aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--crypto.c4
-rw-r--r--service_provider.c72
-rw-r--r--trusted_module.c8
3 files changed, 43 insertions, 41 deletions
diff --git a/crypto.c b/crypto.c
index 10576a0..5752913 100644
--- a/crypto.c
+++ b/crypto.c
@@ -242,7 +242,9 @@ void restore_nodes(hash_t *nodes, const int *indices, const hash_t *values, int
/* Update mt_nodes to reflect a change to a leaf node's
* value. Optionally, if old_dep is not NULL, *old_dep will be made to
* point to an array of length mt_logleaves that contains the old node
- * values (whose indices are returned by bintree_ancestors()). */
+ * values (whose indices are returned by bintree_ancestors()). NOTE:
+ * this function will NOT set the corresponding IOMT leaf; use
+ * iomt_update_by_leafidx for that. */
void merkle_update(struct iomt *tree, uint64_t leafidx, hash_t newval, hash_t **old_dep)
{
if(old_dep)
diff --git a/service_provider.c b/service_provider.c
index a895e98..d55ae49 100644
--- a/service_provider.c
+++ b/service_provider.c
@@ -12,6 +12,7 @@
#include "test.h"
#include "trusted_module.h"
+/* arbitrary */
#define ACL_LOGLEAVES 4
struct file_version {
@@ -89,53 +90,63 @@ struct tm_cert cert_eq(struct service_provider *sp,
hash_t h_ins = hash_node(&insert);
- int *orders_enc, *orders_ins;
- int *compidx_enc = bintree_complement(encloser_leafidx, sp->iomt->mt_logleaves, &orders_enc);
- int *compidx_ins = bintree_complement(placeholder_leafidx, sp->iomt->mt_logleaves, &orders_ins);
-
- hash_t *comp_enc = lookup_nodes(sp->iomt->mt_nodes, compidx_enc, sp->iomt->mt_logleaves);
+ int *enc_orders;
+ hash_t *enc_comp = merkle_complement(sp->iomt, encloser_leafidx, &enc_orders);
/* we need two NU certificates */
hash_t nu1_hmac, nu2_hmac;
struct tm_cert nu1 = tm_cert_node_update(sp->tm,
h_enc, h_encmod,
- comp_enc, orders_enc, sp->iomt->mt_logleaves,
+ enc_comp, enc_orders, sp->iomt->mt_logleaves,
&nu1_hmac);
/* We now update the ancestors of the encloser node. */
hash_t *old_depvalues;
merkle_update(sp->iomt, encloser_leafidx, h_encmod, &old_depvalues);
- hash_t *comp_ins = lookup_nodes(sp->iomt->mt_nodes, compidx_ins, sp->iomt->mt_logleaves);
+ int *ins_orders;
+ hash_t *ins_comp = merkle_complement(sp->iomt, placeholder_leafidx, &ins_orders);
struct tm_cert nu2 = tm_cert_node_update(sp->tm,
hash_null, h_ins,
- comp_ins, orders_ins, sp->iomt->mt_logleaves,
+ ins_comp, ins_orders, sp->iomt->mt_logleaves,
&nu2_hmac);
/* restore the tree */
int *dep_indices = bintree_ancestors(encloser_leafidx, sp->iomt->mt_logleaves);
restore_nodes(sp->iomt->mt_nodes, dep_indices, old_depvalues, sp->iomt->mt_logleaves);
+
free(dep_indices);
free(old_depvalues);
- free(compidx_enc);
- free(compidx_ins);
- free(comp_enc);
- free(comp_ins);
- free(orders_enc);
- free(orders_ins);
+ free(enc_comp);
+ free(ins_comp);
+ free(enc_orders);
+ free(ins_orders);
return tm_cert_equiv(sp->tm, &nu1, nu1_hmac, &nu2, nu2_hmac, encloser, placeholder_nodeidx, hmac_out);
}
+#if 0
+void *db_init(const char *filename)
+{
+ sqlite3 *db;
+ if(sqlite3_open(filename, &db) != SQLITE_OK)
+ return null;
+
+ return db;
+}
+#endif
+
/* leaf count will be 2^logleaves */
struct service_provider *sp_new(const void *key, size_t keylen, int logleaves)
{
assert(logleaves > 0);
struct service_provider *sp = calloc(1, sizeof(*sp));
+ //sp->db = db_init("csaa.db");
+
sp->tm = tm_new(key, keylen);
sp->iomt = iomt_new(logleaves);
@@ -145,8 +156,9 @@ struct service_provider *sp_new(const void *key, size_t keylen, int logleaves)
* insert our desired number of nodes by using EQ certificates to
* update the internal IOMT root. Note that leaf indices are
* 1-indexed. */
- sp->iomt->mt_leaves[0] = (struct iomt_node) { 1, 1, hash_null };
- merkle_update(sp->iomt, 0, hash_node(sp->iomt->mt_leaves + 0), NULL);
+ iomt_update_by_leafidx(sp->iomt,
+ 0,
+ 1, 1, hash_null);
for(int i = 1; i < sp->iomt->mt_leafcount; ++i)
{
@@ -213,10 +225,9 @@ static struct file_record *lookup_record(struct service_provider *sp, int idx)
}
/* Should we insert sorted (for O(logn) lookup), or just at the end to
- * avoid copying (O(n) lookup, O(1) insertion)? Probably better to use a hash
- * table. */
-/* We do not check to ensure that there are no duplicate file indices;
- * this is up to the caller */
+ * avoid copying (O(n) lookup, O(1) insertion)? Eventually this will
+ * be replaced with a SQL backend. We do not check to ensure that
+ * there are no duplicate file indices; that is up to the caller. */
static void append_record(struct service_provider *sp, const struct file_record *rec)
{
sp->records = realloc(sp->records, sizeof(struct file_record) * ++sp->nrecords);
@@ -245,8 +256,7 @@ static void append_version(struct file_record *rec, const struct file_version *v
*
* If the request is to either modify the ACL or create a file (which
* is essentially an ACL update), the ACL will be set to
- * new_acl. `new_acl' must be in persistent storage.
