Merge branch 'ticket22143_squashed'

src/or/consdiff.c

@@ -65,17 +65,35 @@ line_str_eq(const cdline_t *a, const char *b)
   return lines_eq(a, &bline);
 }
 
-/** Add a cdline_t to <b>lst</b> holding as its contents the nul-terminated
- * string s.  Use the provided memory area for storage. */
-STATIC void
-smartlist_add_linecpy(smartlist_t *lst, memarea_t *area, const char *s)
+/** Return true iff a begins with the same contents as the nul-terminated
+ * string b. */
+static int
+line_starts_with_str(const cdline_t *a, const char *b)
+{
+  const size_t len = strlen(b);
+  tor_assert(len <= UINT32_MAX);
+  return a->len >= len && fast_memeq(a->s, b, len);
+}
+
+/** Return a new cdline_t holding as its contents the nul-terminated
+ * string s. Use the provided memory area for storage. */
+static cdline_t *
+cdline_linecpy(memarea_t *area, const char *s)
 {
   size_t len = strlen(s);
   const char *ss = memarea_memdup(area, s, len);
   cdline_t *line = memarea_alloc(area, sizeof(cdline_t));
   line->s = ss;
   line->len = (uint32_t)len;
-  smartlist_add(lst, line);
+  return line;
+}
+
+/** Add a cdline_t to <b>lst</b> holding as its contents the nul-terminated
+ * string s.  Use the provided memory area for storage. */
+STATIC void
+smartlist_add_linecpy(smartlist_t *lst, memarea_t *area, const char *s)
+{
+  smartlist_add(lst, cdline_linecpy(area, s));
 }
 
 /** Compute the digest of <b>cons</b>, and store the result in
@@ -91,6 +109,18 @@ consensus_compute_digest,(const char *cons,
   return r;
 }
 
+/** Compute the digest-as-signed of <b>cons</b>, and store the result in
+ * <b>digest_out</b>. Return 0 on success, -1 on failure. */
+/* This is a separate, mockable function so that we can override it when
+ * fuzzing. */
+MOCK_IMPL(STATIC int,
+consensus_compute_digest_as_signed,(const char *cons,
+                                    consensus_digest_t *digest_out))
+{
+  return router_get_networkstatus_v3_sha3_as_signed(digest_out->sha3_256,
+                                                    cons);
+}
+
 /** Return true iff <b>d1</b> and <b>d2</b> contain the same digest */
 /* This is a separate, mockable function so that we can override it when
  * fuzzing. */
@@ -533,6 +563,42 @@ find_next_router_line(const smartlist_t *cons,
   return 0;
 }
 
+/** Line-prefix indicating the beginning of the signatures section that we
+ * intend to delete. */
+#define START_OF_SIGNATURES_SECTION "directory-signature "
+
+/** Pre-process a consensus in <b>cons</b> (represented as a list of cdline_t)
+ * to remove the signatures from it.  If the footer is removed, return a
+ * cdline_t containing a delete command to delete the footer, allocated in
+ * <b>area</>.  If no footer is removed, return NULL.
+ *
+ * We remove the signatures here because they are not themselves signed, and
+ * as such there might be different encodings for them.
+ */
+static cdline_t *
+preprocess_consensus(memarea_t *area,
+                     smartlist_t *cons)
+{
+  int idx;
+  int dirsig_idx = -1;
+  for (idx = 0; idx < smartlist_len(cons); ++idx) {
+    cdline_t *line = smartlist_get(cons, idx);
+    if (line_starts_with_str(line, START_OF_SIGNATURES_SECTION)) {
+      dirsig_idx = idx;
+      break;
+    }
+  }
+  if (dirsig_idx >= 0) {
+    char buf[64];
+    while (smartlist_len(cons) > dirsig_idx)
+      smartlist_del(cons, dirsig_idx);
+    tor_snprintf(buf, sizeof(buf), "%d,$d", dirsig_idx+1);
+    return cdline_linecpy(area, buf);
+  } else {
+    return NULL;
+  }
+}
+
 /** Generate an ed diff as a smartlist from two consensuses, also given as
  * smartlists. Will return NULL if the diff could not be generated, which can
  * happen if any lines the script had to add matched "." or if the routers
@@ -554,13 +620,22 @@ find_next_router_line(const smartlist_t *cons,
  *   calc_changes(cons1_sl, cons2_sl, changed1, changed2);
  */
 STATIC smartlist_t *
-gen_ed_diff(const smartlist_t *cons1, const smartlist_t *cons2,
+gen_ed_diff(const smartlist_t *cons1_orig, const smartlist_t *cons2,
             memarea_t *area)
 {
+  smartlist_t *cons1 = smartlist_new();
+  smartlist_add_all(cons1, cons1_orig);
+  cdline_t *remove_trailer = preprocess_consensus(area, cons1);
+
   int len1 = smartlist_len(cons1);
   int len2 = smartlist_len(cons2);
   smartlist_t *result = smartlist_new();
 
