r9449@Kushana: nickm | 2006-10-31 00:12:02 -0500

Dump breakdown of PK operations when we get a USR2 signal.  This should help us figure out of we are doing some of them for stupid reasons.


svn:r8881

ChangeLog

@@ -1,3 +1,8 @@
+Changes in version 0.1.2.4-alpha - 2006-11-??
+  o Minor Features
+    - Add breakdown of public key operations to dumped statistics.
+
+
 Changes in version 0.1.2.3-alpha - 2006-10-29
   o Minor features:
     - Prepare for servers to publish descriptors less often: never

src/or/connection_or.c

@@ -488,6 +488,8 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving)
   }
   connection_start_reading(TO_CONN(conn));
   log_debug(LD_OR,"starting TLS handshake on fd %d", conn->_base.s);
+  note_crypto_pk_op(receiving ? TLS_HANDSHAKE_S : TLS_HANDSHAKE_C);
+
   if (connection_tls_continue_handshake(conn) < 0) {
     return -1;
   }

src/or/dirserv.c

@@ -904,6 +904,7 @@ dirserv_dump_directory_to_string(char **dir_out,
     tor_free(buf);
     return -1;
   }
+  note_crypto_pk_op(SIGN_DIR);
   if (router_append_dirobj_signature(buf,buf_len,digest,private_key)<0) {
     tor_free(buf);
     return -1;
@@ -1235,6 +1236,7 @@ generate_runningrouters(void)
     log_warn(LD_BUG,"couldn't compute digest");
     goto err;
   }
+  note_crypto_pk_op(SIGN_DIR);
   if (router_append_dirobj_signature(s, len, digest, private_key)<0)
     goto err;
 
@@ -1544,6 +1546,7 @@ generate_v2_networkstatus(void)
     goto done;
   }
 
+  note_crypto_pk_op(SIGN_DIR);
   if (router_append_dirobj_signature(outp,endp-outp,digest,private_key)<0) {
     log_warn(LD_BUG, "Unable to sign router status.");
     goto done;

src/or/main.c

@@ -1435,6 +1435,7 @@ dumpstats(int severity)
 
   rep_hist_dump_stats(now,severity);
   rend_service_dump_stats(severity);
+  dump_pk_ops(severity);
 }
 
 /** Called by exit() as we shut down the process.

src/or/onion.c

@@ -196,6 +196,8 @@ onion_skin_create(crypto_pk_env_t *dest_router_key,
   puts("");
 #endif
 
+  note_crypto_pk_op(ENC_ONIONSKIN);
+
   /* set meeting point, meeting cookie, etc here. Leave zero for now. */
   if (crypto_pk_public_hybrid_encrypt(dest_router_key, onion_skin_out,
                                       challenge, DH_KEY_LEN,
@@ -237,6 +239,7 @@ onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/
     k = i==0?private_key:prev_private_key;
     if (!k)
       break;
+    note_crypto_pk_op(DEC_ONIONSKIN);
     len = crypto_pk_private_hybrid_decrypt(k, challenge,
                                            onion_skin, ONIONSKIN_CHALLENGE_LEN,
                                            PK_PKCS1_OAEP_PADDING,0);

src/or/or.h

@@ -2408,6 +2408,16 @@ int rep_hist_get_predicted_internal(time_t now, int *need_uptime,
 int any_predicted_circuits(time_t now);
 int rep_hist_circbuilding_dormant(time_t now);
 
+typedef enum {
+  SIGN_DIR, SIGN_RTR,
+  VERIFY_DIR, VERIFY_RTR,
+  ENC_ONIONSKIN, DEC_ONIONSKIN,
+  TLS_HANDSHAKE_C, TLS_HANDSHAKE_S,
+  REND_CLIENT, REND_MID, REND_SERVER,
+} pk_op_t;
+void note_crypto_pk_op(pk_op_t operation);
+void dump_pk_ops(int severity);
+
 void rep_hist_free_all(void);
 
