// unpackRemoteServerListFile reads a file that contains a
// zlib compressed authenticated data package, validates
// the package, and returns the payload.
func unpackRemoteServerListFile(
	config *Config, filename string) (string, error) {

	fileReader, err := os.Open(filename)
	if err != nil {
		return "", common.ContextError(err)
	}
	defer fileReader.Close()

	zlibReader, err := zlib.NewReader(fileReader)
	if err != nil {
		return "", common.ContextError(err)
	}

	dataPackage, err := ioutil.ReadAll(zlibReader)
	zlibReader.Close()
	if err != nil {
		return "", common.ContextError(err)
	}

	payload, err := common.ReadAuthenticatedDataPackage(
		dataPackage, config.RemoteServerListSignaturePublicKey)
	if err != nil {
		return "", common.ContextError(err)
	}

	return payload, nil
}
Пример #2
0
// UnpackRegistry decompresses, validates, and loads a
// JSON encoded OSL registry.
func UnpackRegistry(
	compressedRegistry []byte, signingPublicKey string) (*Registry, []byte, error) {

	packagedRegistry, err := uncompress(compressedRegistry)
	if err != nil {
		return nil, nil, common.ContextError(err)
	}

	encodedRegistry, err := common.ReadAuthenticatedDataPackage(
		packagedRegistry, signingPublicKey)
	if err != nil {
		return nil, nil, common.ContextError(err)
	}

	registryJSON, err := base64.StdEncoding.DecodeString(encodedRegistry)
	if err != nil {
		return nil, nil, common.ContextError(err)
	}

	registry, err := LoadRegistry(registryJSON)
	return registry, registryJSON, err
}
Пример #3
0
// UnpackOSL reassembles the key for the OSL specified by oslID and uses
// that key to decrypt oslFileContents, uncompress the contents, validate
// the authenticated package, and extract the payload.
// Clients will call UnpackOSL for OSLs indicated by GetSeededOSLIDs along
// with their downloaded content.
// SLOKLookup is called to determine which SLOKs are seeded with the client.
func (registry *Registry) UnpackOSL(
	lookup SLOKLookup,
	oslID []byte,
	oslFileContents []byte,
	signingPublicKey string) (string, error) {

	fileSpec, ok := registry.oslIDLookup[string(oslID)]
	if !ok {
		return "", common.ContextError(errors.New("unknown OSL ID"))
	}

	ok, fileKey, err := fileSpec.KeyShares.reassembleKey(lookup, true)
	if err != nil {
		return "", common.ContextError(err)
	}
	if !ok {
		return "", common.ContextError(errors.New("unseeded OSL"))
	}

	decryptedContents, err := unbox(fileKey, oslFileContents)
	if err != nil {
		return "", common.ContextError(err)
	}

	dataPackage, err := uncompress(decryptedContents)
	if err != nil {
		return "", common.ContextError(err)
	}

	oslPayload, err := common.ReadAuthenticatedDataPackage(
		dataPackage, signingPublicKey)
	if err != nil {
		return "", common.ContextError(err)
	}

	return oslPayload, nil
}
Пример #4
0
// getRoutes makes a web request to download fresh routes data for the
// given region, as indicated by the tunnel. It uses web caching, If-None-Match/ETag,
// to save downloading known routes data repeatedly. If the web request
// fails and cached routes data is present, that cached data is returned.
func (classifier *SplitTunnelClassifier) getRoutes(tunnel *Tunnel) (routesData []byte, err error) {

	url := fmt.Sprintf(classifier.fetchRoutesUrlFormat, tunnel.serverContext.clientRegion)
	request, err := http.NewRequest("GET", url, nil)
	if err != nil {
		return nil, common.ContextError(err)
	}

	etag, err := GetSplitTunnelRoutesETag(tunnel.serverContext.clientRegion)
	if err != nil {
		return nil, common.ContextError(err)
	}
	if etag != "" {
		request.Header.Add("If-None-Match", etag)
	}

	tunneledDialer := func(_, addr string) (conn net.Conn, err error) {
		return tunnel.sshClient.Dial("tcp", addr)
	}
	transport := &http.Transport{
		Dial: tunneledDialer,
		ResponseHeaderTimeout: time.Duration(*tunnel.config.FetchRoutesTimeoutSeconds) * time.Second,
	}
	httpClient := &http.Client{
		Transport: transport,
		Timeout:   time.Duration(*tunnel.config.FetchRoutesTimeoutSeconds) * time.Second,
	}

	// At this time, the largest uncompressed routes data set is ~1MB. For now,
	// the processing pipeline is done all in-memory.

	useCachedRoutes := false

	response, err := httpClient.Do(request)

	if err == nil &&
		(response.StatusCode != http.StatusOK && response.StatusCode != http.StatusNotModified) {
		response.Body.Close()
		err = fmt.Errorf("unexpected response status code: %d", response.StatusCode)
	}
	if err != nil {
		NoticeAlert("failed to request split tunnel routes package: %s", common.ContextError(err))
		useCachedRoutes = true
	}

	if !useCachedRoutes {
		defer response.Body.Close()
		if response.StatusCode == http.StatusNotModified {
			useCachedRoutes = true
		}
	}

	var routesDataPackage []byte
	if !useCachedRoutes {
		routesDataPackage, err = ioutil.ReadAll(response.Body)
		if err != nil {
			NoticeAlert("failed to download split tunnel routes package: %s", common.ContextError(err))
			useCachedRoutes = true
		}
	}

	var encodedRoutesData string
	if !useCachedRoutes {
		encodedRoutesData, err = common.ReadAuthenticatedDataPackage(
			routesDataPackage, classifier.routesSignaturePublicKey)
		if err != nil {
			NoticeAlert("failed to read split tunnel routes package: %s", common.ContextError(err))
			useCachedRoutes = true
		}
	}

	var compressedRoutesData []byte
	if !useCachedRoutes {
		compressedRoutesData, err = base64.StdEncoding.DecodeString(encodedRoutesData)
		if err != nil {
			NoticeAlert("failed to decode split tunnel routes: %s", common.ContextError(err))
			useCachedRoutes = true
		}
	}

	if !useCachedRoutes {
		zlibReader, err := zlib.NewReader(bytes.NewReader(compressedRoutesData))
		if err == nil {
			routesData, err = ioutil.ReadAll(zlibReader)
			zlibReader.Close()
		}
		if err != nil {
			NoticeAlert("failed to decompress split tunnel routes: %s", common.ContextError(err))
			useCachedRoutes = true
		}
	}

	if !useCachedRoutes {
		etag := response.Header.Get("ETag")
		if etag != "" {
			err := SetSplitTunnelRoutes(tunnel.serverContext.clientRegion, etag, routesData)
			if err != nil {
				NoticeAlert("failed to cache split tunnel routes: %s", common.ContextError(err))
				// Proceed with fetched data, even when we can't cache it
			}
		}
	}

	if useCachedRoutes {
		routesData, err = GetSplitTunnelRoutesData(tunnel.serverContext.clientRegion)
		if err != nil {
			return nil, common.ContextError(err)
		}
		if routesData == nil {
			return nil, common.ContextError(errors.New("no cached routes"))
		}
	}

	return routesData, nil
}