| blob | b3f62a8fd806be956c1919b45084104a0fa10702 |
1 /* Copyright (c) 2016-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file shared_random.c
6 *
7 * \brief Functions and data structure needed to accomplish the shared
8 * random protocol as defined in proposal #250.
9 *
10 * \details
11 *
12 * This file implements the dirauth-only commit-and-reveal protocol specified
13 * by proposal #250. The protocol has two phases (sr_phase_t): the commitment
14 * phase and the reveal phase (see get_sr_protocol_phase()).
15 *
16 * During the protocol, directory authorities keep state in memory (using
17 * sr_state_t) and in disk (using sr_disk_state_t). The synchronization between
18 * these two data structures happens in disk_state_update() and
19 * disk_state_parse().
20 *
21 * Here is a rough protocol outline:
22 *
23 * 1) In the beginning of the commitment phase, dirauths generate a
24 * commitment/reveal value for the current protocol run (see
25 * new_protocol_run() and sr_generate_our_commit()).
26 *
27 * 2) During voting, dirauths publish their commits in their votes
28 * depending on the current phase. Dirauths also include the two
29 * latest shared random values (SRV) in their votes.
30 * (see sr_get_string_for_vote())
31 *
32 * 3) Upon receiving a commit from a vote, authorities parse it, verify
33 * it, and attempt to save any new commitment or reveal information in
34 * their state file (see extract_shared_random_commits() and
35 * sr_handle_received_commits()). They also parse SRVs from votes to
36 * decide which SRV should be included in the final consensus (see
37 * extract_shared_random_srvs()).
38 *
39 * 3) After voting is done, we count the SRVs we extracted from the votes,
40 * to find the one voted by the majority of dirauths which should be
41 * included in the final consensus (see get_majority_srv_from_votes()).
42 * If an appropriate SRV is found, it is embedded in the consensus (see
43 * sr_get_string_for_consensus()).
44 *
45 * 4) At the end of the reveal phase, dirauths compute a fresh SRV for the
46 * day using the active commits (see sr_compute_srv()). This new SRV
47 * is embedded in the votes as described above.
48 *
49 * Some more notes:
50 *
51 * - To support rebooting authorities and to avoid double voting, each dirauth
52 * saves the current state of the protocol on disk so that it can resume
53 * normally in case of reboot. The disk state (sr_disk_state_t) is managed by
54 * shared_random_state.c:state_query() and we go to extra lengths to ensure
55 * that the state is flushed on disk everytime we receive any useful
56 * information like commits or SRVs.
57 *
58 * - When we receive a commit from a vote, we examine it to see if it's useful
59 * to us and whether it's appropriate to receive it according to the current
60 * phase of the protocol (see should_keep_commit()). If the commit is useful
61 * to us, we save it in our disk state using save_commit_to_state(). When we
62 * receive the reveal information corresponding to a commitment, we verify
63 * that they indeed match using verify_commit_and_reveal().
64 *
65 * - We treat consensuses as the ground truth, so everytime we generate a new
66 * consensus we update our SR state accordingly even if our local view was
67 * different (see sr_act_post_consensus()).
68 *
69 * - After a consensus has been composed, the SR protocol state gets prepared
70 * for the next voting session using sr_state_update(). That function takes
71 * care of housekeeping and also rotates the SRVs and commits in case a new
72 * protocol run is coming up. We also call sr_state_update() on bootup (in
73 * sr_state_init()), to prepare the state for the very first voting session.
74 *
75 * Terminology:
76 *
77 * - "Commitment" is the commitment value of the commit-and-reveal protocol.
78 *
79 * - "Reveal" is the reveal value of the commit-and-reveal protocol.
80 *
81 * - "Commit" is a struct (sr_commit_t) that contains a commitment value and
82 * optionally also a corresponding reveal value.
83 *
84 * - "SRV" is the Shared Random Value that gets generated as the result of the
85 * commit-and-reveal protocol.
