From 895d5fea41177e444c18f4fdc820fffa5f67d5bf Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Sat, 9 Dec 2023 17:08:45 +0100 Subject: Add drafty skeleton --- internal/manager/helpers.go | 52 +++++++++ internal/manager/manager.go | 94 +++++++++++++++ internal/merkle/TODO | 1 + internal/merkle/compact.go | 115 +++++++++++++++++++ internal/merkle/merkle.go | 271 ++++++++++++++++++++++++++++++++++++++++++++ internal/options/options.go | 97 ++++++++++++++++ 6 files changed, 630 insertions(+) create mode 100644 internal/manager/helpers.go create mode 100644 internal/manager/manager.go create mode 100644 internal/merkle/TODO create mode 100644 internal/merkle/compact.go create mode 100644 internal/merkle/merkle.go create mode 100644 internal/options/options.go (limited to 'internal') diff --git a/internal/manager/helpers.go b/internal/manager/helpers.go new file mode 100644 index 0000000..a9a2158 --- /dev/null +++ b/internal/manager/helpers.go @@ -0,0 +1,52 @@ +package manager + +import ( + "crypto/sha256" + "encoding/base64" + "fmt" + + ct "github.com/google/certificate-transparency-go" + "gitlab.torproject.org/rgdd/ct/pkg/metadata" + "rgdd.se/silent-ct/pkg/monitor" +) + +func selectLogs(m metadata.Metadata) []monitor.MessageLogConfig { + var logs []monitor.MessageLogConfig + for _, operator := range m.Operators { + for _, log := range operator.Logs { + if log.State == nil { + continue // ignore logs without a state (should not happen) + } + if log.State.Name == metadata.LogStatePending { + continue // log is not yet relevant + } + if log.State.Name == metadata.LogStateRetired { + continue // log is not expected to be reachable + } + if log.State.Name == metadata.LogStateRejected { + continue // log is not expected to be reachable + } + + // FIXME: remove me instead of hard coding Argon 2024 + id, _ := log.Key.ID() + got := fmt.Sprintf("%s", base64.StdEncoding.EncodeToString(id[:])) + want := "7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZs=" + if got != want { + continue + } + + logs = append(logs, monitor.MessageLogConfig{ + Metadata: log, + State: monitor.MonitorState{ + LogState: monitor.LogState{ct.SignedTreeHead{ + SHA256RootHash: [sha256.Size]byte{47, 66, 110, 15, 246, 154, 8, 100, 150, 140, 206, 208, 17, 57, 112, 116, 210, 3, 19, 55, 46, 63, 209, 12, 234, 130, 225, 124, 237, 2, 64, 228}, + TreeSize: 610650601, + Timestamp: 1702108968538, + }}, + NextIndex: 388452203, + }, + }) + } + } + return logs +} diff --git a/internal/manager/manager.go b/internal/manager/manager.go new file mode 100644 index 0000000..2210c9b --- /dev/null +++ b/internal/manager/manager.go @@ -0,0 +1,94 @@ +package manager + +import ( + "context" + "encoding/json" + "fmt" + "os" + "time" + + "gitlab.torproject.org/rgdd/ct/pkg/metadata" + "rgdd.se/silent-ct/pkg/monitor" + "rgdd.se/silent-ct/pkg/server" +) + +const ( + DefaultStateDir = "/home/rgdd/.local/share/silent-ct" // FIXME + DefaultMetadataRefreshInterval = 1 * time.Hour +) + +type Config struct { + StateDir string + Nodes server.Nodes + + MetadataRefreshInterval time.Duration +} + +type Manager struct { + Config +} + +func New(cfg Config) (Manager, error) { + if cfg.StateDir == "" { + cfg.StateDir = DefaultStateDir + } + if cfg.MetadataRefreshInterval == 0 { + cfg.MetadataRefreshInterval = DefaultMetadataRefreshInterval + } + return Manager{Config: cfg}, nil +} + +func (mgr *Manager) Run(ctx context.Context, + serverCh chan server.MessageNodeSubmission, + monitorCh