commit 49302db0cd095bbc02c631e1628542f4d8b003a9
Author: Zack Weinberg <zackw(a)panix.com>
Date: Sat Mar 24 20:27:50 2012 -0700
Revise chop.cc to be closer to what the paper says it does:
* new block format
* 32-bit circuit IDs
* separate header and payload encryption
* sequence numbers count by block, not byte
Still to do:
* proper handshakes
* rekeying
* "exactly what steg wants" block padding
---
src/crypt.cc | 4 +-
src/protocol/chop.cc | 2059 +++++++++++++++++++++++++-------------------------
2 files changed, 1038 insertions(+), 1025 deletions(-)
diff --git a/src/crypt.cc b/src/crypt.cc
index d6eed49..e81e8d4 100644
--- a/src/crypt.cc
+++ b/src/crypt.cc
@@ -273,9 +273,7 @@ key_generator::from_passphrase(const uint8_t *phra, size_t plen,
// to just feed its output directly to the HKDF-Expand phase; an
// alternative would be to run PBKDF2 on the passphrase without a
// salt, then put the result through HKDF-Extract with the salt.
- //
- // 1000 iterations or 50 ms, whichever is more
- extractor.DeriveKey(prk, SHA256_LEN, 0, phra, plen, salt, slen, 1000, 0.05);
+ extractor.DeriveKey(prk, SHA256_LEN, 0, phra, plen, salt, slen, 1000);
key_generator *r = new key_generator_impl(prk, ctxt, clen);
memset(prk, 0, SHA256_LEN);
diff --git a/src/protocol/chop.cc b/src/protocol/chop.cc
index b4ec692..e81214a 100644
--- a/src/protocol/chop.cc
+++ b/src/protocol/chop.cc
@@ -1,10 +1,9 @@
-/* Copyright 2011 Zack Weinberg
+/* Copyright 2011, 2012 Zack Weinberg
See LICENSE for other credits and copying information
The chopper is the core StegoTorus protocol implementation.
- For its design, see doc/chopper.tex. Note that it is still
- being implemented, and many things that are *intended* to change
- from the toy "roundrobin" protocol have not yet changed. */
+ For its design, see doc/chopper.txt. Note that it is still
+ being implemented, and may change incompatibly. */
#include "util.h"
#include "connections.h"
@@ -20,805 +19,363 @@
#include <event2/event.h>
#include <event2/buffer.h>
+#ifdef HAVE_EXECINFO_H
+#include <execinfo.h>
+#endif
+
using std::tr1::unordered_map;
using std::tr1::unordered_set;
using std::vector;
+using std::make_pair;
-/* Header serialization and deserialization */
-
-struct chop_header
+namespace
{
- uint64_t ckt_id;
- uint8_t pkt_iv[8];
- uint32_t offset;
- uint16_t length;
- uint16_t flags;
-};
-
-#define CHOP_WIRE_HDR_LEN (sizeof(struct chop_header))
-#define CHOP_BLOCK_OVERHD (CHOP_WIRE_HDR_LEN + GCM_TAG_LEN)
-#define CHOP_MAX_DATA (65535 - CHOP_BLOCK_OVERHD)
-#define CHOP_MAX_CHAFF 2048
-#define CHOP_F_SYN 0x0001
-#define CHOP_F_FIN 0x0002
-#define CHOP_F_CHAFF 0x0004
-/* further flags values are reserved */
-
-/* Reassembly queue. This is a doubly-linked circular list with a
- sentinel element at the head (identified by data == 0). List
- entries are sorted by offset. Gaps in so-far-received data
- are "in between" entries in the list. */
-
-struct chop_reassembly_elt
+/* Packets on the wire have a 16-byte header, consisting of a 32-bit
+ sequence number, two 16-bit length fields ("D" and "P"), an 8-bit
+ opcode ("F"), and a 56-bit check field. All numbers in this header
+ are serialized in network byte order.
+
+ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
+ |Sequence Number| D | P | F | Check |
+
+ The header is encrypted with AES in ECB mode: this is safe because
+ the header is exactly one AES block long, the sequence number is
+ never repeated, the header-encryption key is not used for anything
+ else, and the high 24 bits of the sequence number, plus the check
+ field, constitute an 80-bit MAC. The receiver maintains a
+ 256-element sliding window of acceptable sequence numbers, which
+ begins one after the highest sequence number so far _processed_
+ (not received). If the sequence number is outside this window, or
+ the check field is not all-bits-zero, the packet is discarded. An
+ attacker's odds of being able to manipulate the D, P, or F fields
+ or the low bits of the sequence number are therefore less than one
+ in 2^80. Unlike TCP, our sequence numbers always start at zero on
+ a new (or freshly rekeyed) circuit, and increment by one per
+ _block_, not per byte of data. Furthermore, they do not wrap: a
+ rekeying cycle (which resets the sequence number) is required to
+ occur before the highest-received sequence number reaches 2^32.
+
+ Following the header are two variable-length payload sections,
+ "data" and "padding", whose length in bytes are given by the D and
+ P fields, respectively. These sections are encrypted, using a
+ different key, with AES in GCM mode. The *encrypted* packet header
+ doubles as the GCM nonce. The semantics of the "data" section's
+ contents, if any, are defined by the opcode F. The "padding"
+ section SHOULD be filled with zeroes by the sender; regardless, its
+ contents MUST be ignored by the receiver. Following these sections
+ is a 16-byte GCM authentication tag, computed over the data and
+ padding sections only, NOT the message header. */
+
+const size_t HEADER_LEN = 16;
+const size_t TRAILER_LEN = 16;
+const size_t SECTION_LEN = UINT16_MAX;
+const size_t MIN_BLOCK_SIZE = HEADER_LEN + TRAILER_LEN;
+const size_t MAX_BLOCK_SIZE = MIN_BLOCK_SIZE + SECTION_LEN*2;
+
+enum opcode_t
{
- struct chop_reassembly_elt *prev;
- struct chop_reassembly_elt *next;
- struct evbuffer *data;
- uint32_t offset;
- uint16_t length;
- uint16_t flags;
+ op_DAT = 0, // Pass data section along to upstream
+ op_FIN = 1, // No further transmissions (pass data along if any)
+ op_RST = 2, // Protocol error, close circuit now
+ op_RK1 = 3, // Commence rekeying
+ op_RK2 = 4, // Continue rekeying
+ op_RK3 = 5, // Conclude rekeying
+ op_RESERVED0 = 6, // 6 -- 127 reserved for future definition
+ op_STEG0 = 128, // 128 -- 255 reserved for steganography modules
+ op_LAST = 255
};
-/* Horrifically crude "encryption". Uses a compiled-in pair of
- encryption keys, no MAC, and recycles the circuit ID as a
- partial IV. To be replaced with something less laughable ASAP. */
-
-static const uint8_t c2s_key[] =
- "\x44\x69\x5f\x45\x41\x67\xe9\x69\x14\x6c\x5f\xd2\x41\x63\xc4\x02";
-static const uint8_t s2c_key[] =
- "\xfa\x31\x78\x6c\xb9\x4c\x66\x2a\xd0\x30\x59\xf7\x28\x22\x2f\x22";
-
-/* Connections and circuits */
-
-namespace {
- struct chop_config_t;
- struct chop_circuit_t;
- typedef unordered_map<uint64_t, chop_circuit_t *> chop_circuit_table;
-
- struct chop_conn_t : conn_t
- {
- chop_config_t *config;
- chop_circuit_t *upstream;
- steg_t *steg;
- struct evbuffer *recv_pending;
- struct event *must_transmit_timer;
- bool no_more_transmissions : 1;
-
- CONN_DECLARE_METHODS(chop);
- };
+class block_header
+{
+ uint8_t clear[16];
+ uint8_t ciphr[16];
- struct chop_circuit_t : circuit_t
+public:
+ block_header(uint32_t s, uint16_t d, uint16_t p, opcode_t f,
+ ecb_encryptor &ec)
{
- chop_reassembly_elt reassembly_queue;
- unordered_set<chop_conn_t *> downstreams;
- gcm_encryptor *send_crypt;
- gcm_decryptor *recv_crypt;
- chop_config_t *config;
-
- uint64_t circuit_id;
- uint32_t send_offset;
- uint32_t recv_offset;
- uint32_t dead_cycles;
- bool received_syn : 1;
- bool received_fin : 1;
- bool sent_syn : 1;
- bool sent_fin : 1;
- bool upstream_eof : 1;
-
- CIRCUIT_DECLARE_METHODS(chop);
-
- uint32_t axe_interval() {
- // This function must always return a number which is larger than
- // the maximum possible number that *our peer's* flush_interval()
- // could have returned; otherwise, we might axe the connection when
- // it was just that there was nothing to say for a while.
- // For simplicity's sake, right now we hardwire this to be 30 minutes.
- return 30 * 60 * 1000;
- }
- uint32_t flush_interval() {
- // 10*60*1000 lies between 2^19 and 2^20.
- uint32_t shift = std::max(1u, std::min(19u, dead_cycles));
- uint32_t xv = std::max(1u, std::min(10u * 60 * 1000, 1u << shift));
- return rng_range_geom(20 * 60 * 1000, xv) + 100;
+ if (f > op_LAST || (f >= op_RESERVED0 && f < op_STEG0)) {
+ memset(clear, 0xFF, sizeof clear); // invalid!
