1 /* Copyright (c) 2016-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
5 * \file shared_random.c
7 * \brief Functions and data structure needed to accomplish the shared
8 * random protocol as defined in proposal #250.
12 * This file implements the dirauth-only commit-and-reveal protocol specified
13 * by proposal #250. The protocol has two phases (sr_phase_t): the commitment
14 * phase and the reveal phase (see get_sr_protocol_phase()).
16 * During the protocol, directory authorities keep state in memory (using
17 * sr_state_t) and in disk (using sr_disk_state_t). The synchronization between
18 * these two data structures happens in disk_state_update() and
21 * Here is a rough protocol outline:
23 * 1) In the beginning of the commitment phase, dirauths generate a
24 * commitment/reveal value for the current protocol run (see
25 * new_protocol_run() and sr_generate_our_commit()).
27 * 2) During voting, dirauths publish their commits in their votes
28 * depending on the current phase. Dirauths also include the two
29 * latest shared random values (SRV) in their votes.
30 * (see sr_get_string_for_vote())
32 * 3) Upon receiving a commit from a vote, authorities parse it, verify
33 * it, and attempt to save any new commitment or reveal information in
34 * their state file (see extract_shared_random_commits() and
35 * sr_handle_received_commits()). They also parse SRVs from votes to
36 * decide which SRV should be included in the final consensus (see
37 * extract_shared_random_srvs()).
39 * 3) After voting is done, we count the SRVs we extracted from the votes,
40 * to find the one voted by the majority of dirauths which should be
41 * included in the final consensus (see get_majority_srv_from_votes()).
42 * If an appropriate SRV is found, it is embedded in the consensus (see
43 * sr_get_string_for_consensus()).
45 * 4) At the end of the reveal phase, dirauths compute a fresh SRV for the
46 * day using the active commits (see sr_compute_srv()). This new SRV
47 * is embedded in the votes as described above.
51 * - To support rebooting authorities and to avoid double voting, each dirauth
52 * saves the current state of the protocol on disk so that it can resume
53 * normally in case of reboot. The disk state (sr_disk_state_t) is managed by
54 * shared_random_state.c:state_query() and we go to extra lengths to ensure
55 * that the state is flushed on disk everytime we receive any useful
56 * information like commits or SRVs.
58 * - When we receive a commit from a vote, we examine it to see if it's useful
59 * to us and whether it's appropriate to receive it according to the current
60 * phase of the protocol (see should_keep_commit()). If the commit is useful
61 * to us, we save it in our disk state using save_commit_to_state(). When we
62 * receive the reveal information corresponding to a commitment, we verify
63 * that they indeed match using verify_commit_and_reveal().
65 * - We treat consensuses as the ground truth, so everytime we generate a new
66 * consensus we update our SR state accordingly even if our local view was
67 * different (see sr_act_post_consensus()).
69 * - After a consensus has been composed, the SR protocol state gets prepared
70 * for the next voting session using sr_state_update(). That function takes
71 * care of housekeeping and also rotates the SRVs and commits in case a new
72 * protocol run is coming up. We also call sr_state_update() on bootup (in
73 * sr_state_init()), to prepare the state for the very first voting session.
77 * - "Commitment" is the commitment value of the commit-and-reveal protocol.
79 * - "Reveal" is the reveal value of the commit-and-reveal protocol.
81 * - "Commit" is a struct (sr_commit_t) that contains a commitment value and
82 * optionally also a corresponding reveal value.
84 * - "SRV" is the Shared Random Value that gets generated as the result of the
85 * commit-and-reveal protocol.
88 #define SHARED_RANDOM_PRIVATE
91 #include "shared_random.h"
93 #include "confparse.h"
95 #include "networkstatus.h"
96 #include "routerkeys.h"
98 #include "routerlist.h"
99 #include "shared_random_state.h"
102 /* String prefix of shared random values in votes/consensuses. */
103 static const char previous_srv_str
[] = "shared-rand-previous-value";
104 static const char current_srv_str
[] = "shared-rand-current-value";
105 static const char commit_ns_str
[] = "shared-rand-commit";
106 static const char sr_flag_ns_str
[] = "shared-rand-participate";
108 /* The value of the consensus param AuthDirNumSRVAgreements found in the
109 * vote. This is set once the consensus creation subsystem requests the
110 * SRV(s) that should be put in the consensus. We use this value to decide
111 * if we keep or not an SRV. */
112 static int32_t num_srv_agreements_from_vote
;
114 /* Return a heap allocated copy of the SRV <b>orig</b>. */
116 srv_dup(const sr_srv_t
*orig
)
118 sr_srv_t
*duplicate
= NULL
;
124 duplicate
= tor_malloc_zero(sizeof(sr_srv_t
));
125 duplicate
->num_reveals
= orig
->num_reveals
;
126 memcpy(duplicate
->value
, orig
->value
, sizeof(duplicate
->value
));
130 /* Allocate a new commit object and initializing it with <b>rsa_identity</b>
131 * that MUST be provided. The digest algorithm is set to the default one
132 * that is supported. The rest is uninitialized. This never returns NULL. */
134 commit_new(const char *rsa_identity
)
138 tor_assert(rsa_identity
);
140 commit
= tor_malloc_zero(sizeof(*commit
));
141 commit
->alg
= SR_DIGEST_ALG
;
142 memcpy(commit
->rsa_identity
, rsa_identity
, sizeof(commit
->rsa_identity
));
143 base16_encode(commit
->rsa_identity_hex
, sizeof(commit
->rsa_identity_hex
),
144 commit
->rsa_identity
, sizeof(commit
->rsa_identity
));
