Browse Source

Added obfsproxy bridges support and "gentoo=obfs" boot parameter

When the "gentoo=obfs" boot parameter is supplied and bridges are given
via "bridges=...", a "ClientTransportPlugin obfs2" entry is added to
Tor's configuration, and each bridge is configured to use the "obfs2"
transport. Thus, the "obfsproxy" daemon is launched only when requested
via "gentoo=obfs".

Since obfsproxy bridges typically use arbitrary ports, the firewall now
allows Tor to connect to all high ports. This shouldn't be a problem,
since the Tor daemon enforces its own firewall policy via the
"ReachableAddresses" setting. Now, if any bridges are specified, Tor's
internal firewall is configured to allow access to these bridges only
(the original "ReachableAddresses" directive is disabled).

The current implementation assumes that "ReachableAddresses" directives
aggregate (which seems to be true).
Maxim Kammerer 12 years ago
parent
commit
6af2f3af17

+ 1 - 0
doc/changelog.txt

@@ -5,6 +5,7 @@
   * Xorg server 1.13
   * Firewire SBP-2 module is blacklisted to prevent Firewire RAM access
 
+  * Added "gentoo=obfs" boot parameter for obfsproxy Tor bridges
   * Added "gentoo=xkms" boot parameter for forcing X modesetting driver
   * More robust Xorg autoconfiguration
   * Added ASCII virtual keyboard table for OTFE password entry
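Review bot: the changelog entry omits the security-relevant side effect of this commit: fw-reload now lets the tor uid reach ports 1024:65535 in addition to 80 and 443, whenever the firewall is loaded and not only when bridges are configured. Consider extending the line, e.g. `* Added "gentoo=obfs" boot parameter for obfsproxy Tor bridges (firewall now allows Tor to reach high ports)`, so readers of the changelog know the egress policy changed and that Tor's own ReachableAddresses is what restricts it.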

+ 11 - 3
src/etc/init.d/identity

@@ -44,11 +44,19 @@ start() {
                   s/(^[^:]*|])$/&:443/'`
     if [ -n "${bridges}" ]  &&  grep -q '^UseBridges[[:blank:]]\+0\>' ${torrc}; then
         ebegin Configuring Tor bridges
-        sed -i 's/^\(UseBridges[[:blank:]]\+\).*/\11/' ${torrc}
+        sed -i 's/^\(UseBridges[[:blank:]]\+\).*/\11/; s/^ReachableAddresses\>/# &/' ${torrc}
+
+        transport=
+        if get_bootparam 'obfs'; then
+            echo 'ClientTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed' >> ${torrc}
+            transport="obfs2 "
+        fi
+
         for bridge in ${bridges}; do
             eindent
-            einfo "Bridge: ${bridge}"
-            echo  "Bridge  ${bridge}" >> ${torrc}
+            einfo "Bridge: ${transport}${bridge}"
+            echo  "Bridge  ${transport}${bridge}" >> ${torrc}
+            echo  "ReachableAddresses  ${bridge}" >> ${torrc}
             eoutdent
         done
         eend $?
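Review bot: the per-bridge `ReachableAddresses  ${bridge}` entries only restrict Tor if addresses not listed end up rejected, so it is worth verifying against the shipped Tor version that a list consisting solely of accept entries behaves as "accept these, reject the rest" rather than as additions to an accept-all default; the commit message already flags the aggregation assumption, and this is its companion. Two smaller points on the same hunk: when `get_bootparam 'obfs'` succeeds there is no check that /usr/bin/obfsproxy is actually installed, so a missing binary would only show up as a Tor error at startup, and a `[ -x /usr/bin/obfsproxy ] || ewarn "obfsproxy not found"` before the `echo 'ClientTransportPlugin ...'` line would surface it here; and since the `sed` now also comments out the original ReachableAddresses line, a bridge given without a port relies entirely on the `:443` default appended by the earlier substitution, which deserves a comment next to the new `echo "ReachableAddresses ..."` line.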

+ 1 - 0
src/etc/portage/package.keywords

@@ -13,6 +13,7 @@
 
 # Network
 =net-wireless/reaver-1.4*
+=net-proxy/obfsproxy-0.1.4*
 
 # GTK+ 3
 =x11-themes/light-themes-0.1.11*

+ 1 - 1
src/etc/tor/torrc

@@ -3,7 +3,7 @@ User tor
 
 PIDFile              /var/run/tor/tor.pid
 Log notice syslog
-#Log notice file     /var/log/tor/tor.log
+# Log notice file     /var/log/tor/tor.log
 
 ## "SocksPort 0" for server-only setup
 SocksListenAddress   127.0.0.1
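Review bot: the only change in this file turns `#Log notice file` into `# Log notice file`, a cosmetic edit to an already commented-out line that has nothing to do with obfsproxy support; it should be dropped or moved to a separate whitespace commit so the history of torrc does not attribute it to the bridge feature.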

+ 1 - 0
src/root/config/syslinux.cfg

@@ -24,6 +24,7 @@
 #     gentoo=noanon      - non-anonymous mode with separate user settings (CAUTION)
 #
 #     bridges=...        - comma-separated list of Tor bridges: IP[:port(=443)]
+#     gentoo=obfs        - enable obfsproxy transport for bridges
 # "gentoo=" prefix is optional, and can combine several comma-separated parameters
 #
 # Other parameters: http://www.kernel.org/doc/Documentation/kernel-parameters.txt
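Review bot: the new `gentoo=obfs` line should state that it only takes effect together with `bridges=...`; on its own it changes nothing, because the ClientTransportPlugin entry is written inside the `if [ -n "${bridges}" ]` block of the identity init script. Suggest `#     gentoo=obfs        - use obfsproxy (obfs2) transport for bridges given via bridges=`, which also documents that the transport is fixed to obfs2.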

+ 2 - 1
src/usr/local/sbin/fw-reload

@@ -5,7 +5,8 @@ nofw=nofw
 cable=cable
 
 # ReachableAddresses ports in /etc/tor/torrc [uid=tor]
-torports=80,443
+# (allow high ports in order to support most bridges)
+torports=80,443,1024:65535
 
 # VPN TCP/UDP server ports (PPTP, OpenVPN, Cisco) [uid=root]
 vpntports=https,imaps,1723,openvpn,10000
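Review bot: the comment above `torports` still describes the list as the ReachableAddresses ports from /etc/tor/torrc, but after this change the two no longer match: the firewall allows 80, 443 and 1024:65535 for uid=tor, while torrc's own ReachableAddresses line remains the effective restriction when no bridges are configured and the per-bridge entries written by the identity script take over when they are. Reword the comment to say that torrc, not this list, is the authoritative policy, and note that the wider range also covers obfsproxy, which Tor spawns via ClientTransportPlugin under the same tor uid; that is precisely why bridge connections pass the rule, and it is the detail a later reader of the firewall script will need.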

+ 1 - 0
src/var/lib/portage/world

@@ -118,6 +118,7 @@ net-misc/connect
 net-misc/proxychains
 net-misc/whois
 net-proxy/torsocks
+net-proxy/obfsproxy
 net-proxy/privoxy
 net-mail/cables