March 2013 - tor-commits - lists.torproject.org

[flashproxy/master] Make URL-based registration work with HEAD as well as GET.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 370a2650d406f3b1b2029f54b174f7e24446b61a Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 02:24:05 2013 -0700 Make URL-based registration work with HEAD as well as GET. --- facilitator/facilitator.cgi | 33 +++++++++++++++++++++++---------- 1 files changed, 23 insertions(+), 10 deletions(-) diff --git a/facilitator/facilitator.cgi b/facilitator/facilitator.cgi index bb0ac51..4885ead 100755 --- a/facilitator/facilitator.cgi +++ b/facilitator/facilitator.cgi @@ -21,7 +21,7 @@ def exit_error(status): sys.exit() # Send a base64-encoded client address to the registration daemon. -def url_reg(reg): +def send_url_reg(reg): # Translate from url-safe base64 alphabet to the standard alphabet. reg = reg.replace('-', '+').replace('_', '/') return fac.put_reg_base64(reg) @@ -35,17 +35,28 @@ if not method or not remote_addr[0]: fs = cgi.FieldStorage() +# Print the HEAD part of a URL-based registration response, or exit with an +# error if appropriate. +def url_reg(reg): + try: + if send_url_reg(reg): + output_status(204) + else: + exit_error(400) + except: + exit_error(500) + +def do_head(): + path_parts = [x for x in path_info.split("/") if x] + if len(path_parts) == 2 and path_parts[0] == "reg": + url_reg(path_parts[1]) + else: + exit_error(400) + def do_get(): path_parts = [x for x in path_info.split("/") if x] if len(path_parts) == 2 and path_parts[0] == "reg": - # This is a URL-based registration. - try: - if url_reg(path_parts[1]): - output_status(204) - else: - exit_error(400) - except: - exit_error(500) + url_reg(path_parts[1]) elif len(path_parts) == 0: try: reg = fac.get_reg(FACILITATOR_ADDR, remote_addr) or "" @@ -79,7 +90,9 @@ def do_post(): Status: 200\r \r""" -if method == "GET": +if method == "HEAD": + do_head() +elif method == "GET": do_get() elif method == "POST": do_post()

1 0

[flashproxy/master] Nicer URL building.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit ef486a7425771471c965eeb2db6f295074b7e7ea Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:43:32 2013 -0700 Nicer URL building. --- flashproxy-reg-url | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url index 1070889..dc953c1 100755 --- a/flashproxy-reg-url +++ b/flashproxy-reg-url @@ -5,6 +5,7 @@ import socket import sys import re import getopt +import urlparse from M2Crypto import RSA, BIO @@ -112,4 +113,4 @@ rsa = RSA.load_pub_key_bio(BIO.MemoryBuffer(FACILITATOR_PUBKEY_PEM)) reg_crypt = rsa.public_encrypt(reg_plain, RSA.pkcs1_oaep_padding) reg = base64.urlsafe_b64encode(reg_crypt) -print "/".join([options.facilitator_url.strip("/"), "reg", reg]) +print urlparse.urljoin(options.facilitator_url, "reg/" + reg)

1 0

[flashproxy/master] Formatting.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 64167c2715578bb544b2002757d6455ac4c13d72 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:45:49 2013 -0700 Formatting. --- flashproxy-reg-url | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url index dc953c1..dcd4ec1 100755 --- a/flashproxy-reg-url +++ b/flashproxy-reg-url @@ -1,10 +1,10 @@ #!/usr/bin/env python import base64 +import getopt +import re import socket import sys -import re -import getopt import urlparse from M2Crypto import RSA, BIO @@ -19,8 +19,8 @@ def usage(f = sys.stdout): print >> f, """\ Usage: %(progname)s REMOTE[:PORT] Print a URL, which, when retrieved, will cause the client address -REMOTE[:PORT] to be registered with the flash proxy facilitator. The default -PORT is %(port)d. +REMOTE[:PORT] to be registered with the flash proxy facilitator. The +default PORT is %(port)d. -f, --facilitator=URL register with the given facilitator (by default "%(fac_url)s").

