shared_random.c 43 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334
  1. /* Copyright (c) 2016, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file shared_random.c
  5. *
  6. * \brief Functions and data structure needed to accomplish the shared
  7. * random protocol as defined in proposal #250.
  8. *
  9. * \details
  10. *
  11. * This file implements the dirauth-only commit-and-reveal protocol specified
  12. * by proposal #250. The protocol has two phases (sr_phase_t): the commitment
  13. * phase and the reveal phase (see get_sr_protocol_phase()).
  14. *
  15. * During the protocol, directory authorities keep state in memory (using
  16. * sr_state_t) and in disk (using sr_disk_state_t). The synchronization between
  17. * these two data structures happens in disk_state_update() and
  18. * disk_state_parse().
  19. *
  20. * Here is a rough protocol outline:
  21. *
  22. * 1) In the beginning of the commitment phase, dirauths generate a
  23. * commitment/reveal value for the current protocol run (see
  24. * new_protocol_run() and sr_generate_our_commit()).
  25. *
  26. * 2) During voting, dirauths publish their commits in their votes
  27. * depending on the current phase. Dirauths also include the two
  28. * latest shared random values (SRV) in their votes.
  29. * (see sr_get_string_for_vote())
  30. *
  31. * 3) Upon receiving a commit from a vote, authorities parse it, verify
  32. * it, and attempt to save any new commitment or reveal information in
  33. * their state file (see extract_shared_random_commits() and
  34. * sr_handle_received_commits()). They also parse SRVs from votes to
  35. * decide which SRV should be included in the final consensus (see
  36. * extract_shared_random_srvs()).
  37. *
  38. * 3) After voting is done, we count the SRVs we extracted from the votes,
  39. * to find the one voted by the majority of dirauths which should be
  40. * included in the final consensus (see get_majority_srv_from_votes()).
  41. * If an appropriate SRV is found, it is embedded in the consensus (see
  42. * sr_get_string_for_consensus()).
  43. *
  44. * 4) At the end of the reveal phase, dirauths compute a fresh SRV for the
  45. * day using the active commits (see sr_compute_srv()). This new SRV
  46. * is embedded in the votes as described above.
  47. *
  48. * Some more notes:
  49. *
  50. * - To support rebooting authorities and to avoid double voting, each dirauth
  51. * saves the current state of the protocol on disk so that it can resume
  52. * normally in case of reboot. The disk state (sr_disk_state_t) is managed by
  53. * shared_random_state.c:state_query() and we go to extra lengths to ensure
  54. * that the state is flushed on disk everytime we receive any useful
  55. * information like commits or SRVs.
  56. *
  57. * - When we receive a commit from a vote, we examine it to see if it's useful
  58. * to us and whether it's appropriate to receive it according to the current
  59. * phase of the protocol (see should_keep_commit()). If the commit is useful
  60. * to us, we save it in our disk state using save_commit_to_state(). When we
  61. * receive the reveal information corresponding to a commitment, we verify
  62. * that they indeed match using verify_commit_and_reveal().
  63. *
  64. * - We treat consensuses as the ground truth, so everytime we generate a new
  65. * consensus we update our SR state accordingly even if our local view was
  66. * different (see sr_act_post_consensus()).
  67. *
  68. * - After a consensus has been composed, the SR protocol state gets prepared
  69. * for the next voting session using sr_state_update(). That function takes
  70. * care of housekeeping and also rotates the SRVs and commits in case a new
  71. * protocol run is coming up. We also call sr_state_update() on bootup (in
  72. * sr_state_init()), to prepare the state for the very first voting session.
  73. *
  74. * Terminology:
  75. *
  76. * - "Commitment" is the commitment value of the commit-and-reveal protocol.
  77. *
  78. * - "Reveal" is the reveal value of the commit-and-reveal protocol.
  79. *
  80. * - "Commit" is a struct (sr_commit_t) that contains a commitment value and
  81. * optionally also a corresponding reveal value.
  82. *
  83. * - "SRV" is the Shared Random Value that gets generated as the result of the
  84. * commit-and-reveal protocol.
  85. **/
  86. #define SHARED_RANDOM_PRIVATE
  87. #include "or.h"
  88. #include "shared_random.h"
  89. #include "config.h"
  90. #include "confparse.h"
  91. #include "dirvote.h"
  92. #include "networkstatus.h"
  93. #include "routerkeys.h"
  94. #include "router.h"
  95. #include "routerlist.h"
  96. #include "shared_random_state.h"
  97. #include "util.h"
  98. /* String prefix of shared random values in votes/consensuses. */
  99. static const char previous_srv_str[] = "shared-rand-previous-value";
  100. static const char current_srv_str[] = "shared-rand-current-value";
  101. static const char commit_ns_str[] = "shared-rand-commit";
  102. static const char sr_flag_ns_str[] = "shared-rand-participate";
  103. /* Return a heap allocated copy of the SRV <b>orig</b>. */
  104. STATIC sr_srv_t *
  105. srv_dup(const sr_srv_t *orig)
  106. {
  107. sr_srv_t *dup = NULL;
  108. if (!orig) {
  109. return NULL;
  110. }
  111. dup = tor_malloc_zero(sizeof(sr_srv_t));
  112. dup->num_reveals = orig->num_reveals;
  113. memcpy(dup->value, orig->value, sizeof(dup->value));
  114. return dup;
  115. }
  116. /* Allocate a new commit object and initializing it with <b>rsa_identity</b>
  117. * that MUST be provided. The digest algorithm is set to the default one
  118. * that is supported. The rest is uninitialized. This never returns NULL. */
  119. static sr_commit_t *
  120. commit_new(const char *rsa_identity)
  121. {
  122. sr_commit_t *commit;
  123. tor_assert(rsa_identity);
  124. commit = tor_malloc_zero(sizeof(*commit));
  125. commit->alg = SR_DIGEST_ALG;
  126. memcpy(commit->rsa_identity, rsa_identity, sizeof(commit->rsa_identity));
  127. return commit;
  128. }
  129. /* Issue a log message describing <b>commit</b>. */
  130. static void
  131. commit_log(const sr_commit_t *commit)
  132. {
  133. tor_assert(commit);
  134. log_debug(LD_DIR, "SR: Commit from %s", sr_commit_get_rsa_fpr(commit));
  135. log_debug(LD_DIR, "SR: Commit: [TS: %" PRIu64 "] [Encoded: %s]",
  136. commit->commit_ts, commit->encoded_commit);
  137. log_debug(LD_DIR, "SR: Reveal: [TS: %" PRIu64 "] [Encoded: %s]",
  138. commit->reveal_ts, safe_str(commit->encoded_reveal));