+  if (remove_trailer) {
+    /* There's a delete-the-trailer line at the end, so add it here. */
+    smartlist_add(result, remove_trailer);
+  }
+
   /* Initialize the changed bitarrays to zero, so that calc_changes only needs
    * to set the ones that matter and leave the rest untouched.
    */
@@ -734,6 +809,7 @@ gen_ed_diff(const smartlist_t *cons1, const smartlist_t *cons2,
     }
   }
 
+  smartlist_free(cons1);
   bitarray_free(changed1);
   bitarray_free(changed2);
 
@@ -741,6 +817,7 @@ gen_ed_diff(const smartlist_t *cons1, const smartlist_t *cons2,
 
  error_cleanup:
 
+  smartlist_free(cons1);
   bitarray_free(changed1);
   bitarray_free(changed2);
 
@@ -799,6 +876,7 @@ apply_ed_diff(const smartlist_t *cons1, const smartlist_t *diff,
     const char *ptr = diff_line;
     int start = 0, end = 0;
     int had_range = 0;
+    int end_was_eof = 0;
     if (get_linenum(&ptr, &start) < 0) {
       log_warn(LD_CONSDIFF, "Could not apply consensus diff because "
                "an ed command was missing a line number.");
@@ -808,7 +886,11 @@ apply_ed_diff(const smartlist_t *cons1, const smartlist_t *diff,
       /* Two-item range */
       had_range = 1;
       ++ptr;
-      if (get_linenum(&ptr, &end) < 0) {
+      if (*ptr == '$') {
+        end_was_eof = 1;
+        end = smartlist_len(cons1);
+        ++ptr;
+      } else if (get_linenum(&ptr, &end) < 0) {
         log_warn(LD_CONSDIFF, "Could not apply consensus diff because "
                  "an ed command was missing a range end line number.");
         goto error_cleanup;
@@ -855,6 +937,13 @@ apply_ed_diff(const smartlist_t *cons1, const smartlist_t *diff,
         goto error_cleanup;
     }
 
+    /** $ is not allowed with non-d actions. */
+    if (end_was_eof && action != 'd') {
+      log_warn(LD_CONSDIFF, "Could not apply consensus diff because "
+               "it wanted to use $ with a command other than delete");
+      goto error_cleanup;
+    }
+
     /* 'a' commands are not allowed to have ranges. */
     if (had_range && action == 'a') {
       log_warn(LD_CONSDIFF, "Could not apply consensus diff because "
@@ -1250,7 +1339,7 @@ consensus_diff_generate(const char *cons1,
   int r1, r2;
   char *result = NULL;
 
-  r1 = consensus_compute_digest(cons1, &d1);
+  r1 = consensus_compute_digest_as_signed(cons1, &d1);
   r2 = consensus_compute_digest(cons2, &d2);
   if (BUG(r1 < 0 || r2 < 0))
     return NULL; // LCOV_EXCL_LINE
@@ -1291,7 +1380,7 @@ consensus_diff_apply(const char *consensus,
   char *result = NULL;
   memarea_t *area = memarea_new();
 
-  r1 = consensus_compute_digest(consensus, &d1);
+  r1 = consensus_compute_digest_as_signed(consensus, &d1);
   if (BUG(r1 < 0))
     return NULL; // LCOV_EXCL_LINE
 

src/or/consdiff.h

@@ -84,6 +84,9 @@ STATIC int line_str_eq(const cdline_t *a, const char *b);
 MOCK_DECL(STATIC int,
           consensus_compute_digest,(const char *cons,
                                     consensus_digest_t *digest_out));
+MOCK_DECL(STATIC int,
+          consensus_compute_digest_as_signed,(const char *cons,
+                                              consensus_digest_t *digest_out));
 MOCK_DECL(STATIC int,
           consensus_digest_eq,(const uint8_t *d1,
                                const uint8_t *d2));

src/or/consdiffmgr.c

@@ -19,6 +19,7 @@
 #include "consdiffmgr.h"
 #include "cpuworker.h"
 #include "networkstatus.h"
+#include "routerparse.h"
 #include "workqueue.h"
 
