Tor  0.4.7.0-alpha-dev
shared_random.c
Go to the documentation of this file.
1 /* Copyright (c) 2016-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 /**
5  * \file shared_random.c
6  *
7  * \brief Functions and data structure needed to accomplish the shared
8  * random protocol as defined in proposal #250.
9  *
10  * \details
11  *
12  * This file implements the dirauth-only commit-and-reveal protocol specified
13  * by proposal #250. The protocol has two phases (sr_phase_t): the commitment
14  * phase and the reveal phase (see get_sr_protocol_phase()).
15  *
16  * During the protocol, directory authorities keep state in memory (using
17  * sr_state_t) and in disk (using sr_disk_state_t). The synchronization between
18  * these two data structures happens in disk_state_update() and
19  * disk_state_parse().
20  *
21  * Here is a rough protocol outline:
22  *
23  * 1) In the beginning of the commitment phase, dirauths generate a
24  * commitment/reveal value for the current protocol run (see
25  * new_protocol_run() and sr_generate_our_commit()).
26  *
27  * 2) During voting, dirauths publish their commits in their votes
28  * depending on the current phase. Dirauths also include the two
29  * latest shared random values (SRV) in their votes.
30  * (see sr_get_string_for_vote())
31  *
32  * 3) Upon receiving a commit from a vote, authorities parse it, verify
33  * it, and attempt to save any new commitment or reveal information in
34  * their state file (see extract_shared_random_commits() and
35  * sr_handle_received_commits()). They also parse SRVs from votes to
36  * decide which SRV should be included in the final consensus (see
37  * extract_shared_random_srvs()).
38  *
39  * 3) After voting is done, we count the SRVs we extracted from the votes,
40  * to find the one voted by the majority of dirauths which should be
41  * included in the final consensus (see get_majority_srv_from_votes()).
42  * If an appropriate SRV is found, it is embedded in the consensus (see
43  * sr_get_string_for_consensus()).
44  *
45  * 4) At the end of the reveal phase, dirauths compute a fresh SRV for the
46  * day using the active commits (see sr_compute_srv()). This new SRV
47  * is embedded in the votes as described above.
48  *
49  * Some more notes:
50  *
51  * - To support rebooting authorities and to avoid double voting, each dirauth
52  * saves the current state of the protocol on disk so that it can resume
53  * normally in case of reboot. The disk state (sr_disk_state_t) is managed by
54  * shared_random_state.c:state_query() and we go to extra lengths to ensure
55  * that the state is flushed on disk every time we receive any useful
56  * information like commits or SRVs.
57  *
58  * - When we receive a commit from a vote, we examine it to see if it's useful
59  * to us and whether it's appropriate to receive it according to the current
60  * phase of the protocol (see should_keep_commit()). If the commit is useful
61  * to us, we save it in our disk state using save_commit_to_state(). When we
62  * receive the reveal information corresponding to a commitment, we verify
63  * that they indeed match using verify_commit_and_reveal().
64  *
65  * - We treat consensuses as the ground truth, so every time we generate a new
66  * consensus we update our SR state accordingly even if our local view was
67  * different (see sr_act_post_consensus()).
68  *
69  * - After a consensus has been composed, the SR protocol state gets prepared
70  * for the next voting session using sr_state_update(). That function takes
71  * care of housekeeping and also rotates the SRVs and commits in case a new
72  * protocol run is coming up. We also call sr_state_update() on bootup (in
73  * sr_state_init()), to prepare the state for the very first voting session.
74  *
75  * Terminology:
76  *
77  * - "Commitment" is the commitment value of the commit-and-reveal protocol.
78  *
79  * - "Reveal" is the reveal value of the commit-and-reveal protocol.
80  *
81  * - "Commit" is a struct (sr_commit_t) that contains a commitment value and
82  * optionally also a corresponding reveal value.
83  *
84  * - "SRV" is the Shared Random Value that gets generated as the result of the
85  * commit-and-reveal protocol.
86  **/
87 
88 #define SHARED_RANDOM_PRIVATE
89 
90 #include "core/or/or.h"
92 #include "app/config/config.h"
93 #include "lib/confmgt/confmgt.h"
97 #include "feature/relay/router.h"
103 
104 #include "feature/dirauth/dirvote.h"
107 
111 
112 /** String prefix of shared random values in votes/consensuses. */
113 static const char previous_srv_str[] = "shared-rand-previous-value";
114 static const char current_srv_str[] = "shared-rand-current-value";
115 static const char commit_ns_str[] = "shared-rand-commit";
116 static const char sr_flag_ns_str[] = "shared-rand-participate";
117 
118 /** The value of the consensus param AuthDirNumSRVAgreements found in the
119  * vote. This is set once the consensus creation subsystem requests the
120  * SRV(s) that should be put in the consensus. We use this value to decide
121  * if we keep or not an SRV. */
123 
124 /** Return a heap allocated copy of the SRV <b>orig</b>. */
125 sr_srv_t *
126 sr_srv_dup(const sr_srv_t *orig)
127 {
128  sr_srv_t *duplicate = NULL;
129 
130  if (!orig) {
131  return NULL;
132  }
133 
134  duplicate = tor_malloc_zero(sizeof(sr_srv_t));
135  duplicate->num_reveals = orig->num_reveals;
136  memcpy(duplicate->value, orig->value, sizeof(duplicate->value));
137  return duplicate;
138 }
139 
140 /** Allocate a new commit object and initializing it with <b>rsa_identity</b>
141  * that MUST be provided. The digest algorithm is set to the default one
142  * that is supported. The rest is uninitialized. This never returns NULL. */
143 static sr_commit_t *
144 commit_new(const char *rsa_identity)
145 {
146  sr_commit_t *commit;
147 
148  tor_assert(rsa_identity);
149 
150  commit = tor_malloc_zero(sizeof(*commit));
151  commit->alg = SR_DIGEST_ALG;
152  memcpy(commit->rsa_identity, rsa_identity, sizeof(commit->rsa_identity));
153  base16_encode(commit->rsa_identity_hex, sizeof(commit->rsa_identity_hex),
154  commit->rsa_identity, sizeof(commit->rsa_identity));
155  return commit;
156 }
157 
158 /** Issue a log message describing <b>commit</b>. */
159 static void
160 commit_log(const sr_commit_t *commit)
161 {
162  tor_assert(commit);
163 
164  log_debug(LD_DIR, "SR: Commit from %s", sr_commit_get_rsa_fpr(commit));
165  log_debug(LD_DIR, "SR: Commit: [TS: %" PRIu64 "] [Encoded: %s]",
166  commit->commit_ts, commit->encoded_commit);
167  log_debug(LD_DIR, "SR: Reveal: [TS: %" PRIu64 "] [Encoded: %s]",
168  commit->reveal_ts, safe_str(commit->encoded_reveal));
169 }
170 
171 /** Make sure that the commitment and reveal information in <b>commit</b>
172  * match. If they match return 0, return -1 otherwise. This function MUST be
173  * used every time we receive a new reveal value. Furthermore, the commit
174  * object MUST have a reveal value and the hash of the reveal value. */
175 STATIC int
177 {
178  tor_assert(commit);
179 
180  log_debug(LD_DIR, "SR: Validating commit from authority %s",
181  sr_commit_get_rsa_fpr(commit));
182 
183  /* Check that the timestamps match. */
184  if (commit->commit_ts != commit->reveal_ts) {
185  log_warn(LD_BUG, "SR: Commit timestamp %" PRIu64 " doesn't match reveal "
186  "timestamp %" PRIu64, commit->commit_ts,
187  commit->reveal_ts);
188  goto invalid;
189  }
190 
191  /* Verify that the hashed_reveal received in the COMMIT message, matches
192  * the reveal we just received. */
193  {
194  /* We first hash the reveal we just received. */
195  char received_hashed_reveal[sizeof(commit->hashed_reveal)];
196 
197  /* Only sha3-256 is supported. */
198  if (commit->alg != SR_DIGEST_ALG) {
199  goto invalid;
200  }
201 
202  /* Use the invariant length since the encoded reveal variable has an
203  * extra byte for the NUL terminated byte. */
204  if (crypto_digest256(received_hashed_reveal, commit->encoded_reveal,
205  SR_REVEAL_BASE64_LEN, commit->alg) < 0) {
206  /* Unable to digest the reveal blob, this is unlikely. */
207  goto invalid;
208  }
209 
210  /* Now compare that with the hashed_reveal we received in COMMIT. */
211  if (fast_memneq(received_hashed_reveal, commit->hashed_reveal,
212  sizeof(received_hashed_reveal))) {
213  log_warn(LD_BUG, "SR: Received reveal value from authority %s "
214  "doesn't match the commit value.",
215  sr_commit_get_rsa_fpr(commit));
216  goto invalid;
217  }
218  }
219 
220  return 0;
221  invalid:
222  return -1;
223 }
224 
225 /** Return true iff the commit contains an encoded reveal value. */
226 STATIC int
228 {
229  return !fast_mem_is_zero(commit->encoded_reveal,
230  sizeof(commit->encoded_reveal));
231 }
232 
233 /** Parse the encoded commit. The format is:
234  * base64-encode( TIMESTAMP || H(REVEAL) )
235  *
236  * If successfully decoded and parsed, commit is updated and 0 is returned.