  139. }
  140. /* Make sure that the commitment and reveal information in <b>commit</b>
  141. * match. If they match return 0, return -1 otherwise. This function MUST be
  142. * used everytime we receive a new reveal value. Furthermore, the commit
  143. * object MUST have a reveal value and the hash of the reveal value. */
  144. STATIC int
  145. verify_commit_and_reveal(const sr_commit_t *commit)
  146. {
  147. tor_assert(commit);
  148. log_debug(LD_DIR, "SR: Validating commit from authority %s",
  149. sr_commit_get_rsa_fpr(commit));
  150. /* Check that the timestamps match. */
  151. if (commit->commit_ts != commit->reveal_ts) {
  152. log_warn(LD_BUG, "SR: Commit timestamp %" PRIu64 " doesn't match reveal "
  153. "timestamp %" PRIu64, commit->commit_ts,
  154. commit->reveal_ts);
  155. goto invalid;
  156. }
  157. /* Verify that the hashed_reveal received in the COMMIT message, matches
  158. * the reveal we just received. */
  159. {
  160. /* We first hash the reveal we just received. */
  161. char received_hashed_reveal[sizeof(commit->hashed_reveal)];
  162. /* Only sha3-256 is supported. */
  163. if (commit->alg != SR_DIGEST_ALG) {
  164. goto invalid;
  165. }
  166. /* Use the invariant length since the encoded reveal variable has an
  167. * extra byte for the NUL terminated byte. */
  168. if (crypto_digest256(received_hashed_reveal, commit->encoded_reveal,
  169. SR_REVEAL_BASE64_LEN, commit->alg)) {
  170. /* Unable to digest the reveal blob, this is unlikely. */
  171. goto invalid;
  172. }
  173. /* Now compare that with the hashed_reveal we received in COMMIT. */
  174. if (fast_memneq(received_hashed_reveal, commit->hashed_reveal,
  175. sizeof(received_hashed_reveal))) {
  176. log_warn(LD_BUG, "SR: Received reveal value from authority %s "
  177. "does't match the commit value.",
  178. sr_commit_get_rsa_fpr(commit));
  179. goto invalid;
  180. }
  181. }
  182. return 0;
  183. invalid:
  184. return -1;
  185. }
  186. /* Return true iff the commit contains an encoded reveal value. */
  187. STATIC int
  188. commit_has_reveal_value(const sr_commit_t *commit)
  189. {
  190. return !tor_mem_is_zero(commit->encoded_reveal,
  191. sizeof(commit->encoded_reveal));
  192. }
  193. /* Parse the encoded commit. The format is:
  194. * base64-encode( TIMESTAMP || H(REVEAL) )
  195. *
  196. * If successfully decoded and parsed, commit is updated and 0 is returned.
  197. * On error, return -1. */
  198. STATIC int
  199. commit_decode(const char *encoded, sr_commit_t *commit)
  200. {
  201. int decoded_len = 0;
  202. size_t offset = 0;
  203. /* XXX: Needs two extra bytes for the base64 decode calculation matches
  204. * the binary length once decoded. #17868. */
  205. char b64_decoded[SR_COMMIT_LEN + 2];
  206. tor_assert(encoded);
  207. tor_assert(commit);
  208. if (strlen(encoded) > SR_COMMIT_BASE64_LEN) {
  209. /* This means that if we base64 decode successfully the reveiced commit,
  210. * we'll end up with a bigger decoded commit thus unusable. */
  211. goto error;
  212. }
  213. /* Decode our encoded commit. Let's be careful here since _encoded_ is
  214. * coming from the network in a dirauth vote so we expect nothing more
  215. * than the base64 encoded length of a commit. */
  216. decoded_len = base64_decode(b64_decoded, sizeof(b64_decoded),
  217. encoded, strlen(encoded));
  218. if (decoded_len < 0) {
  219. log_warn(LD_BUG, "SR: Commit from authority %s can't be decoded.",
  220. sr_commit_get_rsa_fpr(commit));
  221. goto error;
  222. }
  223. if (decoded_len != SR_COMMIT_LEN) {
  224. log_warn(LD_BUG, "SR: Commit from authority %s decoded length doesn't "
  225. "match the expected length (%d vs %d).",
  226. sr_commit_get_rsa_fpr(commit), decoded_len, SR_COMMIT_LEN);
  227. goto error;
  228. }
  229. /* First is the timestamp (8 bytes). */
  230. commit->commit_ts = tor_ntohll(get_uint64(b64_decoded));
  231. offset += sizeof(uint64_t);
  232. /* Next is hashed reveal. */
  233. memcpy(commit->hashed_reveal, b64_decoded + offset,
  234. sizeof(commit->hashed_reveal));
  235. /* Copy the base64 blob to the commit. Useful for voting. */
  236. strlcpy(commit->encoded_commit, encoded, sizeof(commit->encoded_commit));
  237. return 0;
  238. error:
  239. return -1;
  240. }
  241. /* Parse the b64 blob at <b>encoded</b> containing reveal information and
  242. * store the information in-place in <b>commit</b>. Return 0 on success else
  243. * a negative value. */
  244. STATIC int
  245. reveal_decode(const char *encoded, sr_commit_t *commit)
  246. {
  247. int decoded_len = 0;
  248. /* XXX: Needs two extra bytes for the base64 decode calculation matches
  249. * the binary length once decoded. #17868. */
  250. char b64_decoded[SR_REVEAL_LEN + 2];
  251. tor_assert(encoded);
  252. tor_assert(commit);
  253. if (strlen(encoded) > SR_REVEAL_BASE64_LEN) {
  254. /* This means that if we base64 decode successfully the received reveal
  255. * value, we'll end up with a bigger decoded value thus unusable. */
  256. goto error;
  257. }
  258. /* Decode our encoded reveal. Let's be careful here since _encoded_ is
  259. * coming from the network in a dirauth vote so we expect nothing more
  260. * than the base64 encoded length of our reveal. */
  261. decoded_len = base64_decode(b64_decoded, sizeof(b64_decoded),
  262. encoded, strlen(encoded));
  263. if (decoded_len < 0) {
  264. log_warn(LD_BUG, "SR: Reveal from authority %s can't be decoded.",
  265. sr_commit_get_rsa_fpr(commit));
  266. goto error;
  267. }
  268. if (decoded_len != SR_REVEAL_LEN) {
  269. log_warn(LD_BUG, "SR: Reveal from authority %s decoded length is "
  270. "doesn't match the expected length (%d vs %d)",
  271. sr_commit_get_rsa_fpr(commit), decoded_len, SR_REVEAL_LEN);
  272. goto error;
  273. }
  274. commit->reveal_ts = tor_ntohll(get_uint64(b64_decoded));
  275. /* Copy the last part, the random value. */
  276. memcpy(commit->random_number, b64_decoded + 8,
  277. sizeof(commit->random_number));
  278. /* Also copy the whole message to use during verification */
  279. strlcpy(commit->encoded_reveal, encoded, sizeof(commit->encoded_reveal));
  280. return 0;
  281. error:
  282. return -1;
  283. }
  284. /* Encode a reveal element using a given commit object to dst which is a
  285. * buffer large enough to put the base64-encoded reveal construction. The
  286. * format is as follow:
  287. * REVEAL = base64-encode( TIMESTAMP || H(RN) )
  288. * Return base64 encoded length on success else a negative value.