+ memset(ciphr, 0xFF, sizeof ciphr);
+ return;
}
- };
-
- struct chop_config_t : config_t
- {
- struct evutil_addrinfo *up_address;
- vector<struct evutil_addrinfo *> down_addresses;
- vector<const char *> steg_targets;
- chop_circuit_table circuits;
- CONFIG_DECLARE_METHODS(chop);
- };
-}
-
-PROTO_DEFINE_MODULE(chop);
+ // sequence number
+ clear[0] = (s >> 24) & 0xFF;
+ clear[1] = (s >> 16) & 0xFF;
+ clear[2] = (s >> 8) & 0xFF;
+ clear[3] = (s ) & 0xFF;
-/* Header serialization and deserialization */
+ // D field
+ clear[4] = (d >> 8) & 0xFF;
+ clear[5] = (d ) & 0xFF;
-static void
-chop_write_header(uint8_t *wire_header, const struct chop_header *hdr)
-{
- /* bits on the wire are in network byte order */
- wire_header[ 0] = (hdr->ckt_id & 0xFF00000000000000ull) >> 56;
- wire_header[ 1] = (hdr->ckt_id & 0x00FF000000000000ull) >> 48;
- wire_header[ 2] = (hdr->ckt_id & 0x0000FF0000000000ull) >> 40;
- wire_header[ 3] = (hdr->ckt_id & 0x000000FF00000000ull) >> 32;
- wire_header[ 4] = (hdr->ckt_id & 0x00000000FF000000ull) >> 24;
- wire_header[ 5] = (hdr->ckt_id & 0x0000000000FF0000ull) >> 16;
- wire_header[ 6] = (hdr->ckt_id & 0x000000000000FF00ull) >> 8;
- wire_header[ 7] = (hdr->ckt_id & 0x00000000000000FFull) >> 0;
-
- wire_header[ 8] = hdr->pkt_iv[0];
- wire_header[ 9] = hdr->pkt_iv[1];
- wire_header[10] = hdr->pkt_iv[2];
- wire_header[11] = hdr->pkt_iv[3];
- wire_header[12] = hdr->pkt_iv[4];
- wire_header[13] = hdr->pkt_iv[5];
- wire_header[14] = hdr->pkt_iv[6];
- wire_header[15] = hdr->pkt_iv[7];
-
- wire_header[16] = (hdr->offset & 0xFF000000u) >> 24;
- wire_header[17] = (hdr->offset & 0x00FF0000u) >> 16;
- wire_header[18] = (hdr->offset & 0x0000FF00u) >> 8;
- wire_header[19] = (hdr->offset & 0x000000FFu) >> 0;
-
- wire_header[20] = (hdr->length & 0xFF00u) >> 8;
- wire_header[21] = (hdr->length & 0x00FFu) >> 0;
- wire_header[22] = (hdr->flags & 0xFF00u) >> 8;
- wire_header[23] = (hdr->flags & 0x00FFu) >> 0;
-}
+ // P field
+ clear[6] = (p >> 8) & 0xFF;
+ clear[7] = (p ) & 0xFF;
-static int
-chop_peek_circuit_id(struct evbuffer *buf, struct chop_header *hdr)
-{
- uint8_t wire_id[8];
- if (evbuffer_copyout(buf, wire_id, 8) != 8)
- return -1;
- hdr->ckt_id = ((((uint64_t)wire_id[ 0]) << 56) +
- (((uint64_t)wire_id[ 1]) << 48) +
- (((uint64_t)wire_id[ 2]) << 40) +
- (((uint64_t)wire_id[ 3]) << 32) +
- (((uint64_t)wire_id[ 4]) << 24) +
- (((uint64_t)wire_id[ 5]) << 16) +
- (((uint64_t)wire_id[ 6]) << 8) +
- (((uint64_t)wire_id[ 7]) << 0));
- return 0;
-}
+ // F field
+ clear[8] = uint8_t(f);
-static int
-chop_decrypt_header(chop_circuit_t *ckt,
- struct evbuffer *buf,
- struct chop_header *hdr)
-{
- uint8_t wire_header[CHOP_WIRE_HDR_LEN];
- uint8_t decoded_header[CHOP_WIRE_HDR_LEN-16];
+ // Check field
+ memset(clear + 9, 0, 7);
- if (evbuffer_copyout(buf, wire_header, CHOP_WIRE_HDR_LEN)
- != CHOP_WIRE_HDR_LEN) {
- log_warn("not enough data copied out");
- return -1;
+ ec.encrypt(ciphr, clear);
}
- hdr->ckt_id = ((((uint64_t)wire_header[ 0]) << 56) +
- (((uint64_t)wire_header[ 1]) << 48) +
- (((uint64_t)wire_header[ 2]) << 40) +
- (((uint64_t)wire_header[ 3]) << 32) +
- (((uint64_t)wire_header[ 4]) << 24) +
- (((uint64_t)wire_header[ 5]) << 16) +
- (((uint64_t)wire_header[ 6]) << 8) +
- (((uint64_t)wire_header[ 7]) << 0));
-
- hdr->pkt_iv[0] = wire_header[ 8];
- hdr->pkt_iv[1] = wire_header[ 9];
- hdr->pkt_iv[2] = wire_header[10];
- hdr->pkt_iv[3] = wire_header[11];
- hdr->pkt_iv[4] = wire_header[12];
- hdr->pkt_iv[5] = wire_header[13];
- hdr->pkt_iv[6] = wire_header[14];
- hdr->pkt_iv[7] = wire_header[15];
-
- /* The full IV is the circuit ID plus packet ID *as it is on the
- wire*. */
- ckt->recv_crypt->decrypt_unchecked(decoded_header,
- wire_header + 16, CHOP_WIRE_HDR_LEN - 16,
- wire_header, 16);
-
- hdr->offset = ((((uint32_t)decoded_header[0]) << 24) +
- (((uint32_t)decoded_header[1]) << 16) +
- (((uint32_t)decoded_header[2]) << 8) +
- (((uint32_t)decoded_header[3]) << 0));
-
- hdr->length = ((((uint16_t)decoded_header[4]) << 8) +
- (((uint16_t)decoded_header[5]) << 0));
-
- hdr->flags = ((((uint16_t)decoded_header[6]) << 8) +
- (((uint16_t)decoded_header[7]) << 0));
-
- log_debug("decoded offset %u length %hu flags %04hx",
- hdr->offset, hdr->length, hdr->flags);
- return 0;
-}
-
-/* Transmit subroutines. */
-
-static chop_conn_t *
-chop_pick_connection(chop_circuit_t *ckt, size_t desired, size_t *blocksize)
-{
- size_t maxbelow = 0;
- size_t minabove = SIZE_MAX;
- chop_conn_t *targbelow = NULL;
- chop_conn_t *targabove = NULL;
-
- if (desired > CHOP_MAX_DATA)
- desired = CHOP_MAX_DATA;
-
- /* Find the best fit for the desired transmission from all the
- outbound connections' transmit rooms. */
- for (unordered_set<chop_conn_t *>::iterator i = ckt->downstreams.begin();
- i != ckt->downstreams.end(); i++) {
- chop_conn_t *conn = *i;
- /* We can only use candidates that have a steg target already. */
- if (conn->steg) {
- /* Find the connections whose transmit rooms are closest to the
- desired transmission length from both directions. */
- size_t room = conn->steg->transmit_room(conn);
- log_debug(conn, "offers %lu bytes (%s)", (unsigned long)room,
- conn->steg->name());
-
- if (room <= CHOP_BLOCK_OVERHD)
- room = 0;
- else
- room -= CHOP_BLOCK_OVERHD;
-
- if (room > CHOP_MAX_DATA)
- room = CHOP_MAX_DATA;
-
- if (room >= desired) {
- if (room < minabove) {
- minabove = room;
- targabove = conn;
- }
- } else {
- if (room > maxbelow) {
- maxbelow = room;
- targbelow = conn;
- }
- }
- } else {
- log_debug(conn, "offers 0 bytes (no steg)");
+ block_header(evbuffer *buf, ecb_decryptor &dc)
+ {
+ if (evbuffer_copyout(buf, ciphr, sizeof ciphr) != sizeof ciphr) {
+ memset(clear, 0xFF, sizeof clear);
+ memset(ciphr, 0xFF, sizeof ciphr);
+ return;
}
+ dc.decrypt(clear, ciphr);
}
- /* If we have a connection that can take all the data, use it.
- Otherwise, use the connection that can take as much of the data
- as possible. As a special case, if no connection can take data,
- targbelow, targabove, maxbelow, and minabove will all still have
- their initial values, so we'll return NULL and set blocksize to 0,
- which callers know how to handle. */
- if (targabove) {
- *blocksize = minabove;
- return targabove;
- } else {
- *blocksize = maxbelow;
- return targbelow;
- }
-}
-
-static int
-chop_send_block(chop_conn_t *dest,
- chop_circuit_t *ckt,
- struct evbuffer *source,
- struct evbuffer *block,
- uint16_t length,
- uint16_t flags)
-{
- chop_header hdr;
- struct evbuffer_iovec v;
- uint8_t *p;
-
- log_assert(evbuffer_get_length(block) == 0);
- log_assert(evbuffer_get_length(source) >= length);
- log_assert(dest->steg);
-
- /* We take special care not to modify 'source' if any step fails. */
- if (evbuffer_reserve_space(block,
- length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN,
- &v, 1) != 1)
- return -1;
- if (v.iov_len < length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN)
- goto fail;
-
- v.iov_len = length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN;
-
- hdr.ckt_id = ckt->circuit_id;
- hdr.offset = ckt->send_offset;
- hdr.length = length;
- hdr.flags = flags;
- rng_bytes(hdr.pkt_iv, 8);
- chop_write_header((uint8_t*)v.iov_base, &hdr);
-
- if (evbuffer_copyout(source, (uint8_t *)v.iov_base + CHOP_WIRE_HDR_LEN,
- length) != length)
- goto fail;
-
- p = (uint8_t *)v.iov_base;
- ckt->send_crypt->encrypt(p + 16, p + 16, length + CHOP_WIRE_HDR_LEN - 16,
- p, 16);
-
- if (evbuffer_commit_space(block, &v, 1))
- goto fail;
-
- if (dest->steg->transmit(block, dest))
- goto fail_committed;
-
- if (evbuffer_drain(source, length))
- /* this really should never happen, and we can't recover from it */
- log_abort(dest, "evbuffer_drain failed"); /* does not return */
-
- /* Cancel the must-transmit timer if it's pending; we have transmitted. */
- if (dest->must_transmit_timer)
- evtimer_del(dest->must_transmit_timer);
-
- if (!(flags & CHOP_F_CHAFF))
- ckt->send_offset += length;
- if (flags & CHOP_F_SYN)
- ckt->sent_syn = true;
- if (flags & CHOP_F_FIN)
- ckt->sent_fin = true;
- log_debug(dest, "sent %lu+%u byte block [flags %04hx]",
- (unsigned long)CHOP_WIRE_HDR_LEN, length, flags);
-
- return 0;
-
- fail:
- v.iov_len = 0;
- evbuffer_commit_space(block, &v, 1);
- fail_committed:
- evbuffer_drain(block, evbuffer_get_length(block));
- log_warn(dest, "allocation or buffer copy failed");
-
- return -1;
-}
-
-static int
-chop_send_blocks(chop_circuit_t *ckt)
-{
- struct evbuffer *xmit_pending = bufferevent_get_input(ckt->up_buffer);
- struct evbuffer *block;
- chop_conn_t *target;
- size_t avail;
- size_t blocksize;
- uint16_t flags;
+ uint32_t seqno() const
+ {
+ return ((uint32_t(clear[0]) << 24) |
+ (uint32_t(clear[1]) << 16) |
+ (uint32_t(clear[2]) << 8) |
+ (uint32_t(clear[3]) ));
- if (!(block = evbuffer_new())) {
- log_warn(ckt, "allocation failure");
- return -1;
}
- for (;;) {
- avail = evbuffer_get_length(xmit_pending);
- flags = ckt->sent_syn ? 0 : CHOP_F_SYN;
-
- log_debug(ckt, "%lu bytes to send", (unsigned long)avail);
-
- if (avail == 0)
- break;
-
- target = chop_pick_connection(ckt, avail, &blocksize);
- if (!target) {
- log_debug(ckt, "no target connection available");
- /* this is not an error; it can happen e.g. when the server has
