[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r17611: {tor} Implement the /tor/keys/fp-sk/ URL format. That mostly finis (in tor/trunk: . doc/spec doc/spec/proposals src/or)
Author: nickm
Date: 2008-12-12 14:05:36 -0500 (Fri, 12 Dec 2008)
New Revision: 17611
Modified:
tor/trunk/ChangeLog
tor/trunk/doc/spec/dir-spec.txt
tor/trunk/doc/spec/proposals/157-specific-cert-download.txt
tor/trunk/src/or/directory.c
tor/trunk/src/or/or.h
tor/trunk/src/or/test.c
Log:
Implement the /tor/keys/fp-sk/ URL format. That mostly finishes the server side of 157.
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2008-12-12 18:31:39 UTC (rev 17610)
+++ tor/trunk/ChangeLog 2008-12-12 19:05:36 UTC (rev 17611)
@@ -22,6 +22,8 @@
- Add cross-certification to newly generated certificates, so that
a signing key is enough information to use to look up a certificate.
Partial implementation of proposal 157.
+ - Start serving certificates by <identity digest, signing key digest>
+ pairs. Partial implementation of proposal 157.
o Minor features (controller):
- New CONSENSUS_ARRIVED event to note when a new consensus has
Modified: tor/trunk/doc/spec/dir-spec.txt
===================================================================
--- tor/trunk/doc/spec/dir-spec.txt 2008-12-12 18:31:39 UTC (rev 17610)
+++ tor/trunk/doc/spec/dir-spec.txt 2008-12-12 19:05:36 UTC (rev 17611)
@@ -1556,6 +1556,15 @@
available at:
http://<hostname>/tor/keys/sk/<F>.z
+ The key certificate whose identity key fingerprint is <F> and whose signing
+ key fingerprint is <S> should be available at:
+
+ http://<hostname>/tor/keys/fp-sk/<F>-<S>.z
+
+ (As usual, clients may request multiple certificates using:
+ http://<hostname>/tor/keys/fp-sk/<F1>-<S1>+<F2>-<S2>.z )
+ [The above fp-sk format was not supported before Tor 0.2.1.9-alpha.]
+
The most recent descriptor for a server whose identity key has a
fingerprint of <F> should be available at:
http://<hostname>/tor/server/fp/<F>.z
Modified: tor/trunk/doc/spec/proposals/157-specific-cert-download.txt
===================================================================
--- tor/trunk/doc/spec/proposals/157-specific-cert-download.txt 2008-12-12 18:31:39 UTC (rev 17610)
+++ tor/trunk/doc/spec/proposals/157-specific-cert-download.txt 2008-12-12 19:05:36 UTC (rev 17611)
@@ -15,8 +15,9 @@
Status:
- Cross-certification is implemented for new certificates, but not yet
- required.
+ As of 0.2.1.9-alpha:
+ Cross-certification is implemented for new certificates, but not yet
+ required. Directories support the tor/keys/fp-sk urls.
Overview:
Modified: tor/trunk/src/or/directory.c
===================================================================
--- tor/trunk/src/or/directory.c 2008-12-12 18:31:39 UTC (rev 17610)
+++ tor/trunk/src/or/directory.c 2008-12-12 19:05:36 UTC (rev 17611)
@@ -2780,6 +2780,17 @@
tor_free(d);
});
smartlist_free(fps);
+ } else if (!strcmpstart(url, "/tor/keys/fp-sk/")) {
+ smartlist_t *fp_sks = smartlist_create();
+ dir_split_resource_into_fingerprint_pairs(url+strlen("/tor/keys/fp-sk/"),
+ fp_sks);
+ SMARTLIST_FOREACH(fp_sks, fp_pair_t *, pair, {
+ authority_cert_t *c = authority_cert_get_by_digests(pair->first,
+ pair->second);
+ if (c) smartlist_add(certs, c);
+ tor_free(pair);
+ });
+ smartlist_free(fp_sks);
} else {
write_http_status_line(conn, 400, "Bad request");
goto keys_done;
@@ -3383,6 +3394,63 @@
* every 10 or 60 seconds (FOO_DESCRIPTOR_RETRY_INTERVAL) in main.c. */
}
+static int
+_compare_pairs(const void **a, const void **b)
+{
+ const fp_pair_t *fp1 = *a, *fp2 = *b;
+ int r;
+ if ((r = memcmp(fp1->first, fp2->first, DIGEST_LEN)))
+ return r;
+ else
+ return memcmp(fp1->second, fp2->second, DIGEST_LEN);
+}
+
+/** DOCDOC */
+int
+dir_split_resource_into_fingerprint_pairs(const char *res,
