Age | Commit message (Collapse) | Author |
|
|
|
|
|
Differences from my goptlib branch:
* Instead of exposing a net.Listener, just expose a Handshake() routine
that takes an existing net.Conn. (#14135 is irrelevant to this socks
server.
* There's an extra routine for sending back sensible errors on Dial
failure instead of "General failure".
* The code is slightly cleaner (IMO).
Gotchas:
* If the goptlib pt.Args datatype or external interface changes,
args.go will need to be updated.
Tested with obfs3 and obfs4, including IPv6.
|
|
Implements feature #15576.
|
|
If the relevant enviornment variable is set, treat read errors from
Stdin as a SIGTERM.
|
|
This combines the old signal processing code with the parent monitor,
into a new termination monitor structure, which also now handles keeping
track of outstanding sessions.
|
|
|
|
The ideal solution here would be to implement #15435, but till then
use one of several kludges:
* Linux - prctl() so that the kernel SIGTERMs on parent exit.
* Other U*ix - Poll the parent process id once a second, and SIGTERM
ourself/exit if it changes. Former is better since all the normal
cleanup if any gets done.
* Windows - Log a warning.
|
|
The Go developers decided to move the go.net repository to
golang.org/x/net, and also to transition from hg to git. This wasn't
changed when the go.crypto imports were since the 'proxy' component
doesn't have imports that break, so the old code still works.
While the change here is simple (just update the import location), this
affects packagers as it now expects the updated package. Sorry for the
inconveneince, I blame the Go people, and myself for not just doing
this along with the go.crypto changes.
|
|
|
|
|
|
|
|
|
|
Client side logs are less spammy than server side in general, so more
messages should be visible at the default logLevel when running as a
client.
Server side logging will be spammy basically no matter what unless
obfs4proxy gets into the (arguably dangerous) business of figuring out
which errors are people being evil vs which ones are transient network
issues, so most logging is suppressed by default, unless the admin
choses to open the floodgates.
|
|
The prolog prints the version as soon as logging is enabled, but before
the pluggable transport configuration is done. The epilog is printed as
the code returns from main, as long as either client or server pt
configuration succeded.
|
|
For consistency with the rest of the arguments.
|
|
By default logging will be done at the "WARN" level. Fatal
initialization errors will always be logged as long as logging
is enabled regardless of logLevel.
|
|
Instead of omitting errors entirely when running with the log scrubber,
filter common network errors through elideError() that can scrub the
common net.Error types and remove sensitive information.
|
|
|
|
The Golang runtime will happily splatter the remote IP address and port
in the error's string representation for network related errors. While
useful for debugging, this is unacceptable from a privacy standpoint.
|
|
Caught by asn, thanks.
|
|
* Changed obfs4proxy to be more like obfsproxy in terms of design,
including being an easy framework for developing new TCP/IP style
pluggable transports.
* Added support for also acting as an obfs2/obfs3 client or bridge
as a transition measure (and because the code itself is trivial).
* Massively cleaned up the obfs4 and related code to be easier to
read, and more idiomatic Go-like in style.
* To ease deployment, obfs4proxy will now autogenerate the node-id,
curve25519 keypair, and drbg seed if none are specified, and save
them to a JSON file in the pt_state directory (Fixes Tor bug #12605).
|
|
|
|
To ease delopyment, "-genServerParams has changed".
* "-genServerParams" is now a bool, and will by default generate a
random node-id.
* "-genServerParams -genServerParamsFP=<Base16 blob>" will convert the
supplied bridge fingerprint to a node-id (the old behavior).
Either way of deriving node-id is belived to be secure.
* https://lists.torproject.org/pipermail/tor-dev/2014-May/006929.html
* https://lists.torproject.org/pipermail/tor-dev/2014-June/006936.html
The extra parameter was added because golang's flags library doesn't
support distinguishing between "set but used the default value" and
"not set, so you go the default value".
|
|
This requires changes in goptlib from last night, people may need to
run "go get -u" to update dependencies before building.
|
|
Instead of using the nonce for the secret box, just use SipHash-2-4 in
OFB mode instead. The IV is generated as part of the KDF. This
simplifies the code a decent amount and also is better on the off
chance that SipHash-2-4 does not avalanche as well as it is currently
assumed.
While here, also decouple the fact that *this implementation* of obfs4
uses a PRNG with 24 bytes of internal state for protocol polymorphism
instead of 32 bytes (that the spec requires).
THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY.
|
|
|
|
|
|
|
|
|
|
Joining a SOCKS dialer on the list of things the Golang runtime really
should have is a HTTP CONNECT dialer. There's a full fledged HTTP
client and server there, but not this. Why? Who knows.
This fixes issue #7.
|
|
Part of issue #7.
|
|
Despite the unfortunate scheme name, this really is SOCKS4, and not 4a,
as the torrc Socks4Proxy option only supports addresses and not FQDNs.
Part of issue #7.
|
|
|
|
With tor patched to support 8402, obfs4 bootstraps via a SOCKSv5 proxy
now. Other schemes will bail with a PROXY-ERROR, as the go.net/proxy
package does not support them, and I have not gotten around to writing
dialers for them yet (next on my TODO list).
Part of issue #7.
|
|
Part of issue #7.
|
|
Currently obfs4proxy is hardcoded to always PROXY-ERROR, despite a
valid proxy uri being passed in the env var. Once the dialer portion
of the code is done, this will be changed.
Part of issue #7.
|
|
|
|
When enabled, inter-packet delay will be randomized between 0 and 10
ms in 100 usec intervals. As experiences from ScrambleSuit (and back
of the envelope math based on how networks work) show, this is
extremely expensive and artificially limits the throughput of the link.
When enabled, bulk transfer throughput will be limited to an average of
278 KiB/s.
|
|
This reverts commit 8d61c6bcc67e7acc5604f87ca2a7c7ec43fc46de.
On second thought, don't do this. API not final, and some of the stuff
might not be a good idea after all.
|
|
As of `15b960d55905877a840fe605a41a8139bffb5329` goptlib supports
IsClient, IsServer, and handling the StateLocation.
Yes this means you need to use goptlib out of git.
|
|
This fixes #6.
|
|
|
|
Part of #6, still need to make logs nicer.
|
|
This fixes #3, and brings the code to be on par with the delopyed
versions of ScrambleSuit in terms of features.
|
|
This also adds the drgb-seed option to the `-gen` obfs4proxy output.
|
|
|
|
|
|
|
|
|