Commit message | Author | Age

Since ctr_drbg does not implement getstate/setstate, it would raise an
exception. Resetting it and using the global CTR_DRBG instance for actual
samples is fine since it is seeded from the OS CSPRNG, and the distribution
is the only thing that should be saved.

This replaces Mersenne Twister with a simple CSPRNG based on CTR-AES-128,
similar to the CTR_DRBG from NIST SP 800-90A. The way it is used in
ScrambleSuit is to seed itself off of the PRNG seed per the ScrambleSuit
protocol (either derived from the long-term secret, or received from the peer
post handshake), generate the Probability Distribution and then immediately
reseed from os.urandom.

* ACCEPTABLE_CMDS now only contains CONNECT, since that is the only command
  used and actually implemented.
* Removed trailing whitespace from the socks5 tests.

Not going to touch #10240 for now since the SOCKS args handler will eventually
be totally rewritten (changed to return a dict containing the separated [k=v]
pairs).

* Since the compat inet_ntop is used, no longer need to try/catch
* Make _ByteBuffer.get(self, length) return a string and remove a ton of
  str() calls

Apparently, these routines are missing on Windows.

Changed based on feedback from hellias:
* handleCmdConnectFailure now traps errors
* sendReply no longer deals with parsing out the outgoing local address
* logging uses the obfsproxy logger again
* Fixed a bug where send_reply was used instead of sendReply
* The obfsproxy specific SOCKSv5 classes were renamed to OBFSSOCKSv5Outgoing
  and OBFSSOCKSv5Protocol

Bugs I found:
* SOCKSv5Protocol.dataReceived() should actually work now (never called by
  obfsproxy since it's overridden)
* _ByteBuffer.get_uint32() was always doing byte order conversion (method never
  used)

* Instead of using methodcaller, just store lambdas in the auth vtable
* Add doc strings to _ByteBuffer
* Do not use "len" as a variable name
* Fix a bug in processEstablishedData() that pylint caught (obfsproxy
  would never have triggered it since the routine is overridden)

* Use a wrapper class to isolate the scary struct.pack/unpack calls
* Refactor the code to look like twisted.protocols.socks
* Support DOMAINNAME, though it's untested

* SOCKSv5Reply changed to a new-style class
* Move the pluggable transport specific auth code into its own routine, with
  lots of comments.

Thanks to isis for the help.

* It works over the loopback address at least, still haven't gotten a tunnel.

* Log a more useful error message when user sends payload data in _SOCKS_ST_CONNECTING
* Explicitly log a specific error when rejecting ATYP DOMAINNAME
* Connect can also fail with TimedOutError

* Fixed redundant import
* Added some more comments
* Deal with the possibility that socket.inet_ntop may be missing

A straightforward SOCKS5 server implementation with the following caveats:
* It is tightly coupled with the obfsproxy channel/GenericNetworkProtocol code
* Its idea of RFC1929 is the ugly hack in pt-spec.txt
* Only supports CONNECT
* Only supports IPv4/IPv6 addresses, because DNS leaks make me sad

* Test against test vectors
* Do 1000 generate/exchanges and validate the keys. Also acts as a quick and
  dirty benchmark (run with the Twisted trial to actually log).

This required changing the UniformDH ctor to allow the user to specify the
private key at run time. If a key that is not 192 bits is specified, it will
raise a ValueError, but no one should use that feature apart from the test code.

The key generation was also modified to no longer leak which public key is
chosen via timing information.

Conflicts:
	ChangeLog

There is no performance difference between gmpy1 and gmpy2 for obfsproxy, but according to the gmpy authors "gmpy2 is now the recommended version, especially if you use the pre-compiled versions for Windows."

This cuts the amount of time that is spent doing UniformDH related work in the
context of the main event loop in half. It is impossible to eliminate it
entirely as the client and server both send the public keys immediately on
connection when doing an obfs3 handshake.

Notable changes:
* self.dh.get_secret() is processed in a Twisted worker thread.
* Another state is added as part of the handshake process for when the thread
  is running.
* At each step of the handshake process, if there is data remaining unprocessed
  the next stage is directly invoked at the tail of each routine.
* After the handshake is done, if data is pending, self._scan_for_magic()
  is called.
* After the magic is found, if data is pending, we relay the remaining data
  immediately.

ScrambleSuit implements a superset of the obfs3 protocol. Its original
repository is available here:
<https://gitweb.torproject.org/user/phw/scramblesuit.git>

The project web site is available here:
<http://www.cs.kau.se/philwint/scramblesuit/>

Passing it to setup() is enough. Transports that need it on __init__()
can keep it on their state.

Specifically a flag to tell us whether we are in external/managed
mode, and a flag to tell us whether we are client or server. These
will be useful so that transports can configure themselves during
setup().

The code was not functioning properly and I don't even remember how it
worked anymore.

I will leave the spec file around in case a poor soul encounters it
and decides to build it properly.

don't *need* to do any sort of handshake

in as method params
- also rm redundant "pass" statements, python doesn't need it if you have a docstring

Further document BaseTransport's get_public_options
using a simple example torrc and code sample.

If the transport server wishes to prevent some server
transport options from being added to the BridgeDB then
the transport may override this method and return a
transport_options dict with the keys to be distributed.

If the library is not installed, the built-in (and slower) modular
exponentiation is used.

pt_configs are per-transport (since on the server-side they contain
transport-specific parameters), so we should initialize one for each
transport.