Commit Graph

301 Commits

Author SHA1 Message Date
Brian Warner
12816c16d8 README: installation may need some libraries 2015-12-08 15:05:16 -08:00
Brian Warner
4bc0fc6cc0 Merge branch 'blur-usage' 2015-12-04 17:41:33 -08:00
Brian Warner
9ed39be346 don't log HTTP requests when blur-usage is on 2015-12-04 17:35:56 -08:00
Brian Warner
1ab66d2fd0 privacy: only store coarse timestamps in the usage table 2015-12-03 21:15:19 -08:00
Brian Warner
ee86059b0a transit_server: clean up logging slightly 2015-12-03 20:44:34 -08:00
Brian Warner
fbec4cef77 Merge branch 'transit-usage' 2015-12-03 20:44:01 -08:00
Brian Warner
6c88396f14 CLI: make 'wormhole server usage' show transit too 2015-12-03 20:15:29 -08:00
Brian Warner
909cdfa3dc track transit usage in DB 2015-12-03 19:45:34 -08:00
Brian Warner
a3656c162b schema change: prep usage table for including transit too 2015-12-03 19:44:47 -08:00
Brian Warner
fb493da8c7 transit_server.py: underscore-ify private attributes 2015-12-03 19:25:40 -08:00
Brian Warner
6369c17595 test_transit: use better error in Accumulator
apparently this was broken before, but never got triggered
2015-12-03 19:25:40 -08:00
Brian Warner
085b28f97d README: mention new send-directory feature 2015-12-03 17:02:34 -06:00
Brian Warner
cbbbe2014a release 0.6.1 2015-12-03 16:57:12 -06:00
Brian Warner
3d3d4b99ce Add NEWS items for next release 2015-12-03 16:52:58 -06:00
Brian Warner
568903ac48 add test for Transit (blocking only) 2015-12-03 16:24:52 -06:00
Brian Warner
229c702ccc transit: fix py3 2015-12-03 16:23:12 -06:00
Brian Warner
95d0e68cf2 transit: avoid near-infinite loop upon connector error
Now we will never try any hint more than once. Previously we'd hit the
relay hint over and over until the timeout fired.
2015-12-03 16:22:03 -06:00
Brian Warner
11f806a316 transit_relay: add Producer/Consumer flow control
This limits the buffering to about 10MB (per connection*direction).
Previously, if the sender had more bandwidth than the receiver, the
transit relay would buffer the entire file. With this change, the sender
will be throttled to match the receiver's downstream speed.
2015-12-03 15:07:47 -06:00
Brian Warner
c103441648 test_transit: fix py3.3, no %s in bytestrings 2015-12-02 03:02:50 -06:00
Brian Warner
8240d9e910 add test of transit server, make it work under py3
Also have transit send logs to log.msg, not stdout.
2015-12-02 01:47:52 -06:00
Brian Warner
80603aaa32 finish py3/async support, needs Twisted >= 15.5.0
The latest Twisted fixes the web.Agent code we need for proper async
support. There's still a daemonization bug that prevents 'wormhole
server start' from succeeding (it hangs).
2015-12-01 00:15:24 -06:00
Brian Warner
f8fdec18a5 stop testing py2.6, since Twisted no longer supports it
README.md: stop claiming compatibility with it.
2015-11-29 01:42:15 -06:00
Brian Warner
5b46df133f implement (and test) --output-file for receive-file 2015-11-29 01:40:25 -06:00
Brian Warner
143d6dbc74 Merge branch 'senddir' 2015-11-29 01:37:12 -06:00
Brian Warner
3a343f9895 test send/receive directory 2015-11-29 01:33:15 -06:00
Brian Warner
6fefcde061 add send/receive of whole directories 2015-11-25 01:53:04 -06:00
Brian Warner
6958241f3f preliminary refactoring 2015-11-25 01:47:24 -06:00
Brian Warner
1428507909 refactor cmd_receive.py, split accept_file() to a separate function 2015-11-25 01:40:17 -06:00
Brian Warner
a96f29d01f wormhole server show-usage / tail-usage
Use a separate "tail-usage" command instead of "show-usage -f". Make
both work on py3 too.
2015-11-24 13:20:58 -08:00
Brian Warner
0c36fad720 add "wormhole server usage" to dump usage DB 2015-11-24 13:03:53 -08:00
Brian Warner
3457360751 update docs for 0.6.0 release 2015-11-23 17:14:07 -08:00
Brian Warner
1d6c3d1f96 clients: use "watch" endpoint, not "get" 2015-11-23 16:50:54 -08:00
Brian Warner
2318c94169 test_server: error properly when EventSource fails 2015-11-23 16:49:46 -08:00
Brian Warner
c482c248ff server: add "watch" endpoint, deprecate non-ES "get"
I'm planning to leave non-EventSource "/get" in until after 0.6.0, then
remove it. I think it's cleaner for the logs to have the two
forms (EventSource and immediate) use different URLs.
2015-11-23 16:43:25 -08:00
Brian Warner
82cdadae80 check welcome message 'send' too 2015-11-23 16:33:09 -08:00
Brian Warner
1db485d493 Antithesis: merge branch 'send-multiple' (no code changes)
At PyCon 2007, Robert "r0ml" Lefkowitz gave a keynote comparing the rise
of actual-paper literacy (the development of whitespace, punctuation,
sentences, pages, bookmarks, an index, argumentative forms, forensics,
rhetoric) with the rise of computer-language literacy (macros,
multicharacter variable names, loops, comments, OOP, reusable code,
collaborative review). He pointed out that many classical written
techniques do not yet have analogues in our programming practices,
citing "antithesis" as one such tool. In writing, Antithesis is where
you lay out the opposite of the idea you really want to convey, to
explain what's wrong with it. By including antithesis, you can capture
some valuable knowledge, and might anticipate (and head off) future "but
what about X" arguments.

