March 2013 - tor-commits - lists.torproject.org

[flashproxy/master] Nicer URL building.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit ef486a7425771471c965eeb2db6f295074b7e7ea Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:43:32 2013 -0700 Nicer URL building. --- flashproxy-reg-url | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url index 1070889..dc953c1 100755 --- a/flashproxy-reg-url +++ b/flashproxy-reg-url @@ -5,6 +5,7 @@ import socket import sys import re import getopt +import urlparse from M2Crypto import RSA, … [View More]

1 0

[flashproxy/master] Formatting.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 64167c2715578bb544b2002757d6455ac4c13d72 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:45:49 2013 -0700 Formatting. --- flashproxy-reg-url | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url index dc953c1..dcd4ec1 100755 --- a/flashproxy-reg-url +++ b/flashproxy-reg-url @@ -1,10 +1,10 @@ #!/usr/bin/env python import base64 +import getopt +import re import socket import sys -… [View More]

1 0

[flashproxy/master] Show an error if the remote IP address is not given.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 40976bd26cc06a2ab95d6c598f9d18f19d76b7b8 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:48:03 2013 -0700 Show an error if the remote IP address is not given. Unlike the http and email methods, this rendezvous method cannot guess your external address. --- flashproxy-reg-url | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url index dcd4ec1..a2aba34 100755 --- a/flashproxy-reg-… [View More]

1 0

[flashproxy/master] Remove unused import.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 0e7f7b52b8c9c3240df08fb1957261d8417e3792 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 02:01:11 2013 -0700 Remove unused import. --- facilitator/facilitator.cgi | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/facilitator/facilitator.cgi b/facilitator/facilitator.cgi index 1dd125a..bb0ac51 100755 --- a/facilitator/facilitator.cgi +++ b/facilitator/facilitator.cgi @@ -5,7 +5,6 @@ import os import socket import sys import urllib -… [View More]

1 0

[flashproxy/master] ChangeLog typo.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 4c58edf363e4a7457dd59a794293d115fb5cecab Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:52:21 2013 -0700 ChangeLog typo. --- ChangeLog | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ChangeLog b/ChangeLog index 49fedf2..fdbf5da 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,7 +25,7 @@ Changes in version 0.12 by Alexandre Allaire. o Updated the Tor Browser check to match the behavior of new Tor - Browsers. Patch by … [View More]

1 0

[flashproxy/master] ChangeLog for #7559.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 2f94ae45faadc16117a3f027de93eaa2b80cabd5 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:52:12 2013 -0700 ChangeLog for #7559. --- ChangeLog | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8a4b163..49fedf2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,10 @@ Changes in version 0.12 + o The new flashproxy-reg-url program prints a URL which, when + requested, causes an address to be … [View More]

