| blob | 323f2bd5761c03bef864fb6a883c749e049c0598 |
1 /* Copyright (c) 2014, Daniel MartÃ
2 * Copyright (c) 2014-2021, The Tor Project, Inc. */
3 /* See LICENSE for licensing information */
5 /**
6 * \file consdiff.c
7 * \brief Consensus diff implementation, including both the generation and the
8 * application of diffs in a minimal ed format.
9 *
10 * The consensus diff application is done in consdiff_apply_diff, which relies
11 * on apply_ed_diff for the main ed diff part and on some digest helper
12 * functions to check the digest hashes found in the consensus diff header.
13 *
14 * The consensus diff generation is more complex. consdiff_gen_diff generates
15 * it, relying on gen_ed_diff to generate the ed diff and some digest helper
16 * functions to generate the digest hashes.
17 *
18 * gen_ed_diff is the tricky bit. In it simplest form, it will take quadratic
19 * time and linear space to generate an ed diff given two smartlists. As shown
20 * in its comment section, calling calc_changes on the entire two consensuses
21 * will calculate what is to be added and what is to be deleted in the diff.
22 * Its comment section briefly explains how it works.
23 *
24 * In our case specific to consensuses, we take advantage of the fact that
25 * consensuses list routers sorted by their identities. We use that
26 * information to avoid running calc_changes on the whole smartlists.
27 * gen_ed_diff will navigate through the two consensuses identity by identity
28 * and will send small couples of slices to calc_changes, keeping the running
29 * time near-linear. This is explained in more detail in the gen_ed_diff
30 * comments.
31 *
32 * The allocation strategy tries to save time and memory by avoiding needless
33 * copies. Instead of actually splitting the inputs into separate strings, we
34 * allocate cdline_t objects, each of which represents a line in the original
35 * object or in the output. We use memarea_t allocators to manage the
36 * temporary memory we use when generating or applying diffs.
37 **/
39 #define CONSDIFF_PRIVATE
51 /** Return true iff a and b have the same contents. */
52 STATIC int
54 {
56 }
58 /** Return true iff a has the same contents as the nul-terminated string b. */
59 STATIC int
61 {
66 }
68 /** Return true iff a begins with the same contents as the nul-terminated
69 * string b. */
70 static int
72 {
76 }
78 /** Return a new cdline_t holding as its contents the nul-terminated
79 * string s. Use the provided memory area for storage. */
82 {
89 }
91 /** Add a cdline_t to <b>lst</b> holding as its contents the nul-terminated
92 * string s. Use the provided memory area for storage. */
93 STATIC void
95 {
97 }
99 /** Compute the digest of <b>cons</b>, and store the result in
100 * <b>digest_out</b>. Return 0 on success, -1 on failure. */
101 /* This is a separate, mockable function so that we can override it when
102 * fuzzing. */
106 {
110 }
112 /** Compute the digest-as-signed of <b>cons</b>, and store the result in
113 * <b>digest_out</b>. Return 0 on success, -1 on failure. */
114 /* This is a separate, mockable function so that we can override it when
115 * fuzzing. */
119 {
122 }
124 /** Return true iff <b>d1</b> and <b>d2</b> contain the same digest */
125 /* This is a separate, mockable function so that we can override it when
126 * fuzzing. */
130 {
132 }
134 /** Create (allocate) a new slice from a smartlist. Assumes that the start
135 * and the end indexes are within the bounds of the initial smartlist. The end
136 * element is not part of the resulting slice. If end is -1, the slice is to
137 * reach the end of the smartlist.
138 */
139 STATIC smartlist_slice_t *
141 {
147 }
155 }
157 /** Helper: Compute the longest common subsequence lengths for the two slices.
158 * Used as part of the diff generation to find the column at which to split
159 * slice2 while still having the optimal solution.
160 * If direction is -1, the navigation is reversed. Otherwise it must be 1.
161 * The length of the resulting integer array is that of the second slice plus
162 * one.