- */
+ * new_acl. `new_acl' must be in persistent storage. */
struct tm_cert sp_request(struct service_provider *sp,
const struct user_request *req, hash_t req_hmac,
hash_t *hmac_out,
@@ -298,8 +308,6 @@ struct tm_cert sp_request(struct service_provider *sp,
struct file_version ver;
memset(&ver, 0, sizeof(ver));
- hash_t gamma = sha256(encrypted_contents, contents_len);
-
if(!is_zero(encrypted_secret) && !is_zero(kf))
{
/* File is encrypted */
@@ -348,9 +356,7 @@ struct tm_cert sp_request(struct service_provider *sp,
}
/* update our tree */
- sp->iomt->mt_leaves[req->idx - 1].val = u64_to_hash(fr.fr.counter);
-
- merkle_update(sp->iomt, req->idx - 1, hash_node(sp->iomt->mt_leaves + req->idx - 1), NULL);
+ iomt_update(sp->iomt, req->idx, u64_to_hash(fr.fr.counter));
}
/* return values to caller */
@@ -385,14 +391,13 @@ struct user_request sp_createfile(struct service_provider *sp,
return req_null;
}
- int *file_compidx, *file_orders;
- file_compidx = bintree_complement(i, sp->iomt->mt_logleaves, &file_orders);
-
- hash_t *file_comp = lookup_nodes(sp->iomt->mt_nodes, file_compidx, sp->iomt->mt_logleaves);
+ int *file_orders;
+ hash_t *file_comp = merkle_complement(sp->iomt, i, &file_orders);
struct iomt *acl = iomt_new(ACL_LOGLEAVES);
- acl->mt_leaves[0] = (struct iomt_node) { user_id, user_id, u64_to_hash(3) };
- merkle_update(acl, 0, hash_node(acl->mt_leaves + 0), NULL);
+ iomt_update_by_leafidx(acl,
+ 0,
+ user_id, user_id, u64_to_hash(3));
struct user_request req = req_filecreate(sp->tm,
i + 1,
@@ -414,7 +419,6 @@ struct user_request sp_createfile(struct service_provider *sp,
iomt_free(acl);
- free(file_compidx);
free(file_comp);
free(file_orders);
diff --git a/trusted_module.c b/trusted_module.c
index e0d84ce..7ebd716 100644
--- a/trusted_module.c
+++ b/trusted_module.c
@@ -281,7 +281,7 @@ struct tm_cert tm_cert_record_verify(const struct trusted_module *tm,
{
if(encloses(node->idx, node->next_idx, b))
{
- memset(nonexist, 0, sizeof(*nonexist));
+ *nonexist = cert_null;
nonexist->type = RV;
nonexist->rv.idx = b;
@@ -299,8 +299,6 @@ struct tm_cert tm_cert_record_verify(const struct trusted_module *tm,
/* verify that this node is a child of y */
struct tm_cert cert = cert_null;
- memset(&cert, 0, sizeof(cert));
-
cert.type = RV;
cert.rv.root = nu->nu.orig_root;
cert.rv.idx = node->idx;
@@ -348,7 +346,6 @@ struct tm_cert tm_cert_record_update(const struct trusted_module *tm,
}
struct tm_cert cert = cert_null;
- memset(&cert, 0, sizeof(cert));
cert.type = RU;
cert.ru.idx = node->idx;
@@ -389,7 +386,7 @@ bool tm_set_equiv_root(struct trusted_module *tm,
}
/* user id is 1-indexed */
-hash_t req_sign(const struct trusted_module *tm, const struct user_request *req, int id)
+static hash_t req_sign(const struct trusted_module *tm, const struct user_request *req, int id)
{
return hmac_sha256(req, sizeof(*req), tm->user_keys[id - 1].key, tm->user_keys[id - 1].len);
}
@@ -959,7 +956,6 @@ struct version_info tm_verify_file(const struct trusted_module *tm,
/* self-test */
void tm_test(void)
{
-
{
/* check NU certificate generation */
struct trusted_module *tm = tm_new("a", 1);