The biggest win is that we now declare what versions of each dependency
we require to build. This way, building a certain version of obfs4 will
always use the same source code, independent of the master branch of
each dependency.
This is necessary for reproducible builds. On top of that, go.sum
contains checksums of all the transitive dependencies and their modules,
so the build system will also recognise when the source code has been
changed.
Updated the build instructions accordingly. We don't drop support for
earlier Go versions, but those won't get the benefit of reproducible
builds unless we start vendoring the dependencies too.
The Go developers decided to move the go.net repository to
golang.org/x/net, and also to transition from hg to git. This wasn't
changed when the go.crypto imports were since the 'proxy' component
doesn't have imports that break, so the old code still works.
While the change here is simple (just update the import location), this
affects packagers as it now expects the updated package. Sorry for the
inconveneince, I blame the Go people, and myself for not just doing
this along with the go.crypto changes.
This allows obfs4proxy to be used as a ScrambleSuit client that is wire
compatible with the obfs4proxy implementation, including session ticket
support, and length obfuscation.
The current implementation has the following limitations:
* IAT obfuscation is not supported (and is disabled in all other
ScrambleSuit implementations by default).
* The length distribution and probabilites are different from those
generated by obfsproxy and obfsclient due to a different DRBG.
* Server support is missing and is unlikely to be implemented.
The Go developers decided to move the go.crypto repository to
golang.org/x/crypto, and also to transition from hg to git. The tip of
tree code.google.com copy of the code is broken due to the import paths
pointing at the new repository.
While the change here is simple (just update the import location), this
affects packagers as it now expects the updated package. Sorry for the
inconveneince, I blame the Go people.
Instead of "node-id" and "public-key" that are Base16 encoded, use
"cert" which contains the "node-id" and "public-key" in Base64 encoded
form. This is more compact and cuts the length down by 49 characters.
* Changed obfs4proxy to be more like obfsproxy in terms of design,
including being an easy framework for developing new TCP/IP style
pluggable transports.
* Added support for also acting as an obfs2/obfs3 client or bridge
as a transition measure (and because the code itself is trivial).
* Massively cleaned up the obfs4 and related code to be easier to
read, and more idiomatic Go-like in style.
* To ease deployment, obfs4proxy will now autogenerate the node-id,
curve25519 keypair, and drbg seed if none are specified, and save
them to a JSON file in the pt_state directory (Fixes Tor bug #12605).
The same algorithm as ScrambleSuit is used, except:
* SipHash-2-4 in OFB mode is used to create the distribution.
* The system CSPRNG is used when sampling the distribution.
This fixes most of #3, all that remains is generating and sending a
persistent distribution on the server side to the client.