  289. */
  290. STATIC int
  291. reveal_encode(const sr_commit_t *commit, char *dst, size_t len)
  292. {
  293. int ret;
  294. size_t offset = 0;
  295. char buf[SR_REVEAL_LEN] = {0};
  296. tor_assert(commit);
  297. tor_assert(dst);
  298. set_uint64(buf, tor_htonll(commit->reveal_ts));
  299. offset += sizeof(uint64_t);
  300. memcpy(buf + offset, commit->random_number,
  301. sizeof(commit->random_number));
  302. /* Let's clean the buffer and then b64 encode it. */
  303. memset(dst, 0, len);
  304. ret = base64_encode(dst, len, buf, sizeof(buf), 0);
  305. /* Wipe this buffer because it contains our random value. */
  306. memwipe(buf, 0, sizeof(buf));
  307. return ret;
  308. }
  309. /* Encode the given commit object to dst which is a buffer large enough to
  310. * put the base64-encoded commit. The format is as follow:
  311. * COMMIT = base64-encode( TIMESTAMP || H(H(RN)) )
  312. * Return base64 encoded length on success else a negative value.
  313. */
  314. STATIC int
  315. commit_encode(const sr_commit_t *commit, char *dst, size_t len)
  316. {
  317. size_t offset = 0;
  318. char buf[SR_COMMIT_LEN] = {0};
  319. tor_assert(commit);
  320. tor_assert(dst);
  321. /* First is the timestamp (8 bytes). */
  322. set_uint64(buf, tor_htonll(commit->commit_ts));
  323. offset += sizeof(uint64_t);
  324. /* and then the hashed reveal. */
  325. memcpy(buf + offset, commit->hashed_reveal,
  326. sizeof(commit->hashed_reveal));
  327. /* Clean the buffer and then b64 encode it. */
  328. memset(dst, 0, len);
  329. return base64_encode(dst, len, buf, sizeof(buf), 0);
  330. }
  331. /* Cleanup both our global state and disk state. */
  332. static void
  333. sr_cleanup(void)
  334. {
  335. sr_state_free();
  336. }
  337. /* Using <b>commit</b>, return a newly allocated string containing the commit
  338. * information that should be used during SRV calculation. It's the caller
  339. * responsibility to free the memory. Return NULL if this is not a commit to be
  340. * used for SRV calculation. */
  341. static char *
  342. get_srv_element_from_commit(const sr_commit_t *commit)
  343. {
  344. char *element;
  345. tor_assert(commit);
  346. if (!commit_has_reveal_value(commit)) {
  347. return NULL;
  348. }
  349. tor_asprintf(&element, "%s%s", sr_commit_get_rsa_fpr(commit),
  350. commit->encoded_reveal);
  351. return element;
  352. }
  353. /* Return a srv object that is built with the construction:
  354. * SRV = SHA3-256("shared-random" | INT_8(reveal_num) |
  355. * INT_8(version) | HASHED_REVEALS | previous_SRV)
  356. * This function cannot fail. */
  357. static sr_srv_t *
  358. generate_srv(const char *hashed_reveals, uint8_t reveal_num,
  359. const sr_srv_t *previous_srv)
  360. {
  361. char msg[DIGEST256_LEN + SR_SRV_MSG_LEN] = {0};
  362. size_t offset = 0;
  363. sr_srv_t *srv;
  364. tor_assert(hashed_reveals);
  365. /* Add the invariant token. */
  366. memcpy(msg, SR_SRV_TOKEN, SR_SRV_TOKEN_LEN);
  367. offset += SR_SRV_TOKEN_LEN;
  368. set_uint8(msg + offset, reveal_num);
  369. offset += 1;
  370. set_uint8(msg + offset, SR_PROTO_VERSION);
  371. offset += 1;
  372. memcpy(msg + offset, hashed_reveals, DIGEST256_LEN);
  373. offset += DIGEST256_LEN;
  374. if (previous_srv != NULL) {
  375. memcpy(msg + offset, previous_srv->value, sizeof(previous_srv->value));
  376. }
  377. /* Ok we have our message and key for the HMAC computation, allocate our
  378. * srv object and do the last step. */
  379. srv = tor_malloc_zero(sizeof(*srv));
  380. crypto_digest256((char *) srv->value, msg, sizeof(msg), SR_DIGEST_ALG);
  381. srv->num_reveals = reveal_num;
  382. {
  383. /* Debugging. */
  384. char srv_hash_encoded[SR_SRV_VALUE_BASE64_LEN + 1];
  385. sr_srv_encode(srv_hash_encoded, sizeof(srv_hash_encoded), srv);
  386. log_debug(LD_DIR, "SR: Generated SRV: %s", srv_hash_encoded);
  387. }
  388. return srv;
  389. }
  390. /* Compare reveal values and return the result. This should exclusively be
  391. * used by smartlist_sort(). */
  392. static int
  393. compare_reveal_(const void **_a, const void **_b)
  394. {
  395. const sr_commit_t *a = *_a, *b = *_b;
  396. return fast_memcmp(a->hashed_reveal, b->hashed_reveal,
  397. sizeof(a->hashed_reveal));
  398. }
  399. /* Given <b>commit</b> give the line that we should place in our votes.
