Post-Quantum Resistant WireGuard

.github/workflows/ci.yml

@@ -1,24 +1,26 @@
 name: CI
 
-on:
-  push:
-    branches: [ "main", "develop" ]
-  pull_request:
+# This action is disabled until we can run it on Apple Silicon powered macOS runners - https://github.com/github/roadmap/issues/528
 
-jobs:
-  test:
-    name: Unit and UI Tests
-    runs-on: macOS-latest
-    steps:
-    - uses: actions/setup-go@v2
-      with:
-        go-version: 1.18
-    - uses: actions/checkout@v2
-    - name: Set up config files
-      run: |
-        cp IVPNClient/Config/staging.template.xcconfig IVPNClient/Config/staging.xcconfig
-        cp IVPNClient/Config/release.template.xcconfig IVPNClient/Config/release.xcconfig
-        cp IVPNClient/Config/OpenVPNConf.template.swift IVPNClient/Config/OpenVPNConf.swift
-        cp fastlane/Appfile.template fastlane/Appfile
-    - name: Build and test
-      run: xcodebuild test -scheme IVPNClient -destination 'platform=iOS Simulator,name=iPhone 14'
+# on:
+#   push:
+#     branches: [ "main", "develop" ]
+#   pull_request:
+
+# jobs:
+#   test:
+#     name: Unit and UI Tests
+#     runs-on: macOS-latest
+#     steps:
+#     - uses: actions/setup-go@v2
+#       with:
+#         go-version: 1.18
+#     - uses: actions/checkout@v2
+#     - name: Set up config files
+#       run: |
+#         cp IVPNClient/Config/staging.template.xcconfig IVPNClient/Config/staging.xcconfig
+#         cp IVPNClient/Config/release.template.xcconfig IVPNClient/Config/release.xcconfig
+#         cp IVPNClient/Config/OpenVPNConf.template.swift IVPNClient/Config/OpenVPNConf.swift
+#         cp fastlane/Appfile.template fastlane/Appfile
+#     - name: Build and test
+#       run: xcodebuild test -scheme IVPNClient -destination 'platform=iOS Simulator,name=iPhone 14'

.gitignore

@@ -2,6 +2,10 @@
 build/
 DerivedData/
 
+## Static libraries
+IVPNClient/liboqs/liboqs-iphoneos.a
+IVPNClient/liboqs/liboqs-iphonesimulator.a
+
 ## Various settings
 *.pbxuser
 !default.pbxuser

IVPNClient.xcodeproj/xcshareddata/xcschemes/IVPNClient.xcscheme

@@ -1,10 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
    LastUpgradeVersion = "1430"
-   version = "1.3">
+   version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
       buildImplicitDependencies = "YES">
+      <PreActions>
+         <ExecutionAction
+            ActionType = "Xcode.IDEStandardExecutionActionsCore.ExecutionActionType.ShellScriptAction">
+            <ActionContent
+               title = "Link liboqs"
+               scriptText = "if [ &quot;${PLATFORM_NAME}&quot; == &quot;iphoneos&quot; ]; then&#10;  LIBOQS_LIB=&quot;liboqs-iphoneos.a&quot;&#10;else&#10;  LIBOQS_LIB=&quot;liboqs-iphonesimulator.a&quot;&#10;fi&#10;&#10;if test -f &quot;${SRCROOT}/IVPNClient/liboqs/${LIBOQS_LIB}&quot;; then&#10;    cp &quot;${SRCROOT}/IVPNClient/liboqs/${LIBOQS_LIB}&quot; &quot;${SRCROOT}/IVPNClient/liboqs/liboqs.a&quot;&#10;fi&#10;">
+               <EnvironmentBuildable>
+                  <BuildableReference
+                     BuildableIdentifier = "primary"
+                     BlueprintIdentifier = "9CDDD5AA1D9D2F9E00D39924"
+                     BuildableName = "IVPNClient.app"
+                     BlueprintName = "IVPNClient"
+                     ReferencedContainer = "container:IVPNClient.xcodeproj">
+                  </BuildableReference>
+               </EnvironmentBuildable>
+            </ActionContent>
+         </ExecutionAction>
+      </PreActions>
       <BuildActionEntries>
          <BuildActionEntry
             buildForTesting = "YES"

IVPNClient/Enums/ApiResults/InterfaceResult.swift

@@ -25,4 +25,5 @@ import Foundation
 
 struct InterfaceResult: Decodable {
     var ipAddress: String
+    let kemCipher1: String?
 }

