April 2012 - tor-commits - lists.torproject.org

[translation/vidalia_alpha] Update translations for vidalia_alpha
by translation＠torproject.org 13 Apr '12

13 Apr '12

commit 197ca8cc2d24255f7b189d09693b1b609f0208c9 Author: Translation commit bot <translation(a)torproject.org> Date: Fri Apr 13 11:15:11 2012 +0000 Update translations for vidalia_alpha --- pt_BR/vidalia_pt_BR.po | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/pt_BR/vidalia_pt_BR.po b/pt_BR/vidalia_pt_BR.po index ac3d57c..1c2e7a6 100644 --- a/pt_BR/vidalia_pt_BR.po +++ b/pt_BR/vidalia_pt_BR.po @@ -1,5 +1,6 @@ # # Translators: +# Arthur Rodrigues Araruna <araruna(a)gmail.com>, 2012. # n3t0 <>, 2012. # runasand <runa.sandvik(a)gmail.com>, 2011. # <viniciusandrade(a)estadao.com.br>, 2012. @@ -8,8 +9,8 @@ msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: https://trac.torproject.org/projects/tor\n" "POT-Creation-Date: 2012-03-21 17:46+0000\n" -"PO-Revision-Date: 2012-04-10 18:48+0000\n" -"Last-Translator: noruega <viniciusandrade(a)estadao.com.br>\n" +"PO-Revision-Date: 2012-04-13 11:15+0000\n" +"Last-Translator: Arthur Rodrigues Araruna <araruna(a)gmail.com>\n" "Language-Team: translations(a)vidalia-project.net\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -197,7 +198,7 @@ msgstr "Selecione um arquivo para o Tor usar como caminho do socket" msgctxt "AdvancedPage" msgid "Configure ControlPort automatically" -msgstr "" +msgstr "Configurar ControlPort automaticamente" msgctxt "AdvancedPage" msgid "" @@ -227,7 +228,7 @@ msgid "" "You've checked the autoconfiguration option for the ControlPort, but " "provided no Data Directory. Please add one, or uncheck the \"Configure " "ControlPort automatically\" option." -msgstr "" +msgstr "Você selecionou a opção de autoconfiguração para a ControlPort, mas não informou nenhum Diretório de Dados. Por favor, adicione um ou desmarque a opção \"Configurar ControlPort automataticamente\"." msgctxt "AdvancedPage" msgid ""

1 0

[obfsproxy/master] Fix '--version' when called outside of a git repository.
by asn＠torproject.org 12 Apr '12

12 Apr '12

commit 8b53ef32f626229db8c4ac860733f75b00d66112 Author: George Kadianakis <desnacked(a)riseup.net> Date: Mon Apr 9 16:53:19 2012 +0200 Fix '--version' when called outside of a git repository. Also, have '--version' output the release name and not just the git hash. --- ChangeLog | 5 +++++ src/main.c | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2a7605c..a818f34 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Changes in version 0.1.4 - <not yet released> + - Fix 'obfsproxy --version' when called outside of a git + repository. Fixes bug 5560. + + Changes in version 0.1.3 - 2012-04-03 - Display git revision when we start logging. Fixes part of bug #5157. diff --git a/src/main.c b/src/main.c index 30210f1..c78ee0e 100644 --- a/src/main.c +++ b/src/main.c @@ -59,9 +59,9 @@ get_version(void) { if (!the_obfsproxy_version) { if (strlen(obfs_git_revision)) - obfs_asprintf(&the_obfsproxy_version, "git-%s", obfs_git_revision); + obfs_asprintf(&the_obfsproxy_version, "%s (git-%s)", VERSION, obfs_git_revision); else - obfs_asprintf(&the_obfsproxy_version, "git"); + the_obfsproxy_version = xstrdup(VERSION); } return the_obfsproxy_version; @@ -337,7 +337,7 @@ obfs_main(int argc, const char *const *argv) /* Handle optional obfsproxy arguments. */ begin = argv + handle_obfsproxy_args(argv); - log_notice("Starting (%s).", get_version()); + log_notice("Starting (obfsproxy version: %s).", get_version()); if (is_external_proxy) { if (launch_external_proxy(begin) < 0)

1 0

r25606: {website} New obfsproxy bundles are up (website/trunk/projects/en)
by Sebastian Hahn 12 Apr '12

12 Apr '12

Author: sebastian Date: 2012-04-12 19:28:29 +0000 (Thu, 12 Apr 2012) New Revision: 25606 Modified: website/trunk/projects/en/obfsproxy.wml Log: New obfsproxy bundles are up Modified: website/trunk/projects/en/obfsproxy.wml =================================================================== --- website/trunk/projects/en/obfsproxy.wml 2012-04-12 12:34:34 UTC (rev 25605) +++ website/trunk/projects/en/obfsproxy.wml 2012-04-12 19:28:29 UTC (rev 25606) @@ -65,23 +65,23 @@ <a - href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">Windows Obfsproxy Tor Browser Bundle</a> (<a - href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). + href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">Windows Obfsproxy Tor Browser Bundle</a> (<a + href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). - <a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">OSX (10.6 & 10.7) Obfsproxy Tor Browser Bundle</a> - (<a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). + <a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">OSX (10.6 & 10.7) Obfsproxy Tor Browser Bundle</a> + (<a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). - <a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">Linux 32-bit Obfsproxy Tor Browser Bundle</a> - (<a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). + <a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">Linux 32-bit Obfsproxy Tor Browser Bundle</a> + (<a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). - <a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">Linux 64-bit Obfsproxy Tor Browser Bundle</a> - (<a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). + <a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">Linux 64-bit Obfsproxy Tor Browser Bundle</a> + (<a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">signature</a>). <h2><a class="anchor" href="#instructions">Installation Instructions</a></h2>

1 0

r25605: {website} update hidden service examples. (website/trunk/docs/en)
by Andrew Lewman 12 Apr '12