163 */
167 {
170 /* Resulting lcs lengths. */
172 /* Copy of the lcs lengths from the last iteration. */
180 }
185 /* Store the last results. */
191 }
197 /* If the lines are equal, the lcs is one line longer. */
200 /* If not, see what lcs parent path is longer. */
202 }
203 }
204 }
207 }
209 /** Helper: Trim any number of lines that are equally at the start or the end
210 * of both slices.
211 */
212 STATIC void
214 {
220 }
223 }
233 }
234 i1--;
236 i2--;
238 }
239 }
241 /** Like smartlist_string_pos, but uses a cdline_t, and is restricted to the
242 * bounds of the slice.
243 */
244 STATIC int
247 {
253 }
254 }
256 }
258 /** Helper: Set all the appropriate changed booleans to true. The first slice
259 * must be of length 0 or 1. All the lines of slice1 and slice2 which are not
260 * present in the other slice will be set to changed in their bool array.
261 * The two changed bool arrays are passed in the same order as the slices.
262 */
263 STATIC void
266 {
275 }
276 }
281 }
282 }
283 }
285 /*
286 * Helper: Given that slice1 has been split by half into top and bot, we want
287 * to fetch the column at which to split slice2 so that we are still on track
288 * to the optimal diff solution, i.e. the shortest one. We use lcs_lengths
289 * since the shortest diff is just another way to say the longest common
290 * subsequence.
291 */
292 static int
296 {
306 }
307 }
312 }
314 /**
315 * Helper: Figure out what elements are new or gone on the second smartlist
316 * relative to the first smartlist, and store the booleans in the bitarrays.
317 * True on the first bitarray means the element is gone, true on the second
318 * bitarray means it's new.
319 *
320 * In its base case, either of the smartlists is of length <= 1 and we can
321 * quickly see what elements are new or are gone. In the other case, we will
322 * split one smartlist by half and we'll use optimal_column_to_split to find
323 * the optimal column at which to split the second smartlist so that we are
324 * finding the smallest diff possible.
325 */
326 STATIC void
330 {
339 /* Keep on splitting the slices in two. */
343 /* Split the first slice in half. */
349 /* Split the second slice by the optimal column. */
361 }
362 }
364 /* This table is from crypto.c. The SP and PAD defines are different. */
365 #define NOT_VALID_BASE64 255
366 #define X NOT_VALID_BASE64
367 #define SP NOT_VALID_BASE64
368 #define PAD NOT_VALID_BASE64
386 };
388 /** Helper: Get the identity hash from a router line, assuming that the line
389 * at least appears to be a router line and thus starts with "r ".
390 *
391 * If an identity hash is found, store it (without decoding it) in
392 * <b>hash_out</b>, and return 0. On failure, return -1.
393 */
394 STATIC int
396 {
400 /* Skip the router name. */
404 }
406 hash++;
408 /* Stop when the first non-base64 character is found. Use unsigned chars to
409 * avoid negative indexes causing crashes.
410 */
414 hash_end++;
415 }
417 /* Empty hash. */
420 }
423 /* Always true because lines are limited to this length */
429 }
431 /** Helper: Check that a line is a valid router entry. We must at least be
432 * able to fetch a proper identity hash from it for it to be valid.
433 */
434 STATIC int
436 {
439 cdline_t tmp;
441 }
443 /** Helper: Find the next router line starting at the current position.
444 * Assumes that cur is lower than the length of the smartlist, i.e. it is a
445 * line within the bounds of the consensus. The only exception is when we
446 * don't want to skip the first line, in which case cur will be -1.
447 */
448 STATIC int
450 {
456 }
462 }
464 }
466 }
468 /** Helper: compare two base64-encoded identity hashes, which may be of
469 * different lengths. Comparison ends when the first non-base64 char is found.