86 **/
88 #define SHARED_RANDOM_PRIVATE
102 /* String prefix of shared random values in votes/consensuses. */
108 /* The value of the consensus param AuthDirNumSRVAgreements found in the
109 * vote. This is set once the consensus creation subsystem requests the
110 * SRV(s) that should be put in the consensus. We use this value to decide
111 * if we keep or not an SRV. */
114 /* Return a heap allocated copy of the SRV <b>orig</b>. */
115 STATIC sr_srv_t *
117 {
122 }
128 }
130 /* Allocate a new commit object and initializing it with <b>rsa_identity</b>
131 * that MUST be provided. The digest algorithm is set to the default one
132 * that is supported. The rest is uninitialized. This never returns NULL. */
135 {
146 }
148 /* Issue a log message describing <b>commit</b>. */
149 static void
151 {
159 }
161 /* Make sure that the commitment and reveal information in <b>commit</b>
162 * match. If they match return 0, return -1 otherwise. This function MUST be
163 * used everytime we receive a new reveal value. Furthermore, the commit
164 * object MUST have a reveal value and the hash of the reveal value. */
165 STATIC int
167 {
173 /* Check that the timestamps match. */
179 }
181 /* Verify that the hashed_reveal received in the COMMIT message, matches
182 * the reveal we just received. */
183 {
184 /* We first hash the reveal we just received. */
187 /* Only sha3-256 is supported. */
190 }
192 /* Use the invariant length since the encoded reveal variable has an
193 * extra byte for the NUL terminated byte. */
196 /* Unable to digest the reveal blob, this is unlikely. */
198 }
200 /* Now compare that with the hashed_reveal we received in COMMIT. */
207 }
208 }
211 invalid:
213 }
215 /* Return true iff the commit contains an encoded reveal value. */
216 STATIC int
218 {
221 }
223 /* Parse the encoded commit. The format is:
224 * base64-encode( TIMESTAMP || H(REVEAL) )
225 *
226 * If successfully decoded and parsed, commit is updated and 0 is returned.
227 * On error, return -1. */
228 STATIC int
230 {
239 /* This means that if we base64 decode successfully the reveiced commit,
240 * we'll end up with a bigger decoded commit thus unusable. */
242 }
244 /* Decode our encoded commit. Let's be careful here since _encoded_ is
245 * coming from the network in a dirauth vote so we expect nothing more
246 * than the base64 encoded length of a commit. */
253 }
261 }
263 /* First is the timestamp (8 bytes). */
266 /* Next is hashed reveal. */
269 /* Copy the base64 blob to the commit. Useful for voting. */
274 error:
276 }
278 /* Parse the b64 blob at <b>encoded</b> containing reveal information and
279 * store the information in-place in <b>commit</b>. Return 0 on success else
280 * a negative value. */
281 STATIC int
283 {
291 /* This means that if we base64 decode successfully the received reveal
292 * value, we'll end up with a bigger decoded value thus unusable. */
294 }
296 /* Decode our encoded reveal. Let's be careful here since _encoded_ is
297 * coming from the network in a dirauth vote so we expect nothing more
298 * than the base64 encoded length of our reveal. */
305 }
313 }
316 /* Copy the last part, the random value. */
319 /* Also copy the whole message to use during verification */
324 error:
326 }
328 /* Encode a reveal element using a given commit object to dst which is a
329 * buffer large enough to put the base64-encoded reveal construction. The
330 * format is as follow:
331 * REVEAL = base64-encode( TIMESTAMP || H(RN) )
332 * Return base64 encoded length on success else a negative value.
333 */
334 STATIC int
336 {
349 /* Let's clean the buffer and then b64 encode it. */
352 /* Wipe this buffer because it contains our random value. */
355 }
357 /* Encode the given commit object to dst which is a buffer large enough to
358 * put the base64-encoded commit. The format is as follow:
359 * COMMIT = base64-encode( TIMESTAMP || H(H(RN)) )
360 * Return base64 encoded length on success else a negative value.