  400. * It's the responsibility of the caller to free the string. */
  401. static char *
  402. get_vote_line_from_commit(const sr_commit_t *commit, sr_phase_t phase)
  403. {
  404. char *vote_line = NULL;
  405. switch (phase) {
  406. case SR_PHASE_COMMIT:
  407. tor_asprintf(&vote_line, "%s %u %s %s %s\n",
  408. commit_ns_str,
  409. SR_PROTO_VERSION,
  410. crypto_digest_algorithm_get_name(commit->alg),
  411. sr_commit_get_rsa_fpr(commit),
  412. commit->encoded_commit);
  413. break;
  414. case SR_PHASE_REVEAL:
  415. {
  416. /* Send a reveal value for this commit if we have one. */
  417. const char *reveal_str = commit->encoded_reveal;
  418. if (tor_mem_is_zero(commit->encoded_reveal,
  419. sizeof(commit->encoded_reveal))) {
  420. reveal_str = "";
  421. }
  422. tor_asprintf(&vote_line, "%s %u %s %s %s %s\n",
  423. commit_ns_str,
  424. SR_PROTO_VERSION,
  425. crypto_digest_algorithm_get_name(commit->alg),
  426. sr_commit_get_rsa_fpr(commit),
  427. commit->encoded_commit, reveal_str);
  428. break;
  429. }
  430. default:
  431. tor_assert(0);
  432. }
  433. log_debug(LD_DIR, "SR: Commit vote line: %s", vote_line);
  434. return vote_line;
  435. }
  436. /* Return a heap allocated string that contains the given <b>srv</b> string
  437. * representation formatted for a networkstatus document using the
  438. * <b>key</b> as the start of the line. This doesn't return NULL. */
  439. static char *
  440. srv_to_ns_string(const sr_srv_t *srv, const char *key)
  441. {
  442. char *srv_str;
  443. char srv_hash_encoded[SR_SRV_VALUE_BASE64_LEN + 1];
  444. tor_assert(srv);
  445. tor_assert(key);
  446. sr_srv_encode(srv_hash_encoded, sizeof(srv_hash_encoded), srv);
  447. tor_asprintf(&srv_str, "%s %d %s\n", key,
  448. srv->num_reveals, srv_hash_encoded);
  449. log_debug(LD_DIR, "SR: Consensus SRV line: %s", srv_str);
  450. return srv_str;
  451. }
  452. /* Given the previous SRV and the current SRV, return a heap allocated
  453. * string with their data that could be put in a vote or a consensus. Caller
  454. * must free the returned string. Return NULL if no SRVs were provided. */
  455. static char *
  456. get_ns_str_from_sr_values(const sr_srv_t *prev_srv, const sr_srv_t *cur_srv)
  457. {
  458. smartlist_t *chunks = NULL;
  459. char *srv_str;
  460. if (!prev_srv && !cur_srv) {
  461. return NULL;
  462. }
  463. chunks = smartlist_new();
  464. if (prev_srv) {
  465. char *srv_line = srv_to_ns_string(prev_srv, previous_srv_str);
  466. smartlist_add(chunks, srv_line);
  467. }
  468. if (cur_srv) {
  469. char *srv_line = srv_to_ns_string(cur_srv, current_srv_str);
  470. smartlist_add(chunks, srv_line);
  471. }
  472. /* Join the line(s) here in one string to return. */
  473. srv_str = smartlist_join_strings(chunks, "", 0, NULL);
  474. SMARTLIST_FOREACH(chunks, char *, s, tor_free(s));
  475. smartlist_free(chunks);
  476. return srv_str;
  477. }
  478. /* Return 1 iff the two commits have the same commitment values. This
  479. * function does not care about reveal values. */
  480. STATIC int
  481. commitments_are_the_same(const sr_commit_t *commit_one,
  482. const sr_commit_t *commit_two)
  483. {
  484. tor_assert(commit_one);
  485. tor_assert(commit_two);
  486. if (strcmp(commit_one->encoded_commit, commit_two->encoded_commit)) {
  487. return 0;
  488. }
  489. return 1;
  490. }
  491. /* We just received a commit from the vote of authority with
  492. * <b>identity_digest</b>. Return 1 if this commit is authorititative that
  493. * is, it belongs to the authority that voted it. Else return 0 if not. */
  494. STATIC int
  495. commit_is_authoritative(const sr_commit_t *commit,
  496. const char *voter_key)
  497. {
  498. tor_assert(commit);
  499. tor_assert(voter_key);
  500. return !memcmp(commit->rsa_identity, voter_key,
  501. sizeof(commit->rsa_identity));
  502. }
  503. /* Decide if the newly received <b>commit</b> should be kept depending on
  504. * the current phase and state of the protocol. The <b>voter_key</b> is the
  505. * RSA identity key fingerprint of the authority's vote from which the
  506. * commit comes from. The <b>phase</b> is the phase we should be validating
  507. * the commit for. Return 1 if the commit should be added to our state or 0
  508. * if not. */
  509. STATIC int
  510. should_keep_commit(const sr_commit_t *commit, const char *voter_key,
  511. sr_phase_t phase)
  512. {
  513. sr_commit_t *saved_commit;
  514. tor_assert(commit);
  515. tor_assert(voter_key);
  516. log_debug(LD_DIR, "SR: Inspecting commit from %s (voter: %s)?",
  517. sr_commit_get_rsa_fpr(commit),
  518. hex_str(voter_key, DIGEST_LEN));
  519. /* For a commit to be considered, it needs to be authoritative (it should
  520. * be the voter's own commit). */
  521. if (!commit_is_authoritative(commit, voter_key)) {
  522. log_debug(LD_DIR, "SR: Ignoring non-authoritative commit.");
  523. goto ignore;
  524. }
  525. /* Let's make sure, for extra safety, that this fingerprint is known to
  526. * us. Even though this comes from a vote, doesn't hurt to be
  527. * extracareful. */
  528. if (trusteddirserver_get_by_v3_auth_digest(commit->rsa_identity) == NULL) {
  529. log_warn(LD_DIR, "SR: Fingerprint %s is not from a recognized "
  530. "authority. Discarding commit.",
  531. escaped(commit->rsa_identity));
  532. goto ignore;
  533. }
  534. /* Check if the authority that voted for <b>commit</b> has already posted
  535. * a commit before. */
  536. saved_commit = sr_state_get_commit(commit->rsa_identity);
  537. switch (phase) {
  538. case SR_PHASE_COMMIT:
  539. /* Already having a commit for an authority so ignore this one. */
  540. if (saved_commit) {
  541. log_debug(LD_DIR, "SR: Ignoring known commit during COMMIT phase.");
  542. goto ignore;
  543. }
  544. /* A commit with a reveal value during commitment phase is very wrong. */
  545. if (commit_has_reveal_value(commit)) {
  546. log_warn(LD_DIR, "SR: Commit from authority %s has a reveal value "
  547. "during COMMIT phase. (voter: %s)",
  548. sr_commit_get_rsa_fpr(commit),
  549. hex_str(voter_key, DIGEST_LEN));
  550. goto ignore;
  551. }
  552. break;
  553. case SR_PHASE_REVEAL:
  554. /* We are now in reveal phase. We keep a commit if and only if:
  555. *
  556. * - We have already seen a commit by this auth, AND
  557. * - the saved commit has the same commitment value as this one, AND
  558. * - the saved commit has no reveal information, AND
  559. * - this commit does have reveal information, AND
  560. * - the reveal & commit information are matching.