12 Apr '12

Author: phobos Date: 2012-04-12 12:34:34 +0000 (Thu, 12 Apr 2012) New Revision: 25605 Modified: website/trunk/docs/en/hidden-services.wml website/trunk/docs/en/tor-hidden-service.wml Log: update hidden service examples. Modified: website/trunk/docs/en/hidden-services.wml =================================================================== --- website/trunk/docs/en/hidden-services.wml 2012-04-12 01:10:13 UTC (rev 25604) +++ website/trunk/docs/en/hidden-services.wml 2012-04-12 12:34:34 UTC (rev 25605) @@ -69,17 +69,16 @@ # use? - Step three: A client that wants to contact a hidden service needs to - learn about its - onion address first. After that, the client can initiate connection - establishment by downloading the descriptor from the distributed hash - table. If - there is a descriptor for XYZ.onion (the hidden service could also be - offline or have left long ago, or there could be a typo in the onion - address), the client now knows the set of introduction points and the - right public key to use. Around this time, the client also creates - a circuit to another randomly picked relay and asks it to act as - rendezvous point by telling it a one-time secret. + Step three: A client that wants to contact a hidden service needs + to learn about its onion address first. After that, the client can + initiate connection establishment by downloading the descriptor from + the distributed hash table. If there is a descriptor for XYZ.onion + (the hidden service could also be offline or have left long ago, + or there could be a typo in the onion address), the client now + knows the set of introduction points and the right public key to + use. Around this time, the client also creates a circuit to another + randomly picked relay and asks it to act as rendezvous point + by telling it a one-time secret. <img alt="Tor hidden service step three" src="$(IMGROOT)/THS-3.png"> @@ -87,24 +86,23 @@ # "IP1-3" and "PK" - Step four: When the descriptor is present and the rendezvous point is - ready, the client assembles an introduce - message (encrypted to the hidden service's public key) including the - address of the rendezvous point and the one-time secret. The client sends - this message to one of the introduction points, requesting it be delivered - to the hidden service. Again, communication takes place via a Tor circuit: - nobody can relate sending the introduce message to the client's IP - address, so the client remains anonymous. + Step four: When the descriptor is present and the rendezvous + point is ready, the client assembles an introduce message + (encrypted to the hidden service's public key) including the address + of the rendezvous point and the one-time secret. The client sends + this message to one of the introduction points, requesting it be + delivered to the hidden service. Again, communication takes place + via a Tor circuit: nobody can relate sending the introduce message + to the client's IP address, so the client remains anonymous. <img alt="Tor hidden service step four" src="$(IMGROOT)/THS-4.png"> Step five: The hidden service decrypts the client's introduce message - and finds the - address of the rendezvous point and the one-time secret in it. The service - creates a circuit to the rendezvous point and sends the one-time secret to - it in a rendezvous message. + and finds the address of the rendezvous point and the one-time secret + in it. The service creates a circuit to the rendezvous point and + sends the one-time secret to it in a rendezvous message. Modified: website/trunk/docs/en/tor-hidden-service.wml =================================================================== --- website/trunk/docs/en/tor-hidden-service.wml 2012-04-12 01:10:13 UTC (rev 25604) +++ website/trunk/docs/en/tor-hidden-service.wml 2012-04-12 12:34:34 UTC (rev 25605) @@ -20,15 +20,34 @@ If you have Tor installed, you can see hidden services - in action by visiting <a href="http://duskgytldkxiuqc6.onion/">our - example hidden service</a>. + in action by visiting one of our official hidden services: + <ul> + <li><a href="http://idnxcnkne4qt76tg.onion/">The Tor Project Website</a></li> + <li><a href="http://j6im4v42ur6dpic3.onion/">The Tor Package Archive</a></li> + <li><a href="http://p3igkncehackjtib.onion/">The Tor Media Archive</a></li> + </ul> + + Others run reliable hidden services, such as <a + href="http://3g2upl4pq6kufc4m.onion/">The Duck Duck + Go</a> search engine and someone hosting a <a + href="http://duskgytldkxiuqc6.onion/">sample site</a>. - - This howto describes the steps for setting up your own hidden service + + It will typically take 10-60 seconds to load (or to decide that the + service is currently unreachable). If it fails immediately and your + browser pops up an alert saying that "www.duskgytldkxiuqc6.onion could + not be found, please check the name and try again" then you haven't + configured Tor correctly; see <a href="<page docs/faq>#DoesntWork">the + it-doesn't-work FAQ entry</a> for some help. + + + + This howto describes the steps for setting up your own hidden service website. For the technical details of how the hidden service protocol - works, see our <a href="<page docs/hidden-services>">hidden service protocol</a> page. + works, see our <a href="<page docs/hidden-services>">hidden service + protocol</a> page. - + <hr> <a id="zero"></a> <h2><a class="anchor" href="#zero">Step Zero: Get Tor working</a></h2> @@ -48,66 +67,33 @@ X howto</a>, and Linux/BSD/Unix users should follow the <a href="<page docs/tor-doc-unix>">Unix howto</a>. - - Once you've got Tor installed and configured, - you can see hidden services in action by following this link to <a - href="http://duskgytldkxiuqc6.onion/">our example hidden service</a> - or the <a - href="http://3g2upl4pq6kufc4m.onion/">DuckDuckGo search engine hidden service</a>. - It will typically take 10-60 seconds to load (or to decide that it - is currently unreachable). If it fails immediately and your browser - pops up an alert saying that "www.duskgytldkxiuqc6.onion could not - be found, please check the name and try again" then you haven't - configured Tor correctly; see <a - href="<page docs/faq>#DoesntWork">the - it-doesn't-work FAQ entry</a> for some help. - - + <hr> <a id="one"></a> <h2><a class="anchor" href="#one">Step One: Install a web server locally</a></h2> - First, you need to set up a web server locally. Setting up a web - server can be tricky, - so we're just going to go over a few basics here. If you get stuck - or want to do more, find a friend who can help you. We recommend you - install a new separate web server for your hidden service, since even - if you already have one installed, you may be using it (or want to use - it later) for an actual website. + + First, you need to set up a web server locally. Setting up a web + server can be tricky, so we're just going to go over a few basics + here. If you get stuck or want to do more, find a friend who can + help you. We recommend you install a new separate web server for + your hidden service, since even if you already have one installed, + you may be using it (or want to use it later) for an actual website. - - If you're on Unix or OS X and you're comfortable with - the command-line, by far the best way to go is to install <a - href="http://www.acme.com/software/thttpd/">thttpd</a>. Just grab the - latest tarball, untar it (it will create its own directory), and run - <kbd>./configure && make</kbd>. Then <kbd>mkdir hidserv; cd - hidserv</kbd>, and run - <kbd>../thttpd -p 5222 -h localhost</kbd>. It will give you back your prompt, - and now you're running a webserver on port 5222. You can put files to - serve in the hidserv directory. + + + Once you've got your web server set up, make + sure it works: open your browser and go to <a + href="http://localhost:5222/">http://localhost:5222/</a>, where + 5222 is the port that you picked above. Then try putting a file in + the main html directory, and make sure it shows up when you access + the site. The reason we bind the web server only to localhost is to + make sure it isn't publically accessible. If people could get to it + directly, they could confirm that your computer is the one offering + the hidden service. - - If you're on Windows, you might pick <a - href="http://savant.sourceforge.net/">Savant</a> or <a - href="http://httpd.apache.org/">Apache</a>, and be sure to configure it - to bind only to localhost. You should also figure out what port you're - listening on, because you'll use it below. - - - (The reason we bind the web server only to localhost is to make - sure it isn't publically accessible. If people could get to it directly, - they could confirm that your computer is the one offering the hidden - service.) - - - Once you've got your web server set up, make sure it works: open your - browser and go to <a - href="http://localhost:5222/">http://localhost:5222/</a>, where 5222 is - the port that you picked above. Then try putting a file in the main html - directory, and make sure it shows up when you access the site. - - + <hr> <a id="two"></a> <h2><a class="anchor" href="#two">Step Two: Configure your hidden service</a></h2>

1 0

r25604: {website} fix awkward grammar. (website/trunk/getinvolved/en)
by Andrew Lewman 12 Apr '12

12 Apr '12

Author: phobos Date: 2012-04-12 01:10:13 +0000 (Thu, 12 Apr 2012) New Revision: 25604 Modified: website/trunk/getinvolved/en/relays.wml Log: fix awkward grammar. Modified: website/trunk/getinvolved/en/relays.wml =================================================================== --- website/trunk/getinvolved/en/relays.wml 2012-04-12 00:43:58 UTC (rev 25603) +++ website/trunk/getinvolved/en/relays.wml 2012-04-12 01:10:13 UTC (rev 25604) @@ -22,9 +22,9 @@ We created a video with <a href="https://www.tacticaltech.org/">Tactical -Tech</a> to help why being a relay matters (<a +Tech</a> to help understand why being a relay matters (<a href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-english.ogv">HD -version</a>). It's been translated into <a +version</a>). It is translated into <a href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-arabic.ogv">Arabic</a>, <a href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-farsi.ogv">Farsi</a>,

1 0

r25603: {website} we have the relays video translated into a few languages. (website/trunk/getinvolved/en)
by Andrew Lewman 12 Apr '12

