passepartoutvpn
/
tunnelkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Shut down on compressed data packet 

Re-inforce #65 at the data path level. Should now cover all
compression scenarios.
This commit is contained in:
Davide De Rosa 2019-02-28 17:10:50 +01:00
parent 9544e59fcf
commit 86420ba8ea
7 changed files with 49 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## Unreleased
### Added
- Shut down if server pushes a compressed data packet.
## 1.4.1 (2019-02-25) ## 1.4.1 (2019-02-25)
### Added ### Added

3
TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
View File

@ -586,6 +586,9 @@ extension TunnelKitProvider {
case .dataPathOverflow, .dataPathPeerIdMismatch: case .dataPathOverflow, .dataPathPeerIdMismatch:
return .unexpectedReply return .unexpectedReply
case .dataPathCompression:
return .serverCompression
} }
} else if let se = error as? SessionError { } else if let se = error as? SessionError {
switch se { switch se {

6
TunnelKit/Sources/Core/CryptoAEAD.m
View File

@ -346,7 +346,7 @@ static const NSInteger CryptoAEADTagLength = 16;
return YES; return YES;
} }
- (const uint8_t *)parsePayloadWithBlock:(DataPathParseBlock)block length:(NSInteger *)length packetBytes:(uint8_t *)packetBytes packetLength:(NSInteger)packetLength - (const uint8_t *)parsePayloadWithBlock:(DataPathParseBlock)block length:(NSInteger *)length packetBytes:(uint8_t *)packetBytes packetLength:(NSInteger)packetLength error:(NSError * _Nullable __autoreleasing * _Nullable)error
{ {
uint8_t *payload = packetBytes; uint8_t *payload = packetBytes;
*length = packetLength - (int)(payload - packetBytes); *length = packetLength - (int)(payload - packetBytes);
@ -356,7 +356,9 @@ static const NSInteger CryptoAEADTagLength = 16;
NSInteger payloadOffset; NSInteger payloadOffset;
NSInteger payloadHeaderLength; NSInteger payloadHeaderLength;
block(payload, &payloadOffset, &payloadHeaderLength, packetBytes, packetLength); if (!block(payload, &payloadOffset, &payloadHeaderLength, packetBytes, packetLength, error)) {
return NULL;
}
*length -= payloadHeaderLength; *length -= payloadHeaderLength;
return payload + payloadOffset; return payload + payloadOffset;
} }

6
TunnelKit/Sources/Core/CryptoCBC.m
View File

@ -368,7 +368,7 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
return YES; return YES;
} }
- (const uint8_t *)parsePayloadWithBlock:(DataPathParseBlock)block length:(NSInteger *)length packetBytes:(uint8_t *)packetBytes packetLength:(NSInteger)packetLength - (const uint8_t *)parsePayloadWithBlock:(DataPathParseBlock)block length:(NSInteger *)length packetBytes:(uint8_t *)packetBytes packetLength:(NSInteger)packetLength error:(NSError * _Nullable __autoreleasing * _Nullable)error
{ {
uint8_t *payload = packetBytes; uint8_t *payload = packetBytes;
payload += sizeof(uint32_t); // packet id payload += sizeof(uint32_t); // packet id
@ -379,7 +379,9 @@ const NSInteger CryptoCBCMaxHMACLength = 100;
NSInteger payloadOffset; NSInteger payloadOffset;
NSInteger payloadHeaderLength; NSInteger payloadHeaderLength;
block(payload, &payloadOffset, &payloadHeaderLength, packetBytes, packetLength); if (!block(payload, &payloadOffset, &payloadHeaderLength, packetBytes, packetLength, error)) {
return NULL;
}
*length -= payloadHeaderLength; *length -= payloadHeaderLength;
return payload + payloadOffset; return payload + payloadOffset;
} }

