diff --git a/ChangeLog b/ChangeLog index 412799e75e..4fcb29a548 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Changes in version 0.1.2.4-alpha - 2006-11-?? + o Minor Features + - Add breakdown of public key operations to dumped statistics. + + Changes in version 0.1.2.3-alpha - 2006-10-29 o Minor features: - Prepare for servers to publish descriptors less often: never diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 9f1119cf40..7f6f2be958 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -488,6 +488,8 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving) } connection_start_reading(TO_CONN(conn)); log_debug(LD_OR,"starting TLS handshake on fd %d", conn->_base.s); + note_crypto_pk_op(receiving ? TLS_HANDSHAKE_S : TLS_HANDSHAKE_C); + if (connection_tls_continue_handshake(conn) < 0) { return -1; } diff --git a/src/or/dirserv.c b/src/or/dirserv.c index c9761ccb72..3a457345b9 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -904,6 +904,7 @@ dirserv_dump_directory_to_string(char **dir_out, tor_free(buf); return -1; } + note_crypto_pk_op(SIGN_DIR); if (router_append_dirobj_signature(buf,buf_len,digest,private_key)<0) { tor_free(buf); return -1; @@ -1235,6 +1236,7 @@ generate_runningrouters(void) log_warn(LD_BUG,"couldn't compute digest"); goto err; } + note_crypto_pk_op(SIGN_DIR); if (router_append_dirobj_signature(s, len, digest, private_key)<0) goto err; @@ -1544,6 +1546,7 @@ generate_v2_networkstatus(void) goto done; } + note_crypto_pk_op(SIGN_DIR); if (router_append_dirobj_signature(outp,endp-outp,digest,private_key)<0) { log_warn(LD_BUG, "Unable to sign router status."); goto done; diff --git a/src/or/main.c b/src/or/main.c index c580eb243a..7c9975ea4b 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -1435,6 +1435,7 @@ dumpstats(int severity) rep_hist_dump_stats(now,severity); rend_service_dump_stats(severity); + dump_pk_ops(severity); } /** Called by exit() as we shut down the process. diff --git a/src/or/onion.c b/src/or/onion.c index ba41f21a22..c9556db256 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -196,6 +196,8 @@ onion_skin_create(crypto_pk_env_t *dest_router_key, puts(""); #endif + note_crypto_pk_op(ENC_ONIONSKIN); + /* set meeting point, meeting cookie, etc here. Leave zero for now. */ if (crypto_pk_public_hybrid_encrypt(dest_router_key, onion_skin_out, challenge, DH_KEY_LEN, @@ -237,6 +239,7 @@ onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/ k = i==0?private_key:prev_private_key; if (!k) break; + note_crypto_pk_op(DEC_ONIONSKIN); len = crypto_pk_private_hybrid_decrypt(k, challenge, onion_skin, ONIONSKIN_CHALLENGE_LEN, PK_PKCS1_OAEP_PADDING,0); diff --git a/src/or/or.h b/src/or/or.h index 6d9b27f127..f2663695e5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2408,6 +2408,16 @@ int rep_hist_get_predicted_internal(time_t now, int *need_uptime, int any_predicted_circuits(time_t now); int rep_hist_circbuilding_dormant(time_t now); +typedef enum { + SIGN_DIR, SIGN_RTR, + VERIFY_DIR, VERIFY_RTR, + ENC_ONIONSKIN, DEC_ONIONSKIN, + TLS_HANDSHAKE_C, TLS_HANDSHAKE_S, + REND_CLIENT, REND_MID, REND_SERVER, +} pk_op_t; +void note_crypto_pk_op(pk_op_t operation); +void dump_pk_ops(int severity); + void rep_hist_free_all(void); /********************************* rendclient.c ***************************/ diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 7297f1b981..4d0cdd9fc3 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -129,6 +129,7 @@ rend_client_send_introduction(origin_circuit_t *introcirc, goto err; } + note_crypto_pk_op(REND_CLIENT); /*XXX maybe give crypto_pk_public_hybrid_encrypt a max_len arg, * to avoid buffer overflows? */ r = crypto_pk_public_hybrid_encrypt(entry->parsed->pk, payload+DIGEST_LEN, diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c index 7293f8fb06..2ecc2c3513 100644 --- a/src/or/rendcommon.c +++ b/src/or/rendcommon.c @@ -97,6 +97,7 @@ rend_encode_service_descriptor(rend_service_descriptor_t *desc, cp += 6+DIGEST_LEN+2+klen; } } + note_crypto_pk_op(REND_SERVER); i = crypto_pk_private_sign_digest(key, cp, *str_out, cp-*str_out); if (i<0) { tor_free(*str_out); @@ -198,6 +199,7 @@ rend_parse_service_descriptor(const char *str, size_t len) (int)((size_t)(end-cp) - keylen)); goto error; } + note_crypto_pk_op(REND_CLIENT); if (crypto_pk_public_checksig_digest(result->pk, (char*)str,cp-str, /* data */ (char*)cp,end-cp /* signature*/ diff --git a/src/or/rendmid.c b/src/or/rendmid.c index 740e5d0315..04e9f9ef7f 100644 --- a/src/or/rendmid.c +++ b/src/or/rendmid.c @@ -65,6 +65,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request, goto err; } /* Rest of body: signature of previous data */ + note_crypto_pk_op(REND_MID); if (crypto_pk_public_checksig_digest(pk, request, 2+asn1len+DIGEST_LEN, request+2+DIGEST_LEN+asn1len, request_len-(2+DIGEST_LEN+asn1len))<0) { diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 