 /**
@@ -35,11 +36,13 @@
 #define LABEL_SHA3_DIGEST "sha3-digest"
 /* A hex encoded SHA3 digest of the object before compression. */
 #define LABEL_SHA3_DIGEST_UNCOMPRESSED "sha3-digest-uncompressed"
+/* A hex encoded SHA3 digest-as-signed of a consensus */
+#define LABEL_SHA3_DIGEST_AS_SIGNED "sha3-digest-as-signed"
 /* The flavor of the consensus or consensuses diff */
 #define LABEL_FLAVOR "consensus-flavor"
-/* Diff only: the SHA3 digest of the source consensus. */
+/* Diff only: the SHA3 digest-as-signed of the source consensus. */
 #define LABEL_FROM_SHA3_DIGEST "from-sha3-digest"
-/* Diff only: the SHA3 digest of the target consensus. */
+/* Diff only: the SHA3 digest-in-full of the target consensus. */
 #define LABEL_TARGET_SHA3_DIGEST "target-sha3-digest"
 /* Diff only: the valid-after date of the source consensus. */
 #define LABEL_FROM_VALID_AFTER "from-valid-after"
@@ -466,6 +469,17 @@ consdiffmgr_add_consensus(const char *consensus,
 
     cdm_labels_prepend_sha3(&labels, LABEL_SHA3_DIGEST_UNCOMPRESSED,
                             (const uint8_t *)consensus, bodylen);
+    {
+      const char *start, *end;
+      if (router_get_networkstatus_v3_signed_boundaries(consensus,
+                                                        &start, &end) < 0) {
+        start = consensus;
+        end = consensus+bodylen;
+      }
+      cdm_labels_prepend_sha3(&labels, LABEL_SHA3_DIGEST_AS_SIGNED,
+                              (const uint8_t *)start,
+                              end - start);
+    }
 
     char *body_compressed = NULL;
     size_t size_compressed = 0;
@@ -845,7 +859,7 @@ consdiffmgr_rescan_flavor_(consensus_flavor_t flavor)
 
     uint8_t this_sha3[DIGEST256_LEN];
     if (BUG(cdm_entry_get_sha3_value(this_sha3, c,
-                                     LABEL_SHA3_DIGEST_UNCOMPRESSED)<0))
+                                     LABEL_SHA3_DIGEST_AS_SIGNED)<0))
       continue; // LCOV_EXCL_LINE
     if (cdm_diff_ht_check_and_note_pending(flavor,
                                            this_sha3, most_recent_sha3)) {
@@ -1131,7 +1145,7 @@ consensus_diff_worker_threadfn(void *state_, void *work_)
     consensus_cache_entry_get_value(job->diff_from, LABEL_VALID_AFTER);
   const char *lv_from_digest =
     consensus_cache_entry_get_value(job->diff_from,
-                                    LABEL_SHA3_DIGEST_UNCOMPRESSED);
+                                    LABEL_SHA3_DIGEST_AS_SIGNED);
   const char *lv_from_flavor =
     consensus_cache_entry_get_value(job->diff_from, LABEL_FLAVOR);
   const char *lv_to_flavor =
@@ -1140,10 +1154,17 @@ consensus_diff_worker_threadfn(void *state_, void *work_)
     consensus_cache_entry_get_value(job->diff_to,
                                     LABEL_SHA3_DIGEST_UNCOMPRESSED);
 
+  if (! lv_from_digest) {
+    /* This isn't a bug right now, since it can happen if you're migrating
+     * from an older version of master to a newer one.  The older ones didn't
+     * annotate their stored consensus objects with sha3-digest-as-signed.
+    */
+    return WQ_RPL_REPLY; // LCOV_EXCL_LINE
+  }
+
   /* All these values are mandatory on the input */
   if (BUG(!lv_to_valid_after) ||
       BUG(!lv_from_valid_after) ||
-      BUG(!lv_from_digest) ||
       BUG(!lv_from_flavor) ||
       BUG(!lv_to_flavor)) {
     return WQ_RPL_REPLY; // LCOV_EXCL_LINE
@@ -1267,7 +1288,7 @@ consensus_diff_worker_replyfn(void *work_)
 