12 Apr '12

Author: phobos Date: 2012-04-12 00:43:58 +0000 (Thu, 12 Apr 2012) New Revision: 25603 Modified: website/trunk/getinvolved/en/relays.wml Log: we have the relays video translated into a few languages. Modified: website/trunk/getinvolved/en/relays.wml =================================================================== --- website/trunk/getinvolved/en/relays.wml 2012-04-11 00:22:24 UTC (rev 25602) +++ website/trunk/getinvolved/en/relays.wml 2012-04-12 00:43:58 UTC (rev 25603) @@ -20,11 +20,20 @@ autobuffer="true" controls="controls"></video> </div> -<a href="https://www.tacticaltech.org/">Tactical Tech</a> -created a video to encourage you to join the Tor Network (<a -href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD.ogv">HD -version</a>). If you want to help us translate it into your language, -<a href="<page about/contact>">let us know</a>! +We created a video with <a +href="https://www.tacticaltech.org/">Tactical +Tech</a> to help why being a relay matters (<a +href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-english.ogv">HD +version</a>). It's been translated into <a +href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-arabic.ogv">Arabic</a>, +<a +href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-farsi.ogv">Farsi</a>, +<a +href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-german.ogv">German</a>, +<a +href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-mandarin.o…">Mandarin +Chinese</a>, and <a +href="https://media.torproject.org/video/2012-03-04-BuildingBridges-HD-spanish.ogv">Spanish</a> The Tor network relies on volunteers to donate bandwidth. The more people who run Tor as a bridge or a relay, the faster and safer the

1 0

[torbrowser/maint-2.3] Improve the website fingerprinting defense patch.
by mikeperry＠torproject.org 11 Apr '12

