From 339c63f0c8cd4374f6fa26484498eb6fa91b7bca Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Sun, 17 Aug 2014 17:11:03 +0000 Subject: Massive cleanup/code reorg. * Changed obfs4proxy to be more like obfsproxy in terms of design, including being an easy framework for developing new TCP/IP style pluggable transports. * Added support for also acting as an obfs2/obfs3 client or bridge as a transition measure (and because the code itself is trivial). * Massively cleaned up the obfs4 and related code to be easier to read, and more idiomatic Go-like in style. * To ease deployment, obfs4proxy will now autogenerate the node-id, curve25519 keypair, and drbg seed if none are specified, and save them to a JSON file in the pt_state directory (Fixes Tor bug #12605). --- replay_filter.go | 145 ------------------------------------------------------- 1 file changed, 145 deletions(-) delete mode 100644 replay_filter.go (limited to 'replay_filter.go') diff --git a/replay_filter.go b/replay_filter.go deleted file mode 100644 index b8f284a..0000000 --- a/replay_filter.go +++ /dev/null @@ -1,145 +0,0 @@ -/* - * Copyright (c) 2014, Yawning Angel - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -package obfs4 - -import ( - "container/list" - "encoding/binary" - "sync" - - "github.com/dchest/siphash" - - "git.torproject.org/pluggable-transports/obfs4.git/csrand" -) - -// maxFilterSize is the maximum capacity of the replay filter. The busiest -// bridge I know about processes something along the order of 3000 connections -// per day. The maximum timespan any entry can live in the filter is 2 hours, -// so this value should be sufficient. -const maxFilterSize = 100 * 1024 - -// replayFilter is a simple filter designed only to answer if it has seen a -// given byte sequence before. It is based around comparing the SipHash-2-4 -// digest of data to match against. Collisions are treated as positive matches -// however, the probability of such occurences is negligible. -type replayFilter struct { - lock sync.Mutex - key [2]uint64 - filter map[uint64]*filterEntry - fifo *list.List -} - -type filterEntry struct { - firstSeen int64 - hash uint64 - element *list.Element -} - -// newReplayFilter creates a new replayFilter instance. -func newReplayFilter() (filter *replayFilter, err error) { - // Initialize the SipHash-2-4 instance with a random key. - var key [16]byte - err = csrand.Bytes(key[:]) - if err != nil { - return - } - - filter = new(replayFilter) - filter.key[0] = binary.BigEndian.Uint64(key[0:8]) - filter.key[1] = binary.BigEndian.Uint64(key[8:16]) - filter.filter = make(map[uint64]*filterEntry) - filter.fifo = list.New() - - return -} - -// testAndSet queries the filter for buf, adds it if it was not present and -// returns if it has added the entry or not. This method is threadsafe. -func (f *replayFilter) testAndSet(now int64, buf []byte) bool { - hash := siphash.Hash(f.key[0], f.key[1], buf) - - f.lock.Lock() - defer f.lock.Unlock() - - f.compactFilter(now) - - entry := f.filter[hash] - if entry != nil { - return true - } - - entry = new(filterEntry) - entry.hash = hash - entry.firstSeen = now - entry.element = f.fifo.PushBack(entry) - f.filter[hash] = entry - - return false -} - -// compactFilter purges entries that are too old to be relevant. If the filter -// is filled to maxFilterCapacity, it will force purge a single entry. This -// method is NOT threadsafe. -func (f *replayFilter) compactFilter(now int64) { - e := f.fifo.Front() - for e != nil { - entry, _ := e.Value.(*filterEntry) - - // If the filter is at max capacity, force purge at least one entry. - if f.fifo.Len() < maxFilterSize { - deltaT := now - entry.firstSeen - if deltaT < 0 { - // Aeeeeeee, the system time jumped backwards, potentially by - // a lot. This will eventually self-correct, but "eventually" - // could be a long time. As much as this sucks, jettison the - // entire filter. - f.reset() - return - } - if deltaT < 3600*2 { - // Why yes, this is 2 hours. The MAC code includes a hour - // resolution timestamp, but to deal with clock skew, it - // accepts time +- 1 hour. - break - } - } - eNext := e.Next() - delete(f.filter, entry.hash) - f.fifo.Remove(entry.element) - entry.element = nil - e = eNext - } -} - -// reset purges the entire filter. This methoid is NOT threadsafe. -func (f *replayFilter) reset() { - f.filter = make(map[uint64]*filterEntry) - f.fifo = list.New() -} - -/* vim :set ts=4 sw=4 sts=4 noet : */ -- cgit v1.2.3