361 */
362 STATIC int
364 {
371 /* First is the timestamp (8 bytes). */
374 /* and then the hashed reveal. */
378 /* Clean the buffer and then b64 encode it. */
381 }
383 /* Cleanup both our global state and disk state. */
384 static void
386 {
388 }
390 /* Using <b>commit</b>, return a newly allocated string containing the commit
391 * information that should be used during SRV calculation. It's the caller
392 * responsibility to free the memory. Return NULL if this is not a commit to be
393 * used for SRV calculation. */
396 {
402 }
407 }
409 /* Return a srv object that is built with the construction:
410 * SRV = SHA3-256("shared-random" | INT_8(reveal_num) |
411 * INT_4(version) | HASHED_REVEALS | previous_SRV)
412 * This function cannot fail. */
416 {
423 /* Add the invariant token. */
434 }
436 /* Ok we have our message and key for the HMAC computation, allocate our
437 * srv object and do the last step. */
442 {
443 /* Debugging. */
447 }
449 }
451 /* Compare reveal values and return the result. This should exclusively be
452 * used by smartlist_sort(). */
453 static int
455 {
459 }
461 /* Given <b>commit</b> give the line that we should place in our votes.
462 * It's the responsibility of the caller to free the string. */
465 {
471 commit_ns_str,
472 SR_PROTO_VERSION,
478 {
479 /* Send a reveal value for this commit if we have one. */
484 }
486 commit_ns_str,
487 SR_PROTO_VERSION,
492 }
495 }
499 }
501 /* Convert a given srv object to a string for the control port. This doesn't
502 * fail and the srv object MUST be valid. */
505 {
513 }
515 /* Return a heap allocated string that contains the given <b>srv</b> string
516 * representation formatted for a networkstatus document using the
517 * <b>key</b> as the start of the line. This doesn't return NULL. */
520 {
531 }
533 /* Given the previous SRV and the current SRV, return a heap allocated
534 * string with their data that could be put in a vote or a consensus. Caller
535 * must free the returned string. Return NULL if no SRVs were provided. */
538 {
544 }
551 }
556 }
558 /* Join the line(s) here in one string to return. */
564 }
566 /* Return 1 iff the two commits have the same commitment values. This
567 * function does not care about reveal values. */
568 STATIC int
571 {
577 }
579 }
581 /* We just received a commit from the vote of authority with
582 * <b>identity_digest</b>. Return 1 if this commit is authorititative that
583 * is, it belongs to the authority that voted it. Else return 0 if not. */
584 STATIC int
587 {
593 }
595 /* Decide if the newly received <b>commit</b> should be kept depending on
596 * the current phase and state of the protocol. The <b>voter_key</b> is the
597 * RSA identity key fingerprint of the authority's vote from which the
598 * commit comes from. The <b>phase</b> is the phase we should be validating
599 * the commit for. Return 1 if the commit should be added to our state or 0
600 * if not. */
601 STATIC int
603 sr_phase_t phase)
604 {
614 /* For a commit to be considered, it needs to be authoritative (it should
615 * be the voter's own commit). */
619 }
621 /* Let's make sure, for extra safety, that this fingerprint is known to
622 * us. Even though this comes from a vote, doesn't hurt to be
623 * extracareful. */
629 }
631 /* Check if the authority that voted for <b>commit</b> has already posted
632 * a commit before. */
637 /* Already having a commit for an authority so ignore this one. */
639 /* Receiving known commits should happen naturally since commit phase
640 lasts multiple rounds. However if the commitment value changes
641 during commit phase, it might be a bug so log more loudly. */
648 }
650 }
652 /* A commit with a reveal value during commitment phase is very wrong. */
659 }
662 /* We are now in reveal phase. We keep a commit if and only if:
663 *
664 * - We have already seen a commit by this auth, AND
665 * - the saved commit has the same commitment value as this one, AND
666 * - the saved commit has no reveal information, AND
667 * - this commit does have reveal information, AND
668 * - the reveal & commit information are matching.
