mullvad
diff --git a/‎ios/CHANGELOG.md
+5 b/‎ios/CHANGELOG.md
+5
diff --git a/‎ios/MullvadRustRuntime/EphemeralPeerReceiver.swift
+23-4 b/‎ios/MullvadRustRuntime/EphemeralPeerReceiver.swift
+23-4
diff --git a/‎ios/MullvadRustRuntime/include/mullvad_rust_runtime.h
+27-16 b/‎ios/MullvadRustRuntime/include/mullvad_rust_runtime.h
+27-16
diff --git a/‎ios/MullvadTypes/Protocols/DaitaV2Parameters.swift
+31 b/‎ios/MullvadTypes/Protocols/DaitaV2Parameters.swift
+31
diff --git a/‎ios/MullvadTypes/Protocols/EphemeralPeerReceiver.swift
+11-4 b/‎ios/MullvadTypes/Protocols/EphemeralPeerReceiver.swift
+11-4
diff --git a/‎ios/MullvadTypes/Protocols/EphemeralPeerReceiving.swift
+6-3 b/‎ios/MullvadTypes/Protocols/EphemeralPeerReceiving.swift
+6-3
diff --git a/‎ios/PacketTunnel/PacketTunnelProvider/PacketTunnelProvider.swift
+18-4 b/‎ios/PacketTunnel/PacketTunnelProvider/PacketTunnelProvider.swift
+18-4
diff --git a/‎ios/PacketTunnel/PostQuantum/EphemeralPeerExchangingPipeline.swift
+19-4 b/‎ios/PacketTunnel/PostQuantum/EphemeralPeerExchangingPipeline.swift
+19-4
diff --git a/‎ios/PacketTunnel/PostQuantum/MultiHopEphemeralPeerExchanger.swift
+19-7 b/‎ios/PacketTunnel/PostQuantum/MultiHopEphemeralPeerExchanger.swift
+19-7
@@ -21,6 +21,11 @@ Line wrap the file at 100 chars.                                              Th
 * **Fixed**: for any bug fixes.
 * **Security**: in case of vulnerabilities.
 
+## Unreleased
+### Added
+- Update to DAITA v2 - now machines are provided by relays dynamically instead
+  of using bundled ones.
+
 ## [2024.11 - 2024-12-12]
 ### Added
 - Add WireGuard over Shadowsocks obfuscation. It can be enabled in "VPN settings". This will
 
@@ -24,11 +24,13 @@ import WireGuardKitTypes
 ///   - rawEphemeralPeerReceiver: A raw pointer to the running instance of `NEPacketTunnelProvider`
 ///   - rawPresharedKey: A raw pointer to the quantum-secure pre shared key
 ///   - rawEphemeralKey: A raw pointer to the ephemeral private key of the device
-@_cdecl("swift_ephemeral_peer_ready")
+///   - rawDaitaParameters: A raw pointer to negotiated DAITA parameters
+@_silgen_name("swift_ephemeral_peer_ready")
 func receivePostQuantumKey(
     rawEphemeralPeerReceiver: UnsafeMutableRawPointer?,
     rawPresharedKey: UnsafeMutableRawPointer?,
-    rawEphemeralKey: UnsafeMutableRawPointer?
+    rawEphemeralKey: UnsafeMutableRawPointer?,
+    rawDaitaParameters: UnsafePointer<DaitaV2Parameters>?
 ) {
     guard let rawEphemeralPeerReceiver else { return }
     let ephemeralPeerReceiver = Unmanaged<EphemeralPeerReceiver>.fromOpaque(rawEphemeralPeerReceiver)
@@ -41,12 +43,29 @@ func receivePostQuantumKey(
         return
     }
 
+    let maybeNot = Maybenot()
+    let daitaParameters: DaitaV2Parameters? = rawDaitaParameters?.withMemoryRebound(
+        to: DaitaParameters.self,
+        capacity: 1
+    ) { body in
+        let params = body.pointee
+        guard params.machines != nil else { return nil }
+        let machines = String(cString: params.machines)
+        return DaitaV2Parameters(
+            machines: machines,
+            maximumEvents: maybeNot.maximumEvents,
+            maximumActions: maybeNot.maximumActions,
+            maximumPadding: params.max_padding_frac,
+            maximumBlocking: params.max_blocking_frac
+        )
+    }
+
     // If there is a pre-shared key, an ephemeral peer was negotiated with Post Quantum options
     // Otherwise, a Daita enabled ephemeral peer was requested
     if let rawPresharedKey, let key = PreSharedKey(rawValue: Data(bytes: rawPresharedKey, count: 32)) {
-        ephemeralPeerReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey)
+        ephemeralPeerReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey, daitaParameters: daitaParameters)
     } else {
-        ephemeralPeerReceiver.receiveEphemeralPeerPrivateKey(ephemeralKey)
+        ephemeralPeerReceiver.receiveEphemeralPeerPrivateKey(ephemeralKey, daitaParameters: daitaParameters)
     }
     return
 }
@@ -27,6 +27,12 @@ typedef struct ProxyHandle {
   uint16_t port;
 } ProxyHandle;
 
