Commit Graph

774 Commits

Author SHA1 Message Date
Brian Warner
f2050c5fd4 internal renaming: hint objects vs hint structs 2016-05-25 00:23:12 -07:00
Brian Warner
7aa55e6b65 INCOMPATIBILITY: deliver hints as JSON, not strings
The file-send protocol now sends a "hints-v1" key in the "transit"
message, which contains a list of JSON data structures that describe the
connection hints (a mixture of direct, tor, and relay hints, for now).
Previously the direct/tor and relay hints were sent in different keys,
and all were sent as strings like "tcp:hostname:1234" which had to be
parsed by the recipient.

The new structures include a version string, to make it easier to add
new types in the future. Transit logs+ignores hints it cannot
understand.
2016-05-25 00:11:17 -07:00
Brian Warner
afdbbe84c3 cmd_send: allow multiple things in a single message 2016-05-24 19:30:55 -07:00
Brian Warner
8e7c6f16cb cmd_receive: tolerate unrecognized messages
at the expense of not failing quickly when the sender doesn't send an
offer
2016-05-24 19:30:21 -07:00
Brian Warner
1b5f3e125e cmd_receive: add underscore prefix to all internal methods 2016-05-24 19:14:56 -07:00
Brian Warner
812fd0b4da INCOMPATIBILITY: send "transit" message before offer/answer
In the future, both sides should expect to receive "transit" messages at
any time, and they will add to the list of hints that they should try.
For now, each side only sends a single transit message, before they send
the offer (sender) or answer (receiver).
2016-05-24 18:59:04 -07:00
Brian Warner
1a9e565fc3 cmd_send: turn into a self-contained class
This will make it easier to maintain state.
2016-05-24 17:44:41 -07:00
Brian Warner
ac1db705fe INCOMPATIBLE CHANGE: put offer/answer in their own keys
This moves us slowly towards a file-transfer protocol that exchanges
multiple messages, with a single offer (sender->receiver) and
answer (receiver->sender), and one or more connection hint messages (in
either direction) that appear gradually over time as connection
providers come online.

At present the protocol still expects the whole hint list to be present
in the offer/answer message.
2016-05-24 17:32:30 -07:00
Brian Warner
96f25ec7a2 rename phase1 to offer/answer
rearrange cmd_send a bit to do less before the Wormhole is built
2016-05-24 16:41:13 -07:00
Brian Warner
2c7e1529dd Merge branch 'remove-wormhole.twisted' 2016-05-24 16:27:12 -07:00
Brian Warner
0414051df2 remove wormhole/twisted/ 2016-05-24 16:26:17 -07:00
Brian Warner
c06bc83d3f remove unused twisted/eventual.py 2016-05-24 16:25:37 -07:00
Brian Warner
c218b939c0 move wormhole.twisted.tor_manager up to wormhole/ 2016-05-24 16:25:12 -07:00
Brian Warner
7140565b99 move wormhole.twisted.ipaddrs up to wormhole/ 2016-05-24 16:23:52 -07:00
Brian Warner
0e1a4dd513 move wormhole.twisted.transit up to wormhole.transit 2016-05-24 16:22:37 -07:00
Brian Warner
4b3d53ba4e log+ignore unrecognized phase messages
This should enable forwards-compatibility with clients which send extra
data, like a pre-PAKE "auxdata" message that hints we should spin up a
tor client (because they can connect to it) while we're waiting for the
user to type in the wormhole code.
2016-05-24 16:15:43 -07:00
Brian Warner
f6a5581f92 move events diagram (.dot) into docs/ 2016-05-24 16:15:19 -07:00
Brian Warner
783cd984f6 add 'coverage' environment for tox 2016-05-24 16:03:39 -07:00
Brian Warner
88696dd0ed INCOMPATIBLE CHANGE: Merge branch 'new-proto'
This is a very large branch that replaces many aspects of the wormhole
protocol. Clients that use code before this change (including the 0.7.6
release) will not be able to talk to clients after this change. They
won't even be able to talk to the relay.