237  * On error, return -1. */
238 STATIC int
239 commit_decode(const char *encoded, sr_commit_t *commit)
240 {
241  int decoded_len = 0;
242  size_t offset = 0;
243  char b64_decoded[SR_COMMIT_LEN];
244 
245  tor_assert(encoded);
246  tor_assert(commit);
247 
248  if (strlen(encoded) > SR_COMMIT_BASE64_LEN) {
249  /* This means that if we base64 decode successfully the reveiced commit,
250  * we'll end up with a bigger decoded commit thus unusable. */
251  goto error;
252  }
253 
254  /* Decode our encoded commit. Let's be careful here since _encoded_ is
255  * coming from the network in a dirauth vote so we expect nothing more
256  * than the base64 encoded length of a commit. */
257  decoded_len = base64_decode(b64_decoded, sizeof(b64_decoded),
258  encoded, strlen(encoded));
259  if (decoded_len < 0) {
260  log_warn(LD_BUG, "SR: Commit from authority %s can't be decoded.",
261  sr_commit_get_rsa_fpr(commit));
262  goto error;
263  }
264 
265  if (decoded_len != SR_COMMIT_LEN) {
266  log_warn(LD_BUG, "SR: Commit from authority %s decoded length doesn't "
267  "match the expected length (%d vs %u).",
268  sr_commit_get_rsa_fpr(commit), decoded_len,
269  (unsigned)SR_COMMIT_LEN);
270  goto error;
271  }
272 
273  /* First is the timestamp (8 bytes). */
274  commit->commit_ts = tor_ntohll(get_uint64(b64_decoded));
275  offset += sizeof(uint64_t);
276  /* Next is hashed reveal. */
277  memcpy(commit->hashed_reveal, b64_decoded + offset,
278  sizeof(commit->hashed_reveal));
279  /* Copy the base64 blob to the commit. Useful for voting. */
280  strlcpy(commit->encoded_commit, encoded, sizeof(commit->encoded_commit));
281 
282  return 0;
283 
284  error:
285  return -1;
286 }
287 
288 /** Parse the b64 blob at <b>encoded</b> containing reveal information and
289  * store the information in-place in <b>commit</b>. Return 0 on success else
290  * a negative value. */
291 STATIC int
292 reveal_decode(const char *encoded, sr_commit_t *commit)
293 {
294  int decoded_len = 0;
295  char b64_decoded[SR_REVEAL_LEN];
296 
297  tor_assert(encoded);
298  tor_assert(commit);
299 
300  if (strlen(encoded) > SR_REVEAL_BASE64_LEN) {
301  /* This means that if we base64 decode successfully the received reveal
302  * value, we'll end up with a bigger decoded value thus unusable. */
303  goto error;
304  }
305 
306  /* Decode our encoded reveal. Let's be careful here since _encoded_ is
307  * coming from the network in a dirauth vote so we expect nothing more
308  * than the base64 encoded length of our reveal. */
309  decoded_len = base64_decode(b64_decoded, sizeof(b64_decoded),
310  encoded, strlen(encoded));
311  if (decoded_len < 0) {
312  log_warn(LD_BUG, "SR: Reveal from authority %s can't be decoded.",
313  sr_commit_get_rsa_fpr(commit));
314  goto error;
315  }
316 
317  if (decoded_len != SR_REVEAL_LEN) {
318  log_warn(LD_BUG, "SR: Reveal from authority %s decoded length is "
319  "doesn't match the expected length (%d vs %u)",
320  sr_commit_get_rsa_fpr(commit), decoded_len,
321  (unsigned)SR_REVEAL_LEN);
322  goto error;
323  }
324 
325  commit->reveal_ts = tor_ntohll(get_uint64(b64_decoded));
326  /* Copy the last part, the random value. */
327  memcpy(commit->random_number, b64_decoded + 8,
328  sizeof(commit->random_number));
329  /* Also copy the whole message to use during verification */
330  strlcpy(commit->encoded_reveal, encoded, sizeof(commit->encoded_reveal));
331 
332  return 0;
333 
334  error:
335  return -1;
336 }
337 
338 /** Encode a reveal element using a given commit object to dst which is a
339  * buffer large enough to put the base64-encoded reveal construction. The
340  * format is as follow:
341  * REVEAL = base64-encode( TIMESTAMP || H(RN) )
342  * Return base64 encoded length on success else a negative value.
343  */
344 STATIC int
345 reveal_encode(const sr_commit_t *commit, char *dst, size_t len)
346 {
347  int ret;
348  size_t offset = 0;
349  char buf[SR_REVEAL_LEN] = {0};
350 
351  tor_assert(commit);
352  tor_assert(dst);
353 
354  set_uint64(buf, tor_htonll(commit->reveal_ts));
355  offset += sizeof(uint64_t);
356  memcpy(buf + offset, commit->random_number,
357  sizeof(commit->random_number));
358 
359  /* Let's clean the buffer and then b64 encode it. */
360  memset(dst, 0, len);
361  ret = base64_encode(dst, len, buf, sizeof(buf), 0);
362  /* Wipe this buffer because it contains our random value. */
363  memwipe(buf, 0, sizeof(buf));
364  return ret;
365 }
366 
367 /** Encode the given commit object to dst which is a buffer large enough to
368  * put the base64-encoded commit. The format is as follow:
369  * COMMIT = base64-encode( TIMESTAMP || H(H(RN)) )
370  * Return base64 encoded length on success else a negative value.