- something to send immediately and the client hasn't spoken yet */
- break;
- }
-
- if (avail <= blocksize) {
- blocksize = avail;
- if (ckt->upstream_eof && !ckt->sent_fin)
- flags |= CHOP_F_FIN;
- }
-
- if (chop_send_block(target, ckt, xmit_pending, block, blocksize, flags)) {
- evbuffer_free(block);
- return -1;
- }
+ size_t dlen() const
+ {
+ return ((uint16_t(clear[4]) << 8) |
+ (uint16_t(clear[5]) ));
}
- evbuffer_free(block);
- avail = evbuffer_get_length(xmit_pending);
- if (avail)
- log_debug(ckt, "%lu bytes still waiting to be sent", (unsigned long)avail);
- return 0;
-}
-
-static int
-chop_send_targeted(chop_circuit_t *ckt, chop_conn_t *target, size_t blocksize)
-{
- struct evbuffer *xmit_pending = bufferevent_get_input(ckt->up_buffer);
- size_t avail = evbuffer_get_length(xmit_pending);
- struct evbuffer *block = evbuffer_new();
- uint16_t flags = 0;
-
- log_debug(target, "%lu bytes available, %lu bytes room",
- (unsigned long)avail, (unsigned long)blocksize);
- if (!block) {
- log_warn(target, "allocation failure");
- return -1;
+ size_t plen() const
+ {
+ return ((uint16_t(clear[6]) << 8) |
+ (uint16_t(clear[7]) ));
}
- if (!ckt->sent_syn)
- flags |= CHOP_F_SYN;
-
- if (avail) {
- if (avail <= blocksize) {
- blocksize = avail;
- if (ckt->upstream_eof && !ckt->sent_fin)
- flags |= CHOP_F_FIN;
- }
-
-
- if (chop_send_block(target, ckt, xmit_pending, block, blocksize, flags)) {
- evbuffer_free(block);
- return -1;
- }
-
- evbuffer_free(block);
- avail = evbuffer_get_length(xmit_pending);
- if (avail)
- log_debug(ckt, "%lu bytes still waiting to be sent",
- (unsigned long)avail);
- return 0;
-
- } else {
- struct evbuffer *chaff;
- struct evbuffer_iovec v;
-
- if (blocksize > CHOP_MAX_CHAFF)
- blocksize = CHOP_MAX_CHAFF;
-
- blocksize = rng_range(1, blocksize + 1);
- log_debug(target, "generating %lu bytes chaff", (unsigned long)blocksize);
-
- chaff = evbuffer_new();
- if (!chaff ||
- evbuffer_reserve_space(chaff, blocksize, &v, 1) != 1 ||
- v.iov_len < blocksize)
- goto fail;
-
- v.iov_len = blocksize;
- memset(v.iov_base, 0, v.iov_len);
- if (evbuffer_commit_space(chaff, &v, 1))
- goto fail;
-
- flags |= CHOP_F_CHAFF;
- if (ckt->upstream_eof && !ckt->sent_fin)
- flags |= CHOP_F_FIN;
- if (chop_send_block(target, ckt, chaff, block, blocksize, flags))
- goto fail;
-
- evbuffer_free(chaff);
- evbuffer_free(block);
- return 0;
-
- fail:
- log_warn(target, "failed to construct chaff block");
- if (chaff) evbuffer_free(chaff);
- if (block) evbuffer_free(block);
- return -1;
+ size_t total_len() const
+ {
+ return HEADER_LEN + TRAILER_LEN + dlen() + plen();
}
-}
-
-static int
-chop_send_chaff(chop_circuit_t *ckt)
-{
- size_t room;
- chop_conn_t *target = chop_pick_connection(ckt, 1, &room);
- if (!target) {
- /* If we have connections and we can't send, that means we're waiting
- for the server to respond. Just wait. */
- return 0;
+ opcode_t opcode() const
+ {
+ return opcode_t(clear[8]);
}
- return chop_send_targeted(ckt, target, room);
-}
-
-static void
-must_transmit_timer_cb(evutil_socket_t, short, void *arg)
-{
- chop_conn_t *conn = static_cast<chop_conn_t*>(arg);
- size_t room;
- if (!conn->upstream) {
- log_debug(conn, "must transmit, but no circuit (stale connection)");
- conn_do_flush(conn);
- return;
+ bool valid(uint64_t window) const
+ {
+ // This check must run in constant time.
+ uint8_t ck = (clear[ 9] | clear[10] | clear[11] | clear[12] |
+ clear[13] | clear[14] | clear[15]);
+ uint32_t delta = seqno() - window;
+ ck |= !!(delta & ~uint32_t(0xFF));
+ return !ck;
}
- if (!conn->steg) {
- log_warn(conn, "must transmit, but no steg module available");
- return;
- }
- room = conn->steg->transmit_room(conn);
- if (room <= CHOP_BLOCK_OVERHD) {
- log_warn(conn, "must transmit, but no transmit room");
- return;
+ const uint8_t *nonce() const
+ {
+ return ciphr;
}
- log_debug(conn, "must transmit");
- chop_send_targeted(conn->upstream, conn, room - CHOP_BLOCK_OVERHD);
-}
+ const uint8_t *cleartext() const
+ {
+ return clear;
+ }
+};
-/* Receive subroutines. */
+/* Most of a block's header information is processed before it reaches
+ the reassembly queue; the only things the queue needs to record are
+ the sequence number (which is stored implictly), the opcode, and an
+ evbuffer holding the data section. Zero-data blocks still get an
+ evbuffer, for simplicity's sake: a reassembly queue element holds a
+ received block if and only if its data pointer is non-null.
-/* True if s < t (mod 2**32). */
-static inline bool
-mod32_lt(uint32_t s, uint32_t t)
-{
- uint32_t d = t - s;
- return 0 < d && d < 0x80000000u;
-}
+ The reassembly queue is a 256-element circular buffer of
+ 'reassembly_elt' structs. This corresponds to the 256-element
+ sliding window of sequence numbers which may legitimately be
+ received at any time. */
-/* True if s <= t (mod 2**32). */
-static inline bool
-mod32_le(uint32_t s, uint32_t t)
+struct reassembly_elt
{
- uint32_t d = t - s;
- return d < 0x80000000u;
-}
+ evbuffer *data;
+ opcode_t op;
+};
-/** Add BLOCK to the reassembly queue at the appropriate location
- and merge adjacent blocks to the extent possible. */
-static int
-chop_reassemble_block(chop_circuit_t *ckt, struct evbuffer *block,
- chop_header *hdr)
+class reassembly_queue
{
- chop_reassembly_elt *queue = &ckt->reassembly_queue;
- chop_reassembly_elt *p, *q;
-
- if (hdr->flags & CHOP_F_CHAFF) {
- /* Chaff goes on the reassembly queue if it carries any flags that
- must be processed in sequence (SYN, FIN), but we throw away its
- contents. Doing all chaff-handling here simplifies the caller
- at the expense of slightly more buffer-management overhead. */
- if (!(hdr->flags & (CHOP_F_SYN|CHOP_F_FIN))) {
- log_debug(ckt, "discarding chaff with no flags");
- evbuffer_free(block);
- return 0;
- }
+ reassembly_elt cbuf[256];
+ uint32_t next_to_process;
- hdr->length = 0;
- evbuffer_drain(block, evbuffer_get_length(block));
- log_debug(ckt, "chaff with flags, treating length as 0");
- }
+ reassembly_queue(const reassembly_queue&) DELETE_METHOD;
+ reassembly_queue& operator=(const reassembly_queue&) DELETE_METHOD;
- /* SYN must occur at offset zero, may not be duplicated, and if we
- already have anything on the reassembly queue, it must come
- logically after this block. */
- if ((hdr->flags & CHOP_F_SYN) &&
- (hdr->offset > 0 ||
- (queue->next != queue &&
- ((queue->next->flags & CHOP_F_SYN) ||
- !mod32_le(hdr->offset + hdr->length, queue->next->offset))))) {
- log_warn(ckt, "protocol error: inappropriate SYN block");
- return -1;
+public:
+ reassembly_queue()
+ : next_to_process(0)
+ {
+ memset(cbuf, 0, sizeof cbuf);
}
- /* FIN may not be duplicated and must occur logically after everything
- we've already received. */
- if ((hdr->flags & CHOP_F_FIN) && queue->prev != queue &&
- ((queue->prev->flags & CHOP_F_FIN) ||
- !mod32_le(queue->prev->offset + queue->prev->length, hdr->offset))) {
- log_warn(ckt, "protocol error: inappropriate FIN block");
- return -1;
+ ~reassembly_queue()
+ {
+ for (int i = 0; i < 256; i++)
+ if (cbuf[i].data)
+ evbuffer_free(cbuf[i].data);
}
- /* Non-SYN/FIN must come after any SYN block presently in the queue
- and before any FIN block presently in the queue. */
- if (!(hdr->flags & (CHOP_F_SYN|CHOP_F_FIN)) && queue->next != queue &&
- (((queue->next->flags & CHOP_F_SYN) &&
- !mod32_le(queue->next->offset + queue->next->length, hdr->offset)) ||
- ((queue->prev->flags & CHOP_F_FIN) &&
- !mod32_le(hdr->offset + hdr->length, queue->prev->offset)))) {
- log_warn(ckt, "protocol error: inappropriate normal block");
- return -1;
+ // Remove the next block to be processed from the reassembly queue
+ // and return it. If we are out of blocks or the next block to
+ // process has not yet arrived, return an empty reassembly_elt.
+ // Caller is responsible for freeing the evbuffer in the
+ // reassembly_elt, if any.
+ reassembly_elt
+ remove_next()
+ {
+ reassembly_elt rv = { 0, op_DAT };
+ uint8_t front = next_to_process & 0xFF;
+ if (cbuf[front].data) {
+ rv = cbuf[front];
+ cbuf[front].data = 0;
+ cbuf[front].op = op_DAT;
+ next_to_process++;
+ }
+ return rv;
}
- for (p = queue->next; p != queue; p = p->next) {
- /* Try first to merge the new block into an existing one. */
- if (hdr->offset + hdr->length == p->offset)
- goto grow_front;
-
- if (hdr->offset == p->offset + p->length)
- goto grow_back;
-
- /* Does this block fit in between 'p->prev' and 'p'?
- Note: if 'p->prev->data' is NULL, it is the sentinel,
- and p->prev->offset is meaningless. */
- if (mod32_lt(hdr->offset + hdr->length, p->offset)) {
- if (!p->prev->data ||
- mod32_lt(p->prev->offset + p->prev->length, hdr->offset))
- break;
-
- /* protocol error: this block goes before 'p' but does not fit
- after 'p->prev' */
- log_warn(ckt, "protocol error: %u byte block does not fit at offset %u",
- hdr->length, hdr->offset);
- return -1;
+ // Insert a block into the reassembly queue at sequence number
+ // SEQNO, with opcode OP and data section DATA. Returns true if the
+ // block was successfully added to the queue, false if it is either
+ // outside the acceptable window or duplicates a block already on
+ // the queue (both of these cases indicate protocol errors).