1 0

[flashproxy/master] Add helper daemon for indirect URL registration.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit ab8ecafb5d424b7c9ba720a3bc06e1b948555153 Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> Date: Thu Jan 17 20:34:26 2013 -0500 Add helper daemon for indirect URL registration. Add a daemon which accepts RSA encrypted, base64 encoded client addresses and registers them with the facilitator. It is meant to be used by facilitator.cgi upon receiving a registration through a GET request. --- facilitator/facilitator-reg-url | 157 +++++++++++++++… [View More]++++++++++++++++++++++++ 1 files changed, 157 insertions(+), 0 deletions(-) diff --git a/facilitator/facilitator-reg-url b/facilitator/facilitator-reg-url new file mode 100644 index 0000000..0127719 --- /dev/null +++ b/facilitator/facilitator-reg-url @@ -0,0 +1,157 @@ +#!/usr/bin/python + +import sys +import base64 +import getopt +import traceback +import socket +import time +import os + +from M2Crypto import RSA + +import fac + +DEFAULT_FACILITATOR_ADDR = ("127.0.0.1", 9002) +DEFAULT_RSA_KEY_FILE = "/etc/flashproxy/reg-url.key" +DEFAULT_PORT = 9003 +DEFAULT_LOG_FILE = "/var/log/facilitator-reg-url.log" + +LOG_DATE_FORMAT = "%Y-%m-%d %H:%M:%S" + +# M2Crypto RSA object +rsa = None + +class options(object): + log_filename = DEFAULT_LOG_FILE + log_file = sys.stdout + port = DEFAULT_PORT + debug = False + daemonize = True + key_file = DEFAULT_RSA_KEY_FILE + facilitator = DEFAULT_FACILITATOR_ADDR + safe_logging = True + pid_filename = None + +def usage(): + print """ +Usage: %(progname)s + +Helper daemon for registration by indirect URL. Receives +client addresses from facilitator.cgi, decrypts them and +registers them with the facilitator. + + -h, --help print this help message and exit. + -d, --debug don't daemonize, log to stdout. + -k, --key=KEYFILE read the RSA private key from KEYFILE. + -f, --facilitator=ADDR register with facilitator listening at ADDR. + -p, --port=PORT listen for registrations on this port (default %(port)s). + -l, --log FILE write log to FILE (default "%(log)s"). + --pidfile FILE write pid to file after daemonizing. + --unsafe-logging don't scrub IP addresses from logs. +""" % { + "progname": sys.argv[0], + "port": DEFAULT_PORT, + "log": DEFAULT_LOG_FILE, +} + +def safe_str(s): + """Return s if options.safe_logging is true, and "[scrubbed]" otherwise.""" + if options.safe_logging: + return "[scrubbed]" + else: + return s + +def log(msg): + print >> options.log_file, (u"%s %s" % (time.strftime(LOG_DATE_FORMAT), msg)).encode("UTF-8") + options.log_file.flush() + +def register(reg): + try: + ciphertext = base64.urlsafe_b64decode(reg) + client_spec = rsa.private_decrypt(ciphertext, RSA.pkcs1_oaep_padding) + except: + log(u"Error occurred while decoding and decrypting registration:") + traceback.print_exc(file=options.log_file) + return False + try: + client_addr = fac.parse_addr_spec(client_spec) + except ValueError: + log(u"Registration of %s failed because of parsing error:" % safe_str(client_spec)) + traceback.print_exc(file=options.log_file) + return False + if not fac.put_reg(options.facilitator, client_addr): + log(u"Regstration of %s failed at the facilitator." % safe_str(client_spec)) + return False + log(u"Registered %s" % safe_str(client_spec)) + return True + +def loop(): + sock = socket.socket() + sock.bind(('', options.port)) + sock.listen(5) + + while True: + client, _ = sock.accept() + reg, buf = "", "" + while True: + buf = client.recv(4096) + if buf == "": + break + reg += buf + if register(reg): + client.send("\x00") + else: + client.send("\x01") + client.shutdown(socket.SHUT_RDWR) + client.close() + +def main(): + opts, args = getopt.gnu_getopt(sys.argv[1:], "hdl:p:k:f:", ["help", "debug", "log=", "port=", "key=", "facilitator=", "pidfile=", "unsafe-logging"]) + for o, a in opts: + if o == "-h" or o == "--help": + usage() + sys.exit(0) + if o == "-d" or o == "--debug": + options.daemonize = False + options.log_filename = False + if o == "-l" or o == "--log": + options.log_filename = a + if o == "-p" or o == "--port": + options.port = int(a) + if o == "-k" or o == "--key": + options.key_file = a + if o == "-f" or o == "--facilitator": + options.facilitator = fac.parse_addr_spec(a, resolve=True) + if o == "--pidfile": + options.pid_filename = a + if o == "--unsafe-logging": + options.safe_logging = False + + if options.daemonize: + log(u"daemonizing") + pid = os.fork() + if pid != 0: + if options.pid_filename: + f = open(options.pid_filename, "w") + print >> f, pid + f.close() + sys.exit(0) + + if options.log_filename: + options.log_file = open(options.log_filename, "a") + log(u"Starting on port %s" % options.port) + + # Load RSA key. + try: + global rsa + rsa = RSA.load_key(options.key_file) + except: + log(u"Failed to load RSA private key:") + traceback.print_exc(file=options.log_file) + sys.exit(1) + + loop() + +if __name__ == "__main__": + main() [View Less]

