From 9b6b3f825b47a5912ce03f85ab49da95323a1d7d Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Mon, 12 May 2014 01:13:49 +0000 Subject: Reject clients that do not authenticate quickly enough. The current timeout value before the server fails the handshake is 15 s. This may need to be increased for clients over slow links. --- obfs4.go | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/obfs4.go b/obfs4.go index 0bcd82c..45b7148 100644 --- a/obfs4.go +++ b/obfs4.go @@ -39,7 +39,8 @@ import ( ) const ( - defaultReadSize = framing.MaximumSegmentLength + defaultReadSize = framing.MaximumSegmentLength + connectionTimeout = time.Duration(15) * time.Second minCloseThreshold = framing.MaximumSegmentLength maxCloseThreshold = framing.MaximumSegmentLength * 5 @@ -150,8 +151,10 @@ func (c *Obfs4Conn) serverHandshake(nodeID *ntor.NodeID, keypair *ntor.Keypair) } hs := newServerHandshake(nodeID, keypair) - - // XXX: Set the request timer. + err := c.conn.SetReadDeadline(time.Now().Add(connectionTimeout)) + if err != nil { + return err + } // Consume the client handshake. hsBuf := make([]byte, clientMaxHandshakeLength) @@ -169,17 +172,25 @@ func (c *Obfs4Conn) serverHandshake(nodeID *ntor.NodeID, keypair *ntor.Keypair) return err } c.receiveBuffer.Reset() + err = c.conn.SetReadDeadline(time.Time{}) + if err != nil { + return err + } // Use the derived key material to intialize the link crypto. okm := ntor.Kdf(seed, framing.KeyLength*2) c.encoder = framing.NewEncoder(okm[framing.KeyLength:]) c.decoder = framing.NewDecoder(okm[:framing.KeyLength]) - // XXX: Kill the request timer. - break } + // Ensure that writing the response completes quickly. + err = c.conn.SetWriteDeadline(time.Now().Add(connectionTimeout)) + if err != nil { + return err + } + // Generate/send the response. blob, err := hs.generateHandshake() if err != nil { 
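Review bot: The new `connectionTimeout` constant has no comment, although the commit message itself calls its 15 s value a tunable that slow links may need raised, and nothing in the const block tells a reader that the same value bounds two separate phases (the read of the client handshake and the write of the response). I would add above it: `// connectionTimeout bounds how long the server waits for the client's handshake to arrive and, separately, how long it allows for writing the response; raise it for clients on slow links.` The const block continues past the end of the hunk.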
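Review bot: A fixed 15 s read deadline gives an active prober a stable signature: a client that connects and sends nothing, or sends garbage, is dropped at the same instant every time, which looks like the kind of deterministic behaviour the `minCloseThreshold`/`maxCloseThreshold` range in the const block is there to avoid (inferred from the names; the close logic is not in this diff). If resisting active probing is a goal, the deadline could be drawn from a range rather than a point, e.g. `c.conn.SetReadDeadline(time.Now().Add(connectionTimeout + jitter))` with `jitter` taken from a non-predictable source, so the disconnect time does not identify the server. Setting the deadline once, before the handshake is read, is the right shape: a client trickling one byte at a time cannot keep extending it. The loop that consumes `hsBuf` starts after this hunk's last line.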
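Review bot: The read deadline is cleared only on the successful-parse path; on the `return err` that opens the hunk, and on every earlier error return, the 15 s deadline stays armed on `c.conn`. If the caller keeps the socket open after a failed handshake (the close-threshold constants suggest it might), any later reads will start failing with a timeout once the deadline passes, and that failure is not distinguishable from a genuinely slow client unless the caller checks `net.Error` `Timeout()`. Either clear the deadline on the error paths too, or state the contract in a comment at the top of serverHandshake, e.g. `// On error the read/write deadlines set here remain armed; the caller is expected to close c.conn.` A single `defer` that resets both deadlines on every exit would be simpler, but it changes what the error paths leave behind and should be a deliberate choice. serverHandshake begins before this hunk and ends after it.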
@@ -190,7 +201,13 @@ func (c *Obfs4Conn) serverHandshake(nodeID *ntor.NodeID, keypair *ntor.Keypair) return err } - // XXX: Generate/send the PRNG seed. + // TODO: Generate/send the PRNG seed. + + // Disarm the write timer. + err = c.conn.SetWriteDeadline(time.Time{}) + if err != nil { + return err + } c.isOk = true -- cgit v1.2.3
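Review bot: The `// TODO: Generate/send the PRNG seed.` sits between the error return that opens the hunk (presumably from writing the response) and the write-deadline disarm, which is the right place, but nothing records that the ordering matters; whoever implements it after `c.isOk = true` would send the seed with no deadline at all. I would extend the comment to `// TODO: Generate/send the PRNG seed.  Must stay above the SetWriteDeadline(time.Time{}) below so the send is bounded.` The enclosing function starts before this hunk.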