[Cross-posted to guardian-dev and tor-dev.]
Hey, friends.
I suppose this serves as a project announcement of sorts, and also as a progress report regarding the current status of this thing.
iObfs is an effort to build obfs4proxy for iOS and to also build out some techniques for actually making it usable within other Tor-enabled iOS apps. You may have heard me or n8fr8 discuss the idea at the dev meeting a few weeks ago. I'm not in love with the name I gave it (it's a placeholder that stuck around), but such is life. The repository is currently hosted at [1].
[1]: https://github.com/mtigas/iObfs
The initial sprint is being supported by a small Guardian Project grant through mid-April. The high-level goals are to:
1) successfully cross-compile obfs4proxy for the iOS environment
2) "library-ify" it and link it into a proof-of-concept iOS app
3) figure out how to get it to work without "managed mode"
4) build out a process for maybe putting it into Onion Browser, iCepa[2], and other Tor iOS efforts
I've got a bit of work regarding #1. I think I'm close to getting the binary running, thanks to the existence of the gomobile tools[3]. Using gomobile, you easily get[4] an "obfs4proxy.app" and (given a properly configured Xcode and iPhone) you can put it on a device. But it crashes right now because (I believe) the iOS SDK requires apps to declare some user interface (even if it's blank). So that's close, but my relative lack of experience with Go and the Go buildchain has made #1/#2 a bit slow-going.
[3]: https://golang.org/x/mobile/cmd/gomobile
[4]: https://github.com/mtigas/iObfs/blob/master/buildobfs4.sh
This week, I also took the time to figure out how PT "managed mode" actually works and now have a good idea of how I'd get obfs4proxy to work in an environment where tor can't fork it as a subprocess. There were some conversations I had during the dev meeting where we thought I'd have to use the control port and manually build circuits or something crazy like that -- but it turns out that the solution is a lot simpler.[5]
[5]: https://github.com/mtigas/iObfs/blob/master/notes/obfs4-nonmanaged.md
This essentially solves #3, so the big barrier now is cross-compiling, "library-ifying", and linking -- rather than the software implementation bits.
Anyway, that's where things are. Progress will surely ramp up a bit over the next few weeks. Comments welcome.
Best,
Mike Tigas @mtigas | https://mike.tig.as/ | 0xA993E7156E0E9923
On Sat, 26 Mar 2016 21:44:54 +0000 Mike Tigas mike@tig.as wrote:
> iObfs is an effort to build obfs4proxy for iOS and to also build out some techniques for actually making it usable within other Tor-enabled iOS apps. You may have heard me or n8fr8 discuss the idea at the dev meeting a few weeks ago. I'm not in love with the name I gave it (it's a placeholder that stuck around), but such is life. The repository is currently hosted at [1].
Why stick with Go? obfs4 as a protocol isn't exactly complicated and I've provided the tricky bits of crypto in a few places to make it possible to implement in other languages...
Regards,
Yawning Angel:
> > iObfs is an effort to build obfs4proxy for iOS and to also build out some techniques for actually making it usable within other Tor-enabled iOS apps. You may have heard me or n8fr8 discuss the idea at the dev meeting a few weeks ago. I'm not in love with the name I gave it (it's a placeholder that stuck around), but such is life. The repository is currently hosted at [1].
> Why stick with Go? obfs4 as a protocol isn't exactly complicated and I've provided the tricky bits of crypto in a few places to make it possible to implement in other languages...
Partially out of limited time to work on this and limited time to maintain anything larger than this "glue" I'm trying to put together.
I would love to port obfs4proxy to Swift or another one of the memory-safe(er) languages. But it's a heavier lift than I can take on right now (also because the stdlib and ecosystem there are not quite as mature as in Go). (I'm also trying to avoid writing more Obj-C going forward, and don't trust myself to write these bits in C/C++.)
For now I'm just *much* more comfortable building the contraption to fit the square peg to the round hole, than building the new peg from scratch. It's suboptimal, but I'm also partially doing this to see if it's feasible via the Go mobile tools, without too much mess.
Cheers,
Mike Tigas @mtigas | https://mike.tig.as/ | 0xA993E7156E0E9923
[again, cross-posted to tor-dev and guardian-dev.]
A quick status report on this: it works! Hit a big epiphany, figured out how to get `gomobile` to emit the necessary bits, then went wild.
Some example stdout from Onion Browser connecting to Tor via obfs4, meek_lite (google), and scramblesuit: https://gist.github.com/mtigas/f1b9a3a8befa6f60d517eb2340f3cdd4
There are trivial forks of obfs4[1] and goptlib[2] that simply hard-code some options that are normally sent as environment variables because obfs4proxy runs in managed mode[3]. (It's the best I have right now until I can figure out a better way to communicate between obfs4proxy and the iOS bits.) I’ve tacked a few other quick thoughts at the bottom of the iObfs readme[4]. As a quick test I've started building it into Onion Browser (iobfs branch[5]), which is what got the output linked above.
[1]: https://github.com/mtigas/obfs4/compare/1df5c8ffe8f4aa2614323698e8008f1ab1fb...
[2]: https://github.com/mtigas/goptlib/compare/f17a5f239f705d7e39a8bccbebdf9927cc...
[3]: https://github.com/mtigas/iObfs/blob/master/notes/obfs4-nonmanaged.md
[4]: https://github.com/mtigas/iObfs/
[5]: https://github.com/OnionBrowser/iOS-OnionBrowser/tree/iobfs
There’s quite a bit to clean up and document. We also might want a more minimal testcase than full-blown (and cruft-filled) Onion Browser?
Though the iObfs repo[4] *does* contain an Xcode project which builds an “iObfs.app” that can successfully link and execute obfs4proxy as a thread[6] (as long as the framework has been built with the `buildobfs4.sh` script). stdout on that app properly shows the transport “CMETHOD” lines, though that’s all that app does.
[6]: https://github.com/mtigas/iObfs/blob/master/iObfs/iObfs/ObfsWrapper.m
This is probably near some "maximum viable bad idea", having the iOS browser app *and* Tor *and* go-powered obfs4proxy within the same process. (But of course, there's no easy way to get around the restriction against subprocesses on iOS.) It seems to work really well in my limited testing so far. Will continue working on it in the coming weeks and keep y’all posted.
Best,
Mike Tigas @mtigas | https://mike.tig.as/ | 0xA993E7156E0E9923
On Mon, Apr 04, 2016 at 12:04:45AM -0400, Mike Tigas wrote:
> [again, cross-posted to tor-dev and guardian-dev.]
> A quick status report on this: it works! Hit a big epiphany, figured out how to get `gomobile` to emit the necessary bits, then went wild.
> Some example stdout from Onion Browser connecting to Tor via obfs4, meek_lite (google), and scramblesuit: https://gist.github.com/mtigas/f1b9a3a8befa6f60d517eb2340f3cdd4
> There are trivial forks of obfs4[1] and goptlib[2] that simply hard-code some options that are normally sent as environment variables because obfs4proxy runs in managed mode[3]. (It's the best I have right now until I can figure out a better way to communicate between obfs4proxy and the iOS bits.) I’ve tacked a few other quick thoughts at the bottom of the iObfs readme[4]. As a quick test I've started building it into Onion Browser (iobfs branch[5]), which is what got the output linked above.
This is radical. Maybe you don't need the fork of goptlib if you do os.Setenv on the relevant variables before calling pt.ClientSetup in obfs4?
David Fifield:
> > There are trivial forks of obfs4[1] and goptlib[2] that simply hard-code some options that are normally sent as environment variables because obfs4proxy runs in managed mode[3].
> […] This is radical. Maybe you don't need the fork of goptlib if you do os.Setenv on the relevant variables before calling pt.ClientSetup in obfs4?
Awesome. Thanks for the tip: nuked the goptlib fork *and* cleaned up the obfs4 fork a bunch: https://github.com/mtigas/obfs4/compare/1df5c8ffe8f4aa2614323698e8008f1ab1fb...
As for the rest of iObfs, the build is a little more streamlined now, using a fork of gomobile (since mainline doesn't build for i386 by default) and the now-smaller obfs fork: https://github.com/mtigas/iObfs/blob/master/build.sh
And things are in fairly clean shape now. There's an example in my repo now[1] showing minimally what it takes to link and implement Tor into a webview app[2] and then how to link & implement obfs4proxy into it[3].
[1]: https://github.com/mtigas/iObfs/tree/master/example
[2]: https://github.com/mtigas/iObfs/commit/838fe6d926d643809cc8ea7e8a9b34a14c247...
[3]: https://github.com/mtigas/iObfs/commit/00fac92d620a6401de7b699720f3caa79b7a3...
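The os.Setenv approach suggested in the thread, sketched as an added example that is not code from the thread, obfs4proxy or goptlib: the embedding app sets the managed-mode variables itself, and a setup routine then validates them. `SetManagedEnv` and `ReadClientEnv` are hypothetical names; the TOR_PT_* variable names and error keywords are taken from the pluggable transport spec, and the state directory is a constructed sample. Note that os.Setenv is process-wide, so in a single-process design every component in the app sees these values.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// SetManagedEnv does in-process what tor does for a managed child: it sets the
// TOR_PT_* variables (names from pt-spec) before the PT's client setup runs.
func SetManagedEnv(stateDir string, transports []string) error {
	for k, v := range map[string]string{
		"TOR_PT_MANAGED_TRANSPORT_VER": "1",
		"TOR_PT_STATE_LOCATION":        stateDir,
		"TOR_PT_CLIENT_TRANSPORTS":     strings.Join(transports, ","),
	} {
		if err := os.Setenv(k, v); err != nil {
			return err
		}
	}
	return nil
}

// ReadClientEnv is a simplified stand-in (hypothetical, not goptlib code) for
// the checks a PT makes on that environment, using pt-spec error keywords.
func ReadClientEnv() (stateDir string, transports []string, err error) {
	versionOK := false
	for _, v := range strings.Split(os.Getenv("TOR_PT_MANAGED_TRANSPORT_VER"), ",") {
		versionOK = versionOK || v == "1"
	}
	if !versionOK {
		return "", nil, errors.New("VERSION-ERROR no-version")
	}
	stateDir = os.Getenv("TOR_PT_STATE_LOCATION")
	list := os.Getenv("TOR_PT_CLIENT_TRANSPORTS")
	if stateDir == "" || list == "" {
		return "", nil, errors.New("ENV-ERROR missing state location or transport list")
	}
	return stateDir, strings.Split(list, ","), nil
}

func main() {
	// Constructed sample values; an app would pass a directory in its own sandbox.
	if err := SetManagedEnv(os.TempDir(), []string{"obfs4", "meek_lite"}); err != nil {
		fmt.Println("setenv failed:", err)
		return
	}
	fmt.Println(ReadClientEnv())
}
```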