470 */
471 STATIC int
473 {
474 /* NULL is always lower, useful for last_hash which starts at NULL. */
477 }
480 }
483 }
485 /* Don't index with a char; char may be signed. */
495 /* Both ended with exactly the same characters. */
498 /* hash2 goes on longer than hash1 and thus hash1 is lower. */
500 }
502 /* hash1 goes on longer than hash2 and thus hash1 is greater. */
505 /* The first difference shows that hash1 is lower. */
508 /* The first difference shows that hash1 is greater. */
511 a++;
512 b++;
518 }
521 }
522 }
523 }
524 }
526 /** Structure used to remember the previous and current identity hash of
527 * the "r " lines in a consensus, to enforce well-ordering. */
529 cdline_t last_hash;
530 cdline_t hash;
533 #ifndef COCCI
534 /**
535 * Initializer for a router_id_iterator_t.
536 */
537 #define ROUTER_ID_ITERATOR_INIT { { NULL, 0 }, { NULL, 0 } }
540 /** Given an index *<b>idxp</b> into the consensus at <b>cons</b>, advance
541 * the index to the next router line ("r ...") in the consensus, or to
542 * an index one after the end of the list if there is no such line.
543 *
544 * Use <b>iter</b> to record the hash of the found router line, if any,
545 * and to enforce ordering on the hashes. If the hashes are mis-ordered,
546 * return -1. Else, return 0.
547 **/
548 static int
553 {
560 "the %s consensus doesn't have its router entries sorted "
563 }
564 }
566 }
568 /** Line-prefix indicating the beginning of the signatures section that we
569 * intend to delete. */
572 /** Pre-process a consensus in <b>cons</b> (represented as a list of cdline_t)
573 * to remove the signatures from it. If the footer is removed, return a
574 * cdline_t containing a delete command to delete the footer, allocated in
575 * <b>area</b>. If no footer is removed, return NULL.
576 *
577 * We remove the signatures here because they are not themselves signed, and
578 * as such there might be different encodings for them.
579 */
583 {
591 }
592 }
601 }
602 }
604 /** Generate an ed diff as a smartlist from two consensuses, also given as
605 * smartlists. Will return NULL if the diff could not be generated, which can
606 * happen if any lines the script had to add matched "." or if the routers
607 * were not properly ordered.
608 *
609 * All cdline_t objects in the resulting object are either references to lines
610 * in one of the inputs, or are newly allocated lines in the provided memarea.
611 *
612 * This implementation is consensus-specific. To generate an ed diff for any
613 * given input in quadratic time, you can replace all the code until the
614 * navigation in reverse order with the following:
615 *
616 * int len1 = smartlist_len(cons1);
617 * int len2 = smartlist_len(cons2);
618 * bitarray_t *changed1 = bitarray_init_zero(len1);
619 * bitarray_t *changed2 = bitarray_init_zero(len2);
620 * cons1_sl = smartlist_slice(cons1, 0, -1);
621 * cons2_sl = smartlist_slice(cons2, 0, -1);
622 * calc_changes(cons1_sl, cons2_sl, changed1, changed2);
623 */
624 STATIC smartlist_t *
627 {
637 /* There's a delete-the-trailer line at the end, so add it here. */
639 }
641 /* Initialize the changed bitarrays to zero, so that calc_changes only needs
642 * to set the ones that matter and leave the rest untouched.
643 */
649 /* To check that hashes are ordered properly */
653 /* i1 and i2 are initialized at the first line of each consensus. They never
654 * reach past len1 and len2 respectively, since next_router doesn't let that
655 * happen. i1 and i2 are advanced by at least one line at each iteration as
656 * long as they have not yet reached len1 and len2, so the loop is
657 * guaranteed to end, and each pair of (i1,i2) will be inspected at most
658 * once.
659 */
662 /* Advance each of the two navigation positions by one router entry if not
663 * yet at the end.
664 */
668 }
669 }
674 }
675 }
677 /* If we have reached the end of both consensuses, there is no need to
678 * compare hashes anymore, since this is the last iteration.
