Fix obfs4 bridge: add seed frame, packet layer, full-duplex proxy

Three critical bugs prevented Tor Browser from connecting through the
obfs4 bridge relay:

1. Missing inline seed frame after handshake - the Go client (lyrebird)
   expects a PrngSeed frame appended to the server hello. Without it,
   both sides deadlock waiting for data.

2. Missing packet layer - obfs4 frames contain packets with type/length/
   data/padding headers. The proxy was forwarding raw frame payloads
   (including packet overhead) to the OR port, corrupting Tor cells.

3. Serial proxy loop - replaced with two threads for full-duplex
   bidirectional proxying. Connection handler also runs in a detached
   thread to not block the accept loop.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: gpuhashcracker

src/transport/obfs4_listener.cpp

@@ -1,6 +1,10 @@
 #include "tor/transport/obfs4_listener.hpp"
 #include "tor/util/logging.hpp"
+#include "obfs4/transport/packet.hpp"
+#include "obfs4/transport/framing.hpp"
+#include "obfs4/common/csrand.hpp"
 #include <cstring>
+#include <thread>
 
 namespace tor::transport {
 
@@ -70,155 +74,216 @@ void Obfs4Listener::stop() {
 
 void Obfs4Listener::handle_connection(std::shared_ptr<net::TcpConnection> conn) {
     LOG_INFO("obfs4: starting handshake for new connection");
-    auto handshake = std::make_shared<Obfs4ServerHandshake>(node_id_, identity_key_);
 
+    // Spawn a thread per connection to avoid blocking the accept loop
+    auto handshake = std::make_shared<Obfs4ServerHandshake>(node_id_, identity_key_);
     auto stats_completed = &handshakes_completed_;
     auto stats_failed = &handshakes_failed_;
     auto local_or_port = or_port_;
     auto& io = io_context_;
 
-    auto buffer = std::make_shared<std::array<uint8_t, 4096>>();
-
-    // Handshake state machine: read -> consume -> check state -> loop or finish
-    struct HandshakeReader {
-        std::shared_ptr<net::TcpConnection> conn;
-        std::shared_ptr<Obfs4ServerHandshake> handshake;
-        std::shared_ptr<std::array<uint8_t, 4096>> buffer;
-        std::atomic<uint64_t>* completed;
-        std::atomic<uint64_t>* failed;
-        uint16_t or_port;
-        boost::asio::io_context* io_ctx;
-
-        void start() {
-            read_more();
-        }
+    std::thread([conn, handshake, stats_completed, stats_failed,
+                 local_or_port, &io]() {
+        auto buffer = std::array<uint8_t, 8192>{};
 
-        void read_more() {
+        // --- Phase 1: Handshake ---
+        while (true) {
             auto bytes_read = conn->read(
-                std::span<uint8_t>(buffer->data(), buffer->size()));
+                std::span<uint8_t>(buffer.data(), buffer.size()));
 
             if (!bytes_read || *bytes_read == 0) {
                 LOG_WARN("obfs4 handshake: connection closed during read");
-                failed->fetch_add(1, std::memory_order_relaxed);
+                stats_failed->fetch_add(1, std::memory_order_relaxed);
                 return;
             }
 
             LOG_INFO("obfs4 handshake: received {} bytes", *bytes_read);
 
-            auto data = std::span<const uint8_t>(buffer->data(), *bytes_read);
+            auto data = std::span<const uint8_t>(buffer.data(), *bytes_read);
             auto consume_result = handshake->consume(data);
             if (!consume_result) {
                 LOG_WARN("obfs4 handshake failed: {}",
                          obfs4_error_message(consume_result.error()));
-                failed->fetch_add(1, std::memory_order_relaxed);
+                stats_failed->fetch_add(1, std::memory_order_relaxed);
                 return;
             }
 
             if (handshake->state() == Obfs4ServerHandshake::State::Completed) {
-                auto hello = handshake->generate_server_hello();
-                if (!hello) {
-                    LOG_ERROR("obfs4: failed to generate server hello");
-                    failed->fetch_add(1, std::memory_order_relaxed);
-                    return;
-                }
+                break;
+            }
+            if (handshake->state() == Obfs4ServerHandshake::State::Failed) {
+                stats_failed->fetch_add(1, std::memory_order_relaxed);
+                return;
+            }
+        }
 
-                auto hello_span = std::span<const uint8_t>(hello->data(), hello->size());
-                auto write_result = conn->write(hello_span);
-                if (!write_result) {
-                    LOG_ERROR("obfs4: failed to send server hello");
-                    failed->fetch_add(1, std::memory_order_relaxed);
-                    return;
-                }
+        // --- Phase 2: Initialize framing and send server hello + seed frame ---
+        const auto& keys = handshake->session_keys();
 
