Fix relay selector to force blocked state with daita and obfuscation on

mullvad · Dec 13, 2024 · 44185ae · 44185ae
1 parent d720161
commit 44185ae
Show file tree

Hide file tree

Showing 13 changed files with 275 additions and 184 deletions.
diff --git a/ios/MullvadREST/Relay/NoRelaysSatisfyingConstraintsError.swift b/ios/MullvadREST/Relay/NoRelaysSatisfyingConstraintsError.swift
@@ -15,6 +15,7 @@ public enum NoRelaysSatisfyingConstraintsReason {
     case multihopInvalidFlow
     case noActiveRelaysFound
     case noDaitaRelaysFound
+    case noObfuscatedRelaysFound
     case relayConstraintNotMatching
 }
 
@@ -35,6 +36,8 @@ public struct NoRelaysSatisfyingConstraintsError: LocalizedError {
             "No active relays found"
         case .noDaitaRelaysFound:
             "No DAITA relays found"
+        case .noObfuscatedRelaysFound:
+            "No obfuscated relays found"
         case .relayConstraintNotMatching:
             "Invalid constraint created to pick a relay"
         }

diff --git a/ios/MullvadREST/Relay/ObfuscatorPortSelector.swift b/ios/MullvadREST/Relay/ObfuscatorPortSelector.swift
@@ -12,6 +12,7 @@ import MullvadTypes
 struct ObfuscatorPortSelection {
     let entryRelays: REST.ServerRelaysResponse
     let exitRelays: REST.ServerRelaysResponse
+    let unfilteredRelays: REST.ServerRelaysResponse
     let port: RelayConstraint<UInt16>
     let method: WireGuardObfuscationState
 
@@ -61,6 +62,7 @@ struct ObfuscatorPortSelector {
         return ObfuscatorPortSelection(
             entryRelays: entryRelays,
             exitRelays: exitRelays,
+            unfilteredRelays: relays,
             port: port,
             method: obfuscationMethod
         )