371  */
372 STATIC int
373 commit_encode(const sr_commit_t *commit, char *dst, size_t len)
374 {
375  size_t offset = 0;
376  char buf[SR_COMMIT_LEN] = {0};
377 
378  tor_assert(commit);
379  tor_assert(dst);
380 
381  /* First is the timestamp (8 bytes). */
382  set_uint64(buf, tor_htonll(commit->commit_ts));
383  offset += sizeof(uint64_t);
384  /* and then the hashed reveal. */
385  memcpy(buf + offset, commit->hashed_reveal,
386  sizeof(commit->hashed_reveal));
387 
388  /* Clean the buffer and then b64 encode it. */
389  memset(dst, 0, len);
390  return base64_encode(dst, len, buf, sizeof(buf), 0);
391 }
392 
393 /** Cleanup both our global state and disk state. */
394 static void
396 {
398 }
399 
400 /** Using <b>commit</b>, return a newly allocated string containing the commit
401  * information that should be used during SRV calculation. It's the caller
402  * responsibility to free the memory. Return NULL if this is not a commit to be
403  * used for SRV calculation. */
404 static char *
406 {
407  char *element;
408  tor_assert(commit);
409 
410  if (!commit_has_reveal_value(commit)) {
411  return NULL;
412  }
413 
414  tor_asprintf(&element, "%s%s", sr_commit_get_rsa_fpr(commit),
415  commit->encoded_reveal);
416  return element;
417 }
418 
419 /** Return a srv object that is built with the construction:
420  * SRV = SHA3-256("shared-random" | INT_8(reveal_num) |
421  * INT_4(version) | HASHED_REVEALS | previous_SRV)
422  * This function cannot fail. */
423 static sr_srv_t *
424 generate_srv(const char *hashed_reveals, uint64_t reveal_num,
425  const sr_srv_t *previous_srv)
426 {
427  char msg[DIGEST256_LEN + SR_SRV_MSG_LEN] = {0};
428  size_t offset = 0;
429  sr_srv_t *srv;
430 
431  tor_assert(hashed_reveals);
432 
433  /* Add the invariant token. */
434  memcpy(msg, SR_SRV_TOKEN, SR_SRV_TOKEN_LEN);
435  offset += SR_SRV_TOKEN_LEN;
436  set_uint64(msg + offset, tor_htonll(reveal_num));
437  offset += sizeof(uint64_t);
438  set_uint32(msg + offset, htonl(SR_PROTO_VERSION));
439  offset += sizeof(uint32_t);
440  memcpy(msg + offset, hashed_reveals, DIGEST256_LEN);
441  offset += DIGEST256_LEN;
442  if (previous_srv != NULL) {
443  memcpy(msg + offset, previous_srv->value, sizeof(previous_srv->value));
444  }
445 
446  /* Ok we have our message and key for the HMAC computation, allocate our
447  * srv object and do the last step. */
448  srv = tor_malloc_zero(sizeof(*srv));
449  crypto_digest256((char *) srv->value, msg, sizeof(msg), SR_DIGEST_ALG);
450  srv->num_reveals = reveal_num;
451 
452  {
453  /* Debugging. */
454  char srv_hash_encoded[SR_SRV_VALUE_BASE64_LEN + 1];
455  sr_srv_encode(srv_hash_encoded, sizeof(srv_hash_encoded), srv);
456  log_info(LD_DIR, "SR: Generated SRV: %s", srv_hash_encoded);
457  }
458  return srv;
459 }
460 
461 /** Compare reveal values and return the result. This should exclusively be
462  * used by smartlist_sort(). */
463 static int
464 compare_reveal_(const void **_a, const void **_b)
465 {
466  const sr_commit_t *a = *_a, *b = *_b;
467  return fast_memcmp(a->hashed_reveal, b->hashed_reveal,
468  sizeof(a->hashed_reveal));
469 }
470 
471 /** Given <b>commit</b> give the line that we should place in our votes.
472  * It's the responsibility of the caller to free the string. */
473 static char *
475 {
476  char *vote_line = NULL;
477 
478  switch (phase) {
479  case SR_PHASE_COMMIT:
480  tor_asprintf(&vote_line, "%s %u %s %s %s\n",
481  commit_ns_str,
484  sr_commit_get_rsa_fpr(commit),
485  commit->encoded_commit);
486  break;
487  case SR_PHASE_REVEAL:
488  {
489  /* Send a reveal value for this commit if we have one. */
490  const char *reveal_str = commit->encoded_reveal;
491  if (fast_mem_is_zero(commit->encoded_reveal,
492  sizeof(commit->encoded_reveal))) {
493  reveal_str = "";
494  }
495  tor_asprintf(&vote_line, "%s %u %s %s %s %s\n",
496  commit_ns_str,
499  sr_commit_get_rsa_fpr(commit),
500  commit->encoded_commit, reveal_str);
501  break;
502  }
503  default:
504  tor_assert(0);
505  }
506 
507  log_debug(LD_DIR, "SR: Commit vote line: %s", vote_line);
508  return vote_line;
509 }
510 
511 /** Return a heap allocated string that contains the given <b>srv</b> string
512  * representation formatted for a networkstatus document using the
513  * <b>key</b> as the start of the line. This doesn't return NULL. */
514 static char *
515 srv_to_ns_string(const sr_srv_t *srv, const char *key)
516 {
517  char *srv_str;
518  char srv_hash_encoded[SR_SRV_VALUE_BASE64_LEN + 1];
519  tor_assert(srv);
520  tor_assert(key);
521 
522  sr_srv_encode(srv_hash_encoded, sizeof(srv_hash_encoded), srv);
523  tor_asprintf(&srv_str, "%s %" PRIu64 " %s\n", key,
524  srv->num_reveals, srv_hash_encoded);
525  log_debug(LD_DIR, "SR: Consensus SRV line: %s", srv_str);
526  return srv_str;
527 }
528 
529 /** Given the previous SRV and the current SRV, return a heap allocated
530  * string with their data that could be put in a vote or a consensus. Caller
531  * must free the returned string. Return NULL if no SRVs were provided. */
532 static char *
533 get_ns_str_from_sr_values(const sr_srv_t *prev_srv, const sr_srv_t *cur_srv)
534 {
535  smartlist_t *chunks = NULL;
536  char *srv_str;
537 
538  if (!prev_srv && !cur_srv) {
539  return NULL;
540  }
541 
542  chunks = smartlist_new();
543 
544  if (prev_srv) {
545  char *srv_line = srv_to_ns_string(prev_srv, previous_srv_str);
546  smartlist_add(chunks, srv_line);
547  }
548 
549  if (cur_srv) {
550  char *srv_line = srv_to_ns_string(cur_srv, current_srv_str);
551  smartlist_add(chunks, srv_line);
552  }
553 
554  /* Join the line(s) here in one string to return. */
555  srv_str = smartlist_join_strings(chunks, "", 0, NULL);
556  SMARTLIST_FOREACH(chunks, char *, s, tor_free(s));
557  smartlist_free(chunks);
558 
559  return srv_str;
560 }
561 
562 /** Return 1 iff the two commits have the same commitment values. This
563  * function does not care about reveal values. */
564 STATIC int
566  const sr_commit_t *commit_two)
567 {
568  tor_assert(commit_one);
569  tor_assert(commit_two);
570 
571  if (strcmp(commit_one->encoded_commit, commit_two->encoded_commit)) {