669 *
670 * If all the above are true, then we are interested in this new commit
671 * for its reveal information. */
676 }
684 }
689 }
694 }
702 }
706 }
710 ignore:
712 }
714 /* We are in reveal phase and we found a valid and verified <b>commit</b> in
715 * a vote that contains reveal values that we could use. Update the commit
716 * we have in our state. Never call this with an unverified commit. */
717 STATIC void
719 {
724 /* Get the commit from our state. */
727 /* Safety net. They can not be different commitments at this point. */
731 /* Copy reveal information to our saved commit. */
733 }
735 /* Save <b>commit</b> to our persistent state. Depending on the current
736 * phase, different actions are taken. Steals reference of <b>commit</b>.
737 * The commit object MUST be valid and verified before adding it to the
738 * state. */
739 STATIC void
741 {
748 /* During commit phase, just save any new authoritative commit */
757 }
758 }
760 /* Return 1 if we should we keep an SRV voted by <b>n_agreements</b> auths.
761 * Return 0 if we should ignore it. */
762 static int
764 {
765 /* Check if the most popular SRV has reached majority. */
769 /* We need at the very least majority to keep a value. */
774 }
776 /* When we just computed a new SRV, we need to have super majority in order
777 * to keep it. */
779 /* Check if we have super majority for this new SRV value. */
784 }
785 }
788 }
790 /* Helper: compare two DIGEST256_LEN digests. */
791 static int
793 {
796 }
798 /* Return the most frequent member of the sorted list of DIGEST256_LEN
799 * digests in <b>sl</b> with the count of that most frequent element. */
802 {
804 }
806 /** Compare two SRVs. Used in smartlist sorting. */
807 static int
809 {
813 }
815 /* Using a list of <b>votes</b>, return the SRV object from them that has
816 * been voted by the majority of dirauths. If <b>current</b> is set, we look
817 * for the current SRV value else the previous one. The returned pointer is
818 * an object located inside a vote. NULL is returned if no appropriate value
819 * could be found. */
820 STATIC sr_srv_t *
822 {
832 /* Walk over votes and register any SRVs found. */
837 /* Ignore vote that do not participate. */
839 }
840 /* Do we want previous or current SRV? */
844 }
853 }
855 /* Was this SRV voted by enough auths for us to keep it? */
858 }
860 /* We found an SRV that we can use! Habemus SRV! */
863 {
864 /* Debugging */
868 count);
869 }
871 end:
872 /* We do not free any sr_srv_t values, we don't have the ownership. */
875 }
877 /* Encode the given shared random value and put it in dst. Destination
878 * buffer must be at least SR_SRV_VALUE_BASE64_LEN plus the NULL byte. */
879 void
881 {
883 /* Extra byte for the NULL terminated char. */
892 /* Always expect the full length without the NULL byte. */
896 }
898 /* Free a commit object. */
899 void
901 {
904 }
905 /* Make sure we do not leave OUR random number in memory. */
908 }
910 /* Generate the commitment/reveal value for the protocol run starting at
911 * <b>timestamp</b>. <b>my_rsa_cert</b> is our authority RSA certificate. */
912 sr_commit_t *
914 {
920 /* Get our RSA identity fingerprint */
923 }
925 /* New commit with our identity key. */
928 /* Generate the reveal random value */
933 /* Now get the base64 blob that corresponds to our reveal */
938 }
940 /* Now let's create the commitment */
942 /* The invariant length is used here since the encoded reveal variable
943 * has an extra byte added for the NULL terminated byte. */
947 }
949 /* Now get the base64 blob that corresponds to our commit. */
954 }
958 /* Our commit better be valid :). */