chan monitor.MessageLogProgress, + configCh chan []monitor.MessageLogConfig, + errorCh chan error) error { + + md, err := mgr.metadataRead() + if err != nil { + return fmt.Errorf("read metadata: %v\n", err) + } + configCh <- selectLogs(md) + + ticker := time.NewTicker(mgr.MetadataRefreshInterval) + defer ticker.Stop() + + for { + select { + case <-ctx.Done(): + return nil + case <-ticker.C: + mu, err := mgr.metadataUpdate(ctx, md) + if err != nil { + continue + } + if mu.Version.Major <= md.Version.Major { + continue + } + md = mu + configCh <- selectLogs(md) + case ev := <-monitorCh: + fmt.Printf("DEBUG: received event from monitor with %d matches\n", len(ev.Matches)) + case ev := <-serverCh: + fmt.Printf("DEBUG: received event from server\n: %v", ev) + case err := <-errorCh: + fmt.Printf("DEBUG: received error: %v\n", err) + } + } +} + +func (mgr *Manager) metadataRead() (metadata.Metadata, error) { + b, err := os.ReadFile(mgr.StateDir + "/metadata.json") + if err != nil { + return metadata.Metadata{}, err + } + var md metadata.Metadata + if err := json.Unmarshal(b, &md); err != nil { + return metadata.Metadata{}, err + } + return md, nil +} + +func (mgr *Manager) metadataUpdate(ctx context.Context, old metadata.Metadata) (metadata.Metadata, error) { + return metadata.Metadata{}, fmt.Errorf("TODO: update metadata") +} diff --git a/internal/merkle/TODO b/internal/merkle/TODO new file mode 100644 index 0000000..46cc0cb --- /dev/null +++ b/internal/merkle/TODO @@ -0,0 +1 @@ +Drop this package, fix the minor edit in upstream. diff --git a/internal/merkle/compact.go b/internal/merkle/compact.go new file mode 100644 index 0000000..6eeabd0 --- /dev/null +++ b/internal/merkle/compact.go @@ -0,0 +1,115 @@ +// BSD 2-Clause License +// +// Copyright (c) 2022, the ct authors +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this +// list of conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, +// this list of conditions and the following disclaimer in the documentation +// and/or other materials provided with the distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// From: +// https://gitlab.torproject.org/rgdd/ct/-/tree/main/pkg/merkle +// +// The only difference is that leaf hashes rather than leaf data are passed as +// input to TreeHeadFromRangeProof, thus also changing the nodes() helper. +package merkle + +import ( + "crypto/sha256" + "fmt" +) + +// node represents a subtree at some level and a particular index +type node struct { + index uint64 + hash [sha256.Size]byte +} + +// nodes returns a list of consecutive leaf hashes +func nodes(index uint64, leafHashes [][sha256.Size]byte) (n []node) { + for i, lh := range leafHashes { + n = append(n, node{index + uint64(i), lh}) + } + return +} + +// compactRange outputs the minimal number of fixed subtree hashes given a +// non-empty list of consecutive leaves that start from a non-zero index. For a +// definition of this algorithm, see the end of ../../doc/tlog_algorithms.md. +func compactRange(nodes []node) [][sha256.Size]byte { + // Step 1 + var hashes [][sha256.Size]byte + + // Step 2 + for len(nodes) > 1 { + // Step 2a + if xor(nodes[1].index, 1) != nodes[0].index { + hashes = append(hashes, nodes[0].hash) + nodes = nodes[1:] + } + + // Step 2b; Step 2c; Step 2c(iii) + for i := 0; i < len(nodes); i++ { + // Step 2c(i) + if i+1 != len(nodes) { + nodes[i].hash = HashInteriorNode(nodes[i].hash, nodes[i+1].hash) + nodes = append(nodes[:i+1], nodes[i+2:]...) + } + + // Step 2c(ii) + nodes[i].index = rshift(nodes[i].index) + } + } + + // Step 3 + return append(hashes, nodes[0].hash) +} + +// TreeHeadFromRangeProof computes a tree head at size n=len(leafHashes)+index +// if given a list of leaf hashes at indices index,...,n-1 as well as an +// inclusion proof for the first leaf in the tree of size n. This allows a +// verifier to check inclusion of one or more log entries with a single +// inclusion proof. +func TreeHeadFromRangeProof(leafHashes [][sha256.Size]byte, index uint64, proof [][sha256.Size]byte) (root [sha256.Size]byte, err error) { + var cr [][sha256.Size]byte + confirmHash := func(h [sha256.Size]byte) error { + if h != cr[0] { + return fmt.Errorf("aborted due incorrect right-node subtree hash") + } + cr = cr[1:] + return nil + } + copyRoot := func(r [sha256.Size]byte) error { + root = r + return nil + } + + if len(leafHashes) == 0 { + return [sha256.Size]byte{}, fmt.Errorf("need at least one leaf to recompute tree head from proof") + } + if len(leafHashes) > 1 { + cr = compactRange(nodes(index+1, leafHashes[1:])) + } + return root, inclusion(leafHashes[0], index, index+uint64(len(leafHashes)), proof, copyRoot, confirmHash) +} + +func xor(a, b uint64) uint64 { + return a ^ b +} diff --git a/internal/merkle/merkle.go b/internal/merkle/merkle.go new file mode 100644 index 0000000..872364f --- /dev/null +++ b/internal/merkle/merkle.go @@ -0,0 +1,271 @@ +// BSD 2-Clause License +// +// Copyright (c) 2022, the ct authors +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this +// list of conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, +// this list of conditions and the following disclaimer in the documentation +// and/or other materials provided with the distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// From: +// https://gitlab.torproject.org/rgdd/ct/-/tree/main/pkg/merkle +package merkle + +import ( + "crypto/sha256" + "fmt" +) + +// HashEmptyTree computes the hash of an empty tree. See RFC 6162, §2.1: +// +// MTH({}) = SHA-256() +func HashEmptyTree() [sha256.Size]byte { + return sha256.Sum256(nil) +} + +// HashLeafNode computes the hash of a leaf's data. See RFC 6162, §2.1: +// +// MTH({d(0)}) = SHA-256(0x00 || d(0)) +func HashLeafNode(data []byte) (hash [sha256.Size]byte) { + h := sha256.New() + h.Write([]byte{0x00}) + h.Write(data) + copy(hash[:], h.Sum(nil)) + return +} + +// HashInteriorNode computes the hash of an interior node. See RFC 6962, §2.1: +// +// MTH(D[n]) = SHA-256(0x01 || MTH(D[0:k]) || MTH(D[k:n]) +func HashInteriorNode(left, right [sha256.Size]byte) (hash [sha256.Size]byte) { + h := sha256.New() + h.Write([]byte{0x01}) + h.Write(left[:]) + h.Write(right[:]) + copy(hash[:], h.Sum(nil)) + return +} + +// inclusion implements the algorithm specified in RFC 9162, Section 2.1.3.2. +// In addition, the caller is allowed to confirm right-node subtree hashes. +func inclusion(leaf [sha256.Size]byte, index, size uint64, proof [][sha256.Size]byte, + confirmRoot func([sha256.Size]byte) error, confirmHash func([sha256.Size]byte) error) error { + // Step 1 + if index >= size { + return fmt.Errorf("leaf index must be in [%d, %d]", 0, size-1) + } + + // Step 2 + fn := index + sn := size - 1 + + // Step 3 + r := leaf + + // Step 4 + for i, p := range proof { + // Step 4a + if sn == 0 { + return fmt.Errorf("reached tree head with %d remaining proof