IVPNClient/Enums/ApiResults/Session.swift

@@ -27,6 +27,7 @@ struct WireGuardResult: Codable {
     let status: Int?
     let message: String?
     let ipAddress: String?
+    let kemCipher1: String?
 }
 
 struct Session: Decodable {

IVPNClient/IVPNClient-Bridging-Header.h

@@ -1,2 +1,3 @@
 #include "../WireGuardKitC/WireGuardKitC.h"
 #include "Utilities/Logging/ringlogger.h"
+#include "liboqs/include/oqs/oqs.h"

IVPNClient/Managers/AppKeyManager.swift

@@ -34,6 +34,7 @@ class AppKeyManager {
     // MARK: - Properties -
 
     weak var delegate: AppKeyManagerDelegate?
+    static let shared = AppKeyManager()
 
     static var keyTimestamp: Date {
         return UserDefaults.shared.wgKeyTimestamp
@@ -70,8 +71,26 @@ class AppKeyManager {
         return true
     }
 
-    static var isKeyPairRequired: Bool {
-        return Application.shared.settings.connectionProtocol.tunnelType() == .wireguard
+    static var regenerationCheckInterval: TimeInterval {
+        if Config.useDebugWireGuardKeyUpgrade {
+            return TimeInterval(10)
+        }
+
+        return TimeInterval(60 * 60)
+    }
+
+    static var regenerationInterval: TimeInterval {
+        var regenerationRate = UserDefaults.shared.wgRegenerationRate
+
+        if regenerationRate <= 0 {
+            regenerationRate = 1
+        }
+
+        if Config.useDebugWireGuardKeyUpgrade {
+            return TimeInterval(regenerationRate * 60)
+        }
+
+        return TimeInterval(regenerationRate * 60 * 60 * 24)
     }
 
     // MARK: - Methods -
@@ -84,14 +103,15 @@ class AppKeyManager {
         KeyChain.wgPublicKey = interface.publicKey
     }
 
-    func setNewKey() {
+    func setNewKey(completion: @escaping (String?, String?, String?) -> Void) {
         var interface = Interface()
         interface.privateKey = Interface.generatePrivateKey()
-
-        let params = ApiService.authParams + [
+        var params = ApiService.authParams + [
             URLQueryItem(name: "public_key", value: interface.publicKey ?? "")
         ]
 
+        var kem = KEM()
+        params += [URLQueryItem(name: "kem_public_key1", value: kem.getPublicKey(algorithm: .Kyber1024))]
         let request = ApiRequestDI(method: .post, endpoint: Config.apiSessionWGKeySet, params: params)
 
         delegate?.setKeyStart()
@@ -103,11 +123,28 @@ class AppKeyManager {
                 KeyChain.wgPrivateKey = interface.privateKey
                 KeyChain.wgPublicKey = interface.publicKey
                 KeyChain.wgIpAddress = model.ipAddress
+                if let kemCipher1 = model.kemCipher1 {
+                    kem.setCipher(algorithm: .Kyber1024, cipher: kemCipher1)
+                    KeyChain.wgPresharedKey = kem.calculatePresharedKey()
+                    completion(interface.privateKey, model.ipAddress, KeyChain.wgPresharedKey)
+                } else {
+                    KeyChain.wgPresharedKey = nil
+                    completion(interface.privateKey, model.ipAddress, nil)
+                }
                 self.delegate?.setKeySuccess()
             case .failure:
                 self.delegate?.setKeyFail()
+                completion(nil, nil, nil)
             }
         }
     }
 
+    static func needToRegenerate() -> Bool {
+        guard Date() > UserDefaults.shared.wgKeyTimestamp.addingTimeInterval(regenerationInterval) else {
+            return false
+        }
+
+        return true
+    }
+
 }

IVPNClient/Managers/KeyChain.swift

@@ -33,6 +33,7 @@ class KeyChain {
     private static let wgIpAddressKey = "WGIpAddressKey"
     private static let wgIpv6HostKey = "WGIPv6HostKey"
     private static let wgIpAddressesKey = "WGIpAddressesKey"
+    private static let wgPresharedKeyKey = "WGPresharedKey"
     private static let sessionTokenKey = "session_token"
     private static let vpnUsernameKey = "vpn_username"
     private static let vpnPasswordKey = "vpn_password"
@@ -95,6 +96,15 @@ class KeyChain {
         }
     }
 