  561. *
  562. * If all the above are true, then we are interested in this new commit
  563. * for its reveal information. */
  564. if (!saved_commit) {
  565. log_debug(LD_DIR, "SR: Ignoring commit first seen in reveal phase.");
  566. goto ignore;
  567. }
  568. if (!commitments_are_the_same(commit, saved_commit)) {
  569. log_warn(LD_DIR, "SR: Commit from authority %s is different from "
  570. "previous commit in our state (voter: %s)",
  571. sr_commit_get_rsa_fpr(commit),
  572. hex_str(voter_key, DIGEST_LEN));
  573. goto ignore;
  574. }
  575. if (commit_has_reveal_value(saved_commit)) {
  576. log_debug(LD_DIR, "SR: Ignoring commit with known reveal info.");
  577. goto ignore;
  578. }
  579. if (!commit_has_reveal_value(commit)) {
  580. log_debug(LD_DIR, "SR: Ignoring commit without reveal value.");
  581. goto ignore;
  582. }
  583. if (verify_commit_and_reveal(commit) < 0) {
  584. log_warn(LD_BUG, "SR: Commit from authority %s has an invalid "
  585. "reveal value. (voter: %s)",
  586. sr_commit_get_rsa_fpr(commit),
  587. hex_str(voter_key, DIGEST_LEN));
  588. goto ignore;
  589. }
  590. break;
  591. default:
  592. tor_assert(0);
  593. }
  594. return 1;
  595. ignore:
  596. return 0;
  597. }
  598. /* We are in reveal phase and we found a valid and verified <b>commit</b> in
  599. * a vote that contains reveal values that we could use. Update the commit
  600. * we have in our state. Never call this with an unverified commit. */
  601. STATIC void
  602. save_commit_during_reveal_phase(const sr_commit_t *commit)
  603. {
  604. sr_commit_t *saved_commit;
  605. tor_assert(commit);
  606. /* Get the commit from our state. */
  607. saved_commit = sr_state_get_commit(commit->rsa_identity);
  608. tor_assert(saved_commit);
  609. /* Safety net. They can not be different commitments at this point. */
  610. int same_commits = commitments_are_the_same(commit, saved_commit);
  611. tor_assert(same_commits);
  612. /* Copy reveal information to our saved commit. */
  613. sr_state_copy_reveal_info(saved_commit, commit);
  614. }
  615. /* Save <b>commit</b> to our persistent state. Depending on the current
  616. * phase, different actions are taken. Steals reference of <b>commit</b>.
  617. * The commit object MUST be valid and verified before adding it to the
  618. * state. */
  619. STATIC void
  620. save_commit_to_state(sr_commit_t *commit)
  621. {
  622. sr_phase_t phase = sr_state_get_phase();
  623. ASSERT_COMMIT_VALID(commit);
  624. switch (phase) {
  625. case SR_PHASE_COMMIT:
  626. /* During commit phase, just save any new authoritative commit */
  627. sr_state_add_commit(commit);
  628. break;
  629. case SR_PHASE_REVEAL:
  630. save_commit_during_reveal_phase(commit);
  631. sr_commit_free(commit);
  632. break;
  633. default:
  634. tor_assert(0);
  635. }
  636. }
  637. /* Return the number of required participants of the SR protocol. This is based
  638. * on a consensus params. */
  639. static int
  640. get_n_voters_for_srv_agreement(void)
  641. {
  642. int num_dirauths = get_n_authorities(V3_DIRINFO);
  643. /* If the params is not found, default value should always be the maximum
  644. * number of trusted authorities. Let's not take any chances. */
  645. return networkstatus_get_param(NULL, "AuthDirNumSRVAgreements",
  646. num_dirauths, 1, num_dirauths);
  647. }
  648. /* Return 1 if we should we keep an SRV voted by <b>n_agreements</b> auths.
  649. * Return 0 if we should ignore it. */
  650. static int
  651. should_keep_srv(int n_agreements)
  652. {
  653. /* Check if the most popular SRV has reached majority. */
  654. int n_voters = get_n_authorities(V3_DIRINFO);
  655. int votes_required_for_majority = (n_voters / 2) + 1;
  656. /* We need at the very least majority to keep a value. */
  657. if (n_agreements < votes_required_for_majority) {
  658. log_notice(LD_DIR, "SR: SRV didn't reach majority [%d/%d]!",
  659. n_agreements, votes_required_for_majority);
  660. return 0;
  661. }
  662. /* When we just computed a new SRV, we need to have super majority in order
  663. * to keep it. */
  664. if (sr_state_srv_is_fresh()) {
  665. /* Check if we have super majority for this new SRV value. */
  666. int num_required_agreements = get_n_voters_for_srv_agreement();
  667. if (n_agreements < num_required_agreements) {
  668. log_notice(LD_DIR, "SR: New SRV didn't reach agreement [%d/%d]!",
  669. n_agreements, num_required_agreements);
  670. return 0;
  671. }
  672. }
  673. return 1;
  674. }
  675. /* Helper: compare two DIGEST256_LEN digests. */
  676. static int
  677. compare_srvs_(const void **_a, const void **_b)
  678. {
  679. const sr_srv_t *a = *_a, *b = *_b;
  680. return tor_memcmp(a->value, b->value, sizeof(a->value));
  681. }
  682. /* Return the most frequent member of the sorted list of DIGEST256_LEN
  683. * digests in <b>sl</b> with the count of that most frequent element. */
  684. static sr_srv_t *
  685. smartlist_get_most_frequent_srv(const smartlist_t *sl, int *count_out)
  686. {
  687. return smartlist_get_most_frequent_(sl, compare_srvs_, count_out);
  688. }
  689. /** Compare two SRVs. Used in smartlist sorting. */
  690. static int
  691. compare_srv_(const void **_a, const void **_b)
  692. {
  693. const sr_srv_t *a = *_a, *b = *_b;
  694. return fast_memcmp(a->value, b->value,
  695. sizeof(a->value));
  696. }
  697. /* Using a list of <b>votes</b>, return the SRV object from them that has
  698. * been voted by the majority of dirauths. If <b>current</b> is set, we look
  699. * for the current SRV value else the previous one. The returned pointer is
  700. * an object located inside a vote. NULL is returned if no appropriate value
  701. * could be found. */
  702. STATIC sr_srv_t *
  703. get_majority_srv_from_votes(const smartlist_t *votes, int current)
  704. {
  705. int count = 0;
  706. sr_srv_t *most_frequent_srv = NULL;
  707. sr_srv_t *the_srv = NULL;
  708. smartlist_t *srv_list;
  709. tor_assert(votes);
  710. srv_list = smartlist_new();
  711. /* Walk over votes and register any SRVs found. */
  712. SMARTLIST_FOREACH_BEGIN(votes, networkstatus_t *, v) {
  713. sr_srv_t *srv_tmp = NULL;
  714. if (!v->sr_info.participate) {
  715. /* Ignore vote that do not participate. */
  716. continue;
  717. }
  718. /* Do we want previous or current SRV? */
  719. srv_tmp = current ? v->sr_info.current_srv : v->sr_info.previous_srv;
  720. if (!srv_tmp) {
  721. continue;
  722. }
  723. smartlist_add(srv_list, srv_tmp);
  724. } SMARTLIST_FOREACH_END(v);
  725. smartlist_sort(srv_list, compare_srv_);
  726. most_frequent_srv = smartlist_get_most_frequent_srv(srv_list, &count);
  727. if (!most_frequent_srv) {
  728. goto end;
  729. }