984bf7e7cd..d53fd45f23 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -471,6 +471,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request, return -1; } /* Next N bytes is encrypted with service key */ + note_crypto_pk_op(REND_SERVER); r = crypto_pk_private_hybrid_decrypt( service->private_key,buf,request+DIGEST_LEN,request_len-DIGEST_LEN, PK_PKCS1_OAEP_PADDING,1); @@ -756,6 +757,7 @@ rend_service_intro_has_opened(origin_circuit_t *circuit) if (crypto_digest(buf+len, auth, DIGEST_LEN+9)) goto err; len += 20; + note_crypto_pk_op(REND_SERVER); r = crypto_pk_private_sign_digest(service->private_key, buf+len, buf, len); if (r<0) { log_warn(LD_BUG, "Internal error: couldn't sign introduction request."); diff --git a/src/or/rephist.c b/src/or/rephist.c index aedb0072de..68c99123e3 100644 --- a/src/or/rephist.c +++ b/src/or/rephist.c @@ -934,6 +934,89 @@ rep_hist_circbuilding_dormant(time_t now) return 1; } +static uint32_t n_signed_dir_objs = 0; +static uint32_t n_signed_routerdescs = 0; +static uint32_t n_verified_dir_objs = 0; +static uint32_t n_verified_routerdescs = 0; +static uint32_t n_onionskins_encrypted = 0; +static uint32_t n_onionskins_decrypted = 0; +static uint32_t n_tls_client_handshakes = 0; +static uint32_t n_tls_server_handshakes = 0; +static uint32_t n_rend_client_ops = 0; +static uint32_t n_rend_mid_ops = 0; +static uint32_t n_rend_server_ops = 0; + +void +note_crypto_pk_op(pk_op_t operation) +{ + switch (operation) + { + case SIGN_DIR: + n_signed_dir_objs++; + break; + case SIGN_RTR: + n_signed_routerdescs++; + break; + case VERIFY_DIR: + n_verified_dir_objs++; + break; + case VERIFY_RTR: + n_verified_routerdescs++; + break; + case ENC_ONIONSKIN: + n_onionskins_encrypted++; + break; + case DEC_ONIONSKIN: + n_onionskins_decrypted++; + break; + case TLS_HANDSHAKE_C: + n_tls_client_handshakes++; + break; + case TLS_HANDSHAKE_S: + n_tls_client_handshakes++; + break; + case REND_CLIENT: + n_rend_client_ops++; + break; + case REND_MID: + n_rend_mid_ops++; + break; + case REND_SERVER: + n_rend_server_ops++; + break; + default: + log_warn(LD_BUG, "Unknown pk operation %d", operation); + } +} + +void +dump_pk_ops(int severity) +{ + log(severity, LD_GENERAL, + "PK operations: %lu directory objects signed, " + "%lu directory objects verified, " + "%lu routerdescs signed, " + "%lu routerdescs verified, " + "%lu onionskins encrypted, " + "%lu onionskins decrypted, " + "%lu client-side TLS handshakes, " + "%lu server-side TLS handshakes, " + "%lu rendezvous client operations, " + "%lu rendezvous middle operations, " + "%lu rendezvous server operations.", + (unsigned long) n_signed_dir_objs, + (unsigned long) n_verified_dir_objs, + (unsigned long) n_signed_routerdescs, + (unsigned long) n_verified_routerdescs, + (unsigned long) n_onionskins_encrypted, + (unsigned long) n_onionskins_decrypted, + (unsigned long) n_tls_client_handshakes, + (unsigned long) n_tls_server_handshakes, + (unsigned long) n_rend_client_ops, + (unsigned long) n_rend_mid_ops, + (unsigned long) n_rend_server_ops); +} + /** Free all storage held by the OR/link history caches, by the * bandwidth history arrays, or by the port history. */ void diff --git a/src/or/router.c b/src/or/router.c index 5e5c1bebcf..27f401bed6 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -1247,6 +1247,7 @@ router_dump_router_to_string(char *s, size_t maxlen, routerinfo_t *router, if (router_get_router_hash(s, digest) < 0) return -1; + note_crypto_pk_op(SIGN_RTR); if (router_append_dirobj_signature(s+written,maxlen-written, digest,ident_key)<0) { log_warn(LD_BUG, "Couldn't sign router descriptor"); diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 69cebb7059..4839ed8809 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -396,6 +396,7 @@ router_parse_directory(const char *str) log_warn(LD_DIR,"Expected a single directory signature"); goto err; } declared_key = find_dir_signing_key(str); + note_crypto_pk_op(VERIFY_DIR); if (check_directory_signature(digest, tok, NULL, declared_key, 1)<0) goto err; @@ -490,6 +491,7 @@ router_parse_runningrouters(const char *str) goto err; } declared_key = find_dir_signing_key(str); + note_crypto_pk_op(VERIFY_DIR); if (check_directory_signature(digest, tok, NULL, declared_key, 1) < 0) goto err; @@ -910,6 +912,7 @@ router_parse_entry_from_string(const char *s, const char *end, log_warn(LD_DIR, "Bad object type or length on router signature"); goto err; } + note_crypto_pk_op(VERIFY_RTR); if ((t=crypto_pk_public_checksig(router->identity_pkey, signed_digest, tok->object_body, 128)) != 20) { log_warn(LD_DIR, "Invalid signature %d",t); @@ -1264,6 +1267,7 @@ networkstatus_parse_from_string(const char *s) goto err; } + note_crypto_pk_op(VERIFY_DIR); if (check_directory_signature(ns_digest, tok, NULL, ns->signing_key, 0)) goto err;