}
class TunnelsManager {
- fileprivate var tunnels: [TunnelContainer]
+ private var tunnels: [TunnelContainer]
weak var tunnelsListDelegate: TunnelsManagerListDelegate?
weak var activationDelegate: TunnelsManagerActivationDelegate?
private var statusObservationToken: AnyObject?
private var waiteeObservationToken: AnyObject?
private var configurationsObservationToken: AnyObject?
- private var catalinaWorkaround: Any?
init(tunnelProviders: [NETunnelProviderManager]) {
tunnels = tunnelProviders.map { TunnelContainer(tunnel: $0) }.sorted { TunnelsManager.tunnelNameIsLessThan($0.name, $1.name) }
startObservingTunnelStatuses()
startObservingTunnelConfigurations()
- #if os(macOS)
- if #available(macOS 10.15, *) {
- self.catalinaWorkaround = CatalinaWorkaround(tunnelsManager: self)
- }
- #endif
}
static func create(completionHandler: @escaping (Result<TunnelsManager, TunnelsManagerError>) -> Void) {
tunnelManagers.remove(at: index)
}
}
- #if os(macOS)
- if #available(macOS 10.15, *) {
- // Don't delete orphaned keychain refs. We need them to restore tunnels as a workaround.
- } else {
- Keychain.deleteReferences(except: refs)
- }
- #else
Keychain.deleteReferences(except: refs)
- #endif
#if os(iOS)
RecentTunnelsTracker.cleanupTunnels(except: tunnelNames)
#endif
}
extension NETunnelProviderManager {
- fileprivate static var cachedConfigKey: UInt8 = 0
+ private static var cachedConfigKey: UInt8 = 0
var tunnelConfiguration: TunnelConfiguration? {
if let cached = objc_getAssociatedObject(self, &NETunnelProviderManager.cachedConfigKey) as? TunnelConfiguration {
return localizedDescription == tunnel.name && tunnelConfiguration == tunnel.tunnelConfiguration
}
}
-
-#if os(macOS)
-@available(macOS 10.15, *)
-class CatalinaWorkaround {
-
- // In macOS Catalina, for some users, the tunnels get deleted arbitrarily
- // by the OS. It's not clear what triggers that.
-
- // As a workaround, in macOS Catalina, when we realize that tunnels have been
- // deleted outside the app, we reinstate those tunnels using the information
- // in the keychain.
-
- unowned let tunnelsManager: TunnelsManager
- private var configChangeSubscriber: Any?
-
- struct ReinstationData {
- let tunnelConfiguration: TunnelConfiguration
- let keychainPasswordRef: Data
- }
-
- init(tunnelsManager: TunnelsManager) {
- self.tunnelsManager = tunnelsManager
-
- // Attempt reinstation when there's a change in tunnel configurations,
- // which indicates that tunnels may have been deleted outside the app.
- // We use debounce to wait for all change notifications to arrive
- // before attempting to reinstate, so that we don't have saveToPreferences
- // being called while another saveToPreferences is in progress.
- self.configChangeSubscriber = NotificationCenter.default
- .publisher(for: .NEVPNConfigurationChange, object: nil)
- .debounce(for: .seconds(1), scheduler: RunLoop.main)
- .subscribe(on: RunLoop.main)
- .sink { [weak self] _ in
- self?.reinstateTunnelsDeletedOutsideApp()
- }
-
- // Attempt reinstation on app launch
- reinstateTunnelsDeletedOutsideApp()
- }
-
- func reinstateTunnelsDeletedOutsideApp() {
- let data = reinstationDataForTunnelsDeletedOutsideApp()
- reinstateTunnels(ArraySlice(data), completionHandler: nil)
- }
-
- private func reinstateTunnels(_ rdArray: ArraySlice<ReinstationData>, completionHandler: (() -> Void)?) {
- guard let head = rdArray.first else {
- completionHandler?()
- return
- }
- let tail = rdArray.dropFirst()
- self.tunnelsManager.reinstateTunnel(reinstationData: head) { _ in
- DispatchQueue.main.async {
- self.reinstateTunnels(tail, completionHandler: completionHandler)
- }
- }
- }
-
- private func reinstationDataForTunnelsDeletedOutsideApp() -> [ReinstationData] {
- let knownRefs: [Data] = self.tunnelsManager.tunnels
- .compactMap { $0.tunnelProvider.protocolConfiguration as? NETunnelProviderProtocol }
- .compactMap { $0.passwordReference }
- let knownRefsSet: Set<Data> = Set(knownRefs)
- var result: CFTypeRef?