-                completed->fetch_add(1, std::memory_order_relaxed);
-                LOG_INFO("obfs4 handshake completed successfully");
-
-                // Set up framing with session keys and DRBG seeds
-                auto framing = std::make_unique<Obfs4Framing>();
-                const auto& keys = handshake->session_keys();
-                framing->init_send(keys.send_key, keys.send_nonce, keys.send_drbg_seed);
-                framing->init_recv(keys.recv_key, keys.recv_nonce, keys.recv_drbg_seed);
-
-                // Connect to local OR port and start proxying
-                auto or_conn = std::make_shared<net::TcpConnection>(*io_ctx);
-                auto connect_result = or_conn->connect("127.0.0.1", or_port);
-                if (!connect_result) {
-                    LOG_ERROR("obfs4: failed to connect to local OR port {}", or_port);
-                    return;
-                }
+        auto framing = std::make_shared<Obfs4Framing>();
+        framing->init_send(keys.send_key, keys.send_nonce, keys.send_drbg_seed);
+        framing->init_recv(keys.recv_key, keys.recv_nonce, keys.recv_drbg_seed);
 
-                proxy_loop(conn, or_conn, std::move(framing));
-            } else if (handshake->state() == Obfs4ServerHandshake::State::Failed) {
-                failed->fetch_add(1, std::memory_order_relaxed);
-                return;
-            } else {
-                read_more();
-            }
+        // Generate the handshake response
+        auto hello = handshake->generate_server_hello();
+        if (!hello) {
+            LOG_ERROR("obfs4: failed to generate server hello");
+            stats_failed->fetch_add(1, std::memory_order_relaxed);
+            return;
+        }
+
+        // Generate and append inline seed frame (PrngSeed packet)
+        // The Go client (lyrebird) expects this immediately after the handshake.
+        // Without it, the client waits forever → deadlock.
+        auto seed_bytes = obfs4::common::random_bytes(24);
+        auto seed_pkt = obfs4::transport::make_packet(
+            obfs4::transport::PacketType::PrngSeed,
+            std::span<const uint8_t>(seed_bytes.data(), seed_bytes.size()));
+        auto seed_frame = framing->encode(
+            std::span<const uint8_t>(seed_pkt.data(), seed_pkt.size()));
+
+        // Append seed frame to server hello
+        hello->insert(hello->end(), seed_frame.begin(), seed_frame.end());
+
+        LOG_INFO("obfs4: sending server hello ({} bytes handshake + {} bytes seed frame)",
+                 hello->size() - seed_frame.size(), seed_frame.size());
+
+        auto hello_span = std::span<const uint8_t>(hello->data(), hello->size());
+        auto write_result = conn->write(hello_span);
+        if (!write_result) {
+            LOG_ERROR("obfs4: failed to send server hello");
+            stats_failed->fetch_add(1, std::memory_order_relaxed);
+            return;
+        }
+
+        stats_completed->fetch_add(1, std::memory_order_relaxed);
+        LOG_INFO("obfs4 handshake completed successfully");
+
+        // --- Phase 3: Connect to local OR port ---
+        auto or_conn = std::make_shared<net::TcpConnection>(io);
+        auto connect_result = or_conn->connect("127.0.0.1", local_or_port);
+        if (!connect_result) {
+            LOG_ERROR("obfs4: failed to connect to local OR port {}", local_or_port);
+            return;
         }
 
-        void proxy_loop(
-            std::shared_ptr<net::TcpConnection> obfs4_conn,
-            std::shared_ptr<net::TcpConnection> or_conn,
-            std::unique_ptr<Obfs4Framing> framing) {
+        LOG_INFO("obfs4: connected to local OR port {}, starting proxy", local_or_port);
+
+        // --- Phase 4: Full-duplex bidirectional proxy ---
+        // Two threads: one for each direction.
+        // encode() and decode() access separate internal state (Encoder/Decoder),
+        // so concurrent access from different threads is safe.
+        std::atomic<bool> running{true};
 
-            auto shared_framing = std::shared_ptr<Obfs4Framing>(std::move(framing));
-            auto proxy_buf = std::make_shared<std::array<uint8_t, 4096>>();
+        // Thread A: obfs4 client → OR port
+        // Decode frames, parse packets, forward Payload data to OR
+        std::thread client_to_or([&running, conn, or_conn, framing]() {
+            auto buf = std::array<uint8_t, 4096>{};
 
-            while (true) {
-                // Read encrypted data from obfs4 client
-                auto obfs4_read = obfs4_conn->read(
-                    std::span<uint8_t>(proxy_buf->data(), proxy_buf->size()));
+            while (running.load(std::memory_order_relaxed)) {
+                auto obfs4_read = conn->read(
+                    std::span<uint8_t>(buf.data(), buf.size()));
                 if (!obfs4_read || *obfs4_read == 0) {
+                    LOG_DEBUG("obfs4 proxy: client connection closed");
                     break;
                 }
 
