Apply the obfuscation port to the entry configuration only

ios/MullvadREST/ApiHandlers/ServerRelaysResponse.swift

@@ -37,7 +37,7 @@ extension REST {
         public var daita: Bool?
 
         public func override(ipv4AddrIn: IPv4Address?) -> Self {
-            return BridgeRelay(
+            BridgeRelay(
                 hostname: hostname,
                 active: active,
                 owned: owned,
@@ -65,7 +65,7 @@ extension REST {
         public let shadowsocksExtraAddrIn: [String]?
 
         public func override(ipv4AddrIn: IPv4Address?, ipv6AddrIn: IPv6Address?) -> Self {
-            return ServerRelay(
+            ServerRelay(
                 hostname: hostname,
                 active: active,
                 owned: owned,
@@ -82,7 +82,7 @@ extension REST {
         }
 
         public func override(daita: Bool) -> Self {
-            return ServerRelay(
+            ServerRelay(
                 hostname: hostname,
                 active: active,
                 owned: owned,

ios/MullvadREST/Relay/MultihopDecisionFlow.swift

@@ -22,6 +22,7 @@ protocol MultihopDecisionFlow {
 struct OneToOne: MultihopDecisionFlow {
     let next: MultihopDecisionFlow?
     let relayPicker: RelayPicking
+
     init(next: (any MultihopDecisionFlow)?, relayPicker: RelayPicking) {
         self.next = next
         self.relayPicker = relayPicker
@@ -47,10 +48,11 @@ struct OneToOne: MultihopDecisionFlow {
             throw NoRelaysSatisfyingConstraintsError(.entryEqualsExit)
         }
 
-        let exitMatch = try relayPicker.findBestMatch(from: exitCandidates)
+        let exitMatch = try relayPicker.findBestMatch(from: exitCandidates, useObfuscatedPortIfAvailable: false)
         let entryMatch = try relayPicker.findBestMatch(
             from: entryCandidates,
-            closeTo: daitaAutomaticRouting ? exitMatch.location : nil
+            closeTo: daitaAutomaticRouting ? exitMatch.location : nil,
+            useObfuscatedPortIfAvailable: true
         )
 
         return SelectedRelays(entry: entryMatch, exit: exitMatch, retryAttempt: relayPicker.connectionAttemptCount)
@@ -95,8 +97,12 @@ struct OneToMany: MultihopDecisionFlow {
                 .pick(entryCandidates: entryCandidates, exitCandidates: exitCandidates, daitaAutomaticRouting: true)
         }
 
-        let entryMatch = try multihopPicker.findBestMatch(from: entryCandidates)
-        let exitMatch = try multihopPicker.exclude(relay: entryMatch, from: exitCandidates)
+        let entryMatch = try multihopPicker.findBestMatch(from: entryCandidates, useObfuscatedPortIfAvailable: true)
+        let exitMatch = try multihopPicker.exclude(
+            relay: entryMatch,
+            from: exitCandidates,
+            useObfuscatedPortIfAvailable: false
+        )
 
         return SelectedRelays(entry: entryMatch, exit: exitMatch, retryAttempt: relayPicker.connectionAttemptCount)
     }
@@ -135,11 +141,12 @@ struct ManyToOne: MultihopDecisionFlow {
             )
         }
 
-        let exitMatch = try multihopPicker.findBestMatch(from: exitCandidates)
+        let exitMatch = try multihopPicker.findBestMatch(from: exitCandidates, useObfuscatedPortIfAvailable: false)
         let entryMatch = try multihopPicker.exclude(
             relay: exitMatch,
             from: entryCandidates,
-            closeTo: daitaAutomaticRouting ? exitMatch.location : nil
+            closeTo: daitaAutomaticRouting ? exitMatch.location : nil,
+            useObfuscatedPortIfAvailable: true
         )
 
         return SelectedRelays(entry: entryMatch, exit: exitMatch, retryAttempt: relayPicker.connectionAttemptCount)
@@ -179,11 +186,12 @@ struct ManyToMany: MultihopDecisionFlow {
             )
         }
 
-        let exitMatch = try multihopPicker.findBestMatch(from: exitCandidates)
+        let exitMatch = try multihopPicker.findBestMatch(from: exitCandidates, useObfuscatedPortIfAvailable: false)
         let entryMatch = try multihopPicker.exclude(
             relay: exitMatch,
             from: entryCandidates,
-            closeTo: daitaAutomaticRouting ? exitMatch.location : nil
+            closeTo: daitaAutomaticRouting ? exitMatch.location : nil,
+            useObfuscatedPortIfAvailable: true
         )
 
         return SelectedRelays(entry: entryMatch, exit: exitMatch, retryAttempt: relayPicker.connectionAttemptCount)

ios/MullvadREST/Relay/ObfuscatorPortSelector.swift

@@ -9,9 +9,10 @@
 import MullvadSettings
 import MullvadTypes
 
-struct ObfuscatorPortSelectorResult {
+struct ObfuscatorPortSelection {
     let relays: REST.ServerRelaysResponse
     let port: RelayConstraint<UInt16>
+    let method: WireGuardObfuscationState
 }
 
 struct ObfuscatorPortSelector {
@@ -20,7 +21,7 @@ struct ObfuscatorPortSelector {
     func obfuscate(
         tunnelSettings: LatestTunnelSettings,
         connectionAttemptCount: UInt
-    ) throws -> ObfuscatorPortSelectorResult {
+    ) throws -> ObfuscatorPortSelection {
         var relays = relays
         var port = tunnelSettings.relayConstraints.port
         let obfuscationMethod = ObfuscationMethodSelector.obfuscationMethodBy(
@@ -44,7 +45,7 @@ struct ObfuscatorPortSelector {
             break
         }
 