148 /* Issue a log message describing <b>commit</b>. */
150 commit_log(const sr_commit_t
*commit
)
154 log_debug(LD_DIR
, "SR: Commit from %s", sr_commit_get_rsa_fpr(commit
));
155 log_debug(LD_DIR
, "SR: Commit: [TS: %" PRIu64
"] [Encoded: %s]",
156 commit
->commit_ts
, commit
->encoded_commit
);
157 log_debug(LD_DIR
, "SR: Reveal: [TS: %" PRIu64
"] [Encoded: %s]",
158 commit
->reveal_ts
, safe_str(commit
->encoded_reveal
));
161 /* Make sure that the commitment and reveal information in <b>commit</b>
162 * match. If they match return 0, return -1 otherwise. This function MUST be
163 * used everytime we receive a new reveal value. Furthermore, the commit
164 * object MUST have a reveal value and the hash of the reveal value. */
166 verify_commit_and_reveal(const sr_commit_t
*commit
)
170 log_debug(LD_DIR
, "SR: Validating commit from authority %s",
171 sr_commit_get_rsa_fpr(commit
));
173 /* Check that the timestamps match. */
174 if (commit
->commit_ts
!= commit
->reveal_ts
) {
175 log_warn(LD_BUG
, "SR: Commit timestamp %" PRIu64
" doesn't match reveal "
176 "timestamp %" PRIu64
, commit
->commit_ts
,
181 /* Verify that the hashed_reveal received in the COMMIT message, matches
182 * the reveal we just received. */
184 /* We first hash the reveal we just received. */
185 char received_hashed_reveal
[sizeof(commit
->hashed_reveal
)];
187 /* Only sha3-256 is supported. */
188 if (commit
->alg
!= SR_DIGEST_ALG
) {
192 /* Use the invariant length since the encoded reveal variable has an
193 * extra byte for the NUL terminated byte. */
194 if (crypto_digest256(received_hashed_reveal
, commit
->encoded_reveal
,
195 SR_REVEAL_BASE64_LEN
, commit
->alg
) < 0) {
196 /* Unable to digest the reveal blob, this is unlikely. */
200 /* Now compare that with the hashed_reveal we received in COMMIT. */
201 if (fast_memneq(received_hashed_reveal
, commit
->hashed_reveal
,
202 sizeof(received_hashed_reveal
))) {
203 log_warn(LD_BUG
, "SR: Received reveal value from authority %s "
204 "doesn't match the commit value.",
205 sr_commit_get_rsa_fpr(commit
));
215 /* Return true iff the commit contains an encoded reveal value. */
217 commit_has_reveal_value(const sr_commit_t
*commit
)
219 return !tor_mem_is_zero(commit
->encoded_reveal
,
220 sizeof(commit
->encoded_reveal
));
223 /* Parse the encoded commit. The format is:
224 * base64-encode( TIMESTAMP || H(REVEAL) )
226 * If successfully decoded and parsed, commit is updated and 0 is returned.
227 * On error, return -1. */
229 commit_decode(const char *encoded
, sr_commit_t
*commit
)
233 char b64_decoded
[SR_COMMIT_LEN
];
238 if (strlen(encoded
) > SR_COMMIT_BASE64_LEN
) {
239 /* This means that if we base64 decode successfully the reveiced commit,
240 * we'll end up with a bigger decoded commit thus unusable. */
244 /* Decode our encoded commit. Let's be careful here since _encoded_ is
245 * coming from the network in a dirauth vote so we expect nothing more
246 * than the base64 encoded length of a commit. */
247 decoded_len
= base64_decode(b64_decoded
, sizeof(b64_decoded
),
248 encoded
, strlen(encoded
));
249 if (decoded_len
< 0) {
250 log_warn(LD_BUG
, "SR: Commit from authority %s can't be decoded.",
251 sr_commit_get_rsa_fpr(commit
));
255 if (decoded_len
!= SR_COMMIT_LEN
) {
256 log_warn(LD_BUG
, "SR: Commit from authority %s decoded length doesn't "
257 "match the expected length (%d vs %u).",
258 sr_commit_get_rsa_fpr(commit
), decoded_len
,
259 (unsigned)SR_COMMIT_LEN
);
263 /* First is the timestamp (8 bytes). */
264 commit
->commit_ts
= tor_ntohll(get_uint64(b64_decoded
));
265 offset
+= sizeof(uint64_t);
266 /* Next is hashed reveal. */
267 memcpy(commit
->hashed_reveal
, b64_decoded
+ offset
,
268 sizeof(commit
->hashed_reveal
));
269 /* Copy the base64 blob to the commit. Useful for voting. */
270 strlcpy(commit
->encoded_commit
, encoded
, sizeof(commit
->encoded_commit
));
278 /* Parse the b64 blob at <b>encoded</b> containing reveal information and
279 * store the information in-place in <b>commit</b>. Return 0 on success else
280 * a negative value. */
282 reveal_decode(const char *encoded
, sr_commit_t
*commit
)
285 char b64_decoded
[SR_REVEAL_LEN
];
290 if (strlen(encoded
) > SR_REVEAL_BASE64_LEN
) {
291 /* This means that if we base64 decode successfully the received reveal
292 * value, we'll end up with a bigger decoded value thus unusable. */
296 /* Decode our encoded reveal. Let's be careful here since _encoded_ is
297 * coming from the network in a dirauth vote so we expect nothing more
298 * than the base64 encoded length of our reveal. */
299 decoded_len
= base64_decode(b64_decoded
, sizeof(b64_decoded
),
300 encoded
, strlen(encoded
));
301 if (decoded_len
< 0) {
302 log_warn(LD_BUG
, "SR: Reveal from authority %s can't be decoded.",
303 sr_commit_get_rsa_fpr(commit
));
307 if (decoded_len
!= SR_REVEAL_LEN
) {
308 log_warn(LD_BUG
, "SR: Reveal from authority %s decoded length is "
309 "doesn't match the expected length (%d vs %u)",
310 sr_commit_get_rsa_fpr(commit
), decoded_len
,
311 (unsigned)SR_REVEAL_LEN
);
315 commit
->reveal_ts
= tor_ntohll(get_uint64(b64_decoded
));
316 /* Copy the last part, the random value. */
317 memcpy(commit
->random_number
, b64_decoded
+ 8,
318 sizeof(commit
->random_number
));
319 /* Also copy the whole message to use during verification */
320 strlcpy(commit
->encoded_reveal
, encoded
, sizeof(commit
->encoded_reveal
));
328 /* Encode a reveal element using a given commit object to dst which is a
329 * buffer large enough to put the base64-encoded reveal construction. The
330 * format is as follow:
331 * REVEAL = base64-encode( TIMESTAMP || H(RN) )
332 * Return base64 encoded length on success else a negative value.
