ScrambleSuit spec improvements
Things I've noticed when adding ScrambleSuit support to obfsclient:
- The spec lies about the contents of MAC for the UniformDH handshake. Instead of "MAC(X | P_C | E)"/"MAC(X | P_S | E)" this should be "MAC(X | P_C | M_C | E)"/"MAC(Y | P_S | M_S | E)". The mark is part of the HMAC verifier, and for the server's MAC, the server's UniformDH key is used when computing the digest.
- Should the server echo the epoch received from the client? The server should attempt to verify the client's identifier with E - 1 or E + 1 and E, and it implicitly knows the E value the client sent, so it should echo it. Or the client could also verify more than 1 MAC.
- What happens when the random padding contains the mark? Should the client/server continue to scan for the MAC, or just fail the connection? (The odds of this happening are extremely low, so failing it is probably fine.)
Things that are totally missing:
- The Protocol Polymorphism PRNG needs to be documented.
Some of these things I already discussed with phw. I haven't tackled the Ticket Handshake yet, so I may end up adding more stuff to this.
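Added example (my own sketch, not obfsclient or obfsproxy code and not text from the spec) to make the first three items concrete: it builds a handshake message as X | P_C | M_C | MAC(X | P_C | M_C | E) with the mark covered by the MAC, the receiver scans for the mark and then tries E, E - 1 and E + 1 (returning the epoch it accepted so the other side can echo it), and a mark-shaped byte string inside the padding is skipped rather than treated as fatal. Assumptions: mark and MAC are HMAC-SHA256 truncated to 16 bytes, E is hours since the Unix epoch as a decimal string, the public key is 192 bytes, and the padding bound is derived from a 1500-byte frame. The "public keys" are random stand-ins; no UniformDH is performed.

```python
import hashlib
import hmac
import os
import time

# Lengths assumed for this example: 192-byte UniformDH public key,
# HMAC-SHA256-128 (16-byte truncated) mark and MAC, padding bounded so the
# whole message fits in one 1500-byte frame. All of these are assumptions.
PUBKEY_LEN = 192
MARK_LEN = 16
MAC_LEN = 16
MAX_PADDING = 1500 - PUBKEY_LEN - MARK_LEN - MAC_LEN


def hmac_sha256_128(key, data):
    """HMAC-SHA256 truncated to 128 bits, used for both the mark and the MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MARK_LEN]


def epoch_hours(now=None):
    """E: hours since the Unix epoch as a decimal string (assumed encoding)."""
    t = int(time.time() if now is None else now)
    return str(t // 3600).encode()


def build_handshake(k_B, pubkey, padding, epoch):
    """pubkey | P | M | MAC(pubkey | P | M | E).

    Works for either direction: the client passes X, the server passes Y,
    and each side's mark is the HMAC of its own public key.
    """
    assert len(pubkey) == PUBKEY_LEN and len(padding) <= MAX_PADDING
    mark = hmac_sha256_128(k_B, pubkey)
    mac = hmac_sha256_128(k_B, pubkey + padding + mark + epoch)
    return pubkey + padding + mark + mac


def parse_handshake(k_B, msg, now=None):
    """Locate the mark, then verify the MAC against E, E-1 and E+1.

    Returns (pubkey, accepted_epoch, trailing_bytes) on success, None on
    failure. If the random padding happens to contain a mark-shaped byte
    string, the MAC check fails at that offset and the scan continues from
    the next byte instead of aborting the connection.
    """
    if len(msg) < PUBKEY_LEN + MARK_LEN + MAC_LEN:
        return None
    pubkey = msg[:PUBKEY_LEN]
    mark = hmac_sha256_128(k_B, pubkey)
    e = int(epoch_hours(now))
    epochs = [str(e + d).encode() for d in (0, -1, 1)]

    pos = msg.find(mark, PUBKEY_LEN)
    while pos != -1 and pos - PUBKEY_LEN <= MAX_PADDING:
        mac_start = pos + MARK_LEN
        received = msg[mac_start:mac_start + MAC_LEN]
        if len(received) == MAC_LEN:
            covered = msg[:mac_start]          # pubkey | P | M
            for epoch in epochs:
                expected = hmac_sha256_128(k_B, covered + epoch)
                if hmac.compare_digest(expected, received):
                    return pubkey, epoch, msg[mac_start + MAC_LEN:]
        pos = msg.find(mark, pos + 1)          # false hit in padding: keep scanning
    return None


def demo():
    """Client -> server -> client round trip, returning True if both verify."""
    k_B = os.urandom(20)                      # constructed shared bridge secret
    X = os.urandom(PUBKEY_LEN)                # stand-in for a UniformDH public key
    # Constructed padding that deliberately embeds the client's own mark,
    # which is the corner case the ticket asks about.
    pad = os.urandom(40) + hmac_sha256_128(k_B, X) + os.urandom(40)
    client_msg = build_handshake(k_B, X, pad, epoch_hours())
    result = parse_handshake(k_B, client_msg)
    if result is None:
        return False
    _, accepted_epoch, _ = result
    # The server echoes the epoch it actually accepted instead of recomputing it.
    Y = os.urandom(PUBKEY_LEN)
    server_msg = build_handshake(k_B, Y, os.urandom(8), accepted_epoch)
    return parse_handshake(k_B, server_msg) is not None


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Because the receiver keeps scanning after a mark false positive, the only cost of a mark inside the padding is one extra HMAC per epoch candidate; whether to fail closed instead is a policy choice, and the scan bound (MAX_PADDING) is what keeps a garbage client from making the server hash indefinitely.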