey, PublicKey}; use tokio::{runtime::Handle as TokioHandle, task::JoinHandle}; use tonic::transport::channel::Endpoint; @@ -139,24 +141,15 @@ impl EphemeralPeerExchange { self.peer_parameters.enable_daita, ) => { match ephemeral_peer { - Ok(peer) => { - match peer.psk { - Some(preshared_key) => { - let preshared_key_bytes = *preshared_key.as_bytes(); - thread::spawn(move || { - let Self{ ephemeral_key, packet_tunnel, .. } = self; - packet_tunnel.succeed_exchange(ephemeral_key, Some(preshared_key_bytes)); - }); - - }, - None => { - // Daita peer was requested, but without enabling post quantum keys - thread::spawn(move || { - let Self{ ephemeral_key, packet_tunnel, .. } = self; - packet_tunnel.succeed_exchange(ephemeral_key, None); - }); - } - } + Ok(EphemeralPeer { psk, daita }) => { + thread::spawn(move || { + let Self{ ephemeral_key, packet_tunnel, .. } = self; + packet_tunnel.succeed_exchange( + ephemeral_key, + psk.map(|psk| *psk.as_bytes()), + daita.and_then(DaitaParameters::new) + ); + }); }, Err(error) => { log::error!("Key exchange failed {}", error); diff --git a/talpid-tunnel-config-client/src/lib.rs b/talpid-tunnel-config-client/src/lib.rs index f13832fa609b..bfa3deb29277 100644 --- a/talpid-tunnel-config-client/src/lib.rs +++ b/talpid-tunnel-config-client/src/lib.rs @@ -22,7 +22,7 @@ mod proto { tonic::include_proto!("ephemeralpeer"); } -#[cfg(all(unix, not(target_os = "ios")))] +#[cfg(unix)] const DAITA_VERSION: u32 = 2; #[derive(Debug)] @@ -88,7 +88,7 @@ pub const CONFIG_SERVICE_PORT: u16 = 1337; pub struct EphemeralPeer { pub psk: Option, - #[cfg(all(unix, not(target_os = "ios")))] + #[cfg(unix)] pub daita: Option, } @@ -141,15 +141,15 @@ pub async fn request_ephemeral_peer_with( wg_parent_pubkey: parent_pubkey.as_bytes().to_vec(), wg_ephemeral_peer_pubkey: ephemeral_pubkey.as_bytes().to_vec(), post_quantum: pq_request, - #[cfg(any(windows, target_os = "ios"))] + #[cfg(windows)] daita: Some(proto::DaitaRequestV1 { activate_daita: enable_daita, }), - #[cfg(any(windows, target_os = "ios"))] + #[cfg(windows)] daita_v2: None, - #[cfg(all(unix, not(target_os = "ios")))] + #[cfg(unix)] daita: None, - #[cfg(all(unix, not(target_os = "ios")))] + #[cfg(unix)] daita_v2: enable_daita.then(|| proto::DaitaRequestV2 { level: i32::from(proto::DaitaLevel::LevelDefault), platform: i32::from(get_platform()), @@ -204,7 +204,7 @@ pub async fn request_ephemeral_peer_with( None }; - #[cfg(all(unix, not(target_os = "ios")))] + #[cfg(unix)] { let daita = response.daita.map(|daita| DaitaSettings { client_machines: daita.client_machines, @@ -217,13 +217,13 @@ pub async fn request_ephemeral_peer_with( Ok(EphemeralPeer { psk, daita }) } - #[cfg(any(windows, target_os = "ios"))] + #[cfg(windows)] { Ok(EphemeralPeer { psk }) } } -#[cfg(all(unix, not(target_os = "ios")))] +#[cfg(unix)] const fn get_platform() -> proto::DaitaPlatform { use proto::DaitaPlatform; const PLATFORM: DaitaPlatform = if cfg!(target_os = "windows") {