572  return 0;
573  }
574  return 1;
575 }
576 
577 /** We just received a commit from the vote of authority with
578  * <b>identity_digest</b>. Return 1 if this commit is authorititative that
579  * is, it belongs to the authority that voted it. Else return 0 if not. */
580 STATIC int
582  const char *voter_key)
583 {
584  tor_assert(commit);
585  tor_assert(voter_key);
586 
587  return fast_memeq(commit->rsa_identity, voter_key,
588  sizeof(commit->rsa_identity));
589 }
590 
591 /** Decide if the newly received <b>commit</b> should be kept depending on
592  * the current phase and state of the protocol. The <b>voter_key</b> is the
593  * RSA identity key fingerprint of the authority's vote from which the
594  * commit comes from. The <b>phase</b> is the phase we should be validating
595  * the commit for. Return 1 if the commit should be added to our state or 0
596  * if not. */
597 STATIC int
598 should_keep_commit(const sr_commit_t *commit, const char *voter_key,
599  sr_phase_t phase)
600 {
601  const sr_commit_t *saved_commit;
602 
603  tor_assert(commit);
604  tor_assert(voter_key);
605 
606  log_debug(LD_DIR, "SR: Inspecting commit from %s (voter: %s)?",
607  sr_commit_get_rsa_fpr(commit),
608  hex_str(voter_key, DIGEST_LEN));
609 
610  /* For a commit to be considered, it needs to be authoritative (it should
611  * be the voter's own commit). */
612  if (!commit_is_authoritative(commit, voter_key)) {
613  log_debug(LD_DIR, "SR: Ignoring non-authoritative commit.");
614  goto ignore;
615  }
616 
617  /* Let's make sure, for extra safety, that this fingerprint is known to
618  * us. Even though this comes from a vote, doesn't hurt to be
619  * extracareful. */
621  log_warn(LD_DIR, "SR: Fingerprint %s is not from a recognized "
622  "authority. Discarding commit.",
623  escaped(commit->rsa_identity));
624  goto ignore;
625  }
626 
627  /* Check if the authority that voted for <b>commit</b> has already posted
628  * a commit before. */
629  saved_commit = sr_state_get_commit(commit->rsa_identity);
630 
631  switch (phase) {
632  case SR_PHASE_COMMIT:
633  /* Already having a commit for an authority so ignore this one. */
634  if (saved_commit) {
635  /* Receiving known commits should happen naturally since commit phase
636  lasts multiple rounds. However if the commitment value changes
637  during commit phase, it might be a bug so log more loudly. */
638  if (!commitments_are_the_same(commit, saved_commit)) {
639  log_info(LD_DIR,
640  "SR: Received altered commit from %s in commit phase.",
641  sr_commit_get_rsa_fpr(commit));
642  } else {
643  log_debug(LD_DIR, "SR: Ignoring known commit during commit phase.");
644  }
645  goto ignore;
646  }
647 
648  /* A commit with a reveal value during commitment phase is very wrong. */
649  if (commit_has_reveal_value(commit)) {
650  log_warn(LD_DIR, "SR: Commit from authority %s has a reveal value "
651  "during COMMIT phase. (voter: %s)",
652  sr_commit_get_rsa_fpr(commit),
653  hex_str(voter_key, DIGEST_LEN));
654  goto ignore;
655  }
656  break;
657  case SR_PHASE_REVEAL:
658  /* We are now in reveal phase. We keep a commit if and only if:
659  *
660  * - We have already seen a commit by this auth, AND
661  * - the saved commit has the same commitment value as this one, AND
662  * - the saved commit has no reveal information, AND
663  * - this commit does have reveal information, AND
664  * - the reveal & commit information are matching.
665  *
666  * If all the above are true, then we are interested in this new commit
667  * for its reveal information. */
668 
669  if (!saved_commit) {
670  log_debug(LD_DIR, "SR: Ignoring commit first seen in reveal phase.");
671  goto ignore;
672  }
673 
674  if (!commitments_are_the_same(commit, saved_commit)) {
675  log_warn(LD_DIR, "SR: Commit from authority %s is different from "
676  "previous commit in our state (voter: %s)",
677  sr_commit_get_rsa_fpr(commit),
678  hex_str(voter_key, DIGEST_LEN));
679  goto ignore;
680  }
681 
682  if (commit_has_reveal_value(saved_commit)) {
683  log_debug(LD_DIR, "SR: Ignoring commit with known reveal info.");
684  goto ignore;
685  }
686 
687  if (!commit_has_reveal_value(commit)) {
688  log_debug(LD_DIR, "SR: Ignoring commit without reveal value.");
689  goto ignore;
690  }
691 
692  if (verify_commit_and_reveal(commit) < 0) {
693  log_warn(LD_BUG, "SR: Commit from authority %s has an invalid "
694  "reveal value. (voter: %s)",
695  sr_commit_get_rsa_fpr(commit),
696  hex_str(voter_key, DIGEST_LEN));
697  goto ignore;
698  }
699  break;
700  default:
701  tor_assert(0);
702  }
703 
704  return 1;
705 
706  ignore:
707  return 0;
708 }
709 
710 /** We are in reveal phase and we found a valid and verified <b>commit</b> in
711  * a vote that contains reveal values that we could use. Update the commit
712  * we have in our state. Never call this with an unverified commit. */
713 STATIC void
715 {
716  sr_commit_t *saved_commit;
717 
718  tor_assert(commit);
719 
720  /* Get the commit from our state. */
721  saved_commit = sr_state_get_commit(commit->rsa_identity);
722  tor_assert(saved_commit);
723  /* Safety net. They can not be different commitments at this point. */
724  int same_commits = commitments_are_the_same(commit, saved_commit);
725  tor_assert(same_commits);
726 
727  /* Copy reveal information to our saved commit. */
728  sr_state_copy_reveal_info(saved_commit, commit);
729 }
730 
731 /** Save <b>commit</b> to our persistent state. Depending on the current
732  * phase, different actions are taken. Steals reference of <b>commit</b>.
733  * The commit object MUST be valid and verified before adding it to the
734  * state. */
735 STATIC void
737 {
738  sr_phase_t phase = sr_state_get_phase();
739 
740  ASSERT_COMMIT_VALID(commit);
741 
742  switch (phase) {
743  case SR_PHASE_COMMIT:
744  /* During commit phase, just save any new authoritative commit */
745  sr_state_add_commit(commit);
746  break;
747  case SR_PHASE_REVEAL:
749  sr_commit_free(commit);
750  break;
751  default:
752  tor_assert(0);
753  }
754 }
755 
756 /** Return 1 if we should we keep an SRV voted by <b>n_agreements</b> auths.
