Add covert-dtls to proxy and client (!448) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake

theodorsm requested to merge theodorsm/snowflake:covertdtls into main Dec 01, 2024

Related to #40014

This MR implements mimicking and randomization of DTLS client hello messages using my covert-dtls library.

I initially thought the Snowflake client always would be the DTLS client also, however that is not the case (and the reason for a lot of head-scratching and a delayed patch). The SDP protocol negotiates which party becomes the client/server of the Snowflake client/proxy, thus I added covert-dtls to both the Snowflake client and proxy. Two flags have been added to use either randomization or mimicry.

I have confirmed this patch works with snowbox. The proxy became the client in the DTLS handshake every time. Help testing this patch with Tor would be appreciated, as I have not been able to become a DTLS client using the Snowflake client.

Note: The GO version has been upgraded to 1.22 as I use the new math/rand/v2 std module in covert-dtls. I have not had any problems, but I am unsure how this would affect Snowflake.

Randomization would theoretically be better with more DTLS cipher suites. However, this requires the WebRTC API to expose additional DTLS configurations. I have this as a TODO for the future, but randomization should still be practically effective.

Edited Dec 01, 2024 by theodorsm

Add covert-dtls to proxy and client

Merge request reports