1 0

[flashproxy/master] Add helper program to print URL registrations.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 295ec665c214f266899be3bb01ce12bd32b3a8d8 Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> Date: Tue Jan 22 21:05:37 2013 -0500 Add helper program to print URL registrations. Add a client-side helper program, flashproxy-reg-url, to print out encrypted URLs that can be used to register with a facilitator. The public key and facilitator are hard coded into the script. --- flashproxy-reg-url | 112 ++++++++++++++++++++++++++++++++++++++++++++++… [View More]++++++ 1 files changed, 112 insertions(+), 0 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url new file mode 100755 index 0000000..60f7e7b --- /dev/null +++ b/flashproxy-reg-url @@ -0,0 +1,112 @@ +#!/usr/bin/env python + +import base64 +import socket +import sys +import re +import getopt + +from M2Crypto import RSA, BIO + +FACILITATOR_URL = "https://tor-facilitator.bamsoftware.com/" +DEFAULT_REMOTE_PORT = 9000 + +def usage(f=sys.stdout): + print >> f, """\ +Usage: %(progname)s REMOTE[:PORT] + +Print a URL suitable for registering your client with the facilitator +at %(fac)s. This URL can be copy-pasted into an unblocked URL retrieval +service. The argument is the external address and port you wish to register. +If you omit the port, it will default to %(port)s. + + -h, --help show this message and exit. + +""" % { + "progname": sys.argv[0], + "fac": FACILITATOR_URL, + "port": DEFAULT_REMOTE_PORT, +} + +FACILITATOR_PUBKEY_PEM = """\ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzntbuj1olKgr1rTHiZqm +a/D7xauVqkpdkEF24eONpYfe1ziatBPft5X9D9flHnsa6mZlE671MT6CmjPo5Be/ +urk5gEiXvLiYlrWLAdYd/VzUow5JYLc24rLGHZxKrbXRNf2rdkH7fBlyOekmLj2G +k4Bi/t3OQvXP+7D+4ZVVrYemSWxSCSonjMSQg62TrQalyaTAjZNl9SLdALchR8Kk +rJS9VgCCjY5vG29WhWattEtlH5lKdkPcobhR/12MYh12AsdgDh7r2Zv9pSkDPuRb +mSvIn0b5R700sroS4BwwMpJOJFBnsFzE+Zz2MxGWwAf+9tXQW2Xfmarea0BaKOx/ +awIDAQAB +-----END PUBLIC KEY-----\ +""" + +def parse_addr_spec(spec, defhost = None, defport = None): + host = None + port = None + af = 0 + m = None + # IPv6 syntax. + if not m: + m = re.match(ur'^\[(.+)\]:(\d*)$', spec) + if m: + host, port = m.groups() + af = socket.AF_INET6 + if not m: + m = re.match(ur'^\[(.+)\]$', spec) + if m: + host, = m.groups() + af = socket.AF_INET6 + # IPv4/hostname/port-only syntax. + if not m: + try: + host, port = spec.split(":", 1) + except ValueError: + host = spec + if re.match(ur'^[\d.]+$', host): + af = socket.AF_INET + else: + af = 0 + host = host or defhost + port = port or defport + if port is not None: + port = int(port) + return host, port + +def format_addr(addr): + host, port = addr + if not host: + return u":%d" % port + # Numeric IPv6 address? + try: + addrs = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM, +socket.IPPROTO_TCP, socket.AI_NUMERICHOST) + af = addrs[0][0] + except socket.gaierror, e: + af = 0 + if af == socket.AF_INET6: + result = u"[%s]" % host + else: + result = "%s" % host + if port is not None: + result += u":%d" % port + return result + + +opt, args = getopt.gnu_getopt(sys.argv[1:], "h", ["help"]) +for o, a in opt: + if o == "-h" or o == "--help": + usage() + sys.exit(0) + +if len(args) != 1: + usage(f=sys.stderr) + sys.exit(1) + +addr = parse_addr_spec(args[0], defport=DEFAULT_REMOTE_PORT) +spec = format_addr(addr) + +rsa = RSA.load_pub_key_bio(BIO.MemoryBuffer(FACILITATOR_PUBKEY_PEM)) +ciphertext = rsa.public_encrypt(spec, RSA.pkcs1_oaep_padding) +reg = base64.urlsafe_b64encode(ciphertext) + +print "/".join([FACILITATOR_URL.strip("/"), "reg", reg]) [View Less]