This branch documents a wrong turn: an API that I thought would be a
good idea, but which turned out to not be worth it. Rather than
discarding the branch entirely, I decided to merge the history (but not
the changes) into trunk, so I don't lose the decision-making process or
the implementation.

The impetus for this feature was the unfortunate extra round trip
introduced when I added "confirmation" messages in 3220014. Confirmation
messages were necessary to avoid a hang when "wormhole receive" was
given the wrong codephrase. The previous messages flow was:

* sender->receiver: PAKE1
* receiver->sender: PAKE2
* sender->receiver: DATA
* receiver->sender: ACK

Both sides compute a key when they hear the other's PAKE message, but if
the wormhole codes are different, they will compute different keys. When
they discover this, they should raise a WrongPasswordError to notify
their users. But when exactly does this happen?

The receiver learns about this when they hear the DATA message,
and (before commit d1cf1c6) would hang up immediately, before allowing
the application code to send any ACK. As a result, the sender never sees
the ACK (which would be mis-encrypted, and thus reveal that the codes
were different), and waits forever.

Adding confirmations to the flow gives us:

* sender->receiver: PAKE1
* receiver->sender: PAKE2
* sender->receiver: CONFIRM1
* sender->receiver: DATA
* receiver->sender: CONFIRM2
* receiver->sender: ACK

Both sides send a CONFIRM message as soon as they hear the other's PAKE
message, before computing a shared key or returning control to
application code. The receiver's CONFIRM2 goes out before it processes
DATA. A moment later, in the same function call, the receiver gets a
decrypt error on the DATA message and aborts the connection. However the
sender will see CONFIRM2 arrive, tries (and fails) to validate it, and
can abort the connection itself, giving the "wormhole send" user a clear
error message (WrongPasswordError).

