fix(lan): support mitigations for amplification attacks

Given a UDP packet with a spoofed address of origin, it's possible
for a client to party to a minor amplification attack.

Support the new `targetDeviceId` and `targetProtocolVersion`
fields, to mitigate the severity of such an attempt.

Author: andyholmes

src/plugins/lan/valent-lan-channel-service.c

@@ -257,6 +257,8 @@ handshake_fiber (gpointer user_data)
   if (is_incoming)
     {
       g_autoptr (JsonNode) peer_identity = NULL;
+      const char *target_device_id = NULL;
+      int64_t target_protocol_version = 0;
 
       peer_identity = dex_await_boxed (valent_packet_from_stream_future (g_io_stream_get_input_stream (data->connection),
                                                                          IDENTITY_BUFFER_MAX,
@@ -265,21 +267,72 @@ handshake_fiber (gpointer user_data)
       if (peer_identity == NULL)
         goto fail;
 
+      /* When accepting a TCP connection, the identity packet may indicate its
+       * intended target, allowing the local device to mitigate amplification
+       * attacks from a spoofed UDP address.
+       */
+      if (valent_packet_get_string (peer_identity, "targetDeviceId", &target_device_id))
+        {
+          g_autofree char *local_id = valent_channel_service_dup_id (service);
+
+          if (g_strcmp0 (target_device_id, local_id) != 0)
+            {
+              g_set_error (&error,
+                           G_IO_ERROR,
+                           G_IO_ERROR_FAILED,
+                           "expected \"targetDeviceId\" field holding \"%s\"",
+                           local_id);
+              goto fail;
+            }
+        }
+
+      if (valent_packet_get_int (peer_identity, "targetProtocolVersion", &target_protocol_version) &&
+          target_protocol_version != VALENT_NETWORK_PROTOCOL_MAX)
+        {
+          g_set_error (&error,
+                       G_IO_ERROR,
+                       G_IO_ERROR_FAILED,
+                       "expected \"targetProtocolVersion\" field holding \"%u\"",
+                       VALENT_NETWORK_PROTOCOL_MAX);
+          goto fail;
+        }
+
       data->peer_identity = g_steal_pointer (&peer_identity);
     }
   else
     {
+      JsonObject *body;
+      gboolean success;
+      const char *target_device_id = NULL;
+      int64_t target_protocol_version = 0;
+
       data->connection = dex_await_object (_dex_socket_client_connect_to_host (data->host,
                                                                                data->port,
                                                                                cancellable),
                                            &error);
       if (data->connection == NULL)
         goto fail;
 
-      if (!dex_await (valent_packet_to_stream_future (g_io_stream_get_output_stream (data->connection),
-                                                      identity,
-                                                      cancellable),
-                      &error))
+      /* When responding to a UDP broadcast, mark the identity packet for its
+       * intended target, allowing the remote device to abort if the broadcast
+       * address was spoofed.
+       */
+      valent_packet_get_string (data->peer_identity, "deviceId", &target_device_id);
+      valent_packet_get_int (data->peer_identity, "protocolVersion", &target_protocol_version);
+
+      body = valent_packet_get_body (identity);
+      json_object_set_string_member (body, "targetDeviceId", target_device_id);
+      json_object_set_int_member (body, "targetProtocolVersion", target_protocol_version);
+
+      success = dex_await (valent_packet_to_stream_future (g_io_stream_get_output_stream (data->connection),
+                                                           identity,
+                                                           cancellable),
+                           &error);
+      // TODO: operate on a deep-copy instead?
+      json_object_remove_member (body, "targetDeviceId");
+      json_object_remove_member (body, "targetProtocolVersion");
+
+      if (!success)
         goto fail;
     }
 

tests/plugins/lan/test-lan-plugin.c

@@ -36,6 +36,8 @@
 #define TEST_OUTGOING_TLS_CERTIFICATE   "/plugins/lan/outgoing-tls-certificate"
 #define TEST_INCOMING_TLS_IDENTITY      "/plugins/lan/incoming-tls-common-name"
 #define TEST_OUTGOING_TLS_IDENTITY      "/plugins/lan/outgoing-tls-common-name"
+#define TEST_UDP_SPOOFED_ADDRESS_1      "/plugins/lan/udp-spoofed-address-1"
+#define TEST_UDP_SPOOFED_ADDRESS_2      "/plugins/lan/udp-spoofed-address-2"
 
 
 typedef struct
@@ -706,6 +708,16 @@ static LanTestCase compliance_tests[] = {
     .errmsg = "*device ID does not match certificate common name*",
     .func = (LanFixtureFunc)test_lan_service_outgoing_broadcast,
   },
+  {
+    .name = TEST_UDP_SPOOFED_ADDRESS_1,
+    .errmsg = "*expected \"targetDeviceId\" field holding*",
+    .func = (LanFixtureFunc)test_lan_service_outgoing_broadcast,
+  },
+  {
+    .name = TEST_UDP_SPOOFED_ADDRESS_2,
+    .errmsg = "*expected \"targetProtocolVersion\" field holding*",
+    .func = (LanFixtureFunc)test_lan_service_outgoing_broadcast,
+  },
 };
 
 static void
@@ -775,6 +787,14 @@ test_lan_service_compliance_test (gconstpointer user_data)
           g_clear_object (&fixture->peer_certificate);
           fixture->peer_certificate = valent_certificate_new_sync (NULL, NULL);
         }
+      else if (g_strcmp0 (test_name, TEST_UDP_SPOOFED_ADDRESS_1) == 0)
+        {
+          json_object_set_string_member (body, "targetDeviceId", "27456e3cfe5c420896a7c0caeec5e5a0");
+        }
+      else if (g_strcmp0 (test_name, TEST_UDP_SPOOFED_ADDRESS_2) == 0)
+        {
+          json_object_set_int_member (body, "targetProtocolVersion", 7);
+        }
 
       test_case->func (fixture, test_case);
       lan_service_fixture_tear_down (fixture, test_case);