1 0

[flashproxy/master] Show an error if the remote IP address is not given.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 40976bd26cc06a2ab95d6c598f9d18f19d76b7b8 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:48:03 2013 -0700 Show an error if the remote IP address is not given. Unlike the http and email methods, this rendezvous method cannot guess your external address. --- flashproxy-reg-url | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url index dcd4ec1..a2aba34 100755 --- a/flashproxy-reg-url +++ b/flashproxy-reg-url @@ -108,6 +108,10 @@ if len(args) != 1: sys.exit(1) remote_addr = parse_addr_spec(args[0], defport=DEFAULT_REMOTE_PORT) +if remote_addr[0] is None: + print >> sys.stderr, "An IP address (not just a port) is required." + sys.exit(1) + reg_plain = (u"client=%s" % format_addr(remote_addr)).encode("utf-8") rsa = RSA.load_pub_key_bio(BIO.MemoryBuffer(FACILITATOR_PUBKEY_PEM)) reg_crypt = rsa.public_encrypt(reg_plain, RSA.pkcs1_oaep_padding)

1 0

[flashproxy/master] Remove unused import.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 0e7f7b52b8c9c3240df08fb1957261d8417e3792 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 02:01:11 2013 -0700 Remove unused import. --- facilitator/facilitator.cgi | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/facilitator/facilitator.cgi b/facilitator/facilitator.cgi index 1dd125a..bb0ac51 100755 --- a/facilitator/facilitator.cgi +++ b/facilitator/facilitator.cgi @@ -5,7 +5,6 @@ import os import socket import sys import urllib -import subprocess import fac

1 0

[flashproxy/master] ChangeLog typo.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 4c58edf363e4a7457dd59a794293d115fb5cecab Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:52:21 2013 -0700 ChangeLog typo. --- ChangeLog | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ChangeLog b/ChangeLog index 49fedf2..fdbf5da 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,7 +25,7 @@ Changes in version 0.12 by Alexandre Allaire. o Updated the Tor Browser check to match the behavior of new Tor - Browsers. Patch by Alexandre Allaire and Arlo Breault. Fixed bug + Browsers. Patch by Alexandre Allaire and Arlo Breault. Fixes bug 8434. Changes in version 0.11

1 0

[flashproxy/master] ChangeLog for #7559.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 2f94ae45faadc16117a3f027de93eaa2b80cabd5 Author: David Fifield <david(a)bamsoftware.com> Date: Wed Mar 13 01:52:12 2013 -0700 ChangeLog for #7559. --- ChangeLog | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8a4b163..49fedf2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,10 @@ Changes in version 0.12 + o The new flashproxy-reg-url program prints a URL which, when + requested, causes an address to be registered with the facilitator. + You can use this program if the other registration methods are + blocked: pass the URL to a third party and ask them to request it. + Patch by Alexandre Allaire. Fixes bug 7559. + o The new websocket-server program is the server transport plugin that flash proxies talk to. It replaces the third-party websockify program that was used formerly. It works as a managed proxy and

