From 05547861b65100279027a64f58793caea1143a30 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 8 Feb 2019 00:44:14 +0100
Subject: Key: Constant time encoding
Signed-off-by: Jason A. Donenfeld
---
 .../Tunnel/TunnelConfiguration+UapiConfig.swift | 27 +++-------------------
 WireGuard/WireGuard/UI/TunnelViewModel.swift | 26 +++++++++++---------
 .../TunnelEditTableViewController.swift | 2 +-
 .../ViewController/TunnelEditViewController.swift | 12 +++++-----
 4 files changed, 24 insertions(+), 43 deletions(-)
(limited to 'WireGuard/WireGuard')
diff --git a/WireGuard/WireGuard/Tunnel/TunnelConfiguration+UapiConfig.swift b/WireGuard/WireGuard/Tunnel/TunnelConfiguration+UapiConfig.swift
index 63a8570..b72223d 100644
--- a/WireGuard/WireGuard/Tunnel/TunnelConfiguration+UapiConfig.swift
+++ b/WireGuard/WireGuard/Tunnel/TunnelConfiguration+UapiConfig.swift
@@ -88,7 +88,7 @@ extension TunnelConfiguration {
 guard let privateKeyString = attributes["private_key"] else {
 throw ParseError.interfaceHasNoPrivateKey
 }
- guard let privateKey = Data(hexEncoded: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+ guard let privateKey = Data(hexKey: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
 throw ParseError.interfaceHasInvalidPrivateKey(privateKeyString)
 }
 var interface = InterfaceConfiguration(privateKey: privateKey)
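Review bot: The failure branch of the private-key guard still throws `ParseError.interfaceHasInvalidPrivateKey(privateKeyString)`, so the raw private-key text travels inside the error value even though this commit takes care to decode it in constant time. The same applies to `ParseError.peerHasInvalidPreSharedKey(preSharedKeyString)` in the @@ -108,12 hunk. How ParseError is logged or displayed is not visible here, so this may be harmless, but I would either drop the payload from those two cases or add a comment above each throw such as `// payload is secret key material: never log or display it`. The enclosing function starts and ends outside the hunk.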
@@ -108,12 +108,12 @@ extension TunnelConfiguration { guard let publicKeyString = attributes["public_key"] else { throw ParseError.peerHasNoPublicKey } - guard let publicKey = Data(hexEncoded: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else { + guard let publicKey = Data(hexKey: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else { throw ParseError.peerHasInvalidPublicKey(publicKeyString) } var peer = PeerConfiguration(publicKey: publicKey) if let preSharedKeyString = attributes["preshared_key"] { - guard let preSharedKey = Data(hexEncoded: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength else { + guard let preSharedKey = Data(hexKey: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength else { throw ParseError.peerHasInvalidPreSharedKey(preSharedKeyString) } // TODO(zx2c4): does the compiler optimize this away? @@ -184,24 +184,3 @@ extension TunnelConfiguration { return peer } } - -extension Data { - //swiftlint:disable identifier_name - init?(hexEncoded hexString: String) { - if hexString.count % 2 != 0 { - return nil - } - let len = hexString.count / 2 - self.init(capacity: len) - for i in 0.. [InterfaceField: String] { var scratchpad = [InterfaceField: String]() scratchpad[.name] = name - scratchpad[.privateKey] = config.privateKey.base64EncodedString() - scratchpad[.publicKey] = config.publicKey.base64EncodedString() + scratchpad[.privateKey] = config.privateKey.base64Key() ?? "" + scratchpad[.publicKey] = config.publicKey.base64Key() ?? "" if !config.addresses.isEmpty { scratchpad[.addresses] = config.addresses.map { $0.stringRepresentation }.joined(separator: ", ") } 
@@ -155,7 +155,7 @@ class TunnelViewModel {
 fieldsWithError.insert(.privateKey)
 return .error(tr("alertInvalidInterfaceMessagePrivateKeyRequired"))
 }
- guard let privateKey = Data(base64Encoded: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+ guard let privateKey = Data(base64Key: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
 fieldsWithError.insert(.privateKey)
 return .error(tr("alertInvalidInterfaceMessagePrivateKeyInvalid"))
 }
@@ -255,7 +255,7 @@ class TunnelViewModel {
 return validatedConfiguration.publicKey
 }
 if let scratchPadPublicKey = scratchpad[.publicKey] {
- return Data(base64Encoded: scratchPadPublicKey)
+ return Data(base64Key: scratchPadPublicKey)
 }
 return nil
 }
@@ -300,9 +300,11 @@ class TunnelViewModel {
 private static func createScratchPad(from config: PeerConfiguration) -> [PeerField: String] {
 var scratchpad = [PeerField: String]()
- scratchpad[.publicKey] = config.publicKey.base64EncodedString()
- if let preSharedKey = config.preSharedKey {
- scratchpad[.preSharedKey] = preSharedKey.base64EncodedString()
+ if let publicKey = config.publicKey.base64Key() {
+ scratchpad[.publicKey] = publicKey
+ }
+ if let preSharedKey = config.preSharedKey?.base64Key() {
+ scratchpad[.preSharedKey] = preSharedKey
 }
 if !config.allowedIPs.isEmpty {
 scratchpad[.allowedIPs] = config.allowedIPs.map { $0.stringRepresentation }.joined(separator: ", ")
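Review bot: In the @@ -255,7 hunk, `return Data(base64Key: scratchPadPublicKey)` is the only decode in this commit that is not paired with `count == TunnelConfiguration.keyLength`. If `Data(base64Key:)` does not enforce the key length itself (its definition is not part of this diff), the getter can hand back a public key of the wrong size. I would bring it in line with the other call sites, `if let text = scratchpad[.publicKey], let key = Data(base64Key: text), key.count == TunnelConfiguration.keyLength { return key }`, or, if the initializer already checks the length, say so in a comment on this line. The getter's body starts outside the hunk.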
@@ -335,14 +337,14 @@ class TunnelViewModel {
 fieldsWithError.insert(.publicKey)
 return .error(tr("alertInvalidPeerMessagePublicKeyRequired"))
 }
- guard let publicKey = Data(base64Encoded: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
+ guard let publicKey = Data(base64Key: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
 fieldsWithError.insert(.publicKey)
 return .error(tr("alertInvalidPeerMessagePublicKeyInvalid"))
 }
 var config = PeerConfiguration(publicKey: publicKey)
 var errorMessages = [String]()
 if let preSharedKeyString = scratchpad[.preSharedKey] {
- if let preSharedKey = Data(base64Encoded: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength {
+ if let preSharedKey = Data(base64Key: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength {
 config.preSharedKey = preSharedKey
 } else {
 fieldsWithError.insert(.preSharedKey)
diff --git a/WireGuard/WireGuard/UI/iOS/ViewController/TunnelEditTableViewController.swift b/WireGuard/WireGuard/UI/iOS/ViewController/TunnelEditTableViewController.swift
index f4bf157..01fed49 100644
--- a/WireGuard/WireGuard/UI/iOS/ViewController/TunnelEditTableViewController.swift
+++ b/WireGuard/WireGuard/UI/iOS/ViewController/TunnelEditTableViewController.swift
@@ -213,7 +213,7 @@ extension TunnelEditTableViewController {
 cell.onTapped = { [weak self] in
 guard let self = self else { return }
- self.tunnelViewModel.interfaceData[.privateKey] = Curve25519.generatePrivateKey().base64EncodedString()
+ self.tunnelViewModel.interfaceData[.privateKey] = Curve25519.generatePrivateKey().base64Key() ?? ""
 if let privateKeyRow = self.interfaceFieldsBySection[indexPath.section].firstIndex(of: .privateKey),
 let publicKeyRow = self.interfaceFieldsBySection[indexPath.section].firstIndex(of: .publicKey) {
 let privateKeyIndex = IndexPath(row: privateKeyRow, section: indexPath.section)
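Review bot: In the @@ -213,7 hunk, `Curve25519.generatePrivateKey().base64Key() ?? ""` turns a failed encoding of a freshly generated private key into an empty field, with nothing shown to the user or written to a log. The same `?? ""` fallback appears in both TunnelEditViewController.swift hunks (the bootstrapping text would then contain `PrivateKey = ` with nothing after it) and in the interface createScratchPad, while the peer createScratchPad in this same commit uses `if let` and leaves the field unset. When `base64Key()` returns nil is not visible in this diff; if it can only fail on wrong-length input, I would make the failure explicit here with `guard let encoded = Curve25519.generatePrivateKey().base64Key() else { return }` and assign `encoded`, and settle on one convention across the call sites. The closure body continues outside the hunk.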
diff --git a/WireGuard/WireGuard/UI/macOS/ViewController/TunnelEditViewController.swift b/WireGuard/WireGuard/UI/macOS/ViewController/TunnelEditViewController.swift
index 27d60c7..395eeb4 100644
--- a/WireGuard/WireGuard/UI/macOS/ViewController/TunnelEditViewController.swift
+++ b/WireGuard/WireGuard/UI/macOS/ViewController/TunnelEditViewController.swift
@@ -104,8 +104,8 @@ class TunnelEditViewController: NSViewController {
 let tunnelConfiguration = tunnel.tunnelConfiguration!
 nameRow.value = tunnel.name
 textView.string = tunnelConfiguration.asWgQuickConfig()
- publicKeyRow.value = tunnelConfiguration.interface.publicKey.base64EncodedString()
- textView.privateKeyString = tunnelConfiguration.interface.privateKey.base64EncodedString()
+ publicKeyRow.value = tunnelConfiguration.interface.publicKey.base64Key() ?? ""
+ textView.privateKeyString = tunnelConfiguration.interface.privateKey.base64Key() ?? ""
 if tunnel.activateOnDemandSetting.isActivateOnDemandEnabled {
 selectedActivateOnDemandOption = tunnel.activateOnDemandSetting.activateOnDemandOption
 } else {
@@ -115,17 +115,17 @@ class TunnelEditViewController: NSViewController {
 // Creating a new tunnel
 let privateKey = Curve25519.generatePrivateKey()
 let publicKey = Curve25519.generatePublicKey(fromPrivateKey: privateKey)
- let bootstrappingText = "[Interface]\nPrivateKey = \(privateKey.base64EncodedString())\n"
- publicKeyRow.value = publicKey.base64EncodedString()
+ let bootstrappingText = "[Interface]\nPrivateKey = \(privateKey.base64Key() ?? "")\n"
+ publicKeyRow.value = publicKey.base64Key() ?? ""
 textView.string = bootstrappingText
 selectedActivateOnDemandOption = .none
 }
 privateKeyObservationToken = textView.observe(\.privateKeyString) { [weak publicKeyRow] textView, _ in
 if let privateKeyString = textView.privateKeyString,
- let privateKey = Data(base64Encoded: privateKeyString),
+ let privateKey = Data(base64Key: privateKeyString),
 privateKey.count == TunnelConfiguration.keyLength {
 let publicKey = Curve25519.generatePublicKey(fromPrivateKey: privateKey)
- publicKeyRow?.value = publicKey.base64EncodedString()
+ publicKeyRow?.value = publicKey.base64Key() ?? ""
 } else {
 publicKeyRow?.value = ""
 }
-- cgit v1.2.3-59-g8ed1b