commit fd4a91192ccab2cfda2c4b7887730a84152d5fa7 Author: Philipp Winter phw@torproject.org Date: Sat Mar 8 16:42:31 2014 +0100

When authenticating, also test epoch boundaries.

On occasion, a client's or a server's epoch might already have increased whereas the epoch of the other party didn't. This is a benign event and there is no reason to fail authentication because of this. As a result, as a server, we now also test boundary values, i.e., epoch - 1, epoch, epoch + 1. --- obfsproxy/transports/scramblesuit/scramblesuit.py | 22 +++++++++++++-------- obfsproxy/transports/scramblesuit/uniformdh.py | 22 +++++++++++++-------- obfsproxy/transports/scramblesuit/util.py | 10 ++++++++++ 3 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/obfsproxy/transports/scramblesuit/scramblesuit.py b/obfsproxy/transports/scramblesuit/scramblesuit.py index 7e96044..87a7370 100644 --- a/obfsproxy/transports/scramblesuit/scramblesuit.py +++ b/obfsproxy/transports/scramblesuit/scramblesuit.py @@ -388,14 +388,20 @@ class ScrambleSuitTransport( base.BaseTransport ): existingHMAC = potentialTicket[index + const.MARK_LENGTH: index + const.MARK_LENGTH + const.HMAC_SHA256_128_LENGTH] - myHMAC = mycrypto.HMAC_SHA256_128(self.recvHMAC, - potentialTicket[0: - index + const.MARK_LENGTH] + - util.getEpoch()) - - if not util.isValidHMAC(myHMAC, existingHMAC, self.recvHMAC): - log.warning("The HMAC is invalid: `%s' vs. `%s'." % - (myHMAC.encode('hex'), existingHMAC.encode('hex'))) + authenticated = False + for epoch in util.expandedEpoch(): + myHMAC = mycrypto.HMAC_SHA256_128(self.recvHMAC, + potentialTicket[0:index + \ + const.MARK_LENGTH] + epoch) + + if util.isValidHMAC(myHMAC, existingHMAC, self.recvHMAC): + authenticated = True + break + + log.debug("HMAC invalid. Trying next epoch value.") + + if not authenticated: + log.warning("Could not verify the authentication message's HMAC.") return False

# Do nothing if the ticket is replayed. Immediately closing the diff --git a/obfsproxy/transports/scramblesuit/uniformdh.py b/obfsproxy/transports/scramblesuit/uniformdh.py index 1b59575..dd16070 100644 --- a/obfsproxy/transports/scramblesuit/uniformdh.py +++ b/obfsproxy/transports/scramblesuit/uniformdh.py @@ -120,19 +120,25 @@ class UniformDH( object ): if not index: return False

- self.echoEpoch = util.getEpoch() - # Now that we know where the authenticating HMAC is: verify it. hmacStart = index + const.MARK_LENGTH existingHMAC = handshake[hmacStart: (hmacStart + const.HMAC_SHA256_128_LENGTH)] - myHMAC = mycrypto.HMAC_SHA256_128(self.sharedSecret, - handshake[0 : hmacStart] + - self.echoEpoch)

- if not util.isValidHMAC(myHMAC, existingHMAC, self.sharedSecret): - log.warning("The HMAC is invalid: `%s' vs. `%s'." % - (myHMAC.encode('hex'), existingHMAC.encode('hex'))) + authenticated = False + for epoch in util.expandedEpoch(): + myHMAC = mycrypto.HMAC_SHA256_128(self.sharedSecret, + handshake[0 : hmacStart] + epoch) + + if util.isValidHMAC(myHMAC, existingHMAC, self.sharedSecret): + self.echoEpoch = epoch + authenticated = True + break + + log.debug("HMAC invalid. Trying next epoch value.") + + if not authenticated: + log.warning("Could not verify the authentication message's HMAC.") return False

# Do nothing if the ticket is replayed. Immediately closing the diff --git a/obfsproxy/transports/scramblesuit/util.py b/obfsproxy/transports/scramblesuit/util.py index bb0557e..ee25f95 100644 --- a/obfsproxy/transports/scramblesuit/util.py +++ b/obfsproxy/transports/scramblesuit/util.py @@ -106,6 +106,16 @@ def getEpoch( ): return str(int(time.time()) / const.EPOCH_GRANULARITY)

+def expandedEpoch( ): + """ + Return [epoch, epoch-1, epoch+1]. + """ + + epoch = int(getEpoch()) + + return [str(epoch), str(epoch - 1), str(epoch + 1)] + + def writeToFile( data, fileName ): """ Writes the given `data' to the file specified by `fileName'.