-        return ObfuscatorPortSelectorResult(relays: relays, port: port)
+        return ObfuscatorPortSelection(relays: relays, port: port, method: obfuscationMethod)
     }
 
     private func obfuscateShadowsocksRelays(tunnelSettings: LatestTunnelSettings) -> REST.ServerRelaysResponse {

ios/MullvadREST/Relay/RelayPicking.swift

@@ -8,8 +8,10 @@
 
 import MullvadSettings
 import MullvadTypes
+import Network
 
 protocol RelayPicking {
+    var obfuscation: ObfuscatorPortSelection { get }
     var relays: REST.ServerRelaysResponse { get }
     var constraints: RelayConstraints { get }
     var connectionAttemptCount: UInt { get }
@@ -20,30 +22,64 @@ protocol RelayPicking {
 extension RelayPicking {
     func findBestMatch(
         from candidates: [RelayWithLocation<REST.ServerRelay>],
-        closeTo location: Location? = nil
+        closeTo location: Location? = nil,
+        useObfuscatedPortIfAvailable: Bool
     ) throws -> SelectedRelay {
-        let match = try RelaySelector.WireGuard.pickCandidate(
+        var match = try RelaySelector.WireGuard.pickCandidate(
             from: candidates,
             relays: relays,
-            portConstraint: constraints.port,
+            portConstraint: useObfuscatedPortIfAvailable ? obfuscation.port : constraints.port,
             numberOfFailedAttempts: connectionAttemptCount,
             closeTo: location
         )
 
+        if useObfuscatedPortIfAvailable && obfuscation.method == .shadowsocks {
+            match = applyShadowsocksIpAddress(in: match)
+        }
+
         return SelectedRelay(
             endpoint: match.endpoint,
             hostname: match.relay.hostname,
             location: match.location
         )
     }
+
+    private func applyShadowsocksIpAddress(in match: RelaySelectorMatch) -> RelaySelectorMatch {
+        let port = match.endpoint.ipv4Relay.port
+        let portRanges = RelaySelector.parseRawPortRanges(relays.wireguard.shadowsocksPortRanges)
+        let portIsWithinRange = portRanges.contains(where: { $0.contains(port) })
+
+        var endpoint = match.endpoint
+
+        // If the currently selected obfuscation port is not within the allowed range (as specified
+        // in the relay list), we should use one of the extra Shadowsocks IP addresses instead of
+        // the default one.
+        if !portIsWithinRange {
+            var ipv4Address = match.endpoint.ipv4Relay.ip
+            if let shadowsocksAddress = match.relay.shadowsocksExtraAddrIn?.randomElement() {
+                ipv4Address = IPv4Address(shadowsocksAddress) ?? ipv4Address
+            }
+
+            endpoint = match.endpoint.override(ipv4Relay: IPv4Endpoint(
+                ip: ipv4Address,
+                port: port
+            ))
+        }
+
+        return RelaySelectorMatch(endpoint: endpoint, relay: match.relay, location: match.location)
+    }
 }
 
 struct SinglehopPicker: RelayPicking {
-    let relays: REST.ServerRelaysResponse
+    let obfuscation: ObfuscatorPortSelection
     let constraints: RelayConstraints
     let connectionAttemptCount: UInt
     let daitaSettings: DAITASettings
 
+    var relays: REST.ServerRelaysResponse {
+        obfuscation.relays
+    }
+
     func pick() throws -> SelectedRelays {
         do {
             let exitCandidates = try RelaySelector.WireGuard.findCandidates(
@@ -53,14 +89,14 @@ struct SinglehopPicker: RelayPicking {
                 daitaEnabled: daitaSettings.daitaState.isEnabled
             )
 
-            let match = try findBestMatch(from: exitCandidates)
+            let match = try findBestMatch(from: exitCandidates, useObfuscatedPortIfAvailable: true)
             return SelectedRelays(entry: nil, exit: match, retryAttempt: connectionAttemptCount)
         } catch let error as NoRelaysSatisfyingConstraintsError where error.reason == .noDaitaRelaysFound {
             // If DAITA is on and Direct only is off, and no supported relays are found, we should try to find the nearest
             // available relay that supports DAITA and use it as entry in a multihop selection.
             if daitaSettings.isAutomaticRouting {
                 return try MultihopPicker(
-                    relays: relays,
+                    obfuscation: obfuscation,
                     constraints: constraints,
                     connectionAttemptCount: connectionAttemptCount,
                     daitaSettings: daitaSettings
@@ -73,11 +109,15 @@ struct SinglehopPicker: RelayPicking {
 }
 
 struct MultihopPicker: RelayPicking {
-    let relays: REST.ServerRelaysResponse
+    let obfuscation: ObfuscatorPortSelection
     let constraints: RelayConstraints
     let connectionAttemptCount: UInt
     let daitaSettings: DAITASettings
 