   const char *lv_from_digest =
     consensus_cache_entry_get_value(job->diff_from,
-                                    LABEL_SHA3_DIGEST_UNCOMPRESSED);
+                                    LABEL_SHA3_DIGEST_AS_SIGNED);
   const char *lv_to_digest =
     consensus_cache_entry_get_value(job->diff_to,
                                     LABEL_SHA3_DIGEST_UNCOMPRESSED);
@@ -1283,7 +1304,7 @@ consensus_diff_worker_replyfn(void *work_)
   int flav = -1;
   int cache = 1;
   if (BUG(cdm_entry_get_sha3_value(from_sha3, job->diff_from,
-                                   LABEL_SHA3_DIGEST_UNCOMPRESSED) < 0))
+                                   LABEL_SHA3_DIGEST_AS_SIGNED) < 0))
     cache = 0;
   if (BUG(cdm_entry_get_sha3_value(to_sha3, job->diff_to,
                                    LABEL_SHA3_DIGEST_UNCOMPRESSED) < 0))

src/or/routerparse.c

@@ -359,6 +359,7 @@ static addr_policy_t *router_parse_addr_policy_private(directory_token_t *tok);
 static int router_get_hash_impl_helper(const char *s, size_t s_len,
                             const char *start_str,
                             const char *end_str, char end_c,
+                            int log_severity,
                             const char **start_out, const char **end_out);
 static int router_get_hash_impl(const char *s, size_t s_len, char *digest,
                                 const char *start_str, const char *end_str,
@@ -988,6 +989,41 @@ router_get_router_hash(const char *s, size_t s_len, char *digest)
                               DIGEST_SHA1);
 }
 
+/** Try to find the start and end of the signed portion of a networkstatus
+ * document in <b>s</b>. On success, set <b>start_out</b> to the first
+ * character of the document, and <b>end_out</b> to a position one after the
+ * final character of the signed document, and return 0.  On failure, return
+ * -1. */
+int
+router_get_networkstatus_v3_signed_boundaries(const char *s,
+                                              const char **start_out,
+                                              const char **end_out)
+{
+  return router_get_hash_impl_helper(s, strlen(s),
+                                     "network-status-version",
+                                     "\ndirectory-signature",
+                                     ' ', LOG_INFO,
+                                     start_out, end_out);
+}
+
+/** Set <b>digest_out</b> to the SHA3-256 digest of the signed portion of the
+ * networkstatus vote in <b>s</b> -- or of the entirety of <b>s</b> if no
+ * signed portion can be identified.  Return 0 on success, -1 on failure. */
+int
+router_get_networkstatus_v3_sha3_as_signed(uint8_t *digest_out,
+                                           const char *s)
+{
+  const char *start, *end;
+  if (router_get_networkstatus_v3_signed_boundaries(s, &start, &end) < 0) {
+    start = s;
+    end = s + strlen(s);
+  }
+  tor_assert(start);
+  tor_assert(end);
+  return crypto_digest256((char*)digest_out, start, end-start,
+                          DIGEST_SHA3_256);
+}
+
 /** Set <b>digests</b> to all the digests of the consensus document in
  * <b>s</b> */
 int
@@ -1787,7 +1823,8 @@ router_parse_entry_from_string(const char *s, const char *end,
 
       if (router_get_hash_impl_helper(s, end-s, "router ",
                                       "\nrouter-sig-ed25519",
-                                      ' ', &signed_start, &signed_end) < 0) {
+                                      ' ', LOG_WARN,
+                                      &signed_start, &signed_end) < 0) {
         log_warn(LD_DIR, "Can't find ed25519-signed portion of descriptor");
         goto err;
       }
@@ -2140,7 +2177,8 @@ extrainfo_parse_entry_from_string(const char *s, const char *end,
 