1 0

[flashproxy/master] Add init script for facilitator-reg-url daemon.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit b0544a747fc5c52660f2c9fe8306d923936634f4 Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> Date: Fri Jan 18 10:06:49 2013 -0500 Add init script for facilitator-reg-url daemon. Add an init script for facilitator-reg-url. I just copied the one for facilitator-email-poller and changed some variables. Also updates the Makefile in /facilitator to copy the new init script. --- facilitator/Makefile | 5 +- facilitator/init.d/… [View More]facilitator-reg-url | 118 ++++++++++++++++++++++++++++++++ 2 files changed, 120 insertions(+), 3 deletions(-) diff --git a/facilitator/Makefile b/facilitator/Makefile index 14d7807..5a67bb5 100644 --- a/facilitator/Makefile +++ b/facilitator/Makefile @@ -6,9 +6,8 @@ all: install: mkdir -p $(BINDIR) - cp -f facilitator facilitator-email-poller facilitator.cgi fac.py $(BINDIR) - cp -f init.d/facilitator init.d/facilitator-email-poller /etc/init.d/ - + cp -f facilitator facilitator-email-poller facilitator-reg-url facilitator.cgi fac.py $(BINDIR) + cp -f init.d/facilitator init.d/facilitator-email-poller init.d/facilitator-reg-url /etc/init.d/ clean: rm -f *.pyc diff --git a/facilitator/init.d/facilitator-reg-url b/facilitator/init.d/facilitator-reg-url new file mode 100755 index 0000000..c6c129a --- /dev/null +++ b/facilitator/init.d/facilitator-reg-url @@ -0,0 +1,118 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: facilitator-reg-url +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Flash proxy URL registration helper. +# Description: Debian init script for the flash proxy URL registration daemon. +### END INIT INFO +# +# Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> +# + +# Based on /etc/init.d/skeleton from Debian 6. + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="Flash proxy URL registration daemon." +NAME=facilitator-reg-url +PIDFILE=/var/run/$NAME.pid +LOGFILE=/var/log/$NAME.log +CONFDIR=/etc/flashproxy +DAEMON=/usr/local/bin/$NAME +DAEMON_ARGS="--key $CONFDIR/reg-url.key --log $LOGFILE --pidfile $PIDFILE" +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +. /lib/init/vars.sh +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + rm -f $PIDFILE + return "$RETVAL" +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + restart|force-reload) + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: [View Less]

1 0

[flashproxy/master] Add handling of URL registrations to facilitator.cgi.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit f9701df16d8f7fc02fd6a1f80ffd73f64c131ef4 Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> Date: Thu Jan 17 20:37:42 2013 -0500 Add handling of URL registrations to facilitator.cgi. Modify facilitator.cgi to accept client registrations through HTTP GET requests. The addresses are encrypted and base64 encoded, and are passed in using extra path info of the form /reg/<address>. The registrations are handed off to a daemon for … [View More]precessing. --- facilitator/facilitator.cgi | 48 ++++++++++++++++++++++++++++++++++-------- 1 files changed, 39 insertions(+), 9 deletions(-) diff --git a/facilitator/facilitator.cgi b/facilitator/facilitator.cgi index c21e67d..28c1606 100755 --- a/facilitator/facilitator.cgi +++ b/facilitator/facilitator.cgi @@ -5,10 +5,12 @@ import os import socket import sys import urllib +import subprocess import fac FACILITATOR_ADDR = ("127.0.0.1", 9002) +FACILITATOR_REG_URL_ADDR = ("127.0.0.1", 9003) def exit_error(status): print """\ @@ -16,6 +18,19 @@ Status: %d\r \r""" % status sys.exit() +# Send a client registration to the helper daemon, +# which handles decryption and registration. +def url_reg(reg): + sock = socket.create_connection(FACILITATOR_REG_URL_ADDR) + sock.sendall(reg) + sock.shutdown(socket.SHUT_WR) + response = sock.recv(4096) + sock.close() + if response == "\x00": + return True + else: + return False + method = os.environ.get("REQUEST_METHOD") remote_addr = (os.environ.get("REMOTE_ADDR"), None) path_info = os.environ.get("PATH_INFO") or "/" @@ -26,20 +41,35 @@ if not method or not remote_addr[0]: fs = cgi.FieldStorage() def do_get(): - if path_info != "/": - exit_error(400) - try: - reg = fac.get_reg(FACILITATOR_ADDR, remote_addr) or "" - except: - exit_error(500) - # Allow XMLHttpRequest from any domain. http://www.w3.org/TR/cors/. - print """\ + args = [arg for arg in path_info.split("/") if arg] + # Check if we have a URL registration or a request for a client. + if len(args) == 2: + if args[0] != "reg": + exit_error(400) + reg = args[1] + # 256 byte RSA encryption, base64-encoded, should be no longer than 344 bytes. + if len(reg) > 350: + exit_error(400) + if not url_reg(reg): + exit_error(500) + print """\ +Status: 200\r +\r""" + elif len(args) == 0: + try: + reg = fac.get_reg(FACILITATOR_ADDR, remote_addr) or "" + except: + exit_error(500) + # Allow XMLHttpRequest from any domain. http://www.w3.org/TR/cors/. + print """\ Status: 200\r Content-Type: application/x-www-form-urlencoded\r Cache-Control: no-cache\r Access-Control-Allow-Origin: *\r \r""" - sys.stdout.write(urllib.urlencode(reg)) + sys.stdout.write(urllib.urlencode(reg)) + else: + exit_error(400) def do_post(): if path_info != "/": [View Less]

1 0