+    var relays: REST.ServerRelaysResponse {
+        obfuscation.relays
+    }
+
     func pick() throws -> SelectedRelays {
         let exitCandidates = try RelaySelector.WireGuard.findCandidates(
             by: constraints.exitLocations,
@@ -129,12 +169,17 @@ struct MultihopPicker: RelayPicking {
     func exclude(
         relay: SelectedRelay,
         from candidates: [RelayWithLocation<REST.ServerRelay>],
-        closeTo location: Location? = nil
+        closeTo location: Location? = nil,
+        useObfuscatedPortIfAvailable: Bool
     ) throws -> SelectedRelay {
         let filteredCandidates = candidates.filter { relayWithLocation in
             relayWithLocation.relay.hostname != relay.hostname
         }
 
-        return try findBestMatch(from: filteredCandidates, closeTo: location)
+        return try findBestMatch(
+            from: filteredCandidates,
+            closeTo: location,
+            useObfuscatedPortIfAvailable: useObfuscatedPortIfAvailable
+        )
     }
 }

ios/MullvadREST/Relay/RelaySelectorWrapper.swift

@@ -20,28 +20,25 @@ public final class RelaySelectorWrapper: RelaySelectorProtocol {
         tunnelSettings: LatestTunnelSettings,
         connectionAttemptCount: UInt
     ) throws -> SelectedRelays {
-        let obfuscationResult = try ObfuscatorPortSelector(
+        let obfuscation = try ObfuscatorPortSelector(
             relays: try relayCache.read().relays
         ).obfuscate(
             tunnelSettings: tunnelSettings,
             connectionAttemptCount: connectionAttemptCount
         )
 
-        var constraints = tunnelSettings.relayConstraints
-        constraints.port = obfuscationResult.port
-
         return switch tunnelSettings.tunnelMultihopState {
         case .off:
             try SinglehopPicker(
-                relays: obfuscationResult.relays,
-                constraints: constraints,
+                obfuscation: obfuscation,
+                constraints: tunnelSettings.relayConstraints,
                 connectionAttemptCount: connectionAttemptCount,
                 daitaSettings: tunnelSettings.daita
             ).pick()
         case .on:
             try MultihopPicker(
-                relays: obfuscationResult.relays,
-                constraints: constraints,
+                obfuscation: obfuscation,
+                constraints: tunnelSettings.relayConstraints,
                 connectionAttemptCount: connectionAttemptCount,
                 daitaSettings: tunnelSettings.daita
             ).pick()

ios/MullvadSettings/TunnelSettingsStrategy.swift

@@ -18,9 +18,7 @@ public struct TunnelSettingsStrategy: TunnelSettingsStrategyProtocol {
         newSettings: LatestTunnelSettings
     ) -> Bool {
         switch (oldSettings, newSettings) {
-        case let (old, new) where old.relayConstraints != new.relayConstraints,
-             let (old, new) where old.tunnelMultihopState != new.tunnelMultihopState,
-             let (old, new) where old.daita != new.daita:
+        case let (old, new) where old != new:
             true
         default:
             false

ios/MullvadTypes/MullvadEndpoint.swift

@@ -30,4 +30,14 @@ public struct MullvadEndpoint: Equatable, Codable {
         self.ipv6Gateway = ipv6Gateway
         self.publicKey = publicKey
     }
+
+    public func override(ipv4Relay: IPv4Endpoint) -> Self {
+        MullvadEndpoint(
+            ipv4Relay: ipv4Relay,
+            ipv6Relay: ipv6Relay,
+            ipv4Gateway: ipv4Gateway,
+            ipv6Gateway: ipv6Gateway,
+            publicKey: publicKey
+        )
+    }
 }

ios/MullvadVPNTests/MullvadREST/Relay/MultihopDecisionFlowTests.swift

@@ -160,13 +160,16 @@ class MultihopDecisionFlowTests: XCTestCase {
 
 extension MultihopDecisionFlowTests {
     var picker: MultihopPicker {
+        let obfuscation = try? ObfuscatorPortSelector(relays: sampleRelays)
+            .obfuscate(tunnelSettings: LatestTunnelSettings(), connectionAttemptCount: 0)
+
         let constraints = RelayConstraints(
             entryLocations: .only(UserSelectedRelays(locations: [.city("se", "sto")])),
             exitLocations: .only(UserSelectedRelays(locations: [.city("se", "sto")]))
         )
 
         return MultihopPicker(
-            relays: sampleRelays,
+            obfuscation: obfuscation.unsafelyUnwrapped,
             constraints: constraints,
             connectionAttemptCount: 0,
             daitaSettings: DAITASettings(daitaState: .off)