Draft PR for Post Quantum tunneling

buggmagnet · buggmagnet · commit 3f08309e06db · 2024-02-06T15:55:11.000+01:00
diff --git a/ios/MullvadSettings/TunnelSettings.swift b/ios/MullvadSettings/TunnelSettings.swift
@@ -9,7 +9,7 @@
 import Foundation
 
 /// Alias to the latest version of the `TunnelSettings`.
-public typealias LatestTunnelSettings = TunnelSettingsV3
+public typealias LatestTunnelSettings = TunnelSettingsV4
 
 /// Protocol all TunnelSettings must adhere to, for upgrade purposes.
 public protocol TunnelSettings: Codable {
@@ -27,22 +27,26 @@ public enum SchemaVersion: Int, Equatable {
     /// V2 format with WireGuard obfuscation options, stored as `TunnelSettingsV3`.
     case v3 = 3
 
+    case v4 = 4
+
     var settingsType: any TunnelSettings.Type {
         switch self {
         case .v1: return TunnelSettingsV1.self
         case .v2: return TunnelSettingsV2.self
         case .v3: return TunnelSettingsV3.self
+        case .v4: return TunnelSettingsV4.self
         }
     }
 
     var nextVersion: Self {
         switch self {
         case .v1: return .v2
         case .v2: return .v3
-        case .v3: return .v3
+        case .v3: return .v4
+        case .v4: return .v4
         }
     }
 
     /// Current schema version.
-    public static let current = SchemaVersion.v3
+    public static let current = SchemaVersion.v4
 }
diff --git a/ios/MullvadSettings/TunnelSettingsV3.swift b/ios/MullvadSettings/TunnelSettingsV3.swift
@@ -30,6 +30,11 @@ public struct TunnelSettingsV3: Codable, Equatable, TunnelSettings {
     }
 
     public func upgradeToNextVersion() -> any TunnelSettings {
-        self
+        TunnelSettingsV4(
+            relayConstraints: relayConstraints,
+            dnsSettings: dnsSettings,
+            wireGuardObfuscation: wireGuardObfuscation,
+            tunnelQuantumResistance: .automatic
+        )
     }
 }
diff --git a/ios/MullvadSettings/TunnelSettingsV4.swift b/ios/MullvadSettings/TunnelSettingsV4.swift
@@ -0,0 +1,40 @@
+//
+//  TunnelSettingsV4.swift
+//  MullvadSettings
+//
+//  Created by Marco Nikic on 2024-02-06.
+//  Copyright © 2024 Mullvad VPN AB. All rights reserved.
+//
+
+import Foundation
+import MullvadTypes
+
+public struct TunnelSettingsV4: Codable, Equatable, TunnelSettings {
+    /// Relay constraints.
+    public var relayConstraints: RelayConstraints
+
+    /// DNS settings.
+    public var dnsSettings: DNSSettings
+
+    /// WireGuard obfuscation settings
+    public var wireGuardObfuscation: WireGuardObfuscationSettings
+
+    /// Whether Post Quantum exchanges are enabled.
+    public var tunnelQuantumResistance: TunnelQuantumResistance
+
+    public init(
+        relayConstraints: RelayConstraints = RelayConstraints(),
+        dnsSettings: DNSSettings = DNSSettings(),
+        wireGuardObfuscation: WireGuardObfuscationSettings = WireGuardObfuscationSettings(),
+        tunnelQuantumResistance: TunnelQuantumResistance = .automatic
+    ) {
+        self.relayConstraints = relayConstraints
+        self.dnsSettings = dnsSettings
+        self.wireGuardObfuscation = wireGuardObfuscation
+        self.tunnelQuantumResistance = tunnelQuantumResistance
+    }
+
+    public func upgradeToNextVersion() -> any TunnelSettings {
+        self
+    }
+}
diff --git a/ios/MullvadSettings/WireGuardObfuscationSettings.swift b/ios/MullvadSettings/WireGuardObfuscationSettings.swift
@@ -17,6 +17,12 @@ public enum WireGuardObfuscationState: Codable {
     case off
 }
 
