From db7558bbb41f8c01a08e1e46b01ad14d955f724b Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Mon, 15 Jan 2024 15:09:52 +0100 Subject: improve secmod for donau --- src/exchange/taler-exchange-httpd_keys.c | 6 ++-- src/util/crypto_helper_cs.c | 2 +- src/util/crypto_helper_esign.c | 4 +-- src/util/crypto_helper_rsa.c | 6 ++-- src/util/taler-exchange-secmod-cs.c | 48 ++++++++++++++++++++++-------- src/util/taler-exchange-secmod-eddsa.c | 43 ++++++++++++++++++--------- src/util/taler-exchange-secmod-rsa.c | 50 ++++++++++++++++++++++++-------- src/util/taler-exchange-secmod-rsa.conf | 5 +++- src/util/test_helper_cs.c | 4 +-- src/util/test_helper_eddsa.c | 4 +-- src/util/test_helper_rsa.c | 4 +-- 11 files changed, 123 insertions(+), 53 deletions(-) diff --git a/src/exchange/taler-exchange-httpd_keys.c b/src/exchange/taler-exchange-httpd_keys.c index 4d6decf35..8ec11cff9 100644 --- a/src/exchange/taler-exchange-httpd_keys.c +++ b/src/exchange/taler-exchange-httpd_keys.c @@ -1630,7 +1630,7 @@ setup_key_helpers (struct HelperState *hs) = GNUNET_CONTAINER_multipeermap_create (32, GNUNET_NO /* MUST BE NO! */); hs->rsadh = TALER_CRYPTO_helper_rsa_connect (TEH_cfg, - "taler", + "taler-exchange", &helper_rsa_cb, hs); if (NULL == hs->rsadh) @@ -1639,7 +1639,7 @@ setup_key_helpers (struct HelperState *hs) return GNUNET_SYSERR; } hs->csdh = TALER_CRYPTO_helper_cs_connect (TEH_cfg, - "taler", + "taler-exchange", &helper_cs_cb, hs); if (NULL == hs->csdh) @@ -1648,7 +1648,7 @@ setup_key_helpers (struct HelperState *hs) return GNUNET_SYSERR; } hs->esh = TALER_CRYPTO_helper_esign_connect (TEH_cfg, - "taler", + "taler-exchange", &helper_esign_cb, hs); if (NULL == hs->esh) diff --git a/src/util/crypto_helper_cs.c b/src/util/crypto_helper_cs.c index ac41f52c6..4c4a56feb 100644 --- a/src/util/crypto_helper_cs.c +++ b/src/util/crypto_helper_cs.c @@ -122,7 +122,7 @@ TALER_CRYPTO_helper_cs_connect ( char *secname; GNUNET_asprintf (&secname, - "%s-exchange-secmod-cs", + "%s-secmod-cs", section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg, diff --git a/src/util/crypto_helper_esign.c b/src/util/crypto_helper_esign.c index 4901937f5..e044d31d1 100644 --- a/src/util/crypto_helper_esign.c +++ b/src/util/crypto_helper_esign.c @@ -118,9 +118,9 @@ TALER_CRYPTO_helper_esign_connect ( struct TALER_CRYPTO_ExchangeSignHelper *esh; char *unixpath; char *secname; - + GNUNET_asprintf (&secname, - "%s-exchange-secmod-eddsa", + "%s-secmod-eddsa", section); if (GNUNET_OK != diff --git a/src/util/crypto_helper_rsa.c b/src/util/crypto_helper_rsa.c index d5b7ccf2f..e23e12a88 100644 --- a/src/util/crypto_helper_rsa.c +++ b/src/util/crypto_helper_rsa.c @@ -120,9 +120,9 @@ TALER_CRYPTO_helper_rsa_connect ( struct TALER_CRYPTO_RsaDenominationHelper *dh; char *unixpath; char *secname; - + GNUNET_asprintf (&secname, - "%s-exchange-secmod-rsa", + "%s-secmod-rsa", section); if (GNUNET_OK != @@ -142,7 +142,7 @@ TALER_CRYPTO_helper_rsa_connect ( if (strlen (unixpath) >= sizeof (dh->sa.sun_path)) { GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-rsa", + secname, "UNIXPATH", "path too long"); GNUNET_free (unixpath); diff --git a/src/util/taler-exchange-secmod-cs.c b/src/util/taler-exchange-secmod-cs.c index fbd5aa258..3e9ba1558 100644 --- a/src/util/taler-exchange-secmod-cs.c +++ b/src/util/taler-exchange-secmod-cs.c @@ -341,9 +341,9 @@ static struct GNUNET_TIME_Timestamp now_tmp; static char *keydir; /** - * Name of the configuration section prefix to use. Usually either "taler" or + * Name of the configuration section prefix to use. Usually either "taler-exchange" or * "donau". The actual configuration section will then be - * "$SECTION-exchange-secmod-cs". + * "$SECTION-secmod-cs". */ static char *section; @@ -1964,6 +1964,11 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, const char *ct, struct Denomination *denom) { + char *secname; + + GNUNET_asprintf (&secname, + "%s-secmod-cs", + section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, ct, @@ -1973,6 +1978,7 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, ct, "DURATION_WITHDRAW"); + GNUNET_free (secname); return GNUNET_SYSERR; } if (GNUNET_TIME_relative_cmp (overlap_duration, @@ -1980,11 +1986,13 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, denom->duration_withdraw)) { GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-cs", + secname, "OVERLAP_DURATION", "Value given must be smaller than value for DURATION_WITHDRAW!"); + GNUNET_free (secname); return GNUNET_SYSERR; } + GNUNET_free (secname); denom->section = GNUNET_strdup (ct); return GNUNET_OK; } @@ -2099,28 +2107,36 @@ load_denominations (void *cls, static enum GNUNET_GenericReturnValue load_durations (const struct GNUNET_CONFIGURATION_Handle *cfg) { + char *secname; + + GNUNET_asprintf (&secname, + "%s-secmod-cs", + section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, - "taler-exchange-secmod-cs", + secname, "OVERLAP_DURATION", &overlap_duration)) { GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-cs", + secname, "OVERLAP_DURATION"); + GNUNET_free (secname); return GNUNET_SYSERR; } if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, - "taler-exchange-secmod-cs", + secname, "LOOKAHEAD_SIGN", &lookahead_sign)) { GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-cs", + secname, "LOOKAHEAD_SIGN"); + GNUNET_free (secname); return GNUNET_SYSERR; } + GNUNET_free (secname); return GNUNET_OK; } @@ -2180,7 +2196,7 @@ run (void *cls, now = GNUNET_TIME_timestamp_get (); } GNUNET_asprintf (&secname, - "%s-exchange-secmod-cs", + "%s-secmod-cs", section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg, @@ -2202,9 +2218,17 @@ run (void *cls, global_ret = EXIT_NOTCONFIGURED; return; } - global_ret = TES_listen_start (cfg, - "taler-exchange-secmod-cs", - &cb); + { + char *secname; + + GNUNET_asprintf (&secname, + "%s-secmod-cs", + section); + global_ret = TES_listen_start (cfg, + secname, + &cb); + GNUNET_free (secname); + } if (0 != global_ret) return; sem_init (&worker_sem, @@ -2300,7 +2324,7 @@ main (int argc, /* Restrict permissions for the key files that we create. */ (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH); - section = GNUNET_strdup ("taler"); + section = GNUNET_strdup ("taler-exchange"); /* force linker to link against libtalerutil; if we do not do this, the linker may "optimize" libtalerutil away and skip #TALER_OS_init(), which we do need */ diff --git a/src/util/taler-exchange-secmod-eddsa.c b/src/util/taler-exchange-secmod-eddsa.c index 1be4f7b49..0b95447f7 100644 --- a/src/util/taler-exchange-secmod-eddsa.c +++ b/src/util/taler-exchange-secmod-eddsa.c @@ -137,9 +137,9 @@ static struct GNUNET_TIME_Timestamp now_tmp; static char *keydir; /** - * Name of the configuration section prefix to use. Usually either "taler" or + * Name of the configuration section prefix to use. Usually either "taler-exchange" or * "donau". The actual configuration section will then be - * "$SECTION-exchange-secmod-cs". + * "$SECTION-secmod-eddsa". */ static char *section; @@ -998,39 +998,48 @@ import_key (void *cls, static enum GNUNET_GenericReturnValue load_durations (const struct GNUNET_CONFIGURATION_Handle *cfg) { + char *secname; + + GNUNET_asprintf (&secname, + "%s-secmod-eddsa", + section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, - "taler-exchange-secmod-eddsa", + secname, "OVERLAP_DURATION", &overlap_duration)) { + GNUNET_free (secname); GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-eddsa", + secname, "OVERLAP_DURATION"); return GNUNET_SYSERR; } if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, - "taler-exchange-secmod-eddsa", + secname, "DURATION", &duration)) { + GNUNET_free (secname); GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-eddsa", + secname, "DURATION"); return