1 0

[flashproxy/master] Add helper daemon for indirect URL registration.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit ab8ecafb5d424b7c9ba720a3bc06e1b948555153 Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> Date: Thu Jan 17 20:34:26 2013 -0500 Add helper daemon for indirect URL registration. Add a daemon which accepts RSA encrypted, base64 encoded client addresses and registers them with the facilitator. It is meant to be used by facilitator.cgi upon receiving a registration through a GET request. --- facilitator/facilitator-reg-url | 157 +++++++++++++++++++++++++++++++++++++++ 1 files changed, 157 insertions(+), 0 deletions(-) diff --git a/facilitator/facilitator-reg-url b/facilitator/facilitator-reg-url new file mode 100644 index 0000000..0127719 --- /dev/null +++ b/facilitator/facilitator-reg-url @@ -0,0 +1,157 @@ +#!/usr/bin/python + +import sys +import base64 +import getopt +import traceback +import socket +import time +import os + +from M2Crypto import RSA + +import fac + +DEFAULT_FACILITATOR_ADDR = ("127.0.0.1", 9002) +DEFAULT_RSA_KEY_FILE = "/etc/flashproxy/reg-url.key" +DEFAULT_PORT = 9003 +DEFAULT_LOG_FILE = "/var/log/facilitator-reg-url.log" + +LOG_DATE_FORMAT = "%Y-%m-%d %H:%M:%S" + +# M2Crypto RSA object +rsa = None + +class options(object): + log_filename = DEFAULT_LOG_FILE + log_file = sys.stdout + port = DEFAULT_PORT + debug = False + daemonize = True + key_file = DEFAULT_RSA_KEY_FILE + facilitator = DEFAULT_FACILITATOR_ADDR + safe_logging = True + pid_filename = None + +def usage(): + print """ +Usage: %(progname)s + +Helper daemon for registration by indirect URL. Receives +client addresses from facilitator.cgi, decrypts them and +registers them with the facilitator. + + -h, --help print this help message and exit. + -d, --debug don't daemonize, log to stdout. + -k, --key=KEYFILE read the RSA private key from KEYFILE. + -f, --facilitator=ADDR register with facilitator listening at ADDR. + -p, --port=PORT listen for registrations on this port (default %(port)s). + -l, --log FILE write log to FILE (default "%(log)s"). + --pidfile FILE write pid to file after daemonizing. + --unsafe-logging don't scrub IP addresses from logs. +""" % { + "progname": sys.argv[0], + "port": DEFAULT_PORT, + "log": DEFAULT_LOG_FILE, +} + +def safe_str(s): + """Return s if options.safe_logging is true, and "[scrubbed]" otherwise.""" + if options.safe_logging: + return "[scrubbed]" + else: + return s + +def log(msg): + print >> options.log_file, (u"%s %s" % (time.strftime(LOG_DATE_FORMAT), msg)).encode("UTF-8") + options.log_file.flush() + +def register(reg): + try: + ciphertext = base64.urlsafe_b64decode(reg) + client_spec = rsa.private_decrypt(ciphertext, RSA.pkcs1_oaep_padding) + except: + log(u"Error occurred while decoding and decrypting registration:") + traceback.print_exc(file=options.log_file) + return False + try: + client_addr = fac.parse_addr_spec(client_spec) + except ValueError: + log(u"Registration of %s failed because of parsing error:" % safe_str(client_spec)) + traceback.print_exc(file=options.log_file) + return False + if not fac.put_reg(options.facilitator, client_addr): + log(u"Regstration of %s failed at the facilitator." % safe_str(client_spec)) + return False + log(u"Registered %s" % safe_str(client_spec)) + return True + +def loop(): + sock = socket.socket() + sock.bind(('', options.port)) + sock.listen(5) + + while True: + client, _ = sock.accept() + reg, buf = "", "" + while True: + buf = client.recv(4096) + if buf == "": + break + reg += buf + if register(reg): + client.send("\x00") + else: + client.send("\x01") + client.shutdown(socket.SHUT_RDWR) + client.close() + +def main(): + opts, args = getopt.gnu_getopt(sys.argv[1:], "hdl:p:k:f:", ["help", "debug", "log=", "port=", "key=", "facilitator=", "pidfile=", "unsafe-logging"]) + for o, a in opts: + if o == "-h" or o == "--help": + usage() + sys.exit(0) + if o == "-d" or o == "--debug": + options.daemonize = False + options.log_filename = False + if o == "-l" or o == "--log": + options.log_filename = a + if o == "-p" or o == "--port": + options.port = int(a) + if o == "-k" or o == "--key": + options.key_file = a + if o == "-f" or o == "--facilitator": + options.facilitator = fac.parse_addr_spec(a, resolve=True) + if o == "--pidfile": + options.pid_filename = a + if o == "--unsafe-logging": + options.safe_logging = False + + if options.daemonize: + log(u"daemonizing") + pid = os.fork() + if pid != 0: + if options.pid_filename: + f = open(options.pid_filename, "w") + print >> f, pid + f.close() + sys.exit(0) + + if options.log_filename: + options.log_file = open(options.log_filename, "a") + log(u"Starting on port %s" % options.port) + + # Load RSA key. + try: + global rsa + rsa = RSA.load_key(options.key_file) + except: + log(u"Failed to load RSA private key:") + traceback.print_exc(file=options.log_file) + sys.exit(1) + + loop() + +if __name__ == "__main__": + main()

