Compare commits

...

9 Commits

Author SHA1 Message Date
Andrej Mihajlov 296ec5b63e Kit: implement Codable
Signed-off-by: Andrej Mihajlov <and@mullvad.net>
2022-05-06 13:31:36 +02:00
Andrej Mihajlov 94fa120c73 Kit: rework keys implementation
Signed-off-by: Andrej Mihajlov <and@mullvad.net>
2022-05-06 13:31:28 +02:00
Roopesh Chander 23618f994f UI: When saving on-demand rules, deactivate if reqd and then save
Signed-off-by: Roopesh Chander <roop@roopc.net>
2021-09-28 00:16:35 +05:30
Roopesh Chander ba644415c7 UI: When saving on-demand rules on a config, enable on-demand if active
When a user saves on-demand rules on the configuration, set
onDemandEnabled to true if the tunnel is active, and false if it isn't.
Then deactivate the tunnel.

Signed-off-by: Roopesh Chander <roop@roopc.net>
2021-09-24 01:01:10 +05:30
Jason A. Donenfeld 10da5cfdef App: version bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-23 06:20:28 +02:00
Jason A. Donenfeld 75b6925deb UI: macOS: increase login detector file timeout
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-23 06:19:48 +02:00
Jason A. Donenfeld 03a59ff38e Model: migrate iOS 14 keychain references to iOS 15 format
Keychain references used to be bijective, but with the change in format,
Apple tried to be too clever, and references are no longer bijective.
This lead to us deleting keychain entries, which in turn emptied out
people's configs upon upgrading to iOS 15. Disaster!

Fix this by detecting the change in format and saving the new password
reference. We still rely on this being bijective moving forward;
hopefully this bug won't repeat itself. It would be nice to not rely on
that property, but doing so without grinding startup to a halt isn't
obviously done, given how slow the keychain accesses are and how limited
the API is.