+public enum TunnelQuantumResistance: Codable {
+    case automatic
+    case on
+    case off
+}
+
 /// The port to select when using UDP-over-TCP obfuscation
 ///
 /// `.automatic` means an algorith will decide between using `port80` or `port5001`
diff --git a/ios/MullvadVPN.xcodeproj/project.pbxproj b/ios/MullvadVPN.xcodeproj/project.pbxproj
@@ -610,6 +610,7 @@
 		A917352129FAAA5200D5DCFD /* TransportStrategyTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = A917352029FAAA5200D5DCFD /* TransportStrategyTests.swift */; };
 		A91D78E32B03BDF200FCD5D3 /* TunnelObfuscation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5840231F2A406BF5007B27AC /* TunnelObfuscation.framework */; };
 		A91D78E42B03C01600FCD5D3 /* MullvadSettings.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 58B2FDD32AA71D2A003EB5C6 /* MullvadSettings.framework */; };
+		A93181A12B727ED700E341D2 /* TunnelSettingsV4.swift in Sources */ = {isa = PBXBuildFile; fileRef = A93181A02B727ED700E341D2 /* TunnelSettingsV4.swift */; };
 		A932D9EF2B5ADD0700999395 /* ProxyConfigurationTransportProvider.swift in Sources */ = {isa = PBXBuildFile; fileRef = A932D9EE2B5ADD0700999395 /* ProxyConfigurationTransportProvider.swift */; };
 		A932D9F32B5EB61100999395 /* HeadRequestTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = A932D9F22B5EB61100999395 /* HeadRequestTests.swift */; };
 		A932D9F52B5EBB9D00999395 /* RESTTransportStub.swift in Sources */ = {isa = PBXBuildFile; fileRef = A932D9F42B5EBB9D00999395 /* RESTTransportStub.swift */; };
@@ -1773,6 +1774,7 @@
 		A92ECC232A7802520052F1B1 /* StoredAccountData.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = StoredAccountData.swift; sourceTree = "<group>"; };
 		A92ECC272A7802AB0052F1B1 /* StoredDeviceData.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = StoredDeviceData.swift; sourceTree = "<group>"; };
 		A92ECC2B2A7803A50052F1B1 /* DeviceState.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = DeviceState.swift; sourceTree = "<group>"; };
+		A93181A02B727ED700E341D2 /* TunnelSettingsV4.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TunnelSettingsV4.swift; sourceTree = "<group>"; };
 		A932D9EE2B5ADD0700999395 /* ProxyConfigurationTransportProvider.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ProxyConfigurationTransportProvider.swift; sourceTree = "<group>"; };
 		A932D9F22B5EB61100999395 /* HeadRequestTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = HeadRequestTests.swift; sourceTree = "<group>"; };
 		A932D9F42B5EBB9D00999395 /* RESTTransportStub.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RESTTransportStub.swift; sourceTree = "<group>"; };
@@ -2794,6 +2796,7 @@
 				587AD7C523421D7000E93A53 /* TunnelSettingsV1.swift */,
 				580F8B8228197881002E0998 /* TunnelSettingsV2.swift */,
 				A988DF282ADE880300D807EF /* TunnelSettingsV3.swift */,
+				A93181A02B727ED700E341D2 /* TunnelSettingsV4.swift */,
 				A988DF252ADE86ED00D807EF /* WireGuardObfuscationSettings.swift */,
 			);
 			path = MullvadSettings;
@@ -4612,6 +4615,7 @@
 				58B2FDE42AA71D5C003EB5C6 /* SettingsManager.swift in Sources */,
 				F0164EBC2B482E430020268D /* AppStorage.swift in Sources */,
 				58B2FDE62AA71D5C003EB5C6 /* DeviceState.swift in Sources */,
+				A93181A12B727ED700E341D2 /* TunnelSettingsV4.swift in Sources */,
 				58FE25BF2AA72311003D1918 /* MigrationManager.swift in Sources */,
 				58B2FDEF2AA720C4003EB5C6 /* ApplicationTarget.swift in Sources */,
 				A988DF272ADE86ED00D807EF /* WireGuardObfuscationSettings.swift in Sources */,
@@ -5634,6 +5638,7 @@
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
+				"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = "";
 				GENERATE_INFOPLIST_FILE = YES;
@@ -6800,6 +6805,7 @@
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
+				"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = "";
 				GENERATE_INFOPLIST_FILE = YES;
@@ -7376,6 +7382,7 @@
 			buildSettings = {
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
+				"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "Apple Development";
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = "";
 				GENERATE_INFOPLIST_FILE = YES;
diff --git a/ios/PacketTunnel/PacketTunnelProvider/SettingsReader.swift b/ios/PacketTunnel/PacketTunnelProvider/SettingsReader.swift
@@ -21,7 +21,8 @@ struct SettingsReader: SettingsReaderProtocol {
             interfaceAddresses: [deviceData.ipv4Address, deviceData.ipv6Address],
             relayConstraints: settings.relayConstraints,
             dnsServers: settings.dnsSettings.selectedDNSServers,
-            obfuscation: settings.wireGuardObfuscation
+            obfuscation: settings.wireGuardObfuscation,
+            tunnelQuantumResistance: settings.tunnelQuantumResistance
         )
     }
 }
diff --git a/ios/PacketTunnel/WireGuardAdapter/WgAdapter.swift b/ios/PacketTunnel/WireGuardAdapter/WgAdapter.swift
@@ -29,6 +29,7 @@ struct WgAdapter: TunnelAdapterProtocol {
         )
     }
 