- let ret = SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
- kSecAttrService as String: Bundle.main.bundleIdentifier as Any,
- kSecMatchLimit as String: kSecMatchLimitAll,
- kSecReturnAttributes as String: true,
- kSecReturnPersistentRef as String: true] as CFDictionary,
- &result)
- guard ret == errSecSuccess, let resultDicts = result as? [[String: Any]] else { return [] }
- let labelPrefix = "WireGuard Tunnel: "
- var reinstationData: [ReinstationData] = []
- for resultDict in resultDicts {
- guard let ref = resultDict[kSecValuePersistentRef as String] as? Data else { continue }
- guard let label = resultDict[kSecAttrLabel as String] as? String else { continue }
- guard label.hasPrefix(labelPrefix) else { continue }
- if !knownRefsSet.contains(ref) {
- let tunnelName = String(label.dropFirst(labelPrefix.count))
- if let configStr = Keychain.openReference(called: ref),
- let config = try? TunnelConfiguration(fromWgQuickConfig: configStr, called: tunnelName) {
- reinstationData.append(ReinstationData(tunnelConfiguration: config, keychainPasswordRef: ref))
- }
- }
- }
- return reinstationData
- }
-}
-#endif
-
-#if os(macOS)
-@available(macOS 10.15, *)
-extension TunnelsManager {
- fileprivate func reinstateTunnel(reinstationData: CatalinaWorkaround.ReinstationData, completionHandler: @escaping (Bool) -> Void) {
- let tunnelName = reinstationData.tunnelConfiguration.name ?? ""
- if tunnelName.isEmpty {
- completionHandler(false)
- return
- }
-
- if tunnels.contains(where: { $0.name == tunnelName }) {
- completionHandler(false)
- return
- }
-
- let tunnelProviderProtocol = NETunnelProviderProtocol()
- guard let appId = Bundle.main.bundleIdentifier else { fatalError() }
- tunnelProviderProtocol.providerBundleIdentifier = "\(appId).network-extension"
- tunnelProviderProtocol.passwordReference = reinstationData.keychainPasswordRef
- tunnelProviderProtocol.providerConfiguration = ["UID": getuid()]
- tunnelProviderProtocol.serverAddress = {
- let endpoints = reinstationData.tunnelConfiguration.peers.compactMap { $0.endpoint }
- if endpoints.count == 1 {
- return endpoints[0].stringRepresentation
- } else if endpoints.isEmpty {
- return "Unspecified"
- } else {
- return "Multiple endpoints"
- }
- }()
-
- let tunnelProvider = NETunnelProviderManager()
- tunnelProvider.localizedDescription = tunnelName
- tunnelProvider.protocolConfiguration = tunnelProviderProtocol
- objc_setAssociatedObject(tunnelProvider, &NETunnelProviderManager.cachedConfigKey, reinstationData.tunnelConfiguration, objc_AssociationPolicy.OBJC_ASSOCIATION_RETAIN_NONATOMIC)
- tunnelProvider.isEnabled = true
-
- tunnelProvider.saveToPreferences { [weak self] error in
- guard error == nil else {
- wg_log(.error, message: "Reinstate: Saving configuration failed: \(error!)")
- completionHandler(false)
- return
- }
-
- guard let self = self else { return }
-
- let tunnel = TunnelContainer(tunnel: tunnelProvider)
- self.tunnels.append(tunnel)
- self.tunnels.sort { TunnelsManager.tunnelNameIsLessThan($0.name, $1.name) }
- self.tunnelsListDelegate?.tunnelAdded(at: self.tunnels.firstIndex(of: tunnel)!)
- completionHandler(true)
- }
- }
-}
-#endif
projects / thirdparty / wireguard-apple.git / commitdiff