+typedef struct DaitaParameters {
+  uint8_t *machines;
+  double max_padding_frac;
+  double max_blocking_frac;
+} DaitaParameters;
+
 typedef struct WgTcpConnectionFunctions {
   int32_t (*open_fn)(int32_t tunnelHandle, const char *address, uint64_t timeout);
   int32_t (*close_fn)(int32_t tunnelHandle, int32_t socketHandle);
@@ -88,6 +94,22 @@ int32_t encrypted_dns_proxy_start(struct EncryptedDnsProxyState *encrypted_dns_p
  */
 int32_t encrypted_dns_proxy_stop(struct ProxyHandle *proxy_config);
 
+/**
+ * To be called when ephemeral peer exchange has finished. All parameters except
+ * `raw_packet_tunnel` are optional.
+ *
+ * # Safety:
+ * If the key exchange failed, all pointers except `raw_packet_tunnel` must be null. If the
+ * key exchange was successful, `raw_ephemeral_private_key` must be a valid pointer to 32
+ * bytes for the lifetime of this call. If PQ was enabled, `raw_preshared_key` must be a valid
+ * pointer to 32 bytes for the lifetime of this call. If DAITA was requested, the
+ * `daita_prameters` must point to a valid instance of `DaitaParameters`.
+ */
+extern void swift_ephemeral_peer_ready(const void *raw_packet_tunnel,
+                                       const uint8_t *raw_preshared_key,
+                                       const uint8_t *raw_ephemeral_private_key,
+                                       const struct DaitaParameters *daita_parameters);
+
 /**
  * Called by the Swift side to signal that the ephemeral peer exchange should be cancelled.
  * After this call, the cancel token is no longer valid.
@@ -112,29 +134,18 @@ void drop_ephemeral_peer_exchange_token(struct ExchangeCancelToken *sender);
  * Entry point for requesting ephemeral peers on iOS.
  * The TCP connection must be created to go through the tunnel.
  * # Safety
- * `public_key` and `ephemeral_key` must be valid respective `PublicKey` and `PrivateKey` types.
- * They will not be valid after this function is called, and thus must be copied here.
- * `packet_tunnel` must be valid pointers to a packet tunnel, the packet tunnel pointer must
- * outlive the ephemeral peer exchange. `cancel_token` should be owned by the caller of this
- * function.
+ * `public_key` and `ephemeral_key` must be valid respective `PublicKey` and `PrivateKey` types,
+ * specifically, they must be valid pointers to 32 bytes. They will not be valid after this
+ * function is called, and thus must be copied here. `packet_tunnel` must be valid pointers to a
+ * packet tunnel, the packet tunnel pointer must outlive the ephemeral peer exchange.
+ * `cancel_token` should be owned by the caller of this function.
  */
 struct ExchangeCancelToken *request_ephemeral_peer(const uint8_t *public_key,
                                                    const uint8_t *ephemeral_key,
                                                    const void *packet_tunnel,
                                                    int32_t tunnel_handle,
                                                    struct EphemeralPeerParameters peer_parameters);
 
-/**
- * Called when the preshared post quantum key is ready,
- * or when a Daita peer has been successfully requested.
- * `raw_preshared_key` will be NULL if:
- * - The post quantum key negotiation failed
- * - A Daita peer has been requested without enabling post quantum keys.
- */
-extern void swift_ephemeral_peer_ready(const void *raw_packet_tunnel,
-                                       const uint8_t *raw_preshared_key,
-                                       const uint8_t *raw_ephemeral_private_key);
-
 /**
  * # Safety
  * `addr`, `password`, `cipher` must be valid for the lifetime of this function call and they must
 