+    // TODO: Should we know here whether the configuration is for PQ key exchange or not ?
     func start(configuration: TunnelAdapterConfiguration) async throws {
         let wgConfig = configuration.asWgConfig
         do {
@@ -44,6 +45,21 @@ struct WgAdapter: TunnelAdapterProtocol {
         }
     }
 
+    func startPostQuantumKeyExchange(configuration: TunnelAdapterConfiguration) async throws {
+        let wgConfig = configuration.asWgPQConfig
+        do {
+            try await adapter.update(tunnelConfiguration: wgConfig)
+        } catch WireGuardAdapterError.invalidState {
+            try await adapter.start(tunnelConfiguration: wgConfig)
+        }
+
+        let tunAddresses = wgConfig.interface.addresses.map { $0.address }
+        // TUN addresses can be empty when adapter is configured for blocked state.
+        if !tunAddresses.isEmpty {
+            logIfDeviceHasSameIP(than: tunAddresses)
+        }
+    }
+
     func stop() async throws {
         try await adapter.stop()
     }
@@ -111,6 +127,8 @@ private extension TunnelAdapterConfiguration {
         if let peer {
             var peerConfig = PeerConfiguration(publicKey: peer.publicKey)
             peerConfig.endpoint = peer.endpoint.wgEndpoint
+            // TODO: change this to 10.64.0.1/32
+            // TODO: What about the IPv6 address here ?
             peerConfig.allowedIPs = [
                 IPAddressRange(from: "0.0.0.0/0")!,
                 IPAddressRange(from: "::/0")!,
@@ -124,6 +142,31 @@ private extension TunnelAdapterConfiguration {
             peers: peers
         )
     }
+
+    var asWgPQConfig: TunnelConfiguration {
+        var interfaceConfig = InterfaceConfiguration(privateKey: privateKey)
+        interfaceConfig.addresses = interfaceAddresses
+        interfaceConfig.dns = dns.map { DNSServer(address: $0) }
+        interfaceConfig.listenPort = 0
+
+        var peers: [PeerConfiguration] = []
+        if let peer {
+            var peerConfig = PeerConfiguration(publicKey: peer.publicKey)
+            peerConfig.endpoint = peer.endpoint.wgEndpoint
+            // TODO: change this to 10.64.0.1/32
+            // TODO: What about the IPv6 address here ?
+            peerConfig.allowedIPs = [
+                IPAddressRange(from: "10.64.0.1/32")!,
+            ]
+            peers.append(peerConfig)
+        }
+
+        return TunnelConfiguration(
+            name: nil,
+            interface: interfaceConfig,
+            peers: peers
+        )
+    }
 }
 
 private extension AnyIPEndpoint {
diff --git a/ios/PacketTunnelCore/Actor/Command.swift b/ios/PacketTunnelCore/Actor/Command.swift
@@ -10,6 +10,8 @@ import Foundation
 
 /// Describes action that actor can perform.
 enum Command {
+    case negotiatePostQuantumKey(StartOptions)
+
     /// Start tunnel.
     case start(StartOptions)
 
@@ -37,6 +39,8 @@ enum Command {
     /// Format command for log output.
     func logFormat() -> String {
         switch self {
+        case .negotiatePostQuantumKey:
+            return "PQ key exchange"
         case .start:
             return "start"
         case .stop:
diff --git a/ios/PacketTunnelCore/Actor/PacketTunnelActor.swift b/ios/PacketTunnelCore/Actor/PacketTunnelActor.swift
@@ -111,6 +111,8 @@ public actor PacketTunnelActor {
 
                 case let .networkReachability(defaultPath):
                     await handleDefaultPathChange(defaultPath)
+                case let .negotiatePostQuantumKey(StartOptions):
+                    await negotiatePostQuantumKeyExchange(StartOptions)
                 }
             }
         }
@@ -128,6 +130,7 @@ extension PacketTunnelActor {
      - Parameter options: start options produced by packet tunnel
      */
     private func start(options: StartOptions) async {
+        // TODO: Make sure that we are **Not** in the initial state anymore if PQ key exchange happened
         guard case .initial = state else { return }
 
         logger.debug("\(options.logFormat())")
@@ -147,6 +150,43 @@ extension PacketTunnelActor {
         }
     }
 