757  * Return 0 if we should ignore it. */
758 static int
759 should_keep_srv(int n_agreements)
760 {
761  /* Check if the most popular SRV has reached majority. */
762  int n_voters = get_n_authorities(V3_DIRINFO);
763  int votes_required_for_majority = (n_voters / 2) + 1;
764 
765  /* We need at the very least majority to keep a value. */
766  if (n_agreements < votes_required_for_majority) {
767  log_notice(LD_DIR, "SR: SRV didn't reach majority [%d/%d]!",
768  n_agreements, votes_required_for_majority);
769  return 0;
770  }
771 
772  /* When we just computed a new SRV, we need to have super majority in order
773  * to keep it. */
774  if (sr_state_srv_is_fresh()) {
775  /* Check if we have super majority for this new SRV value. */
776  if (n_agreements < num_srv_agreements_from_vote) {
777  log_notice(LD_DIR, "SR: New SRV didn't reach agreement [%d/%d]!",
778  n_agreements, num_srv_agreements_from_vote);
779  return 0;
780  }
781  }
782 
783  return 1;
784 }
785 
786 /** Helper: compare two DIGEST256_LEN digests. */
787 static int
788 compare_srvs_(const void **_a, const void **_b)
789 {
790  const sr_srv_t *a = *_a, *b = *_b;
791  return tor_memcmp(a->value, b->value, sizeof(a->value));
792 }
793 
794 /** Return the most frequent member of the sorted list of DIGEST256_LEN
795  * digests in <b>sl</b> with the count of that most frequent element. */
796 static sr_srv_t *
798 {
799  return smartlist_get_most_frequent_(sl, compare_srvs_, count_out);
800 }
801 
802 /** Compare two SRVs. Used in smartlist sorting. */
803 static int
804 compare_srv_(const void **_a, const void **_b)
805 {
806  const sr_srv_t *a = *_a, *b = *_b;
807  return fast_memcmp(a->value, b->value,
808  sizeof(a->value));
809 }
810 
811 /** Using a list of <b>votes</b>, return the SRV object from them that has
812  * been voted by the majority of dirauths. If <b>current</b> is set, we look
813  * for the current SRV value else the previous one. The returned pointer is
814  * an object located inside a vote. NULL is returned if no appropriate value
815  * could be found. */
817 get_majority_srv_from_votes(const smartlist_t *votes, int current)
818 {
819  int count = 0;
820  sr_srv_t *most_frequent_srv = NULL;
821  sr_srv_t *the_srv = NULL;
822  smartlist_t *srv_list;
823 
824  tor_assert(votes);
825 
826  srv_list = smartlist_new();
827 
828  /* Walk over votes and register any SRVs found. */
830  sr_srv_t *srv_tmp = NULL;
831 
832  if (!v->sr_info.participate) {
833  /* Ignore vote that do not participate. */
834  continue;
835  }
836  /* Do we want previous or current SRV? */
837  srv_tmp = current ? v->sr_info.current_srv : v->sr_info.previous_srv;
838  if (!srv_tmp) {
839  continue;
840  }
841 
842  smartlist_add(srv_list, srv_tmp);
843  } SMARTLIST_FOREACH_END(v);
844 
845  smartlist_sort(srv_list, compare_srv_);
846  most_frequent_srv = smartlist_get_most_frequent_srv(srv_list, &count);
847  if (!most_frequent_srv) {
848  goto end;
849  }
850 
851  /* Was this SRV voted by enough auths for us to keep it? */
852  if (!should_keep_srv(count)) {
853  goto end;
854  }
855 
856  /* We found an SRV that we can use! Habemus SRV! */
857  the_srv = most_frequent_srv;
858 
859  {
860  /* Debugging */
861  char encoded[SR_SRV_VALUE_BASE64_LEN + 1];
862  sr_srv_encode(encoded, sizeof(encoded), the_srv);
863  log_debug(LD_DIR, "SR: Chosen SRV by majority: %s (%d votes)", encoded,
864  count);
865  }
866 
867  end:
868  /* We do not free any sr_srv_t values, we don't have the ownership. */
869  smartlist_free(srv_list);
870  return the_srv;
871 }
872 
873 /** Free a commit object. */
874 void
876 {
877  if (commit == NULL) {
878  return;
879  }
880  /* Make sure we do not leave OUR random number in memory. */
881  memwipe(commit->random_number, 0, sizeof(commit->random_number));
882  tor_free(commit);
883 }
884 
885 /** Generate the commitment/reveal value for the protocol run starting at
886  * <b>timestamp</b>. <b>my_rsa_cert</b> is our authority RSA certificate. */
887 sr_commit_t *
888 sr_generate_our_commit(time_t timestamp, const authority_cert_t *my_rsa_cert)
889 {
890  sr_commit_t *commit = NULL;
891  char digest[DIGEST_LEN];
892 
893  tor_assert(my_rsa_cert);
894 
895  /* Get our RSA identity fingerprint */
896  if (crypto_pk_get_digest(my_rsa_cert->identity_key, digest) < 0) {
897  goto error;
898  }
899 
900  /* New commit with our identity key. */
901  commit = commit_new(digest);
902 
903  /* Generate the reveal random value */
905  sizeof(commit->random_number));
906  commit->commit_ts = commit->reveal_ts = timestamp;
907 
908  /* Now get the base64 blob that corresponds to our reveal */
909  if (reveal_encode(commit, commit->encoded_reveal,
910  sizeof(commit->encoded_reveal)) < 0) {
911  log_err(LD_DIR, "SR: Unable to encode our reveal value!");
912  goto error;
913  }
914 
915  /* Now let's create the commitment */
916  tor_assert(commit->alg == SR_DIGEST_ALG);
917  /* The invariant length is used here since the encoded reveal variable
918  * has an extra byte added for the NULL terminated byte. */
919  if (crypto_digest256(commit->hashed_reveal, commit->encoded_reveal,
920  SR_REVEAL_BASE64_LEN, commit->alg) < 0) {
921  goto error;
922  }
923 
924  /* Now get the base64 blob that corresponds to our commit. */
925  if (commit_encode(commit, commit->encoded_commit,
926  sizeof(commit->encoded_commit)) < 0) {
927  log_err(LD_DIR, "SR: Unable to encode our commit value!");
928  goto error;
929  }
930 
931  log_debug(LD_DIR, "SR: Generated our commitment:");
932  commit_log(commit);
933  /* Our commit better be valid :). */
934  commit->valid = 1;
935  return commit;
936 
937  error:
938  sr_commit_free(commit);
939  return NULL;
940 }
941 
942 /** Compute the shared random value based on the active commits in our
943  * state. */
944 void
946 {
947  uint64_t reveal_num = 0;
948  char *reveals = NULL;
949  smartlist_t *chunks, *commits;
950  digestmap_t *state_commits;
951 
952  /* Computing a shared random value in the commit phase is very wrong. This
953  * should only happen at the very end of the reveal phase when a new
954  * protocol run is about to start. */
955  if (BUG(sr_state_get_phase() != SR_PHASE_REVEAL))
956  return;
957  state_commits = sr_state_get_commits();
958 
959  commits = smartlist_new();
960  chunks = smartlist_new();
961 
962  /* We must make a list of commit ordered by authority fingerprint in
963  * ascending order as specified by proposal 250. */
964  DIGESTMAP_FOREACH(state_commits, key, sr_commit_t *, c) {
965  /* Extra safety net, make sure we have valid commit before using it. */
967  /* Let's not use a commit from an authority that we don't know. It's
968  * possible that an authority could be removed during a protocol run so
969  * that commit value should never be used in the SRV computation. */
970  if (trusteddirserver_get_by_v3_auth_digest(c->rsa_identity) == NULL) {
971  log_warn(LD_DIR, "SR: Fingerprint %s is not from a recognized "
972  "authority. Discarding commit for the SRV computation.",
973  sr_commit_get_rsa_fpr(c));
974  continue;
975  }
976  /* We consider this commit valid. */
977  smartlist_add(commits, c);
980 
981  /* Now for each commit for that sorted list in ascending order, we'll
982  * build the element for each authority that needs to go into the srv
983  * computation. */
984  SMARTLIST_FOREACH_BEGIN(commits, const sr_commit_t *, c) {
985  char *element = get_srv_element_from_commit(c);
986  if (element) {
987  smartlist_add(chunks, element);
988  reveal_num++;
989  }
990  } SMARTLIST_FOREACH_END(c);
991  smartlist_free(commits);
992 
993  {
994  /* Join all reveal values into one giant string that we'll hash so we
995  * can generated our shared random value. */
996  sr_srv_t *current_srv;
997  char hashed_reveals[DIGEST256_LEN];
998  reveals = smartlist_join_strings(chunks, "", 0, NULL);
999  SMARTLIST_FOREACH(chunks, char *, s, tor_free(s));
1000  smartlist_free(chunks);
1001  if (crypto_digest256(hashed_reveals, reveals, strlen(reveals),
1002  SR_DIGEST_ALG) < 0) {
1003  goto end;
1004  }
1005  current_srv = generate_srv(hashed_reveals, reveal_num,
1007  sr_state_set_current_srv(current_srv);
1008  /* We have a fresh SRV, flag our state. */
1010  }
1011 
1012  end:
1013  tor_free(reveals);
1014 }
1015 
1016 /** Parse a commit from a vote or from our disk state and return a newly
1017  * allocated commit object. NULL is returned on error.
