summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-03-28Add support for tor feature #15435.Yawning Angel
If the relevant enviornment variable is set, treat read errors from Stdin as a SIGTERM.
2015-03-28Clean up/refactor the shutdown/termination handling code.Yawning Angel
This combines the old signal processing code with the parent monitor, into a new termination monitor structure, which also now handles keeping track of outstanding sessions.
2015-03-26Fix comments. (No functional changes)Yawning Angel
2015-03-26Attempt to detect if the parent crashed without killing obfs4proxy.Yawning Angel
The ideal solution here would be to implement #15435, but till then use one of several kludges: * Linux - prctl() so that the kernel SIGTERMs on parent exit. * Other U*ix - Poll the parent process id once a second, and SIGTERM ourself/exit if it changes. Former is better since all the normal cleanup if any gets done. * Windows - Log a warning.
2015-03-23Change the import path for go.net.Yawning Angel
The Go developers decided to move the go.net repository to golang.org/x/net, and also to transition from hg to git. This wasn't changed when the go.crypto imports were since the 'proxy' component doesn't have imports that break, so the old code still works. While the change here is simple (just update the import location), this affects packagers as it now expects the updated package. Sorry for the inconveneince, I blame the Go people, and myself for not just doing this along with the go.crypto changes.
2015-03-22Update the ChangeLog (No functional changes).Yawning Angel
2015-03-22Simplify some err and return logicDaniel Martí
2015-03-18Reduce some if err != nil logic linesDaniel Martí
2015-03-16Update the ChangeLog (No functional changes).Yawning Angel
2015-03-16Fix all go vet issuesDaniel Martí
2015-03-16Run go fmtDaniel Martí
2015-02-17Do the release ritual for obfs4proxy-0.0.4.Yawning Angel
2015-02-17Add support for acting as a ScrambleSuit client.Yawning Angel
This allows obfs4proxy to be used as a ScrambleSuit client that is wire compatible with the obfs4proxy implementation, including session ticket support, and length obfuscation. The current implementation has the following limitations: * IAT obfuscation is not supported (and is disabled in all other ScrambleSuit implementations by default). * The length distribution and probabilites are different from those generated by obfsproxy and obfsclient due to a different DRBG. * Server support is missing and is unlikely to be implemented.
2015-01-14Document the obfs4 NaCl secretbox nonce generation.Yawning Angel
Forgot to include this in the spec, though it was documented as a comment in the framing code.
2015-01-14Change the import path for go.crypto.Yawning Angel
The Go developers decided to move the go.crypto repository to golang.org/x/crypto, and also to transition from hg to git. The tip of tree code.google.com copy of the code is broken due to the import paths pointing at the new repository. While the change here is simple (just update the import location), this affects packagers as it now expects the updated package. Sorry for the inconveneince, I blame the Go people.
2014-10-24Fix minor issues pointed out by "go vet".Yawning Angel
2014-10-03Improve the performance of the obfs4 handshake test.Yawning Angel
Exhaustively testing padding combinations is really slow, and was causing timeouts during the Debian ARM package build process. Attempt to improve the situation by: * Reusing the client and server keypair for all of the tests, to cut runtime down by ~50%. * Splitting the client side and server side tests up, as it appears the timeout is per-test case. If this doesn't fix things, the next thing to try would be to reduce the actual number of padding lengths tested, but that is a last resort at the moment.
2014-10-01Do the release ritual for obfs4proxy-0.0.3.Yawning Angel
2014-10-01Change the bridge line format to be more compact.Yawning Angel
Instead of "node-id" and "public-key" that are Base16 encoded, use "cert" which contains the "node-id" and "public-key" in Base64 encoded form. This is more compact and cuts the length down by 49 characters.
2014-09-26Do the release ritual for obfs4proxy-0.0.2.Yawning Angel
2014-09-24Write an example obfs4 bridge line to "obfs4_bridgeline.txt".Yawning Angel
Write an example client bridge line suitable for use with the running obfs4 server instance to "obfs4_bridgeline.txt" for the convenience of bridge operators.
2014-09-06Fix spelling error in man page, no functional changes.Yawning Angel
2014-09-06Minor documentation cleanups, no functional changes.Yawning Angel
2014-09-06Add a man page for obfs4proxy.Yawning Angel
2014-09-03Do the release ritual for obfs4proxy-0.0.1.Yawning Angel
2014-09-03Change the default logLevel to ERROR, upgrade some client warnings.Yawning Angel
Client side logs are less spammy than server side in general, so more messages should be visible at the default logLevel when running as a client. Server side logging will be spammy basically no matter what unless obfs4proxy gets into the (arguably dangerous) business of figuring out which errors are people being evil vs which ones are transient network issues, so most logging is suppressed by default, unless the admin choses to open the floodgates.
2014-09-03Add a prolog/epilog to the logging that always gets logged.Yawning Angel
The prolog prints the version as soon as logging is enabled, but before the pluggable transport configuration is done. The epilog is printed as the code returns from main, as long as either client or server pt configuration succeded.
2014-09-03Update the README.md (No functional changes).Yawning Angel
2014-09-03Change the version command line arg from `-v` to `-version`.Yawning Angel
For consistency with the rest of the arguments.