962 error:
965 }
967 /* Compute the shared random value based on the active commits in our state. */
968 void
970 {
976 /* Computing a shared random value in the commit phase is very wrong. This
977 * should only happen at the very end of the reveal phase when a new
978 * protocol run is about to start. */
985 /* We must make a list of commit ordered by authority fingerprint in
986 * ascending order as specified by proposal 250. */
988 /* Extra safety net, make sure we have valid commit before using it. */
990 /* Let's not use a commit from an authority that we don't know. It's
991 * possible that an authority could be removed during a protocol run so
992 * that commit value should never be used in the SRV computation. */
998 }
999 /* We consider this commit valid. */
1004 /* Now for each commit for that sorted list in ascending order, we'll
1005 * build the element for each authority that needs to go into the srv
1006 * computation. */
1011 reveal_num++;
1012 }
1016 {
1017 /* Join all reveal values into one giant string that we'll hash so we
1018 * can generated our shared random value. */
1027 }
1031 /* We have a fresh SRV, flag our state. */
1033 }
1035 end:
1037 }
1039 /* Parse a list of arguments from a SRV value either from a vote, consensus
1040 * or from our disk state and return a newly allocated srv object. NULL is
1041 * returned on error.
1042 *
1043 * The arguments' order:
1044 * num_reveals, value
1045 */
1046 sr_srv_t *
1048 {
1058 }
1060 /* First argument is the number of reveal values */
1065 }
1066 /* Second and last argument is the shared random value it self. */
1070 }
1074 /* We substract one byte from the srclen because the function ignores the
1075 * '=' character in the given buffer. This is broken but it's a documented
1076 * behavior of the implementation. */
1083 }
1084 end:
1086 }
1088 /* Parse a commit from a vote or from our disk state and return a newly
1089 * allocated commit object. NULL is returned on error.
1090 *
1091 * The commit's data is in <b>args</b> and the order matters very much:
1092 * version, algname, RSA fingerprint, commit value[, reveal value]
1093 */
1094 sr_commit_t *
1096 {
1099 digest_algorithm_t alg;
1105 }
1107 /* First is the version number of the SR protocol which indicates at which
1108 * version that commit was created. */
1115 }
1117 /* Second is the algorithm. */
1124 }
1126 /* Third argument is the RSA fingerprint of the auth and turn it into a
1127 * digest value. */
1134 }
1136 /* Allocate commit since we have a valid identity now. */
1139 /* Fourth argument is the commitment value base64-encoded. */
1143 }
1145 /* (Optional) Fifth argument is the revealed value. */
1150 }
1151 }
1155 error:
1158 }
1160 /* Called when we are done parsing a vote by <b>voter_key</b> that might
1161 * contain some useful <b>commits</b>. Find if any of them should be kept
1162 * and update our state accordingly. Once done, the list of commitments will
1163 * be empty. */
1164 void
1166 {
1171 /* It's possible that the vote has _NO_ commits. */
1174 }
1176 /* Get the RSA identity fingerprint of this voter */
1179 }
1182 /* We won't need the commit in this list anymore, kept or not. */
1184 /* Check if this commit is valid and should be stored in our state. */
1189 }
1190 /* Ok, we have a valid commit now that we are about to put in our state.
1191 * so flag it valid from now on. */
1193 /* Everything lines up: save this commit to state then! */
1196 }
1198 /* Return a heap-allocated string containing commits that should be put in
1199 * the votes. It's the responsibility of the caller to free the string.
