Age | Commit message (Collapse) | Author |
|
The old way was biasted towards the earlier values. Thanks to asn for
pointing this out and suggesting an alternative.
As an additional tweak, do not reuse the drbg seed when calculating the
IAT distribution, but instead run the seed through SHA256 first, for
extra tinfoil goodness.
|
|
|
|
This makes the length error and MAC error indistinguishable to an
external attacker.
|
|
This breaks wireprotocol compatibility.
|
|
Instead of including the previous secretbox in the input when
calculating the SipHash-2-4 digest used to generate the obfuscation
mask, use only the nonce. This is significantly faster, and if someone
breaks obfs4 by exploiting the low amount of input entropy between each
invocation (a counter incrementing by 1), I hope they publish the
attack on the PRF.
This breaks wire protocol compatibility.
|
|
In theory this is easier on the garbage collector. Probably could
reuse more of the intermediary buffers by stashing them in the
connection state, but that makes the code kind of messy. This should
be an improvement.
|
|
|
|
On second thought instead of using log.Panicf(), panic() and do the
logging with recover(). This somewhat centralizes logging in
obfs4proxy, which will be easier to change when I invariably decide to
do logging differently in the future.
|
|
This adds preliminary support for data padding by adding another layer
of encapsulation inside each AEAD frame containing a type and length.
For now, data is still sent unpadded, but the infrastructure for
supporting it is mostly there.
Additionally, use log.Panic[f]() instead of panic through out the code
so that some panics are logged.
|
|
|
|
|