2014-09-03Add support for "logLevel" to reduce log spam.Yawning Angel
By default logging will be done at the "WARN" level. Fatal initialization errors will always be logged as long as logging is enabled regardless of logLevel.
2014-08-31Add elideError(error) that knows how to sanitize net.Errors.Yawning Angel
Instead of omitting errors entirely when running with the log scrubber, filter common network errors through elideError() that can scrub the common net.Error types and remove sensitive information.
2014-08-27Various IAT related changes.Yawning Angel
* Unbreak inbound TYPE_PRNG_SEED processing. * IAT obfuscation is now a per-bridge argument (iat-mode). * 0 (default) = Disabled. * 1 = Enabled, ScrambleSuit-style with bulk throughput optimizations. * 2 = Paranoid, Each IAT write will send a length sampled from the length distribution. (EXPENSIVE). The "iat-mode" argument is mandatory on the Bridge lines, and as a ServerTransportOption. Old statefiles will continue to load and use the default value, edit it if your hat is made of tin foil.
2014-08-27Change the TYPE_PRNG_SEED length to 24.Yawning Angel
This matches what the code actually sends. It's shorter than the ScrambleSuit PRNG seed, but that's because the SipHash-2-4 based Hash_DRBG has 24 bytes of internal state (key + initial output).
2014-08-27Display a more useful error on JSON Unmarshall failure.Yawning Angel
2014-08-27Add a ChangeLog and dump the version when invoked with "-v".Yawning Angel
2014-08-23Change all the arguments to use base16 from base64.Yawning Angel
WARNING: THIS BREAKS BACKWARD COMPATIBILITY. This is primarily to work around bug #12930. Base16 was chosen over unpadded Base64 because the go runtime Base64 decoder does not handle omitting the padding. May $deity have mercy on anyone who needs to hand-enter an obfs4 bridge line because I will not.
2014-08-20Elide the error out from most logs unless unsafeLogging is set.Yawning Angel
The Golang runtime will happily splatter the remote IP address and port in the error's string representation for network related errors. While useful for debugging, this is unacceptable from a privacy standpoint.
2014-08-20Add a missing "continue" statement.Yawning Angel
Caught by asn, thanks.
2014-08-18Change the drbg seed field in the state file.Yawning Angel
Changing from "drbgSeed" to "drbg-seed" to be consistent with the ServerTransportOptions to allow for easier copy/paste.
2014-08-18Add support for enabling IAT obfuscation and biased WDist.Yawning Angel
Golang's command line parser is slightly cumbersome to use with subcommands, so the arguments are "obfs4-iatObufscation" and "obfs-distBias" instead of obfsproxy style subcommands.
2014-08-17Massive cleanup/code reorg.Yawning Angel
* Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605).
2014-06-25Change the import paths to point to the tp.o repository.Yawning Angel
2014-06-20Use delete to remove entries from the replay filter.Yawning Angel
2014-06-19Use Vose's Alias Method to sample the weighted distribution.Yawning Angel
The weight generation code also was cleaned up (and now can support generating distributions that look like what ScrambleSuit does as a compile time change). Per: http://www.keithschwarz.com/darts-dice-coins/
2014-06-07Document dependencies, add LICENSE (No functional changes).Yawning Angel
2014-06-07Allow randomly generating node-ids instead of requiring the fingerprint.Yawning Angel
To ease delopyment, "-genServerParams has changed". * "-genServerParams" is now a bool, and will by default generate a random node-id. * "-genServerParams -genServerParamsFP=<Base16 blob>" will convert the supplied bridge fingerprint to a node-id (the old behavior). Either way of deriving node-id is belived to be secure. * https://lists.torproject.org/pipermail/tor-dev/2014-May/006929.html * https://lists.torproject.org/pipermail/tor-dev/2014-June/006936.html The extra parameter was added because golang's flags library doesn't support distinguishing between "set but used the default value" and "not set, so you go the default value".
2014-06-02Use goptlib's MakeStateDir instead of the one in pt_extras.Yawning Angel
This requires changes in goptlib from last night, people may need to run "go get -u" to update dependencies before building.
2014-06-02Change how the length obfsucation mask is derived.Yawning Angel
Instead of using the nonce for the secret box, just use SipHash-2-4 in OFB mode instead. The IV is generated as part of the KDF. This simplifies the code a decent amount and also is better on the off chance that SipHash-2-4 does not avalanche as well as it is currently assumed. While here, also decouple the fact that *this implementation* of obfs4 uses a PRNG with 24 bytes of internal state for protocol polymorphism instead of 32 bytes (that the spec requires). THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY.
2014-06-02Move the SipHash DRBG off into it's own package.Yawning Angel
2014-06-01Move the server keypair generation to right after Accept().Yawning Angel
Instead of threading the code, move the keypair generation to right after Accept() is called. This should mask the timing differential due to the rejection sampling with the noise from the variablity in how long it takes for the server to get around to pulling a connection out of the backlog, and the time taken for the client to send it's portion of the handshake. The downside is that anyone connecting to the obfs4 port does force us to do a bunch of math, but the obfs4 math is relatively cheap compared to it's precursors. Fixes #9.