       if (router_get_hash_impl_helper(s, end-s, "extra-info ",
                                       "\nrouter-sig-ed25519",
-                                      ' ', &signed_start, &signed_end) < 0) {
+                                      ' ', LOG_WARN,
+                                      &signed_start, &signed_end) < 0) {
         log_warn(LD_DIR, "Can't find ed25519-signed portion of extrainfo");
         goto err;
       }
@@ -4471,16 +4509,18 @@ static int
 router_get_hash_impl_helper(const char *s, size_t s_len,
                             const char *start_str,
                             const char *end_str, char end_c,
+                            int log_severity,
                             const char **start_out, const char **end_out)
 {
   const char *start, *end;
   start = tor_memstr(s, s_len, start_str);
   if (!start) {
-    log_warn(LD_DIR,"couldn't find start of hashed material \"%s\"",start_str);
+    log_fn(log_severity,LD_DIR,
+           "couldn't find start of hashed material \"%s\"",start_str);
     return -1;
   }
   if (start != s && *(start-1) != '\n') {
-    log_warn(LD_DIR,
+    log_fn(log_severity,LD_DIR,
              "first occurrence of \"%s\" is not at the start of a line",
              start_str);
     return -1;
@@ -4488,12 +4528,14 @@ router_get_hash_impl_helper(const char *s, size_t s_len,
   end = tor_memstr(start+strlen(start_str),
                    s_len - (start-s) - strlen(start_str), end_str);
   if (!end) {
-    log_warn(LD_DIR,"couldn't find end of hashed material \"%s\"",end_str);
+    log_fn(log_severity,LD_DIR,
+           "couldn't find end of hashed material \"%s\"",end_str);
     return -1;
   }
   end = memchr(end+strlen(end_str), end_c, s_len - (end-s) - strlen(end_str));
   if (!end) {
-    log_warn(LD_DIR,"couldn't find EOL");
+    log_fn(log_severity,LD_DIR,
+           "couldn't find EOL");
     return -1;
   }
   ++end;
@@ -4517,7 +4559,7 @@ router_get_hash_impl(const char *s, size_t s_len, char *digest,
                      digest_algorithm_t alg)
 {
   const char *start=NULL, *end=NULL;
-  if (router_get_hash_impl_helper(s,s_len,start_str,end_str,end_c,
+  if (router_get_hash_impl_helper(s,s_len,start_str,end_str,end_c,LOG_WARN,
                                   &start,&end)<0)
     return -1;
 
@@ -4554,7 +4596,7 @@ router_get_hashes_impl(const char *s, size_t s_len, common_digests_t *digests,
                        const char *end_str, char end_c)
 {
   const char *start=NULL, *end=NULL;
-  if (router_get_hash_impl_helper(s,s_len,start_str,end_str,end_c,
+  if (router_get_hash_impl_helper(s,s_len,start_str,end_str,end_c,LOG_WARN,
                                   &start,&end)<0)
     return -1;
 

src/or/routerparse.h

@@ -16,6 +16,11 @@ int router_get_router_hash(const char *s, size_t s_len, char *digest);
 int router_get_dir_hash(const char *s, char *digest);
 int router_get_networkstatus_v3_hashes(const char *s,
                                        common_digests_t *digests);
+int router_get_networkstatus_v3_signed_boundaries(const char *s,
+                                                  const char **start_out,
+                                                  const char **end_out);
+int router_get_networkstatus_v3_sha3_as_signed(uint8_t *digest_out,
+                                               const char *s);
 int router_get_extrainfo_hash(const char *s, size_t s_len, char *digest);
 #define DIROBJ_MAX_SIG_LEN 256
 char *router_get_dirobj_signature(const char *digest,

src/test/fuzz/fuzz_diff.c

@@ -21,6 +21,7 @@ int
 fuzz_init(void)
 {
   MOCK(consensus_compute_digest, mock_consensus_compute_digest_);
+  MOCK(consensus_compute_digest_as_signed, mock_consensus_compute_digest_);
   return 0;
 }
 
@@ -28,6 +29,7 @@ int
 fuzz_cleanup(void)
 {
   UNMOCK(consensus_compute_digest);
+  UNMOCK(consensus_compute_digest_as_signed);
   return 0;
 }
 

src/test/test_consdiff.c

@@ -709,6 +709,16 @@ test_consdiff_apply_ed_diff(void *arg)
 
   smartlist_clear(diff);
 
+  /* $ for a non-delete command. */
+  smartlist_add_linecpy(diff, area, "1,$c");
+  mock_clean_saved_logs();
+  cons2 = apply_ed_diff(cons1, diff, 0);
+  tt_ptr_op(NULL, OP_EQ, cons2);
+  expect_single_log_msg_containing("it wanted to use $ with a command "
+                                   "other than delete");
+
+  smartlist_clear(diff);
+
   /* Script is not in reverse order. */
   smartlist_add_linecpy(diff, area, "1d");
   smartlist_add_linecpy(diff, area, "3d");
@@ -907,7 +917,7 @@ test_consdiff_gen_diff(void *arg)
       );
 
   tt_int_op(0, OP_EQ,
-      consensus_compute_digest(cons1_str, &digests1));
+      consensus_compute_digest_as_signed(cons1_str, &digests1));
   tt_int_op(0, OP_EQ,
       consensus_compute_digest(cons2_str, &digests2));
 