335 reveal_encode(const sr_commit_t
*commit
, char *dst
, size_t len
)
339 char buf
[SR_REVEAL_LEN
] = {0};
344 set_uint64(buf
, tor_htonll(commit
->reveal_ts
));
345 offset
+= sizeof(uint64_t);
346 memcpy(buf
+ offset
, commit
->random_number
,
347 sizeof(commit
->random_number
));
349 /* Let's clean the buffer and then b64 encode it. */
351 ret
= base64_encode(dst
, len
, buf
, sizeof(buf
), 0);
352 /* Wipe this buffer because it contains our random value. */
353 memwipe(buf
, 0, sizeof(buf
));
357 /* Encode the given commit object to dst which is a buffer large enough to
358 * put the base64-encoded commit. The format is as follow:
359 * COMMIT = base64-encode( TIMESTAMP || H(H(RN)) )
360 * Return base64 encoded length on success else a negative value.
363 commit_encode(const sr_commit_t
*commit
, char *dst
, size_t len
)
366 char buf
[SR_COMMIT_LEN
] = {0};
371 /* First is the timestamp (8 bytes). */
372 set_uint64(buf
, tor_htonll(commit
->commit_ts
));
373 offset
+= sizeof(uint64_t);
374 /* and then the hashed reveal. */
375 memcpy(buf
+ offset
, commit
->hashed_reveal
,
376 sizeof(commit
->hashed_reveal
));
378 /* Clean the buffer and then b64 encode it. */
380 return base64_encode(dst
, len
, buf
, sizeof(buf
), 0);
383 /* Cleanup both our global state and disk state. */
390 /* Using <b>commit</b>, return a newly allocated string containing the commit
391 * information that should be used during SRV calculation. It's the caller
392 * responsibility to free the memory. Return NULL if this is not a commit to be
393 * used for SRV calculation. */
395 get_srv_element_from_commit(const sr_commit_t
*commit
)
400 if (!commit_has_reveal_value(commit
)) {
404 tor_asprintf(&element
, "%s%s", sr_commit_get_rsa_fpr(commit
),
405 commit
->encoded_reveal
);
409 /* Return a srv object that is built with the construction:
410 * SRV = SHA3-256("shared-random" | INT_8(reveal_num) |
411 * INT_4(version) | HASHED_REVEALS | previous_SRV)
412 * This function cannot fail. */
414 generate_srv(const char *hashed_reveals
, uint64_t reveal_num
,
415 const sr_srv_t
*previous_srv
)
417 char msg
[DIGEST256_LEN
+ SR_SRV_MSG_LEN
] = {0};
421 tor_assert(hashed_reveals
);
423 /* Add the invariant token. */
424 memcpy(msg
, SR_SRV_TOKEN
, SR_SRV_TOKEN_LEN
);
425 offset
+= SR_SRV_TOKEN_LEN
;
426 set_uint64(msg
+ offset
, tor_htonll(reveal_num
));
427 offset
+= sizeof(uint64_t);
428 set_uint32(msg
+ offset
, htonl(SR_PROTO_VERSION
));
429 offset
+= sizeof(uint32_t);
430 memcpy(msg
+ offset
, hashed_reveals
, DIGEST256_LEN
);
431 offset
+= DIGEST256_LEN
;
432 if (previous_srv
!= NULL
) {
433 memcpy(msg
+ offset
, previous_srv
->value
, sizeof(previous_srv
->value
));
436 /* Ok we have our message and key for the HMAC computation, allocate our
437 * srv object and do the last step. */
438 srv
= tor_malloc_zero(sizeof(*srv
));
439 crypto_digest256((char *) srv
->value
, msg
, sizeof(msg
), SR_DIGEST_ALG
);
440 srv
->num_reveals
= reveal_num
;
444 char srv_hash_encoded
[SR_SRV_VALUE_BASE64_LEN
+ 1];
445 sr_srv_encode(srv_hash_encoded
, sizeof(srv_hash_encoded
), srv
);
446 log_info(LD_DIR
, "SR: Generated SRV: %s", srv_hash_encoded
);
451 /* Compare reveal values and return the result. This should exclusively be
452 * used by smartlist_sort(). */
454 compare_reveal_(const void **_a
, const void **_b
)
456 const sr_commit_t
*a
= *_a
, *b
= *_b
;
457 return fast_memcmp(a
->hashed_reveal
, b
->hashed_reveal
,
458 sizeof(a
->hashed_reveal
));
461 /* Given <b>commit</b> give the line that we should place in our votes.
462 * It's the responsibility of the caller to free the string. */
464 get_vote_line_from_commit(const sr_commit_t
*commit
, sr_phase_t phase
)
466 char *vote_line
= NULL
;
469 case SR_PHASE_COMMIT
:
470 tor_asprintf(&vote_line
, "%s %u %s %s %s\n",
473 crypto_digest_algorithm_get_name(commit
->alg
),
474 sr_commit_get_rsa_fpr(commit
),
475 commit
->encoded_commit
);
477 case SR_PHASE_REVEAL
:
479 /* Send a reveal value for this commit if we have one. */
480 const char *reveal_str
= commit
->encoded_reveal
;
481 if (tor_mem_is_zero(commit
->encoded_reveal
,
482 sizeof(commit
->encoded_reveal
))) {
485 tor_asprintf(&vote_line
, "%s %u %s %s %s %s\n",
488 crypto_digest_algorithm_get_name(commit
->alg
),
489 sr_commit_get_rsa_fpr(commit
),
490 commit
->encoded_commit
, reveal_str
);
497 log_debug(LD_DIR
, "SR: Commit vote line: %s", vote_line
);
501 /* Convert a given srv object to a string for the control port. This doesn't
502 * fail and the srv object MUST be valid. */
504 srv_to_control_string(const sr_srv_t
*srv
)
507 char srv_hash_encoded
[SR_SRV_VALUE_BASE64_LEN
+ 1];
510 sr_srv_encode(srv_hash_encoded
, sizeof(srv_hash_encoded
), srv
);
511 tor_asprintf(&srv_str
, "%s", srv_hash_encoded
);
515 /* Return a heap allocated string that contains the given <b>srv</b> string
516 * representation formatted for a networkstatus document using the
517 * <b>key</b> as the start of the line. This doesn't return NULL. */
519 srv_to_ns_string(const sr_srv_t
*srv
, const char *key
)
522 char srv_hash_encoded
[SR_SRV_VALUE_BASE64_LEN
+ 1];
526 sr_srv_encode(srv_hash_encoded
, sizeof(srv_hash_encoded
), srv
);
527 tor_asprintf(&srv_str
, "%s %" PRIu64
" %s\n", key
,
528 srv
->num_reveals
, srv_hash_encoded
);
529 log_debug(LD_DIR
, "SR: Consensus SRV line: %s", srv_str
);
533 /* Given the previous SRV and the current SRV, return a heap allocated
534 * string with their data that could be put in a vote or a consensus. Caller
535 * must free the returned string. Return NULL if no SRVs were provided. */
537 get_ns_str_from_sr_values(const sr_srv_t
*prev_srv
, const sr_srv_t
*cur_srv
)
539 smartlist_t
*chunks
= NULL
;
542 if (!prev_srv
&& !cur_srv
) {