1 0

[flashproxy/master] Add helper program to print URL registrations.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit 295ec665c214f266899be3bb01ce12bd32b3a8d8 Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> Date: Tue Jan 22 21:05:37 2013 -0500 Add helper program to print URL registrations. Add a client-side helper program, flashproxy-reg-url, to print out encrypted URLs that can be used to register with a facilitator. The public key and facilitator are hard coded into the script. --- flashproxy-reg-url | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 112 insertions(+), 0 deletions(-) diff --git a/flashproxy-reg-url b/flashproxy-reg-url new file mode 100755 index 0000000..60f7e7b --- /dev/null +++ b/flashproxy-reg-url @@ -0,0 +1,112 @@ +#!/usr/bin/env python + +import base64 +import socket +import sys +import re +import getopt + +from M2Crypto import RSA, BIO + +FACILITATOR_URL = "https://tor-facilitator.bamsoftware.com/" +DEFAULT_REMOTE_PORT = 9000 + +def usage(f=sys.stdout): + print >> f, """\ +Usage: %(progname)s REMOTE[:PORT] + +Print a URL suitable for registering your client with the facilitator +at %(fac)s. This URL can be copy-pasted into an unblocked URL retrieval +service. The argument is the external address and port you wish to register. +If you omit the port, it will default to %(port)s. + + -h, --help show this message and exit. + +""" % { + "progname": sys.argv[0], + "fac": FACILITATOR_URL, + "port": DEFAULT_REMOTE_PORT, +} + +FACILITATOR_PUBKEY_PEM = """\ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzntbuj1olKgr1rTHiZqm +a/D7xauVqkpdkEF24eONpYfe1ziatBPft5X9D9flHnsa6mZlE671MT6CmjPo5Be/ +urk5gEiXvLiYlrWLAdYd/VzUow5JYLc24rLGHZxKrbXRNf2rdkH7fBlyOekmLj2G +k4Bi/t3OQvXP+7D+4ZVVrYemSWxSCSonjMSQg62TrQalyaTAjZNl9SLdALchR8Kk +rJS9VgCCjY5vG29WhWattEtlH5lKdkPcobhR/12MYh12AsdgDh7r2Zv9pSkDPuRb +mSvIn0b5R700sroS4BwwMpJOJFBnsFzE+Zz2MxGWwAf+9tXQW2Xfmarea0BaKOx/ +awIDAQAB +-----END PUBLIC KEY-----\ +""" + +def parse_addr_spec(spec, defhost = None, defport = None): + host = None + port = None + af = 0 + m = None + # IPv6 syntax. + if not m: + m = re.match(ur'^\[(.+)\]:(\d*)$', spec) + if m: + host, port = m.groups() + af = socket.AF_INET6 + if not m: + m = re.match(ur'^\[(.+)\]$', spec) + if m: + host, = m.groups() + af = socket.AF_INET6 + # IPv4/hostname/port-only syntax. + if not m: + try: + host, port = spec.split(":", 1) + except ValueError: + host = spec + if re.match(ur'^[\d.]+$', host): + af = socket.AF_INET + else: + af = 0 + host = host or defhost + port = port or defport + if port is not None: + port = int(port) + return host, port + +def format_addr(addr): + host, port = addr + if not host: + return u":%d" % port + # Numeric IPv6 address? + try: + addrs = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM, +socket.IPPROTO_TCP, socket.AI_NUMERICHOST) + af = addrs[0][0] + except socket.gaierror, e: + af = 0 + if af == socket.AF_INET6: + result = u"[%s]" % host + else: + result = "%s" % host + if port is not None: + result += u":%d" % port + return result + + +opt, args = getopt.gnu_getopt(sys.argv[1:], "h", ["help"]) +for o, a in opt: + if o == "-h" or o == "--help": + usage() + sys.exit(0) + +if len(args) != 1: + usage(f=sys.stderr) + sys.exit(1) + +addr = parse_addr_spec(args[0], defport=DEFAULT_REMOTE_PORT) +spec = format_addr(addr) + +rsa = RSA.load_pub_key_bio(BIO.MemoryBuffer(FACILITATOR_PUBKEY_PEM)) +ciphertext = rsa.public_encrypt(spec, RSA.pkcs1_oaep_padding) +reg = base64.urlsafe_b64encode(ciphertext) + +print "/".join([FACILITATOR_URL.strip("/"), "reg", reg])

