| blob | dd567bc06ad3dd77901f49ff7bf7bb06de91b247 |
1 /* Copyright (c) 2016, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file shared_random.c
6 *
7 * \brief Functions and data structure needed to accomplish the shared
8 * random protocol as defined in proposal #250.
9 **/
11 #define SHARED_RANDOM_PRIVATE
23 /* Allocate a new commit object and initializing it with <b>identity</b>
24 * that MUST be provided. The digest algorithm is set to the default one
25 * that is supported. The rest is uninitialized. This never returns NULL. */
28 {
38 }
40 /* Issue a log message describing <b>commit</b>. */
41 static void
43 {
51 }
58 }
59 }
61 /* Return true iff the commit contains an encoded reveal value. */
62 STATIC int
64 {
67 }
69 /* Parse the encoded commit. The format is:
70 * base64-encode( TIMESTAMP || H(REVEAL) )
71 *
72 * If successfully decoded and parsed, commit is updated and 0 is returned.
73 * On error, return -1. */
74 STATIC int
76 {
79 /* XXX: Needs two extra bytes for the base64 decode calculation matches
80 * the binary length once decoded. #17868. */
87 /* This means that if we base64 decode successfully the reveiced commit,
88 * we'll end up with a bigger decoded commit thus unusable. */
90 }
92 /* Decode our encoded commit. Let's be careful here since _encoded_ is
93 * coming from the network in a dirauth vote so we expect nothing more
94 * than the base64 encoded length of a commit. */
101 }
108 }
110 /* First is the timestamp (8 bytes). */
113 /* Next is hashed reveal. */
116 /* Copy the base64 blob to the commit. Useful for voting. */
121 error:
123 }
125 /* Parse the b64 blob at <b>encoded</b> containing reveal information and
126 * store the information in-place in <b>commit</b>. Return 0 on success else
127 * a negative value. */
128 STATIC int
130 {
132 /* XXX: Needs two extra bytes for the base64 decode calculation matches
133 * the binary length once decoded. #17868. */
140 /* This means that if we base64 decode successfully the received reveal
141 * value, we'll end up with a bigger decoded value thus unusable. */
143 }
145 /* Decode our encoded reveal. Let's be careful here since _encoded_ is
146 * coming from the network in a dirauth vote so we expect nothing more
147 * than the base64 encoded length of our reveal. */
154 }
161 }
164 /* Copy the last part, the random value. */
167 /* Also copy the whole message to use during verification */
172 error:
174 }
177 /* Encode a reveal element using a given commit object to dst which is a
178 * buffer large enough to put the base64-encoded reveal construction. The
179 * format is as follow:
180 * REVEAL = base64-encode( TIMESTAMP || H(RN) )
181 * Return base64 encoded length on success else a negative value.
182 */
183 STATIC int
185 {
198 /* Let's clean the buffer and then b64 encode it. */
201 /* Wipe this buffer because it contains our random value. */
204 }
206 /* Encode the given commit object to dst which is a buffer large enough to
207 * put the base64-encoded commit. The format is as follow:
208 * COMMIT = base64-encode( TIMESTAMP || H(H(RN)) )
209 * Return base64 encoded length on success else a negative value.