11 Apr '12

commit 67873541918d9597024d4439b45c9d1cd3ec582d Author: Mike Perry <mikeperry-git(a)fscked.org> Date: Wed Apr 11 15:47:11 2012 -0700 Improve the website fingerprinting defense patch. --- ...6-Randomize-HTTP-pipeline-order-and-depth.patch | 151 ------------- ...ize-HTTP-request-order-and-pipeline-depth.patch | 234 ++++++++++++++++++++ 2 files changed, 234 insertions(+), 151 deletions(-) diff --git a/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch b/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch deleted file mode 100644 index 04a34ea..0000000 --- a/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 39a9dab25c4ed3acc95009c0f44f4f6f2f1c5086 Mon Sep 17 00:00:00 2001 -From: Mike Perry <mikeperry-git(a)torproject.org> -Date: Thu, 15 Mar 2012 20:05:07 -0700 -Subject: [PATCH 06/13] Randomize HTTP pipeline order and depth. - -This is an experimental defense against -http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf - -See also: -https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting ---- - netwerk/protocol/http/nsHttpConnectionMgr.cpp | 79 ++++++++++++++++++++++++- - netwerk/protocol/http/nsHttpConnectionMgr.h | 4 + - 2 files changed, 82 insertions(+), 1 deletions(-) - -diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp -index 17d897f..3200638 100644 ---- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp -+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp -@@ -99,6 +99,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() - LOG(("Creating nsHttpConnectionMgr @%x\n", this)); - mCT.Init(); - mAlternateProtocolHash.Init(16); -+ -+ nsresult rv; -+ mRandomGenerator = do_GetService("@mozilla.org/security/random-generator;1", &rv); -+ if (NS_FAILED(rv)) { -+ mRandomGenerator = nsnull; -+ } - } - - nsHttpConnectionMgr::~nsHttpConnectionMgr() -@@ -1227,7 +1233,7 @@ nsHttpConnectionMgr::DispatchTransaction(nsConnectionEntry *ent, - - if (conn->SupportsPipelining() && (caps & NS_HTTP_ALLOW_PIPELINING)) { - LOG((" looking to build pipeline...\n")); -- if (BuildPipeline(ent, trans, &pipeline)) -+ if (BuildRandomizedPipeline(ent, trans, &pipeline)) - trans = pipeline; - } - -@@ -1300,6 +1306,77 @@ nsHttpConnectionMgr::BuildPipeline(nsConnectionEntry *ent, - return true; - } - -+bool -+nsHttpConnectionMgr::BuildRandomizedPipeline(nsConnectionEntry *ent, -+ nsAHttpTransaction *firstTrans, -+ nsHttpPipeline **result) -+{ -+ if (mRandomGenerator == nsnull) -+ return BuildPipeline(ent, firstTrans, result); -+ if (mMaxPipelinedRequests < 2) -+ return PR_FALSE; -+ -+ nsresult rv; -+ PRUint8 *bytes = nsnull; -+ -+ nsHttpPipeline *pipeline = nsnull; -+ nsHttpTransaction *trans; -+ -+ PRUint32 i = 0, numAdded = 0, numAllowed = 0; -+ PRUint32 max = 0; -+ -+ while (i < ent->mPendingQ.Length()) { -+ if (ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING) -+ numAllowed++; -+ i++; -+ } -+ -+ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); -+ NS_ENSURE_SUCCESS(rv, rv); -+ // 4...12 -+ max = 4 + (bytes[0] % (mMaxPipelinedRequests + 1)); -+ NS_Free(bytes); -+ -+ while (numAllowed > 0) { -+ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); -+ NS_ENSURE_SUCCESS(rv, rv); -+ i = bytes[0] % ent->mPendingQ.Length(); -+ NS_Free(bytes); -+ -+ trans = ent->mPendingQ[i]; -+ -+ if (!(ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING)) -+ continue; -+ -+ if (numAdded == 0) { -+ pipeline = new nsHttpPipeline; -+ if (!pipeline) -+ return PR_FALSE; -+ pipeline->AddTransaction(firstTrans); -+ numAdded = 1; -+ } -+ pipeline->AddTransaction(trans); -+ -+ // remove transaction from pending queue -+ ent->mPendingQ.RemoveElementAt(i); -+ NS_RELEASE(trans); -+ -+ numAllowed--; -+ -+ if (++numAdded == max) -+ break; -+ } -+ -+ //fprintf(stderr, "Yay!!! pipelined %u/%u transactions\n", numAdded, max); -+ LOG((" pipelined %u/%u transactions\n", numAdded, max)); -+ -+ if (numAdded == 0) -+ return PR_FALSE; -+ -+ NS_ADDREF(*result = pipeline); -+ return PR_TRUE; -+} -+ - nsresult - nsHttpConnectionMgr::ProcessNewTransaction(nsHttpTransaction *trans) - { -diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h -index bb605a1..47d01f6 100644 ---- a/netwerk/protocol/http/nsHttpConnectionMgr.h -+++ b/netwerk/protocol/http/nsHttpConnectionMgr.h -@@ -54,6 +54,7 @@ - #include "nsIObserver.h" - #include "nsITimer.h" - #include "nsIX509Cert3.h" -+#include "nsIRandomGenerator.h" - - class nsHttpPipeline; - -@@ -312,6 +313,7 @@ private: - nsresult DispatchTransaction(nsConnectionEntry *, nsHttpTransaction *, - PRUint8 caps, nsHttpConnection *); - bool BuildPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); -+ bool BuildRandomizedPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); - nsresult ProcessNewTransaction(nsHttpTransaction *); - nsresult EnsureSocketThreadTargetIfOnline(); - void ClosePersistentConnections(nsConnectionEntry *ent); -@@ -405,6 +407,8 @@ private: - PRUint64 mTimeOfNextWakeUp; - // Timer for next pruning of dead connections. - nsCOMPtr<nsITimer> mTimer; -+ // Random number generator for reordering HTTP pipeline -+ nsCOMPtr<nsIRandomGenerator> mRandomGenerator; - - // - // the connection table --- -1.7.5.4 - diff --git a/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch b/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch new file mode 100644 index 0000000..9687737 --- /dev/null +++ b/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch @@ -0,0 +1,234 @@ +From 8e8833ea22369c7597f5844139de37212deb1cd7 Mon Sep 17 00:00:00 2001 +From: Mike Perry <mikeperry-git(a)torproject.org> +Date: Thu, 15 Mar 2012 20:05:07 -0700 +Subject: [PATCH 12/12] Randomize HTTP request order and pipeline depth. + +This is an experimental defense against +http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf + +See: +https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting + +This defense has been improved since that blog post to additionally randomize +the order and concurrency of non-pipelined HTTP requests. +--- + netwerk/protocol/http/nsHttpConnectionMgr.cpp | 133 ++++++++++++++++++++++++- + netwerk/protocol/http/nsHttpConnectionMgr.h | 5 + + 2 files changed, 133 insertions(+), 5 deletions(-) + +diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp +index 17d897f..8f50bf6 100644 +--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp ++++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp +@@ -99,6 +99,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() + LOG(("Creating nsHttpConnectionMgr @%x\n", this)); + mCT.Init(); + mAlternateProtocolHash.Init(16); ++ ++ nsresult rv; ++ mRandomGenerator = do_GetService("@mozilla.org/security/random-generator;1", &rv); ++ if (NS_FAILED(rv)) { ++ mRandomGenerator = nsnull; ++ } + } + + nsHttpConnectionMgr::~nsHttpConnectionMgr() +@@ -353,8 +359,12 @@ nsHttpConnectionMgr::AddTransactionToPipeline(nsHttpPipeline *pipeline) + nsConnectionEntry *ent = mCT.Get(ci->HashKey()); + if (ent) { + // search for another request to pipeline... +- PRInt32 i, count = ent->mPendingQ.Length(); +- for (i=0; i<count; ++i) { ++ PRInt32 i, h, count = ent->mPendingQ.Length(); ++ PRInt32 ind[count]; ++ ShuffleRequestOrder((PRUint32*)ind, (PRUint32)count); ++ ++ for (h=0; h<count; ++h) { ++ i = ind[h]; // random request sequence + nsHttpTransaction *trans = ent->mPendingQ[i]; + if (trans->Caps() & NS_HTTP_ALLOW_PIPELINING) { + pipeline->AddTransaction(trans); +@@ -895,12 +905,17 @@ nsHttpConnectionMgr::ProcessPendingQForEntry(nsConnectionEntry *ent) + if (gHttpHandler->IsSpdyEnabled()) + ProcessSpdyPendingQ(ent); + +- PRUint32 i, count = ent->mPendingQ.Length(); ++ PRUint32 h, i = 0, count = ent->mPendingQ.Length(); + if (count > 0) { + LOG((" pending-count=%u\n", count)); + nsHttpTransaction *trans = nsnull; + nsHttpConnection *conn = nsnull; +- for (i = 0; i < count; ++i) { ++ ++ PRUint32 ind[count]; ++ ShuffleRequestOrder(ind, count); ++ ++ for (h=0; h<count; ++h) { ++ i = ind[h]; // random request sequence + trans = ent->mPendingQ[i]; + + // When this transaction has already established a half-open +@@ -1011,6 +1026,19 @@ nsHttpConnectionMgr::AtActiveConnectionLimit(nsConnectionEntry *ent, PRUint8 cap + maxPersistConns = mMaxPersistConnsPerHost; + } + ++ // Fuzz maxConns for website fingerprinting attack ++ // We create a range of maxConns/5 up to 6*maxConns/5 ++ // because this function is called repeatedly, and we'll ++ // end up converging on a the high side of concurrent connections ++ // after a short while. ++ PRUint8 *bytes = nsnull; ++ nsresult rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ ++ bytes[0] = bytes[0] % (maxConns + 1); ++ maxConns = (maxConns/5) + bytes[0]; ++ NS_Free(bytes); ++ + // use >= just to be safe + return (totalCount >= maxConns) || ( (caps & NS_HTTP_ALLOW_KEEPALIVE) && + (persistCount >= maxPersistConns) ); +@@ -1227,7 +1255,7 @@ nsHttpConnectionMgr::DispatchTransaction(nsConnectionEntry *ent, + + if (conn->SupportsPipelining() && (caps & NS_HTTP_ALLOW_PIPELINING)) { + LOG((" looking to build pipeline...\n")); +- if (BuildPipeline(ent, trans, &pipeline)) ++ if (BuildRandomizedPipeline(ent, trans, &pipeline)) + trans = pipeline; + } + +@@ -1300,6 +1328,101 @@ nsHttpConnectionMgr::BuildPipeline(nsConnectionEntry *ent, + return true; + } + ++ ++// Generate a shuffled request ordering sequence ++void ++nsHttpConnectionMgr::ShuffleRequestOrder(PRUint32 *ind, PRUint32 count) ++{ ++ PRUint32 i; ++ PRUint32 *rints; ++ ++ for (i=0; i<count; ++i) { ++ ind[i] = i; ++ } ++ nsresult rv = mRandomGenerator->GenerateRandomBytes(sizeof(PRUint32)*count, ++ (PRUint8**)&rints); ++ if (NS_FAILED(rv)) ++ return; // Leave unshuffled if error ++ ++ for (i=0; i < count; ++i) { ++ PRInt32 temp = ind[i]; ++ ind[i] = ind[rints[i]%count]; ++ ind[rints[i]%count] = temp; ++ } ++ NS_Free(rints); ++} ++ ++bool ++nsHttpConnectionMgr::BuildRandomizedPipeline(nsConnectionEntry *ent, ++ nsAHttpTransaction *firstTrans, ++ nsHttpPipeline **result) ++{ ++ if (mRandomGenerator == nsnull) ++ return BuildPipeline(ent, firstTrans, result); ++ if (mMaxPipelinedRequests < 2) ++ return PR_FALSE; ++ ++ nsresult rv; ++ PRUint8 *bytes = nsnull; ++ ++ nsHttpPipeline *pipeline = nsnull; ++ nsHttpTransaction *trans; ++ ++ PRUint32 i = 0, numAdded = 0, numAllowed = 0; ++ PRUint32 max = 0; ++ ++ while (i < ent->mPendingQ.Length()) { ++ if (ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING) ++ numAllowed++; ++ i++; ++ } ++ ++ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ // 4...12 ++ max = 4 + (bytes[0] % (mMaxPipelinedRequests + 1)); ++ NS_Free(bytes); ++ ++ while (numAllowed > 0) { ++ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ i = bytes[0] % ent->mPendingQ.Length(); ++ NS_Free(bytes); ++ ++ trans = ent->mPendingQ[i]; ++ ++ if (!(ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING)) ++ continue; ++ ++ if (numAdded == 0) { ++ pipeline = new nsHttpPipeline; ++ if (!pipeline) ++ return PR_FALSE; ++ pipeline->AddTransaction(firstTrans); ++ numAdded = 1; ++ } ++ pipeline->AddTransaction(trans); ++ ++ // remove transaction from pending queue ++ ent->mPendingQ.RemoveElementAt(i); ++ NS_RELEASE(trans); ++ ++ numAllowed--; ++ ++ if (++numAdded == max) ++ break; ++ } ++ ++ //fprintf(stderr, "Yay!!! pipelined %u/%u transactions\n", numAdded, max); ++ LOG((" pipelined %u/%u transactions\n", numAdded, max)); ++ ++ if (numAdded == 0) ++ return PR_FALSE; ++ ++ NS_ADDREF(*result = pipeline); ++ return PR_TRUE; ++} ++ + nsresult + nsHttpConnectionMgr::ProcessNewTransaction(nsHttpTransaction *trans) + { +diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h +index bb605a1..e372096 100644 +--- a/netwerk/protocol/http/nsHttpConnectionMgr.h ++++ b/netwerk/protocol/http/nsHttpConnectionMgr.h +@@ -54,6 +54,7 @@ + #include "nsIObserver.h" + #include "nsITimer.h" + #include "nsIX509Cert3.h" ++#include "nsIRandomGenerator.h" + + class nsHttpPipeline; + +@@ -312,6 +313,8 @@ private: + nsresult DispatchTransaction(nsConnectionEntry *, nsHttpTransaction *, + PRUint8 caps, nsHttpConnection *); + bool BuildPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); ++ bool BuildRandomizedPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); ++ void ShuffleRequestOrder(PRUint32 *, PRUint32); + nsresult ProcessNewTransaction(nsHttpTransaction *); + nsresult EnsureSocketThreadTargetIfOnline(); + void ClosePersistentConnections(nsConnectionEntry *ent); +@@ -405,6 +408,8 @@ private: + PRUint64 mTimeOfNextWakeUp; + // Timer for next pruning of dead connections. + nsCOMPtr<nsITimer> mTimer; ++ // Random number generator for reordering HTTP pipeline ++ nsCOMPtr<nsIRandomGenerator> mRandomGenerator; + + // + // the connection table +-- +1.7.5.4 +