546 chunks
= smartlist_new();
549 char *srv_line
= srv_to_ns_string(prev_srv
, previous_srv_str
);
550 smartlist_add(chunks
, srv_line
);
554 char *srv_line
= srv_to_ns_string(cur_srv
, current_srv_str
);
555 smartlist_add(chunks
, srv_line
);
558 /* Join the line(s) here in one string to return. */
559 srv_str
= smartlist_join_strings(chunks
, "", 0, NULL
);
560 SMARTLIST_FOREACH(chunks
, char *, s
, tor_free(s
));
561 smartlist_free(chunks
);
566 /* Return 1 iff the two commits have the same commitment values. This
567 * function does not care about reveal values. */
569 commitments_are_the_same(const sr_commit_t
*commit_one
,
570 const sr_commit_t
*commit_two
)
572 tor_assert(commit_one
);
573 tor_assert(commit_two
);
575 if (strcmp(commit_one
->encoded_commit
, commit_two
->encoded_commit
)) {
581 /* We just received a commit from the vote of authority with
582 * <b>identity_digest</b>. Return 1 if this commit is authorititative that
583 * is, it belongs to the authority that voted it. Else return 0 if not. */
585 commit_is_authoritative(const sr_commit_t
*commit
,
586 const char *voter_key
)
589 tor_assert(voter_key
);
591 return fast_memeq(commit
->rsa_identity
, voter_key
,
592 sizeof(commit
->rsa_identity
));
595 /* Decide if the newly received <b>commit</b> should be kept depending on
596 * the current phase and state of the protocol. The <b>voter_key</b> is the
597 * RSA identity key fingerprint of the authority's vote from which the
598 * commit comes from. The <b>phase</b> is the phase we should be validating
599 * the commit for. Return 1 if the commit should be added to our state or 0
602 should_keep_commit(const sr_commit_t
*commit
, const char *voter_key
,
605 const sr_commit_t
*saved_commit
;
608 tor_assert(voter_key
);
610 log_debug(LD_DIR
, "SR: Inspecting commit from %s (voter: %s)?",
611 sr_commit_get_rsa_fpr(commit
),
612 hex_str(voter_key
, DIGEST_LEN
));
614 /* For a commit to be considered, it needs to be authoritative (it should
615 * be the voter's own commit). */
616 if (!commit_is_authoritative(commit
, voter_key
)) {
617 log_debug(LD_DIR
, "SR: Ignoring non-authoritative commit.");
621 /* Let's make sure, for extra safety, that this fingerprint is known to
622 * us. Even though this comes from a vote, doesn't hurt to be
624 if (trusteddirserver_get_by_v3_auth_digest(commit
->rsa_identity
) == NULL
) {
625 log_warn(LD_DIR
, "SR: Fingerprint %s is not from a recognized "
626 "authority. Discarding commit.",
627 escaped(commit
->rsa_identity
));
631 /* Check if the authority that voted for <b>commit</b> has already posted
632 * a commit before. */
633 saved_commit
= sr_state_get_commit(commit
->rsa_identity
);
636 case SR_PHASE_COMMIT
:
637 /* Already having a commit for an authority so ignore this one. */
639 /* Receiving known commits should happen naturally since commit phase
640 lasts multiple rounds. However if the commitment value changes
641 during commit phase, it might be a bug so log more loudly. */
642 if (!commitments_are_the_same(commit
, saved_commit
)) {
644 "SR: Received altered commit from %s in commit phase.",
645 sr_commit_get_rsa_fpr(commit
));
647 log_debug(LD_DIR
, "SR: Ignoring known commit during commit phase.");
652 /* A commit with a reveal value during commitment phase is very wrong. */
653 if (commit_has_reveal_value(commit
)) {
654 log_warn(LD_DIR
, "SR: Commit from authority %s has a reveal value "
655 "during COMMIT phase. (voter: %s)",
656 sr_commit_get_rsa_fpr(commit
),
657 hex_str(voter_key
, DIGEST_LEN
));
661 case SR_PHASE_REVEAL
:
662 /* We are now in reveal phase. We keep a commit if and only if:
664 * - We have already seen a commit by this auth, AND
665 * - the saved commit has the same commitment value as this one, AND
666 * - the saved commit has no reveal information, AND
667 * - this commit does have reveal information, AND
668 * - the reveal & commit information are matching.
670 * If all the above are true, then we are interested in this new commit
671 * for its reveal information. */
674 log_debug(LD_DIR
, "SR: Ignoring commit first seen in reveal phase.");
678 if (!commitments_are_the_same(commit
, saved_commit
)) {
679 log_warn(LD_DIR
, "SR: Commit from authority %s is different from "
680 "previous commit in our state (voter: %s)",
681 sr_commit_get_rsa_fpr(commit
),
682 hex_str(voter_key
, DIGEST_LEN
));
686 if (commit_has_reveal_value(saved_commit
)) {
687 log_debug(LD_DIR
, "SR: Ignoring commit with known reveal info.");
691 if (!commit_has_reveal_value(commit
)) {
692 log_debug(LD_DIR
, "SR: Ignoring commit without reveal value.");
696 if (verify_commit_and_reveal(commit
) < 0) {
697 log_warn(LD_BUG
, "SR: Commit from authority %s has an invalid "
698 "reveal value. (voter: %s)",
699 sr_commit_get_rsa_fpr(commit
),
700 hex_str(voter_key
, DIGEST_LEN
));
714 /* We are in reveal phase and we found a valid and verified <b>commit</b> in
715 * a vote that contains reveal values that we could use. Update the commit
716 * we have in our state. Never call this with an unverified commit. */
718 save_commit_during_reveal_phase(const sr_commit_t
*commit
)
720 sr_commit_t
*saved_commit
;
724 /* Get the commit from our state. */
725 saved_commit
= sr_state_get_commit(commit
->rsa_identity
);
726 tor_assert(saved_commit
);
727 /* Safety net. They can not be different commitments at this point. */
728 int same_commits
= commitments_are_the_same(commit
, saved_commit
);
729 tor_assert(same_commits
);
731 /* Copy reveal information to our saved commit. */
732 sr_state_copy_reveal_info(saved_commit
, commit
);
735 /* Save <b>commit</b> to our persistent state. Depending on the current
736 * phase, different actions are taken. Steals reference of <b>commit</b>.