Things that have changed:

* The server protocol has changed. A new public relay has been set up,
  which listens on a different port.
* The blocking (non-Twisted) implementation has been removed. It will
  return, built on top of the Twisted falvor, using the Crochet library.
* Persistence (state = wormhole.serialize()) has been removed. It will
  return, in a form that works better for constantly-evolving Wormholes.
* API changes:
  * 'from wormhole.wormhole import wormhole', rather than from
    wormhole.twisted.transcribe (this is likely to change further)
  * Create the Wormhole with the wormhole() function, rather than the
    Wormhole() class constructor. You *must* pass reactor= to get a
    Twisted-flavor wormhole (omitting reactor= will, in the future, give
    you a blocking-flavor wormhole).
  * w.get() and w.send(data), instead of w.get_data(phase) and
    w.send_data(data, phase). Wormhole is now a sequential record pipe,
    rather than a named-record channel. Internally, these APIs produce
    numbered phases.
  * verifier = yield w.verify(), instead of get_verifier(). The new
    verify() defers until the connection has received the
    key-confirmation message, and will errback with WrongPasswordError
    if that message doesn't match.
  * w.derive_key(purpose, length) now requires a length, instead of
    defaulting to the NaCl SecretBox key size.
  * w.close() now always defers until all outbound messages have been
    delivered to the relay server, and the connection has closed. It
    always returns a Deferred. Application code should close() before
    calling os.exit(), to make sure your ACKs have been delivered.
  * Any errors (WrongPasswordError, websocket dropped early) will cause
    all pending Deferreds to errback, the nameplate and mailbox will be
    released, and the websocket connection will be closed. w.close() is
    still the right thing to call after an error, as it will defer until
    the connection is finally dropped.
* The Wormhole object starts working as soon as wormhole() is called,
  rather than waiting until an API method is invoked.
* There are more opportunities for parallelism, which should avoid a few
  roundtrips and make things faster.
* We now use SPAKE2-0.7, which changes the key-derivation function to
  one that hopefully matches a proposed SJCL implementation, enabling
  future interoperability between python and javascript clients.
* We derive per-message keys differently, to prevent a particular kind
  of reflection attack that was mitigated differently before.
* The server now manages "nameplates" and "mailboxes" separately (the
  old server/protocol didn't make a distinction). A "nameplate" is a
  channel with a short name (the number from the wormhole code) and
  which only contains one value (a pointer to a mailbox). A "mailbox"
  has a long random name and contains the usual queue of messages being
  sent from one client to the other. This lets us drop the nameplate as
  soon as the second side has connected (and switches to the mailbox),
  so long file transfers don't hog the short wormhole codes for longer
  than necessary.
* There is room for "nameplate attributes", which will (in the future)
  be used to indicate the wordlist being used for the wormhole code,
  allowing tab-completion for alternate wordlists, including languages
  other than english.
* The new expectation is that nameplates and mailboxes will be deleted
  if nobody is connected to them for a while (although this is not yet
  implemented in the server). Applications which need extended offline
  persistent channels will be able to ask for them when claiming the
  nameplate.
2016-05-24 15:26:26 -07:00
Brian Warner
90e6d23c17 change server default port to match new public relay 2016-05-24 14:12:10 -07:00
Brian Warner
30ab940034 INCOMPATIBLE: change derivation of phase keys to include side
Previously the encryption key used for "phase messages" (anything sent
from one side to the other, protected by the shared PAKE-generated
session key) was derived just from the session key and the phase name.
The two sides would use the same key for their first message (but with
random, thus different, nonces).

This uses the sending side's string (a random 5-byte/10-character hex
string) in the derivation process too, so the two sides use different
keys. This gives us an easy way to reject reflected messages. We already
ignore messages that claim to use a "side" which matches our own (to
ignore server echoes of our own outbound messages). With this change, an
attacker (or the server) can't swap in the payload of an outbound
message, change the "side" to make it look like a peer message, and then
let us decrypt it correctly.

It also changes the derivation function to combine the phase and side
values safely. This didn't matter much when we only had one
externally-provided string, but with two, there's an opportunity for
format confusion if they were combined with a simple delimiter. Now we
hash both values before concatenating them.