  730. /* Was this SRV voted by enough auths for us to keep it? */
  731. if (!should_keep_srv(count)) {
  732. goto end;
  733. }
  734. /* We found an SRV that we can use! Habemus SRV! */
  735. the_srv = most_frequent_srv;
  736. {
  737. /* Debugging */
  738. char encoded[SR_SRV_VALUE_BASE64_LEN + 1];
  739. sr_srv_encode(encoded, sizeof(encoded), the_srv);
  740. log_debug(LD_DIR, "SR: Chosen SRV by majority: %s (%d votes)", encoded,
  741. count);
  742. }
  743. end:
  744. /* We do not free any sr_srv_t values, we don't have the ownership. */
  745. smartlist_free(srv_list);
  746. return the_srv;
  747. }
  748. /* Encode the given shared random value and put it in dst. Destination
  749. * buffer must be at least SR_SRV_VALUE_BASE64_LEN plus the NULL byte. */
  750. void
  751. sr_srv_encode(char *dst, size_t dst_len, const sr_srv_t *srv)
  752. {
  753. int ret;
  754. /* Extra byte for the NULL terminated char. */
  755. char buf[SR_SRV_VALUE_BASE64_LEN + 1];
  756. tor_assert(dst);
  757. tor_assert(srv);
  758. tor_assert(dst_len >= sizeof(buf));
  759. ret = base64_encode(buf, sizeof(buf), (const char *) srv->value,
  760. sizeof(srv->value), 0);
  761. /* Always expect the full length without the NULL byte. */
  762. tor_assert(ret == (sizeof(buf) - 1));
  763. tor_assert(ret <= (int) dst_len);
  764. strlcpy(dst, buf, dst_len);
  765. }
  766. /* Free a commit object. */
  767. void
  768. sr_commit_free(sr_commit_t *commit)
  769. {
  770. if (commit == NULL) {
  771. return;
  772. }
  773. /* Make sure we do not leave OUR random number in memory. */
  774. memwipe(commit->random_number, 0, sizeof(commit->random_number));
  775. tor_free(commit);
  776. }
  777. /* Generate the commitment/reveal value for the protocol run starting at
  778. * <b>timestamp</b>. <b>my_rsa_cert</b> is our authority RSA certificate. */
  779. sr_commit_t *
  780. sr_generate_our_commit(time_t timestamp, const authority_cert_t *my_rsa_cert)
  781. {
  782. sr_commit_t *commit = NULL;
  783. char digest[DIGEST_LEN];
  784. tor_assert(my_rsa_cert);
  785. /* Get our RSA identity fingerprint */
  786. if (crypto_pk_get_digest(my_rsa_cert->identity_key, digest) < 0) {
  787. goto error;
  788. }
  789. /* New commit with our identity key. */
  790. commit = commit_new(digest);
  791. /* Generate the reveal random value */
  792. crypto_strongest_rand(commit->random_number,
  793. sizeof(commit->random_number));
  794. commit->commit_ts = commit->reveal_ts = timestamp;
  795. /* Now get the base64 blob that corresponds to our reveal */
  796. if (reveal_encode(commit, commit->encoded_reveal,
  797. sizeof(commit->encoded_reveal)) < 0) {
  798. log_err(LD_DIR, "SR: Unable to encode our reveal value!");
  799. goto error;
  800. }
  801. /* Now let's create the commitment */
  802. tor_assert(commit->alg == SR_DIGEST_ALG);
  803. /* The invariant length is used here since the encoded reveal variable
  804. * has an extra byte added for the NULL terminated byte. */
  805. if (crypto_digest256(commit->hashed_reveal, commit->encoded_reveal,
  806. SR_REVEAL_BASE64_LEN, commit->alg)) {
  807. goto error;
  808. }
  809. /* Now get the base64 blob that corresponds to our commit. */
  810. if (commit_encode(commit, commit->encoded_commit,
  811. sizeof(commit->encoded_commit)) < 0) {
  812. log_err(LD_DIR, "SR: Unable to encode our commit value!");
  813. goto error;
  814. }
  815. log_debug(LD_DIR, "SR: Generated our commitment:");
  816. commit_log(commit);
  817. /* Our commit better be valid :). */
  818. commit->valid = 1;
  819. return commit;
  820. error:
  821. sr_commit_free(commit);
  822. return NULL;
  823. }
  824. /* Compute the shared random value based on the active commits in our state. */
  825. void
  826. sr_compute_srv(void)
  827. {
  828. size_t reveal_num = 0;
  829. char *reveals = NULL;
  830. smartlist_t *chunks, *commits;
  831. digestmap_t *state_commits;
  832. /* Computing a shared random value in the commit phase is very wrong. This
  833. * should only happen at the very end of the reveal phase when a new
  834. * protocol run is about to start. */
  835. tor_assert(sr_state_get_phase() == SR_PHASE_REVEAL);
  836. state_commits = sr_state_get_commits();
  837. commits = smartlist_new();
  838. chunks = smartlist_new();
  839. /* We must make a list of commit ordered by authority fingerprint in
  840. * ascending order as specified by proposal 250. */
  841. DIGESTMAP_FOREACH(state_commits, key, sr_commit_t *, c) {
  842. /* Extra safety net, make sure we have valid commit before using it. */
  843. ASSERT_COMMIT_VALID(c);
  844. /* Let's not use a commit from an authority that we don't know. It's
  845. * possible that an authority could be removed during a protocol run so
  846. * that commit value should never be used in the SRV computation. */
  847. if (trusteddirserver_get_by_v3_auth_digest(c->rsa_identity) == NULL) {
  848. log_warn(LD_DIR, "SR: Fingerprint %s is not from a recognized "
  849. "authority. Discarding commit for the SRV computation.",
  850. sr_commit_get_rsa_fpr(c));
  851. continue;
  852. }
  853. /* We consider this commit valid. */
  854. smartlist_add(commits, c);
  855. } DIGESTMAP_FOREACH_END;
  856. smartlist_sort(commits, compare_reveal_);
  857. /* Now for each commit for that sorted list in ascending order, we'll
  858. * build the element for each authority that needs to go into the srv
  859. * computation. */
  860. SMARTLIST_FOREACH_BEGIN(commits, const sr_commit_t *, c) {
  861. char *element = get_srv_element_from_commit(c);
  862. if (element) {
  863. smartlist_add(chunks, element);
  864. reveal_num++;
  865. }
  866. } SMARTLIST_FOREACH_END(c);
  867. smartlist_free(commits);
  868. {
  869. /* Join all reveal values into one giant string that we'll hash so we
  870. * can generated our shared random value. */
  871. sr_srv_t *current_srv;
  872. char hashed_reveals[DIGEST256_LEN];
  873. reveals = smartlist_join_strings(chunks, "", 0, NULL);
  874. SMARTLIST_FOREACH(chunks, char *, s, tor_free(s));
  875. smartlist_free(chunks);
  876. if (crypto_digest256(hashed_reveals, reveals, strlen(reveals),
  877. SR_DIGEST_ALG)) {
  878. goto end;
  879. }
  880. tor_assert(reveal_num < UINT8_MAX);
  881. current_srv = generate_srv(hashed_reveals, (uint8_t) reveal_num,
  882. sr_state_get_previous_srv());
  883. sr_state_set_current_srv(current_srv);
  884. /* We have a fresh SRV, flag our state. */
  885. sr_state_set_fresh_srv();
  886. }
  887. end:
  888. tor_free(reveals);
  889. }
  890. /* Parse a list of arguments from a SRV value either from a vote, consensus
  891. * or from our disk state and return a newly allocated srv object. NULL is
  892. * returned on error.