+    private func negotiatePostQuantumKeyExchange(_ options: StartOptions, nextRelay: NextRelay = .current) async {
+        // TODO: Should this be the same path as in a reconnection attempt ?
+        guard case .initial = state else { return }
+        do {
+            let settings: Settings = try settingsReader.read()
+            // `.automatic` is the same as `off` by default for now
+            if settings.tunnelQuantumResistance == .on {
+                // Generate the configuration for PQ key exchange
+                let postQuantumConfiguration = ConfigurationBuilder(
+                    privateKey: settings.privateKey,
+                    interfaceAddresses: settings.interfaceAddresses
+                )
+                let tunnelAdapterConfiguration = try postQuantumConfiguration.makeConfiguration()
+
+                // Start the adapter with the configuration
+                try await tunnelAdapter.startPostQuantumKeyExchange(configuration: tunnelAdapterConfiguration)
+
+                // Do the GRPC call from `talpid-tunnel-config-client`
+                if await negotiatePostQuantumKey() {
+                    commandChannel.send(.start(options))
+                } else {
+                    // TODO: Insert some kind of delay before retrying probably, or let the natural delay from the GRPC failure dictate how long to wait
+                    // TODO: Change the selected relay here, reuse the same logic as a normal connection
+                    await negotiatePostQuantumKeyExchange(options, nextRelay: .random)
+                }
+            }
+        } catch {
+            // TODO: probably enter error state here
+            // TODO: OR just bounce between relays until we manage to connect to a relay ?
+        }
+    }
+
+    func negotiatePostQuantumKey() async -> Bool {
+        // Do the GRPC call from `talpid-tunnel-config-client`
+        true
+    }
+
     /// Stop the tunnel.
     private func stop() async {
         switch state {
diff --git a/ios/PacketTunnelCore/Actor/Protocols/SettingsReaderProtocol.swift b/ios/PacketTunnelCore/Actor/Protocols/SettingsReaderProtocol.swift
@@ -40,18 +40,22 @@ public struct Settings {
     /// Obfuscation settings
     public var obfuscation: WireGuardObfuscationSettings
 
+    public var tunnelQuantumResistance: TunnelQuantumResistance
+
     public init(
         privateKey: PrivateKey,
         interfaceAddresses: [IPAddressRange],
         relayConstraints: RelayConstraints,
         dnsServers: SelectedDNSServers,
-        obfuscation: WireGuardObfuscationSettings
+        obfuscation: WireGuardObfuscationSettings,
+        tunnelQuantumResistance: TunnelQuantumResistance
     ) {
         self.privateKey = privateKey
         self.interfaceAddresses = interfaceAddresses
         self.relayConstraints = relayConstraints
         self.dnsServers = dnsServers
         self.obfuscation = obfuscation
+        self.tunnelQuantumResistance = tunnelQuantumResistance
     }
 }
 
diff --git a/ios/PacketTunnelCore/Actor/Protocols/TunnelAdapterProtocol.swift b/ios/PacketTunnelCore/Actor/Protocols/TunnelAdapterProtocol.swift
@@ -16,6 +16,7 @@ import WireGuardKitTypes
 public protocol TunnelAdapterProtocol {
     /// Start tunnel adapter or update active configuration.
     func start(configuration: TunnelAdapterConfiguration) async throws
+    func startPostQuantumKeyExchange(configuration: TunnelAdapterConfiguration) async throws
 
     /// Stop tunnel adapter with the given configuration.
     func stop() async throws
diff --git a/ios/PacketTunnelCoreTests/Mocks/SettingsReaderStub.swift b/ios/PacketTunnelCoreTests/Mocks/SettingsReaderStub.swift
@@ -29,7 +29,8 @@ extension SettingsReaderStub {
             interfaceAddresses: [IPAddressRange(from: "127.0.0.1/32")!],
             relayConstraints: RelayConstraints(),
             dnsServers: .gateway,
-            obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic)
+            obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic),
+            tunnelQuantumResistance: .automatic
         )
 
         return SettingsReaderStub {
diff --git a/ios/PacketTunnelCoreTests/Mocks/TunnelAdapterDummy.swift b/ios/PacketTunnelCoreTests/Mocks/TunnelAdapterDummy.swift
@@ -11,6 +11,8 @@ import PacketTunnelCore
 