737 * The commit object MUST be valid and verified before adding it to the
740 save_commit_to_state(sr_commit_t
*commit
)
742 sr_phase_t phase
= sr_state_get_phase();
744 ASSERT_COMMIT_VALID(commit
);
747 case SR_PHASE_COMMIT
:
748 /* During commit phase, just save any new authoritative commit */
749 sr_state_add_commit(commit
);
751 case SR_PHASE_REVEAL
:
752 save_commit_during_reveal_phase(commit
);
753 sr_commit_free(commit
);
760 /* Return 1 if we should we keep an SRV voted by <b>n_agreements</b> auths.
761 * Return 0 if we should ignore it. */
763 should_keep_srv(int n_agreements
)
765 /* Check if the most popular SRV has reached majority. */
766 int n_voters
= get_n_authorities(V3_DIRINFO
);
767 int votes_required_for_majority
= (n_voters
/ 2) + 1;
769 /* We need at the very least majority to keep a value. */
770 if (n_agreements
< votes_required_for_majority
) {
771 log_notice(LD_DIR
, "SR: SRV didn't reach majority [%d/%d]!",
772 n_agreements
, votes_required_for_majority
);
776 /* When we just computed a new SRV, we need to have super majority in order
778 if (sr_state_srv_is_fresh()) {
779 /* Check if we have super majority for this new SRV value. */
780 if (n_agreements
< num_srv_agreements_from_vote
) {
781 log_notice(LD_DIR
, "SR: New SRV didn't reach agreement [%d/%d]!",
782 n_agreements
, num_srv_agreements_from_vote
);
790 /* Helper: compare two DIGEST256_LEN digests. */
792 compare_srvs_(const void **_a
, const void **_b
)
794 const sr_srv_t
*a
= *_a
, *b
= *_b
;
795 return tor_memcmp(a
->value
, b
->value
, sizeof(a
->value
));
798 /* Return the most frequent member of the sorted list of DIGEST256_LEN
799 * digests in <b>sl</b> with the count of that most frequent element. */
801 smartlist_get_most_frequent_srv(const smartlist_t
*sl
, int *count_out
)
803 return smartlist_get_most_frequent_(sl
, compare_srvs_
, count_out
);
806 /** Compare two SRVs. Used in smartlist sorting. */
808 compare_srv_(const void **_a
, const void **_b
)
810 const sr_srv_t
*a
= *_a
, *b
= *_b
;
811 return fast_memcmp(a
->value
, b
->value
,
815 /* Using a list of <b>votes</b>, return the SRV object from them that has
816 * been voted by the majority of dirauths. If <b>current</b> is set, we look
817 * for the current SRV value else the previous one. The returned pointer is
818 * an object located inside a vote. NULL is returned if no appropriate value
821 get_majority_srv_from_votes(const smartlist_t
*votes
, int current
)
824 sr_srv_t
*most_frequent_srv
= NULL
;
825 sr_srv_t
*the_srv
= NULL
;
826 smartlist_t
*srv_list
;
830 srv_list
= smartlist_new();
832 /* Walk over votes and register any SRVs found. */
833 SMARTLIST_FOREACH_BEGIN(votes
, networkstatus_t
*, v
) {
834 sr_srv_t
*srv_tmp
= NULL
;
836 if (!v
->sr_info
.participate
) {
837 /* Ignore vote that do not participate. */
840 /* Do we want previous or current SRV? */
841 srv_tmp
= current
? v
->sr_info
.current_srv
: v
->sr_info
.previous_srv
;
846 smartlist_add(srv_list
, srv_tmp
);
847 } SMARTLIST_FOREACH_END(v
);
849 smartlist_sort(srv_list
, compare_srv_
);
850 most_frequent_srv
= smartlist_get_most_frequent_srv(srv_list
, &count
);
851 if (!most_frequent_srv
) {
855 /* Was this SRV voted by enough auths for us to keep it? */
856 if (!should_keep_srv(count
)) {
860 /* We found an SRV that we can use! Habemus SRV! */
861 the_srv
= most_frequent_srv
;
865 char encoded
[SR_SRV_VALUE_BASE64_LEN
+ 1];
866 sr_srv_encode(encoded
, sizeof(encoded
), the_srv
);
867 log_debug(LD_DIR
, "SR: Chosen SRV by majority: %s (%d votes)", encoded
,
872 /* We do not free any sr_srv_t values, we don't have the ownership. */
873 smartlist_free(srv_list
);
877 /* Encode the given shared random value and put it in dst. Destination
878 * buffer must be at least SR_SRV_VALUE_BASE64_LEN plus the NULL byte. */
880 sr_srv_encode(char *dst
, size_t dst_len
, const sr_srv_t
*srv
)
883 /* Extra byte for the NULL terminated char. */
884 char buf
[SR_SRV_VALUE_BASE64_LEN
+ 1];
888 tor_assert(dst_len
>= sizeof(buf
));
890 ret
= base64_encode(buf
, sizeof(buf
), (const char *) srv
->value
,
891 sizeof(srv
->value
), 0);
892 /* Always expect the full length without the NULL byte. */
893 tor_assert(ret
== (sizeof(buf
) - 1));
894 tor_assert(ret
<= (int) dst_len
);
895 strlcpy(dst
, buf
, dst_len
);
898 /* Free a commit object. */
900 sr_commit_free(sr_commit_t
*commit
)
902 if (commit
== NULL
) {
905 /* Make sure we do not leave OUR random number in memory. */
906 memwipe(commit
->random_number
, 0, sizeof(commit
->random_number
));
910 /* Generate the commitment/reveal value for the protocol run starting at
911 * <b>timestamp</b>. <b>my_rsa_cert</b> is our authority RSA certificate. */
913 sr_generate_our_commit(time_t timestamp
, const authority_cert_t
*my_rsa_cert
)
915 sr_commit_t
*commit
= NULL
;
916 char digest
[DIGEST_LEN
];
918 tor_assert(my_rsa_cert
);
920 /* Get our RSA identity fingerprint */
921 if (crypto_pk_get_digest(my_rsa_cert
->identity_key
, digest
) < 0) {
