commit d16d4ade7504e83eef6e7f34c7da827a8a76c80a Author: Philipp Winter <phw@torproject.org> Date: Sat Mar 1 23:29:04 2014 +0100 Close connection if authentication fails. Adapt the server's behaviour to the spec change of commit 892846eb. When a server bootstraps for the first time, it randomly generates a byte threshold after which unauthenticated connections are closed. This should fix <https://bugs.torproject.org/11092>. --- obfsproxy/transports/scramblesuit/scramblesuit.py | 7 +++++++ obfsproxy/transports/scramblesuit/state.py | 9 +++++++++ 2 files changed, 16 insertions(+) diff --git a/obfsproxy/transports/scramblesuit/scramblesuit.py b/obfsproxy/transports/scramblesuit/scramblesuit.py index 6279925..da2a32d 100644 --- a/obfsproxy/transports/scramblesuit/scramblesuit.py +++ b/obfsproxy/transports/scramblesuit/scramblesuit.py @@ -485,6 +485,13 @@ class ScrambleSuitTransport( base.BaseTransport ): self.sendTicketAndSeed() else: + if len(data) > self.srvState.closingThreshold: + log.info("Terminating connection after having received %d" + " bytes because client could not " + "authenticate." % len(data)) + self.circuit.close() + return + log.debug("Authentication unsuccessful so far. " "Waiting for more data.") return diff --git a/obfsproxy/transports/scramblesuit/state.py b/obfsproxy/transports/scramblesuit/state.py index 9d32d0c..384db97 100644 --- a/obfsproxy/transports/scramblesuit/state.py +++ b/obfsproxy/transports/scramblesuit/state.py @@ -76,6 +76,7 @@ class State( object ): self.pktDist = None self.iatDist = None self.fallbackPassword = None + self.closingThreshold = None def genState( self ): """ @@ -112,6 +113,14 @@ class State( object ): # did not set `ServerTransportOptions'. self.fallbackPassword = os.urandom(const.SHARED_SECRET_LENGTH) + # Unauthenticated connections are closed after having received the + # following amount of bytes. + max_handshake_len = const.MAX_PADDING_LENGTH + \ + const.MARK_LENGTH + \ + const.HMAC_SHA256_128_LENGTH + self.closingThreshold = prng.randint(max_handshake_len, + max_handshake_len * 2) + self.writeState() def isReplayed( self, hmac ):