Commit Graph

769 Commits

Author SHA1 Message Date
Brian Warner
2318c94169 test_server: error properly when EventSource fails 2015-11-23 16:49:46 -08:00
Brian Warner
c482c248ff server: add "watch" endpoint, deprecate non-ES "get"
I'm planning to leave non-EventSource "/get" in until after 0.6.0, then
remove it. I think it's cleaner for the logs to have the two
forms (EventSource and immediate) use different URLs.
2015-11-23 16:43:25 -08:00
Brian Warner
82cdadae80 check welcome message 'send' too 2015-11-23 16:33:09 -08:00
Brian Warner
1db485d493 Antithesis: merge branch 'send-multiple' (no code changes)
At PyCon 2007, Robert "r0ml" Lefkowitz gave a keynote comparing the rise
of actual-paper literacy (the development of whitespace, punctuation,
sentences, pages, bookmarks, an index, argumentative forms, forensics,
rhetoric) with the rise of computer-language literacy (macros,
multicharacter variable names, loops, comments, OOP, reusable code,
collaborative review). He pointed out that many classical written
techniques do not yet have analogues in our programming practices,
citing "antithesis" as one such tool. In writing, Antithesis is where
you lay out the opposite of the idea you really want to convey, to
explain what's wrong with it. By including antithesis, you can capture
some valuable knowledge, and might anticipate (and head off) future "but
what about X" arguments.

This branch documents a wrong turn: an API that I thought would be a
good idea, but which turned out to not be worth it. Rather than
discarding the branch entirely, I decided to merge the history (but not
the changes) into trunk, so I don't lose the decision-making process or
the implementation.

The impetus for this feature was the unfortunate extra round trip
introduced when I added "confirmation" messages in 3220014. Confirmation
messages were necessary to avoid a hang when "wormhole receive" was
given the wrong codephrase. The previous message flow was:

* sender->receiver: PAKE1
* receiver->sender: PAKE2
* sender->receiver: DATA
* receiver->sender: ACK

Both sides compute a key when they hear the other's PAKE message, but if
the wormhole codes are different, they will compute different keys. When
they discover this, they should raise a WrongPasswordError to notify
their users. But when exactly does this happen?

The receiver learns about this when they hear the DATA message,
and (before commit d1cf1c6) would hang up immediately, before allowing
the application code to send any ACK. As a result, the sender never sees
the ACK (which would be mis-encrypted, and thus reveal that the codes
were different), and waits forever.

Adding confirmations to the flow gives us:

* sender->receiver: PAKE1
* receiver->sender: PAKE2
* sender->receiver: CONFIRM1
* sender->receiver: DATA
* receiver->sender: CONFIRM2
* receiver->sender: ACK

Both sides send a CONFIRM message as soon as they hear the other's PAKE
message, before computing a shared key or returning control to
application code. The receiver's CONFIRM2 goes out before it processes
DATA. A moment later, in the same function call, the receiver gets a
decrypt error on the DATA message and aborts the connection. However the
sender will see CONFIRM2 arrive, tries (and fails) to validate it, and
can abort the connection itself, giving the "wormhole send" user a clear
error message (WrongPasswordError).

The sender is now sending two messages in close succession: CONFIRM1 and
DATA. Both are sent in response to the incoming PAKE2 message, and in an
ideal world both would be sent in the same round trip. In the hopes of
achieving this, I spent quite a bit of time changing the architecture on
both client and server sides, and improving the server API:

* POST to the server would accept multiple messages, not just one
* the EventSource "watch" API could deliver multiple messages in a
  single line

Those changes worked, however when I finally came to change the sender
to put both messages in a single call, I found that I could not: the
messages come from very different places. The CONFIRM1 is sent just
after waiting for (and receiving) PAKE2, in `_get_key()`. The DATA
message is sent after getting the key, in `send_data()`. Despite both
happening in the same turn of the event loop (or, equivalently, in the
same stack frame), the Wormhole API would have to be unpleasantly
changed to make it possible for both messages to go out together. In
particular, `_get_key()` is called from both `send_data()` (which sends
DATA) and `get_verifier()` (which deliberately does not). The least-bad
approach I could come up with was to have CONFIRM1 be accumulated in a
Nagle-like queue until the caller allowed all messages to be sent.

In the end I decided it wasn't worth the complexity. Sufficiently
motivated senders can manually pipeline the two messages without
explicit API support (there's no reason an async sender must wait for
CONFIRM1 to be delivered before sending DATA down the same wire). And
receivers don't really need their "watch" (EventSource) API to deliver
batches of messages instead of single ones: apps should treat messages
as an unordered set anyways. I also realized that the prioritization
aspect of the new "get_first_of" API was unnecessary: any client that
wants a CONFIRM message for key confirmation would be just as well
served by any DATA message (either can be used for key-confirmation):
the important property is that we accept CONFIRM *in addition to* a
DATA, because in some error cases we'll never see the DATA (ACK).

So, having watched the reasons for these changes crumble to the ground,
I decided to not land them. But the lessons learned in the process were
still valuable, so I'm including this branch in the mainline history
even though the actual code changes were abandoned.
2015-11-23 16:29:40 -08:00
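
The two message flows described in the 1db485d493 commit message above, as an added sketch that is not code from this repository: it shows why a sender hangs on a wrong code without confirmations and gets a WrongPasswordError with them. Assumptions: `toy_key` (a plain hash, standing in for the PAKE), the HMAC-tagged messages (standing in for the real encryption), the function names, and the sample codes are all constructed for illustration, and only the receiver-to-sender direction (CONFIRM2, ACK) is modelled.

```python
import hashlib
import hmac

class WrongPasswordError(Exception):
    pass

def toy_key(code, pake1, pake2):
    # Stand-in only: hashing the code is NOT a PAKE. It just yields different
    # keys for different codes, which is all this flow demo needs.
    return hashlib.sha256(b"|".join([code.encode(), pake1, pake2])).digest()

def tag(key, label, body=b""):
    return hmac.new(key, label + b":" + body, hashlib.sha256).digest()

def seal(key, label, body):
    # Authenticated (not encrypted) message: body followed by a 32-byte MAC.
    return body + tag(key, label, body)

def unseal(key, label, msg):
    body, mac = msg[:-32], msg[-32:]
    if not hmac.compare_digest(mac, tag(key, label, body)):
        raise WrongPasswordError(label.decode())
    return body

def receiver(code, pake1, pake2, data_msg, confirmations):
    key = toy_key(code, pake1, pake2)
    out = []
    if confirmations:
        # CONFIRM2 goes out before DATA is processed.
        out.append(("CONFIRM2", tag(key, b"confirm-receiver")))
    try:
        unseal(key, b"DATA", data_msg)
    except WrongPasswordError:
        return out  # receiver aborts here: no ACK is ever sent
    return out + [("ACK", seal(key, b"ACK", b"ok"))]

def sender(sender_code, receiver_code, confirmations=True):
    pake1, pake2 = b"constructed-pake1", b"constructed-pake2"
    key = toy_key(sender_code, pake1, pake2)
    data = seal(key, b"DATA", b"hello")
    replies = receiver(receiver_code, pake1, pake2, data, confirmations)
    if not replies:
        return "hang"  # nothing to validate: the sender would wait forever
    name, body = replies[0]  # first of CONFIRM2 or ACK confirms the key
    try:
        if name == "CONFIRM2":
            if not hmac.compare_digest(body, tag(key, b"confirm-receiver")):
                raise WrongPasswordError(name)
        else:
            unseal(key, b"ACK", body)
    except WrongPasswordError:
        return "WrongPasswordError"
    return "ok"
```
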
Brian Warner
033e442721 revert send-multiple changes from 56b88d0 and 969619f
This restores the code to commit badf516.
2015-11-23 16:28:44 -08:00
Brian Warner
969619fff5 clients: use new send-multiple API 2015-11-22 18:16:43 -08:00
Brian Warner
56b88d0b40 new server APIs: handle multiple messages per call 2015-11-22 18:06:47 -08:00
Brian Warner
badf5168ef test_server: rename some functions 2015-11-22 18:06:42 -08:00
Brian Warner
5e0a7e4c93 remove stale copy of server URLs 2015-11-22 17:44:25 -08:00
Brian Warner
00bb816d11 remove close-on-error from derive_key(), for now
In the twisted-style code, the close_on_error() decorator forces the
return value to be a Deferred, which is all wrong for internal uses of
derive_key() (verification string and confirmation message). It might be
useful to have a synchronous form of close_on_error(), but since the
actual close() is async, that's not very straightforward.

So for now, tolerate unclosed Wormhole objects when someone calls
derive_key() too early, or with a non-unicode type string.
2015-11-19 17:11:27 -08:00
Brian Warner
22a1ce2eda add close-with-mood-on-error to twisted style too 2015-11-19 17:08:21 -08:00
Brian Warner
d1cf1c6da0 Merge branch 'confirm-msg' 2015-11-19 16:26:07 -08:00
Brian Warner
9827a2e50c add twisted/blocking interop test 2015-11-19 16:21:10 -08:00
Brian Warner
fd9a62e8ff change confirmation message: must be different on each side
The previous same-message-for-both-sides approach failed, because the
Channel filters out duplicates.
2015-11-19 16:06:30 -08:00
Brian Warner
1ad001bbc3 WIP: test that we tolerate missing key-confirmation messages 2015-11-16 18:25:28 -08:00
Brian Warner
6b57d7d05d check key-confirmation messages, if present 2015-11-16 18:24:39 -08:00
Brian Warner
3220014605 send key-confirmation message upon receipt of PAKE
This will allow the first peer to detect a wrong password even though
the second peer bails before sending something encrypted.
2015-11-16 17:02:02 -08:00
Brian Warner
4ad7342459 make self.channel internal (twisted) 2015-11-16 16:54:00 -08:00
Brian Warner
ae2a6c6a05 add Channel.get_first_of()
This allows the Wormhole code to wait for multiple messages, which will
be useful for getting Confirmation messages soon.
2015-11-16 16:47:52 -08:00
Brian Warner
b709a45891 get_data/set_data: reserve _ for internal uses 2015-11-16 16:20:00 -08:00
Brian Warner
6956f35e9a receive: fetch channel list before completion, to get welcome message 2015-11-15 10:53:13 -08:00
Brian Warner
7426097ba5 Merge branch 'usage' 2015-11-15 10:35:06 -08:00
Brian Warner
47d3eee6fe server: treat missing moods (from older clients) as "quiet" 2015-11-15 10:34:40 -08:00
Brian Warner
4f0dde9529 server: summarize transfers, store in DB 2015-11-15 10:34:29 -08:00
Brian Warner
26c7008c23 DB: use 'messages' to track allocations, not 'allocations'
This removes the 'allocations' table entirely, and cleans up the way we
prune old messages. This should make it easier to summarize each
connection (for usage stats) when it gets deallocated, as well as making
pruning more reliable.
2015-11-13 18:24:36 -08:00
Brian Warner
bb97729a23 server: more refactoring
flattening some attribute access paths
2015-11-13 18:20:47 -08:00
Brian Warner
0b9f858761 server: internal refactoring 2015-11-13 18:12:47 -08:00
Brian Warner
101c800237 deallocate: ignore all 'requests' exceptions 2015-11-12 10:11:30 -08:00
Brian Warner
2e393c145e make default mood "happy", change other mood names 2015-11-12 09:31:03 -08:00
Brian Warner
cc369d6b1e api.md: fix typo 2015-11-12 09:30:48 -08:00
Brian Warner
dc581d34f2 Merge branch 'error-handling' 2015-11-11 22:02:51 -08:00
Brian Warner
80beb20631 make blocking.Wormhole into a context manager 2015-11-11 21:59:16 -08:00
Brian Warner
a881d6055f auto-close Channel (with a "mood") upon server or crypto error 2015-11-11 21:54:45 -08:00
Brian Warner
0748647049 allow multiple close() calls, throw error when using a closed Wormhole 2015-11-11 18:17:52 -08:00
Brian Warner
3daef13ac0 indent commands: no functional changes 2015-11-11 18:11:53 -08:00
Brian Warner
cb5ad8ced1 Use exception for Timeout, not return value 2015-11-11 18:01:22 -08:00
Brian Warner
6de677c1df use timeouts for allocate and list_channels too 2015-11-11 18:00:06 -08:00
Brian Warner
fa3be3523d pass timeouts down 2015-11-11 17:56:08 -08:00
Brian Warner
07686f3de7 make self.channel internal 2015-11-11 17:52:13 -08:00
Brian Warner
9ead3f48a8 fix 'wormhole server restart'
It got broken when I added --no-daemon to 'server start'.
2015-11-11 17:30:31 -08:00
Brian Warner
ec51adb713 add 'wormhole send --text -' to read message from stdin 2015-11-11 17:27:26 -08:00
Brian Warner
b83062701d server: give old 0.4.0 senders a "you must upgrade" error
Without this, old senders will throw a messy 404 traceback when talking
to a modern server.

Unfortunately 0.4.0 receivers don't make API calls in the right order,
so they throw a 404 before seeing our "you need to upgrade" message.
2015-11-11 17:06:33 -08:00
Brian Warner
ca5f79233c update NEWS (belatedly) for 0.5.0 2015-11-11 17:06:32 -08:00
Vikas Parashar
79471dff7c Updated README.md with Installation instruction
Instructions for installation were missing, so updated with `pip install` method.
2015-10-12 17:44:36 -07:00
Brian Warner
595a0e5845 server API: include "mood" when closing the channel
This will be used as a simple unverifiable counter of success/failure.
2015-10-08 18:35:26 -07:00
Brian Warner
7a3b18b7f7 setup.cfg: make a py2/py3 "universal" wheel 2015-10-07 17:13:39 -07:00
Brian Warner
03566b3ed4 update docs for 0.5.0 release 2015-10-07 17:10:48 -07:00
Brian Warner
0a6ab83bc5 test distinctness of encryption nonces 2015-10-07 16:31:45 -07:00
Brian Warner
385762b36d demo.py: make it easier to modify for local testing 2015-10-07 16:31:45 -07:00
Brian Warner
df3aee2a86 fix EventSource (server and parsers)
I was really confused about the Server-Sent Events syntax. This new one
is compatible with actual web browsers and the spec:

 http://www.w3.org/TR/eventsource/
2015-10-07 16:31:45 -07:00