  893. *
  894. * The arguments' order:
  895. * num_reveals, value
  896. */
  897. sr_srv_t *
  898. sr_parse_srv(const smartlist_t *args)
  899. {
  900. char *value;
  901. int num_reveals, ok, ret;
  902. sr_srv_t *srv = NULL;
  903. tor_assert(args);
  904. if (smartlist_len(args) < 2) {
  905. goto end;
  906. }
  907. /* First argument is the number of reveal values */
  908. num_reveals = (int)tor_parse_long(smartlist_get(args, 0),
  909. 10, 0, INT32_MAX, &ok, NULL);
  910. if (!ok) {
  911. goto end;
  912. }
  913. /* Second and last argument is the shared random value it self. */
  914. value = smartlist_get(args, 1);
  915. if (strlen(value) != SR_SRV_VALUE_BASE64_LEN) {
  916. goto end;
  917. }
  918. srv = tor_malloc_zero(sizeof(*srv));
  919. srv->num_reveals = num_reveals;
  920. /* We substract one byte from the srclen because the function ignores the
  921. * '=' character in the given buffer. This is broken but it's a documented
  922. * behavior of the implementation. */
  923. ret = base64_decode((char *) srv->value, sizeof(srv->value), value,
  924. SR_SRV_VALUE_BASE64_LEN - 1);
  925. if (ret != sizeof(srv->value)) {
  926. tor_free(srv);
  927. srv = NULL;
  928. goto end;
  929. }
  930. end:
  931. return srv;
  932. }
  933. /* Parse a commit from a vote or from our disk state and return a newly
  934. * allocated commit object. NULL is returned on error.
  935. *
  936. * The commit's data is in <b>args</b> and the order matters very much:
  937. * version, algname, RSA fingerprint, commit value[, reveal value]
  938. */
  939. sr_commit_t *
  940. sr_parse_commit(const smartlist_t *args)
  941. {
  942. uint32_t version;
  943. char *value, digest[DIGEST_LEN];
  944. digest_algorithm_t alg;
  945. const char *rsa_identity_fpr;
  946. sr_commit_t *commit = NULL;
  947. if (smartlist_len(args) < 4) {
  948. goto error;
  949. }
  950. /* First is the version number of the SR protocol which indicates at which
  951. * version that commit was created. */
  952. value = smartlist_get(args, 0);
  953. version = (uint32_t) tor_parse_ulong(value, 10, 1, UINT32_MAX, NULL, NULL);
  954. if (version > SR_PROTO_VERSION) {
  955. log_info(LD_DIR, "SR: Commit version %" PRIu32 " (%s) is not supported.",
  956. version, escaped(value));
  957. goto error;
  958. }
  959. /* Second is the algorithm. */
  960. value = smartlist_get(args, 1);
  961. alg = crypto_digest_algorithm_parse_name(value);
  962. if (alg != SR_DIGEST_ALG) {
  963. log_warn(LD_BUG, "SR: Commit algorithm %s is not recognized.",
  964. escaped(value));
  965. goto error;
  966. }
  967. /* Third argument is the RSA fingerprint of the auth and turn it into a
  968. * digest value. */
  969. rsa_identity_fpr = smartlist_get(args, 2);
  970. if (base16_decode(digest, DIGEST_LEN, rsa_identity_fpr,
  971. HEX_DIGEST_LEN) < 0) {
  972. log_warn(LD_DIR, "SR: RSA fingerprint %s not decodable",
  973. escaped(rsa_identity_fpr));
  974. goto error;
  975. }
  976. /* Allocate commit since we have a valid identity now. */
  977. commit = commit_new(digest);
  978. /* Fourth argument is the commitment value base64-encoded. */
  979. value = smartlist_get(args, 3);
  980. if (commit_decode(value, commit) < 0) {
  981. goto error;
  982. }
  983. /* (Optional) Fifth argument is the revealed value. */
  984. if (smartlist_len(args) > 4) {
  985. value = smartlist_get(args, 4);
  986. if (reveal_decode(value, commit) < 0) {
  987. goto error;
  988. }
  989. }
  990. return commit;
  991. error:
  992. sr_commit_free(commit);
  993. return NULL;
  994. }
  995. /* Called when we are done parsing a vote by <b>voter_key</b> that might
  996. * contain some useful <b>commits</b>. Find if any of them should be kept
  997. * and update our state accordingly. Once done, the list of commitments will
  998. * be empty. */
  999. void
  1000. sr_handle_received_commits(smartlist_t *commits, crypto_pk_t *voter_key)
  1001. {
  1002. char rsa_identity[DIGEST_LEN];
  1003. tor_assert(voter_key);
  1004. /* It's possible that the vote has _NO_ commits. */
  1005. if (commits == NULL) {
  1006. return;
  1007. }
  1008. /* Get the RSA identity fingerprint of this voter */
  1009. if (crypto_pk_get_digest(voter_key, rsa_identity) < 0) {
  1010. return;
  1011. }
  1012. SMARTLIST_FOREACH_BEGIN(commits, sr_commit_t *, commit) {
  1013. /* We won't need the commit in this list anymore, kept or not. */
  1014. SMARTLIST_DEL_CURRENT(commits, commit);
  1015. /* Check if this commit is valid and should be stored in our state. */
  1016. if (!should_keep_commit(commit, rsa_identity,
  1017. sr_state_get_phase())) {
  1018. sr_commit_free(commit);
  1019. continue;
  1020. }
  1021. /* Ok, we have a valid commit now that we are about to put in our state.