29
TunnelKit/Sources/Core/DataPath.m
View File

@ -162,9 +162,10 @@
memcpy(packetDest, payload.bytes, payload.length); memcpy(packetDest, payload.bytes, payload.length);
*packetLengthOffset = 0; *packetLengthOffset = 0;
}; };
self.parsePayloadBlock = ^(uint8_t * payload, NSInteger *payloadOffset, NSInteger * headerLength, const uint8_t * packet, NSInteger packetLength) { self.parsePayloadBlock = ^BOOL(uint8_t * _Nonnull payload, NSInteger * _Nonnull payloadOffset, NSInteger * _Nonnull headerLength, const uint8_t * _Nonnull packet, NSInteger packetLength, NSError * _Nullable __autoreleasing * _Nullable error) {
*payloadOffset = 0; *payloadOffset = 0;
*headerLength = 0; *headerLength = 0;
return YES;
}; };
break; break;
} }
@ -175,11 +176,16 @@
packetDest[0] = DataPacketNoCompressSwap; packetDest[0] = DataPacketNoCompressSwap;
*packetLengthOffset = 1; *packetLengthOffset = 1;
}; };
self.parsePayloadBlock = ^(uint8_t * payload, NSInteger *payloadOffset, NSInteger * headerLength, const uint8_t * packet, NSInteger packetLength) { self.parsePayloadBlock = ^BOOL(uint8_t * _Nonnull payload, NSInteger * _Nonnull payloadOffset, NSInteger * _Nonnull headerLength, const uint8_t * _Nonnull packet, NSInteger packetLength, NSError * _Nullable __autoreleasing * _Nullable error) {
NSCAssert(payload[0] == DataPacketNoCompressSwap, @"Expected NO_COMPRESS_SWAP (found %X != %X)", payload[0], DataPacketNoCompressSwap); if (payload[0] != DataPacketNoCompressSwap) {
// @"Expected NO_COMPRESS_SWAP (found %X != %X)", payload[0], DataPacketNoCompressSwap);
*error = TunnelKitErrorWithCode(TunnelKitErrorCodeDataPathCompression);
return NO;
}
payload[0] = packet[packetLength - 1]; payload[0] = packet[packetLength - 1];
*payloadOffset = 0; *payloadOffset = 0;
*headerLength = 1; *headerLength = 1;
return YES;
}; };
break; break;
} }
@ -189,10 +195,17 @@
packetDest[0] = DataPacketNoCompress; packetDest[0] = DataPacketNoCompress;
*packetLengthOffset = 1; *packetLengthOffset = 1;
}; };
self.parsePayloadBlock = ^(uint8_t * payload, NSInteger *payloadOffset, NSInteger * headerLength, const uint8_t * packet, NSInteger packetLength) { self.parsePayloadBlock = ^BOOL(uint8_t * _Nonnull payload, NSInteger * _Nonnull payloadOffset, NSInteger * _Nonnull headerLength, const uint8_t * _Nonnull packet, NSInteger packetLength, NSError * _Nullable __autoreleasing * _Nullable error) {
NSCAssert(payload[0] == DataPacketNoCompress, @"Expected NO_COMPRESS (found %X != %X)", payload[0], DataPacketNoCompress); if (payload[0] != DataPacketNoCompress) {
// @"Expected NO_COMPRESS (found %X != %X)", payload[0], DataPacketNoCompress);
if (error) {
*error = TunnelKitErrorWithCode(TunnelKitErrorCodeDataPathCompression);
}
return NO;
}
*payloadOffset = 1; *payloadOffset = 1;
*headerLength = 1; *headerLength = 1;
return YES;
}; };
break; break;
} }
@ -280,7 +293,11 @@
const uint8_t *payloadBytes = [self.decrypter parsePayloadWithBlock:self.parsePayloadBlock const uint8_t *payloadBytes = [self.decrypter parsePayloadWithBlock:self.parsePayloadBlock
length:&payloadLength length:&payloadLength
packetBytes:dataPacketBytes packetBytes:dataPacketBytes
packetLength:dataPacketLength]; packetLength:dataPacketLength
error:error];
if (!payloadBytes) {
return nil;
}
if ((payloadLength == sizeof(DataPacketPingData)) && !memcmp(payloadBytes, DataPacketPingData, payloadLength)) { if ((payloadLength == sizeof(DataPacketPingData)) && !memcmp(payloadBytes, DataPacketPingData, payloadLength)) {
if (keepAlive) { if (keepAlive) {

9
TunnelKit/Sources/Core/DataPathCrypto.h
View File

@ -57,7 +57,12 @@ NS_ASSUME_NONNULL_BEGIN
} }
typedef void (^DataPathAssembleBlock)(uint8_t *packetDest, NSInteger *packetLengthOffset, NSData *payload); typedef void (^DataPathAssembleBlock)(uint8_t *packetDest, NSInteger *packetLengthOffset, NSData *payload);
typedef void (^DataPathParseBlock)(uint8_t *payload, NSInteger *payloadOffset, NSInteger *headerLength, const uint8_t *packet, NSInteger packetLength); typedef BOOL (^DataPathParseBlock)(uint8_t *payload,
NSInteger *payloadOffset,
NSInteger *headerLength,
const uint8_t *packet,
NSInteger packetLength,
NSError **error);
@protocol DataPathChannel @protocol DataPathChannel
@ -77,7 +82,7 @@ typedef void (^DataPathParseBlock)(uint8_t *payload, NSInteger *payloadOffset, N
@protocol DataPathDecrypter <DataPathChannel> @protocol DataPathDecrypter <DataPathChannel>
- (BOOL)decryptDataPacket:(NSData *)packet into:(uint8_t *)packetBytes length:(NSInteger *)packetLength packetId:(uint32_t *)packetId error:(NSError **)error; - (BOOL)decryptDataPacket:(NSData *)packet into:(uint8_t *)packetBytes length:(NSInteger *)packetLength packetId:(uint32_t *)packetId error:(NSError **)error;
- (const uint8_t *)parsePayloadWithBlock:(nullable DataPathParseBlock)block length:(NSInteger *)length packetBytes:(uint8_t *)packetBytes packetLength:(NSInteger)packetLength; - (const uint8_t * _Nullable)parsePayloadWithBlock:(nullable DataPathParseBlock)block length:(NSInteger *)length packetBytes:(uint8_t *)packetBytes packetLength:(NSInteger)packetLength error:(NSError **)error;
@end @end

3
TunnelKit/Sources/Core/Errors.h
View File

@ -51,7 +51,8 @@ typedef NS_ENUM(NSInteger, TunnelKitErrorCode) {
TunnelKitErrorCodeTLSBoxServerCertificate = 206, TunnelKitErrorCodeTLSBoxServerCertificate = 206,
TunnelKitErrorCodeTLSBoxServerEKU = 207, TunnelKitErrorCodeTLSBoxServerEKU = 207,
TunnelKitErrorCodeDataPathOverflow = 301, TunnelKitErrorCodeDataPathOverflow = 301,
TunnelKitErrorCodeDataPathPeerIdMismatch = 302 TunnelKitErrorCodeDataPathPeerIdMismatch = 302,
TunnelKitErrorCodeDataPathCompression = 303
}; };
static inline NSError *TunnelKitErrorWithCode(TunnelKitErrorCode code) { static inline NSError *TunnelKitErrorWithCode(TunnelKitErrorCode code) {