1018  *
1019  * The commit's data is in <b>args</b> and the order matters very much:
1020  * version, algname, RSA fingerprint, commit value[, reveal value]
1021  */
1022 sr_commit_t *
1024 {
1025  uint32_t version;
1026  char *value, digest[DIGEST_LEN];
1027  digest_algorithm_t alg;
1028  const char *rsa_identity_fpr;
1029  sr_commit_t *commit = NULL;
1030 
1031  if (smartlist_len(args) < 4) {
1032  goto error;
1033  }
1034 
1035  /* First is the version number of the SR protocol which indicates at which
1036  * version that commit was created. */
1037  value = smartlist_get(args, 0);
1038  version = (uint32_t) tor_parse_ulong(value, 10, 1, UINT32_MAX, NULL, NULL);
1039  if (version > SR_PROTO_VERSION) {
1040  log_info(LD_DIR, "SR: Commit version %" PRIu32 " (%s) is not supported.",
1041  version, escaped(value));
1042  goto error;
1043  }
1044 
1045  /* Second is the algorithm. */
1046  value = smartlist_get(args, 1);
1048  if (alg != SR_DIGEST_ALG) {
1049  log_warn(LD_BUG, "SR: Commit algorithm %s is not recognized.",
1050  escaped(value));
1051  goto error;
1052  }
1053 
1054  /* Third argument is the RSA fingerprint of the auth and turn it into a
1055  * digest value. */
1056  rsa_identity_fpr = smartlist_get(args, 2);
1057  if (base16_decode(digest, DIGEST_LEN, rsa_identity_fpr,
1058  HEX_DIGEST_LEN) < 0) {
1059  log_warn(LD_DIR, "SR: RSA fingerprint %s not decodable",
1060  escaped(rsa_identity_fpr));
1061  goto error;
1062  }
1063 
1064  /* Allocate commit since we have a valid identity now. */
1065  commit = commit_new(digest);
1066 
1067  /* Fourth argument is the commitment value base64-encoded. */
1068  value = smartlist_get(args, 3);
1069  if (commit_decode(value, commit) < 0) {
1070  goto error;
1071  }
1072 
1073  /* (Optional) Fifth argument is the revealed value. */
1074  if (smartlist_len(args) > 4) {
1075  value = smartlist_get(args, 4);
1076  if (reveal_decode(value, commit) < 0) {
1077  goto error;
1078  }
1079  }
1080 
1081  return commit;
1082 
1083  error:
1084  sr_commit_free(commit);
1085  return NULL;
1086 }
1087 
1088 /** Called when we are done parsing a vote by <b>voter_key</b> that might
1089  * contain some useful <b>commits</b>. Find if any of them should be kept
1090  * and update our state accordingly. Once done, the list of commitments will
1091  * be empty. */
1092 void
1094 {
1095  char rsa_identity[DIGEST_LEN];
1096 
1097  tor_assert(voter_key);
1098 
1099  /* It's possible that the vote has _NO_ commits. */
1100  if (commits == NULL) {
1101  return;
1102  }
1103 
1104  /* Get the RSA identity fingerprint of this voter */
1105  if (crypto_pk_get_digest(voter_key, rsa_identity) < 0) {
1106  return;
1107  }
1108 
1109  SMARTLIST_FOREACH_BEGIN(commits, sr_commit_t *, commit) {
1110  /* We won't need the commit in this list anymore, kept or not. */
1111  SMARTLIST_DEL_CURRENT(commits, commit);
1112  /* Check if this commit is valid and should be stored in our state. */
1113  if (!should_keep_commit(commit, rsa_identity,
1114  sr_state_get_phase())) {
1115  sr_commit_free(commit);
1116  continue;
1117  }
1118  /* Ok, we have a valid commit now that we are about to put in our state.
1119  * so flag it valid from now on. */
1120  commit->valid = 1;
1121  /* Everything lines up: save this commit to state then! */
1122  save_commit_to_state(commit);
1123  } SMARTLIST_FOREACH_END(commit);
1124 }
1125 
1126 /** Return a heap-allocated string containing commits that should be put in
1127  * the votes. It's the responsibility of the caller to free the string.