+ // DATA is consumed no matter what the return value is.
+ bool
+ insert(uint32_t seqno, opcode_t op, evbuffer *data, conn_t *conn)
+ {
+ if (seqno - window() > 255) {
+ log_warn(conn, "block outside receive window");
+ evbuffer_free(data);
+ return false;
+ }
+ uint8_t front = next_to_process & 0xFF;
+ uint8_t pos = front + (seqno - window());
+ if (cbuf[pos].data) {
+ log_warn(conn, "duplicate block");
+ evbuffer_free(data);
+ return false;
}
- }
- /* This block goes before, but does not merge with, 'p'.
- Special case: if 'p' is the sentinel, we have not yet checked
- that this block goes after the last block in the list (aka p->prev). */
- if (!p->data && p->prev->data &&
- !mod32_lt(p->prev->offset + p->prev->length, hdr->offset)) {
- log_warn(ckt, "protocol error: %u byte block does not fit at offset %u "
- "(sentinel case)",
- hdr->length, hdr->offset);
- return -1;
+ cbuf[pos].data = data;
+ cbuf[pos].op = op;
+ return true;
}
- q = (chop_reassembly_elt *)xzalloc(sizeof(chop_reassembly_elt));
- q->data = block;
- q->offset = hdr->offset;
- q->length = hdr->length;
- q->flags = hdr->flags;
+ // Return the current lowest acceptable sequence number in the
+ // receive window. This is the value to be passed to
+ // block_header::valid().
+ uint32_t window() const { return next_to_process; }
- q->prev = p->prev;
- q->next = p;
- q->prev->next = q;
- q->next->prev = q;
- return 0;
-
- grow_back:
- if (evbuffer_add_buffer(p->data, block)) {
- log_warn(ckt, "failed to append to existing buffer");
- return -1;
- }
- evbuffer_free(block);
- p->length += hdr->length;
- p->flags |= hdr->flags;
-
- /* Can we now combine 'p' with its successor? */
- while (p->next->data && p->offset + p->length == p->next->offset) {
- q = p->next;
- if (evbuffer_add_buffer(p->data, q->data)) {
- log_warn(ckt, "failed to merge buffers");
- return -1;
+ // As the last step of a rekeying cycle, the expected next sequence number
+ // is reset to zero.
+ void reset()
+ {
+ for (int i = 0; i < 256; i++) {
+ log_assert(!cbuf[i].data);
}
- p->length += q->length;
- p->flags |= q->flags;
-
- evbuffer_free(q->data);
- q->next->prev = q->prev;
- q->prev->next = q->next;
- free(q);
+ next_to_process = 0;
}
- return 0;
+};
- grow_front:
- if (evbuffer_prepend_buffer(p->data, block)) {
- log_warn(ckt, "failed to prepend to existing buffer");
- return -1;
- }
- evbuffer_free(block);
- p->length += hdr->length;
- p->offset -= hdr->length;
- p->flags |= hdr->flags;
-
- /* Can we now combine 'p' with its predecessor? */
- while (p->prev->data && p->offset == p->prev->offset + p->prev->length) {
- q = p->prev;
- if (evbuffer_prepend_buffer(p->data, q->data)) {
- log_warn(ckt, "failed to merge buffers");
- return -1;
- }
- p->length += q->length;
- p->offset -= q->length;
- p->flags |= q->flags;
-
- evbuffer_free(q->data);
- q->next->prev = q->prev;
- q->prev->next = q->next;
- free(q);
- }
+// Protocol objects
- return 0;
-}
+struct chop_config_t;
+struct chop_circuit_t;
-/* Flush as much data toward upstream as we can. */
-static int
-chop_push_to_upstream(chop_circuit_t *ckt)
-{
- /* Only the first reassembly queue entry, if any, can possibly be
- ready to flush (because chop_reassemble_block ensures that there
- are gaps between all queue elements). */
- chop_reassembly_elt *ready = ckt->reassembly_queue.next;
- if (!ready->data || ckt->recv_offset != ready->offset) {
- log_debug(ckt, "no data pushable to upstream yet");
- return 0;
- }
+typedef unordered_map<uint32_t, chop_circuit_t *> chop_circuit_table;
- if (!ckt->received_syn) {
- if (!(ready->flags & CHOP_F_SYN)) {
- log_debug(ckt, "waiting for SYN");
- return 0;
- }
- log_debug(ckt, "processed SYN");
- ckt->received_syn = true;
- }
+struct chop_conn_t : conn_t
+{
+ chop_config_t *config;
+ chop_circuit_t *upstream;
+ steg_t *steg;
+ struct evbuffer *recv_pending;
+ struct event *must_send_timer;
+ bool sent_handshake : 1;
+ bool no_more_transmissions : 1;
+
+ CONN_DECLARE_METHODS(chop);
+
+ int recv_handshake();
+ int send(struct evbuffer *block);
+
+ void send();
+ bool must_send_p() const;
+ static void must_send_timeout(evutil_socket_t, short, void *arg);
+};
- log_debug(ckt, "can push %lu bytes to upstream",
- (unsigned long)evbuffer_get_length(ready->data));
- if (evbuffer_add_buffer(bufferevent_get_output(ckt->up_buffer),
- ready->data)) {
- log_warn(ckt, "failure pushing data to upstream");
- return -1;
+struct chop_circuit_t : circuit_t
+{
+ reassembly_queue recv_queue;
+ unordered_set<chop_conn_t *> downstreams;
+ gcm_encryptor *send_crypt;
+ ecb_encryptor *send_hdr_crypt;
+ gcm_decryptor *recv_crypt;
+ ecb_decryptor *recv_hdr_crypt;
+ chop_config_t *config;
+
+ uint32_t circuit_id;
+ uint32_t send_seq;
+ uint32_t dead_cycles;
+ bool received_fin : 1;
+ bool sent_fin : 1;
+ bool upstream_eof : 1;
+
+ CIRCUIT_DECLARE_METHODS(chop);
+
+ // Shortcut some unnecessary conversions for callers within this file.
+ void add_downstream(chop_conn_t *conn);
+ void drop_downstream(chop_conn_t *conn);
+
+ int send_special(opcode_t f, struct evbuffer *payload);
+ int send_targeted(chop_conn_t *conn);
+ int send_targeted(chop_conn_t *conn, size_t blocksize);
+ int send_targeted(chop_conn_t *conn, size_t d, size_t p, opcode_t f,
+ struct evbuffer *payload);
+
+ chop_conn_t *pick_connection(size_t desired, size_t *blocksize);
+
+ int process_queue();
+ int check_for_eof();
+
+ uint32_t axe_interval() {
+ // This function must always return a number which is larger than
+ // the maximum possible number that *our peer's* flush_interval()
+ // could have returned; otherwise, we might axe the connection when
+ // it was just that there was nothing to say for a while.
+ // For simplicity's sake, right now we hardwire this to be 30 minutes.
+ return 30 * 60 * 1000;
}
-
- ckt->dead_cycles = 0;
- ckt->recv_offset += ready->length;
-
- if (ready->flags & CHOP_F_FIN) {
- log_assert(!ckt->received_fin);
- log_assert(ready->next == &ckt->reassembly_queue);
- ckt->received_fin = true;
- log_debug(ckt, "processed FIN");
- circuit_recv_eof(ckt);
+ uint32_t flush_interval() {
+ // 10*60*1000 lies between 2^19 and 2^20.
+ uint32_t shift = std::max(1u, std::min(19u, dead_cycles));
+ uint32_t xv = std::max(1u, std::min(10u * 60 * 1000, 1u << shift));
+ return rng_range_geom(20 * 60 * 1000, xv) + 100;
}
+};
- log_assert(ready->next == &ckt->reassembly_queue ||
- ready->next->offset != ckt->recv_offset);
- ready->next->prev = ready->prev;
- ready->prev->next = ready->next;
-
- evbuffer_free(ready->data);
- free(ready);
- return 0;
-}
-
-/* Circuit handling */
-
-static int
-chop_find_or_make_circuit(chop_conn_t *conn, uint64_t circuit_id)
+struct chop_config_t : config_t
{
- chop_circuit_table::value_type in(circuit_id, 0);
- std::pair<chop_circuit_table::iterator, bool> out
- = conn->config->circuits.insert(in);
- chop_circuit_t *ck;
-
- if (!out.second) { // element already exists
- if (!out.first->second) {
- log_debug(conn, "stale circuit");
- return 0;
- }
- ck = out.first->second;
- log_debug(conn, "found circuit to %s", ck->up_peer);
- } else {
- ck = dynamic_cast<chop_circuit_t *>(circuit_create(conn->config, 0));
- if (!ck) {
- log_warn(conn, "failed to create new circuit");
- return -1;
- }
- if (circuit_open_upstream(ck)) {
- log_warn(conn, "failed to begin upstream connection");
- delete ck;
- return -1;
- }
- log_debug(conn, "created new circuit to %s", ck->up_peer);
- ck->circuit_id = circuit_id;
- out.first->second = ck;
- }
+ struct evutil_addrinfo *up_address;
+ vector<struct evutil_addrinfo *> down_addresses;
+ vector<const char *> steg_targets;
+ chop_circuit_table circuits;
- ck->add_downstream(conn);
- return 0;
-}
+ CONFIG_DECLARE_METHODS(chop);
+};
-/* Protocol methods */
+// Configuration methods
chop_config_t::chop_config_t()
{
@@ -833,7 +390,7 @@ chop_config_t::~chop_config_t()
i != down_addresses.end(); i++)
evutil_freeaddrinfo(*i);
- /* The strings in steg_targets are not on the heap. */
+ // The strings in steg_targets are not on the heap.
for (chop_circuit_table::iterator i = circuits.begin();
i != circuits.end(); i++)
@@ -854,28 +411,28 @@ chop_config_t::init(int n_options, const char *const *options)
}
if (!strcmp(options[0], "client")) {
- defport = "48988"; /* bf5c */
- this->mode = LSN_SIMPLE_CLIENT;
+ defport = "48988"; // bf5c
+ mode = LSN_SIMPLE_CLIENT;
listen_up = 1;
} else if (!strcmp(options[0], "socks")) {
- defport = "23548"; /* 5bf5 */
- this->mode = LSN_SOCKS_CLIENT;
+ defport = "23548"; // 5bf5
+ mode = LSN_SOCKS_CLIENT;
listen_up = 1;
} else if (!strcmp(options[0], "server")) {
- defport = "11253"; /* 2bf5 */
- this->mode = LSN_SIMPLE_SERVER;
+ defport = "11253"; // 2bf5
+ mode = LSN_SIMPLE_SERVER;
listen_up = 0;
} else
goto usage;
- this->up_address = resolve_address_port(options[1], 1, listen_up, defport);
- if (!this->up_address) {
+ up_address = resolve_address_port(options[1], 1, listen_up, defport);
+ if (!up_address) {
log_warn("chop: invalid up address: %s", options[1]);
goto usage;
}
- /* From here on out, arguments alternate between downstream
- addresses and steg targets. */
+ // From here on out, arguments alternate between downstream
+ // addresses and steg targets.