925 /* New commit with our identity key. */
926 commit
= commit_new(digest
);
928 /* Generate the reveal random value */
929 crypto_strongest_rand(commit
->random_number
,
930 sizeof(commit
->random_number
));
931 commit
->commit_ts
= commit
->reveal_ts
= timestamp
;
933 /* Now get the base64 blob that corresponds to our reveal */
934 if (reveal_encode(commit
, commit
->encoded_reveal
,
935 sizeof(commit
->encoded_reveal
)) < 0) {
936 log_err(LD_DIR
, "SR: Unable to encode our reveal value!");
940 /* Now let's create the commitment */
941 tor_assert(commit
->alg
== SR_DIGEST_ALG
);
942 /* The invariant length is used here since the encoded reveal variable
943 * has an extra byte added for the NULL terminated byte. */
944 if (crypto_digest256(commit
->hashed_reveal
, commit
->encoded_reveal
,
945 SR_REVEAL_BASE64_LEN
, commit
->alg
) < 0) {
949 /* Now get the base64 blob that corresponds to our commit. */
950 if (commit_encode(commit
, commit
->encoded_commit
,
951 sizeof(commit
->encoded_commit
)) < 0) {
952 log_err(LD_DIR
, "SR: Unable to encode our commit value!");
956 log_debug(LD_DIR
, "SR: Generated our commitment:");
958 /* Our commit better be valid :). */
963 sr_commit_free(commit
);
967 /* Compute the shared random value based on the active commits in our state. */
971 uint64_t reveal_num
= 0;
972 char *reveals
= NULL
;
973 smartlist_t
*chunks
, *commits
;
974 digestmap_t
*state_commits
;
976 /* Computing a shared random value in the commit phase is very wrong. This
977 * should only happen at the very end of the reveal phase when a new
978 * protocol run is about to start. */
979 tor_assert(sr_state_get_phase() == SR_PHASE_REVEAL
);
980 state_commits
= sr_state_get_commits();
982 commits
= smartlist_new();
983 chunks
= smartlist_new();
985 /* We must make a list of commit ordered by authority fingerprint in
986 * ascending order as specified by proposal 250. */
987 DIGESTMAP_FOREACH(state_commits
, key
, sr_commit_t
*, c
) {
988 /* Extra safety net, make sure we have valid commit before using it. */
989 ASSERT_COMMIT_VALID(c
);
990 /* Let's not use a commit from an authority that we don't know. It's
991 * possible that an authority could be removed during a protocol run so
992 * that commit value should never be used in the SRV computation. */
993 if (trusteddirserver_get_by_v3_auth_digest(c
->rsa_identity
) == NULL
) {
994 log_warn(LD_DIR
, "SR: Fingerprint %s is not from a recognized "
995 "authority. Discarding commit for the SRV computation.",
996 sr_commit_get_rsa_fpr(c
));
999 /* We consider this commit valid. */
1000 smartlist_add(commits
, c
);
1001 } DIGESTMAP_FOREACH_END
;
1002 smartlist_sort(commits
, compare_reveal_
);
1004 /* Now for each commit for that sorted list in ascending order, we'll
1005 * build the element for each authority that needs to go into the srv
1007 SMARTLIST_FOREACH_BEGIN(commits
, const sr_commit_t
*, c
) {
1008 char *element
= get_srv_element_from_commit(c
);
1010 smartlist_add(chunks
, element
);
1013 } SMARTLIST_FOREACH_END(c
);
1014 smartlist_free(commits
);
1017 /* Join all reveal values into one giant string that we'll hash so we
1018 * can generated our shared random value. */
1019 sr_srv_t
*current_srv
;
1020 char hashed_reveals
[DIGEST256_LEN
];
1021 reveals
= smartlist_join_strings(chunks
, "", 0, NULL
);
1022 SMARTLIST_FOREACH(chunks
, char *, s
, tor_free(s
));
1023 smartlist_free(chunks
);
1024 if (crypto_digest256(hashed_reveals
, reveals
, strlen(reveals
),
1025 SR_DIGEST_ALG
) < 0) {
1028 current_srv
= generate_srv(hashed_reveals
, reveal_num
,
1029 sr_state_get_previous_srv());
1030 sr_state_set_current_srv(current_srv
);
1031 /* We have a fresh SRV, flag our state. */
1032 sr_state_set_fresh_srv();
1039 /* Parse a list of arguments from a SRV value either from a vote, consensus
1040 * or from our disk state and return a newly allocated srv object. NULL is
1041 * returned on error.
1043 * The arguments' order:
1044 * num_reveals, value
1047 sr_parse_srv(const smartlist_t
*args
)
1051 uint64_t num_reveals
;
1052 sr_srv_t
*srv
= NULL
;
1056 if (smartlist_len(args
) < 2) {
1060 /* First argument is the number of reveal values */
1061 num_reveals
= tor_parse_uint64(smartlist_get(args
, 0),
1062 10, 0, UINT64_MAX
, &ok
, NULL
);
1066 /* Second and last argument is the shared random value it self. */
1067 value
= smartlist_get(args
, 1);
1068 if (strlen(value
) != SR_SRV_VALUE_BASE64_LEN
) {
1072 srv
= tor_malloc_zero(sizeof(*srv
));
1073 srv
->num_reveals
= num_reveals
;
1074 /* We substract one byte from the srclen because the function ignores the
1075 * '=' character in the given buffer. This is broken but it's a documented
1076 * behavior of the implementation. */
1077 ret
= base64_decode((char *) srv
->value
, sizeof(srv
->value
), value
,
1078 SR_SRV_VALUE_BASE64_LEN
- 1);
1079 if (ret
!= sizeof(srv
->value
)) {
1088 /* Parse a commit from a vote or from our disk state and return a newly
1089 * allocated commit object. NULL is returned on error.