1200 * This always return a valid string, either empty or with line(s). */
1203 {
1209 /* Are we participating in the protocol? */
1212 }
1216 /* First line, put in the vote the participation flag. */
1217 {
1221 }
1223 /* In our vote we include every commitment in our permanent state. */
1231 /* Sort the commit strings by version (string, not numeric), algorithm,
1232 * and fingerprint. This makes sure the commit lines in votes are in a
1233 * recognisable, stable order. */
1236 /* Now add the sorted list of commits to the vote */
1240 /* Add the SRV value(s) if any. */
1241 {
1246 }
1247 }
1249 end:
1254 }
1256 /* Return a heap-allocated string that should be put in the consensus and
1257 * contains the shared randomness values. It's the responsibility of the
1258 * caller to free the string. NULL is returned if no SRV(s) available.
1259 *
1260 * This is called when a consensus (any flavor) is bring created thus it
1261 * should NEVER change the state nor the state should be changed in between
1262 * consensus creation.
1263 *
1264 * <b>num_srv_agreements</b> is taken from the votes thus the voted value
1265 * that should be used.
1266 * */
1270 {
1276 /* Not participating, avoid returning anything. */
1281 }
1283 /* Set the global value of AuthDirNumSRVAgreements found in the votes. */
1286 /* Check the votes and figure out if SRVs should be included in the final
1287 * consensus. */
1293 }
1296 end:
1298 }
1300 /* We just computed a new <b>consensus</b>. Update our state with the SRVs
1301 * from the consensus (might be NULL as well). Register the SRVs in our SR
1302 * state and prepare for the upcoming protocol round. */
1303 void
1305 {
1308 /* Don't act if our state hasn't been initialized. We can be called during
1309 * boot time when loading consensus from disk which is prior to the
1310 * initialization of the SR subsystem. We also should not be doing
1311 * anything if we are _not_ a directory authority and if we are a bridge
1312 * authority. */
1316 }
1318 /* Set the majority voted SRVs in our state even if both are NULL. It
1319 * doesn't matter this is what the majority has decided. Obviously, we can
1320 * only do that if we have a consensus. */
1322 /* Start by freeing the current SRVs since the SRVs we believed during
1323 * voting do not really matter. Now that all the votes are in, we use the
1324 * majority's opinion on which are the active SRVs. */
1326 /* Reset the fresh flag of the SRV so we know that from now on we don't
1327 * have a new SRV to vote for. We just used the one from the consensus
1328 * decided by the majority. */
1330 /* Set the SR values from the given consensus. */
1333 }
1335 /* Prepare our state so that it's ready for the next voting period. */
1337 }
1339 /* Initialize shared random subsystem. This MUST be called early in the boot
1340 * process of tor. Return 0 on success else -1 on error. */
1341 int
1343 {
1345 }
1347 /* Save our state to disk and cleanup everything. */
1348 void
1350 {
1353 }
1355 /* Return the current SRV string representation for the control port. Return a
1356 * newly allocated string on success containing the value else "" if not found
1357 * or if we don't have a valid consensus yet. */
1360 {
1367 }
1369 }
1371 /* Return the previous SRV string representation for the control port. Return
1372 * a newly allocated string on success containing the value else "" if not
1373 * found or if we don't have a valid consensus yet. */
1376 {
1383 }
1385 }
1387 /* Return current shared random value from the latest consensus. Caller can
1388 * NOT keep a reference to the returned pointer. Return NULL if none. */
1391 {
1394 /* Use provided ns else get a live one */
1399 }
1400 /* Ideally we would never be asked for an SRV without a live consensus. Make
1401 * sure this assumption is correct. */
1406 }
1408 }
1410 /* Return previous shared random value from the latest consensus. Caller can
1411 * NOT keep a reference to the returned pointer. Return NULL if none. */
1414 {
1417 /* Use provided ns else get a live one */
1422 }
1423 /* Ideally we would never be asked for an SRV without a live consensus. Make
1424 * sure this assumption is correct. */
1429 }
1431 }
1433 #ifdef TOR_UNIT_TESTS
1435 /* Set the global value of number of SRV agreements so the test can play
1436 * along by calling specific functions that don't parse the votes prior for
1437 * the AuthDirNumSRVAgreements value. */
1438 void
1440 {
1442 }