for (i = 2; i < n_options; i++) {
struct evutil_addrinfo *addr =
resolve_address_port(options[i], 1, !listen_up, NULL);
@@ -883,7 +440,7 @@ chop_config_t::init(int n_options, const char *const *options)
log_warn("chop: invalid down address: %s", options[i]);
goto usage;
}
- this->down_addresses.push_back(addr);
+ down_addresses.push_back(addr);
i++;
if (i == n_options) {
@@ -895,7 +452,7 @@ chop_config_t::init(int n_options, const char *const *options)
log_warn("chop: steganographer '%s' not supported", options[i]);
goto usage;
}
- this->steg_targets.push_back(options[i]);
+ steg_targets.push_back(options[i]);
}
return true;
@@ -917,12 +474,12 @@ chop_config_t::init(int n_options, const char *const *options)
struct evutil_addrinfo *
chop_config_t::get_listen_addrs(size_t n)
{
- if (this->mode == LSN_SIMPLE_SERVER) {
- if (n < this->down_addresses.size())
- return this->down_addresses[n];
+ if (mode == LSN_SIMPLE_SERVER) {
+ if (n < down_addresses.size())
+ return down_addresses[n];
} else {
if (n == 0)
- return this->up_address;
+ return up_address;
}
return 0;
}
@@ -930,58 +487,96 @@ chop_config_t::get_listen_addrs(size_t n)
struct evutil_addrinfo *
chop_config_t::get_target_addrs(size_t n)
{
- if (this->mode == LSN_SIMPLE_SERVER) {
+ if (mode == LSN_SIMPLE_SERVER) {
if (n == 0)
- return this->up_address;
+ return up_address;
} else {
- if (n < this->down_addresses.size())
- return this->down_addresses[n];
+ if (n < down_addresses.size())
+ return down_addresses[n];
}
return NULL;
}
+// Circuit methods
+
+const char passphrase[] =
+ "did you buy one of therapist reawaken chemists continually gamma pacifies?";
+
circuit_t *
chop_config_t::circuit_create(size_t)
{
chop_circuit_t *ckt = new chop_circuit_t;
ckt->config = this;
- if (this->mode == LSN_SIMPLE_SERVER) {
- ckt->send_crypt = gcm_encryptor::create(s2c_key, 16);
- ckt->recv_crypt = gcm_decryptor::create(c2s_key, 16);
- } else {
- ckt->send_crypt = gcm_encryptor::create(c2s_key, 16);
- ckt->recv_crypt = gcm_decryptor::create(s2c_key, 16);
- while (!ckt->circuit_id)
- rng_bytes((uint8_t *)&ckt->circuit_id, sizeof(uint64_t));
-
- chop_circuit_table::value_type in(ckt->circuit_id, 0);
- std::pair<chop_circuit_table::iterator, bool> out = circuits.insert(in);
- log_assert(out.second);
- out.first->second = ckt;
- }
- return ckt;
-}
+ key_generator *kgen =
+ key_generator::from_passphrase((const uint8_t *)passphrase,
+ sizeof(passphrase) - 1,
+ 0, 0, 0, 0);
+ uint8_t kbuf[16];
-chop_circuit_t::chop_circuit_t()
-{
- this->reassembly_queue.next = &this->reassembly_queue;
- this->reassembly_queue.prev = &this->reassembly_queue;
+ if (mode == LSN_SIMPLE_SERVER) {
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->send_crypt = gcm_encryptor::create(kbuf, 16);
+
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->send_hdr_crypt = ecb_encryptor::create(kbuf, 16);
+
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->recv_crypt = gcm_decryptor::create(kbuf, 16);
+
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->recv_hdr_crypt = ecb_decryptor::create(kbuf, 16);
+ } else {
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->recv_crypt = gcm_decryptor::create(kbuf, 16);
+
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->recv_hdr_crypt = ecb_decryptor::create(kbuf, 16);
+
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->send_crypt = gcm_encryptor::create(kbuf, 16);
+
+ log_assert(kgen->generate(kbuf, 16) == 16);
+ ckt->send_hdr_crypt = ecb_encryptor::create(kbuf, 16);
+
+ std::pair<chop_circuit_table::iterator, bool> out;
+ do {
+ do {
+ rng_bytes((uint8_t *)&ckt->circuit_id, sizeof(ckt->circuit_id));
+ } while (!ckt->circuit_id);
+
+ out = circuits.insert(make_pair(ckt->circuit_id, (chop_circuit_t *)0));
+ } while (!out.second);
+
+ out.first->second = ckt;
+ }
+
+ memset(kbuf, 0, 16);
+ delete kgen;
+ return ckt;
}
-chop_circuit_t::~chop_circuit_t()
+chop_circuit_t::chop_circuit_t()
{
- chop_reassembly_elt *p, *q, *queue;
- chop_circuit_table::iterator out;
+}
- log_debug(this, "syn%c%c fin%c%c eof%c ds=%lu",
- sent_syn ? '+' : '-', received_syn ? '+' : '-',
- sent_fin ? '+' : '-', received_fin ? '+' : '-',
- upstream_eof ? '+' : '-',
- (unsigned long)downstreams.size());
+chop_circuit_t::~chop_circuit_t()
+{
+ if (!sent_fin || !received_fin || !upstream_eof) {
+ log_warn(this, "destroying active circuit: fin%c%c eof%c ds=%lu",
+ sent_fin ? '+' : '-', received_fin ? '+' : '-',
+ upstream_eof ? '+' : '-',
+ (unsigned long)downstreams.size());
+#ifdef HAVE_EXECINFO_H
+ int n;
+ void *backtracebuf[256];
+ n = backtrace(backtracebuf, sizeof backtracebuf / sizeof(void*));
+ backtrace_symbols_fd(backtracebuf, n, 2);
+#endif
+ }
- for (unordered_set<chop_conn_t *>::iterator i = this->downstreams.begin();
- i != this->downstreams.end(); i++) {
+ for (unordered_set<chop_conn_t *>::iterator i = downstreams.begin();
+ i != downstreams.end(); i++) {
chop_conn_t *conn = *i;
conn->upstream = NULL;
if (evbuffer_get_length(conn->outbound()) > 0)
@@ -990,28 +585,23 @@ chop_circuit_t::~chop_circuit_t()
delete conn;
}
- delete this->send_crypt;
- delete this->recv_crypt;
-
- queue = &this->reassembly_queue;
- for (q = p = queue->next; p != queue; p = q) {
- q = p->next;
- if (p->data)
- evbuffer_free(p->data);
- free(p);
- }
-
- /* The IDs for old circuits are preserved for a while (at present,
- indefinitely; FIXME: purge them on a timer) against the
- possibility that we'll get a junk connection for one of them
- right after we close it (same deal as the TIME_WAIT state in
- TCP). Note that we can hit this case for the *client* if the
- cover protocol includes a mandatory reply to every client
- message and the hidden channel closed s->c before c->s: the
- circuit will get destroyed on the client side after the c->s FIN,
- and the mandatory reply will be to a stale circuit. */
- out = this->config->circuits.find(this->circuit_id);
- log_assert(out != this->config->circuits.end());
+ delete send_crypt;
+ delete send_hdr_crypt;
+ delete recv_crypt;
+ delete recv_hdr_crypt;
+
+ // The IDs for old circuits are preserved for a while (at present,
+ // indefinitely; FIXME: purge them on a timer) against the
+ // possibility that we'll get a junk connection for one of them
+ // right after we close it (same deal as the TIME_WAIT state in
+ // TCP). Note that we can hit this case for the *client* if the
+ // cover protocol includes a mandatory reply to every client message
+ // and the hidden channel closed s->c before c->s: the circuit will
+ // get destroyed on the client side after the c->s FIN, and the
+ // mandatory reply will be to a stale circuit.
+ chop_circuit_table::iterator out;
+ out = config->circuits.find(circuit_id);
+ log_assert(out != config->circuits.end());
log_assert(out->second == this);
out->second = NULL;
}
@@ -1019,69 +609,442 @@ chop_circuit_t::~chop_circuit_t()
config_t *
chop_circuit_t::cfg() const
{
- return this->config;
+ return config;
}
void
-chop_circuit_t::add_downstream(conn_t *cn)
+chop_circuit_t::add_downstream(chop_conn_t *conn)
{
- chop_conn_t *conn = dynamic_cast<chop_conn_t *>(cn);
log_assert(conn);
log_assert(!conn->upstream);
-
conn->upstream = this;
- this->downstreams.insert(conn);
+ downstreams.insert(conn);
log_debug(this, "added connection <%d.%d> to %s, now %lu",
- this->serial, conn->serial, conn->peername,
- (unsigned long)this->downstreams.size());
+ serial, conn->serial, conn->peername,
+ (unsigned long)downstreams.size());
circuit_disarm_axe_timer(this);
}
void
-chop_circuit_t::drop_downstream(conn_t *cn)
+chop_circuit_t::add_downstream(conn_t *cn)
+{
+ add_downstream(dynamic_cast<chop_conn_t *>(cn));
+}
+
+void
+chop_circuit_t::drop_downstream(chop_conn_t *conn)
{
- chop_conn_t *conn = dynamic_cast<chop_conn_t *>(cn);
log_assert(conn);
log_assert(conn->upstream == this);
conn->upstream = NULL;
- this->downstreams.erase(conn);
+ downstreams.erase(conn);
log_debug(this, "dropped connection <%d.%d> to %s, now %lu",
- this->serial, conn->serial, conn->peername,
- (unsigned long)this->downstreams.size());
- /* If that was the last connection on this circuit AND we've both
- received and sent a FIN, close the circuit. Otherwise, if we're
- the server, arm a timer that will kill off this circuit in a
- little while if no new connections happen (we might've lost all
- our connections to protocol errors, or because the steg modules
- wanted them closed); if we're the client, send chaff in a bit,
- to enable further transmissions from the server. */
- if (this->downstreams.empty()) {
- if (this->sent_fin && this->received_fin) {
- if (evbuffer_get_length(bufferevent_get_output(this->up_buffer)) > 0)
- /* this may already have happened, but there's no harm in
- doing it again */
+ serial, conn->serial, conn->peername,
+ (unsigned long)downstreams.size());
+ // If that was the last connection on this circuit AND we've both
+ // received and sent a FIN, close the circuit. Otherwise, if we're
+ // the server, arm a timer that will kill off this circuit in a
+ // little while if no new connections happen (we might've lost all
+ // our connections to protocol errors, or because the steg modules
+ // wanted them closed); if we're the client, send chaff in a bit,
+ // to enable further transmissions from the server.