Reported-by: Eddie <stunnel@attglobal.net>
Reported-by: Anatoli <me@anatoli.ws>
Reported-by: Alan Graham <alan@meshify.app>
Reported-by: Jacob Wilder <oss@jacobwilder.org>
Reported-by: Miguel Arroz <miguel.arroz@gmail.com>
Reported-by: Reid Rankin <reidrankin@gmail.com>
Reported-by: Fabien <patate.cosmique@pm.me>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-23 06:11:19 +02:00
Jason A. Donenfeld abf506c1fe UI: iOS: remove list pinking when no config
This reverts commit 86afd1a46a.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-23 06:08:53 +02:00
Jason A. Donenfeld dfb685f258 WireGuardApp: restore old keychain consistency behavior
This reverts commit adcbd17ebe.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-23 05:40:10 +02:00
8 changed files with 141 additions and 49 deletions
@@ -72,7 +72,7 @@ extension NETunnelProviderProtocol {
#error("Unimplemented")
#endif
guard passwordReference == nil else { return true }
wg_log(.debug, message: "Migrating tunnel configuration '\(name)'")
wg_log(.info, message: "Migrating tunnel configuration '\(name)'")
passwordReference = Keychain.makeReference(containing: oldConfig, called: name)
return true
}
@@ -81,6 +81,27 @@ extension NETunnelProviderProtocol {
providerConfiguration = ["UID": getuid()]
return true
}
#elseif os(iOS)
if #available(iOS 15, *) {
/* Update the stored reference from the old iOS 14 one to the canonical iOS 15 one.
* The iOS 14 ones are 96 bits, while the iOS 15 ones are 160 bits. We do this so
* that we can have fast set exclusion in deleteReferences safely. */
if passwordReference != nil && passwordReference!.count == 12 {
var result: CFTypeRef?
let ret = SecItemCopyMatching([kSecValuePersistentRef: passwordReference!,
kSecReturnPersistentRef: true] as CFDictionary,
&result)
if ret != errSecSuccess || result == nil {
return false
}
guard let newReference = result as? Data else { return false }
if !newReference.elementsEqual(passwordReference!) {
wg_log(.info, message: "Migrating iOS 14-style keychain reference to iOS 15-style keychain reference for '\(name)'")
passwordReference = newReference
return true
}
}
}
#endif
return false
}
+2 -2
View File
@@ -1,2 +1,2 @@
VERSION_NAME = 1.0.14
VERSION_ID = 25
VERSION_NAME = 1.0.15
VERSION_ID = 26
@@ -42,7 +42,7 @@ extension ActivateOnDemandOption {
}
}
tunnelProviderManager.onDemandRules = rules
tunnelProviderManager.isOnDemandEnabled = false
tunnelProviderManager.isOnDemandEnabled = (rules != nil) && tunnelProviderManager.isOnDemandEnabled
}
init(from tunnelProviderManager: NETunnelProviderManager) {
@@ -56,19 +56,21 @@ class TunnelsManager {
tunnelManager.saveToPreferences { _ in }
}
#if os(iOS)
let verify = true
let passwordRef = proto.verifyConfigurationReference() ? proto.passwordReference : nil
#elseif os(macOS)
let verify = proto.providerConfiguration?["UID"] as? uid_t == getuid()
let passwordRef: Data?
if proto.providerConfiguration?["UID"] as? uid_t == getuid() {
passwordRef = proto.verifyConfigurationReference() ? proto.passwordReference : nil
} else {
passwordRef = proto.passwordReference // To handle multiple users in macOS, we skip verifying
}
#else
#error("Unimplemented")
#endif
if verify && !proto.verifyConfigurationReference() {
wg_log(.error, message: "Unable to verify keychain entry of tunnel: \(tunnelManager.localizedDescription ?? "<unknown>")")
}
if let ref = proto.passwordReference {
if let ref = passwordRef {
refs.insert(ref)
} else {
wg_log(.error, message: "Removing orphaned tunnel with missing keychain entry: \(tunnelManager.localizedDescription ?? "<unknown>")")
wg_log(.info, message: "Removing orphaned tunnel with non-verifying keychain entry: \(tunnelManager.localizedDescription ?? "<unknown>")")
tunnelManager.removeFromPreferences { _ in }
tunnelManagers.remove(at: index)
}
@@ -204,7 +206,10 @@ class TunnelsManager {
}
}
func modify(tunnel: TunnelContainer, tunnelConfiguration: TunnelConfiguration, onDemandOption: ActivateOnDemandOption, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
func modify(tunnel: TunnelContainer, tunnelConfiguration: TunnelConfiguration,
onDemandOption: ActivateOnDemandOption,
shouldEnsureOnDemandEnabled: Bool = false,
completionHandler: @escaping (TunnelsManagerError?) -> Void) {
let tunnelName = tunnelConfiguration.name ?? ""
if tunnelName.isEmpty {
completionHandler(TunnelsManagerError.tunnelNameEmpty)
@@ -212,6 +217,20 @@ class TunnelsManager {
}
let tunnelProviderManager = tunnel.tunnelProvider
let isIntroducingOnDemandRules = (tunnelProviderManager.onDemandRules ?? []).isEmpty && onDemandOption != .off
if isIntroducingOnDemandRules && tunnel.status != .inactive && tunnel.status != .deactivating {
tunnel.onDeactivated = { [weak self] in
self?.modify(tunnel: tunnel, tunnelConfiguration: tunnelConfiguration,
onDemandOption: onDemandOption, shouldEnsureOnDemandEnabled: true,
completionHandler: completionHandler)
}
self.startDeactivation(of: tunnel)
return
} else {
tunnel.onDeactivated = nil
}
let oldName = tunnelProviderManager.localizedDescription ?? ""
let isNameChanged = tunnelName != oldName
if isNameChanged {
@@ -229,8 +248,11 @@ class TunnelsManager {
}
tunnelProviderManager.isEnabled = true
let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && onDemandOption != .off
let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && shouldEnsureOnDemandEnabled
onDemandOption.apply(on: tunnelProviderManager)
if shouldEnsureOnDemandEnabled {
tunnelProviderManager.isOnDemandEnabled = true
}
tunnelProviderManager.saveToPreferences { [weak self] error in
if let error = error {
@@ -497,6 +519,11 @@ class TunnelsManager {
}
}
if session.status == .disconnected {
tunnel.onDeactivated?()
tunnel.onDeactivated = nil
}
if tunnel.status == .restarting && session.status == .disconnected {
tunnel.startActivation(activationDelegate: self.activationDelegate)