 /********************************* rendclient.c ***************************/

src/or/rendclient.c

@@ -129,6 +129,7 @@ rend_client_send_introduction(origin_circuit_t *introcirc,
     goto err;
   }
 
+  note_crypto_pk_op(REND_CLIENT);
   /*XXX maybe give crypto_pk_public_hybrid_encrypt a max_len arg,
    * to avoid buffer overflows? */
   r = crypto_pk_public_hybrid_encrypt(entry->parsed->pk, payload+DIGEST_LEN,

src/or/rendcommon.c

@@ -97,6 +97,7 @@ rend_encode_service_descriptor(rend_service_descriptor_t *desc,
       cp += 6+DIGEST_LEN+2+klen;
     }
   }
+  note_crypto_pk_op(REND_SERVER);
   i = crypto_pk_private_sign_digest(key, cp, *str_out, cp-*str_out);
   if (i<0) {
     tor_free(*str_out);
@@ -198,6 +199,7 @@ rend_parse_service_descriptor(const char *str, size_t len)
              (int)((size_t)(end-cp) - keylen));
     goto error;
   }
+  note_crypto_pk_op(REND_CLIENT);
   if (crypto_pk_public_checksig_digest(result->pk,
                                        (char*)str,cp-str, /* data */
                                        (char*)cp,end-cp  /* signature*/

src/or/rendmid.c

@@ -65,6 +65,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request,
     goto err;
   }
   /* Rest of body: signature of previous data */
+  note_crypto_pk_op(REND_MID);
   if (crypto_pk_public_checksig_digest(pk, request, 2+asn1len+DIGEST_LEN,
                                        request+2+DIGEST_LEN+asn1len,
                                        request_len-(2+DIGEST_LEN+asn1len))<0) {

src/or/rendservice.c

@@ -471,6 +471,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request,
     return -1;
   }
   /* Next N bytes is encrypted with service key */
+  note_crypto_pk_op(REND_SERVER);
   r = crypto_pk_private_hybrid_decrypt(
        service->private_key,buf,request+DIGEST_LEN,request_len-DIGEST_LEN,
        PK_PKCS1_OAEP_PADDING,1);
@@ -756,6 +757,7 @@ rend_service_intro_has_opened(origin_circuit_t *circuit)
   if (crypto_digest(buf+len, auth, DIGEST_LEN+9))
     goto err;
   len += 20;
+  note_crypto_pk_op(REND_SERVER);
   r = crypto_pk_private_sign_digest(service->private_key, buf+len, buf, len);
   if (r<0) {
     log_warn(LD_BUG, "Internal error: couldn't sign introduction request.");

