| Age | Commit message (Collapse) | Author |
|---|
|
* Changed obfs4proxy to be more like obfsproxy in terms of design,
including being an easy framework for developing new TCP/IP style
pluggable transports.
* Added support for also acting as an obfs2/obfs3 client or bridge
as a transition measure (and because the code itself is trivial).
* Massively cleaned up the obfs4 and related code to be easier to
read, and more idiomatic Go-like in style.
* To ease deployment, obfs4proxy will now autogenerate the node-id,
curve25519 keypair, and drbg seed if none are specified, and save
them to a JSON file in the pt_state directory (Fixes Tor bug #12605).
|
|
|
|
Instead of using the nonce for the secret box, just use SipHash-2-4 in
OFB mode instead. The IV is generated as part of the KDF. This
simplifies the code a decent amount and also is better on the off
chance that SipHash-2-4 does not avalanche as well as it is currently
assumed.
While here, also decouple the fact that *this implementation* of obfs4
uses a PRNG with 24 bytes of internal state for protocol polymorphism
instead of 32 bytes (that the spec requires).
THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY.
|
|
|
|
Instead of threading the code, move the keypair generation to right
after Accept() is called. This should mask the timing differential due
to the rejection sampling with the noise from the variablity in how
long it takes for the server to get around to pulling a connection out
of the backlog, and the time taken for the client to send it's portion
of the handshake.
The downside is that anyone connecting to the obfs4 port does force us
to do a bunch of math, but the obfs4 math is relatively cheap compared
to it's precursors.
Fixes #9.
|
|
Part of issue #9.
|
|
The old way was biasted towards the earlier values. Thanks to asn for
pointing this out and suggesting an alternative.
As an additional tweak, do not reuse the drbg seed when calculating the
IAT distribution, but instead run the seed through SHA256 first, for
extra tinfoil goodness.
|
|
With tor patched to support 8402, obfs4 bootstraps via a SOCKSv5 proxy
now. Other schemes will bail with a PROXY-ERROR, as the go.net/proxy
package does not support them, and I have not gotten around to writing
dialers for them yet (next on my TODO list).
Part of issue #7.
|
|
All of the obfs4 code except unit tests now uses the csrand wrapper
routines.
|
|
When enabled, inter-packet delay will be randomized between 0 and 10
ms in 100 usec intervals. As experiences from ScrambleSuit (and back
of the envelope math based on how networks work) show, this is
extremely expensive and artificially limits the throughput of the link.
When enabled, bulk transfer throughput will be limited to an average of
278 KiB/s.
|
|
* handhake_ntor_test now is considerably more comprehensive.
* The padding related constants in the spec were clarified.
This breaks wireprotocol compatibility.
|
|
This is done by maintaining a map keyed off the SipHash-2-4 digest of
the MAC_C component of the handshake. Collisions, while possible are
unlikely in the extreme and are thus treated as replays.
In concept this is fairly similar to the ScrambleSuit `replay.py` code,
with a few modifications:
* There is a upper bound on how large the replay filter can grow.
Currently this is set to 102400 entries, though it is unlikely that
this limit will be hit.
* A doubly linked list is also maintained parallel to the map, so the
filter compaction process does not need to iterate over the entire
filter.
|
|
|
|
This makes it consistent across all incoming connections, for real this
time (oops).
|
|
It will vary per bridge as it is based off the DRBG, but ever attempt
at poking at any given bridge will exhibit consistent behavior.
|
|
This is more common than 15 seconds (It's what Firefox uses for the
request timeout).
|
|
Clients will now always add 87 bytes of padding to the clientRequest,
and Servers will always send the PRNG seed frame unpadded, and bundled
with the serverResponse.
Why 87 bytes? The amount of data that the server sends is 87.
This fixes #5.
|
|
This fixes #3, and brings the code to be on par with the delopyed
versions of ScrambleSuit in terms of features.
|
|
This also adds the drgb-seed option to the `-gen` obfs4proxy output.
|
|
This paves the way for having servers use the same seed for all
incoming connections, across multiple startup/shutdown cycles. As
opposed to the current situation where each Obfs4Listener will
randomly generate it's seed at creation time.
Additionally, use 256 bit seeds (128 bit SipHash-2-4 key + 16 bytes of
initial material).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The same algorithm as ScrambleSuit is used, except:
* SipHash-2-4 in OFB mode is used to create the distribution.
* The system CSPRNG is used when sampling the distribution.
This fixes most of #3, all that remains is generating and sending a
persistent distribution on the server side to the client.
|
|
On second thought instead of using log.Panicf(), panic() and do the
logging with recover(). This somewhat centralizes logging in
obfs4proxy, which will be easier to change when I invariably decide to
do logging differently in the future.
|
|
This adds preliminary support for data padding by adding another layer
of encapsulation inside each AEAD frame containing a type and length.
For now, data is still sent unpadded, but the infrastructure for
supporting it is mostly there.
Additionally, use log.Panic[f]() instead of panic through out the code
so that some panics are logged.
|
|
Write timeouts are obnoxious to handle as the frame encoder state
already is updated to cover the entire payload for the Write() call
that timed out. In theory it is possible to buffer the pending data,
but that causes Write() to voilate the semantics of the interface.
|
|
|
|
The current timeout value before the server fails the handshake is
15 s. This may need to be increased for clients over slow links.
|
|
Like ScrambleSuit, a random interval between 1x and 5x of additional
data from the peer is read and immediately discarded before closing.
Additionally, obfs4 will close off invalid connections anywhere between
0 and 60 seconds after it determines that the incoming connection will
never complete the handshake successfully.
|
|
* The old and the busted: obfs4-[client,server].
* The new hotness: obfs4client.
* Add obfs4.ServerHandshake() that servers need to call after a
successful return from Accept(). This allows implementations to
move the handshake into a goroutine or whatever.
|
|
|