@@ -0,0 +1,31 @@
+//
+//  DaitaV2Parameters.swift
+//  MullvadTypes
+//
+//  Created by Marco Nikic on 2024-11-12.
+//  Copyright © 2024 Mullvad VPN AB. All rights reserved.
+//
+
+import Foundation
+
+public struct DaitaV2Parameters: Equatable {
+    public let machines: String
+    public let maximumEvents: UInt32
+    public let maximumActions: UInt32
+    public let maximumPadding: Double
+    public let maximumBlocking: Double
+
+    public init(
+        machines: String,
+        maximumEvents: UInt32,
+        maximumActions: UInt32,
+        maximumPadding: Double,
+        maximumBlocking: Double
+    ) {
+        self.machines = machines
+        self.maximumEvents = maximumEvents
+        self.maximumActions = maximumActions
+        self.maximumPadding = maximumPadding
+        self.maximumBlocking = maximumBlocking
+    }
+}
@@ -29,19 +29,26 @@ public class EphemeralPeerReceiver: EphemeralPeerReceiving, TunnelProvider {
 
     // MARK: - EphemeralPeerReceiving
 
-    public func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) {
+    public func receivePostQuantumKey(
+        _ key: PreSharedKey,
+        ephemeralKey: PrivateKey,
+        daitaParameters: DaitaV2Parameters?
+    ) {
         let semaphore = DispatchSemaphore(value: 0)
         Task {
-            await keyReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey)
+            await keyReceiver.receivePostQuantumKey(key, ephemeralKey: ephemeralKey, daitaParameters: daitaParameters)
             semaphore.signal()
         }
         semaphore.wait()
     }
 
-    public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) {
+    public func receiveEphemeralPeerPrivateKey(
+        _ ephemeralPeerPrivateKey: PrivateKey,
+        daitaParameters: DaitaV2Parameters?
+    ) {
         let semaphore = DispatchSemaphore(value: 0)
         Task {
-            await keyReceiver.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey)
+            await keyReceiver.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey, daitaParameters: daitaParameters)
             semaphore.signal()
         }
         semaphore.wait()
 
@@ -15,11 +15,14 @@ public protocol EphemeralPeerReceiving {
     /// - Parameters:
     ///   - key: The preshared key used by the Ephemeral Peer
     ///   - ephemeralKey: The private key used by the Ephemeral Peer
-    func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) async
+    ///   - daitaParameters: DAITA parameters
+    func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey, daitaParameters: DaitaV2Parameters?) async
 
     /// Called when successfully requesting an ephemeral peer with Daita enabled, and Post Quantum PSK disabled
-    /// - Parameter _:_ The private key used by the Ephemeral Peer
-    func receiveEphemeralPeerPrivateKey(_: PrivateKey) async
+    /// - Parameters:
+    ///     - _: The private key used by the Ephemeral Peer
+    ///     - daitaParameters: DAITA parameters
+    func receiveEphemeralPeerPrivateKey(_: PrivateKey, daitaParameters: DaitaV2Parameters?) async
 
     /// Called when an ephemeral peer could not be successfully negotiated
     func ephemeralPeerExchangeFailed()
 
@@ -376,12 +376,26 @@ extension PacketTunnelProvider {
 }
 
 extension PacketTunnelProvider: EphemeralPeerReceiving {
-    func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) async {
-        await ephemeralPeerExchangingPipeline.receivePostQuantumKey(key, ephemeralKey: ephemeralKey)
+    func receivePostQuantumKey(
+        _ key: PreSharedKey,
+        ephemeralKey: PrivateKey,
+        daitaParameters: MullvadTypes.DaitaV2Parameters?
+    ) async {
+        await ephemeralPeerExchangingPipeline.receivePostQuantumKey(
+            key,
+            ephemeralKey: ephemeralKey,
+            daitaParameters: daitaParameters
+        )
     }
 
-    public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) async {
-        await ephemeralPeerExchangingPipeline.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey)
+    public func receiveEphemeralPeerPrivateKey(
+        _ ephemeralPeerPrivateKey: PrivateKey,
+        daitaParameters: MullvadTypes.DaitaV2Parameters?
+    ) async {
+        await ephemeralPeerExchangingPipeline.receiveEphemeralPeerPrivateKey(
+            ephemeralPeerPrivateKey,
+            daitaParameters: daitaParameters
+        )
     }
 
     func ephemeralPeerExchangeFailed() {
 
@@ -8,6 +8,7 @@
 
 import MullvadRustRuntime
 import MullvadSettings
+import MullvadTypes
 import PacketTunnelCore
 import WireGuardKitTypes
 
@@ -59,11 +60,25 @@ final public class EphemeralPeerExchangingPipeline {
         await ephemeralPeerExchanger.start()
     }
 