src/or/rephist.c

@@ -934,6 +934,89 @@ rep_hist_circbuilding_dormant(time_t now)
   return 1;
 }
 
+static uint32_t n_signed_dir_objs = 0;
+static uint32_t n_signed_routerdescs = 0;
+static uint32_t n_verified_dir_objs = 0;
+static uint32_t n_verified_routerdescs = 0;
+static uint32_t n_onionskins_encrypted = 0;
+static uint32_t n_onionskins_decrypted = 0;
+static uint32_t n_tls_client_handshakes = 0;
+static uint32_t n_tls_server_handshakes = 0;
+static uint32_t n_rend_client_ops = 0;
+static uint32_t n_rend_mid_ops = 0;
+static uint32_t n_rend_server_ops = 0;
+
+void
+note_crypto_pk_op(pk_op_t operation)
+{
+  switch (operation)
+    {
+    case SIGN_DIR:
+      n_signed_dir_objs++;
+      break;
+    case SIGN_RTR:
+      n_signed_routerdescs++;
+      break;
+    case VERIFY_DIR:
+      n_verified_dir_objs++;
+      break;
+    case VERIFY_RTR:
+      n_verified_routerdescs++;
+      break;
+    case ENC_ONIONSKIN:
+      n_onionskins_encrypted++;
+      break;
+    case DEC_ONIONSKIN:
+      n_onionskins_decrypted++;
+      break;
+    case TLS_HANDSHAKE_C:
+      n_tls_client_handshakes++;
+      break;
+    case TLS_HANDSHAKE_S:
+      n_tls_client_handshakes++;
+      break;
+    case REND_CLIENT:
+      n_rend_client_ops++;
+      break;
+    case REND_MID:
+      n_rend_mid_ops++;
+      break;
+    case REND_SERVER:
+      n_rend_server_ops++;
+      break;
+    default:
+      log_warn(LD_BUG, "Unknown pk operation %d", operation);
+  }
+}
+
+void
+dump_pk_ops(int severity)
+{
+  log(severity, LD_GENERAL,
+      "PK operations: %lu directory objects signed, "
+      "%lu directory objects verified, "
+      "%lu routerdescs signed, "
+      "%lu routerdescs verified, "
+      "%lu onionskins encrypted, "
+      "%lu onionskins decrypted, "
+      "%lu client-side TLS handshakes, "
+      "%lu server-side TLS handshakes, "
+      "%lu rendezvous client operations, "
+      "%lu rendezvous middle operations, "
+      "%lu rendezvous server operations.",
+      (unsigned long) n_signed_dir_objs,
+      (unsigned long) n_verified_dir_objs,
+      (unsigned long) n_signed_routerdescs,
+      (unsigned long) n_verified_routerdescs,
+      (unsigned long) n_onionskins_encrypted,
+      (unsigned long) n_onionskins_decrypted,
+      (unsigned long) n_tls_client_handshakes,
+      (unsigned long) n_tls_server_handshakes,
+      (unsigned long) n_rend_client_ops,
+      (unsigned long) n_rend_mid_ops,
+      (unsigned long) n_rend_server_ops);
+}
+
 /** Free all storage held by the OR/link history caches, by the
  * bandwidth history arrays, or by the port history. */
 void

src/or/router.c

@@ -1247,6 +1247,7 @@ router_dump_router_to_string(char *s, size_t maxlen, routerinfo_t *router,
   if (router_get_router_hash(s, digest) < 0)
     return -1;
 
+  note_crypto_pk_op(SIGN_RTR);
   if (router_append_dirobj_signature(s+written,maxlen-written,
                                      digest,ident_key)<0) {
     log_warn(LD_BUG, "Couldn't sign router descriptor");

src/or/routerparse.c

@@ -396,6 +396,7 @@ router_parse_directory(const char *str)
     log_warn(LD_DIR,"Expected a single directory signature"); goto err;
   }
   declared_key = find_dir_signing_key(str);
+  note_crypto_pk_op(VERIFY_DIR);
   if (check_directory_signature(digest, tok, NULL, declared_key, 1)<0)
     goto err;
 
@@ -490,6 +491,7 @@ router_parse_runningrouters(const char *str)
     goto err;
   }
   declared_key = find_dir_signing_key(str);
+  note_crypto_pk_op(VERIFY_DIR);
   if (check_directory_signature(digest, tok, NULL, declared_key, 1) < 0)
     goto err;
 
@@ -910,6 +912,7 @@ router_parse_entry_from_string(const char *s, const char *end,
     log_warn(LD_DIR, "Bad object type or length on router signature");
     goto err;
   }
+  note_crypto_pk_op(VERIFY_RTR);
   if ((t=crypto_pk_public_checksig(router->identity_pkey, signed_digest,
                                    tok->object_body, 128)) != 20) {
     log_warn(LD_DIR, "Invalid signature %d",t);
@@ -1264,6 +1267,7 @@ networkstatus_parse_from_string(const char *s)
     goto err;
   }
 
+  note_crypto_pk_op(VERIFY_DIR);
   if (check_directory_signature(ns_digest, tok, NULL, ns->signing_key, 0))
     goto err;