  1022. * so flag it valid from now on. */
  1023. commit->valid = 1;
  1024. /* Everything lines up: save this commit to state then! */
  1025. save_commit_to_state(commit);
  1026. } SMARTLIST_FOREACH_END(commit);
  1027. }
  1028. /* Return a heap-allocated string containing commits that should be put in
  1029. * the votes. It's the responsibility of the caller to free the string.
  1030. * This always return a valid string, either empty or with line(s). */
  1031. char *
  1032. sr_get_string_for_vote(void)
  1033. {
  1034. char *vote_str = NULL;
  1035. digestmap_t *state_commits;
  1036. smartlist_t *chunks = smartlist_new();
  1037. const or_options_t *options = get_options();
  1038. /* Are we participating in the protocol? */
  1039. if (!options->AuthDirSharedRandomness) {
  1040. goto end;
  1041. }
  1042. log_debug(LD_DIR, "SR: Preparing our vote info:");
  1043. /* First line, put in the vote the participation flag. */
  1044. {
  1045. char *sr_flag_line;
  1046. tor_asprintf(&sr_flag_line, "%s\n", sr_flag_ns_str);
  1047. smartlist_add(chunks, sr_flag_line);
  1048. }
  1049. /* In our vote we include every commitment in our permanent state. */
  1050. state_commits = sr_state_get_commits();
  1051. smartlist_t *state_commit_vote_lines = smartlist_new();
  1052. DIGESTMAP_FOREACH(state_commits, key, const sr_commit_t *, commit) {
  1053. char *line = get_vote_line_from_commit(commit, sr_state_get_phase());
  1054. smartlist_add(state_commit_vote_lines, line);
  1055. } DIGESTMAP_FOREACH_END;
  1056. /* Sort the commit strings by version (string, not numeric), algorithm,
  1057. * and fingerprint. This makes sure the commit lines in votes are in a
  1058. * recognisable, stable order. */
  1059. smartlist_sort_strings(state_commit_vote_lines);
  1060. /* Now add the sorted list of commits to the vote */
  1061. smartlist_add_all(chunks, state_commit_vote_lines);
  1062. smartlist_free(state_commit_vote_lines);
  1063. /* Add the SRV value(s) if any. */
  1064. {
  1065. char *srv_lines = get_ns_str_from_sr_values(sr_state_get_previous_srv(),
  1066. sr_state_get_current_srv());
  1067. if (srv_lines) {
  1068. smartlist_add(chunks, srv_lines);
  1069. }
  1070. }
  1071. end:
  1072. vote_str = smartlist_join_strings(chunks, "", 0, NULL);
  1073. SMARTLIST_FOREACH(chunks, char *, s, tor_free(s));
  1074. smartlist_free(chunks);
  1075. return vote_str;
  1076. }
  1077. /* Return a heap-allocated string that should be put in the consensus and
  1078. * contains the shared randomness values. It's the responsibility of the
  1079. * caller to free the string. NULL is returned if no SRV(s) available.
  1080. *
  1081. * This is called when a consensus (any flavor) is bring created thus it
  1082. * should NEVER change the state nor the state should be changed in between
  1083. * consensus creation. */
  1084. char *
  1085. sr_get_string_for_consensus(const smartlist_t *votes)
  1086. {
  1087. char *srv_str;
  1088. const or_options_t *options = get_options();
  1089. tor_assert(votes);
  1090. /* Not participating, avoid returning anything. */
  1091. if (!options->AuthDirSharedRandomness) {
  1092. log_info(LD_DIR, "SR: Support disabled (AuthDirSharedRandomness %d)",
  1093. options->AuthDirSharedRandomness);
  1094. goto end;
  1095. }
  1096. /* Check the votes and figure out if SRVs should be included in the final
  1097. * consensus. */
  1098. sr_srv_t *prev_srv = get_majority_srv_from_votes(votes, 0);
  1099. sr_srv_t *cur_srv = get_majority_srv_from_votes(votes, 1);
  1100. srv_str = get_ns_str_from_sr_values(prev_srv, cur_srv);
  1101. if (!srv_str) {
  1102. goto end;
  1103. }
  1104. return srv_str;
  1105. end:
  1106. return NULL;
  1107. }
  1108. /* We just computed a new <b>consensus</b>. Update our state with the SRVs
  1109. * from the consensus (might be NULL as well). Register the SRVs in our SR
  1110. * state and prepare for the upcoming protocol round. */
  1111. void
  1112. sr_act_post_consensus(const networkstatus_t *consensus)
  1113. {
  1114. time_t interval_starts;
  1115. const or_options_t *options = get_options();
  1116. /* Don't act if our state hasn't been initialized. We can be called during
  1117. * boot time when loading consensus from disk which is prior to the
  1118. * initialization of the SR subsystem. We also should not be doing
  1119. * anything if we are _not_ a directory authority and if we are a bridge
  1120. * authority. */
  1121. if (!sr_state_is_initialized() || !authdir_mode_v3(options) ||
  1122. authdir_mode_bridge(options)) {
  1123. return;
  1124. }
  1125. /* Set the majority voted SRVs in our state even if both are NULL. It
  1126. * doesn't matter this is what the majority has decided. Obviously, we can
  1127. * only do that if we have a consensus. */
  1128. if (consensus) {
  1129. /* Start by freeing the current SRVs since the SRVs we believed during
  1130. * voting do not really matter. Now that all the votes are in, we use the
  1131. * majority's opinion on which are the active SRVs. */
  1132. sr_state_clean_srvs();
  1133. /* Reset the fresh flag of the SRV so we know that from now on we don't
  1134. * have a new SRV to vote for. We just used the one from the consensus
  1135. * decided by the majority. */
  1136. sr_state_unset_fresh_srv();
  1137. /* Set the SR values from the given consensus. */
  1138. sr_state_set_previous_srv(srv_dup(consensus->sr_info.previous_srv));
  1139. sr_state_set_current_srv(srv_dup(consensus->sr_info.current_srv));
  1140. }
  1141. /* Update our internal state with the next voting interval starting time. */
  1142. interval_starts = get_voting_schedule(options, time(NULL),
  1143. LOG_NOTICE)->interval_starts;
  1144. sr_state_update(interval_starts);
  1145. }
  1146. /* Initialize shared random subsystem. This MUST be called early in the boot
  1147. * process of tor. Return 0 on success else -1 on error. */
  1148. int
  1149. sr_init(int save_to_disk)
  1150. {
  1151. return sr_state_init(save_to_disk, 1);
  1152. }
  1153. /* Save our state to disk and cleanup everything. */
  1154. void
  1155. sr_save_and_cleanup(void)
  1156. {
  1157. sr_state_save();
  1158. sr_cleanup();
  1159. }