tor-commits
July 2014

07 Jul '14
commit d5523217f4d2274a7b5cd99d6af35ca80dbf73a0
Author: Translation commit bot <translation(a)torproject.org>
Date: Mon Jul 7 10:45:03 2014 +0000
Update translations for bridgedb
---
ar/LC_MESSAGES/bridgedb.po | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ar/LC_MESSAGES/bridgedb.po b/ar/LC_MESSAGES/bridgedb.po
index 42c7743..77f8762 100644
--- a/ar/LC_MESSAGES/bridgedb.po
+++ b/ar/LC_MESSAGES/bridgedb.po
@@ -6,6 +6,7 @@
# Ahmad Gharbeia <gharbeia(a)gmail.com>, 2014
# allamiro <allamiro(a)gmail.com>, 2011
# Mohamed El-Feky <elfeky.m(a)gmail.com>, 2014
+# AnonymousLady <farah.jaza(a)hotmail.com>, 2014
# 0xidz <ghoucine(a)gmail.com>, 2014
# محمد الحرقان <malham1(a)gmail.com>, 2011
# Sherief Alaa <sheriefalaa.w(a)gmail.com>, 2013-2014
@@ -16,8 +17,8 @@ msgstr ""
"Project-Id-Version: The Tor Project\n"
"Report-Msgid-Bugs-To: 'https://trac.torproject.org/projects/tor/newticket?component=BridgeDB&keywo…'\n"
"POT-Creation-Date: 2014-06-06 21:46+0000\n"
-"PO-Revision-Date: 2014-07-04 15:21+0000\n"
-"Last-Translator: 0xidz <ghoucine(a)gmail.com>\n"
+"PO-Revision-Date: 2014-07-07 10:41+0000\n"
+"Last-Translator: AnonymousLady <farah.jaza(a)hotmail.com>\n"
"Language-Team: Arabic (http://www.transifex.com/projects/p/torproject/language/ar/)\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
@@ -159,7 +160,7 @@ msgstr "bridges لا تعمل! أنا بحاجة إلى مساعدة!"
#: lib/bridgedb/strings.py:92
#, python-format
msgid "If your Tor doesn't work, you should email %s."
-msgstr ""
+msgstr "في حال عدم عمل Tor, ارسل بريد الكتروني الى %s."
#. TRANSLATORS: Please DO NOT translate "Pluggable Transports".
#. TRANSLATORS: Please DO NOT translate "Tor Browser".
@@ -259,7 +260,7 @@ msgstr ""
#. TRANSLATORS: Please DO NOT translate "GnuPG".
#: lib/bridgedb/strings.py:151
msgid "Get a copy of BridgeDB's public GnuPG key."
-msgstr ""
+msgstr "احصل على نسخة لالمفتاح GnuPG العام العائد لBridgeDB"
#: lib/bridgedb/templates/base.html:91
msgid "Report a Bug"

[flashproxy/master] factor out the M2Crypto check to flashproxy.keys
by infinity0@torproject.org 07 Jul '14
07 Jul '14
commit 2d1fd22de9ab2648ab81287079a9b9b9f7700f64
Author: Ximin Luo <infinity0(a)gmx.com>
Date: Tue Nov 19 15:29:19 2013 +0000
factor out the M2Crypto check to flashproxy.keys
---
flashproxy-reg-appspot | 15 +++------------
flashproxy-reg-email | 17 +++--------------
flashproxy-reg-url | 15 +++------------
flashproxy/keys.py | 19 +++++++++++++++++++
4 files changed, 28 insertions(+), 38 deletions(-)
diff --git a/flashproxy-reg-appspot b/flashproxy-reg-appspot
index 134e9ff..616b407 100755
--- a/flashproxy-reg-appspot
+++ b/flashproxy-reg-appspot
@@ -10,14 +10,14 @@ import sys
import urlparse
import urllib2
-from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, temp_cert
+from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, ensure_M2Crypto, temp_cert
from flashproxy.util import parse_addr_spec, format_addr
try:
from M2Crypto import SSL
except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
- SSL = None
+ pass
DEFAULT_REMOTE_ADDRESS = ""
DEFAULT_REMOTE_PORT = 9000
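Review bot: After this change the `except ImportError: pass` branch leaves `SSL` undefined, and the retained comment no longer says where the deferred error is reported. The script now depends on `ensure_M2Crypto()` from flashproxy.keys running before the first use of `SSL`; I would say so in the comment, e.g. `# Reported later by flashproxy.keys.ensure_M2Crypto(); SSL stays undefined until then.` Note also that keys.py tests `import M2Crypto` while this file needs `from M2Crypto import SSL`, so a partial install would presumably surface as a NameError rather than the install hint. The same applies to the matching import hunks in flashproxy-reg-email and flashproxy-reg-url.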
@@ -181,16 +181,7 @@ else:
usage(sys.stderr)
sys.exit(1)
-if SSL is None:
- print >> sys.stderr, """\
-This program requires the M2Crypto library, which is not installed.
-
-You can install it using one of the packages at
-http://chandlerproject.org/Projects/MeTooCrypto#Downloads.
-
-On Debian-like systems, use the command "apt-get install python-m2crypto".\
-"""
- sys.exit(1)
+ensure_M2Crypto()
if options.address_family != socket.AF_UNSPEC:
getaddrinfo = socket.getaddrinfo
diff --git a/flashproxy-reg-email b/flashproxy-reg-email
index 6309cec..7dac8cb 100755
--- a/flashproxy-reg-email
+++ b/flashproxy-reg-email
@@ -9,16 +9,14 @@ import socket
import sys
import urllib
-from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, DEFAULT_FACILITATOR_PUBKEY_PEM, check_certificate_pin, temp_cert
+from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, DEFAULT_FACILITATOR_PUBKEY_PEM, check_certificate_pin, ensure_M2Crypto, temp_cert
from flashproxy.util import parse_addr_spec, format_addr
try:
from M2Crypto import BIO, RSA, SSL
except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
- BIO = None
- RSA = None
- SSL = None
+ pass
DEFAULT_REMOTE_ADDRESS = ""
DEFAULT_REMOTE_PORT = 9000
@@ -145,16 +143,7 @@ else:
usage(sys.stderr)
sys.exit(1)
-if SSL is None:
- print >> sys.stderr, """\
-This program requires the M2Crypto library, which is not installed.
-
-You can install it using one of the packages at
-http://chandlerproject.org/Projects/MeTooCrypto#Downloads.
-
-On Debian-like systems, use the command "apt-get install python-m2crypto".\
-"""
- sys.exit(1)
+ensure_M2Crypto()
if options.address_family != socket.AF_UNSPEC:
getaddrinfo = socket.getaddrinfo
diff --git a/flashproxy-reg-url b/flashproxy-reg-url
index 4685f28..26109fc 100755
--- a/flashproxy-reg-url
+++ b/flashproxy-reg-url
@@ -7,14 +7,14 @@ import sys
import urllib
import urlparse
-from flashproxy.keys import DEFAULT_FACILITATOR_PUBKEY_PEM
+from flashproxy.keys import DEFAULT_FACILITATOR_PUBKEY_PEM, ensure_M2Crypto
from flashproxy.util import parse_addr_spec, format_addr
try:
from M2Crypto import BIO, RSA
except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
- RSA = None
+ pass
DEFAULT_REMOTE_ADDRESS = ""
DEFAULT_REMOTE_PORT = 9000
@@ -88,16 +88,7 @@ if not remote_addr[0]:
print >> sys.stderr, "An IP address (not just a port) is required."
sys.exit(1)
-if RSA is None:
- print >> sys.stderr, """\
-This program requires the M2Crypto library, which is not installed.
-
-You can install it using one of the packages at
-http://chandlerproject.org/Projects/MeTooCrypto#Downloads.
-
-On Debian-like systems, use the command "apt-get install python-m2crypto".\
-"""
- sys.exit(1)
+ensure_M2Crypto()
reg_plain = build_reg(remote_addr, options.transport)
rsa = get_facilitator_pubkey()
diff --git a/flashproxy/keys.py b/flashproxy/keys.py
index 08ffc46..1365f07 100644
--- a/flashproxy/keys.py
+++ b/flashproxy/keys.py
@@ -4,6 +4,12 @@ import tempfile
from hashlib import sha1
+try:
+ import M2Crypto
+except ImportError:
+ # Defer the error so that the main program gets a chance to print help text
+ M2Crypto = None
+
# We trust no other CA certificate than this.
#
# To find the certificate to copy here,
@@ -98,3 +104,16 @@ class temp_cert(object):
def __exit__(self, type, value, traceback):
os.unlink(self.path)
+
+def ensure_M2Crypto():
+ if M2Crypto is None:
+ print >> sys.stderr, """\
+This program requires the M2Crypto library, which is not installed.
+
+You can install it using one of the packages at
+http://chandlerproject.org/Projects/MeTooCrypto#Downloads.
+
+On Debian-like systems, use the command "apt-get install python-m2crypto".\
+"""
+ sys.exit(1)
+
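Review bot: `ensure_M2Crypto()` uses `sys.stderr` and `sys.exit`, but the only imports visible near the top of keys.py are `tempfile` and `from hashlib import sha1`. The first three lines of the file are outside the hunk, so please confirm `import sys` is among them; otherwise the missing-library path raises NameError instead of printing the install hint. The function also has no docstring; something like `"""Exit with an install hint if M2Crypto could not be imported."""` would tell callers that it terminates the process rather than returning a status.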

07 Jul '14
commit e6b07f1d84fd5735a9ba3afae96ff8626e7cd9a2
Author: Ximin Luo <infinity0(a)torproject.org>
Date: Thu Feb 13 16:43:17 2014 +0000
fix flashproxy-client registration
- this ought to have been grouped together with c323a11f "migrate flashproxy-client to argparse" but it had already been reviewed, so I kept this extra commit
---
flashproxy-client | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/flashproxy-client b/flashproxy-client
index af20dcf..9e198a4 100755
--- a/flashproxy-client
+++ b/flashproxy-client
@@ -54,10 +54,7 @@ class options(object):
managed = True
- address_family = socket.AF_UNSPEC
daemonize = False
- facilitator_url = None
- facilitator_pubkey_filename = None
log_filename = None
log_file = sys.stdout
pid_filename = None
@@ -66,8 +63,13 @@ class options(object):
port_forwarding_external = None
register = False
register_commands = []
+
+ # registration options
+ address_family = socket.AF_UNSPEC
transport = DEFAULT_TRANSPORT
safe_logging = True
+ facilitator_url = None
+ facilitator_pubkey_filename = None
def safe_str(s):
"""Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
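Review bot: The new `# registration options` comment groups `safe_logging` with the registration settings, yet `safe_str()` directly below reads `options.safe_logging` to scrub the client's own log output, so the label understates what the flag controls. A comment such as `# options that are also propagated to the registration helpers` matches the wording used in the parser epilog for this file and would not suggest that log scrubbing is registration-only. The same applies to the `# set registration options` comment in the next hunk of this commit. The `options` class starts outside the hunk.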
@@ -1087,13 +1089,17 @@ If you need to pass more options, use TODO #9976.""")
% DEFAULT_REMOTE_PORT, default="", nargs="?")
ns = parser.parse_args(sys.argv[1:])
+ # set registration options
options.address_family = ns.address_family or socket.AF_UNSPEC
if options.address_family != socket.AF_UNSPEC:
getaddrinfo = socket.getaddrinfo
def getaddrinfo_replacement(host, port, family, *args, **kwargs):
return getaddrinfo(host, port, options.address_family, *args, **kwargs)
socket.getaddrinfo = getaddrinfo_replacement
+ options.transport = ns.transport
options.safe_logging = not ns.unsafe_logging
+ options.facilitator_url = ns.facilitator
+ options.facilitator_pubkey_filename = ns.facilitator_pubkey
options.managed = not ns.external

07 Jul '14
commit c323a11f3c4fbf9ed0fd9721d62410584524197b
Author: Ximin Luo <infinity0(a)gmx.com>
Date: Tue Nov 19 17:17:59 2013 +0000
migrate flashproxy-client to argparse
---
flashproxy-client | 255 ++++++++++++++++++++++++-----------------------------
1 file changed, 115 insertions(+), 140 deletions(-)
diff --git a/flashproxy-client b/flashproxy-client
index 09630b3..60068be 100755
--- a/flashproxy-client
+++ b/flashproxy-client
@@ -3,11 +3,11 @@
The flashproxy client transport plugin.
"""
+import argparse
import BaseHTTPServer
import array
import base64
import cStringIO
-import getopt
import os
import os.path
import select
@@ -69,70 +69,6 @@ class options(object):
transport = DEFAULT_TRANSPORT
safe_logging = True
-def usage(f = sys.stdout):
- print >> f, """\
-Usage: %(progname)s --register [LOCAL][:PORT] [REMOTE][:PORT]
-Wait for connections on a local and a remote port. When any pair of connections
-exists, data is ferried between them until one side is closed. By default
-LOCAL is localhost addresses on port %(local_port)d and REMOTE is all addresses
-on port %(remote_port)d.
-
-The local connection acts as a SOCKS4a proxy, but the host and port in the SOCKS
-request are ignored and the local connection is always linked to a remote
-connection.
-
-By default, runs as a managed proxy: informs a parent Tor process of support for
-the "flashproxy" or "websocket" pluggable transport. In managed mode,
-the LOCAL port is chosen arbitrarily instead of defaulting to
-%(local_port)d; however this can be overridden by including a LOCAL port
-in the command. This is the way the program should be invoked in a torrc
-ClientTransportPlugin "exec" line. Use the --external option to run as
-an external proxy that does not interact with Tor.
-
-If any of the --register, --register-addr, or --register-methods options are
-used, then your IP address will be sent to the facilitator so that proxies can
-connect to you. You need to register in some way in order to get any service.
-The --facilitator option allows controlling which facilitator is used; if
-omitted, it uses a public default.
-
- -4 registration helpers use IPv4.
- -6 registration helpers use IPv6.
- --daemon daemonize (Unix only).
- --external be an external proxy (don't interact with Tor using
- environment variables and stdout).
- -f, --facilitator=URL advertise willingness to receive connections to URL.
- --facilitator-pubkey=FILENAME
- encrypt registrations to the given PEM-formatted
- public key (default built-in).
- -h, --help show this help.
- -l, --log FILENAME write log to FILENAME (default stdout).
- --pidfile FILENAME write PID to FILENAME after daemonizing.
- --port-forwarding attempt to forward REMOTE port.
- --port-forwarding-helper=PROGRAM use the given PROGRAM to forward ports
- (default "%(port_forwarding_helper)s"). Implies --port-forwarding.
- --port-forwarding-external=PORT forward the external PORT to REMOTE on
- the local host (default same as REMOTE). Implies
- --port-forwarding.
- -r, --register register with the facilitator.
- --register-addr=ADDR register the given address (in case it differs from
- REMOTE). Implies --register.
- --register-methods=METHOD[,METHOD...]
- register using the given comma-separated list of
- methods. Implies --register. Possible methods are
- appspot email http
- Default is "%(reg_methods)s".
- --transport=TRANSPORT register using the given transport
- (default "%(transport)s").
- --unsafe-logging don't scrub IP addresses from logs.\
-""" % {
- "progname": sys.argv[0],
- "local_port": DEFAULT_LOCAL_PORT_EXTERNAL,
- "remote_port": DEFAULT_REMOTE_PORT,
- "reg_methods": ",".join(DEFAULT_REGISTER_METHODS),
- "port_forwarding_helper": DEFAULT_PORT_FORWARDING_HELPER,
- "transport": DEFAULT_TRANSPORT,
-}
-
def safe_str(s):
"""Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
if options.safe_logging:
@@ -1070,69 +1006,109 @@ def main():
global websocket_pending, socks_pending
global unlinked_locals, unlinked_remotes
- register_addr_spec = None
- register_methods = []
-
- opts, args = getopt.gnu_getopt(sys.argv[1:], "46f:hl:r", [
- "daemon",
- "external",
- "facilitator=",
- "facilitator-pubkey=",
- "help",
- "log=",
- "pidfile=",
- "register",
- "register-addr=",
- "register-methods=",
- "port-forwarding",
- "port-forwarding-helper=",
- "port-forwarding-external=",
- "transport=",
- "unsafe-logging",
- ])
- for o, a in opts:
- if o == "-4":
- options.address_family = socket.AF_INET
- elif o == "-6":
- options.address_family = socket.AF_INET6
- elif o == "--daemon":
- options.daemonize = True
- elif o == "--external":
- options.managed = False
- elif o == "-f" or o == "--facilitator":
- options.facilitator_url = a
- elif o == "--facilitator-pubkey":
- options.facilitator_pubkey_filename = a
- elif o == "-h" or o == "--help":
- usage()
- sys.exit()
- elif o == "-l" or o == "--log":
- options.log_filename = a
- elif o == "--pidfile":
- options.pid_filename = a
- elif o == "-r" or o == "--register":
- options.register = True
- elif o == "--register-addr":
- if register_addr_spec is not None:
- print >> sys.stderr, "%s: only one --register-addr is allowed." % sys.argv[0]
- sys.exit(1)
- options.register = True
- register_addr_spec = a
- elif o == "--register-methods":
- options.register = True
- register_methods.extend(a.split(","))
- elif o == "--port-forwarding":
- options.port_forwarding = True
- elif o == "--port-forwarding-helper":
- options.port_forwarding = True
- options.port_forwarding_helper = a
- elif o == "--port-forwarding-external":
- options.port_forwarding = True
- options.port_forwarding_external = int(a)
- elif o == "--transport":
- options.transport = a
- elif o == "--unsafe-logging":
- options.safe_logging = False
+ parser = argparse.ArgumentParser(
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ description="""\
+Wait for connections on a local and a remote port. When any pair of connections
+exists, data is ferried between them until one side is closed.
+
+The local connection acts as a SOCKS4a proxy, but the host and port in the SOCKS
+request are ignored and the local connection is always linked to a remote
+connection.
+
+By default, runs as a managed proxy: informs a parent Tor process of support for
+the "flashproxy" or "websocket" pluggable transport. In managed mode, the LOCAL
+port is chosen arbitrarily instead of the default; this can be overridden by
+including a LOCAL port in the command. This is the way the program should be
+invoked in a torrc ClientTransportPlugin "exec" line. Use the --external option
+to run as an external proxy that does not interact with Tor.
+
+If any of the --register, --register-addr, or --register-methods options are
+used, then your IP address will be sent to the facilitator so that proxies can
+connect to you. You need to register in some way in order to get any service.
+The --facilitator option allows controlling which facilitator is used; if
+omitted, it uses a public default.""",
+ epilog="""\
+The -4, -6, --unsafe-logging, --transport and --facilitator-pubkey options are
+propagated to the child registration helpers. For backwards compatilibility,
+the --facilitator option is also propagated to the http registration helper.
+If you need to pass more options, use TODO #9976.""")
+ # common opts
+ parser.add_argument("-4", help="name lookups use only IPv4.",
+ action="store_const", const=socket.AF_INET, dest="address_family")
+ parser.add_argument("-6", help="name lookups use only IPv6.",
+ action="store_const", const=socket.AF_INET6, dest="address_family")
+ parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
+ "other sensitive information from logs.", action="store_true")
+ parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
+ "the given PEM-formatted public key file (default built-in).",
+ metavar='FILENAME')
+ parser.add_argument("--transport",
+ help="register using the given transport, default %(default)s.",
+ default=DEFAULT_TRANSPORT)
+ parser.add_argument("-f", "--facilitator", metavar="URL",
+ help="register with the facilitator at this URL, default %(default)s. "
+ "This is passed to the http registration ONLY.")
+ # specific opts and args
+ parser.add_argument("--daemon",
+ help="daemonize (Unix only).", action="store_true")
+ parser.add_argument("--external",
+ help="be an external (non-managed) proxy - don't interact with Tor "
+ "using environment variables and stdout.", action="store_true")
+ parser.add_argument("-l", "--log", metavar="FILENAME",
+ help="write log to FILENAME (default stderr).")
+ parser.add_argument("--pidfile", metavar="FILENAME",
+ help="write PID to FILENAME after daemonizing.")
+ parser.add_argument("--port-forwarding",
+ help="attempt to forward REMOTE port.", action="store_true")
+ parser.add_argument("--port-forwarding-helper", metavar="PROGRAM",
+ help="use the given PROGRAM to forward ports, default %s. Implies "
+ "--port-forwarding." % DEFAULT_PORT_FORWARDING_HELPER)
+ parser.add_argument("--port-forwarding-external", metavar="PORT",
+ help="forward the external PORT to REMOTE on the local host, default "
+ "same as the REMOTE. Implies --port-forwarding.", type=int)
+ parser.add_argument("-r", "--register",
+ help="register with the facilitator.", action="store_true")
+ parser.add_argument("--register-addr", metavar="ADDR",
+ help="register the given address (in case it differs from REMOTE). "
+ "Implies --register.")
+ parser.add_argument("--register-methods", metavar="METHOD[,METHOD...]",
+ help="register using the given comma-separated list of methods. "
+ "Implies --register. Possible methods are appspot,email,http. Default "
+ "is %s." % ",".join(DEFAULT_REGISTER_METHODS),
+ type=lambda x: None if x is None else x.split(",") if x else [])
+ parser.add_argument("local_addr", metavar="LOCAL:PORT",
+ help="local addr+port to listen on, default all localhost addresses on "
+ "port %s. In managed mode, the port is chosen arbitrarily if not given."
+ % DEFAULT_LOCAL_PORT_EXTERNAL, default="", nargs="?")
+ parser.add_argument("remote_addr", metavar="REMOTE:PORT",
+ help="remote addr+port to listen on, default all addresses on port %s"
+ % DEFAULT_REMOTE_PORT, default="", nargs="?")
+
+ ns = parser.parse_args(sys.argv[1:])
+ options.address_family = ns.address_family or socket.AF_UNSPEC
+ if options.address_family != socket.AF_UNSPEC:
+ getaddrinfo = socket.getaddrinfo
+ def getaddrinfo_replacement(host, port, family, *args, **kwargs):
+ return getaddrinfo(host, port, options.address_family, *args, **kwargs)
+ socket.getaddrinfo = getaddrinfo_replacement
+ options.safe_logging = not ns.unsafe_logging
+
+ options.managed = not ns.external
+
+ # do registration if any of the register options were set
+ do_register = (ns.register or
+ ns.register_addr is not None or
+ ns.register_methods is not None)
+
+ # do port forwarding if any of the port-forwarding options were set
+ do_port_forwarding = (ns.port_forwarding or
+ ns.port_forwarding_helper is not None or
+ ns.port_forwarding_external is not None)
+
+ options.log_filename = ns.log
+ options.daemonize = ns.daemon
+ options.pid_filename = ns.pidfile
if options.log_filename:
options.log_file = open(options.log_filename, "a")
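Review bot: The new `-l/--log` help says `(default stderr)`, but the usage text removed by this commit said `default stdout`, and the `options` class shown for this file elsewhere on the page has `log_file = sys.stdout`; the help should read `write log to FILENAME (default stdout).` unless the default is changed too. The `-f/--facilitator` help interpolates `%(default)s` with no `default=` given, so it will print `default None`. Behaviour also shifts quietly: repeated `--register-methods` used to accumulate via `extend` and a second `--register-addr` was rejected, whereas argparse keeps only the last value of each. The epilog has a typo (`compatilibility`) and ships a `TODO #9976` placeholder to users. `main()` begins and continues outside the hunk.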
@@ -1152,18 +1128,8 @@ def main():
default_local_port = DEFAULT_LOCAL_PORT_EXTERNAL
default_remote_port = DEFAULT_REMOTE_PORT
- if len(args) == 0:
- local_addr = ("", default_local_port)
- remote_addr = ("", default_remote_port)
- elif len(args) == 1:
- local_addr = parse_addr_spec(args[0], defhost="", defport=default_local_port)
- remote_addr = ("", default_remote_port)
- elif len(args) == 2:
- local_addr = parse_addr_spec(args[0], defhost="", defport=default_local_port)
- remote_addr = parse_addr_spec(args[1], defhost="", defport=default_remote_port)
- else:
- usage(sys.stderr)
- sys.exit(1)
+ local_addr = parse_addr_spec(ns.local_addr, defhost="", defport=default_local_port)
+ remote_addr = parse_addr_spec(ns.remote_addr, defhost="", defport=default_remote_port)
if local_addr[0]:
options.local_addrs.append(local_addr)
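Review bot: Both positionals default to `""`, so `parse_addr_spec` is now called with an empty string whenever LOCAL or REMOTE is omitted, where the removed code built `("", default_local_port)` and `("", default_remote_port)` directly without calling it. `parse_addr_spec` lives in flashproxy.util and is not shown here, so please confirm it returns `(defhost, defport)` for `""`. If it does not, a guard such as `local_addr = parse_addr_spec(ns.local_addr, defhost="", defport=default_local_port) if ns.local_addr else ("", default_local_port)` keeps the old behaviour. This is still inside `main()`, which continues past the hunk.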
@@ -1180,11 +1146,20 @@ def main():
if socket.has_ipv6:
options.remote_addrs.append(("::", remote_addr[1]))
+ # Determine registration info if requested.
+ options.register = do_register
+ register_addr_spec = ns.register_addr
+ register_methods = ns.register_methods
+
if not register_methods:
register_methods = DEFAULT_REGISTER_METHODS
for method in register_methods:
options.register_commands.append(build_register_command(method))
+ options.port_forwarding = do_port_forwarding
+ options.port_forwarding_helper = ns.port_forwarding_helper or DEFAULT_PORT_FORWARDING_HELPER
+ options.port_forwarding_external = ns.port_forwarding_external
+
# Remote sockets, accepting remote WebSocket connections from proxies.
remote_listen = []
for addr in options.remote_addrs:
commit d3dbe18920f39e6d365186f26a2feda98d81decc
Author: Ximin Luo <infinity0(a)gmx.com>
Date: Tue Nov 19 19:28:57 2013 +0000
more docs for reg methods
- mention how the client registration address is worked out
- add shorter usage synopses from man pages
---
flashproxy-client | 1 +
flashproxy-reg-appspot | 5 ++++-
flashproxy-reg-email | 4 +++-
flashproxy-reg-http | 5 ++++-
flashproxy-reg-url | 1 +
5 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/flashproxy-client b/flashproxy-client
index 60068be..af20dcf 100755
--- a/flashproxy-client
+++ b/flashproxy-client
@@ -1007,6 +1007,7 @@ def main():
global unlinked_locals, unlinked_remotes
parser = argparse.ArgumentParser(
+ usage="%(prog)s --register [OPTIONS] [LOCAL][:PORT] [REMOTE][:PORT]",
formatter_class=argparse.RawDescriptionHelpFormatter,
description="""\
Wait for connections on a local and a remote port. When any pair of connections
diff --git a/flashproxy-reg-appspot b/flashproxy-reg-appspot
index ca78419..f0e4714 100755
--- a/flashproxy-reg-appspot
+++ b/flashproxy-reg-appspot
@@ -126,7 +126,10 @@ def get_external_ip():
f.close()
parser = argparse.ArgumentParser(
- description="Register with a facilitator through a Google App Engine app.")
+ usage="%(prog)s [OPTIONS] [REMOTE][:PORT]",
+ description="Register with a facilitator through a Google App Engine app. "
+ "If only the external port is given, the remote server guesses our "
+ "external address.")
# common opts
parser.add_argument("-4", help="name lookups use only IPv4.",
action="store_const", const=socket.AF_INET, dest="address_family")
diff --git a/flashproxy-reg-email b/flashproxy-reg-email
index a7e7d23..a151efd 100755
--- a/flashproxy-reg-email
+++ b/flashproxy-reg-email
@@ -63,9 +63,11 @@ def get_facilitator_pubkey():
return RSA.load_pub_key_bio(BIO.MemoryBuffer(DEFAULT_FACILITATOR_PUBKEY_PEM))
parser = argparse.ArgumentParser(
+ usage="%(prog)s [OPTIONS] [REMOTE][:PORT]",
description="Register with a flash proxy facilitator through email. Makes "
"a STARTTLS connection to an SMTP server and sends mail with a client IP "
- "address to a designated address.",
+ "address to a designated address. If only the external port is given, the "
+ "external address is guessed from the SMTP EHLO response.",
epilog="Using an SMTP server or email address other than the defaults will "
"not work unless you have made special arrangements to connect them to a "
"facilitator.")
diff --git a/flashproxy-reg-http b/flashproxy-reg-http
index 2fc0f23..a3ad246 100755
--- a/flashproxy-reg-http
+++ b/flashproxy-reg-http
@@ -38,7 +38,10 @@ def build_reg(addr, transport):
))
parser = argparse.ArgumentParser(
- description="Register with a flash proxy facilitator using an HTTP POST.")
+ usage="%(prog)s [OPTIONS] [REMOTE][:PORT]",
+ description="Register with a flash proxy facilitator using an HTTP POST. "
+ "If only the external port is given, the remote server guesses our "
+ "external address.")
# common opts
parser.add_argument("-4", help="name lookups use only IPv4.",
action="store_const", const=socket.AF_INET, dest="address_family")
diff --git a/flashproxy-reg-url b/flashproxy-reg-url
index fce6d05..e8789d5 100755
--- a/flashproxy-reg-url
+++ b/flashproxy-reg-url
@@ -38,6 +38,7 @@ def get_facilitator_pubkey():
return RSA.load_pub_key_bio(BIO.MemoryBuffer(DEFAULT_FACILITATOR_PUBKEY_PEM))
parser = argparse.ArgumentParser(
+ usage="%(prog)s [OPTIONS] REMOTE[:PORT]",
description="Print a URL, which, when retrieved, will cause the input "
"client address to be registered with the flash proxy facilitator.")
# common opts

07 Jul '14
commit 56ff2609cf9ec4f36357d92123c95922b4fbdc44
Author: Ximin Luo <infinity0(a)gmx.com>
Date: Tue Nov 19 16:12:07 2013 +0000
migrate reg methods to argparse
---
flashproxy-reg-appspot | 95 ++++++++++++--------------------
flashproxy-reg-email | 141 +++++++++++++++++++-----------------------------
flashproxy-reg-http | 87 +++++++++++-------------------
flashproxy-reg-url | 80 +++++++++++----------------
4 files changed, 151 insertions(+), 252 deletions(-)
diff --git a/flashproxy-reg-appspot b/flashproxy-reg-appspot
index 616b407..ca78419 100755
--- a/flashproxy-reg-appspot
+++ b/flashproxy-reg-appspot
@@ -1,7 +1,7 @@
#!/usr/bin/env python
"""Register with a facilitator through Google App Engine."""
-import getopt
+import argparse
import httplib
import os
import socket
@@ -19,8 +19,7 @@ except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
pass
-DEFAULT_REMOTE_ADDRESS = ""
-DEFAULT_REMOTE_PORT = 9000
+DEFAULT_REMOTE = ("", 9000)
DEFAULT_TRANSPORT = "websocket"
# The domain to which requests appear to go.
@@ -37,29 +36,6 @@ class options(object):
transport = DEFAULT_TRANSPORT
safe_logging = True
-def usage(f = sys.stdout):
- print >> f, """\
-Usage: %(progname)s [REMOTE][:PORT]
-Register with a flash proxy facilitator through a Google App Engine app.
-By default the remote address registered is "%(remote_addr)s" (the
-external IP address is guessed).
-
- -4 name lookups use only IPv4.
- -6 name lookups use only IPv6.
- --disable-pin don't check server public key against a known pin.
- --facilitator-pubkey=FILENAME
- encrypt registrations to the given PEM-formatted
- public key (default built-in).
- -h, --help show this help.
- --transport=TRANSPORT register using the given transport
- (default "%(transport)s").
- --unsafe-logging don't scrub IP addresses from logs.\
-""" % {
- "progname": sys.argv[0],
- "remote_addr": format_addr((DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)),
- "transport": DEFAULT_TRANSPORT,
-}
-
def safe_str(s):
"""Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
if options.safe_logging:
@@ -149,45 +125,44 @@ def get_external_ip():
finally:
f.close()
-opt, args = getopt.gnu_getopt(sys.argv[1:], "46h", [
- "disable-pin",
- "facilitator-pubkey=",
- "help",
- "transport=",
- "unsafe-logging",
-])
-for o, a in opt:
- if o == "-4":
- options.address_family = socket.AF_INET
- elif o == "-6":
- options.address_family = socket.AF_INET6
- elif o == "--disable-pin":
- options.use_certificate_pin = False
- elif o == "--facilitator-pubkey":
- options.facilitator_pubkey_filename = a
- elif o == "-h" or o == "--help":
- usage()
- sys.exit()
- elif o == "--transport":
- options.transport = a
- elif o == "--unsafe-logging":
- options.safe_logging = False
-
-if len(args) == 0:
- remote_addr = (DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)
-elif len(args) == 1:
- remote_addr = parse_addr_spec(args[0], DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)
-else:
- usage(sys.stderr)
- sys.exit(1)
-
-ensure_M2Crypto()
-
+parser = argparse.ArgumentParser(
+ description="Register with a facilitator through a Google App Engine app.")
+# common opts
+parser.add_argument("-4", help="name lookups use only IPv4.",
+ action="store_const", const=socket.AF_INET, dest="address_family")
+parser.add_argument("-6", help="name lookups use only IPv6.",
+ action="store_const", const=socket.AF_INET6, dest="address_family")
+parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
+ "other sensitive information from logs.", action="store_true")
+parser.add_argument("--disable-pin", help="disable all certificate pinning "
+ "checks", action="store_true",)
+parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
+ "the given PEM-formatted public key file (default built-in).",
+ metavar='FILENAME')
+parser.add_argument("--transport",
+ help="register using the given transport, default %(default)s.",
+ default=DEFAULT_TRANSPORT)
+# common args
+parser.add_argument("remote_addr",
+ help="remote to register, default %s - the external IP address is guessed."
+ % format_addr(DEFAULT_REMOTE),
+ metavar="REMOTE:PORT", default="", nargs="?",
+ type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
+
+ns = parser.parse_args(sys.argv[1:])
+options.address_family = ns.address_family or socket.AF_UNSPEC
if options.address_family != socket.AF_UNSPEC:
getaddrinfo = socket.getaddrinfo
def getaddrinfo_replacement(host, port, family, *args, **kwargs):
return getaddrinfo(host, port, options.address_family, *args, **kwargs)
socket.getaddrinfo = getaddrinfo_replacement
+options.safe_logging = not ns.unsafe_logging
+options.use_certificate_pin = not ns.disable_pin
+options.facilitator_pubkey_filename = ns.facilitator_pubkey
+options.transport = ns.transport
+remote_addr = ns.remote_addr
+
+ensure_M2Crypto()
if not remote_addr[0]:
try:
diff --git a/flashproxy-reg-email b/flashproxy-reg-email
index 7dac8cb..a7e7d23 100755
--- a/flashproxy-reg-email
+++ b/flashproxy-reg-email
@@ -1,7 +1,7 @@
#!/usr/bin/env python
"""Register with a facilitator using the email method."""
-import getopt
+import argparse
import os
import re
import smtplib
@@ -18,12 +18,10 @@ except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
pass
-DEFAULT_REMOTE_ADDRESS = ""
-DEFAULT_REMOTE_PORT = 9000
+DEFAULT_REMOTE = ("", 9000)
DEFAULT_EMAIL_ADDRESS = "flashproxyreg.a(a)gmail.com"
# dig MX gmail.com
-DEFAULT_SMTP_HOST = "gmail-smtp-in.l.google.com"
-DEFAULT_SMTP_PORT = 25
+DEFAULT_SMTP = ("gmail-smtp-in.l.google.com", 25)
DEFAULT_TRANSPORT = "websocket"
# Use this to prevent Python smtplib from guessing and leaking our hostname.
@@ -42,41 +40,6 @@ class options(object):
transport = DEFAULT_TRANSPORT
safe_logging = True
-def usage(f = sys.stdout):
- print >> f, """\
-Usage: %(progname)s [REMOTE][:PORT]
-Register with a flash proxy facilitator through email. Makes a STARTTLS
-connection to an SMTP server and sends mail with a client IP address to a
-designated address. By default the remote address registered is
-"%(remote_addr)s" (the external IP address is guessed).
-
-Using an SMTP server or email address other than the defaults will not work
-unless you have made special arrangements to connect them to a facilitator.
-
-This program requires the M2Crypto library for Python.
-
- -4 name lookups use only IPv4.
- -6 name lookups use only IPv6.
- -d, --debug enable debugging output (Python smtplib messages).
- --disable-pin don't check server public key against a known pin.
- -e, --email=ADDRESS send mail to ADDRESS (default "%(email_addr)s").
- --facilitator-pubkey=FILENAME
- encrypt registrations to the given PEM-formatted
- public key (default built-in).
- -h, --help show this help.
- -s, --smtp=HOST[:PORT] use the given SMTP server
- (default "%(smtp_addr)s").
- --transport=TRANSPORT register using the given transport
- (default "%(transport)s").
- --unsafe-logging don't scrub IP addresses from logs.\
-""" % {
- "progname": sys.argv[0],
- "remote_addr": format_addr((DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)),
- "email_addr": DEFAULT_EMAIL_ADDRESS,
- "smtp_addr": format_addr((DEFAULT_SMTP_HOST, DEFAULT_SMTP_PORT)),
- "transport": DEFAULT_TRANSPORT,
-}
-
def safe_str(s):
"""Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
if options.safe_logging:
@@ -99,57 +62,63 @@ def get_facilitator_pubkey():
else:
return RSA.load_pub_key_bio(BIO.MemoryBuffer(DEFAULT_FACILITATOR_PUBKEY_PEM))
-options.email_addr = DEFAULT_EMAIL_ADDRESS
-options.smtp_addr = (DEFAULT_SMTP_HOST, DEFAULT_SMTP_PORT)
-
-opts, args = getopt.gnu_getopt(sys.argv[1:], "46de:hs:", [
- "debug",
- "disable-pin",
- "email=",
- "facilitator-pubkey=",
- "help",
- "smtp=",
- "transport=",
- "unsafe-logging",
-])
-for o, a in opts:
- if o == "-4":
- options.address_family = socket.AF_INET
- elif o == "-6":
- options.address_family = socket.AF_INET6
- elif o == "-d" or o == "--debug":
- options.debug = True
- elif o == "--disable-pin":
- options.use_certificate_pin = False
- elif o == "-e" or o == "--email":
- options.email_addr = a
- elif o == "--facilitator-pubkey":
- options.facilitator_pubkey_filename = a
- elif o == "-h" or o == "--help":
- usage()
- sys.exit()
- elif o == "-s" or o == "--smtp":
- options.smtp_addr = parse_addr_spec(a, DEFAULT_SMTP_HOST, DEFAULT_SMTP_PORT)
- elif o == "--transport":
- options.transport = a
- elif o == "--unsafe-logging":
- options.safe_logging = False
-
-if len(args) == 0:
- options.remote_addr = (DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)
-elif len(args) == 1:
- options.remote_addr = parse_addr_spec(args[0], DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)
-else:
- usage(sys.stderr)
- sys.exit(1)
-
-ensure_M2Crypto()
-
+parser = argparse.ArgumentParser(
+ description="Register with a flash proxy facilitator through email. Makes "
+ "a STARTTLS connection to an SMTP server and sends mail with a client IP "
+ "address to a designated address.",
+ epilog="Using an SMTP server or email address other than the defaults will "
+ "not work unless you have made special arrangements to connect them to a "
+ "facilitator.")
+# common opts
+parser.add_argument("-4", help="name lookups use only IPv4.",
+ action="store_const", const=socket.AF_INET, dest="address_family")
+parser.add_argument("-6", help="name lookups use only IPv6.",
+ action="store_const", const=socket.AF_INET6, dest="address_family")
+parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
+ "other sensitive information from logs.", action="store_true")
+parser.add_argument("--disable-pin", help="disable all certificate pinning "
+ "checks", action="store_true",)
+parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
+ "the given PEM-formatted public key file (default built-in).",
+ metavar='FILENAME')
+parser.add_argument("--transport",
+ help="register using the given transport, default %(default)s.",
+ default=DEFAULT_TRANSPORT)
+# common args
+parser.add_argument("remote_addr",
+ help="remote to register, default %s - the external IP address is guessed."
+ % format_addr(DEFAULT_REMOTE),
+ metavar="REMOTE:PORT", default="", nargs="?",
+ type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
+# specific opts
+parser.add_argument("-e", "--email", metavar="ADDRESS",
+ help="send mail to ADDRESS, default %(default)s.",
+ default=DEFAULT_EMAIL_ADDRESS)
+parser.add_argument("-s", "--smtp", metavar="HOST[:PORT]",
+ help="use the given SMTP server, default %s." % format_addr(DEFAULT_SMTP),
+ default="", type=lambda x: parse_addr_spec(x, *DEFAULT_SMTP))
+parser.add_argument("-d", "--debug",
+ help="enable debugging output (Python smtplib messages).",
+ action="store_true")
+
+ns = parser.parse_args(sys.argv[1:])
+options.address_family = ns.address_family or socket.AF_UNSPEC
if options.address_family != socket.AF_UNSPEC:
getaddrinfo = socket.getaddrinfo
def getaddrinfo_replacement(host, port, family, *args, **kwargs):
return getaddrinfo(host, port, options.address_family, *args, **kwargs)
socket.getaddrinfo = getaddrinfo_replacement
+options.safe_logging = not ns.unsafe_logging
+options.use_certificate_pin = not ns.disable_pin
+options.facilitator_pubkey_filename = ns.facilitator_pubkey
+options.transport = ns.transport
+options.remote_addr = ns.remote_addr
+# specific parsing
+options.email_addr = ns.email
+options.smtp_addr = ns.smtp
+options.debug = ns.debug
+
+ensure_M2Crypto()
smtp = smtplib.SMTP(options.smtp_addr[0], options.smtp_addr[1], EHLO_FQDN)
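Review bot: The `getaddrinfo_replacement` wrapper kept under the new `ns.address_family` assignment declares `family` as a required positional, so once `-4` or `-6` is given, any caller that invokes `socket.getaddrinfo(host, port)` with only two arguments would raise a TypeError instead of performing a lookup. Giving it a default keeps the override valid for every call shape: `def getaddrinfo_replacement(host, port, family=0, *args, **kwargs):`. The library callers reached from smtplib may always pass a family, which is not visible here, so this is a robustness point rather than a confirmed failure. The same wrapper is repeated in the flashproxy-reg-http hunk below and in the flashproxy-reg-appspot section; the module-level statements continue outside this hunk.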
diff --git a/flashproxy-reg-http b/flashproxy-reg-http
index 9f85570..2fc0f23 100755
--- a/flashproxy-reg-http
+++ b/flashproxy-reg-http
@@ -1,7 +1,7 @@
#!/usr/bin/env python
"""Register with a facilitator using the HTTP method."""
-import getopt
+import argparse
import socket
import sys
import urllib
@@ -9,8 +9,7 @@ import urllib2
from flashproxy.util import parse_addr_spec, format_addr
-DEFAULT_REMOTE_ADDRESS = ""
-DEFAULT_REMOTE_PORT = 9000
+DEFAULT_REMOTE = ("", 9000)
DEFAULT_FACILITATOR_URL = "https://fp-facilitator.org/"
DEFAULT_TRANSPORT = "websocket"
@@ -22,27 +21,6 @@ class options(object):
transport = DEFAULT_TRANSPORT
safe_logging = True
-def usage(f = sys.stdout):
- print >> f, """\
-Usage: %(progname)s [REMOTE][:PORT]
-Register with a flash proxy facilitator using an HTTP POST. By default the
-remote address registered is "%(remote_addr)s".
-
- -4 name lookups use only IPv4.
- -6 name lookups use only IPv6.
- -f, --facilitator=URL register with the given facilitator
- (default "%(fac_url)s").
- -h, --help show this help.
- --transport=TRANSPORT register using the given transport
- (default "%(transport)s").
- --unsafe-logging don't scrub IP addresses from logs.\
-""" % {
- "progname": sys.argv[0],
- "fac_url": DEFAULT_FACILITATOR_URL,
- "remote_addr": format_addr((DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)),
- "transport": DEFAULT_TRANSPORT,
-}
-
def safe_str(s):
"""Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
if options.safe_logging:
@@ -59,43 +37,40 @@ def build_reg(addr, transport):
("client-transport", transport),
))
-options.facilitator_url = DEFAULT_FACILITATOR_URL
-options.remote_addr = (DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)
-
-opts, args = getopt.gnu_getopt(sys.argv[1:], "46f:h", [
- "facilitator=",
- "help",
- "transport=",
- "unsafe-logging",
-])
-for o, a in opts:
- if o == "-4":
- options.address_family = socket.AF_INET
- elif o == "-6":
- options.address_family = socket.AF_INET6
- elif o == "-f" or o == "--facilitator":
- options.facilitator_url = a
- elif o == "-h" or o == "--help":
- usage()
- sys.exit()
- elif o == "--transport":
- options.transport = a
- elif o == "--unsafe-logging":
- options.safe_logging = False
-
-if len(args) == 0:
- pass
-elif len(args) == 1:
- options.remote_addr = parse_addr_spec(args[0], DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)
-else:
- usage(sys.stderr)
- sys.exit(1)
-
+parser = argparse.ArgumentParser(
+ description="Register with a flash proxy facilitator using an HTTP POST.")
+# common opts
+parser.add_argument("-4", help="name lookups use only IPv4.",
+ action="store_const", const=socket.AF_INET, dest="address_family")
+parser.add_argument("-6", help="name lookups use only IPv6.",
+ action="store_const", const=socket.AF_INET6, dest="address_family")
+parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
+ "other sensitive information from logs.", action="store_true")
+parser.add_argument("--transport",
+ help="register using the given transport, default %(default)s.",
+ default=DEFAULT_TRANSPORT)
+# common args
+parser.add_argument("remote_addr",
+ help="remote to register, default %s - the external IP address is guessed."
+ % format_addr(DEFAULT_REMOTE),
+ metavar="REMOTE:PORT", default="", nargs="?",
+ type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
+# specific opts
+parser.add_argument("-f", "--facilitator", metavar="URL",
+ help="register with the given facilitator, default %(default)s.",
+ default=DEFAULT_FACILITATOR_URL)
+
+ns = parser.parse_args(sys.argv[1:])
+options.address_family = ns.address_family or socket.AF_UNSPEC
if options.address_family != socket.AF_UNSPEC:
getaddrinfo = socket.getaddrinfo
def getaddrinfo_replacement(host, port, family, *args, **kwargs):
return getaddrinfo(host, port, options.address_family, *args, **kwargs)
socket.getaddrinfo = getaddrinfo_replacement
+options.safe_logging = not ns.unsafe_logging
+options.transport = ns.transport
+options.remote_addr = ns.remote_addr
+options.facilitator_url = ns.facilitator
body = build_reg(options.remote_addr, options.transport)
try:
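Review bot: `--facilitator` accepts any URL, and the body posted to it comes from `build_reg`, which shows no public-key encryption in this script, so the confidentiality of the client address appears to rest entirely on the URL scheme. A check right after `parse_args` that rejects or warns on a non-https facilitator would prevent a cleartext registration, for example `if not ns.facilitator.lower().startswith("https://"): parser.error("facilitator URL must use https")`. The request code that consumes `options.facilitator_url` lies outside this hunk, so confirm that no such check already exists further down.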
diff --git a/flashproxy-reg-url b/flashproxy-reg-url
index 26109fc..fce6d05 100755
--- a/flashproxy-reg-url
+++ b/flashproxy-reg-url
@@ -1,8 +1,8 @@
#!/usr/bin/env python
"""Register with a facilitator using an indirect URL."""
+import argparse
import base64
-import getopt
import sys
import urllib
import urlparse
@@ -16,8 +16,7 @@ except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
pass
-DEFAULT_REMOTE_ADDRESS = ""
-DEFAULT_REMOTE_PORT = 9000
+DEFAULT_REMOTE = ("", 9000)
DEFAULT_FACILITATOR_URL = "https://fp-facilitator.org/"
DEFAULT_TRANSPORT = "websocket"
@@ -26,28 +25,6 @@ class options(object):
facilitator_pubkey_filename = None
transport = DEFAULT_TRANSPORT
-def usage(f = sys.stdout):
- print >> f, """\
-Usage: %(progname)s REMOTE[:PORT]
-Print a URL, which, when retrieved, will cause the client address
-REMOTE[:PORT] to be registered with the flash proxy facilitator. The
-default PORT is %(port)d.
-
- -f, --facilitator=URL register with the given facilitator
- (default "%(fac_url)s").
- --facilitator-pubkey=FILENAME
- encrypt registrations to the given PEM-formatted
- public key (default built-in).
- -h, --help show this help.
- --transport=TRANSPORT register using the given transport
- (default "%(transport)s").\
-""" % {
- "progname": sys.argv[0],
- "fac_url": DEFAULT_FACILITATOR_URL,
- "port": DEFAULT_REMOTE_PORT,
- "transport": DEFAULT_TRANSPORT,
-}
-
def build_reg(addr, transport):
return urllib.urlencode((
("client", format_addr(addr)),
@@ -60,36 +37,39 @@ def get_facilitator_pubkey():
else:
return RSA.load_pub_key_bio(BIO.MemoryBuffer(DEFAULT_FACILITATOR_PUBKEY_PEM))
-options.facilitator_url = DEFAULT_FACILITATOR_URL
+parser = argparse.ArgumentParser(
+ description="Print a URL, which, when retrieved, will cause the input "
+ "client address to be registered with the flash proxy facilitator.")
+# common opts
+parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
+ "the given PEM-formatted public key file (default built-in).",
+ metavar='FILENAME')
+parser.add_argument("--transport",
+ help="register using the given transport, default %(default)s.",
+ default=DEFAULT_TRANSPORT)
+# common args
+parser.add_argument("remote_addr",
+ help="remote to register, default %s - the external IP address is guessed."
+ % format_addr(DEFAULT_REMOTE),
+ metavar="REMOTE:PORT", default="", nargs="?",
+ type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
+# specific opts
+parser.add_argument("-f", "--facilitator", metavar="URL",
+ help="register with the given facilitator, default %(default)s.",
+ default=DEFAULT_FACILITATOR_URL)
+
+ns = parser.parse_args(sys.argv[1:])
+options.facilitator_pubkey_filename = ns.facilitator_pubkey
+options.transport = ns.transport
+remote_addr = ns.remote_addr
+options.facilitator_url = ns.facilitator
-opt, args = getopt.gnu_getopt(sys.argv[1:], "f:h", [
- "facilitator=",
- "facilitator-pubkey=",
- "help",
- "transport=",
-])
-for o, a in opt:
- if o == "-f" or o == "--facilitator":
- options.facilitator_url = a
- elif o == "--facilitator-pubkey":
- options.facilitator_pubkey_filename = a
- elif o == "-h" or o == "--help":
- usage()
- sys.exit()
- elif o == "--transport":
- options.transport = a
-
-if len(args) != 1:
- usage(sys.stderr)
- sys.exit(1)
+ensure_M2Crypto()
-remote_addr = parse_addr_spec(args[0], DEFAULT_REMOTE_ADDRESS, DEFAULT_REMOTE_PORT)
-if not remote_addr[0]:
+if not ns.remote_addr[0]:
print >> sys.stderr, "An IP address (not just a port) is required."
sys.exit(1)
-ensure_M2Crypto()
-
reg_plain = build_reg(remote_addr, options.transport)
rsa = get_facilitator_pubkey()
reg_crypt = rsa.public_encrypt(reg_plain, RSA.pkcs1_oaep_padding)
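Review bot: The `remote_addr` help text copied into this script says "the external IP address is guessed", but a few lines later the script exits with "An IP address (not just a port) is required." when the host part is empty, so the help is wrong for flashproxy-reg-url. The positional is also declared with `nargs="?"` and `default=""`, which makes `--help` present it as optional although the removed code demanded exactly one argument. I would reword it as `help="remote to register; an IP address is required, default port %d." % DEFAULT_REMOTE[1]` and drop `nargs="?"` and `default=""` for this script. The check itself reads `ns.remote_addr[0]` while the following lines use the `remote_addr` alias; using one name throughout would read more clearly.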

[flashproxy/master] move common functionality and command-line options into flashproxy-common
by infinity0@torproject.org 07 Jul '14
07 Jul '14
commit badb39f9c13497a7887bac4ac24210ec12be9e39
Author: Ximin Luo <infinity0(a)torproject.org>
Date: Thu Feb 13 16:45:09 2014 +0000
move common functionality and command-line options into flashproxy-common
- move keys.DEFAULT_FACILITATOR_PUBKEY_PEM into new reg module to be with other default-facilitator data
---
flashproxy-client | 37 +++--------------
flashproxy-reg-appspot | 97 ++++++---------------------------------------
flashproxy-reg-email | 103 +++++++-----------------------------------------
flashproxy-reg-http | 69 ++++----------------------------
flashproxy-reg-url | 65 ++++--------------------------
flashproxy/keys.py | 47 ++++++++++++++--------
flashproxy/reg.py | 59 ++++++++++++++++++++++++++-
flashproxy/util.py | 38 ++++++++++++++++++
8 files changed, 177 insertions(+), 338 deletions(-)
diff --git a/flashproxy-client b/flashproxy-client
index 9e198a4..b69d1bf 100755
--- a/flashproxy-client
+++ b/flashproxy-client
@@ -8,6 +8,7 @@ import BaseHTTPServer
import array
import base64
import cStringIO
+import flashproxy
import os
import os.path
import select
@@ -19,7 +20,8 @@ import threading
import time
import traceback
-from flashproxy.util import parse_addr_spec, addr_family, format_addr
+from flashproxy.util import parse_addr_spec, addr_family, format_addr, safe_str, safe_format_addr
+from flashproxy.reg import DEFAULT_TRANSPORT
from hashlib import sha1
@@ -35,7 +37,6 @@ DEFAULT_LOCAL_PORT_EXTERNAL = 9001
DEFAULT_REMOTE_PORT = 9000
DEFAULT_REGISTER_METHODS = ["appspot", "email", "http"]
DEFAULT_PORT_FORWARDING_HELPER = "tor-fw-helper"
-DEFAULT_TRANSPORT = "websocket"
# We will re-register if we have fewer than this many waiting proxies. The
# facilitator may choose to ignore our requests.
@@ -71,22 +72,12 @@ class options(object):
facilitator_url = None
facilitator_pubkey_filename = None
-def safe_str(s):
- """Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
- if options.safe_logging:
- return "[scrubbed]"
- else:
- return s
-
log_lock = threading.Lock()
def log(msg):
with log_lock:
print >> options.log_file, (u"%s %s" % (time.strftime(LOG_DATE_FORMAT), msg)).encode("UTF-8")
options.log_file.flush()
-def safe_format_addr(addr):
- return safe_str(format_addr(addr))
-
def format_sockaddr(sockaddr):
host, port = socket.getnameinfo(sockaddr, socket.NI_NUMERICHOST | socket.NI_NUMERICSERV)
port = int(port)
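Review bot: With the local `safe_str` and `safe_format_addr` removed here, scrubbing of addresses in this client's log output depends on state held by `flashproxy.util`, while the script still assigns its own `options.safe_logging` in the option-parsing hunk further down. If the imported `safe_str` does not read that attribute, the two flags can disagree; flashproxy/util.py is not shown in this part of the diff, so this needs confirming. A comment at the import would document the indirection, `# safe_str uses flashproxy.util's own logging flag, set via add_module_opts`. It is also worth checking that the library default is to scrub when no option has been parsed.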
@@ -1036,19 +1027,8 @@ The -4, -6, --unsafe-logging, --transport and --facilitator-pubkey options are
propagated to the child registration helpers. For backwards compatilibility,
the --facilitator option is also propagated to the http registration helper.
If you need to pass more options, use TODO #9976.""")
- # common opts
- parser.add_argument("-4", help="name lookups use only IPv4.",
- action="store_const", const=socket.AF_INET, dest="address_family")
- parser.add_argument("-6", help="name lookups use only IPv6.",
- action="store_const", const=socket.AF_INET6, dest="address_family")
- parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
- "other sensitive information from logs.", action="store_true")
- parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
- "the given PEM-formatted public key file (default built-in).",
- metavar='FILENAME')
- parser.add_argument("--transport",
- help="register using the given transport, default %(default)s.",
- default=DEFAULT_TRANSPORT)
+ flashproxy.util.add_module_opts(parser)
+ flashproxy.reg.add_module_opts(parser)
parser.add_argument("-f", "--facilitator", metavar="URL",
help="register with the facilitator at this URL, default %(default)s. "
"This is passed to the http registration ONLY.")
@@ -1090,12 +1070,7 @@ If you need to pass more options, use TODO #9976.""")
ns = parser.parse_args(sys.argv[1:])
# set registration options
- options.address_family = ns.address_family or socket.AF_UNSPEC
- if options.address_family != socket.AF_UNSPEC:
- getaddrinfo = socket.getaddrinfo
- def getaddrinfo_replacement(host, port, family, *args, **kwargs):
- return getaddrinfo(host, port, options.address_family, *args, **kwargs)
- socket.getaddrinfo = getaddrinfo_replacement
+ options.address_family = ns.address_family
options.transport = ns.transport
options.safe_logging = not ns.unsafe_logging
options.facilitator_url = ns.facilitator
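Review bot: `options.address_family = ns.address_family` drops the `or socket.AF_UNSPEC` fallback, so the attribute becomes None rather than `socket.AF_UNSPEC` when neither `-4` nor `-6` is given, assuming the shared options still use `store_const` without a default as the removed block did. Any later comparison against `socket.AF_UNSPEC`, or code that forwards the value to the registration helpers, would then see None; that code is outside this hunk. Keeping `options.address_family = ns.address_family or socket.AF_UNSPEC` preserves the old contract unless `flashproxy.util.add_module_opts` already supplies that default. The enclosing function starts and ends outside the hunk.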
diff --git a/flashproxy-reg-appspot b/flashproxy-reg-appspot
index f0e4714..42aef97 100755
--- a/flashproxy-reg-appspot
+++ b/flashproxy-reg-appspot
@@ -2,16 +2,16 @@
"""Register with a facilitator through Google App Engine."""
import argparse
+import flashproxy
import httplib
-import os
import socket
-import subprocess
import sys
import urlparse
import urllib2
from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, ensure_M2Crypto, temp_cert
-from flashproxy.util import parse_addr_spec, format_addr
+from flashproxy.reg import build_reg_b64enc
+from flashproxy.util import parse_addr_spec, safe_str, safe_format_addr
try:
from M2Crypto import SSL
@@ -19,54 +19,11 @@ except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
pass
-DEFAULT_REMOTE = ("", 9000)
-DEFAULT_TRANSPORT = "websocket"
-
# The domain to which requests appear to go.
FRONT_DOMAIN = "www.google.com"
# The value of the Host header within requests.
TARGET_DOMAIN = "fp-reg-a.appspot.com"
-FLASHPROXY_REG_URL = "flashproxy-reg-url"
-
-class options(object):
- address_family = socket.AF_UNSPEC
- use_certificate_pin = True
- facilitator_pubkey_filename = None
- transport = DEFAULT_TRANSPORT
- safe_logging = True
-
-def safe_str(s):
- """Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
- if options.safe_logging:
- return "[scrubbed]"
- else:
- return s
-
-def safe_format_addr(addr):
- return safe_str(format_addr(addr))
-
-def generate_url(addr):
- if getattr(sys, "frozen", False):
- script_dir = os.path.dirname(sys.executable)
- else:
- script_dir = sys.path[0]
- if not script_dir:
- # Maybe the script was read from stdin; in any case don't guess at the directory.
- raise ValueError("Can't find executable directory for registration helpers")
- command = [os.path.join(script_dir, FLASHPROXY_REG_URL)]
- command += ["-f", urlparse.urlunparse(("https", FRONT_DOMAIN, "/", "", "", ""))]
- if options.transport is not None:
- command += ["--transport", options.transport]
- if options.facilitator_pubkey_filename is not None:
- command += ["--facilitator-pubkey", options.facilitator_pubkey_filename]
- command.append(format_addr(addr))
- p = subprocess.Popen(command, stdout=subprocess.PIPE)
- stdout, stderr = p.communicate()
- if p.returncode != 0:
- raise ValueError("%s exited with status %d" % (FLASHPROXY_REG_URL, p.returncode))
- return stdout.strip()
-
# Like socket.create_connection in that it tries resolving different address
# families, but doesn't connect the socket.
def create_socket(address, timeout = None):
@@ -105,8 +62,7 @@ class PinHTTPSConnection(httplib.HTTPSConnection):
self.sock = SSL.Connection(ctx, sock)
self.sock.connect((self.host, self.port))
- if options.use_certificate_pin:
- check_certificate_pin(self.sock, PIN_GOOGLE_PUBKEY_SHA1)
+ check_certificate_pin(self.sock, PIN_GOOGLE_PUBKEY_SHA1)
class PinHTTPSHandler(urllib2.HTTPSHandler):
def https_open(self, req):
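Review bot: `check_certificate_pin` is now called unconditionally in `PinHTTPSConnection.connect`, so whether `--disable-pin` is honoured, and whether pinning stays enforced when the option was never parsed, is decided inside flashproxy/keys.py, which is not shown in this part of the diff. The default there should fail closed, with the pin checked unless the flag was given explicitly. A comment above the call would make the indirection visible to the next reader: `# pin enforcement is toggled by --disable-pin via flashproxy.keys.add_module_opts`. The same change is made to the `smtp.sock` check in the flashproxy-reg-email hunk at `@@ -149,8 +80,7 @@`; the method body here starts outside the hunk.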
@@ -130,40 +86,12 @@ parser = argparse.ArgumentParser(
description="Register with a facilitator through a Google App Engine app. "
"If only the external port is given, the remote server guesses our "
"external address.")
-# common opts
-parser.add_argument("-4", help="name lookups use only IPv4.",
- action="store_const", const=socket.AF_INET, dest="address_family")
-parser.add_argument("-6", help="name lookups use only IPv6.",
- action="store_const", const=socket.AF_INET6, dest="address_family")
-parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
- "other sensitive information from logs.", action="store_true")
-parser.add_argument("--disable-pin", help="disable all certificate pinning "
- "checks", action="store_true",)
-parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
- "the given PEM-formatted public key file (default built-in).",
- metavar='FILENAME')
-parser.add_argument("--transport",
- help="register using the given transport, default %(default)s.",
- default=DEFAULT_TRANSPORT)
-# common args
-parser.add_argument("remote_addr",
- help="remote to register, default %s - the external IP address is guessed."
- % format_addr(DEFAULT_REMOTE),
- metavar="REMOTE:PORT", default="", nargs="?",
- type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
-
-ns = parser.parse_args(sys.argv[1:])
-options.address_family = ns.address_family or socket.AF_UNSPEC
-if options.address_family != socket.AF_UNSPEC:
- getaddrinfo = socket.getaddrinfo
- def getaddrinfo_replacement(host, port, family, *args, **kwargs):
- return getaddrinfo(host, port, options.address_family, *args, **kwargs)
- socket.getaddrinfo = getaddrinfo_replacement
-options.safe_logging = not ns.unsafe_logging
-options.use_certificate_pin = not ns.disable_pin
-options.facilitator_pubkey_filename = ns.facilitator_pubkey
-options.transport = ns.transport
-remote_addr = ns.remote_addr
+flashproxy.util.add_module_opts(parser)
+flashproxy.keys.add_module_opts(parser)
+flashproxy.reg.add_registration_args(parser)
+
+options = parser.parse_args(sys.argv[1:])
+remote_addr = options.remote_addr
ensure_M2Crypto()
@@ -186,9 +114,10 @@ if not remote_addr[0]:
sys.exit(1)
try:
- url = generate_url(remote_addr)
+ reg = build_reg_b64enc(remote_addr, options.transport, urlsafe=True)
+ url = urlparse.urljoin(urlparse.urlunparse(("https", FRONT_DOMAIN, "/", "", "", "")), "reg/" + reg)
except Exception, e:
- print >> sys.stderr, "Error running %s: %s" % (FLASHPROXY_REG_URL, str(e))
+ print >> sys.stderr, "Error generating URL: %s" % str(e)
sys.exit(1)
try:
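Review bot: `build_reg_b64enc(remote_addr, options.transport, urlsafe=True)` takes no key argument, whereas the removed `generate_url` forwarded `--facilitator-pubkey` explicitly to the helper, so the choice of encryption key is now implicit. Presumably the helper reads the key from `flashproxy.reg` state filled in during option parsing; flashproxy/reg.py is not visible here, so that is an assumption to confirm. I would add a comment above the call, `# encrypts to the key selected by --facilitator-pubkey (flashproxy.reg), else the built-in default`. A test that a custom key file still changes the output would also guard against the option being silently ignored.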
diff --git a/flashproxy-reg-email b/flashproxy-reg-email
index a151efd..ddfc9fa 100755
--- a/flashproxy-reg-email
+++ b/flashproxy-reg-email
@@ -2,66 +2,30 @@
"""Register with a facilitator using the email method."""
import argparse
+import flashproxy
import os
import re
import smtplib
-import socket
import sys
-import urllib
-from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, DEFAULT_FACILITATOR_PUBKEY_PEM, check_certificate_pin, ensure_M2Crypto, temp_cert
-from flashproxy.util import parse_addr_spec, format_addr
+from flashproxy.keys import PIN_GOOGLE_CA_CERT, PIN_GOOGLE_PUBKEY_SHA1, check_certificate_pin, ensure_M2Crypto, temp_cert
+from flashproxy.reg import build_reg_b64enc
+from flashproxy.util import parse_addr_spec, format_addr, safe_format_addr
try:
- from M2Crypto import BIO, RSA, SSL
+ from M2Crypto import SSL
except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
pass
-DEFAULT_REMOTE = ("", 9000)
DEFAULT_EMAIL_ADDRESS = "flashproxyreg.a(a)gmail.com"
# dig MX gmail.com
DEFAULT_SMTP = ("gmail-smtp-in.l.google.com", 25)
-DEFAULT_TRANSPORT = "websocket"
# Use this to prevent Python smtplib from guessing and leaking our hostname.
EHLO_FQDN = "[127.0.0.1]"
FROM_EMAIL_ADDRESS = "nobody@localhost"
-class options(object):
- remote_addr = None
-
- address_family = socket.AF_UNSPEC
- debug = False
- use_certificate_pin = True
- email_addr = None
- facilitator_pubkey_filename = None
- smtp_addr = None
- transport = DEFAULT_TRANSPORT
- safe_logging = True
-
-def safe_str(s):
- """Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
- if options.safe_logging:
- return "[scrubbed]"
- else:
- return s
-
-def safe_format_addr(addr):
- return safe_str(format_addr(addr))
-
-def build_reg(addr, transport):
- return urllib.urlencode((
- ("client", format_addr(addr)),
- ("client-transport", transport),
- ))
-
-def get_facilitator_pubkey():
- if options.facilitator_pubkey_filename is not None:
- return RSA.load_pub_key(options.facilitator_pubkey_filename)
- else:
- return RSA.load_pub_key_bio(BIO.MemoryBuffer(DEFAULT_FACILITATOR_PUBKEY_PEM))
-
parser = argparse.ArgumentParser(
usage="%(prog)s [OPTIONS] [REMOTE][:PORT]",
description="Register with a flash proxy facilitator through email. Makes "
@@ -71,27 +35,9 @@ parser = argparse.ArgumentParser(
epilog="Using an SMTP server or email address other than the defaults will "
"not work unless you have made special arrangements to connect them to a "
"facilitator.")
-# common opts
-parser.add_argument("-4", help="name lookups use only IPv4.",
- action="store_const", const=socket.AF_INET, dest="address_family")
-parser.add_argument("-6", help="name lookups use only IPv6.",
- action="store_const", const=socket.AF_INET6, dest="address_family")
-parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
- "other sensitive information from logs.", action="store_true")
-parser.add_argument("--disable-pin", help="disable all certificate pinning "
- "checks", action="store_true",)
-parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
- "the given PEM-formatted public key file (default built-in).",
- metavar='FILENAME')
-parser.add_argument("--transport",
- help="register using the given transport, default %(default)s.",
- default=DEFAULT_TRANSPORT)
-# common args
-parser.add_argument("remote_addr",
- help="remote to register, default %s - the external IP address is guessed."
- % format_addr(DEFAULT_REMOTE),
- metavar="REMOTE:PORT", default="", nargs="?",
- type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
+flashproxy.util.add_module_opts(parser)
+flashproxy.keys.add_module_opts(parser)
+flashproxy.reg.add_registration_args(parser)
# specific opts
parser.add_argument("-e", "--email", metavar="ADDRESS",
help="send mail to ADDRESS, default %(default)s.",
@@ -103,26 +49,11 @@ parser.add_argument("-d", "--debug",
help="enable debugging output (Python smtplib messages).",
action="store_true")
-ns = parser.parse_args(sys.argv[1:])
-options.address_family = ns.address_family or socket.AF_UNSPEC
-if options.address_family != socket.AF_UNSPEC:
- getaddrinfo = socket.getaddrinfo
- def getaddrinfo_replacement(host, port, family, *args, **kwargs):
- return getaddrinfo(host, port, options.address_family, *args, **kwargs)
- socket.getaddrinfo = getaddrinfo_replacement
-options.safe_logging = not ns.unsafe_logging
-options.use_certificate_pin = not ns.disable_pin
-options.facilitator_pubkey_filename = ns.facilitator_pubkey
-options.transport = ns.transport
-options.remote_addr = ns.remote_addr
-# specific parsing
-options.email_addr = ns.email
-options.smtp_addr = ns.smtp
-options.debug = ns.debug
+options = parser.parse_args(sys.argv[1:])
ensure_M2Crypto()
-smtp = smtplib.SMTP(options.smtp_addr[0], options.smtp_addr[1], EHLO_FQDN)
+smtp = smtplib.SMTP(options.smtp[0], options.smtp[1], EHLO_FQDN)
if options.debug:
smtp.set_debuglevel(1)
@@ -149,8 +80,7 @@ try:
smtp.sock.connect_ssl()
smtp.file = smtp.sock.makefile()
- if options.use_certificate_pin:
- check_certificate_pin(smtp.sock, PIN_GOOGLE_PUBKEY_SHA1)
+ check_certificate_pin(smtp.sock, PIN_GOOGLE_PUBKEY_SHA1)
smtp.ehlo(EHLO_FQDN)
if not options.remote_addr[0]:
@@ -164,21 +94,18 @@ try:
spec = "[" + spec + "]"
options.remote_addr = parse_addr_spec(spec, *options.remote_addr)
- body_plain = build_reg(options.remote_addr, options.transport)
- rsa = get_facilitator_pubkey()
- body_crypt = rsa.public_encrypt(body_plain, RSA.pkcs1_oaep_padding)
- body = body_crypt.encode("base64")
+ body = build_reg_b64enc(options.remote_addr, options.transport)
# Add a random subject to keep Gmail from threading everything.
rand_string = os.urandom(5).encode("hex")
- smtp.sendmail(options.email_addr, options.email_addr, """\
+ smtp.sendmail(options.email, options.email, """\
To: %(to_addr)s\r
From: %(from_addr)s\r
Subject: client reg %(rand_string)s\r
\r
%(body)s
""" % {
- "to_addr": options.email_addr,
+ "to_addr": options.email,
"from_addr": FROM_EMAIL_ADDRESS,
"rand_string": rand_string,
"body": body,
@@ -188,4 +115,4 @@ except Exception, e:
print >> sys.stderr, "Failed to register: %s" % str(e)
sys.exit(1)
-print "Registered \"%s\" with %s." % (safe_format_addr(options.remote_addr), options.email_addr)
+print "Registered \"%s\" with %s." % (safe_format_addr(options.remote_addr), options.email)
diff --git a/flashproxy-reg-http b/flashproxy-reg-http
index a3ad246..debd2d1 100755
--- a/flashproxy-reg-http
+++ b/flashproxy-reg-http
@@ -2,82 +2,29 @@
"""Register with a facilitator using the HTTP method."""
import argparse
-import socket
+import flashproxy
import sys
-import urllib
import urllib2
-from flashproxy.util import parse_addr_spec, format_addr
-
-DEFAULT_REMOTE = ("", 9000)
-DEFAULT_FACILITATOR_URL = "https://fp-facilitator.org/"
-DEFAULT_TRANSPORT = "websocket"
-
-class options(object):
- remote_addr = None
-
- address_family = socket.AF_UNSPEC
- facilitator_url = None
- transport = DEFAULT_TRANSPORT
- safe_logging = True
-
-def safe_str(s):
- """Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
- if options.safe_logging:
- return "[scrubbed]"
- else:
- return s
-
-def safe_format_addr(addr):
- return safe_str(format_addr(addr))
-
-def build_reg(addr, transport):
- return urllib.urlencode((
- ("client", format_addr(addr)),
- ("client-transport", transport),
- ))
+from flashproxy.util import safe_format_addr
+from flashproxy.reg import DEFAULT_FACILITATOR_URL, build_reg
parser = argparse.ArgumentParser(
usage="%(prog)s [OPTIONS] [REMOTE][:PORT]",
description="Register with a flash proxy facilitator using an HTTP POST. "
"If only the external port is given, the remote server guesses our "
"external address.")
-# common opts
-parser.add_argument("-4", help="name lookups use only IPv4.",
- action="store_const", const=socket.AF_INET, dest="address_family")
-parser.add_argument("-6", help="name lookups use only IPv6.",
- action="store_const", const=socket.AF_INET6, dest="address_family")
-parser.add_argument("--unsafe-logging", help="don't scrub IP addresses and "
- "other sensitive information from logs.", action="store_true")
-parser.add_argument("--transport",
- help="register using the given transport, default %(default)s.",
- default=DEFAULT_TRANSPORT)
-# common args
-parser.add_argument("remote_addr",
- help="remote to register, default %s - the external IP address is guessed."
- % format_addr(DEFAULT_REMOTE),
- metavar="REMOTE:PORT", default="", nargs="?",
- type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
-# specific opts
+flashproxy.util.add_module_opts(parser)
+flashproxy.reg.add_registration_args(parser, ignore_pubkey=True)
parser.add_argument("-f", "--facilitator", metavar="URL",
help="register with the given facilitator, default %(default)s.",
default=DEFAULT_FACILITATOR_URL)
-ns = parser.parse_args(sys.argv[1:])
-options.address_family = ns.address_family or socket.AF_UNSPEC
-if options.address_family != socket.AF_UNSPEC:
- getaddrinfo = socket.getaddrinfo
- def getaddrinfo_replacement(host, port, family, *args, **kwargs):
- return getaddrinfo(host, port, options.address_family, *args, **kwargs)
- socket.getaddrinfo = getaddrinfo_replacement
-options.safe_logging = not ns.unsafe_logging
-options.transport = ns.transport
-options.remote_addr = ns.remote_addr
-options.facilitator_url = ns.facilitator
+options = parser.parse_args(sys.argv[1:])
body = build_reg(options.remote_addr, options.transport)
try:
- http = urllib2.urlopen(options.facilitator_url, body, 10)
+ http = urllib2.urlopen(options.facilitator, body, 10)
except urllib2.HTTPError, e:
print >> sys.stderr, "Status code was %d, not 200" % e.code
sys.exit(1)
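Review bot: The body passed to `urllib2.urlopen(options.facilitator, body, 10)` is the plain urlencoded output of `build_reg`, so its confidentiality rests entirely on the transport, yet nothing in this script checks that `-f` names an https URL. urllib2 on Python releases before 2.7.9 also does not validate server certificates, so on those interpreters the client address in the body may be readable or alterable on the path even with https. A cheap guard after `parse_args` is `if not options.facilitator.startswith("https://"): parser.error("facilitator URL must use https")`. A comment on the `urlopen` line should state what certificate checking the call does and does not provide. The `try` block continues past the end of this hunk.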
@@ -89,4 +36,4 @@ except Exception, e:
sys.exit(1)
http.close()
-print "Registered \"%s\" with %s." % (safe_format_addr(options.remote_addr), options.facilitator_url)
+print "Registered \"%s\" with %s." % (safe_format_addr(options.remote_addr), options.facilitator)
diff --git a/flashproxy-reg-url b/flashproxy-reg-url
index e8789d5..e73b035 100755
--- a/flashproxy-reg-url
+++ b/flashproxy-reg-url
@@ -2,78 +2,29 @@
"""Register with a facilitator using an indirect URL."""
import argparse
-import base64
+import flashproxy
import sys
-import urllib
import urlparse
-from flashproxy.keys import DEFAULT_FACILITATOR_PUBKEY_PEM, ensure_M2Crypto
-from flashproxy.util import parse_addr_spec, format_addr
-
-try:
- from M2Crypto import BIO, RSA
-except ImportError:
- # Defer the error reporting so that --help works even without M2Crypto.
- pass
-
-DEFAULT_REMOTE = ("", 9000)
-DEFAULT_FACILITATOR_URL = "https://fp-facilitator.org/"
-DEFAULT_TRANSPORT = "websocket"
-
-class options(object):
- facilitator_url = None
- facilitator_pubkey_filename = None
- transport = DEFAULT_TRANSPORT
-
-def build_reg(addr, transport):
- return urllib.urlencode((
- ("client", format_addr(addr)),
- ("client-transport", transport),
- ))
-
-def get_facilitator_pubkey():
- if options.facilitator_pubkey_filename is not None:
- return RSA.load_pub_key(options.facilitator_pubkey_filename)
- else:
- return RSA.load_pub_key_bio(BIO.MemoryBuffer(DEFAULT_FACILITATOR_PUBKEY_PEM))
+from flashproxy.keys import ensure_M2Crypto
+from flashproxy.reg import DEFAULT_FACILITATOR_URL, build_reg_b64enc
parser = argparse.ArgumentParser(
usage="%(prog)s [OPTIONS] REMOTE[:PORT]",
description="Print a URL, which, when retrieved, will cause the input "
"client address to be registered with the flash proxy facilitator.")
-# common opts
-parser.add_argument("--facilitator-pubkey", help="encrypt registrations to "
- "the given PEM-formatted public key file (default built-in).",
- metavar='FILENAME')
-parser.add_argument("--transport",
- help="register using the given transport, default %(default)s.",
- default=DEFAULT_TRANSPORT)
-# common args
-parser.add_argument("remote_addr",
- help="remote to register, default %s - the external IP address is guessed."
- % format_addr(DEFAULT_REMOTE),
- metavar="REMOTE:PORT", default="", nargs="?",
- type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
-# specific opts
+flashproxy.reg.add_registration_args(parser)
parser.add_argument("-f", "--facilitator", metavar="URL",
help="register with the given facilitator, default %(default)s.",
default=DEFAULT_FACILITATOR_URL)
-ns = parser.parse_args(sys.argv[1:])
-options.facilitator_pubkey_filename = ns.facilitator_pubkey
-options.transport = ns.transport
-remote_addr = ns.remote_addr
-options.facilitator_url = ns.facilitator
+options = parser.parse_args(sys.argv[1:])
ensure_M2Crypto()
-if not ns.remote_addr[0]:
+if not options.remote_addr[0]:
print >> sys.stderr, "An IP address (not just a port) is required."
sys.exit(1)
-reg_plain = build_reg(remote_addr, options.transport)
-rsa = get_facilitator_pubkey()
-reg_crypt = rsa.public_encrypt(reg_plain, RSA.pkcs1_oaep_padding)
-reg = base64.urlsafe_b64encode(reg_crypt)
-
-print urlparse.urljoin(options.facilitator_url, "reg/" + reg)
+reg = build_reg_b64enc(options.remote_addr, options.transport, urlsafe=True)
+print urlparse.urljoin(options.facilitator, "reg/" + reg)
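Review bot: `flashproxy.reg.add_registration_args(parser)` resolves only because the later `from flashproxy.reg import ...` line loads the submodule; `import flashproxy` by itself does not bind `flashproxy.reg` unless the package `__init__` imports it, which is not visible here. Writing `import flashproxy.reg` makes the dependency explicit and survives reordering of the import lines. flashproxy-reg-http uses the same pattern for `flashproxy.util` and `flashproxy.reg`. The shared `remote_addr` help text also advertises a default, while this script exits when the host part is empty, so a comment above the `if not options.remote_addr[0]:` check should say that the address is mandatory here.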
diff --git a/flashproxy/keys.py b/flashproxy/keys.py
index 1365f07..8c60dc0 100644
--- a/flashproxy/keys.py
+++ b/flashproxy/keys.py
@@ -1,15 +1,32 @@
+import base64
import errno
import os
+import sys
import tempfile
from hashlib import sha1
try:
import M2Crypto
+ from M2Crypto import BIO, RSA
except ImportError:
# Defer the error so that the main program gets a chance to print help text
M2Crypto = None
+class options(object):
+ disable_pin = True
+
+def add_module_opts(parser):
+ parser.add_argument("--disable-pin", help="disable all certificate pinning "
+ "checks", action="store_true",)
+
+ old_parse = parser.parse_args
+ def parse_args(namespace):
+ options.disable_pin = namespace.disable_pin
+ return namespace
+ parser.parse_args = lambda *a, **kw: parse_args(old_parse(*a, **kw))
+
+
# We trust no other CA certificate than this.
#
# To find the certificate to copy here,
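Review bot: `class options` starts with `disable_pin = True`, so certificate pinning is off until the wrapped `parser.parse_args` installed by `add_module_opts` has run. Any script that calls `check_certificate_pin` without registering the option, or that parses with `parse_known_args`, hits the early return `if options.disable_pin: return` added in the next hunk and skips the check silently. The default should fail closed: `disable_pin = False`. Whether every caller registers these options is not visible from this hunk; flashproxy-reg-email, for one, now calls `check_certificate_pin` unconditionally. A one-line message on stderr when the pin is skipped would also make `--disable-pin` runs distinguishable afterwards.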
@@ -49,23 +66,8 @@ PIN_GOOGLE_PUBKEY_SHA1 = (
"\x43\xda\xd6\x30\xee\x53\xf8\xa9\x80\xca\x6e\xfd\x85\xf4\x6a\xa3\x79\x90\xe0\xea",
)
-# Registrations are encrypted with this public key before being emailed. Only
-# the facilitator operators should have the corresponding private key. Given a
-# private key in reg-email, get the public key like this:
-# openssl rsa -pubout < reg-email > reg-email.pub
-DEFAULT_FACILITATOR_PUBKEY_PEM = """\
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA44Mt8c599/4N2fgu6ppN
-oatPW1GOgZxxObljFtEy0OWM1eHB35OOn+Kn9MxNHTRxVWwCEi0HYxWNVs2qrXxV
-84LmWBz6A65d2qBlgltgLXusiXLrpwxVmJeO+GfmbF8ur0U9JSYxA20cGW/kujNg
-XYDGQxO1Gvxq2lHK2LQmBpkfKEE1DMFASmIvlHDQgDj3XBb5lYeOsHZmg16UrGAq
-1UH238hgJITPGLXBtwLtJkYbrATJvrEcmvI7QSm57SgYGpaB5ZdCbJL5bag5Pgt6
-M5SDDYYY4xxEPzokjFJfCQv+kcyAnzERNMQ9kR41ePTXG62bpngK5iWGeJ5XdkxG
-gwIDAQAB
------END PUBLIC KEY-----
-"""
-
def check_certificate_pin(sock, cert_pubkey):
+ if options.disable_pin: return
found = []
for cert in sock.get_peer_cert_chain():
pubkey_der = cert.get_pubkey().as_der()
@@ -105,6 +107,19 @@ class temp_cert(object):
def __exit__(self, type, value, traceback):
os.unlink(self.path)
+def get_pubkey(defaultkeybytes, overridefn=None):
+ if overridefn is not None:
+ return RSA.load_pub_key(overridefn)
+ else:
+ return RSA.load_pub_key_bio(BIO.MemoryBuffer(defaultkeybytes))
+
+def pubkey_b64enc(plaintext, pubkey, urlsafe=False):
+ ciphertext = pubkey.public_encrypt(plaintext, RSA.pkcs1_oaep_padding)
+ if urlsafe:
+ return base64.urlsafe_b64encode(ciphertext)
+ else:
+ return ciphertext.encode("base64")
+
def ensure_M2Crypto():
if M2Crypto is None:
print >> sys.stderr, """\
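Review bot: `get_pubkey` and `pubkey_b64enc` are added without docstrings, and three things a caller needs to know are not written down. `BIO` and `RSA` are bound only when the M2Crypto import succeeded, so both functions fail with a NameError unless `ensure_M2Crypto()` ran first. The non-urlsafe branch returns `ciphertext.encode("base64")`, which is line-wrapped and newline-terminated, while the urlsafe branch returns a single line. OAEP also limits the plaintext to less than the key size, so an over-long registration string presumably makes `public_encrypt` raise rather than truncate. A docstring such as `"""Encrypt plaintext to pubkey with RSA-OAEP and return it base64-encoded; call ensure_M2Crypto() first."""` plus a line on the length limit would cover it. `ensure_M2Crypto` continues outside the hunk.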
diff --git a/flashproxy/reg.py b/flashproxy/reg.py
index 0551f06..bc292dc 100644
--- a/flashproxy/reg.py
+++ b/flashproxy/reg.py
@@ -1,6 +1,63 @@
+import urllib
from collections import namedtuple
-from flashproxy.util import parse_addr_spec
+from flashproxy.keys import get_pubkey, pubkey_b64enc
+from flashproxy.util import parse_addr_spec, format_addr
+
+DEFAULT_REMOTE = ("", 9000)
+DEFAULT_FACILITATOR_URL = "https://fp-facilitator.org/"
+DEFAULT_TRANSPORT = "websocket"
+# Default facilitator pubkey owned by the operator of DEFAULT_FACILITATOR_URL
+DEFAULT_FACILITATOR_PUBKEY_PEM = """\
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA44Mt8c599/4N2fgu6ppN
+oatPW1GOgZxxObljFtEy0OWM1eHB35OOn+Kn9MxNHTRxVWwCEi0HYxWNVs2qrXxV
+84LmWBz6A65d2qBlgltgLXusiXLrpwxVmJeO+GfmbF8ur0U9JSYxA20cGW/kujNg
+XYDGQxO1Gvxq2lHK2LQmBpkfKEE1DMFASmIvlHDQgDj3XBb5lYeOsHZmg16UrGAq
+1UH238hgJITPGLXBtwLtJkYbrATJvrEcmvI7QSm57SgYGpaB5ZdCbJL5bag5Pgt6
+M5SDDYYY4xxEPzokjFJfCQv+kcyAnzERNMQ9kR41ePTXG62bpngK5iWGeJ5XdkxG
+gwIDAQAB
+-----END PUBLIC KEY-----
+"""
+_OPTION_IGNORED = "ignored; for compatibility with other methods"
+
+class options(object):
+ transport = DEFAULT_TRANSPORT
+ facilitator_pubkey = None
+
+def add_module_opts(parser, ignore_pubkey=False):
+ parser.add_argument("--transport", metavar="TRANSPORT",
+ help="register using the given transport, default %(default)s.",
+ default=DEFAULT_TRANSPORT)
+ parser.add_argument("--facilitator-pubkey", metavar="FILENAME",
+ help=(_OPTION_IGNORED if ignore_pubkey else "encrypt registrations to "
+ "the given PEM-formatted public key file (default built-in)."))
+
+ old_parse = parser.parse_args
+ def parse_args(namespace):
+ options.transport = namespace.transport
+ options.facilitator_pubkey = namespace.facilitator_pubkey
+ return namespace
+ parser.parse_args = lambda *a, **kw: parse_args(old_parse(*a, **kw))
+
+def add_registration_args(parser, **kwargs):
+ add_module_opts(parser, **kwargs)
+ parser.add_argument("remote_addr", metavar="ADDR:PORT",
+ help="external addr+port to register, default %s" %
+ format_addr(DEFAULT_REMOTE), default="", nargs="?",
+ type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
+
+
+def build_reg(addr, transport):
+ return urllib.urlencode((
+ ("client", format_addr(addr)),
+ ("client-transport", transport),
+ ))
+
+def build_reg_b64enc(addr, transport, urlsafe=False):
+ pubkey = get_pubkey(DEFAULT_FACILITATOR_PUBKEY_PEM, options.facilitator_pubkey)
+ return pubkey_b64enc(build_reg(addr, transport), pubkey, urlsafe=urlsafe)
+
class Transport(namedtuple("Transport", "inner outer")):
@classmethod
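Review bot: The `old_parse` / `parse_args` / lambda wrapper in `add_module_opts` is a third copy of the pattern also added in flashproxy/keys.py and flashproxy/util.py. Each copy rebinds `parser.parse_args` on the instance, so the module-level `options` are populated only when callers go through that one method. One shared helper that takes the parser and a callback would remove the copies, and the docstring of `add_module_opts` should say that it replaces `parser.parse_args`. `build_reg_b64enc` also needs a docstring stating that it encrypts to the file named by `options.facilitator_pubkey` when set and to `DEFAULT_FACILITATOR_PUBKEY_PEM` otherwise, since the key choice is otherwise invisible at the call sites. The Transport class continues outside the hunk.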
diff --git a/flashproxy/util.py b/flashproxy/util.py
index 13cb5a4..5df15be 100644
--- a/flashproxy/util.py
+++ b/flashproxy/util.py
@@ -1,6 +1,44 @@
import re
import socket
+_old_socket_getaddrinfo = socket.getaddrinfo
+
+class options(object):
+ safe_logging = True
+ address_family = socket.AF_UNSPEC
+
+def add_module_opts(parser):
+ parser.add_argument("-4",
+ help="name lookups use only IPv4.",
+ action="store_const", const=socket.AF_INET, dest="address_family")
+ parser.add_argument("-6",
+ help="name lookups use only IPv6.",
+ action="store_const", const=socket.AF_INET6, dest="address_family")
+ parser.add_argument("--unsafe-logging",
+ help="don't scrub IP addresses and other sensitive information from "
+ "logs.", action="store_true")
+
+ old_parse = parser.parse_args
+ def parse_args(namespace):
+ options.safe_logging = not namespace.unsafe_logging
+ options.address_family = namespace.address_family or socket.AF_UNSPEC
+ if options.address_family != socket.AF_UNSPEC:
+ def getaddrinfo_replacement(host, port, family, *args, **kwargs):
+ return _old_socket_getaddrinfo(host, port, options.address_family, *args, **kwargs)
+ socket.getaddrinfo = getaddrinfo_replacement
+ return namespace
+ parser.parse_args = lambda *a, **kw: parse_args(old_parse(*a, **kw))
+
+def safe_str(s):
+ """Return "[scrubbed]" if options.safe_logging is true, and s otherwise."""
+ if options.safe_logging:
+ return "[scrubbed]"
+ else:
+ return s
+
+def safe_format_addr(addr):
+ return safe_str(format_addr(addr))
+
def parse_addr_spec(spec, defhost = None, defport = None):
"""Parse a host:port specification and return a 2-tuple ("host", port) as
understood by the Python socket functions.
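Review bot: `getaddrinfo_replacement(host, port, family, *args, **kwargs)` makes `family` a required positional, while the real `socket.getaddrinfo` treats it as optional, so once `-4` or `-6` is given any caller passing only host and port fails with a TypeError. Declaring it `def getaddrinfo_replacement(host, port, family=0, *args, **kwargs):` keeps the override and the original calling convention. The assignment to `socket.getaddrinfo` is process-wide and happens as a side effect of `parse_args`, which deserves a comment above `_old_socket_getaddrinfo`. `safe_format_addr` has no docstring; `"""Format addr for log output, scrubbed unless --unsafe-logging was given."""` would match `safe_str`. The body of `parse_addr_spec` continues outside the hunk.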

[flashproxy/master] remove ignore_pubkey param, treat http as special case
by infinity0@torproject.org 07 Jul '14
commit 701a03c82900c4c76963563554234c86929d30d1
Author: Ximin Luo <infinity0(a)torproject.org>
Date: Sun Jul 6 21:53:11 2014 +0100
remove ignore_pubkey param, treat http as special case
---
flashproxy-reg-http | 12 +++++++++---
flashproxy/reg.py | 11 +++++------
2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/flashproxy-reg-http b/flashproxy-reg-http
index debd2d1..3414802 100755
--- a/flashproxy-reg-http
+++ b/flashproxy-reg-http
@@ -6,8 +6,8 @@ import flashproxy
import sys
import urllib2
-from flashproxy.util import safe_format_addr
-from flashproxy.reg import DEFAULT_FACILITATOR_URL, build_reg
+from flashproxy.util import format_addr, parse_addr_spec, safe_format_addr
+from flashproxy.reg import DEFAULT_FACILITATOR_URL, DEFAULT_REMOTE, DEFAULT_TRANSPORT, build_reg
parser = argparse.ArgumentParser(
usage="%(prog)s [OPTIONS] [REMOTE][:PORT]",
@@ -15,7 +15,13 @@ parser = argparse.ArgumentParser(
"If only the external port is given, the remote server guesses our "
"external address.")
flashproxy.util.add_module_opts(parser)
-flashproxy.reg.add_registration_args(parser, ignore_pubkey=True)
+parser.add_argument("--transport", metavar="TRANSPORT",
+ help="register using the given transport, default %(default)s.",
+ default=DEFAULT_TRANSPORT)
+parser.add_argument("remote_addr", metavar="ADDR:PORT",
+ help="external addr+port to register, default %s" %
+ format_addr(DEFAULT_REMOTE), default="", nargs="?",
+ type=lambda x: parse_addr_spec(x, *DEFAULT_REMOTE))
parser.add_argument("-f", "--facilitator", metavar="URL",
help="register with the given facilitator, default %(default)s.",
default=DEFAULT_FACILITATOR_URL)
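Review bot: The `--transport` and `remote_addr` definitions added here are copied from `add_module_opts` and `add_registration_args` in flashproxy/reg.py, so help text, defaults and the `parse_addr_spec` type now have to be kept in step by hand. Moving the two non-key arguments in flashproxy/reg.py into their own function, called both from this script and from `add_registration_args`, would keep the http special case without the copy. At minimum add `# keep in sync with flashproxy.reg.add_registration_args` above the first added `parser.add_argument`.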
diff --git a/flashproxy/reg.py b/flashproxy/reg.py
index bc292dc..84a1275 100644
--- a/flashproxy/reg.py
+++ b/flashproxy/reg.py
@@ -19,19 +19,18 @@ M5SDDYYY4xxEPzokjFJfCQv+kcyAnzERNMQ9kR41ePTXG62bpngK5iWGeJ5XdkxG
gwIDAQAB
-----END PUBLIC KEY-----
"""
-_OPTION_IGNORED = "ignored; for compatibility with other methods"
class options(object):
transport = DEFAULT_TRANSPORT
facilitator_pubkey = None
-def add_module_opts(parser, ignore_pubkey=False):
+def add_module_opts(parser):
parser.add_argument("--transport", metavar="TRANSPORT",
help="register using the given transport, default %(default)s.",
default=DEFAULT_TRANSPORT)
parser.add_argument("--facilitator-pubkey", metavar="FILENAME",
- help=(_OPTION_IGNORED if ignore_pubkey else "encrypt registrations to "
- "the given PEM-formatted public key file (default built-in)."))
+ help=("encrypt registrations to the given PEM-formatted public "
+ "key file (default built-in)."))
old_parse = parser.parse_args
def parse_args(namespace):
@@ -40,8 +39,8 @@ def add_module_opts(parser, ignore_pubkey=False):
return namespace
parser.parse_args = lambda *a, **kw: parse_args(old_parse(*a, **kw))
-def add_registration_args(parser, **kwargs):
- add_module_opts(parser, **kwargs)
+def add_registration_args(parser):
+ add_module_opts(parser)
parser.add_argument("remote_addr", metavar="ADDR:PORT",
help="external addr+port to register, default %s" %
format_addr(DEFAULT_REMOTE), default="", nargs="?",

[flashproxy/master] unify common parts of build_register_command
by infinity0@torproject.org 07 Jul '14
commit 0361a009f6c13dd125c8ad3267d0c9fc6074b298
Author: Ximin Luo <infinity0(a)torproject.org>
Date: Sun Jul 6 21:53:46 2014 +0100
unify common parts of build_register_command
---
flashproxy-client | 43 ++++++++++++++++++++-----------------------
1 file changed, 20 insertions(+), 23 deletions(-)
diff --git a/flashproxy-client b/flashproxy-client
index b69d1bf..05d2fdb 100755
--- a/flashproxy-client
+++ b/flashproxy-client
@@ -898,34 +898,31 @@ def build_register_command(method):
# Maybe the script was read from stdin; in any case don't guess at the directory.
raise ValueError("Can't find executable directory for registration helpers")
- # "common" is options shared by every registration helper.
- common = []
+ if method not in ("http", "appspot", "email"):
+ raise ValueError("Unknown registration method \"%s\"" % method)
+
+ args = []
+
+ # facilitator selection
+ if method == "http":
+ if options.facilitator_url is not None:
+ args += ["-f", options.facilitator_url]
+ else:
+ if options.facilitator_pubkey_filename is not None:
+ args += ["--facilitator-pubkey", options.facilitator_pubkey_filename]
+
+ # options shared by every registration helper.
if options.address_family == socket.AF_INET:
- common += ["-4"]
+ args += ["-4"]
elif options.address_family == socket.AF_INET6:
- common += ["-6"]
+ args += ["-6"]
if options.transport is not None:
- common += ["--transport", options.transport]
+ args += ["--transport", options.transport]
if not options.safe_logging:
- common += ["--unsafe-logging"]
+ args += ["--unsafe-logging"]
- if method == "appspot":
- command = [os.path.join(script_dir, "flashproxy-reg-appspot")] + common
- if options.facilitator_pubkey_filename is not None:
- command += ["--facilitator-pubkey", options.facilitator_pubkey_filename]
- return command
- elif method == "email":
- command = [os.path.join(script_dir, "flashproxy-reg-email")] + common
- if options.facilitator_pubkey_filename is not None:
- command += ["--facilitator-pubkey", options.facilitator_pubkey_filename]
- return command
- elif method == "http":
- command = [os.path.join(script_dir, "flashproxy-reg-http")] + common
- if options.facilitator_url is not None:
- command += ["-f", options.facilitator_url]
- return command
- else:
- raise ValueError("Unknown registration method \"%s\"" % method)
+ prog = os.path.join(script_dir, "flashproxy-reg-%s" % method)
+ return [prog] + args
def pt_escape(s):
result = []
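Review bot: `method` is formatted straight into the helper path by `"flashproxy-reg-%s" % method`, so the `if method not in ("http", "appspot", "email")` check is the only thing restricting which file under `script_dir` can be launched, and nothing in the code says so. Add a comment above the check, for example `# method becomes part of the helper file name below; keep this allowlist ahead of the path join.` A module-level tuple naming the supported methods would also give the error message and any future caller one place to look. `build_register_command` starts above this hunk, so how `script_dir` is derived is not visible here.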
commit 6108ddf5003f5ab85de7d91e701231432fa148bc
Merge: 8a73911 0361a00
Author: Ximin Luo <infinity0(a)torproject.org>
Date: Mon Jul 7 09:33:11 2014 +0100
Merge branch 'bug9975'
Use argparse instead of getopt and factor out much duplicate code.
flashproxy-client | 310 +++++++++++++++++++++---------------------------
flashproxy-reg-appspot | 144 ++++------------------
flashproxy-reg-email | 195 +++++++-----------------------
flashproxy-reg-http | 119 ++++---------------
flashproxy-reg-url | 111 +++--------------
flashproxy/keys.py | 66 ++++++++---
flashproxy/reg.py | 58 ++++++++-
flashproxy/util.py | 38 ++++++
8 files changed, 381 insertions(+), 660 deletions(-)