+ smartlist_t *pairs_out)
+{
+ smartlist_t *pairs_tmp = smartlist_create();
+ smartlist_t *pairs_result = smartlist_create();
+
+ smartlist_split_string(pairs_tmp, res, "+", 0, 0);
+ if (smartlist_len(pairs_tmp)) {
+ char *last = smartlist_get(pairs_tmp,smartlist_len(pairs_tmp)-1);
+ size_t last_len = strlen(last);
+ if (last_len > 2 && !strcmp(last+last_len-2, ".z")) {
+ last[last_len-2] = '\0';
+ }
+ }
+ SMARTLIST_FOREACH_BEGIN(pairs_tmp, char *, cp) {
+ if (strlen(cp) != HEX_DIGEST_LEN*2+1) {
+ log_info(LD_DIR,
+ "Skipping digest pair %s with non-standard length.", escaped(cp));
+ } else if (cp[HEX_DIGEST_LEN] != '-') {
+ log_info(LD_DIR,
+ "Skipping digest pair %s with missing dash.", escaped(cp));
+ } else {
+ fp_pair_t pair;
+ if (base16_decode(pair.first, DIGEST_LEN, cp, HEX_DIGEST_LEN)<0 ||
+ base16_decode(pair.second,
+ DIGEST_LEN, cp+HEX_DIGEST_LEN+1, HEX_DIGEST_LEN)<0) {
+ log_info(LD_DIR, "Skipping non-decodable digest pair %s", escaped(cp));
+ } else {
+ smartlist_add(pairs_result, tor_memdup(&pair, sizeof(pair)));
+ }
+ }
+ tor_free(cp);
+ } SMARTLIST_FOREACH_END(cp);
+ smartlist_free(pairs_tmp);
+
+ /* Uniq-and-sort */
+ smartlist_sort(pairs_result, _compare_pairs);
+ smartlist_uniq(pairs_result, _compare_pairs, _tor_free);
+
+ smartlist_add_all(pairs_out, pairs_result);
+ smartlist_free(pairs_result);
+ return 0;
+}
+
/** Given a directory <b>resource</b> request, containing zero
* or more strings separated by plus signs, followed optionally by ".z", store
* the strings, in order, into <b>fp_out</b>. If <b>compressed_out</b> is
Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h 2008-12-12 18:31:39 UTC (rev 17610)
+++ tor/trunk/src/or/or.h 2008-12-12 19:05:36 UTC (rev 17611)
@@ -3277,6 +3277,12 @@
int dir_split_resource_into_fingerprints(const char *resource,
smartlist_t *fp_out, int *compresseed_out,
int decode_hex, int sort_uniq);
+typedef struct {
+ char first[DIGEST_LEN];
+ char second[DIGEST_LEN];
+} fp_pair_t;
+int dir_split_resource_into_fingerprint_pairs(const char *res,
+ smartlist_t *pairs_out);
char *directory_dump_request_log(void);
void note_request(const char *key, size_t bytes);
int router_supports_extrainfo(const char *identity_digest, int is_authority);
Modified: tor/trunk/src/or/test.c
===================================================================
--- tor/trunk/src/or/test.c 2008-12-12 18:31:39 UTC (rev 17610)
+++ tor/trunk/src/or/test.c 2008-12-12 19:05:36 UTC (rev 17611)
@@ -2985,6 +2985,34 @@
tor_free(dir2); /* And more !*/
}
+static void
+test_dirutil(void)
+{
+ smartlist_t *sl = smartlist_create();
+ fp_pair_t *pair;
+
+ dir_split_resource_into_fingerprint_pairs(
+ /* Two pairs, out of order, with one duplicate. */
+ "73656372657420646174612E0000000000FFFFFF-"
+ "557365204145532d32353620696e73746561642e+"
+ "73656372657420646174612E0000000000FFFFFF-"
+ "557365204145532d32353620696e73746561642e+"
+ "48657861646563696d616c2069736e277420736f-"
+ "676f6f6420666f7220686964696e6720796f7572.z", sl);
+
+ test_eq(smartlist_len(sl), 2);
+ pair = smartlist_get(sl, 0);
+ test_memeq(pair->first, "Hexadecimal isn't so", DIGEST_LEN);
+ test_memeq(pair->second, "good for hiding your", DIGEST_LEN);
+ pair = smartlist_get(sl, 1);
+ test_memeq(pair->first, "secret data.\0\0\0\0\0\xff\xff\xff", DIGEST_LEN);
+ test_memeq(pair->second, "Use AES-256 instead.", DIGEST_LEN);
+
+ done:
+ SMARTLIST_FOREACH(sl, fp_pair_t *, pair, tor_free(pair));
+ smartlist_free(sl);
+}
+
extern const char AUTHORITY_CERT_1[];
extern const char AUTHORITY_SIGNKEY_1[];
extern const char AUTHORITY_CERT_2[];
@@ -4448,6 +4476,7 @@
SUBENT(util, order_functions),
ENT(onion_handshake),
ENT(dir_format),
+ ENT(dirutil),
ENT(v3_networkstatus),
ENT(policies),
ENT(rend_fns),