-                // Decrypt frames
-                auto encrypted = std::span<const uint8_t>(proxy_buf->data(), *obfs4_read);
-                auto frames = shared_framing->decode(encrypted);
+                auto encrypted = std::span<const uint8_t>(buf.data(), *obfs4_read);
+                auto frames = framing->decode(encrypted);
                 if (!frames) {
-                    LOG_WARN("obfs4: frame decryption failed");
+                    LOG_WARN("obfs4 proxy: frame decryption failed");
                     break;
                 }
 
-                // Forward decrypted data to OR port
-                for (const auto& frame : frames->frames) {
-                    auto frame_span = std::span<const uint8_t>(frame.data(), frame.size());
-                    auto wr = or_conn->write(frame_span);
-                    if (!wr) {
-                        goto done;
+                // Process packet layer: extract payload from frames
+                for (const auto& frame_payload : frames->frames) {
+                    auto packets = obfs4::transport::parse_packets(
+                        std::span<const uint8_t>(frame_payload.data(),
+                                                 frame_payload.size()));
+
+                    for (const auto& pkt : packets) {
+                        if (pkt.type == obfs4::transport::PacketType::Payload
+                            && !pkt.payload.empty()) {
+                            auto wr = or_conn->write(
+                                std::span<const uint8_t>(pkt.payload.data(),
+                                                         pkt.payload.size()));
+                            if (!wr) {
+                                LOG_DEBUG("obfs4 proxy: OR write failed");
+                                running.store(false, std::memory_order_relaxed);
+                                return;
+                            }
+                        }
+                        // PrngSeed packets: client updating DRBG (ignored for now)
                     }
                 }
+            }
 
-                // Read plaintext from OR port
+            running.store(false, std::memory_order_relaxed);
+            conn->close();
+            or_conn->close();
+        });
+
+        // Thread B: OR port → obfs4 client
+        // Read plaintext, wrap in Payload packet, encode frame, forward to client
+        std::thread or_to_client([&running, conn, or_conn, framing]() {
+            auto buf = std::array<uint8_t, 4096>{};
+
+            while (running.load(std::memory_order_relaxed)) {
                 auto or_read = or_conn->read(
-                    std::span<uint8_t>(proxy_buf->data(), proxy_buf->size()));
-                if (or_read && *or_read > 0) {
-                    auto plaintext = std::span<const uint8_t>(proxy_buf->data(), *or_read);
-                    auto encoded = shared_framing->encode(plaintext);
-                    auto enc_span = std::span<const uint8_t>(encoded.data(), encoded.size());
-                    auto wr = obfs4_conn->write(enc_span);
+                    std::span<uint8_t>(buf.data(), buf.size()));
+                if (!or_read || *or_read == 0) {
+                    LOG_DEBUG("obfs4 proxy: OR connection closed");
+                    break;
+                }
+
+                auto plaintext = std::span<const uint8_t>(buf.data(), *or_read);
+
+                // Split into chunks that fit in a single frame
+                constexpr size_t max_chunk = obfs4::transport::MAX_FRAME_PAYLOAD
+                                           - obfs4::transport::PACKET_OVERHEAD;
+                size_t offset = 0;
+
+                while (offset < plaintext.size()) {
+                    size_t chunk_len = std::min(plaintext.size() - offset, max_chunk);
+                    auto chunk = plaintext.subspan(offset, chunk_len);
+
+                    // Wrap in Payload packet
+                    auto pkt = obfs4::transport::make_packet(
+                        obfs4::transport::PacketType::Payload, chunk);
+
+                    // Encode as obfs4 frame
+                    auto frame = framing->encode(
+                        std::span<const uint8_t>(pkt.data(), pkt.size()));
+
+                    auto wr = conn->write(
+                        std::span<const uint8_t>(frame.data(), frame.size()));
                     if (!wr) {
-                        break;
+                        LOG_DEBUG("obfs4 proxy: client write failed");
+                        running.store(false, std::memory_order_relaxed);
+                        return;
                     }
+
+                    offset += chunk_len;
                 }
             }
-done:
-            obfs4_conn->close();
+
+            running.store(false, std::memory_order_relaxed);
+            conn->close();
             or_conn->close();
-        }
-    };
+        });
+
+        client_to_or.join();
+        or_to_client.join();
 
-    auto reader = std::make_shared<HandshakeReader>(
-        HandshakeReader{conn, handshake, buffer,
-                        stats_completed, stats_failed, local_or_port, &io});
-    reader->start();
+        LOG_INFO("obfs4: proxy session ended");
+    }).detach();
 }
 
 void Obfs4Listener::proxy_connection(
     [[maybe_unused]] std::shared_ptr<net::TcpConnection> obfs4_conn,
     [[maybe_unused]] std::shared_ptr<net::TcpConnection> or_conn,
     [[maybe_unused]] std::unique_ptr<Obfs4Framing> framing) {
-    // Proxy logic is handled inside HandshakeReader::proxy_loop
+    // Proxy logic is handled inside handle_connection thread
 }
 
 }  // namespace tor::transport