+ if (downstreams.empty()) {
+ if (sent_fin && received_fin) {
+ if (evbuffer_get_length(bufferevent_get_output(up_buffer)) > 0)
+ // this may already have happened, but there's no harm in
+ // doing it again
circuit_do_flush(this);
else
delete this;
- } else if (this->config->mode == LSN_SIMPLE_SERVER) {
- circuit_arm_axe_timer(this, this->axe_interval());
+ } else if (config->mode == LSN_SIMPLE_SERVER) {
+ circuit_arm_axe_timer(this, axe_interval());
} else {
- circuit_arm_flush_timer(this, this->flush_interval());
+ circuit_arm_flush_timer(this, flush_interval());
+ }
+ }
+}
+
+void
+chop_circuit_t::drop_downstream(conn_t *cn)
+{
+ drop_downstream(dynamic_cast<chop_conn_t *>(cn));
+}
+
+int
+chop_circuit_t::send()
+{
+ circuit_disarm_flush_timer(this);
+
+ if (downstreams.empty()) {
+ // We have no connections, but we must send. If we're the client,
+ // reopen our outbound connections; the on-connection event will
+ // bring us back here. If we're the server, we have to just
+ // twiddle our thumbs and hope the client reconnects.
+ log_debug(this, "no downstream connections");
+ if (config->mode != LSN_SIMPLE_SERVER)
+ circuit_reopen_downstreams(this);
+ else
+ circuit_arm_axe_timer(this, axe_interval());
+ return 0;
+ }
+
+ struct evbuffer *xmit_pending = bufferevent_get_input(up_buffer);
+ size_t avail = evbuffer_get_length(xmit_pending);
+ size_t avail0 = avail;
+
+ // Send at least one block, even if there is no real data to send.
+ do {
+ log_debug(this, "%lu bytes to send", (unsigned long)avail);
+ size_t blocksize;
+ chop_conn_t *target = pick_connection(avail, &blocksize);
+ if (!target) {
+ // this is not an error; it can happen e.g. when the server has
+ // something to send immediately and the client hasn't spoken yet
+ log_debug(this, "no target connection available");
+ break;
+ }
+
+ if (send_targeted(target, blocksize))
+ return -1;
+
+ avail = evbuffer_get_length(xmit_pending);
+ } while (avail > 0);
+
+ if (avail0 > avail) // we transmitted some real data
+ dead_cycles = 0;
+ else {
+ dead_cycles++;
+ log_debug(this, "%u dead cycles", dead_cycles);
+ }
+
+ return check_for_eof();
+}
+
+int
+chop_circuit_t::send_eof()
+{
+ upstream_eof = true;
+ return send();
+}
+
+int
+chop_circuit_t::send_special(opcode_t f, struct evbuffer *payload)
+{
+ size_t d = payload ? evbuffer_get_length(payload) : 0;
+ size_t blocksize;
+ log_assert(d <= SECTION_LEN);
+ chop_conn_t *conn = pick_connection(d, &blocksize);
+
+ if (!conn || (blocksize - MIN_BLOCK_SIZE < d)) {
+ log_warn("no usable connection for special block "
+ "(opcode %02x, need %lu bytes, have %lu)",
+ (unsigned int)f, (unsigned long)(d + MIN_BLOCK_SIZE),
+ (unsigned long)blocksize);
+ return -1;
+ }
+
+ return send_targeted(conn, d, (blocksize - MIN_BLOCK_SIZE) - d, f, payload);
+}
+
+int
+chop_circuit_t::send_targeted(chop_conn_t *conn)
+{
+ size_t avail = evbuffer_get_length(bufferevent_get_input(up_buffer));
+ if (avail > SECTION_LEN)
+ avail = SECTION_LEN;
+ avail += MIN_BLOCK_SIZE;
+
+ size_t room = conn->steg->transmit_room(conn);
+ if (room < MIN_BLOCK_SIZE) {
+ log_warn(conn, "send() called without enough transmit room "
+ "(have %lu, need %lu)", (unsigned long)room,
+ (unsigned long)MIN_BLOCK_SIZE);
+ return -1;
+ }
+ log_debug(conn, "offers %lu bytes (%s)", (unsigned long)room,
+ conn->steg->name());
+
+ if (room < avail)
+ avail = room;
+
+ return send_targeted(conn, avail);
+}
+
+int
+chop_circuit_t::send_targeted(chop_conn_t *conn, size_t blocksize)
+{
+ log_assert(blocksize >= MIN_BLOCK_SIZE && blocksize <= MAX_BLOCK_SIZE);
+
+ struct evbuffer *xmit_pending = bufferevent_get_input(up_buffer);
+ size_t avail = evbuffer_get_length(xmit_pending);
+ opcode_t op = op_DAT;
+
+ if (avail > SECTION_LEN)
+ avail = SECTION_LEN;
+ else if (upstream_eof && !sent_fin)
+ // this block will carry the last byte of real data to be sent in
+ // this direction; mark it as such
+ op = op_FIN;
+
+ return send_targeted(conn, avail, (blocksize - MIN_BLOCK_SIZE) - avail,
+ op, xmit_pending);
+}
+
+int
+chop_circuit_t::send_targeted(chop_conn_t *conn, size_t d, size_t p, opcode_t f,
+ struct evbuffer *payload)
+{
+ log_assert(payload || d == 0);
+ log_assert(d <= SECTION_LEN);
+ log_assert(p <= SECTION_LEN);
+
+ struct evbuffer *block = evbuffer_new();
+ if (!block) {
+ log_warn(conn, "memory allocation failure");
+ return -1;
+ }
+
+ size_t blocksize = d + p + MIN_BLOCK_SIZE;
+ struct evbuffer_iovec v;
+ if (evbuffer_reserve_space(block, blocksize, &v, 1) != 1 ||
+ v.iov_len < blocksize) {
+ log_warn(conn, "memory allocation failure");
+ return -1;
+ }
+ v.iov_len = blocksize;
+
+ block_header hdr(send_seq, d, p, f, *send_hdr_crypt);
+ log_assert(hdr.valid(send_seq));
+ memcpy(v.iov_base, hdr.nonce(), HEADER_LEN);
+
+ uint8_t encodebuf[SECTION_LEN*2];
+ if (payload) {
+ if (evbuffer_copyout(payload, encodebuf, d) != (ssize_t)d) {
+ log_warn(conn, "failed to extract payload");
+ evbuffer_free(block);
+ return -1;
+ }
+ }
+ memset(encodebuf + d, 0, p);
+ send_crypt->encrypt((uint8_t *)v.iov_base + HEADER_LEN, encodebuf,
+ d + p, hdr.nonce(), HEADER_LEN);
+ if (evbuffer_commit_space(block, &v, 1)) {
+ log_warn(conn, "failed to commit block buffer");
+ evbuffer_free(block);
+ return -1;
+ }
+
+ log_debug(conn, "transmitting block %u <d=%lu p=%lu f=%02x>",
+ hdr.seqno(), (unsigned long)hdr.dlen(), (unsigned long)hdr.plen(),
+ (uint8_t)hdr.opcode());
+
+ if (conn->send(block)) {
+ evbuffer_free(block);
+ return -1;
+ }
+
+ evbuffer_free(block);
+ evbuffer_drain(payload, d);
+
+ send_seq++;
+ if (f == op_FIN)
+ sent_fin = true;
+ return 0;
+}
+
+// N.B. 'desired' is the desired size of the _data section_, and
+// 'blocksize' on output is the size to make the _entire block_.
+chop_conn_t *
+chop_circuit_t::pick_connection(size_t desired, size_t *blocksize)
+{
+ size_t maxbelow = 0;
+ size_t minabove = MAX_BLOCK_SIZE + 1;
+ chop_conn_t *targbelow = 0;
+ chop_conn_t *targabove = 0;
+
+ if (desired > SECTION_LEN)
+ desired = SECTION_LEN;
+
+ desired += MIN_BLOCK_SIZE;
+
+ log_debug(this, "target block size %lu bytes", (unsigned long)desired);
+
+ // Find the best fit for the desired transmission from all the
+ // outbound connections' transmit rooms.
+ for (unordered_set<chop_conn_t *>::iterator i = downstreams.begin();
+ i != downstreams.end(); i++) {
+ chop_conn_t *conn = *i;
+ // We can only use candidates that have a steg target already.
+ if (conn->steg) {
+ // Find the connections whose transmit rooms are closest to the
+ // desired transmission length from both directions.
+ size_t room = conn->steg->transmit_room(conn);
+
+ if (room <= MIN_BLOCK_SIZE)
+ room = 0;
+
+ if (room > MAX_BLOCK_SIZE)
+ room = MAX_BLOCK_SIZE;
+
+ log_debug(conn, "offers %lu bytes (%s)", (unsigned long)room,
+ conn->steg->name());
+
+ if (room >= desired) {
+ if (room < minabove) {
+ minabove = room;
+ targabove = conn;
+ }
+ } else {
+ if (room > maxbelow) {
+ maxbelow = room;
+ targbelow = conn;
+ }
+ }
+ } else {
+ log_debug(conn, "offers 0 bytes (no steg)");
+ }
+ }
+
+ log_debug(this, "minabove %lu for <%u.%u> maxbelow %lu for <%u.%u>",
+ (unsigned long)minabove, serial, targabove ? targabove->serial :0,
+ (unsigned long)maxbelow, serial, targbelow ? targbelow->serial :0);
+
+ // If we have a connection that can take all the data, use it.
+ // Otherwise, use the connection that can take as much of the data
+ // as possible. As a special case, if no connection can take data,
+ // targbelow, targabove, maxbelow, and minabove will all still have
+ // their initial values, so we'll return NULL and set blocksize to 0,
+ // which callers know how to handle.