 /// Dummy tunnel adapter that does nothing and reports no errors.
 class TunnelAdapterDummy: TunnelAdapterProtocol {
+    func startPostQuantumKeyExchange(configuration: PacketTunnelCore.TunnelAdapterConfiguration) async throws {}
+
     func start(configuration: TunnelAdapterConfiguration) async throws {}
 
     func stop() async throws {}
diff --git a/ios/PacketTunnelCoreTests/PacketTunnelActorTests.swift b/ios/PacketTunnelCoreTests/PacketTunnelActorTests.swift
@@ -207,7 +207,8 @@ final class PacketTunnelActorTests: XCTestCase {
                     interfaceAddresses: [IPAddressRange(from: "127.0.0.1/32")!],
                     relayConstraints: RelayConstraints(),
                     dnsServers: .gateway,
-                    obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic)
+                    obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic),
+                    tunnelQuantumResistance: .automatic
                 )
             }
         }
diff --git a/ios/PacketTunnelCoreTests/ProtocolObfuscatorTests.swift b/ios/PacketTunnelCoreTests/ProtocolObfuscatorTests.swift
@@ -110,7 +110,7 @@ final class ProtocolObfuscatorTests: XCTestCase {
             obfuscation: WireGuardObfuscationSettings(
                 state: obfuscationState,
                 port: obfuscationPort
-            )
+            ), tunnelQuantumResistance: .automatic
         )
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,11 @@ public struct TunnelSettingsV3: Codable, Equatable, TunnelSettings {`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`public func upgradeToNextVersion() -> any TunnelSettings {`
`33`		`- self`
	`33`	`+ TunnelSettingsV4(`
	`34`	`+ relayConstraints: relayConstraints,`
	`35`	`+ dnsSettings: dnsSettings,`
	`36`	`+ wireGuardObfuscation: wireGuardObfuscation,`
	`37`	`+ tunnelQuantumResistance: .automatic`
	`38`	`+ )`
`34`	`39`	`}`
`35`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@ struct SettingsReader: SettingsReaderProtocol {`
`21`	`21`	`interfaceAddresses: [deviceData.ipv4Address, deviceData.ipv6Address],`
`22`	`22`	`relayConstraints: settings.relayConstraints,`
`23`	`23`	`dnsServers: settings.dnsSettings.selectedDNSServers,`
`24`		`- obfuscation: settings.wireGuardObfuscation`
	`24`	`+ obfuscation: settings.wireGuardObfuscation,`
	`25`	`+ tunnelQuantumResistance: settings.tunnelQuantumResistance`
`25`	`26`	`)`
`26`	`27`	`}`
`27`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,8 @@ extension SettingsReaderStub {`
`29`	`29`	`interfaceAddresses: [IPAddressRange(from: "127.0.0.1/32")!],`
`30`	`30`	`relayConstraints: RelayConstraints(),`
`31`	`31`	`dnsServers: .gateway,`
`32`		`- obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic)`
	`32`	`+ obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic),`
	`33`	`+ tunnelQuantumResistance: .automatic`
`33`	`34`	`)`
`34`	`35`
`35`	`36`	`return SettingsReaderStub {`
Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,8 @@ final class PacketTunnelActorTests: XCTestCase {`
`207`	`207`	`interfaceAddresses: [IPAddressRange(from: "127.0.0.1/32")!],`
`208`	`208`	`relayConstraints: RelayConstraints(),`
`209`	`209`	`dnsServers: .gateway,`
`210`		`- obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic)`
	`210`	`+ obfuscation: WireGuardObfuscationSettings(state: .off, port: .automatic),`
	`211`	`+ tunnelQuantumResistance: .automatic`
`211`	`212`	`)`
`212`	`213`	`}`
`213`	`214`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ final class ProtocolObfuscatorTests: XCTestCase {`
`110`	`110`	`obfuscation: WireGuardObfuscationSettings(`
`111`	`111`	`state: obfuscationState,`
`112`	`112`	`port: obfuscationPort`
`113`		`- )`
	`113`	`+ ), tunnelQuantumResistance: .automatic`
`114`	`114`	`)`
`115`	`115`	`}`
`116`	`116`	`}`