Instead of omitting errors entirely when running with the log scrubber,
filter common network errors through elideError() that can scrub the
common net.Error types and remove sensitive information.

 * Unbreak inbound TYPE_PRNG_SEED processing.

 * IAT obfuscation is now a per-bridge argument (iat-mode).
   * 0 (default) = Disabled.
   * 1 = Enabled, ScrambleSuit-style with bulk throughput optimizations.
   * 2 = Paranoid, Each IAT write will send a length sampled from the
     length distribution. (EXPENSIVE).

The "iat-mode" argument is mandatory on the Bridge lines, and as a
ServerTransportOption.  Old statefiles will continue to load and use
the default value, edit it if your hat is made of tin foil.

This matches what the code actually sends.  It's shorter than the
ScrambleSuit PRNG seed, but that's because the SipHash-2-4 based
Hash_DRBG has 24 bytes of internal state (key + initial output).

WARNING: THIS BREAKS BACKWARD COMPATIBILITY.

This is primarily to work around bug #12930.  Base16 was chosen over
unpadded Base64 because the go runtime Base64 decoder does not handle
omitting the padding.

May $deity have mercy on anyone who needs to hand-enter an obfs4 bridge
line because I will not.

The Golang runtime will happily splatter the remote IP address and port
in the error's string representation for network related errors.  While
useful for debugging, this is unacceptable from a privacy standpoint.

Caught by asn, thanks.

Changing from "drbgSeed" to "drbg-seed" to be consistent with the
ServerTransportOptions to allow for easier copy/paste.

Golang's command line parser is slightly cumbersome to use with
subcommands, so the arguments are "obfs4-iatObufscation" and
"obfs-distBias" instead of obfsproxy style subcommands.

 * Changed obfs4proxy to be more like obfsproxy in terms of design,
   including being an easy framework for developing new TCP/IP style
   pluggable transports.
 * Added support for also acting as an obfs2/obfs3 client or bridge
   as a transition measure (and because the code itself is trivial).
 * Massively cleaned up the obfs4 and related code to be easier to
   read, and more idiomatic Go-like in style.
 * To ease deployment, obfs4proxy will now autogenerate the node-id,
   curve25519 keypair, and drbg seed if none are specified, and save
   them to a JSON file in the pt_state directory (Fixes Tor bug #12605).

The weight generation code also was cleaned up (and now can support
generating distributions that look like what ScrambleSuit does as
a compile time change).

Per: http://www.keithschwarz.com/darts-dice-coins/

To ease delopyment, "-genServerParams has changed".

 * "-genServerParams" is now a bool, and will by default generate a
   random node-id.
 * "-genServerParams -genServerParamsFP=<Base16 blob>" will convert the
   supplied bridge fingerprint to a node-id (the old behavior).

Either way of deriving node-id is belived to be secure.

 * https://lists.torproject.org/pipermail/tor-dev/2014-May/006929.html
 * https://lists.torproject.org/pipermail/tor-dev/2014-June/006936.html

The extra parameter was added because golang's flags library doesn't
support distinguishing between "set but used the default value" and
"not set, so you go the default value".

This requires changes in goptlib from last night, people may need to
run "go get -u" to update dependencies before building.

Instead of using the nonce for the secret box, just use SipHash-2-4 in
OFB mode instead.  The IV is generated as part of the KDF.  This
simplifies the code a decent amount and also is better on the off
chance that SipHash-2-4 does not avalanche as well as it is currently
assumed.

While here, also decouple the fact that *this implementation* of obfs4
uses a PRNG with 24 bytes of internal state for protocol polymorphism
instead of 32 bytes (that the spec requires).

THIS CHANGE BREAKS WIRE PROTCOL COMPATIBILITY.

Instead of threading the code, move the keypair generation to right
after Accept() is called.  This should mask the timing differential due
to the rejection sampling with the noise from the variablity in how
long it takes for the server to get around to pulling a connection out
of the backlog, and the time taken for the client to send it's portion
of the handshake.

The downside is that anyone connecting to the obfs4 port does force us
to do a bunch of math, but the obfs4 math is relatively cheap compared
to it's precursors.

Fixes #9.

Part of issue #9.

The old way was biasted towards the earlier values.  Thanks to asn for
pointing this out and suggesting an alternative.

As an additional tweak, do not reuse the drbg seed when calculating the
IAT distribution, but instead run the seed through SHA256 first, for
extra tinfoil goodness.

Joining a SOCKS dialer on the list of things the Golang runtime really
should have is a HTTP CONNECT dialer.  There's a full fledged HTTP
client and server there, but not this.  Why?  Who knows.

This fixes issue #7.

Part of issue #7.

Despite the unfortunate scheme name, this really is SOCKS4, and not 4a,
as the torrc Socks4Proxy option only supports addresses and not FQDNs.

Part of issue #7.

With tor patched to support 8402, obfs4 bootstraps via a SOCKSv5 proxy
now.  Other schemes will bail with a PROXY-ERROR, as the go.net/proxy
package does not support them, and I have not gotten around to writing
dialers for them yet (next on my TODO list).

Part of issue #7.

Part of issue #7.

Currently obfs4proxy is hardcoded to always PROXY-ERROR, despite a
valid proxy uri being passed in the env var.  Once the dialer portion
of the code is done, this will be changed.

Part of issue #7.

This makes the length error and MAC error indistinguishable to an
external attacker.

All of the obfs4 code except unit tests now uses the csrand wrapper
routines.

When enabled, inter-packet delay will be randomized between 0 and 10
ms in 100 usec intervals.  As experiences from ScrambleSuit (and back
of the envelope math based on how networks work) show, this is
extremely expensive and artificially limits the throughput of the link.

When enabled, bulk transfer throughput will be limited to an average of
278 KiB/s.

 * handhake_ntor_test now is considerably more comprehensive.
 * The padding related constants in the spec were clarified.

This breaks wireprotocol compatibility.

This is done by maintaining a map keyed off the SipHash-2-4 digest of
the MAC_C component of the handshake.  Collisions, while possible are
unlikely in the extreme and are thus treated as replays.

In concept this is fairly similar to the ScrambleSuit `replay.py` code,
with a few modifications:

 * There is a upper bound on how large the replay filter can grow.
   Currently this is set to 102400 entries, though it is unlikely that
   this limit will be hit.

 * A doubly linked list is also maintained parallel to the map, so the
   filter compaction process does not need to iterate over the entire
   filter.