NixOS / nixpkgs

Nix Packages collection & NixOS

torbrowser: support pluggable transports #14165

Closed Pleune closed 1 month ago

Pleune commented 8 years ago

System

The PluggableTransports have not been patched. I attempted to add them to the patch phase, but patchelf fails with the following:

patchelf: patchelf.cc:693: void ElfFile<Elf_Ehdr, Elf_Phdr, Elf_Shdr, Elf_Addr, Elf_Off, Elf_Dyn, Elf_Sym>::rewriteSectionsExecutable() [with Elf_Ehdr = Elf64_Ehdr; Elf_Phdr = Elf64_Phdr; Elf_Shdr = Elf64_Shdr; Elf_Addr = long unsigned int; Elf_Off = long unsigned int; Elf_Dyn = Elf64_Dyn; Elf_Sym = Elf64_Sym]: Assertion `(off_t) rdi(hdr->e_shoff) >= startOffset' failed.

[1] 10371 abort sudo patchelf --set-interpreter meek-client

Output of file meek-client:

meek-client: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped

If you would like to see the log from tor: pastebin.com

Steps to reproduce

Install tor-browser and attempt to use a bridge
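
Added example (not part of the original thread or of nixpkgs): a small Python reader for the two ELF64 fields this report turns on, the PT_INTERP path that `file` prints and the `e_shoff` header field named in the patchelf assertion. The image built by the hypothetical helper `make_sample` is constructed for illustration and is not the real meek-client binary.

```python
import struct
import sys

PT_INTERP = 3  # program header type that holds the interpreter path


def elf64_interp(data: bytes):
    """Return (interpreter path or None, e_shoff) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # ELF64 header: e_phoff at 0x20, e_shoff at 0x28, e_phentsize at 0x36, e_phnum at 0x38
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        if p_type != PT_INTERP:
            continue
        (p_offset,) = struct.unpack_from("<Q", data, off + 8)
        (p_filesz,) = struct.unpack_from("<Q", data, off + 32)
        path = data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0]
        return path.decode(), e_shoff
    return None, e_shoff  # no PT_INTERP: statically linked


def make_sample(interp: bytes = b"/lib64/ld-linux-x86-64.so.2\0") -> bytes:
    """Constructed minimal image: ELF header, one PT_INTERP entry, the path string."""
    ehdr = struct.pack(
        "<16sHHIQQQIHHHHHH",
        b"\x7fELF\x02\x01\x01" + b"\0" * 9,  # ELF64, little-endian, SYSV
        2, 62, 1,                            # ET_EXEC, EM_X86_64, version 1
        0, 64, 0,                            # e_entry, e_phoff, e_shoff (no sections)
        0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0,
                       len(interp), len(interp), 1)
    return ehdr + phdr + interp


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    interp, shoff = elf64_interp(blob)
    print(f"interpreter: {interp}")
    print(f"e_shoff:     {shoff}")
```
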

joachifm commented 8 years ago

After looking at this, I think we can safely say that PluggableTransports are thoroughly broken at the moment.

joachifm commented 8 years ago

With 0a04f7a870e4a7e538387b4f8d0a79f9ebe76cb8 I'm now able to connect to pre-defined bridges using the obfs4 transport. NixOS support blocked by https://github.com/NixOS/patchelf/issues/66

Pleune commented 8 years ago

@joachifm I will test this out later today

joachifm commented 8 years ago

I think we need to think about building these things from source at some point. I'll be looking into at least building the transports from source, they are a rather important feature for those who need them, after all.

Pleune commented 8 years ago

I can confirm your findings. I can connect with predefined obfs4 bridges. The default bridges do not work.

joachifm commented 8 years ago

I'm working on a re-write of the tor-browser package at https://github.com/joachifm/nixpkgs/tree/tor-browser. Among other things, it adds a hack to allow plugin transports to be executed via the nixpkgs dynamic linker without patchelf, so should improve NixOS compatibility.

spacekitteh commented 7 years ago

Did you ever fix this?

I think we should definitely add pluggable transports to the standard Tor package as well.

joachifm commented 7 years ago

My rewrite effort did manage to get some of the transports working (except meek), but I utterly failed to get it working on grsec so lost interest. I might port over some of the wrapper improvements eventually.

From-source is probably the best way to go here. My thinking is that we build a custom bundle on top of the firefox-esr derivation. My main worry is somehow introducing observable differences in the bundle that'd make nixpkgs users discernible from others ... avoiding that is the primary reason for using the upstream binaries.

Another possibility is to re-write the wrapper so that it copies the entire binary payload into $HOME and runs setfattr on it. That does work.

joachifm commented 7 years ago

I have mostly fixed this; all transports work for me now, all that remains is some polish & tweaks.

spacekitteh commented 7 years ago

How did you fix it?

joachifm commented 7 years ago

@spacekitteh brute force ... see https://github.com/joachifm/nixpkgs/commit/34c2f30959f027890de461c20ec0249b8b7a2a84

spacekitteh commented 7 years ago

hideous but I guess that can't be helped

mmahut commented 4 years ago

What is next here?

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

spacekitteh commented 4 years ago

@joachifm @Pleune any info?

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.