679 */
682 /* Keep on advancing the lower (by identity hash sorting) position until
683 * we have two matching positions. The only other possible outcome is
684 * that a lower position reaches the end of the consensus before it can
685 * reach a hash that is no longer the lower one. Since there will always
686 * be a lower hash for as long as the loop runs, one of the two indexes
687 * will always be incremented, thus assuring that the loop must end
688 * after a finite number of iterations. If that cannot be because said
689 * consensus has already reached the end, both are extended to their
690 * respecting ends since we are done.
691 */
697 }
699 /* We finished the first consensus, so grab all the remaining
700 * lines of the second consensus and finish up.
701 */
704 }
708 }
710 /* We finished the second consensus, so grab all the remaining
711 * lines of the first consensus and finish up.
712 */
715 }
720 }
722 }
723 }
725 /* Make slices out of these chunks (up to the common router entry) and
726 * calculate the changes for them.
727 * Error if any of the two slices are longer than 10K lines. That should
728 * never happen with any pair of real consensuses. Feeding more than 10K
729 * lines to calc_changes would be very slow anyway.
730 */
731 #define MAX_LINE_COUNT (10000)
736 }
744 }
746 /* Navigate the changes in reverse order and generate one ed command for
747 * each chunk of changes.
748 */
755 /* We are at a point were no changed bools are true, so just keep going. */
759 i1--;
760 }
762 i2--;
763 }
765 }
769 /* Grab all contiguous changed lines */
771 i1--;
772 }
774 i2--;
775 }
787 }
799 }
807 }
809 }
811 }
812 }
820 error_cleanup:
829 }
831 /* Helper: Read a base-10 number between 0 and INT32_MAX from <b>s</b> and
832 * store it in <b>num_out</b>. Advance <b>s</b> to the character immediately
833 * after the number. Return 0 on success, -1 on failure. */
834 static int
836 {
841 }
848 }
849 }
851 /** Apply the ed diff, starting at <b>diff_starting_line</b>, to the consensus
852 * and return a new consensus, also as a line-based smartlist. Will return
853 * NULL if the ed diff is not properly formatted.
854 *
855 * All cdline_t objects in the resulting object are references to lines
856 * in one of the inputs; nothing is copied.
857 */
858 STATIC smartlist_t *
861 {
874 }
875 /* Copy the line to make it nul-terminated. */
886 }
888 /* Two-item range */
899 }
900 /* Incoherent range. */
905 }
907 /* We'll take <n1> as <n1>,<n1> for simplicity. */
909 }
915 }
921 }
927 }
940 }
942 /** $ is not allowed with non-d actions. */
947 }
949 /* 'a' commands are not allowed to have ranges. */
954 }
956 /* Add unchanged lines. */
960 }
962 /* Ignore removed lines. */
965 /* Skip line */
966 }
967 }
969 /* Add new lines in reverse order, since it will all be reversed at the
970 * end.
971 */
979 }
984 }
985 }
989 /* It would make no sense to add zero new lines. */
994 }
999 }
1000 }
1001 }
1003 /* Add remaining unchanged lines. */
1007 }
1009 /* Reverse the whole thing since we did it from the end. */
1013 error_cleanup:
1018 }
1020 /** Generate a consensus diff as a smartlist from two given consensuses, also
1021 * as smartlists. Will return NULL if the consensus diff could not be
1022 * generated. Neither of the two consensuses are modified in any way, so it's
1023 * up to the caller to free their resources.
1024 */
1025 smartlist_t *
1031 {
1033 /* ed diff could not be generated - reason already logged by gen_ed_diff. */
1036 }
1038 /* See that the script actually produces what we want. */
1041 /* LCOV_EXCL_START -- impossible if diff generation is correct */
1043 "the generated ed diff could not be tested to successfully generate "
1046 /* LCOV_EXCL_STOP */
1047 }
1056 }
1060 }
1063 /* LCOV_EXCL_START -- impossible if diff generation is correct. */
1065 "the generated ed diff did not generate the target consensus "
1068 /* LCOV_EXCL_STOP */
1069 }
1078 /* Create the resulting consensus diff. */
1090 error_cleanup:
1093 /* LCOV_EXCL_START -- ed_diff is NULL except in unreachable cases above */
1095 /* LCOV_EXCL_STOP */
1096 }
1099 }
1101 /** Fetch the digest of the base consensus in the consensus diff, encoded in
1102 * base16 as found in the diff itself. digest1_out and digest2_out must be of
1103 * length DIGEST256_LEN or larger if not NULL.