1128  * This always return a valid string, either empty or with line(s). */
1129 char *
1131 {
1132  char *vote_str = NULL;
1133  digestmap_t *state_commits;
1134  smartlist_t *chunks = smartlist_new();
1135  const dirauth_options_t *options = dirauth_get_options();
1136 
1137  /* Are we participating in the protocol? */
1138  if (!options->AuthDirSharedRandomness) {
1139  goto end;
1140  }
1141 
1142  log_debug(LD_DIR, "SR: Preparing our vote info:");
1143 
1144  /* First line, put in the vote the participation flag. */
1145  {
1146  char *sr_flag_line;
1147  tor_asprintf(&sr_flag_line, "%s\n", sr_flag_ns_str);
1148  smartlist_add(chunks, sr_flag_line);
1149  }
1150 
1151  /* In our vote we include every commitment in our permanent state. */
1152  state_commits = sr_state_get_commits();
1153  smartlist_t *state_commit_vote_lines = smartlist_new();
1154  DIGESTMAP_FOREACH(state_commits, key, const sr_commit_t *, commit) {
1155  char *line = get_vote_line_from_commit(commit, sr_state_get_phase());
1156  smartlist_add(state_commit_vote_lines, line);
1158 
1159  /* Sort the commit strings by version (string, not numeric), algorithm,
1160  * and fingerprint. This makes sure the commit lines in votes are in a
1161  * recognisable, stable order. */
1162  smartlist_sort_strings(state_commit_vote_lines);
1163 
1164  /* Now add the sorted list of commits to the vote */
1165  smartlist_add_all(chunks, state_commit_vote_lines);
1166  smartlist_free(state_commit_vote_lines);
1167 
1168  /* Add the SRV value(s) if any. */
1169  {
1172  if (srv_lines) {
1173  smartlist_add(chunks, srv_lines);
1174  }
1175  }
1176 
1177  end:
1178  vote_str = smartlist_join_strings(chunks, "", 0, NULL);
1179  SMARTLIST_FOREACH(chunks, char *, s, tor_free(s));
1180  smartlist_free(chunks);
1181  return vote_str;
1182 }
1183 
1184 /** Return a heap-allocated string that should be put in the consensus and
1185  * contains the shared randomness values. It's the responsibility of the
1186  * caller to free the string. NULL is returned if no SRV(s) available.
1187  *
1188  * This is called when a consensus (any flavor) is bring created thus it
1189  * should NEVER change the state nor the state should be changed in between
1190  * consensus creation.
1191  *
1192  * <b>num_srv_agreements</b> is taken from the votes thus the voted value
1193  * that should be used.
1194  * */
1195 char *
1197  int32_t num_srv_agreements)
1198 {
1199  char *srv_str;
1200  const dirauth_options_t *options = dirauth_get_options();
1201 
1202  tor_assert(votes);
1203 
1204  /* Not participating, avoid returning anything. */
1205  if (!options->AuthDirSharedRandomness) {
1206  log_info(LD_DIR, "SR: Support disabled (AuthDirSharedRandomness %d)",
1207  options->AuthDirSharedRandomness);
1208  goto end;
1209  }
1210 
1211  /* Set the global value of AuthDirNumSRVAgreements found in the votes. */
1212  num_srv_agreements_from_vote = num_srv_agreements;
1213 
1214  /* Check the votes and figure out if SRVs should be included in the final
1215  * consensus. */
1216  sr_srv_t *prev_srv = get_majority_srv_from_votes(votes, 0);
1217  sr_srv_t *cur_srv = get_majority_srv_from_votes(votes, 1);
1218  srv_str = get_ns_str_from_sr_values(prev_srv, cur_srv);
1219  if (!srv_str) {
1220  goto end;
1221  }
1222 
1223  return srv_str;
1224  end:
1225  return NULL;
1226 }
1227 
1228 /** We just computed a new <b>consensus</b>. Update our state with the SRVs
1229  * from the consensus (might be NULL as well). Register the SRVs in our SR
1230  * state and prepare for the upcoming protocol round. */
1231 void
1233 {
1234  const or_options_t *options = get_options();
1235 
1236  /* Don't act if our state hasn't been initialized. We can be called during
1237  * boot time when loading consensus from disk which is prior to the
1238  * initialization of the SR subsystem. We also should not be doing
1239  * anything if we are _not_ a directory authority and if we are a bridge
1240  * authority. */
1241  if (!sr_state_is_initialized() || !authdir_mode_v3(options) ||
1242  authdir_mode_bridge(options)) {
1243  return;
1244  }
1245 
1246  /* Set the majority voted SRVs in our state even if both are NULL. It
1247  * doesn't matter this is what the majority has decided. Obviously, we can
1248  * only do that if we have a consensus. */
1249  if (consensus) {
1250  /* Start by freeing the current SRVs since the SRVs we believed during
1251  * voting do not really matter. Now that all the votes are in, we use the
1252  * majority's opinion on which are the active SRVs. */
1254  /* Reset the fresh flag of the SRV so we know that from now on we don't
1255  * have a new SRV to vote for. We just used the one from the consensus
1256  * decided by the majority. */
1258  /* Set the SR values from the given consensus. */
1259  sr_state_set_previous_srv(sr_srv_dup(consensus->sr_info.previous_srv));
1260  sr_state_set_current_srv(sr_srv_dup(consensus->sr_info.current_srv));
1261  }
1262 
1263  /* Prepare our state so that it's ready for the next voting period. */
1265 }
1266 
1267 /** Initialize shared random subsystem. This MUST be called early in the boot
1268  * process of tor. Return 0 on success else -1 on error. */
1269 int
1270 sr_init(int save_to_disk)
1271 {
1272  return sr_state_init(save_to_disk, 1);
1273 }
1274 
1275 /** Save our state to disk and cleanup everything. */
1276 void
1278 {
1279  sr_state_save();
1280  sr_cleanup();
1281 }
1282 
1283 #ifdef TOR_UNIT_TESTS
1284 
1285 /** Set the global value of number of SRV agreements so the test can play
1286  * along by calling specific functions that don't parse the votes prior for
1287  * the AuthDirNumSRVAgreements value. */
1288 void
1289 set_num_srv_agreements(int32_t value)
1290 {
1292 }
1293 
1294 #endif /* defined(TOR_UNIT_TESTS) */
int authdir_mode_bridge(const or_options_t *options)
Definition: authmode.c:76
Header file for directory authority mode.
Authority certificate structure.
const char * hex_str(const char *from, size_t fromlen)
Definition: binascii.c:34
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:396
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
Definition: binascii.c:215
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:506
void base16_encode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:478
static uint64_t tor_ntohll(uint64_t a)
Definition: bytes.h:193
static void set_uint64(void *cp, uint64_t v)
Definition: bytes.h:96
static void set_uint32(void *cp, uint32_t v)
Definition: bytes.h:87
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:184
static uint64_t get_uint64(const void *cp)
Definition: bytes.h:66
const or_options_t * get_options(void)
Definition: config.c:919
Header file for config.c.
Header for confmgt.c.
const char * crypto_digest_algorithm_get_name(digest_algorithm_t alg)
Definition: crypto_digest.c:44
int crypto_digest_algorithm_parse_name(const char *name)
Definition: crypto_digest.c:68
digest_algorithm_t
Definition: crypto_digest.h:44
#define HEX_DIGEST_LEN
Definition: crypto_digest.h:35
int crypto_digest256(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Definition: crypto_rand.c:340
Common functions for using (pseudo-)random number generators.
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
Definition: crypto_rsa.c:356
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
Common functions for cryptographic routines.
int tor_memcmp(const void *a, const void *b, size_t len)
Definition: di_ops.c:31
#define fast_memeq(a, b, c)
Definition: di_ops.h:35
#define fast_memcmp(a, b, c)
Definition: di_ops.h:28
#define fast_memneq(a, b, c)
Definition: di_ops.h:42
#define DIGEST_LEN
Definition: digest_sizes.h:20
#define DIGEST256_LEN
Definition: digest_sizes.h:23
Structure dirauth_options_t to hold directory authority options.