diff --git a/ios/MullvadREST/Relay/RelayPicking.swift b/ios/MullvadREST/Relay/RelayPicking.swift
diff --git a/ios/MullvadREST/Relay/RelayPicking/MultihopPicker.swift b/ios/MullvadREST/Relay/RelayPicking/MultihopPicker.swift
@@ -0,0 +1,82 @@
+//
+//  MultihopPicker.swift
+//  MullvadVPN
+//
+//  Created by Jon Petersson on 2024-12-11.
+//  Copyright © 2024 Mullvad VPN AB. All rights reserved.
+//
+
+import MullvadSettings
+import MullvadTypes
+
+struct MultihopPicker: RelayPicking {
+    let obfuscation: ObfuscatorPortSelection
+    let constraints: RelayConstraints
+    let connectionAttemptCount: UInt
+    let daitaSettings: DAITASettings
+
+    func pick() throws -> SelectedRelays {
+        let exitCandidates = try RelaySelector.WireGuard.findCandidates(
+            by: constraints.exitLocations,
+            in: obfuscation.exitRelays,
+            filterConstraint: constraints.filter,
+            daitaEnabled: false
+        )
+
+        /*
+         Relay selection is prioritised in the following order:
+         1. Both entry and exit constraints match only a single relay. Both relays are selected.
+         2. Entry constraint matches only a single relay and the other multiple relays. The single relay
+            is selected and excluded from the list of multiple relays.
+         3. Exit constraint matches multiple relays and the other a single relay. The single relay
+            is selected and excluded from the list of multiple relays.
+         4. Both entry and exit constraints match multiple relays. Exit relay is picked first and then
+            excluded from the list of entry relays.
+         */
+        let decisionFlow = OneToOne(
+            next: OneToMany(
+                next: ManyToOne(
+                    next: ManyToMany(
+                        next: nil,
+                        relayPicker: self
+                    ),
+                    relayPicker: self
+                ),
+                relayPicker: self
+            ),
+            relayPicker: self
+        )
+
+        do {
+            let entryCandidates = try RelaySelector.WireGuard.findCandidates(
+                by: daitaSettings.isAutomaticRouting ? .any : constraints.entryLocations,
+                in: obfuscation.entryRelays,
+                filterConstraint: constraints.filter,
+                daitaEnabled: daitaSettings.daitaState.isEnabled
+            )
+
+            return try decisionFlow.pick(
+                entryCandidates: entryCandidates,
+                exitCandidates: exitCandidates,
+                daitaAutomaticRouting: daitaSettings.isAutomaticRouting
+            )
+        }
+    }
+
+    func exclude(
+        relay: SelectedRelay,
+        from candidates: [RelayWithLocation<REST.ServerRelay>],
+        closeTo location: Location? = nil,
+        useObfuscatedPortIfAvailable: Bool
+    ) throws -> SelectedRelay {
+        let filteredCandidates = candidates.filter { relayWithLocation in
+            relayWithLocation.relay.hostname != relay.hostname
+        }
+
+        return try findBestMatch(
+            from: filteredCandidates,
+            closeTo: location,
+            useObfuscatedPortIfAvailable: useObfuscatedPortIfAvailable
+        )
+    }
+}
diff --git a/ios/MullvadREST/Relay/RelayPicking/RelayPicking.swift b/ios/MullvadREST/Relay/RelayPicking/RelayPicking.swift
@@ -0,0 +1,70 @@
+//
+//  RelaySelectorPicker.swift
+//  MullvadREST
+//
+//  Created by Jon Petersson on 2024-06-05.
+//  Copyright © 2024 Mullvad VPN AB. All rights reserved.
+//
+
+import MullvadSettings
+import MullvadTypes
+import Network
+
+protocol RelayPicking {
+    var obfuscation: ObfuscatorPortSelection { get }
+    var constraints: RelayConstraints { get }
+    var connectionAttemptCount: UInt { get }
+    var daitaSettings: DAITASettings { get }
+    func pick() throws -> SelectedRelays
+}
+
+extension RelayPicking {
+    func findBestMatch(
+        from candidates: [RelayWithLocation<REST.ServerRelay>],
+        closeTo location: Location? = nil,
+        useObfuscatedPortIfAvailable: Bool
+    ) throws -> SelectedRelay {
+        var match = try RelaySelector.WireGuard.pickCandidate(
+            from: candidates,
+            wireguard: obfuscation.wireguard,
+            portConstraint: useObfuscatedPortIfAvailable ? obfuscation.port : constraints.port,
+            numberOfFailedAttempts: connectionAttemptCount,
+            closeTo: location
+        )
+
+        if useObfuscatedPortIfAvailable && obfuscation.method == .shadowsocks {
+            match = applyShadowsocksIpAddress(in: match)
+        }
+
+        return SelectedRelay(
+            endpoint: match.endpoint,
+            hostname: match.relay.hostname,
+            location: match.location
+        )
+    }
+
+    private func applyShadowsocksIpAddress(in match: RelaySelectorMatch) -> RelaySelectorMatch {
+        let port = match.endpoint.ipv4Relay.port
+        let portRanges = RelaySelector.parseRawPortRanges(obfuscation.wireguard.shadowsocksPortRanges)
+        let portIsWithinRange = portRanges.contains(where: { $0.contains(port) })
+
+        var endpoint = match.endpoint
+
+        // If the currently selected obfuscation port is not within the allowed range (as specified
+        // in the relay list), we should use one of the extra Shadowsocks IP addresses instead of
+        // the default one.
+        if !portIsWithinRange {
+            var ipv4Address = match.endpoint.ipv4Relay.ip
+            if let shadowsocksAddress = match.relay.shadowsocksExtraAddrIn?.randomElement() {
+                ipv4Address = IPv4Address(shadowsocksAddress) ?? ipv4Address
+            }
+
+            endpoint = match.endpoint.override(ipv4Relay: IPv4Endpoint(
+                ip: ipv4Address,
+                port: port
+            ))
+        }
+
+        return RelaySelectorMatch(endpoint: endpoint, relay: match.relay, location: match.location)
+    }
+}