-    public func receivePostQuantumKey(_ key: PreSharedKey, ephemeralKey: PrivateKey) async {
-        await ephemeralPeerExchanger.receivePostQuantumKey(key, ephemeralKey: ephemeralKey)
+    public func receivePostQuantumKey(
+        _ key: PreSharedKey,
+        ephemeralKey: PrivateKey,
+        daitaParameters: DaitaV2Parameters?
+    ) async {
+        await ephemeralPeerExchanger.receivePostQuantumKey(
+            key,
+            ephemeralKey: ephemeralKey,
+            daitaParameters: daitaParameters
+        )
     }
 
-    public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) async {
-        await ephemeralPeerExchanger.receiveEphemeralPeerPrivateKey(ephemeralPeerPrivateKey)
+    public func receiveEphemeralPeerPrivateKey(
+        _ ephemeralPeerPrivateKey: PrivateKey,
+        daitaParameters: DaitaV2Parameters?
+    ) async {
+        await ephemeralPeerExchanger.receiveEphemeralPeerPrivateKey(
+            ephemeralPeerPrivateKey,
+            daitaParameters: daitaParameters
+        )
     }
 }
@@ -25,6 +25,7 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol {
 
     private var entryPeerKey: EphemeralPeerKey!
     private var exitPeerKey: EphemeralPeerKey!
+    private var daitaParameters: DaitaV2Parameters?
 
     private let defaultGatewayAddressRange = [IPAddressRange(from: "\(LocalNetworkIPs.gatewayAddress.rawValue)/32")!]
     private let allTrafficRange = [
@@ -66,7 +67,11 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol {
         await negotiateWithEntry()
     }
 
-    public func receiveEphemeralPeerPrivateKey(_ ephemeralPeerPrivateKey: PrivateKey) async {
+    public func receiveEphemeralPeerPrivateKey(
+        _ ephemeralPeerPrivateKey: PrivateKey,
+        daitaParameters: DaitaV2Parameters?
+    ) async {
+        self.daitaParameters = daitaParameters
         if state == .negotiatingWithEntry {
             entryPeerKey = EphemeralPeerKey(ephemeralKey: ephemeralPeerPrivateKey)
             await negotiateBetweenEntryAndExit()
@@ -78,8 +83,10 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol {
 
     func receivePostQuantumKey(
         _ preSharedKey: PreSharedKey,
-        ephemeralKey: PrivateKey
+        ephemeralKey: PrivateKey,
+        daitaParameters: DaitaV2Parameters?
     ) async {
+        self.daitaParameters = daitaParameters
         if state == .negotiatingWithEntry {
             entryPeerKey = EphemeralPeerKey(preSharedKey: preSharedKey, ephemeralKey: ephemeralKey)
             await negotiateBetweenEntryAndExit()
@@ -95,7 +102,8 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol {
             relay: entry,
             configuration: EphemeralPeerConfiguration(
                 privateKey: devicePrivateKey,
-                allowedIPs: defaultGatewayAddressRange
+                allowedIPs: defaultGatewayAddressRange,
+                daitaParameters: daitaParameters
             )
         )))
         keyExchanger.startNegotiation(
@@ -113,14 +121,16 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol {
                 configuration: EphemeralPeerConfiguration(
                     privateKey: entryPeerKey.ephemeralKey,
                     preSharedKey: entryPeerKey.preSharedKey,
-                    allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!]
+                    allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!],
+                    daitaParameters: self.daitaParameters
                 )
             ),
             exit: EphemeralPeerRelayConfiguration(
                 relay: exit,
                 configuration: EphemeralPeerConfiguration(
                     privateKey: devicePrivateKey,
-                    allowedIPs: defaultGatewayAddressRange
+                    allowedIPs: defaultGatewayAddressRange,
+                    daitaParameters: self.daitaParameters
                 )
             )
         ))
@@ -140,15 +150,17 @@ final class MultiHopEphemeralPeerExchanger: EphemeralPeerExchangingProtocol {
                 configuration: EphemeralPeerConfiguration(
                     privateKey: entryPeerKey.ephemeralKey,
                     preSharedKey: entryPeerKey.preSharedKey,
-                    allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!]
+                    allowedIPs: [IPAddressRange(from: "\(exit.endpoint.ipv4Relay.ip)/32")!],
+                    daitaParameters: self.daitaParameters
                 )
             ),
             exit: EphemeralPeerRelayConfiguration(
                 relay: exit,
                 configuration: EphemeralPeerConfiguration(
                     privateKey: exitPeerKey.ephemeralKey,
                     preSharedKey: exitPeerKey.preSharedKey,
-                    allowedIPs: allTrafficRange
+                    allowedIPs: allTrafficRange,
+                    daitaParameters: self.daitaParameters
                 )
             )
         ))