Header for dirauth_sys.c.
int get_n_authorities(dirinfo_type_t type)
Definition: dirlist.c:103
dir_server_t * trusteddirserver_get_by_v3_auth_digest(const char *digest)
Definition: dirlist.c:215
Header file for dirlist.c.
Header file for dirvote.c.
const char * escaped(const char *s)
Definition: escape.c:126
#define LD_BUG
Definition: log.h:86
#define LD_DIR
Definition: log.h:88
#define tor_free(p)
Definition: malloc.h:52
#define DIGESTMAP_FOREACH_END
Definition: map.h:168
#define DIGESTMAP_FOREACH(map, keyvar, valtype, valvar)
Definition: map.h:154
Header file for networkstatus.c.
Networkstatus consensus/vote structure.
Master header file for Tor-specific functionality.
@ V3_DIRINFO
Definition: or.h:788
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
Definition: parse_int.c:78
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
Header file for router.c.
Header for routerkeys.c.
char * sr_get_string_for_consensus(const smartlist_t *votes, int32_t num_srv_agreements)
static char * get_srv_element_from_commit(const sr_commit_t *commit)
static int compare_reveal_(const void **_a, const void **_b)
sr_commit_t * sr_generate_our_commit(time_t timestamp, const authority_cert_t *my_rsa_cert)
static int compare_srv_(const void **_a, const void **_b)
STATIC void save_commit_during_reveal_phase(const sr_commit_t *commit)
sr_commit_t * sr_parse_commit(const smartlist_t *args)
static char * get_vote_line_from_commit(const sr_commit_t *commit, sr_phase_t phase)
static char * get_ns_str_from_sr_values(const sr_srv_t *prev_srv, const sr_srv_t *cur_srv)
STATIC int reveal_encode(const sr_commit_t *commit, char *dst, size_t len)
static const char previous_srv_str[]
void sr_save_and_cleanup(void)
static int compare_srvs_(const void **_a, const void **_b)
static int32_t num_srv_agreements_from_vote
STATIC int should_keep_commit(const sr_commit_t *commit, const char *voter_key, sr_phase_t phase)
int sr_init(int save_to_disk)
STATIC int commit_is_authoritative(const sr_commit_t *commit, const char *voter_key)
static sr_srv_t * generate_srv(const char *hashed_reveals, uint64_t reveal_num, const sr_srv_t *previous_srv)
static sr_commit_t * commit_new(const char *rsa_identity)
void sr_act_post_consensus(const networkstatus_t *consensus)
static void sr_cleanup(void)
sr_srv_t * sr_srv_dup(const sr_srv_t *orig)
STATIC void save_commit_to_state(sr_commit_t *commit)
void sr_handle_received_commits(smartlist_t *commits, crypto_pk_t *voter_key)
STATIC int commit_has_reveal_value(const sr_commit_t *commit)
STATIC int reveal_decode(const char *encoded, sr_commit_t *commit)
static void commit_log(const sr_commit_t *commit)
char * sr_get_string_for_vote(void)
static sr_srv_t * smartlist_get_most_frequent_srv(const smartlist_t *sl, int *count_out)
STATIC int commit_encode(const sr_commit_t *commit, char *dst, size_t len)
STATIC int commitments_are_the_same(const sr_commit_t *commit_one, const sr_commit_t *commit_two)
STATIC int verify_commit_and_reveal(const sr_commit_t *commit)
void sr_compute_srv(void)
STATIC int commit_decode(const char *encoded, sr_commit_t *commit)
static int should_keep_srv(int n_agreements)
STATIC sr_srv_t * get_majority_srv_from_votes(const smartlist_t *votes, int current)
static char * srv_to_ns_string(const sr_srv_t *srv, const char *key)
void sr_commit_free_(sr_commit_t *commit)
This file contains ABI/API of the shared random protocol defined in proposal #250....
#define SR_SRV_VALUE_BASE64_LEN
Definition: shared_random.h:48
#define SR_SRV_TOKEN
Definition: shared_random.h:22
#define SR_PROTO_VERSION
Definition: shared_random.h:18
#define SR_COMMIT_LEN
Definition: shared_random.h:30
#define SR_REVEAL_BASE64_LEN
Definition: shared_random.h:44
#define SR_REVEAL_LEN
Definition: shared_random.h:33
#define SR_SRV_MSG_LEN
Definition: shared_random.h:36
sr_phase_t
Definition: shared_random.h:54
@ SR_PHASE_COMMIT
Definition: shared_random.h:56
@ SR_PHASE_REVEAL
Definition: shared_random.h:58
#define SR_DIGEST_ALG
Definition: shared_random.h:20
#define ASSERT_COMMIT_VALID(c)
Definition: shared_random.h:51
#define SR_SRV_TOKEN_LEN
Definition: shared_random.h:24
#define SR_COMMIT_BASE64_LEN
Definition: shared_random.h:41
void sr_srv_encode(char *dst, size_t dst_len, const sr_srv_t *srv)
Header file for shared_random_client.c.
void sr_state_update(time_t valid_after)
void sr_state_set_fresh_srv(void)
void sr_state_save(void)
const sr_srv_t * sr_state_get_current_srv(void)
sr_commit_t * sr_state_get_commit(const char *rsa_identity)
void sr_state_free_all(void)
void sr_state_copy_reveal_info(sr_commit_t *saved_commit, const sr_commit_t *commit)
void sr_state_set_previous_srv(const sr_srv_t *srv)
const sr_srv_t * sr_state_get_previous_srv(void)
void sr_state_clean_srvs(void)
void sr_state_set_current_srv(const sr_srv_t *srv)
digestmap_t * sr_state_get_commits(void)
int sr_state_init(int save_to_disk, int read_from_disk)
void sr_state_unset_fresh_srv(void)
int sr_state_is_initialized(void)
unsigned int sr_state_srv_is_fresh(void)
void sr_state_add_commit(sr_commit_t *commit)
sr_phase_t sr_state_get_phase(void)
Header for shared_random_state.c.
void * smartlist_get_most_frequent_(const smartlist_t *sl, int(*compare)(const void **a, const void **b), int *count_out)
Definition: smartlist.c:348
void smartlist_sort_strings(smartlist_t *sl)
Definition: smartlist.c:549
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
void smartlist_sort(smartlist_t *sl, int(*compare)(const void **a, const void **b))
Definition: smartlist.c:334
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
#define SMARTLIST_DEL_CURRENT(sl, var)
crypto_pk_t * identity_key
networkstatus_sr_info_t sr_info
char rsa_identity[DIGEST_LEN]
Definition: shared_random.h:80
char encoded_reveal[SR_REVEAL_BASE64_LEN+1]
uint8_t random_number[SR_RANDOM_NUMBER_LEN]
Definition: shared_random.h:97
unsigned int valid
Definition: shared_random.h:74
uint64_t reveal_ts
Definition: shared_random.h:86
digest_algorithm_t alg
Definition: shared_random.h:72
uint64_t commit_ts
Definition: shared_random.h:99
uint64_t num_reveals
Definition: shared_random.h:64
uint8_t value[DIGEST256_LEN]
Definition: shared_random.h:66
#define STATIC
Definition: testsupport.h:32
#define tor_assert(expr)
Definition: util_bug.h:102
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
time_t dirauth_sched_get_next_valid_after_time(void)
Header file for voting_schedule.c.