1 0

[flashproxy/master] Add init script for facilitator-reg-url daemon.
by dcf＠torproject.org 13 Mar '13

13 Mar '13

commit b0544a747fc5c52660f2c9fe8306d923936634f4 Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> Date: Fri Jan 18 10:06:49 2013 -0500 Add init script for facilitator-reg-url daemon. Add an init script for facilitator-reg-url. I just copied the one for facilitator-email-poller and changed some variables. Also updates the Makefile in /facilitator to copy the new init script. --- facilitator/Makefile | 5 +- facilitator/init.d/facilitator-reg-url | 118 ++++++++++++++++++++++++++++++++ 2 files changed, 120 insertions(+), 3 deletions(-) diff --git a/facilitator/Makefile b/facilitator/Makefile index 14d7807..5a67bb5 100644 --- a/facilitator/Makefile +++ b/facilitator/Makefile @@ -6,9 +6,8 @@ all: install: mkdir -p $(BINDIR) - cp -f facilitator facilitator-email-poller facilitator.cgi fac.py $(BINDIR) - cp -f init.d/facilitator init.d/facilitator-email-poller /etc/init.d/ - + cp -f facilitator facilitator-email-poller facilitator-reg-url facilitator.cgi fac.py $(BINDIR) + cp -f init.d/facilitator init.d/facilitator-email-poller init.d/facilitator-reg-url /etc/init.d/ clean: rm -f *.pyc diff --git a/facilitator/init.d/facilitator-reg-url b/facilitator/init.d/facilitator-reg-url new file mode 100755 index 0000000..c6c129a --- /dev/null +++ b/facilitator/init.d/facilitator-reg-url @@ -0,0 +1,118 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: facilitator-reg-url +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Flash proxy URL registration helper. +# Description: Debian init script for the flash proxy URL registration daemon. +### END INIT INFO +# +# Author: Alexandre Allaire <alexandre.allaire(a)mail.mcgill.ca> +# + +# Based on /etc/init.d/skeleton from Debian 6. + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="Flash proxy URL registration daemon." +NAME=facilitator-reg-url +PIDFILE=/var/run/$NAME.pid +LOGFILE=/var/log/$NAME.log +CONFDIR=/etc/flashproxy +DAEMON=/usr/local/bin/$NAME +DAEMON_ARGS="--key $CONFDIR/reg-url.key --log $LOGFILE --pidfile $PIDFILE" +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +. /lib/init/vars.sh +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + rm -f $PIDFILE + return "$RETVAL" +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + restart|force-reload) + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +:

1 0