1 0

[torbrowser/maint-2.3] Merge remote-tracking branch 'mikeperry/maint-2.2' into maint-2.3
by mikeperry＠torproject.org 11 Apr '12

11 Apr '12

commit 3cd7c2cb8284e47dabe896ce2164b13867ef2a7c Merge: 7caba4b 6787354 Author: Mike Perry <mikeperry-git(a)fscked.org> Date: Wed Apr 11 15:50:08 2012 -0700 Merge remote-tracking branch 'mikeperry/maint-2.2' into maint-2.3 ...6-Randomize-HTTP-pipeline-order-and-depth.patch | 151 ------------- ...ize-HTTP-request-order-and-pipeline-depth.patch | 234 ++++++++++++++++++++ 2 files changed, 234 insertions(+), 151 deletions(-)

1 0

[torbrowser/maint-2.2] Improve the website fingerprinting defense patch.
by mikeperry＠torproject.org 11 Apr '12

11 Apr '12

commit 67873541918d9597024d4439b45c9d1cd3ec582d Author: Mike Perry <mikeperry-git(a)fscked.org> Date: Wed Apr 11 15:47:11 2012 -0700 Improve the website fingerprinting defense patch. --- ...6-Randomize-HTTP-pipeline-order-and-depth.patch | 151 ------------- ...ize-HTTP-request-order-and-pipeline-depth.patch | 234 ++++++++++++++++++++ 2 files changed, 234 insertions(+), 151 deletions(-) diff --git a/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch b/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch deleted file mode 100644 index 04a34ea..0000000 --- a/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 39a9dab25c4ed3acc95009c0f44f4f6f2f1c5086 Mon Sep 17 00:00:00 2001 -From: Mike Perry <mikeperry-git(a)torproject.org> -Date: Thu, 15 Mar 2012 20:05:07 -0700 -Subject: [PATCH 06/13] Randomize HTTP pipeline order and depth. - -This is an experimental defense against -http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf - -See also: -https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting ---- - netwerk/protocol/http/nsHttpConnectionMgr.cpp | 79 ++++++++++++++++++++++++- - netwerk/protocol/http/nsHttpConnectionMgr.h | 4 + - 2 files changed, 82 insertions(+), 1 deletions(-) - -diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp -index 17d897f..3200638 100644 ---- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp -+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp -@@ -99,6 +99,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() - LOG(("Creating nsHttpConnectionMgr @%x\n", this)); - mCT.Init(); - mAlternateProtocolHash.Init(16); -+ -+ nsresult rv; -+ mRandomGenerator = do_GetService("@mozilla.org/security/random-generator;1", &rv); -+ if (NS_FAILED(rv)) { -+ mRandomGenerator = nsnull; -+ } - } - - nsHttpConnectionMgr::~nsHttpConnectionMgr() -@@ -1227,7 +1233,7 @@ nsHttpConnectionMgr::DispatchTransaction(nsConnectionEntry *ent, - - if (conn->SupportsPipelining() && (caps & NS_HTTP_ALLOW_PIPELINING)) { - LOG((" looking to build pipeline...\n")); -- if (BuildPipeline(ent, trans, &pipeline)) -+ if (BuildRandomizedPipeline(ent, trans, &pipeline)) - trans = pipeline; - } - -@@ -1300,6 +1306,77 @@ nsHttpConnectionMgr::BuildPipeline(nsConnectionEntry *ent, - return true; - } - -+bool -+nsHttpConnectionMgr::BuildRandomizedPipeline(nsConnectionEntry *ent, -+ nsAHttpTransaction *firstTrans, -+ nsHttpPipeline **result) -+{ -+ if (mRandomGenerator == nsnull) -+ return BuildPipeline(ent, firstTrans, result); -+ if (mMaxPipelinedRequests < 2) -+ return PR_FALSE; -+ -+ nsresult rv; -+ PRUint8 *bytes = nsnull; -+ -+ nsHttpPipeline *pipeline = nsnull; -+ nsHttpTransaction *trans; -+ -+ PRUint32 i = 0, numAdded = 0, numAllowed = 0; -+ PRUint32 max = 0; -+ -+ while (i < ent->mPendingQ.Length()) { -+ if (ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING) -+ numAllowed++; -+ i++; -+ } -+ -+ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); -+ NS_ENSURE_SUCCESS(rv, rv); -+ // 4...12 -+ max = 4 + (bytes[0] % (mMaxPipelinedRequests + 1)); -+ NS_Free(bytes); -+ -+ while (numAllowed > 0) { -+ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); -+ NS_ENSURE_SUCCESS(rv, rv); -+ i = bytes[0] % ent->mPendingQ.Length(); -+ NS_Free(bytes); -+ -+ trans = ent->mPendingQ[i]; -+ -+ if (!(ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING)) -+ continue; -+ -+ if (numAdded == 0) { -+ pipeline = new nsHttpPipeline; -+ if (!pipeline) -+ return PR_FALSE; -+ pipeline->AddTransaction(firstTrans); -+ numAdded = 1; -+ } -+ pipeline->AddTransaction(trans); -+ -+ // remove transaction from pending queue -+ ent->mPendingQ.RemoveElementAt(i); -+ NS_RELEASE(trans); -+ -+ numAllowed--; -+ -+ if (++numAdded == max) -+ break; -+ } -+ -+ //fprintf(stderr, "Yay!!! pipelined %u/%u transactions\n", numAdded, max); -+ LOG((" pipelined %u/%u transactions\n", numAdded, max)); -+ -+ if (numAdded == 0) -+ return PR_FALSE; -+ -+ NS_ADDREF(*result = pipeline); -+ return PR_TRUE; -+} -+ - nsresult - nsHttpConnectionMgr::ProcessNewTransaction(nsHttpTransaction *trans) - { -diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h -index bb605a1..47d01f6 100644 ---- a/netwerk/protocol/http/nsHttpConnectionMgr.h -+++ b/netwerk/protocol/http/nsHttpConnectionMgr.h -@@ -54,6 +54,7 @@ - #include "nsIObserver.h" - #include "nsITimer.h" - #include "nsIX509Cert3.h" -+#include "nsIRandomGenerator.h" - - class nsHttpPipeline; - -@@ -312,6 +313,7 @@ private: - nsresult DispatchTransaction(nsConnectionEntry *, nsHttpTransaction *, - PRUint8 caps, nsHttpConnection *); - bool BuildPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); -+ bool BuildRandomizedPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); - nsresult ProcessNewTransaction(nsHttpTransaction *); - nsresult EnsureSocketThreadTargetIfOnline(); - void ClosePersistentConnections(nsConnectionEntry *ent); -@@ -405,6 +407,8 @@ private: - PRUint64 mTimeOfNextWakeUp; - // Timer for next pruning of dead connections. - nsCOMPtr<nsITimer> mTimer; -+ // Random number generator for reordering HTTP pipeline -+ nsCOMPtr<nsIRandomGenerator> mRandomGenerator; - - // - // the connection table --- -1.7.5.4 - diff --git a/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch b/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch new file mode 100644 index 0000000..9687737 --- /dev/null +++ b/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch @@ -0,0 +1,234 @@ +From 8e8833ea22369c7597f5844139de37212deb1cd7 Mon Sep 17 00:00:00 2001 +From: Mike Perry <mikeperry-git(a)torproject.org> +Date: Thu, 15 Mar 2012 20:05:07 -0700 +Subject: [PATCH 12/12] Randomize HTTP request order and pipeline depth. + +This is an experimental defense against +http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf + +See: +https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting + +This defense has been improved since that blog post to additionally randomize +the order and concurrency of non-pipelined HTTP