@@ -926,23 +936,29 @@ test_consdiff_gen_diff(void *arg)
       "directory-signature foo bar\nbar\n"
       );
   tt_int_op(0, OP_EQ,
-      consensus_compute_digest(cons1_str, &digests1));
+      consensus_compute_digest_as_signed(cons1_str, &digests1));
   smartlist_clear(cons1);
   consensus_split_lines(cons1, cons1_str, area);
   diff = consdiff_gen_diff(cons1, cons2, &digests1, &digests2, area);
   tt_ptr_op(NULL, OP_NE, diff);
-  tt_int_op(7, OP_EQ, smartlist_len(diff));
+  tt_int_op(11, OP_EQ, smartlist_len(diff));
   tt_assert(line_str_eq(smartlist_get(diff, 0),
                         "network-status-diff-version 1"));
   tt_assert(line_str_eq(smartlist_get(diff, 1), "hash "
-      "06646D6CF563A41869D3B02E73254372AE3140046C5E7D83C9F71E54976AF9B4 "
+      "95D70F5A3CC65F920AA8B44C4563D7781A082674329661884E19E94B79D539C2 "
       "7AFECEFA4599BA33D603653E3D2368F648DF4AC4723929B0F7CF39281596B0C1"));
-  tt_assert(line_str_eq(smartlist_get(diff, 2), "3,4d"));
-  tt_assert(line_str_eq(smartlist_get(diff, 3), "1a"));
-  tt_assert(line_str_eq(smartlist_get(diff, 4),
+  tt_assert(line_str_eq(smartlist_get(diff, 2), "6,$d"));
+  tt_assert(line_str_eq(smartlist_get(diff, 3), "3,4c"));
+  tt_assert(line_str_eq(smartlist_get(diff, 4), "bar"));
+  tt_assert(line_str_eq(smartlist_get(diff, 5),
+                        "directory-signature foo bar"));
+  tt_assert(line_str_eq(smartlist_get(diff, 6),
+                        "."));
+  tt_assert(line_str_eq(smartlist_get(diff, 7), "1a"));
+  tt_assert(line_str_eq(smartlist_get(diff, 8),
                         "r name aaaaaaaaaaaaaaaaa etc"));
-  tt_assert(line_str_eq(smartlist_get(diff, 5), "foo"));
-  tt_assert(line_str_eq(smartlist_get(diff, 6), "."));
+  tt_assert(line_str_eq(smartlist_get(diff, 9), "foo"));
+  tt_assert(line_str_eq(smartlist_get(diff, 10), "."));
 
   /* TODO: small real use-cases, i.e. consensuses. */
 

src/test/test_consdiffmgr.c

@@ -10,6 +10,7 @@
 #include "consdiffmgr.h"
 #include "cpuworker.h"
 #include "networkstatus.h"
+#include "routerparse.h"
 #include "workqueue.h"
 
 #include "test.h"
@@ -66,6 +67,7 @@ fake_ns_body_new(consensus_flavor_t flav, time_t valid_after)
 
   format_iso_time(valid_after_string, valid_after);
   char *random_stuff = crypto_random_hostname(3, 25, "junk ", "");
+  char *random_stuff2 = crypto_random_hostname(3, 10, "", "");
 
   char *consensus;
   tor_asprintf(&consensus,
@@ -74,11 +76,15 @@ fake_ns_body_new(consensus_flavor_t flav, time_t valid_after)
                "valid-after %s\n"
                "r name ccccccccccccccccc etc\nsample\n"
                "r name eeeeeeeeeeeeeeeee etc\nbar\n"
-               "%s\n",
+               "%s\n"
+               "directory-signature hello-there\n"
+               "directory-signature %s\n",
                flavor_string,
                valid_after_string,
-               random_stuff);
+               random_stuff,
+               random_stuff2);
   tor_free(random_stuff);
+  tor_free(random_stuff2);
   return consensus;
 }
 