210 */
211 STATIC int
213 {
220 /* First is the timestamp (8 bytes). */
223 /* and then the hashed reveal. */
227 /* Clean the buffer and then b64 encode it. */
230 }
232 /* Cleanup both our global state and disk state. */
233 static void
235 {
237 }
239 /* Using <b>commit</b>, return a newly allocated string containing the commit
240 * information that should be used during SRV calculation. It's the caller
241 * responsibility to free the memory. Return NULL if this is not a commit to be
242 * used for SRV calculation. */
245 {
251 }
256 }
258 /* Return a srv object that is built with the construction:
259 * SRV = SHA3-256("shared-random" | INT_8(reveal_num) |
260 * INT_8(version) | HASHED_REVEALS | previous_SRV)
261 * This function cannot fail. */
265 {
272 /* Add the invariant token. */
283 }
285 /* Ok we have our message and key for the HMAC computation, allocate our
286 * srv object and do the last step. */
291 {
292 /* Debugging. */
296 }
298 }
300 /* Compare reveal values and return the result. This should exclusively be
301 * used by smartlist_sort(). */
302 static int
304 {
308 }
310 /* Encode the given shared random value and put it in dst. Destination
311 * buffer must be at least SR_SRV_VALUE_BASE64_LEN plus the NULL byte. */
312 void
314 {
316 /* Extra byte for the NULL terminated char. */
324 /* Always expect the full length without the NULL byte. */
327 }
329 /* Free a commit object. */
330 void
332 {
335 }
336 /* Make sure we do not leave OUR random number in memory. */
339 }
341 /* Generate the commitment/reveal value for the protocol run starting at
342 * <b>timestamp</b>. <b>my_rsa_cert</b> is our authority RSA certificate. */
343 sr_commit_t *
345 {
351 /* Get our RSA identity fingerprint */
355 }
357 /* New commit with our identity key. */
360 /* Generate the reveal random value */
365 /* Now get the base64 blob that corresponds to our reveal */
370 }
372 /* Now let's create the commitment */
374 /* The invariant length is used here since the encoded reveal variable
375 * has an extra byte added for the NULL terminated byte. */
379 }
381 /* Now get the base64 blob that corresponds to our commit. */
386 }
392 error:
395 }
397 /* Compute the shared random value based on the active commits in our state. */
398 void
400 {
406 /* Computing a shared random value in the commit phase is very wrong. This
407 * should only happen at the very end of the reveal phase when a new
408 * protocol run is about to start. */
415 /* We must make a list of commit ordered by authority fingerprint in
416 * ascending order as specified by proposal 250. */
422 /* Now for each commit for that sorted list in ascending order, we'll
423 * build the element for each authority that needs to go into the srv
424 * computation. */
429 reveal_num++;
430 }
434 {
435 /* Join all reveal values into one giant string that we'll hash so we
436 * can generated our shared random value. */
443 SR_DIGEST_ALG)) {
445 }
450 /* We have a fresh SRV, flag our state. */
452 }
454 end:
456 }
458 /* Parse a list of arguments from a SRV value either from a vote, consensus
459 * or from our disk state and return a newly allocated srv object. NULL is
460 * returned on error.
461 *
462 * The arguments' order:
463 * num_reveals, value
464 */
465 sr_srv_t *
467 {
476 }
478 /* First argument is the number of reveal values */
483 }
484 /* Second and last argument is the shared random value it self. */
488 }
492 /* We substract one byte from the srclen because the function ignores the
493 * '=' character in the given buffer. This is broken but it's a documented
494 * behavior of the implementation. */
501 }
502 end:
504 }
506 /* Parse a commit from a vote or from our disk state and return a newly
507 * allocated commit object. NULL is returned on error.
508 *
509 * The commit's data is in <b>args</b> and the order matters very much:
510 * algname, RSA fingerprint, commit value[, reveal value]
511 */
512 sr_commit_t *
514 {
516 digest_algorithm_t alg;
522 }
524 /* First argument is the algorithm. */
531 }
533 /* Second argument is the RSA fingerprint of the auth */
538 rsa_identity_fpr);
540 }
541 /* Let's make sure, for extra safety, that this fingerprint is known to
542 * us. Even though this comes from a vote, doesn't hurt to be
543 * extracareful. */
547 rsa_identity_fpr);
549 }
551 /* Allocate commit since we have a valid identity now. */
554 /* Third argument is the commitment value base64-encoded. */
558 }
560 /* (Optional) Fourth argument is the revealed value. */
565 }
566 }
570 error:
573 }
575 /* Initialize shared random subsystem. This MUST be called early in the boot
576 * process of tor. Return 0 on success else -1 on error. */
577 int
579 {
581 }
583 /* Save our state to disk and cleanup everything. */
584 void
586 {
589 }