hash(es)", len(proof[i:])) + } + + // Step 4b + if isLSB(fn) || fn == sn { + // Step 4b, i + r = HashInteriorNode(p, r) + + // Step 4b, ii + if !isLSB(fn) { + for { + fn = rshift(fn) + sn = rshift(sn) + + if isLSB(fn) || fn == 0 { + break + } + } + } + } else { + // Step 4b, i + r = HashInteriorNode(r, p) + + // Extension: allow the caller to confirm right-node subtree hashes + if err := confirmHash(p); err != nil { + return fmt.Errorf("subtree index %d: %v", fn, err) + } + } + + // Step 4c + fn = rshift(fn) + sn = rshift(sn) + } + + // Step 5 + if sn != 0 { + return fmt.Errorf("stopped at subtree with index %d due to missing proof hashes", fn) + } + return confirmRoot(r) +} + +// consistency implements the algorithm specified in RFC 9162, §2.1.4.2 +func consistency(oldSize, newSize uint64, oldRoot, newRoot [sha256.Size]byte, proof [][sha256.Size]byte) error { + // Step 1 + if len(proof) == 0 { + return fmt.Errorf("need at least one proof hash") + } + + // Step 2 + if isPOW2(oldSize) { + proof = append([][sha256.Size]byte{oldRoot}, proof...) + } + + // Step 3 + fn := oldSize - 1 + sn := newSize - 1 + + // Step 4 + for isLSB(fn) { + fn = rshift(fn) + sn = rshift(sn) + } + + // Step 5 + fr := proof[0] + sr := proof[0] + + // Step 6 + for i, c := range proof[1:] { + // Step 6a + if sn == 0 { + return fmt.Errorf("reached tree head with %d remaining proof hash(es)", len(proof[i+1:])) + } + + // Step 6b + if isLSB(fn) || fn == sn { + // Step 6b, i + fr = HashInteriorNode(c, fr) + // Step 6b, ii + sr = HashInteriorNode(c, sr) + // Step 6b, iii + if !isLSB(fn) { + for { + fn = rshift(fn) + sn = rshift(sn) + + if isLSB(fn) || fn == 0 { + break + } + } + } + } else { + // Step 6b, i + sr = HashInteriorNode(sr, c) + } + + // Step 6c + fn = rshift(fn) + sn = rshift(sn) + } + + // Step 7 + if sn != 0 { + return fmt.Errorf("stopped at subtree with index %d due to missing proof hashes", fn) + } + if fr != oldRoot { + return fmt.Errorf("recomputed old tree head %x is not equal to reference tree head %x", fr[:], oldRoot[:]) + } + if sr != newRoot { + return fmt.Errorf("recomputed new tree head %x is not equal to reference tree head %x", sr[:], newRoot[:]) + } + return nil +} + +// VerifyInclusion verifies that a leaf's data is commited at a given index in a +// reference tree +func VerifyInclusion(data []byte, index, size uint64, root [sha256.Size]byte, proof [][sha256.Size]byte) error { + if size == 0 { + return fmt.Errorf("tree size must be larger than zero") + } + + confirmHash := func(h [sha256.Size]byte) error { return nil } // No compact range extension + confirmRoot := func(r [sha256.Size]byte) error { + if r != root { + return fmt.Errorf("recomputed tree head %x is not equal to reference tree head %x", r[:], root[:]) + } + return nil + } + return inclusion(HashLeafNode(data), index, size, proof, confirmRoot, confirmHash) +} + +// VerifyConsistency verifies that an an old tree is consistent with a new tree +func VerifyConsistency(oldSize, newSize uint64, oldRoot, newRoot [sha256.Size]byte, proof [][sha256.Size]byte) error { + checkTree := func(size uint64, root [sha256.Size]byte) error { + if size == 0 { + if root != HashEmptyTree() { + return fmt.Errorf("non-empty tree head %x for size zero", root[:]) + } + if len(proof) != 0 { + return fmt.Errorf("non-empty proof with %d hashes for size zero", len(proof)) + } + } else if root == HashEmptyTree() { + return fmt.Errorf("empty tree head %x for tree size %d", root[:], size) + } + return