GNUNET_SYSERR; } if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, - "taler-exchange-secmod-eddsa", + secname, "LOOKAHEAD_SIGN", &lookahead_sign)) { + GNUNET_free (secname); GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-eddsa", + secname, "LOOKAHEAD_SIGN"); return GNUNET_SYSERR; } + GNUNET_free (secname); return GNUNET_OK; } @@ -1088,7 +1097,7 @@ run (void *cls, now = GNUNET_TIME_timestamp_get (); } GNUNET_asprintf (&secname, - "%s-exchange-secmod-eddsa", + "%s-secmod-eddsa", section); if (GNUNET_OK != load_durations (cfg)) @@ -1112,9 +1121,17 @@ run (void *cls, GNUNET_free (secname); GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL); - global_ret = TES_listen_start (cfg, - "taler-exchange-secmod-eddsa", - &cb); + { + char *secname; + + GNUNET_asprintf (&secname, + "%s-secmod-eddsa", + section); + global_ret = TES_listen_start (cfg, + secname, + &cb); + GNUNET_free (secname); + } if (0 != global_ret) return; /* Load keys */ @@ -1175,7 +1192,7 @@ main (int argc, /* Restrict permissions for the key files that we create. */ (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH); - section = GNUNET_strdup ("taler"); + section = GNUNET_strdup ("taler-exchange"); /* force linker to link against libtalerutil; if we do not do this, the linker may "optimize" libtalerutil away and skip #TALER_OS_init(), which we do need */ diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c index 57bf69d04..c80e2e3c4 100644 --- a/src/util/taler-exchange-secmod-rsa.c +++ b/src/util/taler-exchange-secmod-rsa.c @@ -308,9 +308,9 @@ static struct GNUNET_TIME_Timestamp now_tmp; static char *keydir; /** - * Name of the configuration section prefix to use. Usually either "taler" or + * Name of the configuration section prefix to use. Usually either "taler-exchange" or * "donau". The actual configuration section will then be - * "$SECTION-exchange-secmod-cs". + * "$SECTION-secmod-rsa". */ static char *section; @@ -1261,6 +1261,7 @@ create_key (struct Denomination *denom, struct GNUNET_TIME_Timestamp anchor; anchor = now; + // FIXME: round down to multiple of 'anchor_round' value from configuration if (NULL != denom->keys_tail) { struct GNUNET_TIME_Absolute abs; @@ -1729,7 +1730,11 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, struct Denomination *denom) { unsigned long long rsa_keysize; + char *secname; + GNUNET_asprintf (&secname, + "%s-secmod-rsa", + section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, ct, @@ -1739,6 +1744,7 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, ct, "DURATION_WITHDRAW"); + GNUNET_free (secname); return GNUNET_SYSERR; } if (GNUNET_TIME_relative_cmp (overlap_duration, @@ -1746,9 +1752,10 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, denom->duration_withdraw)) { GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-rsa", + section, "OVERLAP_DURATION", "Value given must be smaller than value for DURATION_WITHDRAW!"); + GNUNET_free (secname); return GNUNET_SYSERR; } if (GNUNET_OK != @@ -1760,6 +1767,7 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, ct, "RSA_KEYSIZE"); + GNUNET_free (secname); return GNUNET_SYSERR; } if ( (rsa_keysize > 4 * 2048) || @@ -1769,8 +1777,10 @@ parse_denomination_cfg (const struct GNUNET_CONFIGURATION_Handle *cfg, ct, "RSA_KEYSIZE", "Given RSA keysize outside of permitted range [1024,8192]\n"); + GNUNET_free (secname); return GNUNET_SYSERR; } + GNUNET_free (secname); denom->rsa_keysize = (unsigned int) rsa_keysize; denom->section = GNUNET_strdup (ct); return GNUNET_OK; @@ -1885,28 +1895,36 @@ load_denominations (void *cls, static enum GNUNET_GenericReturnValue load_durations (const struct GNUNET_CONFIGURATION_Handle *cfg) { + char *secname; + + GNUNET_asprintf (&secname, + "%s-secmod-rsa", + section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, - "taler-exchange-secmod-rsa", + secname, "OVERLAP_DURATION", &overlap_duration)) { GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-rsa", + secname, "OVERLAP_DURATION"); + GNUNET_free (secname); return GNUNET_SYSERR; } if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, - "taler-exchange-secmod-rsa", + secname, "LOOKAHEAD_SIGN", &lookahead_sign)) { GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, - "taler-exchange-secmod-rsa", + secname, "LOOKAHEAD_SIGN"); + GNUNET_free (secname); return GNUNET_SYSERR; } + GNUNET_free (secname); return GNUNET_OK; } @@ -1966,7 +1984,7 @@ run (void *cls, now = GNUNET_TIME_timestamp_get (); } GNUNET_asprintf (&secname, - "%s-exchange-secmod-rsa", + "%s-secmod-rsa", section); if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg, @@ -1988,9 +2006,17 @@ run (void *cls, global_ret = EXIT_NOTCONFIGURED; return; } - global_ret = TES_listen_start (cfg, - "taler-exchange-secmod-rsa", - &cb); + { + char *secname; + + GNUNET_asprintf (&secname, + "%s-secmod-rsa", + section); + global_ret = TES_listen_start (cfg, + secname, + &cb); + GNUNET_free (secname); + } if (0 != global_ret) return; sem_init (&worker_sem, @@ -2087,7 +2113,7 @@ main (int argc, /* Restrict permissions for the key files that we create. */ (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH); - section = GNUNET_strdup ("taler"); + section = GNUNET_strdup ("taler-exchange"); /* force linker to link against libtalerutil; if we do not do this, the linker may "optimize" libtalerutil away and skip #TALER_OS_init(), which we do need */ diff --git a/src/util/taler-exchange-secmod-rsa.conf b/src/util/taler-exchange-secmod-rsa.conf index 7b16ad114..978c40258 100644 --- a/src/util/taler-exchange-secmod-rsa.conf +++ b/src/util/taler-exchange-secmod-rsa.conf @@ -5,7 +5,7 @@ # wallets picking one key and then due to network latency # another key being valid. The DURATION_WITHDRAW period # must be longer than this value. -OVERLAP_DURATION = 5 m +OVERLAP_DURATION = 0 m # Where do we store the generated private keys. KEY_DIR = ${TALER_DATA_HOME}exchange-secmod-rsa/keys @@ -21,3 +21,6 @@ SM_PRIV_KEY = ${TALER_DATA_HOME}exchange-secmod-rsa/secmod-private-key # For how long into the future do we pre-generate keys? LOOKAHEAD_SIGN = 1 year + +# Round down anchor key start date to multiples of this time. +ANCHOR_ROUND = 1 ms \ No newline at end of file diff --git a/src/util/test_helper_cs.c b/src/util/test_helper_cs.c index 07e9907b4..93562e459 100644 --- a/src/util/test_helper_cs.c +++ b/src/util/test_helper_cs.c @@ -970,7 +970,7 @@ par_signing (struct GNUNET_CONFIGURATION_Handle *cfg) int ret; dh = TALER_CRYPTO_helper_cs_connect (cfg, - "taler", + "taler-exchange", &key_cb, NULL); GNUNET_assert (NULL != dh); @@ -1028,7 +1028,7 @@ run_test (void) nanosleep (&req, NULL); dh = TALER_CRYPTO_helper_cs_connect (cfg, - "taler", + "taler-exchange", &key_cb, NULL); if (NULL != dh) diff --git a/src/util/test_helper_eddsa.c b/src/util/test_helper_eddsa.c index 4f1f95893..0119e4278 100644 --- a/src/util/test_helper_eddsa.c +++ b/src/util/test_helper_eddsa.c @@ -365,7 +365,7 @@ par_signing (struct GNUNET_CONFIGURATION_Handle *cfg) int ret; esh = TALER_CRYPTO_helper_esign_connect (cfg, - "taler", + "taler-exchange", &key_cb, NULL); if (NULL == esh) @@ -428,7 +428,7 @@ run_test (void) nanosleep (&req, NULL); esh = TALER_CRYPTO_helper_esign_connect (cfg, - "taler", + "taler-exchange", &key_cb, NULL); if (NULL != esh) diff --git a/src/util/test_helper_rsa.c b/src/util/test_helper_rsa.c index 2ea166330..2bc15879f 100644 --- a/src/util/test_helper_rsa.c +++ b/src/util/test_helper_rsa.c @@ -797,7 +797,7 @@ par_signing (struct GNUNET_CONFIGURATION_Handle *cfg) int ret; dh = TALER_CRYPTO_helper_rsa_connect (cfg, - "taler", + "taler-exchange", &key_cb, NULL); GNUNET_assert (NULL != dh); @@ -856,7 +856,7 @@ run_test (void) nanosleep (&req, NULL); dh = TALER_CRYPTO_helper_rsa_connect (cfg, - "taler", + "taler-exchange", &key_cb, NULL); if (NULL != dh) -- cgit v1.2.3