From a65cea38d2ff3b306b9b1477309c9bf60392228a Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 27 Jul 2007 18:33:28 +0000 Subject: [PATCH] r13936@catbus: nickm | 2007-07-27 12:23:26 -0400 Code to implement detached signature documents. svn:r10944 --- src/or/dirvote.c | 149 ++++++++++++++++++++++++++++++++++++------- src/or/or.h | 17 +++++ src/or/routerparse.c | 103 +++++++++++++++++++++++++++++- 3 files changed, 243 insertions(+), 26 deletions(-) diff --git a/src/or/dirvote.c b/src/or/dirvote.c index d8c143e9fe..5d89b473d4 100644 --- a/src/or/dirvote.c +++ b/src/or/dirvote.c @@ -754,32 +754,21 @@ networkstatus_check_consensus_signature(networkstatus_vote_t *consensus) } /** DOCDOC */ -int -networkstatus_add_consensus_signatures(networkstatus_vote_t *target, - networkstatus_vote_t *src, - char **new_signatures_out) +static int +networkstatus_add_signatures_impl(networkstatus_vote_t *target, + smartlist_t *src_voter_list, + char **new_signatures_out) { smartlist_t *added_signatures, *sigs; int r; tor_assert(target); - tor_assert(src); - tor_assert(! target->is_vote); - tor_assert(! src->is_vote); + tor_assert(!target->is_vote); tor_assert(new_signatures_out); - *new_signatures_out = NULL; - - /* Are they the same consensus? */ - if (memcmp(target->networkstatus_digest, src->networkstatus_digest, - DIGEST_LEN)) - return -1; - if (target == src) - return 0; - added_signatures = smartlist_create(); /* For each voter in src... */ - SMARTLIST_FOREACH(src->voters, networkstatus_voter_info_t *, src_voter, + SMARTLIST_FOREACH(src_voter_list, networkstatus_voter_info_t *, src_voter, { networkstatus_voter_info_t *target_voter = networkstatus_get_voter_by_id(target, src_voter->identity_digest); @@ -793,11 +782,13 @@ networkstatus_add_consensus_signatures(networkstatus_vote_t *target, if (target_voter->good_signature) continue; - /* If this signature is no good, then skip. */ - cert = authority_cert_get_by_digests(src_voter->identity_digest, - src_voter->signing_key_digest); - if (cert) { - networkstatus_check_voter_signature(target, src_voter, cert); + /* Try checking the signature if we haven't already. */ + if (!src_voter->good_signature && !src_voter->bad_signature) { + cert = authority_cert_get_by_digests(src_voter->identity_digest, + src_voter->signing_key_digest); + if (cert) { + networkstatus_check_voter_signature(target, src_voter, cert); + } } /* If this signature is good, then replace and add. */ if (src_voter->good_signature || !target_voter->signature) { @@ -824,10 +815,10 @@ networkstatus_add_consensus_signatures(networkstatus_vote_t *target, base16_encode(sk, sizeof(sk), v->signing_key_digest, DIGEST_LEN); base16_encode(ik, sizeof(ik), v->identity_digest, DIGEST_LEN); tor_snprintf(buf, sizeof(buf), "directory-signature %s %s\n" - "-----BEGIN SIGNATURE-----", ik, sk); + "-----BEGIN SIGNATURE-----\n", ik, sk); smartlist_add(sigs, tor_strdup(buf)); base64_encode(buf, sizeof(buf), v->signature, v->signature_len); - strlcat(buf, "-----END SIGNATURE-----", sizeof(buf)); + strlcat(buf, "-----END SIGNATURE-----\n", sizeof(buf)); smartlist_add(sigs, tor_strdup(buf)); }); @@ -839,6 +830,116 @@ networkstatus_add_consensus_signatures(networkstatus_vote_t *target, return r; } +/** DOCDOC */ +int +networkstatus_add_consensus_signatures(networkstatus_vote_t *target, + networkstatus_vote_t *src, + char **new_signatures_out) +{ + tor_assert(src); + tor_assert(! src->is_vote); + + *new_signatures_out = NULL; + + /* Are they the same consensus? */ + if (memcmp(target->networkstatus_digest, src->networkstatus_digest, + DIGEST_LEN)) + return -1; + if (target == src) + return 0; + + return networkstatus_add_signatures_impl(target, src->voters, + new_signatures_out); +} + +/** DOCDOC */ +int +networkstatus_add_detached_signatures(networkstatus_vote_t *target, + ns_detached_signatures_t *sigs, + char **new_signatures_out) +{ + tor_assert(sigs); + + *new_signatures_out = NULL; + + /* Are they the same consensus? */ + if (memcmp(target->networkstatus_digest, sigs->networkstatus_digest, + DIGEST_LEN)) + return -1; + + return networkstatus_add_signatures_impl(target, sigs->signatures, + new_signatures_out); +} + +/** DOCDOC */ +char * +networkstatus_get_detached_signatures(networkstatus_vote_t *consensus) +{ + smartlist_t *elements; + char buf[4096]; + char *result = NULL; + tor_assert(consensus); + tor_assert(! consensus->is_vote); + + elements = smartlist_create(); + + { + char va_buf[ISO_TIME_LEN+1], fu_buf[ISO_TIME_LEN+1], + vu_buf[ISO_TIME_LEN+1]; + char d[HEX_DIGEST_LEN+1]; + + base16_encode(d, sizeof(d), consensus->networkstatus_digest, DIGEST_LEN); + format_iso_time(va_buf, consensus->valid_after); + format_iso_time(fu_buf, consensus->fresh_until); + format_iso_time(vu_buf, consensus->valid_until); + + tor_snprintf(buf, sizeof(buf), + "consensus-digest %s\n" + "valid-after %s\n" + "fresh-until %s\n" + "valid-until %s\n", d, va_buf, fu_buf, vu_buf); + smartlist_add(elements, tor_strdup(buf)); + } + + SMARTLIST_FOREACH(consensus->voters, networkstatus_voter_info_t *, v, + { + char sk[HEX_DIGEST_LEN+1]; + char id[HEX_DIGEST_LEN+1]; + if (!v->signature || !v->good_signature) + continue; + base16_encode(sk, sizeof(sk), v->signing_key_digest, DIGEST_LEN); + base16_encode(id, sizeof(id), v->identity_digest, DIGEST_LEN); + tor_snprintf(buf, sizeof(buf), + "directory-signature %s %s\n-----BEGIN SIGNATURE-----\n", + id, sk); + smartlist_add(elements, tor_strdup(buf)); + base64_encode(buf, sizeof(buf), v->signature, v->signature_len); + strlcat(buf, "-----END SIGNATURE-----\n", sizeof(buf)); + smartlist_add(elements, tor_strdup(buf)); + }); + + result = smartlist_join_strings(elements, "", 0, NULL); + + SMARTLIST_FOREACH(elements, char *, cp, tor_free(cp)); + smartlist_free(elements); + return result; +} + +/** DOCDOC */ +void +ns_detached_signatures_free(ns_detached_signatures_t *s) +{ + if (s->signatures) { + SMARTLIST_FOREACH(s->signatures, networkstatus_voter_info_t *, v, + { + tor_free(v->signature); + tor_free(v); + }); + smartlist_free(s->signatures); + } + tor_free(s); +} + /* ===== * Certificate functions * ===== */ diff --git a/src/or/or.h b/src/or/or.h index c238efc9c8..e54b39b96a 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1361,6 +1361,16 @@ typedef struct networkstatus_vote_t { * otherwise just routerstatus_t. */ } networkstatus_vote_t; +/* XXXX020 merge with networkstatus_vote_t ?? */ +/** DOCDOC */ +typedef struct ns_detached_signatures_t { + time_t valid_after; + time_t fresh_until; + time_t valid_until; + char networkstatus_digest[DIGEST_LEN]; + smartlist_t *signatures; /* list of networkstatus_voter_info_t */ +} ns_detached_signatures_t; + /** Contents of a directory of onion routers. */ typedef struct { /** Map from server identity digest to a member of routers. */ @@ -2796,6 +2806,11 @@ int networkstatus_check_consensus_signature(networkstatus_vote_t *consensus); int networkstatus_add_consensus_signatures(networkstatus_vote_t *target, networkstatus_vote_t *src, char **new_signatures_out); +int networkstatus_add_detached_signatures(networkstatus_vote_t *target, + ns_detached_signatures_t *sigs, + char **new_signatures_out); +char *networkstatus_get_detached_signatures(networkstatus_vote_t *consensus); +void ns_detached_signatures_free(ns_detached_signatures_t *s); /* cert manipulation */ void authority_cert_free(authority_cert_t *cert); @@ -3505,6 +3520,8 @@ void dump_distinct_digest_count(int severity); networkstatus_t *networkstatus_parse_from_string(const char *s); networkstatus_vote_t *networkstatus_parse_vote_from_string(const char *s, int is_vote); +ns_detached_signatures_t *networkstatus_parse_detached_signatures( + const char *s, const char *eos); authority_cert_t *authority_cert_parse_from_string(const char *s, const char **end_of_string); diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 