1104 */
1105 int
1109 {
1117 }
1119 /* Check that it's the format and version we know. */
1124 }
1126 /* Grab the base16 digests. */
1128 {
1133 }
1135 /* There have to be three words, the first of which must be hash_token. */
1141 }
1143 /* Expected hashes as found in the consensus diff header. They must be of
1144 * length HEX_DIGEST256_LEN, normally 64 hexadecimal characters.
1145 * If any of the decodings fail, error to make sure that the hashes are
1146 * proper base16-encoded digests.
1147 */
1155 }
1164 }
1168 }
1171 }
1177 error_cleanup:
1182 }
1184 }
1186 /** Apply the consensus diff to the given consensus and return a new
1187 * consensus, also as a line-based smartlist. Will return NULL if the diff
1188 * could not be applied. Neither the consensus nor the diff are modified in
1189 * any way, so it's up to the caller to free their resources.
1190 */
1195 {
1203 }
1205 /* See that the consensus that was given to us matches its hash. */
1211 "the base consensus doesn't match the digest as found in "
1220 }
1222 /* Grab the ed diff and calculate the resulting consensus. */
1223 /* Skip the first two lines. */
1226 /* ed diff could not be applied - reason already logged by apply_ed_diff. */
1229 }
1233 consensus_digest_t cons2_digests;
1236 /* LCOV_EXCL_START -- digest can't fail */
1240 /* LCOV_EXCL_STOP */
1241 }
1243 /* See that the resulting consensus matches its hash. */
1247 "the resulting consensus doesn't match the digest as found in "
1258 }
1262 error_cleanup:
1265 done:
1268 }
1271 }
1273 /** Any consensus line longer than this means that the input is invalid. */
1274 #define CONSENSUS_LINE_MAX_LEN (1<<20)
1276 /**
1277 * Helper: For every NL-terminated line in <b>s</b>, add a cdline referring to
1278 * that line (without trailing newline) to <b>out</b>. Return -1 if there are
1279 * any non-NL terminated lines; 0 otherwise.
1280 *
1281 * Unlike tor_split_lines, this function avoids ambiguity on its
1282 * handling of a final line that isn't NL-terminated.
1283 *
1284 * All cdline_t objects are allocated in the provided memarea. Strings
1285 * are not copied: if <b>s</b> changes or becomes invalid, then all
1286 * generated cdlines will become invalid.
1287 */
1288 STATIC int
1292 {
1298 /* File doesn't end with newline. */
1300 }
1302 /* Line is far too long. */
1304 }
1310 }
1312 }
1314 /** Given a list of cdline_t, return a newly allocated string containing
1315 * all of the lines, terminated with NL, concatenated.
1316 *
1317 * Unlike smartlist_join_strings(), avoids lossy operations on empty
1318 * lists. */
1321 {
1335 }
1337 /** Given two consensus documents, try to compute a diff between them. On
1338 * success, return a newly allocated string containing that diff. On failure,
1339 * return NULL. */
1343 {
1364 done:
1368 }
1375 }
1377 /** Given a consensus document and a diff, try to apply the diff to the
1378 * consensus. On success return a newly allocated string containing the new
1379 * consensus. On failure, return NULL. */
1385 {
1386 consensus_digest_t d1;
1405 done:
1411 }
1413 /** Return true iff, based on its header, <b>document</b> is likely
1414 * to be a consensus diff. */
1415 int
1417 {
1420 }