requests. +--- + netwerk/protocol/http/nsHttpConnectionMgr.cpp | 133 ++++++++++++++++++++++++- + netwerk/protocol/http/nsHttpConnectionMgr.h | 5 + + 2 files changed, 133 insertions(+), 5 deletions(-) + +diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp +index 17d897f..8f50bf6 100644 +--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp ++++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp +@@ -99,6 +99,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() + LOG(("Creating nsHttpConnectionMgr @%x\n", this)); + mCT.Init(); + mAlternateProtocolHash.Init(16); ++ ++ nsresult rv; ++ mRandomGenerator = do_GetService("@mozilla.org/security/random-generator;1", &rv); ++ if (NS_FAILED(rv)) { ++ mRandomGenerator = nsnull; ++ } + } + + nsHttpConnectionMgr::~nsHttpConnectionMgr() +@@ -353,8 +359,12 @@ nsHttpConnectionMgr::AddTransactionToPipeline(nsHttpPipeline *pipeline) + nsConnectionEntry *ent = mCT.Get(ci->HashKey()); + if (ent) { + // search for another request to pipeline... +- PRInt32 i, count = ent->mPendingQ.Length(); +- for (i=0; i<count; ++i) { ++ PRInt32 i, h, count = ent->mPendingQ.Length(); ++ PRInt32 ind[count]; ++ ShuffleRequestOrder((PRUint32*)ind, (PRUint32)count); ++ ++ for (h=0; h<count; ++h) { ++ i = ind[h]; // random request sequence + nsHttpTransaction *trans = ent->mPendingQ[i]; + if (trans->Caps() & NS_HTTP_ALLOW_PIPELINING) { + pipeline->AddTransaction(trans); +@@ -895,12 +905,17 @@ nsHttpConnectionMgr::ProcessPendingQForEntry(nsConnectionEntry *ent) + if (gHttpHandler->IsSpdyEnabled()) + ProcessSpdyPendingQ(ent); + +- PRUint32 i, count = ent->mPendingQ.Length(); ++ PRUint32 h, i = 0, count = ent->mPendingQ.Length(); + if (count > 0) { + LOG((" pending-count=%u\n", count)); + nsHttpTransaction *trans = nsnull; + nsHttpConnection *conn = nsnull; +- for (i = 0; i < count; ++i) { ++ ++ PRUint32 ind[count]; ++ ShuffleRequestOrder(ind, count); ++ ++ for (h=0; h<count; ++h) { ++ i = ind[h]; // random request sequence + trans = ent->mPendingQ[i]; + + // When this transaction has already established a half-open +@@ -1011,6 +1026,19 @@ nsHttpConnectionMgr::AtActiveConnectionLimit(nsConnectionEntry *ent, PRUint8 cap + maxPersistConns = mMaxPersistConnsPerHost; + } + ++ // Fuzz maxConns for website fingerprinting attack ++ // We create a range of maxConns/5 up to 6*maxConns/5 ++ // because this function is called repeatedly, and we'll ++ // end up converging on a the high side of concurrent connections ++ // after a short while. ++ PRUint8 *bytes = nsnull; ++ nsresult rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ ++ bytes[0] = bytes[0] % (maxConns + 1); ++ maxConns = (maxConns/5) + bytes[0]; ++ NS_Free(bytes); ++ + // use >= just to be safe + return (totalCount >= maxConns) || ( (caps & NS_HTTP_ALLOW_KEEPALIVE) && + (persistCount >= maxPersistConns) ); +@@ -1227,7 +1255,7 @@ nsHttpConnectionMgr::DispatchTransaction(nsConnectionEntry *ent, + + if (conn->SupportsPipelining() && (caps & NS_HTTP_ALLOW_PIPELINING)) { + LOG((" looking to build pipeline...\n")); +- if (BuildPipeline(ent, trans, &pipeline)) ++ if (BuildRandomizedPipeline(ent, trans, &pipeline)) + trans = pipeline; + } + +@@ -1300,6 +1328,101 @@ nsHttpConnectionMgr::BuildPipeline(nsConnectionEntry *ent, + return true; + } + ++ ++// Generate a shuffled request ordering sequence ++void ++nsHttpConnectionMgr::ShuffleRequestOrder(PRUint32 *ind, PRUint32 count) ++{ ++ PRUint32 i; ++ PRUint32 *rints; ++ ++ for (i=0; i<count; ++i) { ++ ind[i] = i; ++ } ++ nsresult rv = mRandomGenerator->GenerateRandomBytes(sizeof(PRUint32)*count, ++ (PRUint8**)&rints); ++ if (NS_FAILED(rv)) ++ return; // Leave unshuffled if error ++ ++ for (i=0; i < count; ++i) { ++ PRInt32 temp = ind[i]; ++ ind[i] = ind[rints[i]%count]; ++ ind[rints[i]%count] = temp; ++ } ++ NS_Free(rints); ++} ++ ++bool ++nsHttpConnectionMgr::BuildRandomizedPipeline(nsConnectionEntry *ent, ++ nsAHttpTransaction *firstTrans, ++ nsHttpPipeline **result) ++{ ++ if (mRandomGenerator == nsnull) ++ return BuildPipeline(ent, firstTrans, result); ++ if (mMaxPipelinedRequests < 2) ++ return PR_FALSE; ++ ++ nsresult rv; ++ PRUint8 *bytes = nsnull; ++ ++ nsHttpPipeline *pipeline = nsnull; ++ nsHttpTransaction *trans; ++ ++ PRUint32 i = 0, numAdded = 0, numAllowed = 0; ++ PRUint32 max = 0; ++ ++ while (i < ent->mPendingQ.Length()) { ++ if (ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING) ++ numAllowed++; ++ i++; ++ } ++ ++ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ // 4...12 ++ max = 4 + (bytes[0] % (mMaxPipelinedRequests + 1)); ++ NS_Free(bytes); ++ ++ while (numAllowed > 0) { ++ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ i = bytes[0] % ent->mPendingQ.Length(); ++ NS_Free(bytes); ++ ++ trans = ent->mPendingQ[i]; ++ ++ if (!(ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING)) ++ continue; ++ ++ if (numAdded == 0) { ++ pipeline = new nsHttpPipeline; ++ if (!pipeline) ++ return PR_FALSE; ++ pipeline->AddTransaction(firstTrans); ++ numAdded = 1; ++ } ++ pipeline->AddTransaction(trans); ++ ++ // remove transaction from pending queue ++ ent->mPendingQ.RemoveElementAt(i); ++ NS_RELEASE(trans); ++ ++ numAllowed--; ++ ++ if (++numAdded == max) ++ break; ++ } ++ ++ //fprintf(stderr, "Yay!!! pipelined %u/%u transactions\n", numAdded, max); ++ LOG((" pipelined %u/%u transactions\n", numAdded, max)); ++ ++ if (numAdded == 0) ++ return PR_FALSE; ++ ++ NS_ADDREF(*result = pipeline); ++ return PR_TRUE; ++} ++ + nsresult + nsHttpConnectionMgr::ProcessNewTransaction(nsHttpTransaction *trans) + { +diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h +index bb605a1..e372096 100644 +--- a/netwerk/protocol/http/nsHttpConnectionMgr.h ++++ b/netwerk/protocol/http/nsHttpConnectionMgr.h +@@ -54,6 +54,7 @@ + #include "nsIObserver.h" + #include "nsITimer.h" + #include "nsIX509Cert3.h" ++#include "nsIRandomGenerator.h" + + class nsHttpPipeline; + +@@ -312,6 +313,8 @@ private: + nsresult DispatchTransaction(nsConnectionEntry *, nsHttpTransaction *, + PRUint8 caps, nsHttpConnection *); + bool BuildPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); ++ bool BuildRandomizedPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); ++ void ShuffleRequestOrder(PRUint32 *, PRUint32); + nsresult ProcessNewTransaction(nsHttpTransaction *); + nsresult EnsureSocketThreadTargetIfOnline(); + void ClosePersistentConnections(nsConnectionEntry *ent); +@@ -405,6 +408,8 @@ private: + PRUint64 mTimeOfNextWakeUp; + // Timer for next pruning of dead connections. + nsCOMPtr<nsITimer> mTimer; ++ // Random number generator for reordering HTTP pipeline ++ nsCOMPtr<nsIRandomGenerator> mRandomGenerator; + + // + // the connection table +-- +1.7.5.4 +