1091 * The commit's data is in <b>args</b> and the order matters very much:
1092 * version, algname, RSA fingerprint, commit value[, reveal value]
1095 sr_parse_commit(const smartlist_t
*args
)
1098 char *value
, digest
[DIGEST_LEN
];
1099 digest_algorithm_t alg
;
1100 const char *rsa_identity_fpr
;
1101 sr_commit_t
*commit
= NULL
;
1103 if (smartlist_len(args
) < 4) {
1107 /* First is the version number of the SR protocol which indicates at which
1108 * version that commit was created. */
1109 value
= smartlist_get(args
, 0);
1110 version
= (uint32_t) tor_parse_ulong(value
, 10, 1, UINT32_MAX
, NULL
, NULL
);
1111 if (version
> SR_PROTO_VERSION
) {
1112 log_info(LD_DIR
, "SR: Commit version %" PRIu32
" (%s) is not supported.",
1113 version
, escaped(value
));
1117 /* Second is the algorithm. */
1118 value
= smartlist_get(args
, 1);
1119 alg
= crypto_digest_algorithm_parse_name(value
);
1120 if (alg
!= SR_DIGEST_ALG
) {
1121 log_warn(LD_BUG
, "SR: Commit algorithm %s is not recognized.",
1126 /* Third argument is the RSA fingerprint of the auth and turn it into a
1128 rsa_identity_fpr
= smartlist_get(args
, 2);
1129 if (base16_decode(digest
, DIGEST_LEN
, rsa_identity_fpr
,
1130 HEX_DIGEST_LEN
) < 0) {
1131 log_warn(LD_DIR
, "SR: RSA fingerprint %s not decodable",
1132 escaped(rsa_identity_fpr
));
1136 /* Allocate commit since we have a valid identity now. */
1137 commit
= commit_new(digest
);
1139 /* Fourth argument is the commitment value base64-encoded. */
1140 value
= smartlist_get(args
, 3);
1141 if (commit_decode(value
, commit
) < 0) {
1145 /* (Optional) Fifth argument is the revealed value. */
1146 if (smartlist_len(args
) > 4) {
1147 value
= smartlist_get(args
, 4);
1148 if (reveal_decode(value
, commit
) < 0) {
1156 sr_commit_free(commit
);
1160 /* Called when we are done parsing a vote by <b>voter_key</b> that might
1161 * contain some useful <b>commits</b>. Find if any of them should be kept
1162 * and update our state accordingly. Once done, the list of commitments will
1165 sr_handle_received_commits(smartlist_t
*commits
, crypto_pk_t
*voter_key
)
1167 char rsa_identity
[DIGEST_LEN
];
1169 tor_assert(voter_key
);
1171 /* It's possible that the vote has _NO_ commits. */
1172 if (commits
== NULL
) {
1176 /* Get the RSA identity fingerprint of this voter */
1177 if (crypto_pk_get_digest(voter_key
, rsa_identity
) < 0) {
1181 SMARTLIST_FOREACH_BEGIN(commits
, sr_commit_t
*, commit
) {
1182 /* We won't need the commit in this list anymore, kept or not. */
1183 SMARTLIST_DEL_CURRENT(commits
, commit
);
1184 /* Check if this commit is valid and should be stored in our state. */
1185 if (!should_keep_commit(commit
, rsa_identity
,
1186 sr_state_get_phase())) {
1187 sr_commit_free(commit
);
1190 /* Ok, we have a valid commit now that we are about to put in our state.
1191 * so flag it valid from now on. */
1193 /* Everything lines up: save this commit to state then! */
1194 save_commit_to_state(commit
);
1195 } SMARTLIST_FOREACH_END(commit
);
1198 /* Return a heap-allocated string containing commits that should be put in
1199 * the votes. It's the responsibility of the caller to free the string.
1200 * This always return a valid string, either empty or with line(s). */
1202 sr_get_string_for_vote(void)
1204 char *vote_str
= NULL
;
1205 digestmap_t
*state_commits
;
1206 smartlist_t
*chunks
= smartlist_new();
1207 const or_options_t
*options
= get_options();
1209 /* Are we participating in the protocol? */
1210 if (!options
->AuthDirSharedRandomness
) {
1214 log_debug(LD_DIR
, "SR: Preparing our vote info:");
1216 /* First line, put in the vote the participation flag. */
1219 tor_asprintf(&sr_flag_line
, "%s\n", sr_flag_ns_str
);
1220 smartlist_add(chunks
, sr_flag_line
);
1223 /* In our vote we include every commitment in our permanent state. */
1224 state_commits
= sr_state_get_commits();
1225 smartlist_t
*state_commit_vote_lines
= smartlist_new();
1226 DIGESTMAP_FOREACH(state_commits
, key
, const sr_commit_t
*, commit
) {
1227 char *line
= get_vote_line_from_commit(commit
, sr_state_get_phase());
1228 smartlist_add(state_commit_vote_lines
, line
);
1229 } DIGESTMAP_FOREACH_END
;
1231 /* Sort the commit strings by version (string, not numeric), algorithm,
1232 * and fingerprint. This makes sure the commit lines in votes are in a
1233 * recognisable, stable order. */
1234 smartlist_sort_strings(state_commit_vote_lines
);
1236 /* Now add the sorted list of commits to the vote */
1237 smartlist_add_all(chunks
, state_commit_vote_lines
);
1238 smartlist_free(state_commit_vote_lines
);
1240 /* Add the SRV value(s) if any. */
1242 char *srv_lines
= get_ns_str_from_sr_values(sr_state_get_previous_srv(),
1243 sr_state_get_current_srv());
1245 smartlist_add(chunks
, srv_lines
);
1250 vote_str
= smartlist_join_strings(chunks
, "", 0, NULL
);
1251 SMARTLIST_FOREACH(chunks
, char *, s
, tor_free(s
));
1252 smartlist_free(chunks
);
1256 /* Return a heap-allocated string that should be put in the consensus and
1257 * contains the shared randomness values. It's the responsibility of the
1258 * caller to free the string. NULL is returned if no SRV(s) available.