@@ -139,7 +145,10 @@ lookup_diff_from(consensus_cache_entry_t **out,
                  const char *str1)
 {
   uint8_t digest[DIGEST256_LEN];
-  crypto_digest256((char*)digest, str1, strlen(str1), DIGEST_SHA3_256);
+  if (router_get_networkstatus_v3_sha3_as_signed(digest, str1)<0) {
+    TT_FAIL(("Unable to compute sha3-as-signed"));
+    return CONSDIFF_NOT_FOUND;
+  }
   return consdiffmgr_find_diff_from(out, flav,
                                     DIGEST_SHA3_256, digest, sizeof(digest),
                                     NO_METHOD);
@@ -152,8 +161,9 @@ lookup_apply_and_verify_diff(consensus_flavor_t flav,
 {
   consensus_cache_entry_t *ent = NULL;
   consdiff_status_t status = lookup_diff_from(&ent, flav, str1);
-  if (ent == NULL || status != CONSDIFF_AVAILABLE)
+  if (ent == NULL || status != CONSDIFF_AVAILABLE) {
     return -1;
+  }
 
   consensus_cache_entry_incref(ent);
   size_t size;
@@ -299,7 +309,7 @@ test_consdiffmgr_add(void *arg)
   ns_tmp->valid_after = 86400 * 100; /* A few months into 1970 */
   r = consdiffmgr_add_consensus(dummy, ns_tmp);
   tt_int_op(r, OP_EQ, -1);
-  expect_single_log_msg_containing("it's too old.");
+  expect_log_msg_containing("it's too old.");
 
   /* Try looking up a consensuses. */
   ent = cdm_cache_lookup_consensus(FLAV_NS, now-60);
@@ -352,8 +362,7 @@ test_consdiffmgr_make_diffs(void *arg)
   ns = fake_ns_new(FLAV_MICRODESC, now-3600);
   md_ns_body = fake_ns_body_new(FLAV_MICRODESC, now-3600);
   r = consdiffmgr_add_consensus(md_ns_body, ns);
-  crypto_digest256((char*)md_ns_sha3, md_ns_body, strlen(md_ns_body),
-                   DIGEST_SHA3_256);
+  router_get_networkstatus_v3_sha3_as_signed(md_ns_sha3, md_ns_body);
   networkstatus_vote_free(ns);
   tt_int_op(r, OP_EQ, 0);
 
@@ -419,7 +428,6 @@ test_consdiffmgr_diff_rules(void *arg)
 #define N 6
   char *md_body[N], *ns_body[N];
   networkstatus_t *md_ns[N], *ns_ns[N];
-  uint8_t md_ns_sha3[N][DIGEST256_LEN], ns_ns_sha3[N][DIGEST256_LEN];
   int i;
 
   MOCK(cpuworker_queue_work, mock_cpuworker_queue_work);
@@ -432,10 +440,6 @@ test_consdiffmgr_diff_rules(void *arg)
     ns_body[i] = fake_ns_body_new(FLAV_NS, when);
     md_ns[i] = fake_ns_new(FLAV_MICRODESC, when);
     ns_ns[i] = fake_ns_new(FLAV_NS, when);
-    crypto_digest256((char *)md_ns_sha3[i], md_body[i], strlen(md_body[i]),
-                     DIGEST_SHA3_256);
-    crypto_digest256((char *)ns_ns_sha3[i], ns_body[i], strlen(ns_body[i]),
-                     DIGEST_SHA3_256);
   }
 
   /* For the MD consensuses: add 4 of them, and make sure that
@@ -715,7 +719,6 @@ test_consdiffmgr_cleanup_old_diffs(void *arg)
 #define N 4
   char *md_body[N];
   networkstatus_t *md_ns[N];
-  uint8_t md_ns_sha3[N][DIGEST256_LEN];
   int i;
   consensus_cache_entry_t *hold_ent = NULL, *ent;
 
@@ -730,8 +733,6 @@ test_consdiffmgr_cleanup_old_diffs(void *arg)
     time_t when = start + i * 15;
     md_body[i] = fake_ns_body_new(FLAV_MICRODESC, when);
     md_ns[i] = fake_ns_new(FLAV_MICRODESC, when);
-    crypto_digest256((char *)md_ns_sha3[i], md_body[i], strlen(md_body[i]),
-                     DIGEST_SHA3_256);
   }
 
   /* add the first 3. */