1 0

[torbrowser/master] Improve the website fingerprinting defense patch.
by mikeperry＠torproject.org 11 Apr '12

11 Apr '12

commit 67873541918d9597024d4439b45c9d1cd3ec582d Author: Mike Perry <mikeperry-git(a)fscked.org> Date: Wed Apr 11 15:47:11 2012 -0700 Improve the website fingerprinting defense patch. --- ...6-Randomize-HTTP-pipeline-order-and-depth.patch | 151 ------------- ...ize-HTTP-request-order-and-pipeline-depth.patch | 234 ++++++++++++++++++++ 2 files changed, 234 insertions(+), 151 deletions(-) diff --git a/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch b/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch deleted file mode 100644 index 04a34ea..0000000 --- a/src/current-patches/firefox/0006-Randomize-HTTP-pipeline-order-and-depth.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 39a9dab25c4ed3acc95009c0f44f4f6f2f1c5086 Mon Sep 17 00:00:00 2001 -From: Mike Perry <mikeperry-git(a)torproject.org> -Date: Thu, 15 Mar 2012 20:05:07 -0700 -Subject: [PATCH 06/13] Randomize HTTP pipeline order and depth. - -This is an experimental defense against -http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf - -See also: -https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting ---- - netwerk/protocol/http/nsHttpConnectionMgr.cpp | 79 ++++++++++++++++++++++++- - netwerk/protocol/http/nsHttpConnectionMgr.h | 4 + - 2 files changed, 82 insertions(+), 1 deletions(-) - -diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp -index 17d897f..3200638 100644 ---- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp -+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp -@@ -99,6 +99,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() - LOG(("Creating nsHttpConnectionMgr @%x\n", this)); - mCT.Init(); - mAlternateProtocolHash.Init(16); -+ -+ nsresult rv; -+ mRandomGenerator = do_GetService("@mozilla.org/security/random-generator;1", &rv); -+ if (NS_FAILED(rv)) { -+ mRandomGenerator = nsnull; -+ } - } - - nsHttpConnectionMgr::~nsHttpConnectionMgr() -@@ -1227,7 +1233,7 @@ nsHttpConnectionMgr::DispatchTransaction(nsConnectionEntry *ent, - - if (conn->SupportsPipelining() && (caps & NS_HTTP_ALLOW_PIPELINING)) { - LOG((" looking to build pipeline...\n")); -- if (BuildPipeline(ent, trans, &pipeline)) -+ if (BuildRandomizedPipeline(ent, trans, &pipeline)) - trans = pipeline; - } - -@@ -1300,6 +1306,77 @@ nsHttpConnectionMgr::BuildPipeline(nsConnectionEntry *ent, - return true; - } - -+bool -+nsHttpConnectionMgr::BuildRandomizedPipeline(nsConnectionEntry *ent, -+ nsAHttpTransaction *firstTrans, -+ nsHttpPipeline **result) -+{ -+ if (mRandomGenerator == nsnull) -+ return BuildPipeline(ent, firstTrans, result); -+ if (mMaxPipelinedRequests < 2) -+ return PR_FALSE; -+ -+ nsresult rv; -+ PRUint8 *bytes = nsnull; -+ -+ nsHttpPipeline *pipeline = nsnull; -+ nsHttpTransaction *trans; -+ -+ PRUint32 i = 0, numAdded = 0, numAllowed = 0; -+ PRUint32 max = 0; -+ -+ while (i < ent->mPendingQ.Length()) { -+ if (ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING) -+ numAllowed++; -+ i++; -+ } -+ -+ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); -+ NS_ENSURE_SUCCESS(rv, rv); -+ // 4...12 -+ max = 4 + (bytes[0] % (mMaxPipelinedRequests + 1)); -+ NS_Free(bytes); -+ -+ while (numAllowed > 0) { -+ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); -+ NS_ENSURE_SUCCESS(rv, rv); -+ i = bytes[0] % ent->mPendingQ.Length(); -+ NS_Free(bytes); -+ -+ trans = ent->mPendingQ[i]; -+ -+ if (!(ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING)) -+ continue; -+ -+ if (numAdded == 0) { -+ pipeline = new nsHttpPipeline; -+ if (!pipeline) -+ return PR_FALSE; -+ pipeline->AddTransaction(firstTrans); -+ numAdded = 1; -+ } -+ pipeline->AddTransaction(trans); -+ -+ // remove transaction from pending queue -+ ent->mPendingQ.RemoveElementAt(i); -+ NS_RELEASE(trans); -+ -+ numAllowed--; -+ -+ if (++numAdded == max) -+ break; -+ } -+ -+ //fprintf(stderr, "Yay!!! pipelined %u/%u transactions\n", numAdded, max); -+ LOG((" pipelined %u/%u transactions\n", numAdded, max)); -+ -+ if (numAdded == 0) -+ return PR_FALSE; -+ -+ NS_ADDREF(*result = pipeline); -+ return PR_TRUE; -+} -+ - nsresult - nsHttpConnectionMgr::ProcessNewTransaction(nsHttpTransaction *trans) - { -diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h -index bb605a1..47d01f6 100644 ---- a/netwerk/protocol/http/nsHttpConnectionMgr.h -+++ b/netwerk/protocol/http/nsHttpConnectionMgr.h -@@ -54,6 +54,7 @@ - #include "nsIObserver.h" - #include "nsITimer.h" - #include "nsIX509Cert3.h" -+#include "nsIRandomGenerator.h" - - class nsHttpPipeline; - -@@ -312,6 +313,7 @@ private: - nsresult DispatchTransaction(nsConnectionEntry *, nsHttpTransaction *, - PRUint8 caps, nsHttpConnection *); - bool BuildPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); -+ bool BuildRandomizedPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); - nsresult ProcessNewTransaction(nsHttpTransaction *); - nsresult EnsureSocketThreadTargetIfOnline(); - void ClosePersistentConnections(nsConnectionEntry *ent); -@@ -405,6 +407,8 @@ private: - PRUint64 mTimeOfNextWakeUp; - // Timer for next pruning of dead connections. - nsCOMPtr<nsITimer> mTimer; -+ // Random number generator for reordering HTTP pipeline -+ nsCOMPtr<nsIRandomGenerator> mRandomGenerator; - - // - // the connection table --- -1.7.5.4 - diff --git a/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch b/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch new file mode 100644 index 0000000..9687737 --- /dev/null +++ b/src/current-patches/firefox/0006-Randomize-HTTP-request-order-and-pipeline-depth.patch @@ -0,0 +1,234 @@ +From 8e8833ea22369c7597f5844139de37212deb1cd7 Mon Sep 17 00:00:00 2001 +From: Mike Perry <mikeperry-git(a)torproject.org> +Date: Thu, 15 Mar 2012 20:05:07 -0700 +Subject: [PATCH 12/12] Randomize HTTP request order and pipeline depth. + +This is an experimental defense against +http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf + +See: +https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting + +This defense has been improved since that blog post to additionally randomize +the order and concurrency of non-pipelined HTTP requests. +--- + netwerk/protocol/http/nsHttpConnectionMgr.cpp | 133 ++++++++++++++++++++++++- + netwerk/protocol/http/nsHttpConnectionMgr.h | 5 + + 2 files changed, 133 insertions(+), 5 deletions(-) + +diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp +index 17d897f..8f50bf6 