+ if (targabove) {
+ *blocksize = desired;
+ return targabove;
+ } else {
+ *blocksize = maxbelow;
+ return targbelow;
+ }
+}
+
+int
+chop_circuit_t::process_queue()
+{
+ reassembly_elt blk;
+ unsigned int count = 0;
+ bool pending_fin = false;
+ bool pending_error = false;
+ bool sent_error = false;
+ while ((blk = recv_queue.remove_next()).data) {
+ switch (blk.op) {
+ case op_FIN:
+ if (received_fin) {
+ log_info(this, "protocol error: duplicate FIN");
+ pending_error = true;
+ break;
+ }
+ log_debug(this, "received FIN");
+ pending_fin = true;
+ // fall through - block may have data
+ case op_DAT:
+ if (evbuffer_get_length(blk.data)) {
+ if (received_fin) {
+ log_info(this, "protocol error: data after FIN");
+ pending_error = true;
+ } else {
+ if (evbuffer_add_buffer(bufferevent_get_output(up_buffer),
+ blk.data)) {
+ log_warn(this, "buffer transfer failure");
+ pending_error = true;
+ }
+ }
+ }
+ break;
+
+ case op_RST:
+ log_info(this, "received RST; disconnecting circuit");
+ circuit_recv_eof(this);
+ pending_error = true;
+ break;
+
+ case op_RK1:
+ case op_RK2:
+ case op_RK3:
+ log_warn(this, "rekeying not yet implemented");
+ pending_error = true;
+ break;
+
+ default:
+ log_warn(this, "protocol error: unknown block opcode %x",
+ (unsigned int)blk.op);
+ pending_error = true;
+ break;
+ }
+
+ evbuffer_free(blk.data);
+
+ if (pending_fin && !received_fin) {
+ circuit_recv_eof(this);
+ received_fin = true;
}
+ if (pending_error && !sent_error) {
+ // there's no point sending an RST in response to an RST or a
+ // duplicate FIN
+ if (blk.op != op_RST && blk.op != op_FIN)
+ send_special(op_RST, 0);
+ sent_error = true;
+ }
+ count++;
}
+
+ log_debug(this, "processed %u blocks", count);
+ if (count > 0)
+ dead_cycles = 0;
+ if (sent_error)
+ return -1;
+
+ // It may have become possible to send queued data or a FIN.
+ if (evbuffer_get_length(bufferevent_get_input(up_buffer))
+ || (upstream_eof && !sent_fin))
+ return send();
+
+ return check_for_eof();
}
+int
+chop_circuit_t::check_for_eof()
+{
+ // If we're at EOF both ways, close all connections, sending first
+ // if necessary.
+ if (sent_fin && received_fin) {
+ circuit_disarm_flush_timer(this);
+ for (unordered_set<chop_conn_t *>::iterator i = downstreams.begin();
+ i != downstreams.end(); i++) {
+ chop_conn_t *conn = *i;
+ if (conn->must_send_p())
+ conn->send();
+ conn_send_eof(conn);
+ }
+ }
+
+
+ // If we're the client we have to keep trying to talk as long as we
+ // haven't both sent and received a FIN, or we might deadlock.
+ else if (config->mode != LSN_SIMPLE_SERVER)
+ circuit_arm_flush_timer(this, flush_interval());
+
+ return 0;
+}
+
+// Connection methods
+
conn_t *
chop_config_t::conn_create(size_t index)
{
chop_conn_t *conn = new chop_conn_t;
conn->config = this;
- conn->steg = steg_new(this->steg_targets.at(index),
- this->mode != LSN_SIMPLE_SERVER);
+ conn->steg = steg_new(steg_targets.at(index), mode != LSN_SIMPLE_SERVER);
if (!conn->steg) {
free(conn);
return 0;
@@ -1097,271 +1060,239 @@ chop_conn_t::chop_conn_t()
chop_conn_t::~chop_conn_t()
{
- if (this->upstream)
- this->upstream->drop_downstream(this);
- if (this->steg)
- delete this->steg;
- if (this->must_transmit_timer)
- event_free(this->must_transmit_timer);
- evbuffer_free(this->recv_pending);
+ if (upstream)
+ upstream->drop_downstream(this);
+ if (steg)
+ delete steg;
+ if (must_send_timer)
+ event_free(must_send_timer);
+ evbuffer_free(recv_pending);
}
circuit_t *
chop_conn_t::circuit() const
{
- return this->upstream;
+ return upstream;
}
int
chop_conn_t::maybe_open_upstream()
{
- /* We can't open the upstream until we have a circuit ID. */
+ // We can't open the upstream until we have a circuit ID.
+ return 0;
+}
+
+int
+chop_conn_t::send(struct evbuffer *block)
+{
+ if (!sent_handshake && config->mode != LSN_SIMPLE_SERVER) {
+ if (!upstream || upstream->circuit_id == 0)
+ log_abort(this, "handshake: can't happen: up%c cid=%u",
+ upstream ? '+' : '-',
+ upstream ? upstream->circuit_id : 0);
+ if (evbuffer_prepend(block, (void *)&upstream->circuit_id,
+ sizeof(upstream->circuit_id))) {
+ log_warn(this, "failed to prepend handshake to first block");
+ return -1;
+ }
+ }
+
+ if (steg->transmit(block, this)) {
+ log_warn(this, "failed to transmit block");
+ return -1;
+ }
+ sent_handshake = true;
+ if (must_send_timer)
+ evtimer_del(must_send_timer);
return 0;
}
int
chop_conn_t::handshake()
{
- /* Chop has no handshake as such, but like dsteg, we need to send
- _something_ from the client on at least one of the channels
- shortly after connection, because the server doesn't know which
- connections go with which circuits till it hears from us, _and_
- it doesn't know what steganography to use. We use a 1ms timeout
- instead of a 10ms timeout as in dsteg, because unlike there, the
- server can't even _connect to its upstream_ till it gets the
- first packet from the client. */
- if (this->config->mode != LSN_SIMPLE_SERVER)
- circuit_arm_flush_timer(this->upstream, 1);
+ // The actual handshake is generated in chop_conn_t::send so that it
+ // can be merged with a block if possible; however, we use this hook
+ // to ensure that the client sends _something_ ASAP after each new
+ // connection, because the server can't forward traffic, or even
+ // open a socket to its own upstream, until it knows which circuit
+ // to associate this new connection with. Note that in some cases
+ // it's possible for us to have _already_ sent something on this
+ // connection by the time we get called back! Don't do it twice.
+ if (config->mode != LSN_SIMPLE_SERVER && !sent_handshake)
+ send();
return 0;
}
int
-chop_circuit_t::send()
+chop_conn_t::recv_handshake()
{
- circuit_disarm_flush_timer(this);
+ log_assert(!upstream);
+ log_assert(config->mode == LSN_SIMPLE_SERVER);
- if (this->downstreams.empty()) {
- /* We have no connections, but we must send. If we're the client,
- reopen our outbound connections; the on-connection event will
- bring us back here. If we're the server, we have to just
- twiddle our thumbs and hope the client reconnects. */
- log_debug(this, "no downstream connections");
- if (this->config->mode != LSN_SIMPLE_SERVER)
- circuit_reopen_downstreams(this);
- else
- circuit_arm_axe_timer(this, this->axe_interval());
- return 0;
- }
+ uint32_t circuit_id;
+ if (evbuffer_remove(recv_pending, (void *)&circuit_id,
+ sizeof circuit_id) != sizeof circuit_id)
+ return -1;
- if (evbuffer_get_length(bufferevent_get_input(this->up_buffer)) == 0) {
- /* must-send timer expired and we still have nothing to say; send chaff */
- if (chop_send_chaff(this))
- return -1;
- this->dead_cycles++;
- log_debug(this, "%u dead cycles", this->dead_cycles);
- } else {
- if (chop_send_blocks(this))
- return -1;
- this->dead_cycles = 0;
- }
+ chop_circuit_table::value_type in(circuit_id, 0);
+ std::pair<chop_circuit_table::iterator, bool> out
+ = this->config->circuits.insert(in);
+ chop_circuit_t *ck;
- /* If we're at EOF, close all connections (sending first if
- necessary). If we're the client we have to keep trying to talk
- as long as we haven't both sent and received a FIN, or we might
- deadlock. */
- if (this->sent_fin && this->received_fin) {
- for (unordered_set<chop_conn_t *>::iterator i = this->downstreams.begin();
- i != this->downstreams.end(); i++) {
- chop_conn_t *conn = *i;
- if (conn->must_transmit_timer &&
- evtimer_pending(conn->must_transmit_timer, NULL))
- must_transmit_timer_cb(-1, 0, conn);
- conn_send_eof(conn);
+ if (!out.second) { // element already exists
+ if (!out.first->second) {
+ log_debug(this, "stale circuit");
+ return 0;
}
+ ck = out.first->second;
+ log_debug(this, "found circuit to %s", ck->up_peer);
} else {
- if (this->config->mode != LSN_SIMPLE_SERVER)
- circuit_arm_flush_timer(this, this->flush_interval());
+ ck = dynamic_cast<chop_circuit_t *>(circuit_create(this->config, 0));
+ if (!ck) {
+ log_warn(this, "failed to create new circuit");
+ return -1;
+ }
+ if (circuit_open_upstream(ck)) {
+ log_warn(this, "failed to begin upstream connection");
+ delete ck;
+ return -1;
+ }
+ log_debug(this, "created new circuit to %s", ck->up_peer);
+ ck->circuit_id = circuit_id;
+ out.first->second = ck;
}
- return 0;
-}
-int
-chop_circuit_t::send_eof()
-{
- this->upstream_eof = true;
- return this->send();
+ ck->add_downstream(this);
+ return 0;
}
int
chop_conn_t::recv()
{
- chop_circuit_t *ckt;
- chop_header hdr;
- struct evbuffer *block;
- size_t avail;
- uint8_t decodebuf[CHOP_MAX_DATA + CHOP_WIRE_HDR_LEN];
-
- if (this->steg->receive(this, this->recv_pending))
+ if (steg->receive(this, recv_pending))
return -1;
- if (!this->upstream) {
- log_debug(this, "finding circuit");
- if (chop_peek_circuit_id(this->recv_pending, &hdr)) {
- log_debug(this, "not enough data to find circuit yet");
- return 0;
- }
- if (chop_find_or_make_circuit(this, hdr.ckt_id))
+ if (!upstream) {
+ // Try to receive a handshake.
+ if (recv_handshake())
return -1;
- /* If we get here and this->circuit is not set, this is a connection
- for a stale circuit: that is, a new connection made by the
- client (to draw more data down from the server) that crossed
- with a server-to-client FIN. We can't decrypt the packet, but
- it's either chaff or a protocol error; either way we can just
- discard it. Since we will never reply, call conn_do_flush so
- the connection will be dropped as soon as we receive an EOF. */
- if (!this->upstream) {
- evbuffer_drain(this->recv_pending,
- evbuffer_get_length(this->recv_pending));
+
+ // If we get here and ->upstream is not set, this is a connection
+ // for a stale circuit: that is, a new connection made by the
+ // client (to draw more data down from the server) that crossed
+ // with a server-to-client FIN, the client-to-server FIN already
+ // having been received and processed. We no longer have the keys
+ // to decrypt anything after the handshake, but it's either chaff
+ // or a protocol error. Either way, we can just drop the
+ // connection, possibly sending a response if the cover protocol
+ // requires one.
