[tor-commits] [obfsproxy/master] Close connection if authentication fails.
asn at torproject.org
asn at torproject.org
Tue Jul 15 12:23:06 UTC 2014
commit d16d4ade7504e83eef6e7f34c7da827a8a76c80a
Author: Philipp Winter <phw at torproject.org>
Date: Sat Mar 1 23:29:04 2014 +0100
Close connection if authentication fails.
Adapt the server's behaviour to the spec change of commit 892846eb. When a
server bootstraps for the first time, it randomly generates a byte threshold
after which unauthenticated connections are closed.
This should fix <https://bugs.torproject.org/11092>.
---
obfsproxy/transports/scramblesuit/scramblesuit.py | 7 +++++++
obfsproxy/transports/scramblesuit/state.py | 9 +++++++++
2 files changed, 16 insertions(+)
diff --git a/obfsproxy/transports/scramblesuit/scramblesuit.py b/obfsproxy/transports/scramblesuit/scramblesuit.py
index 6279925..da2a32d 100644
--- a/obfsproxy/transports/scramblesuit/scramblesuit.py
+++ b/obfsproxy/transports/scramblesuit/scramblesuit.py
@@ -485,6 +485,13 @@ class ScrambleSuitTransport( base.BaseTransport ):
self.sendTicketAndSeed()
else:
+ if len(data) > self.srvState.closingThreshold:
+ log.info("Terminating connection after having received %d"
+ " bytes because client could not "
+ "authenticate." % len(data))
+ self.circuit.close()
+ return
+
log.debug("Authentication unsuccessful so far. "
"Waiting for more data.")
return
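Review bot: The new check `len(data) > self.srvState.closingThreshold` assumes the threshold is always an integer, but the state.py part of this commit initialises it to `None` and assigns a value only in `genState()`. A server that loads a state file written before this change would presumably either lack the attribute or carry `None`, and under Python 2 ordering any length compares greater than `None`, so every unauthenticated connection would be closed on its first chunk. The state-loading code is outside this diff, so this needs confirming there. A guard such as `threshold = getattr(self.srvState, "closingThreshold", None)` followed by `if threshold is not None and len(data) > threshold:` keeps old state from misbehaving, though generating the missing value when the state is loaded would be the better fix. The enclosing method starts and ends outside the hunk.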
diff --git a/obfsproxy/transports/scramblesuit/state.py b/obfsproxy/transports/scramblesuit/state.py
index 9d32d0c..384db97 100644
--- a/obfsproxy/transports/scramblesuit/state.py
+++ b/obfsproxy/transports/scramblesuit/state.py
@@ -76,6 +76,7 @@ class State( object ):
self.pktDist = None
self.iatDist = None
self.fallbackPassword = None
+ self.closingThreshold = None
def genState( self ):
"""
@@ -112,6 +113,14 @@ class State( object ):
# did not set `ServerTransportOptions'.
self.fallbackPassword = os.urandom(const.SHARED_SECRET_LENGTH)
+ # Unauthenticated connections are closed after having received the
+ # following amount of bytes.
+ max_handshake_len = const.MAX_PADDING_LENGTH + \
+ const.MARK_LENGTH + \
+ const.HMAC_SHA256_128_LENGTH
+ self.closingThreshold = prng.randint(max_handshake_len,
+ max_handshake_len * 2)
+
self.writeState()
def isReplayed( self, hmac ):
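Review bot: The comment above `max_handshake_len` says what the threshold does, but not why the range runs from `max_handshake_len` to twice that, nor that the value is drawn once and persisted by `writeState()`. I would extend it to something like `# Drawn once per server and stored with the state, so the cut-off stays the same across connections; the lower bound is the longest handshake a client may send.` The second half of that comment is inferred from the constant names, so please confirm it against the spec before adopting it. `genState()` begins outside the hunk.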