100644 +--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp ++++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp +@@ -99,6 +99,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() + LOG(("Creating nsHttpConnectionMgr @%x\n", this)); + mCT.Init(); + mAlternateProtocolHash.Init(16); ++ ++ nsresult rv; ++ mRandomGenerator = do_GetService("@mozilla.org/security/random-generator;1", &rv); ++ if (NS_FAILED(rv)) { ++ mRandomGenerator = nsnull; ++ } + } + + nsHttpConnectionMgr::~nsHttpConnectionMgr() +@@ -353,8 +359,12 @@ nsHttpConnectionMgr::AddTransactionToPipeline(nsHttpPipeline *pipeline) + nsConnectionEntry *ent = mCT.Get(ci->HashKey()); + if (ent) { + // search for another request to pipeline... +- PRInt32 i, count = ent->mPendingQ.Length(); +- for (i=0; i<count; ++i) { ++ PRInt32 i, h, count = ent->mPendingQ.Length(); ++ PRInt32 ind[count]; ++ ShuffleRequestOrder((PRUint32*)ind, (PRUint32)count); ++ ++ for (h=0; h<count; ++h) { ++ i = ind[h]; // random request sequence + nsHttpTransaction *trans = ent->mPendingQ[i]; + if (trans->Caps() & NS_HTTP_ALLOW_PIPELINING) { + pipeline->AddTransaction(trans); +@@ -895,12 +905,17 @@ nsHttpConnectionMgr::ProcessPendingQForEntry(nsConnectionEntry *ent) + if (gHttpHandler->IsSpdyEnabled()) + ProcessSpdyPendingQ(ent); + +- PRUint32 i, count = ent->mPendingQ.Length(); ++ PRUint32 h, i = 0, count = ent->mPendingQ.Length(); + if (count > 0) { + LOG((" pending-count=%u\n", count)); + nsHttpTransaction *trans = nsnull; + nsHttpConnection *conn = nsnull; +- for (i = 0; i < count; ++i) { ++ ++ PRUint32 ind[count]; ++ ShuffleRequestOrder(ind, count); ++ ++ for (h=0; h<count; ++h) { ++ i = ind[h]; // random request sequence + trans = ent->mPendingQ[i]; + + // When this transaction has already established a half-open +@@ -1011,6 +1026,19 @@ nsHttpConnectionMgr::AtActiveConnectionLimit(nsConnectionEntry *ent, PRUint8 cap + maxPersistConns = mMaxPersistConnsPerHost; + } + ++ // Fuzz maxConns for website fingerprinting attack ++ // We create a range of maxConns/5 up to 6*maxConns/5 ++ // because this function is called repeatedly, and we'll ++ // end up converging on a the high side of concurrent connections ++ // after a short while. ++ PRUint8 *bytes = nsnull; ++ nsresult rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ ++ bytes[0] = bytes[0] % (maxConns + 1); ++ maxConns = (maxConns/5) + bytes[0]; ++ NS_Free(bytes); ++ + // use >= just to be safe + return (totalCount >= maxConns) || ( (caps & NS_HTTP_ALLOW_KEEPALIVE) && + (persistCount >= maxPersistConns) ); +@@ -1227,7 +1255,7 @@ nsHttpConnectionMgr::DispatchTransaction(nsConnectionEntry *ent, + + if (conn->SupportsPipelining() && (caps & NS_HTTP_ALLOW_PIPELINING)) { + LOG((" looking to build pipeline...\n")); +- if (BuildPipeline(ent, trans, &pipeline)) ++ if (BuildRandomizedPipeline(ent, trans, &pipeline)) + trans = pipeline; + } + +@@ -1300,6 +1328,101 @@ nsHttpConnectionMgr::BuildPipeline(nsConnectionEntry *ent, + return true; + } + ++ ++// Generate a shuffled request ordering sequence ++void ++nsHttpConnectionMgr::ShuffleRequestOrder(PRUint32 *ind, PRUint32 count) ++{ ++ PRUint32 i; ++ PRUint32 *rints; ++ ++ for (i=0; i<count; ++i) { ++ ind[i] = i; ++ } ++ nsresult rv = mRandomGenerator->GenerateRandomBytes(sizeof(PRUint32)*count, ++ (PRUint8**)&rints); ++ if (NS_FAILED(rv)) ++ return; // Leave unshuffled if error ++ ++ for (i=0; i < count; ++i) { ++ PRInt32 temp = ind[i]; ++ ind[i] = ind[rints[i]%count]; ++ ind[rints[i]%count] = temp; ++ } ++ NS_Free(rints); ++} ++ ++bool ++nsHttpConnectionMgr::BuildRandomizedPipeline(nsConnectionEntry *ent, ++ nsAHttpTransaction *firstTrans, ++ nsHttpPipeline **result) ++{ ++ if (mRandomGenerator == nsnull) ++ return BuildPipeline(ent, firstTrans, result); ++ if (mMaxPipelinedRequests < 2) ++ return PR_FALSE; ++ ++ nsresult rv; ++ PRUint8 *bytes = nsnull; ++ ++ nsHttpPipeline *pipeline = nsnull; ++ nsHttpTransaction *trans; ++ ++ PRUint32 i = 0, numAdded = 0, numAllowed = 0; ++ PRUint32 max = 0; ++ ++ while (i < ent->mPendingQ.Length()) { ++ if (ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING) ++ numAllowed++; ++ i++; ++ } ++ ++ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ // 4...12 ++ max = 4 + (bytes[0] % (mMaxPipelinedRequests + 1)); ++ NS_Free(bytes); ++ ++ while (numAllowed > 0) { ++ rv = mRandomGenerator->GenerateRandomBytes(1, &bytes); ++ NS_ENSURE_SUCCESS(rv, rv); ++ i = bytes[0] % ent->mPendingQ.Length(); ++ NS_Free(bytes); ++ ++ trans = ent->mPendingQ[i]; ++ ++ if (!(ent->mPendingQ[i]->Caps() & NS_HTTP_ALLOW_PIPELINING)) ++ continue; ++ ++ if (numAdded == 0) { ++ pipeline = new nsHttpPipeline; ++ if (!pipeline) ++ return PR_FALSE; ++ pipeline->AddTransaction(firstTrans); ++ numAdded = 1; ++ } ++ pipeline->AddTransaction(trans); ++ ++ // remove transaction from pending queue ++ ent->mPendingQ.RemoveElementAt(i); ++ NS_RELEASE(trans); ++ ++ numAllowed--; ++ ++ if (++numAdded == max) ++ break; ++ } ++ ++ //fprintf(stderr, "Yay!!! pipelined %u/%u transactions\n", numAdded, max); ++ LOG((" pipelined %u/%u transactions\n", numAdded, max)); ++ ++ if (numAdded == 0) ++ return PR_FALSE; ++ ++ NS_ADDREF(*result = pipeline); ++ return PR_TRUE; ++} ++ + nsresult + nsHttpConnectionMgr::ProcessNewTransaction(nsHttpTransaction *trans) + { +diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h +index bb605a1..e372096 100644 +--- a/netwerk/protocol/http/nsHttpConnectionMgr.h ++++ b/netwerk/protocol/http/nsHttpConnectionMgr.h +@@ -54,6 +54,7 @@ + #include "nsIObserver.h" + #include "nsITimer.h" + #include "nsIX509Cert3.h" ++#include "nsIRandomGenerator.h" + + class nsHttpPipeline; + +@@ -312,6 +313,8 @@ private: + nsresult DispatchTransaction(nsConnectionEntry *, nsHttpTransaction *, + PRUint8 caps, nsHttpConnection *); + bool BuildPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); ++ bool BuildRandomizedPipeline(nsConnectionEntry *, nsAHttpTransaction *, nsHttpPipeline **); ++ void ShuffleRequestOrder(PRUint32 *, PRUint32); + nsresult ProcessNewTransaction(nsHttpTransaction *); + nsresult EnsureSocketThreadTargetIfOnline(); + void ClosePersistentConnections(nsConnectionEntry *ent); +@@ -405,6 +408,8 @@ private: + PRUint64 mTimeOfNextWakeUp; + // Timer for next pruning of dead connections. + nsCOMPtr<nsITimer> mTimer; ++ // Random number generator for reordering HTTP pipeline ++ nsCOMPtr<nsIRandomGenerator> mRandomGenerator; + + // + // the connection table +-- +1.7.5.4 +

1 0