nil + } + + if err := checkTree(oldSize, oldRoot); err != nil { + return fmt.Errorf("old: %v", err) + } + if err := checkTree(newSize, newRoot); err != nil { + return fmt.Errorf("new: %v", err) + } + if oldSize == 0 { + return nil + } + + if oldSize == newSize { + if oldRoot != newRoot { + return fmt.Errorf("different tree heads %x and %x with equal tree size %d", oldRoot, newRoot, oldSize) + } + if len(proof) != 0 { + return fmt.Errorf("non-empty proof with %d hashes for equal tree size %d", len(proof), oldSize) + } + return nil + } + if oldSize > newSize { + return fmt.Errorf("old tree size %d must be smaller than or equal to the new tree size %d", oldSize, newSize) + } + + return consistency(oldSize, newSize, oldRoot, newRoot, proof) +} + +// isLSB returns true if the least significant bit of num is set +func isLSB(num uint64) bool { + return (num & 1) != 0 +} + +// isPOW2 returns true if num is a power of two (1, 2, 4, 8, ...) +func isPOW2(num uint64) bool { + return (num & (num - 1)) == 0 +} + +func rshift(num uint64) uint64 { + return num >> 1 +} diff --git a/internal/options/options.go b/internal/options/options.go new file mode 100644 index 0000000..3e253c5 --- /dev/null +++ b/internal/options/options.go @@ -0,0 +1,97 @@ +package options + +import ( + "encoding/json" + "flag" + "fmt" + "os" + + "rgdd.se/silent-ct/internal/manager" + "rgdd.se/silent-ct/pkg/monitor" + "rgdd.se/silent-ct/pkg/server" +) + +const usage = `Usage: + + silent-ct [Options] + +Options: + + -h, --help: Output usage message and exit + -c, --config: Path to a configuration file (Default: %s) + -l, --listen: Listen address to receive submission on (Default: %s) + -s, --state: Path to a directory where state is stored (Default: %s) + +Example configuration file: + + { + "monitor": [ + { + "wildcard": "example.org", + "excludes": [ + "test" + ] + } + ], + "nodes": [ + { + "name": "node_a", + "secret": "aaaa", + "issues": [ + "example.org", + "www.example.org" + ] + } + ] + } + +` + +// Options are command-line options the user can specify +type Options struct { + ListenAddr string + ConfigFile string + StateDir string +} + +func New(cmd string, args []string) (opts Options, err error) { + fs := flag.NewFlagSet(cmd, flag.ContinueOnError) + fs.Usage = func() { + fmt.Fprintf(os.Stderr, usage, server.DefaultConfigFile, server.DefaultAddress, manager.DefaultStateDir) + } + stringOpt(fs, &opts.ConfigFile, "config", "c", server.DefaultConfigFile) + stringOpt(fs, &opts.ListenAddr, "listen", "l", server.DefaultAddress) + stringOpt(fs, &opts.StateDir, "state", "s", manager.DefaultStateDir) + if err = fs.Parse(args); err != nil { + return opts, err + } + + if opts.ConfigFile == "" { + return opts, fmt.Errorf("-c, --config: must not be an empty string") + } + if opts.StateDir == "" { + return opts, fmt.Errorf("-s, --state: must not be an empty string") + } + if opts.ListenAddr == "" { + return opts, fmt.Errorf("-l, --listen: must not be an empty string") + } + return opts, err +} + +func stringOpt(fs *flag.FlagSet, opt *string, short, long, value string) { + fs.StringVar(opt, short, value, "") + fs.StringVar(opt, long, value, "") +} + +type Config struct { + Monitor monitor.MatchWildcards `json:"monitor"` + Nodes server.Nodes `json:"nodes"` +} + +func (c *Config) FromFile(fileName string) error { + b, err := os.ReadFile(fileName) + if err != nil { + return err + } + return json.Unmarshal(b, c) +} -- cgit v1.2.3