This breaks interoperability with clients from before this change. They
will always get WrongPasswordErrors.
2016-05-24 13:47:15 -07:00
Brian Warner
97c5d08b6a internally, _derive_key now takes bytes
The w.derive_key(purpose) API still requires unicode.
2016-05-24 13:31:03 -07:00
Brian Warner
7c8e5fb062 factor out key-derivation, prepare for change 2016-05-24 13:26:08 -07:00
Brian Warner
b72f0ce934 INCOMPATIBLE CHANGE: switch to spake2-0.7
This changes the way keys are derived, and thus is incompatible with
previous versions. We pin "spake2==0.7" to avoid future surprises.
2016-05-24 13:14:34 -07:00
Brian Warner
77661bf94e use new relay URL, for new protocol 2016-05-24 13:10:45 -07:00
Brian Warner
c5b174dd6a Merge branch 'master' into new-proto 2016-05-24 13:08:21 -07:00
Brian Warner
fb2ffe1963 add --signal-error to restart too 2016-05-24 12:59:02 -07:00
Brian Warner
a2b88dbf61 server: add --signal-error CLI argument 2016-05-24 12:46:42 -07:00
Brian Warner
bc908ef07e setup.py: pin twisted==16.1.1, remove pytrie
* To avoid an incompatible patch that landed in Twisted trunk after the
  16.1.1 release, autobahn pinned their requirement on Twisted to
  be <=16.1.1 . However Twisted reverted the patch before making a
  release. The new 16.2.0 is fine. Since autobahn has this pin, and
  since pip doesn't do full dependency resolution, I must add the pin
  too, so that 'pip install magic-wormhole' can work. I plan to remove
  this pin as soon as autobahn does the same upstream.
  https://github.com/crossbario/autobahn-python/issues/680
* A previous version of autobahn had a bug where it tried to import
  something that wasn't actually depended upon, exposed by having pynacl
  installed. Installing 'pytrie' manually fixed it. This doesn't seem to
  be a problem anymore, so I'm removing the manual dependency.
2016-05-24 00:10:16 -07:00
Brian Warner
1ef6218b5b remove old twisted/transcribe.py, now just wormhole.py 2016-05-24 00:01:22 -07:00
Brian Warner
3a062eaa26 bring scripts and tests up to date
* use wormhole instead of transcribe.py
* send() no longer waits
* get_verifier -> verify
* derive_key demands a length
2016-05-24 00:00:44 -07:00
Brian Warner
e2aa43d0a9 transit: expose desired key length 2016-05-24 00:00:21 -07:00
Brian Warner
2c64805ea1 fix input_code 2016-05-24 00:00:04 -07:00
Brian Warner
9bd5afe7df make close() always wait 2016-05-23 23:59:49 -07:00
Brian Warner
e11a6f8243 new connection management, test_wormhole passes 2016-05-23 22:53:26 -07:00
Brian Warner
7bcefa78e6 remove test_twisted, now in test_wormhole 2016-05-23 22:53:26 -07:00
Brian Warner
528092dd97 improve error signalling 2016-05-23 00:14:39 -07:00
Brian Warner
c88d6937c2 close(wait=True): wait for connection to be dropped 2016-05-22 18:45:50 -07:00
Brian Warner
c10fd98167 many tests working
* add "released" ack-response for "release" command, to sync w.close()
* move websocket URL to root
* relayurl= should now be a "ws://" URL
* many tests pass (except for test_twisted, which will be removed, and
  test_scripts)
* still moving integration tests from test_twisted to
  test_wormhole.Wormholes
2016-05-22 18:40:44 -07:00
Brian Warner
c6ba55c6b5 better diagram 2016-05-22 11:31:15 -07:00
Brian Warner
3da52b0a3e add 'mock', building out test_wormhole 2016-05-22 11:31:00 -07:00
Brian Warner
0ee56e12b0 change 'list' protocol, make room for nameplate attributes 2016-05-22 11:01:44 -07:00
Brian Warner
53bbcc33f6 new file, state-machine based 2016-05-20 18:49:20 -07:00
Brian Warner
181ef04a91 break out more message components, use SidedMessage 2016-05-20 16:39:59 -07:00
Brian Warner
05aa5ca76e WIP Wormhole 2016-05-20 13:51:05 -07:00
Brian Warner
3b86571de3 fix py3 2016-05-20 12:12:07 -07:00
Brian Warner
390cd08b53 better command/response names: allocate+allocated, claim+claimed 2016-05-20 11:35:30 -07:00
Brian Warner
6c5b517ad1 hush 2016-05-20 11:10:17 -07:00
Brian Warner
ce06d379d9 remove old tests 2016-05-20 11:09:45 -07:00
Brian Warner
0a14901e94 full coverage of websocket 2016-05-20 11:08:10 -07:00