Retry auth once without local options

Hack around picky server implementations. Fixes #95
2019-05-01 10:37:39 +02:00 · 2019-05-01 10:37:39 +02:00 · 037f08ed62
parent 14b7f08fb5
commit 037f08ed62
3 changed files with 54 additions and 27 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## Unreleased
+
+### Fixed
+
+- Authentication failure due to local options. [#95](https://github.com/keeshux/tunnelkit/issues/95)
+
 ## 1.7.0 (2019-04-28)

 ### Changed
--- a/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
@ -66,6 +66,8 @@ extension SessionProxy {
        
        let password: ZeroingData?
        
+        var withLocalOptions: Bool
+        
        init(_ username: String?, _ password: String?) throws {
            preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
            random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
@ -80,6 +82,8 @@ extension SessionProxy {
                self.password = nil
            }
            
+            withLocalOptions = true
+            
            controlBuffer = Z()
        }
        
@ -95,11 +99,12 @@ extension SessionProxy {
            raw.append(random2)
            
            // options string
+            let optsString: String
+            if withLocalOptions {
                var opts = [
                    "V4",
                    "dev-type tun"
                ]
-            //////
                if let comp = options.compressionFraming {
                    switch comp {
                    case .compLZO:
@ -123,7 +128,10 @@ extension SessionProxy {
                }
                opts.append("key-method 2")
                opts.append("tls-client")
-            let optsString = opts.joined(separator: ",")
+                optsString = opts.joined(separator: ",")
+            } else {
+                optsString = "V0 UNDEF"
+            }
            log.debug("TLS.auth: Local options: \(optsString)")
            raw.appendSized(Z(optsString, nullTerminated: true))
            
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@ -106,6 +106,8 @@ public class SessionProxy {

    private var tlsObserver: NSObjectProtocol?
    
+    private var withLocalOptions: Bool
+
    private var keys: [UInt8: SessionKey]

    private var oldKeys: [SessionKey]
@ -190,6 +192,7 @@ public class SessionProxy {
        self.configuration = configuration
        self.cachesURL = cachesURL

+        withLocalOptions = true
        keys = [:]
        oldKeys = []
        negotiationKeyIdx = 0
@ -676,6 +679,7 @@ public class SessionProxy {
        
        do {
            authenticator = try Authenticator(credentials?.username, pushReply?.options.authToken ?? credentials?.password)
+            authenticator?.withLocalOptions = withLocalOptions
            try authenticator?.putAuth(into: negotiationKey.tls, options: configuration)
        } catch let e {
            deferStop(.shutdown, e)
@ -908,6 +912,15 @@ public class SessionProxy {
    // Ruby: handle_ctrl_msg
    private func handleControlMessage(_ message: String) {
        guard !message.hasPrefix("AUTH_FAILED") else {
+
+            // XXX: retry without client options
+            if authenticator?.withLocalOptions ?? false {
+                log.warning("Authentication failure, retrying without local options")
+                withLocalOptions = false
+                deferStop(.reconnect, SessionError.badCredentials)
+                return
+            }
+
            deferStop(.shutdown, SessionError.badCredentials)
            return
        }