4e948c7945..db0c7d72b9 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -340,6 +340,15 @@ static token_rule_t networkstatus_vote_footer_token_table[] = { END_OF_TABLE }; +static token_rule_t networkstatus_detached_signature_token_table[] = { + T1_START("consensus-digest", K_CONSENSUS_DIGEST, GE(1), NO_OBJ ), + T1("valid-after", K_VALID_AFTER, CONCAT_ARGS, NO_OBJ ), + T1("fresh-until", K_FRESH_UNTIL, CONCAT_ARGS, NO_OBJ ), + T1("valid-until", K_VALID_UNTIL, CONCAT_ARGS, NO_OBJ ), + T( "directory-signature", K_DIRECTORY_SIGNATURE, GE(2), NEED_OBJ ), + END_OF_TABLE +}; + #undef T /* static function prototypes */ @@ -2058,8 +2067,7 @@ networkstatus_parse_vote_from_string(const char *s, int is_vote) goto err; v->good_signature = 1; } else { - v->signature = tor_memdup(tok->object_body, - tok->object_size); + v->signature = tor_memdup(tok->object_body, tok->object_size); v->signature_len = tok->object_size; } }); @@ -2095,6 +2103,97 @@ networkstatus_parse_vote_from_string(const char *s, int is_vote) return ns; } +/** DOCDOC */ +ns_detached_signatures_t * +networkstatus_parse_detached_signatures(const char *s, const char *eos) +{ + /* XXXX020 there is too much duplicate code here. */ + directory_token_t *tok; + + smartlist_t *tokens = smartlist_create(); + ns_detached_signatures_t *sigs = + tor_malloc_zero(sizeof(ns_detached_signatures_t)); + + if (!eos) + eos = s + strlen(s); + + if (tokenize_string(s, eos, tokens, + networkstatus_detached_signature_token_table)) { + log_warn(LD_DIR, "Error tokenizing detached networkstatus signatures"); + goto err; + } + + tok = find_first_by_keyword(tokens, K_CONSENSUS_DIGEST); + if (strlen(tok->args[0]) != HEX_DIGEST_LEN) + goto err; + if (base16_decode(sigs->networkstatus_digest, DIGEST_LEN, + tok->args[0], strlen(tok->args[0])) < 0) + goto err; + + tok = find_first_by_keyword(tokens, K_VALID_AFTER); + if (parse_iso_time(tok->args[0], &sigs->valid_after)) + goto err; + + tok = find_first_by_keyword(tokens, K_FRESH_UNTIL); + if (parse_iso_time(tok->args[0], &sigs->fresh_until)) + goto err; + + tok = find_first_by_keyword(tokens, K_VALID_UNTIL); + if (parse_iso_time(tok->args[0], &sigs->valid_until)) + goto err; + + sigs->signatures = smartlist_create(); + SMARTLIST_FOREACH(tokens, directory_token_t *, _tok, + { + char id_digest[DIGEST_LEN]; + char sk_digest[DIGEST_LEN]; + networkstatus_voter_info_t *voter; + + tok = _tok; + if (tok->tp != K_DIRECTORY_SIGNATURE) + continue; + tor_assert(tok->n_args >= 2); + + if (!tok->object_type || + strcmp(tok->object_type, "SIGNATURE") || + tok->object_size < 128 || tok->object_size > 512) { + log_warn(LD_DIR, "Bad object type or length on directory-signature"); + goto err; + } + + if (strlen(tok->args[0]) != HEX_DIGEST_LEN || + base16_decode(id_digest, sizeof(id_digest), + tok->args[0], HEX_DIGEST_LEN) < 0) { + log_warn(LD_DIR, "Error decoding declared identity %s in " + "network-status vote.", escaped(tok->args[0])); + goto err; + } + if (strlen(tok->args[1]) != HEX_DIGEST_LEN || + base16_decode(sk_digest, sizeof(sk_digest), + tok->args[1], HEX_DIGEST_LEN) < 0) { + log_warn(LD_DIR, "Error decoding declared identity %s in " + "network-status vote.", escaped(tok->args[1])); + goto err; + } + + voter = tor_malloc_zero(sizeof(networkstatus_voter_info_t)); + memcpy(voter->identity_digest, id_digest, DIGEST_LEN); + memcpy(voter->signing_key_digest, sk_digest, DIGEST_LEN); + voter->signature = tor_memdup(tok->object_body, tok->object_size); + voter->signature_len = tok->object_size; + + smartlist_add(sigs->signatures, voter); + }); + + goto done; + err: + ns_detached_signatures_free(sigs); + sigs = NULL; + done: + SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_free(t)); + return NULL; +} + /** Parse the addr policy in the string s and return it. If * assume_action is nonnegative, then insert its action (ADDR_POLICY_ACCEPT or * ADDR_POLICY_REJECT) for items that specify no action.