The sender is now sending two messages in close succession: CONFIRM1 and
DATA. Both are sent in response to the incoming PAKE2 message, and in an
ideal world both would be sent in the same round trip. In the hopes of
achieving this, I spent quite a bit of time changing the architecture on
both client and server sides, and improving the server API:

* POST to the server would accept multiple messages, not just one
* the EventSource "watch" API could deliver multiple messages in a
  single line

Those changes worked, however when I finally came to change the sender
to put both messages in a single call, I found that I could not: the
messages come from very different places. The CONFIRM1 is sent just
after waiting for (and receiving) PAKE2, in `_get_key()`. The DATA
message it sent after getting the key, in `send_data()`. Despite both
happening in the same turn of the event loop (or, equivalently, in the
same stack frame), the Wormhole API would have to be unpleasantly
changed to make it possible for both messages to go out together. In
particular, `_get_key()` is called from both `send_data()` (which sends
DATA) and `get_verifier()` (which deliberately does not). The least-bad
approach I could come up with was to have CONFIRM1 be accumulated in a
Nagle-like queue until the caller allowed all messages to be sent.

In the end I decided it wasn't worth the complexity. Sufficiently
motivated senders can manually pipeline the two messages without
explicit API support (there's no reason an async sender must wait for
CONFIRM1 to be delivered before sending DATA down the same wire). And
receivers don't really need their "watch" (EventSource) API to deliver
batches of messages instead of single ones: apps should treat messages
as an unordered set anyways. I also realized that the prioritization
aspect of the new "get_first_of" API was unnecessary: any client that
wants a CONFIRM message for key confirmation would be just as well
served by any DATA message (either can be used for key-confirmation):
the important property is that we accept CONFIRM *in addition to* a
DATA, because in some error cases we'll never see the DATA (ACK).

So, having watched the reasons for these changes crumble to the ground,
I decided to not land them. But the lessons learned in the process were
still valuable, so I'm including this branch in the mainline history
even though the actual code changes were abandoned.
2015-11-23 16:29:40 -08:00
Brian Warner
033e442721 revert send-multiple changes from 56b88d0 and 969619f
This restores the code to commit badf516.
2015-11-23 16:28:44 -08:00
Brian Warner
969619fff5 clients: use new send-multiple API 2015-11-22 18:16:43 -08:00
Brian Warner
56b88d0b40 new server APIs: handle multiple messages per call 2015-11-22 18:06:47 -08:00
Brian Warner
badf5168ef test_server: rename some functions 2015-11-22 18:06:42 -08:00
Brian Warner
5e0a7e4c93 remove stale copy of server URLs 2015-11-22 17:44:25 -08:00
Brian Warner
00bb816d11 remove close-on-error from derive_key(), for now
In the twisted-style code, the close_on_error() decorator forces the
return value to be a Deferred, which is all wrong for internal uses of
derive_key() (verification string and confirmation message). It might be
useful to have a synchronous form of close_on_error(), but since the
actual close() is async, that's not very straightforward.

So for now, tolerate unclosed Wormhole objects when someone calls
derive_key() too early, or with a non-unicode type string.
2015-11-19 17:11:27 -08:00
Brian Warner
22a1ce2eda add close-with-mood-on-error to twisted style too 2015-11-19 17:08:21 -08:00
Brian Warner
d1cf1c6da0 Merge branch 'confirm-msg' 2015-11-19 16:26:07 -08:00
Brian Warner
9827a2e50c add twisted/blocking interop test 2015-11-19 16:21:10 -08:00
Brian Warner
fd9a62e8ff change confirmation message: must be different on each side
The previous same-message-for-both-sides approach failed, because the
Channel filters out duplicates.
2015-11-19 16:06:30 -08:00
Brian Warner
1ad001bbc3 WIP: test that we tolerate missing key-confirmation messages 2015-11-16 18:25:28 -08:00
Brian Warner
6b57d7d05d check key-confirmation messages, if present 2015-11-16 18:24:39 -08:00
Brian Warner
3220014605 send key-confirmation message upon receipt of PAKE
This will allow the first peer to detect a wrong password even though
the second peer bails before sending something encrypted.
2015-11-16 17:02:02 -08:00
Brian Warner
4ad7342459 make self.channel internal (twisted) 2015-11-16 16:54:00 -08:00