1260 * This is called when a consensus (any flavor) is bring created thus it
1261 * should NEVER change the state nor the state should be changed in between
1262 * consensus creation.
1264 * <b>num_srv_agreements</b> is taken from the votes thus the voted value
1265 * that should be used.
1268 sr_get_string_for_consensus(const smartlist_t
*votes
,
1269 int32_t num_srv_agreements
)
1272 const or_options_t
*options
= get_options();
1276 /* Not participating, avoid returning anything. */
1277 if (!options
->AuthDirSharedRandomness
) {
1278 log_info(LD_DIR
, "SR: Support disabled (AuthDirSharedRandomness %d)",
1279 options
->AuthDirSharedRandomness
);
1283 /* Set the global value of AuthDirNumSRVAgreements found in the votes. */
1284 num_srv_agreements_from_vote
= num_srv_agreements
;
1286 /* Check the votes and figure out if SRVs should be included in the final
1288 sr_srv_t
*prev_srv
= get_majority_srv_from_votes(votes
, 0);
1289 sr_srv_t
*cur_srv
= get_majority_srv_from_votes(votes
, 1);
1290 srv_str
= get_ns_str_from_sr_values(prev_srv
, cur_srv
);
1300 /* We just computed a new <b>consensus</b>. Update our state with the SRVs
1301 * from the consensus (might be NULL as well). Register the SRVs in our SR
1302 * state and prepare for the upcoming protocol round. */
1304 sr_act_post_consensus(const networkstatus_t
*consensus
)
1306 const or_options_t
*options
= get_options();
1308 /* Don't act if our state hasn't been initialized. We can be called during
1309 * boot time when loading consensus from disk which is prior to the
1310 * initialization of the SR subsystem. We also should not be doing
1311 * anything if we are _not_ a directory authority and if we are a bridge
1313 if (!sr_state_is_initialized() || !authdir_mode_v3(options
) ||
1314 authdir_mode_bridge(options
)) {
1318 /* Set the majority voted SRVs in our state even if both are NULL. It
1319 * doesn't matter this is what the majority has decided. Obviously, we can
1320 * only do that if we have a consensus. */
1322 /* Start by freeing the current SRVs since the SRVs we believed during
1323 * voting do not really matter. Now that all the votes are in, we use the
1324 * majority's opinion on which are the active SRVs. */
1325 sr_state_clean_srvs();
1326 /* Reset the fresh flag of the SRV so we know that from now on we don't
1327 * have a new SRV to vote for. We just used the one from the consensus
1328 * decided by the majority. */
1329 sr_state_unset_fresh_srv();
1330 /* Set the SR values from the given consensus. */
1331 sr_state_set_previous_srv(srv_dup(consensus
->sr_info
.previous_srv
));
1332 sr_state_set_current_srv(srv_dup(consensus
->sr_info
.current_srv
));
1335 /* Prepare our state so that it's ready for the next voting period. */
1337 voting_schedule_t
*voting_schedule
=
1338 get_voting_schedule(options
,time(NULL
), LOG_NOTICE
);
1339 time_t interval_starts
= voting_schedule
->interval_starts
;
1340 sr_state_update(interval_starts
);
1341 voting_schedule_free(voting_schedule
);
1345 /* Initialize shared random subsystem. This MUST be called early in the boot
1346 * process of tor. Return 0 on success else -1 on error. */
1348 sr_init(int save_to_disk
)
1350 return sr_state_init(save_to_disk
, 1);
1353 /* Save our state to disk and cleanup everything. */
1355 sr_save_and_cleanup(void)
1361 /* Return the current SRV string representation for the control port. Return a
1362 * newly allocated string on success containing the value else "" if not found
1363 * or if we don't have a valid consensus yet. */
1365 sr_get_current_for_control(void)
1368 const networkstatus_t
*c
= networkstatus_get_latest_consensus();
1369 if (c
&& c
->sr_info
.current_srv
) {
1370 srv_str
= srv_to_control_string(c
->sr_info
.current_srv
);
1372 srv_str
= tor_strdup("");
1377 /* Return the previous SRV string representation for the control port. Return
1378 * a newly allocated string on success containing the value else "" if not
1379 * found or if we don't have a valid consensus yet. */
1381 sr_get_previous_for_control(void)
1384 const networkstatus_t
*c
= networkstatus_get_latest_consensus();
1385 if (c
&& c
->sr_info
.previous_srv
) {
1386 srv_str
= srv_to_control_string(c
->sr_info
.previous_srv
);
1388 srv_str
= tor_strdup("");
1393 /* Return current shared random value from the latest consensus. Caller can
1394 * NOT keep a reference to the returned pointer. Return NULL if none. */
1396 sr_get_current(const networkstatus_t
*ns
)
1398 const networkstatus_t
*consensus
;
1400 /* Use provided ns else get a live one */
1404 consensus
= networkstatus_get_live_consensus(approx_time());
1406 /* Ideally we would never be asked for an SRV without a live consensus. Make
1407 * sure this assumption is correct. */
1408 tor_assert_nonfatal(consensus
);
1411 return consensus
->sr_info
.current_srv
;
1416 /* Return previous shared random value from the latest consensus. Caller can
1417 * NOT keep a reference to the returned pointer. Return NULL if none. */
1419 sr_get_previous(const networkstatus_t
*ns
)
1421 const networkstatus_t
*consensus
;
1423 /* Use provided ns else get a live one */
1427 consensus
= networkstatus_get_live_consensus(approx_time());
1429 /* Ideally we would never be asked for an SRV without a live consensus. Make
1430 * sure this assumption is correct. */
1431 tor_assert_nonfatal(consensus
);
1434 return consensus
->sr_info
.previous_srv
;
1439 #ifdef TOR_UNIT_TESTS
1441 /* Set the global value of number of SRV agreements so the test can play
1442 * along by calling specific functions that don't parse the votes prior for
1443 * the AuthDirNumSRVAgreements value. */
1445 set_num_srv_agreements(int32_t value
)
1447 num_srv_agreements_from_vote
= value
;
1450 #endif /* TOR_UNIT_TESTS */