+    class var wgPresharedKey: String? {
+        get {
+            return KeyChain.bundle[wgPresharedKeyKey]
+        }
+        set {
+            KeyChain.bundle[wgPresharedKeyKey] = newValue
+        }
+    }
+
     class var wgIpv6Host: String? {
         get {
             return KeyChain.bundle[wgIpv6HostKey]
@@ -152,6 +162,7 @@ class KeyChain {
         wgPublicKey = nil
         wgIpAddress = nil
         wgIpAddresses = nil
+        wgPresharedKey = nil
         sessionToken = nil
         vpnUsername = nil
         vpnPassword = nil

IVPNClient/Managers/SessionManager.swift

@@ -60,12 +60,13 @@ class SessionManager {
     func createSession(force: Bool = false, connecting: Bool = false, username: String? = nil, confirmation: String? = nil, captcha: String? = nil, captchaId: String? = nil) {
         delegate?.createSessionStart()
 
-        if AppKeyManager.isKeyPairRequired || connecting {
+        if Application.isKeyPairRequired || connecting {
             AppKeyManager.generateKeyPair()
             UserDefaults.shared.set(Date(), forKey: UserDefaults.Key.wgKeyTimestamp)
         }
 
-        let params = sessionNewParams(force: force, username: username, confirmation: confirmation, captcha: captcha, captchaId: captchaId)
+        var kem = KEM()
+        let params = sessionNewParams(force: force, username: username, confirmation: confirmation, captcha: captcha, captchaId: captchaId, kem: kem)
         let request = ApiRequestDI(method: .post, endpoint: Config.apiSessionNew, params: params)
 
         ApiService.shared.requestCustomError(request) { (result: ResultCustomError<Session, ErrorResultSessionNew>) in
@@ -74,6 +75,13 @@ class SessionManager {
                 Application.shared.serviceStatus = model.serviceStatus
                 Application.shared.authentication.logIn(session: model)
 
+                if let kemCipher1 = model.wireguard?.kemCipher1 {
+                    kem.setCipher(algorithm: .Kyber1024, cipher: kemCipher1)
+                    KeyChain.wgPresharedKey = kem.calculatePresharedKey()
+                } else {
+                    KeyChain.wgPresharedKey = nil
+                }
+
                 if !model.serviceStatus.isActive {
                     log(.info, message: "Create session error: createSessionServiceNotActive")
                     self.delegate?.createSessionServiceNotActive()
@@ -196,12 +204,13 @@ class SessionManager {
 
     // MARK: - Helper methods -
 
-    private func sessionNewParams(force: Bool = false, username: String? = nil, confirmation: String? = nil, captcha: String? = nil, captchaId: String? = nil) -> [URLQueryItem] {
+    private func sessionNewParams(force: Bool = false, username: String? = nil, confirmation: String? = nil, captcha: String? = nil, captchaId: String? = nil, kem: KEM) -> [URLQueryItem] {
         let username = username ?? Application.shared.authentication.getStoredUsername()
         var params = [URLQueryItem(name: "username", value: username)]
 
         if let wgPublicKey = KeyChain.wgPublicKey {
             params.append(URLQueryItem(name: "wg_public_key", value: wgPublicKey))
+            params.append(URLQueryItem(name: "kem_public_key1", value: kem.getPublicKey(algorithm: .Kyber1024)))
         }
 
         if let confirmation = confirmation {

IVPNClient/Models/Application.swift

@@ -66,6 +66,10 @@ class Application {
 
     var geoLookup = GeoLookup(ipAddress: "", countryCode: "", country: "", city: "", isIvpnServer: false, isp: "", latitude: 0, longitude: 0)
 
+    static var isKeyPairRequired: Bool {
+        return shared.settings.connectionProtocol.tunnelType() == .wireguard
+    }
+
     // MARK: - Initialize -
 
     private init() {

IVPNClient/Models/WireGuard/Tunnel.swift

@@ -91,8 +91,8 @@ struct Tunnel {
             settingsString += "public_key=\(hexPublicKey)\n"
         }
 
-        if let presharedKey = peer.presharedKey {
-            settingsString += "preshared_key=\(presharedKey)\n"
+        if let hexPresharedKey = peer.presharedKey?.base64KeyToHex() {
+            settingsString += "preshared_key=\(hexPresharedKey)\n"
         }
 
         if let endpoint = peer.endpoint {