return
@@ -567,6 +594,7 @@ class TunnelContainer: NSObject {
var activationAttemptId: String?
var activationTimer: Timer?
var deactivationTimer: Timer?
var onDeactivated: (() -> Void)?
fileprivate var tunnelProvider: NETunnelProviderManager {
didSet {
@@ -159,10 +159,6 @@ class TunnelListCell: UITableViewCell {
statusSwitch.isUserInteractionEnabled = (status == .inactive || status == .active)
}
if tunnel.tunnelConfiguration == nil {
statusSwitch.isUserInteractionEnabled = false
backgroundColor = .systemPink
}
}
private func reset(animated: Bool) {
@@ -344,7 +344,6 @@ extension TunnelsListTableViewController: UITableViewDelegate {
}
guard let tunnelsManager = tunnelsManager else { return }
let tunnel = tunnelsManager.tunnel(at: indexPath.row)
guard tunnel.tunnelConfiguration != nil else { return }
showTunnelDetail(for: tunnel, animated: true)
}
@@ -14,6 +14,6 @@ class LaunchedAtLoginDetector {
let then = data.withUnsafeBytes { ptr in
ptr.load(as: UInt64.self)
}
return now - then <= 5000000000
return now - then <= 20000000000
}
}
+78 -30
View File
@@ -7,8 +7,32 @@ import Foundation
import WireGuardKitC
#endif
/// The class describing a private key used by WireGuard.
public class PrivateKey: BaseKey {
/// Umbrella protocol for all kinds of keys.
public protocol WireGuardKey: RawRepresentable, Hashable, Codable where RawValue == Data {}
/// Class describing a private key used by WireGuard.
public final class PrivateKey: WireGuardKey {
public let rawValue: Data
/// Initialize the key with existing raw representation
public init?(rawValue: Data) {
if rawValue.count == WG_KEY_LEN {
self.rawValue = rawValue
} else {
return nil
}
}
/// Initialize new private key
convenience public init() {
var privateKeyData = Data(repeating: 0, count: Int(WG_KEY_LEN))
privateKeyData.withUnsafeMutableBytes { (rawBufferPointer: UnsafeMutableRawBufferPointer) in
let privateKeyBytes = rawBufferPointer.baseAddress!.assumingMemoryBound(to: UInt8.self)
curve25519_generate_private_key(privateKeyBytes)
}
self.init(rawValue: privateKeyData)!
}
/// Derived public key
public var publicKey: PublicKey {
return rawValue.withUnsafeBytes { (privateKeyBufferPointer: UnsafeRawBufferPointer) -> PublicKey in
@@ -23,29 +47,38 @@ public class PrivateKey: BaseKey {
return PublicKey(rawValue: publicKeyData)!
}
}
}
/// Initialize new private key
convenience public init() {
var privateKeyData = Data(repeating: 0, count: Int(WG_KEY_LEN))
privateKeyData.withUnsafeMutableBytes { (rawBufferPointer: UnsafeMutableRawBufferPointer) in
let privateKeyBytes = rawBufferPointer.baseAddress!.assumingMemoryBound(to: UInt8.self)
curve25519_generate_private_key(privateKeyBytes)
/// Class describing a public key used by WireGuard.
public final class PublicKey: WireGuardKey {
public let rawValue: Data
/// Initialize the key with existing raw representation
public init?(rawValue: Data) {
if rawValue.count == WG_KEY_LEN {
self.rawValue = rawValue
} else {
return nil
}
self.init(rawValue: privateKeyData)!
}
}
/// The class describing a public key used by WireGuard.
public class PublicKey: BaseKey {}
/// The class describing a pre-shared key used by WireGuard.
public class PreSharedKey: BaseKey {}
/// The base key implementation. Should not be used directly.
public class BaseKey: RawRepresentable, Equatable, Hashable {
/// Raw key representation
/// Class describing a pre-shared key used by WireGuard.
public final class PreSharedKey: WireGuardKey {
public let rawValue: Data
/// Initialize the key with existing raw representation
public init?(rawValue: Data) {
if rawValue.count == WG_KEY_LEN {
self.rawValue = rawValue
} else {
return nil
}
}
}
// Default implementation
extension WireGuardKey {
/// Hex encoded representation
public var hexKey: String {
return rawValue.withUnsafeBytes { (rawBufferPointer: UnsafeRawBufferPointer) -> String in
@@ -66,17 +99,8 @@ public class BaseKey: RawRepresentable, Equatable, Hashable {
}
}
/// Initialize the key with existing raw representation
required public init?(rawValue: Data) {
if rawValue.count == WG_KEY_LEN {
self.rawValue = rawValue
} else {
return nil
}
}
/// Initialize the key with hex representation
public convenience init?(hexKey: String) {
public init?(hexKey: String) {
var bytes = Data(repeating: 0, count: Int(WG_KEY_LEN))
let success = bytes.withUnsafeMutableBytes { (bufferPointer: UnsafeMutableRawBufferPointer) -> Bool in
return key_from_hex(bufferPointer.baseAddress!.assumingMemoryBound(to: UInt8.self), hexKey)
@@ -89,7 +113,7 @@ public class BaseKey: RawRepresentable, Equatable, Hashable {
}
/// Initialize the key with base64 representation
public convenience init?(base64Key: String) {
public init?(base64Key: String) {
var bytes = Data(repeating: 0, count: Int(WG_KEY_LEN))
let success = bytes.withUnsafeMutableBytes { (bufferPointer: UnsafeMutableRawBufferPointer) -> Bool in
return key_from_base64(bufferPointer.baseAddress!.assumingMemoryBound(to: UInt8.self), base64Key)
@@ -101,7 +125,31 @@ public class BaseKey: RawRepresentable, Equatable, Hashable {
}
}
public static func == (lhs: BaseKey, rhs: BaseKey) -> Bool {
// MARK: - Codable
public init(from decoder: Decoder) throws {
let container = try decoder.singleValueContainer()
let data = try container.decode(Data.self)
if let instance = Self.init(rawValue: data) {
self = instance
} else {
throw DecodingError.dataCorruptedError(
in: container,
debugDescription: "Corrupt key data."
)
}
}
public func encode(to encoder: Encoder) throws {
var container = encoder.singleValueContainer()
try container.encode(rawValue)
}
// MARK: - Equatable
public static func == (lhs: Self, rhs: Self) -> Bool {
return lhs.rawValue.withUnsafeBytes { (lhsBytes: UnsafeRawBufferPointer) -> Bool in
return rhs.rawValue.withUnsafeBytes { (rhsBytes: UnsafeRawBufferPointer) -> Bool in
return key_eq(