+ if (!upstream) {
+ evbuffer_drain(recv_pending, evbuffer_get_length(recv_pending));
+ if (must_send_p())
+ send();
conn_do_flush(this);
return 0;
}
}
- ckt = this->upstream;
- log_debug(this, "circuit to %s", ckt->up_peer);
-
+ log_debug(this, "circuit to %s", upstream->up_peer);
for (;;) {
- avail = evbuffer_get_length(this->recv_pending);
+ size_t avail = evbuffer_get_length(recv_pending);
if (avail == 0)
break;
log_debug(this, "%lu bytes available", (unsigned long)avail);
- if (avail < CHOP_WIRE_HDR_LEN) {
- log_debug(this, "incomplete block");
+ if (avail < MIN_BLOCK_SIZE) {
+ log_debug(this, "incomplete block framing");
break;
}
- if (chop_decrypt_header(ckt, this->recv_pending, &hdr))
+ block_header hdr(recv_pending, *upstream->recv_hdr_crypt);
+ if (!hdr.valid(upstream->recv_queue.window())) {
+ const uint8_t *c = hdr.cleartext();
+ log_warn(this, "invalid block header: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+ c[0], c[1], c[2], c[3], c[4], c[5], c[6], c[7],
+ c[8], c[9], c[10], c[11], c[12], c[13], c[14], c[15]);
return -1;
-
- if (avail < CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length) {
+ }
+ if (avail < hdr.total_len()) {
log_debug(this, "incomplete block (need %lu bytes)",
- (unsigned long)(CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length));
+ (unsigned long)hdr.total_len());
break;
}
- if (ckt->circuit_id != hdr.ckt_id) {
- log_warn(this, "protocol error: circuit id mismatch");
- return -1;
- }
-
- log_debug(this, "receiving block of %lu+%u bytes "
- "[offset %u flags %04hx]",
- (unsigned long)CHOP_WIRE_HDR_LEN + GCM_TAG_LEN,
- hdr.length, hdr.offset, hdr.flags);
-
- if (evbuffer_copyout(this->recv_pending, decodebuf,
- CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length)
- != (ssize_t)(CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length)) {
+ uint8_t decodebuf[MAX_BLOCK_SIZE];
+ if (evbuffer_drain(recv_pending, HEADER_LEN) ||
+ evbuffer_remove(recv_pending, decodebuf, hdr.total_len() - HEADER_LEN)
+ != (ssize_t)(hdr.total_len() - HEADER_LEN)) {
log_warn(this, "failed to copy block to decode buffer");
return -1;
}
- block = evbuffer_new();
- if (!block || evbuffer_expand(block, hdr.length)) {
- log_warn(this, "allocation failure");
+ if (upstream->recv_crypt->decrypt(decodebuf,
+ decodebuf, hdr.total_len() - HEADER_LEN,
+ hdr.nonce(), HEADER_LEN)) {
+ log_warn("MAC verification failure");
return -1;
}
- if (ckt->recv_crypt
- ->decrypt(decodebuf + 16, decodebuf + 16,
- hdr.length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN - 16,
- decodebuf, 16)) {
- log_warn(this, "MAC verification failure");
- evbuffer_free(block);
- return -1;
- }
-
- if (evbuffer_add(block, decodebuf + CHOP_WIRE_HDR_LEN, hdr.length)) {
- log_warn(this, "failed to transfer block to reassembly queue");
- evbuffer_free(block);
- return -1;
- }
-
- if (evbuffer_drain(this->recv_pending,
- CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length)) {
- log_warn(this, "failed to consume block from wire");
- evbuffer_free(block);
- return -1;
- }
+ log_debug(this, "receiving block %u <d=%lu p=%lu f=%u>",
+ hdr.seqno(), (unsigned long)hdr.dlen(), (unsigned long)hdr.plen(),
+ (unsigned int)hdr.opcode());
- if (chop_reassemble_block(ckt, block, &hdr)) {
- evbuffer_free(block);
+ evbuffer *data = evbuffer_new();
+ if (!data || (hdr.dlen() && evbuffer_add(data, decodebuf, hdr.dlen()))) {
+ log_warn(this, "failed to extract data from decode buffer");
+ evbuffer_free(data);
return -1;
}
- }
-
- if (chop_push_to_upstream(ckt))
- return -1;
- /* It may have now become possible to send queued data. */
- if (evbuffer_get_length(bufferevent_get_input(ckt->up_buffer)))
- ckt->send();
-
- /* If we're at EOF, close all connections (sending first if
- necessary). If we're the client we have to keep trying to talk
- as long as we haven't both sent and received a FIN, or we might
- deadlock. */
- else if (ckt->sent_fin && ckt->received_fin) {
- circuit_disarm_flush_timer(ckt);
- for (unordered_set<chop_conn_t *>::iterator i = ckt->downstreams.begin();
- i != ckt->downstreams.end(); i++) {
- chop_conn_t *conn = *i;
- if (conn->must_transmit_timer &&
- evtimer_pending(conn->must_transmit_timer, NULL))
- must_transmit_timer_cb(-1, 0, conn);
- conn_send_eof(conn);
- }
- } else {
- if (ckt->config->mode != LSN_SIMPLE_SERVER)
- circuit_arm_flush_timer(ckt, ckt->flush_interval());
+ if (!upstream->recv_queue.insert(hdr.seqno(), hdr.opcode(), data, this))
+ return -1; // insert() logs an error
}
- return 0;
+ return upstream->process_queue();
}
int
chop_conn_t::recv_eof()
{
- /* EOF on a _connection_ does not mean EOF on a _circuit_.
- EOF on a _circuit_ occurs when chop_push_to_upstream processes a FIN.
- We should only drop the connection from the circuit if we're no
- longer sending in the opposite direction. Also, we should not
- drop the connection if its must-transmit timer is still pending. */
- if (this->upstream) {
- chop_circuit_t *ckt = this->upstream;
-
- if (evbuffer_get_length(this->inbound()) > 0)
- if (this->recv())
- return -1;
-
- if ((ckt->sent_fin || this->no_more_transmissions) &&
- (!this->must_transmit_timer ||
- !evtimer_pending(this->must_transmit_timer, NULL)))
- ckt->drop_downstream(this);
+ // Consume any not-yet-processed incoming data. It's possible for
+ // us to get here before we've processed _any_ data -- including the
+ // handshake! -- from a new connection, so we have to do this before
+ // we look at ->upstream. */
+ if (evbuffer_get_length(inbound()) > 0) {
+ if (recv())
+ return -1;
+ // If there's anything left in the buffer at this point, it's a
+ // protocol error.
+ if (evbuffer_get_length(inbound()) > 0)
+ return -1;
}
+
+ // We should only drop the connection from the circuit if we're no
+ // longer sending covert data in the opposite direction _and_ the
+ // cover protocol does not need us to send a reply (i.e. the
+ // must_send_timer is not pending).
+ if (upstream && (upstream->sent_fin || no_more_transmissions) &&
+ !must_send_p())
+ upstream->drop_downstream(this);
+
return 0;
}
void
chop_conn_t::expect_close()
{
- /* do we need to do something here? */
+ // We currently don't need to do anything here.
+ // FIXME: figure out if this hook is _ever_ useful, and if not, remove it.
}
void
chop_conn_t::cease_transmission()
{
- this->no_more_transmissions = true;
+ no_more_transmissions = true;
+ if (must_send_timer)
+ evtimer_del(must_send_timer);
conn_do_flush(this);
}
@@ -1370,13 +1301,97 @@ chop_conn_t::transmit_soon(unsigned long milliseconds)
{
struct timeval tv;
- log_debug(this, "must transmit within %lu milliseconds", milliseconds);
+ log_debug(this, "must send within %lu milliseconds", milliseconds);
tv.tv_sec = milliseconds / 1000;
tv.tv_usec = (milliseconds % 1000) * 1000;
- if (!this->must_transmit_timer)
- this->must_transmit_timer = evtimer_new(this->config->base,
- must_transmit_timer_cb, this);
- evtimer_add(this->must_transmit_timer, &tv);
+ if (!must_send_timer)
+ must_send_timer = evtimer_new(config->base, must_send_timeout, this);
+ evtimer_add(must_send_timer, &tv);
+}
+
+void
+chop_conn_t::send()
+{
+ if (must_send_timer)
+ evtimer_del(must_send_timer);
+
+ if (!steg) {
+ log_warn(this, "send() called with no steg module available");
+ conn_do_flush(this);
+ return;
+ }
+
+ // When this happens, we must send _even if_ we have no upstream to
+ // provide us with data. For instance, to preserve the cover
+ // protocol, we must send an HTTP reply to each HTTP query that
+ // comes in for a stale circuit.
+ if (upstream) {
+ log_debug(this, "must send");
+ if (upstream->send_targeted(this))
+ conn_do_flush(this);
+
+ } else {
+ log_debug(this, "must send (no upstream)");
+
+ size_t room = steg->transmit_room(this);
+ if (room < MIN_BLOCK_SIZE) {
+ log_warn(this, "send() called without enough transmit room "
+ "(have %lu, need %lu)", (unsigned long)room,
+ (unsigned long)MIN_BLOCK_SIZE);
+ conn_do_flush(this);
+ return;
+ }
+
+ // Since we have no upstream, we can't encrypt anything; instead,
+ // generate random bytes and feed them straight to steg_transmit.
+ struct evbuffer *chaff = evbuffer_new();
+ struct evbuffer_iovec v;
+ if (!chaff || evbuffer_reserve_space(chaff, MIN_BLOCK_SIZE, &v, 1) != 1 ||
+ v.iov_len < MIN_BLOCK_SIZE) {
+ log_warn(this, "memory allocation failed");
+ if (chaff)
+ evbuffer_free(chaff);
+ conn_do_flush(this);
+ return;
+ }
+ v.iov_len = MIN_BLOCK_SIZE;
+ rng_bytes((uint8_t *)v.iov_base, MIN_BLOCK_SIZE);
+ if (evbuffer_commit_space(chaff, &v, 1)) {
+ log_warn(this, "evbuffer_commit_space failed");
+ if (chaff)
+ evbuffer_free(chaff);
+ conn_do_flush(this);
+ return;
+ }
+
+ if (steg->transmit(chaff, this))
+ conn_do_flush(this);
+
+ evbuffer_free(chaff);
+ }
+}
+
+bool
+chop_conn_t::must_send_p() const
+{
+ return must_send_timer && evtimer_pending(must_send_timer, 0);
+}
+
+/* static */ void
+chop_conn_t::must_send_timeout(evutil_socket_t, short, void *arg)
+{
+ static_cast<chop_conn_t *>(arg)->send();
}
+
+} // anonymous namespace
+
+PROTO_DEFINE_MODULE(chop);
+
+// Local Variables:
+// mode: c++
+// c-basic-offset: 2
+// c-file-style: "gnu"
+// c-file-offsets: ((innamespace . 0) (brace-list-open . 0))
+// End:
