September 2012 - tor-commits - lists.torproject.org

[flashproxy/master] Pin the public key of the Gmail MX.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit f681f846f3cd35605c84792fd7a4540419b1d42f Author: David Fifield <david(a)bamsoftware.com> Date: Tue Sep 18 21:14:14 2012 -0700 Pin the public key of the Gmail MX. For this I resorted to the M2Crypto library to parse the public key out of the certificate. I did not find an easy way to do it using only standard Python libraries. --- flashproxy-reg-email | 19 ++++++++++++++++--- 1 files changed, 16 insertions(+), 3 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index 71dcc51..424e731 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -9,6 +9,9 @@ import ssl import sys import tempfile +from hashlib import sha1 +from M2Crypto import X509 + DEFAULT_REMOTE_ADDRESS = "" DEFAULT_REMOTE_PORT = 9000 DEFAULT_EMAIL_ADDRESS = "hoddwee(a)gmail.com" @@ -48,6 +51,10 @@ A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y 1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4 -----END CERTIFICATE----- """ +# SHA-1 digest of expected public key. See +# http://www.imperialviolet.org/2011/05/04/pinning.html for the reason behind +# hashing the public key, not the entire certificate. +PUBKEY_SHA1 = "e341556ff3fd18e155ce30971fc93e740aa4b185".decode("hex") class options(object): remote_addr = None @@ -176,9 +183,15 @@ try: finally: ca_certs_file.close() - peercert_pem = ssl.DER_cert_to_PEM_cert(smtp.sock.getpeercert(binary_form=True)) - if options.debug: - print peercert_pem + # Check that the public key is what we expect. + cert_der = smtp.sock.getpeercert(binary_form=True) + cert = X509.load_cert_string(cert_der, format=X509.FORMAT_DER) + pubkey_der = cert.get_pubkey().as_der() + pubkey_digest = sha1(pubkey_der).digest() + + if pubkey_digest != PUBKEY_SHA1: + raise ValueError("Public key does not match pin: got %s but expected %s" % + pubkey_digest.encode("hex"), PUBKEY_SHA1.encode("hex")) smtp.ehlo(EHLO_FQDN)

1 0

[flashproxy/master] Provide diagnostics for missing M2Crypto.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit 9b04b5fe3d8aa8096737fa379183a311d46ffce8 Author: David Fifield <david(a)bamsoftware.com> Date: Tue Sep 18 21:27:45 2012 -0700 Provide diagnostics for missing M2Crypto. --- flashproxy-reg-email | 20 +++++++++++++++++++- 1 files changed, 19 insertions(+), 1 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index 424e731..a8f3130 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -10,7 +10,12 @@ import sys import tempfile from hashlib import sha1 -from M2Crypto import X509 + +try: + from M2Crypto import X509 +except ImportError: + # Defer the error reporting so that --help works even without M2Crypto. + X509 = None DEFAULT_REMOTE_ADDRESS = "" DEFAULT_REMOTE_PORT = 9000 @@ -73,6 +78,8 @@ designated address. By default the remote address registered is Using an SMTP server or email address other than the defaults will not work unless you have made special arrangements to connect them to a facilitator. +This program requires the M2Crypto library for Python. + -d, --debug enable debugging output (Python smtplib messages). -e, --email=ADDRESS send mail to ADDRESS (default "%(email_addr)s"). -h, --help show this help. @@ -159,6 +166,17 @@ else: usage(sys.stderr) sys.exit(1) +if X509 is None: + print >> sys.stderr, """\ +This program requires the M2Crypto library, which is not installed. + +You can install it using one of the packages at +http://chandlerproject.org/Projects/MeTooCrypto#Downloads. + +On Debian-like systems, use the command "apt-get install python-m2crypto".\ +""" + sys.exit(1) + smtp = smtplib.SMTP(options.smtp_addr[0], options.smtp_addr[1], EHLO_FQDN) if options.debug:

1 0

[flashproxy/master] Get peer certificate.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit 2931e62b9933d84c6e5696abf1d273d2d8b36ae7 Author: David Fifield <david(a)bamsoftware.com> Date: Tue Sep 11 11:24:00 2012 -0700 Get peer certificate. --- flashproxy-reg-email | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index c79f03b..71dcc51 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -176,6 +176,10 @@ try: finally: ca_certs_file.close() + peercert_pem = ssl.DER_cert_to_PEM_cert(smtp.sock.getpeercert(binary_form=True)) + if options.debug: + print peercert_pem + smtp.ehlo(EHLO_FQDN) if not options.remote_addr[0]:

1 0

[flashproxy/master] Force TLSv1.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit 26d5a47b2d2c6e2c4f9728a473def8a9dc57e093 Author: David Fifield <david(a)bamsoftware.com> Date: Tue Sep 11 11:20:03 2012 -0700 Force TLSv1. --- flashproxy-reg-email | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index f57bc58..c79f03b 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -170,8 +170,8 @@ try: code, msg = smtp.docmd("STARTTLS") if code != 220: raise ValueError("Got code %d after STARTTLS" % code) - smtp.sock = ssl.wrap_socket(smtp.sock, cert_reqs=ssl.CERT_REQUIRED, - ca_certs=ca_certs_file.name) + smtp.sock = ssl.wrap_socket(smtp.sock, ssl_version=ssl.PROTOCOL_TLSv1, + cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_certs_file.name) smtp.file = smtp.sock.makefile() finally: ca_certs_file.close()

1 0

[flashproxy/master] Encrypt the registrations using a public key belonging to the facilitator.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit da32a75f2634de9ae364c9e228091a2474bf7f29 Author: David Fifield <david(a)bamsoftware.com> Date: Tue Sep 18 21:58:36 2012 -0700 Encrypt the registrations using a public key belonging to the facilitator. This is to provide client addresses some protection against Google or anyone who manages to gain access to the registration account. --- flashproxy-reg-email | 25 ++++++++++++++++++++++--- 1 files changed, 22 insertions(+), 3 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index a8f3130..bd5095a 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -12,7 +12,7 @@ import tempfile from hashlib import sha1 try: - from M2Crypto import X509 + from M2Crypto import BIO, RSA, X509 except ImportError: # Defer the error reporting so that --help works even without M2Crypto. X509 = None @@ -61,6 +61,20 @@ A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y # hashing the public key, not the entire certificate. PUBKEY_SHA1 = "e341556ff3fd18e155ce30971fc93e740aa4b185".decode("hex") +# openssl genrsa reg-email 2048 +# openssl rsa -pubout < reg-email > reg-email.pub +FACILITATOR_PUBKEY_PEM = """\ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArzOJ0Ya0fVp6pcgIf2GW +CBanFAyDygMFm9WfSwgQMf9XmMoHmI39bM4MftLjnhfmN75IT1DESFprmxca+vNA +SYuN5rnCLcV5hcCFIHgDWRxQkDuRnQfYCZN7/lWgYUiMpU92vdlyYnP+XNVat7qw +06tSHey2FS417zmIsNTcKUk9XhWb/uVHzOw/oCwG1wuxdUXKXLHjgwR5V17NbNwc +FJ1qCmQeswQk44wfJHuXJiIxMgDWF6p4LH07hBrP68L1vtlOVpqVAAoi/wLUhBgZ +WG0m/agJiktYR1qkLRNSH0afmpQn/v8kQg3T/5d0+HLECMfuBqoWEuJBACPSlA06 +5wIDAQAB +-----END PUBLIC KEY----- +""" + class options(object): remote_addr = None email_addr = None @@ -224,6 +238,11 @@ try: spec = "[" + spec + "]" options.remote_addr = parse_addr_spec(spec, *options.remote_addr) + body_plain = "client=%s" % format_addr(options.remote_addr) + rsa = RSA.load_pub_key_bio(BIO.MemoryBuffer(FACILITATOR_PUBKEY_PEM)) + body_crypt = rsa.public_encrypt(body_plain, RSA.pkcs1_oaep_padding) + body = body_crypt.encode("base64") + # Add a random subject to keep Gmail from threading everything. rand_string = os.urandom(5).encode("hex") smtp.sendmail(options.email_addr, options.email_addr, """\ @@ -231,12 +250,12 @@ To: %(to_addr)s\r From: %(from_addr)s\r Subject: client reg %(rand_string)s\r \r -client=%(client_spec)s +%(body)s """ % { "to_addr": options.email_addr, "from_addr": FROM_EMAIL_ADDRESS, "rand_string": rand_string, - "client_spec": format_addr(options.remote_addr), + "body": body, }) smtp.quit() except Exception, e:

1 0

[flashproxy/master] Fix the --email option in flashproxy-reg-email.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit c44ce7276a648ae1363adfe16c5e55619e991c01 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Sep 19 11:24:43 2012 -0700 Fix the --email option in flashproxy-reg-email. --- flashproxy-reg-email | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index bd5095a..babcc85 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -165,7 +165,7 @@ for o, a in opts: if o == "-d" or o == "--debug": options.debug = True elif o == "-e" or o == "--email": - options.email_addr = parse_addr_spec(a, DEFAULT_FACILITATOR_HOST, DEFAULT_FACILITATOR_PORT) + options.email_addr = a elif o == "-h" or o == "--help": usage() sys.exit()

1 0

[flashproxy/master] Add gmail-setup.txt on craeting a Gmail facilitator listener.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit ede7f95129401def6ebc34c477072e350ccd7eb0 Author: David Fifield <david(a)bamsoftware.com> Date: Tue Sep 11 09:53:18 2012 -0700 Add gmail-setup.txt on craeting a Gmail facilitator listener. --- doc/gmail-setup.txt | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 42 insertions(+), 0 deletions(-) diff --git a/doc/gmail-setup.txt b/doc/gmail-setup.txt new file mode 100644 index 0000000..d3dc68a --- /dev/null +++ b/doc/gmail-setup.txt @@ -0,0 +1,42 @@ +These are instructions for setting up a Gmail account for use with the +email-based rendezvous and flashproxy-reg-email. These instructions were +current as of September 2012. + +You may have trouble if you are using Tor to create the account, for two +reasons. The first is that exit nodes are a source of abuse and Google +is more suspicious of them. The second is that Gmail is suspicious and +can lock you out of the account when your IP address is changing. While +setting up the account, use a single node in your torrc ExitNodes +configuration. Choose a U.S. exit node, one of the ones with the lowest +bandwidth. + +Go to https://mail.google.com/. Allow JavaScript to run. Click the +"CREATE AN ACCOUNT" button. + +Enter the account details and click "Next Step". + +What may go wrong is that after entering the account details you see a +screen "Verify your account" that asks for a mobile phone number. Try +again with a different low-bandwidth exit node. exit node, one of the +ones with the lowest bandwidth. Also, it may be my imagination, but +Gmail seems to be checking for user names that appear randomly +generated; try inserting vowels between your randomly generated +consonants to make the word pronouncable. + +You may be gently forced into joining Google+ at this point; I think +that the Gmail account is already created, so you may be able to skip +Google+ by browsing back to https://mail.google.com/. If not, you can +delete the Google+ account by clicking on the account name from inside +of Gmail. + +Log out of the account and log back in again. There will be new text in +the lower right reading "Recent Activity". Click "Details" and turn off +the suspicious activity warnings. This will keep you from getting locked +out when you come from different IP addresses. At this point you should +remove the temporary ExitNodes configuration from torrc. + +Add a filter to prevent registrations from being marked as spam. Click +on the gear icon, and select "Settings". Select "Filters" and add a new +filter. For "Containing the words:" insert "in:spam". You will get a +warning that says it will not match any incoming messages; this appears +to be wrong and you can click through it.

1 0

[flashproxy/master] Verify TLS certificate, and trust only Google's CA.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit 81074c20f3dcc19e24b211c8f736afe87972a657 Author: David Fifield <david(a)bamsoftware.com> Date: Tue Sep 11 10:50:10 2012 -0700 Verify TLS certificate, and trust only Google's CA. --- flashproxy-reg-email | 52 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 50 insertions(+), 2 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index 7dc1d84..f57bc58 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -5,7 +5,9 @@ import os import re import smtplib import socket +import ssl import sys +import tempfile DEFAULT_REMOTE_ADDRESS = "" DEFAULT_REMOTE_PORT = 9000 @@ -18,6 +20,35 @@ DEFAULT_SMTP_PORT = 25 EHLO_FQDN = "[127.0.0.1]" FROM_EMAIL_ADDRESS = "nobody@localhost" +# We trust no other CA certificate than this. +# +# To find the certificate to copy here, +# $ strace openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp -verify 10 -CApath /etc/ssl/certs 2>&1 | grep /etc/ssl/certs +# stat("/etc/ssl/certs/XXXXXXXX.0", {st_mode=S_IFREG|0644, st_size=YYYY, ...}) = 0 +CA_CERTS = """\ +subject=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority +issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority +-----BEGIN CERTIFICATE----- +MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV +UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy +dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1 +MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx +dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f +BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A +cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC +AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm +aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw +ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj +IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF +MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA +A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y +7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh +1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4 +-----END CERTIFICATE----- +""" + class options(object): remote_addr = None email_addr = None @@ -127,8 +158,25 @@ if options.debug: smtp.set_debuglevel(1) try: - smtp.starttls() - smtp.ehlo() + ca_certs_file = tempfile.NamedTemporaryFile(prefix="flashproxy-reg-email-", suffix=".crt", delete=True) + try: + ca_certs_file.write(CA_CERTS) + ca_certs_file.flush() + # We roll our own initial EHLO/STARTTLS because smtplib.SMTP.starttls + # doesn't allow enough certificate validation. + code, msg = smtp.docmd("EHLO", EHLO_FQDN) + if code != 250: + raise ValueError("Got code %d after EHLO" % code) + code, msg = smtp.docmd("STARTTLS") + if code != 220: + raise ValueError("Got code %d after STARTTLS" % code) + smtp.sock = ssl.wrap_socket(smtp.sock, cert_reqs=ssl.CERT_REQUIRED, + ca_certs=ca_certs_file.name) + smtp.file = smtp.sock.makefile() + finally: + ca_certs_file.close() + + smtp.ehlo(EHLO_FQDN) if not options.remote_addr[0]: # Grep the EHLO response for our public IP address.

1 0

[flashproxy/master] How to enable Gmail IMAP.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit 7142d23e405228dc0058b14a330ff68c3f58f0f5 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Sep 19 11:35:37 2012 -0700 How to enable Gmail IMAP. --- doc/gmail-setup.txt | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/doc/gmail-setup.txt b/doc/gmail-setup.txt index d3dc68a..847e5b7 100644 --- a/doc/gmail-setup.txt +++ b/doc/gmail-setup.txt @@ -40,3 +40,10 @@ on the gear icon, and select "Settings". Select "Filters" and add a new filter. For "Containing the words:" insert "in:spam". You will get a warning that says it will not match any incoming messages; this appears to be wrong and you can click through it. + +Enable IMAP. Click the gear icon, then "Settings". Click "Forwarding and +POP/IMAP". Then +* Disable POP +* Enable IMAP +* Auto-Expunge on +"Save Changes".

1 0

[flashproxy/master] Encode to UTF-8 before encryption.
by dcf＠torproject.org 28 Sep '12

28 Sep '12

commit d97e41a5baf4874f19bcd7a9f69a35cfc14ae102 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Sep 19 13:58:19 2012 -0700 Encode to UTF-8 before encryption. Otherwise the M2Crypto encryption seems to expand each character to 4 bytes; i.e., u"client" becomes "c\x00\x00\x00l\x00\x00\x00i\x00\x00\x00e\x00\x00\x00n\x00\x00\x00t\x00\x00\x00" after decryption. --- flashproxy-reg-email | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/flashproxy-reg-email b/flashproxy-reg-email index babcc85..debe16d 100755 --- a/flashproxy-reg-email +++ b/flashproxy-reg-email @@ -238,7 +238,7 @@ try: spec = "[" + spec + "]" options.remote_addr = parse_addr_spec(spec, *options.remote_addr) - body_plain = "client=%s" % format_addr(options.remote_addr) + body_plain = (u"client=%s" % format_addr(options.remote_addr)).encode("utf-8") rsa = RSA.load_pub_key_bio(BIO.MemoryBuffer(FACILITATOR_PUBKEY_PEM)) body_crypt = rsa.public_encrypt(body_plain, RSA.pkcs1_oaep_padding) body = body_crypt.encode("base64")

1 0