From 57c90547840ea2a073c950116303c54f9ef976f1 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Sat, 26 Dec 2020 15:55:34 +0100
Subject: implement #6161
---
 .../taler-auditor-httpd_deposit-confirmation.c | 54 ++++++++++++++++------
 1 file changed, 39 insertions(+), 15 deletions(-)
(limited to 'src/auditor/taler-auditor-httpd_deposit-confirmation.c')
diff --git a/src/auditor/taler-auditor-httpd_deposit-confirmation.c b/src/auditor/taler-auditor-httpd_deposit-confirmation.c
index 08a781f30..61263888f 100644
--- a/src/auditor/taler-auditor-httpd_deposit-confirmation.c
+++ b/src/auditor/taler-auditor-httpd_deposit-confirmation.c
@@ -35,7 +35,7 @@
 /**
 * Cache of already verified exchange signing keys. Maps the hash of the
 * `struct TALER_ExchangeSigningKeyValidityPS` to the (static) string
- * "verified". Access to this map is guarded by the #lock.
+ * "verified" or "revoked". Access to this map is guarded by the #lock.
 */
 static struct GNUNET_CONTAINER_MultiHashMap *cache;
 
@@ -66,7 +66,7 @@ verify_and_execute_deposit_confirmation (
 enum GNUNET_DB_QueryStatus qs;
 struct GNUNET_TIME_Absolute now;
 struct GNUNET_HashCode h;
- int cached;
+ const char *cached;
 struct TALER_ExchangeSigningKeyValidityPS skv = {
 .purpose.purpose = htonl (TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY),
 .purpose.size = htonl (sizeof (struct TALER_ExchangeSigningKeyValidityPS)),
@@ -94,10 +94,9 @@ verify_and_execute_deposit_confirmation (
 sizeof (skv),
 &h);
 GNUNET_assert (0 == pthread_mutex_lock (&lock));
- cached = GNUNET_CONTAINER_multihashmap_contains (cache,
- &h);
+ cached = GNUNET_CONTAINER_multihashmap_get (cache,
+ &h);
 GNUNET_assert (0 == pthread_mutex_unlock (&lock));
-
 session = TAH_plugin->get_session (TAH_plugin->cls);
 if (NULL == session)
 {
@@ -107,7 +106,7 @@ verify_and_execute_deposit_confirmation (
 TALER_EC_GENERIC_DB_SETUP_FAILED,
 NULL);
 }
- if (! cached)
+ if (NULL == cached)
 {
 /* Not in cache, need to verify the signature, persist it, and possibly cache it */
 if (GNUNET_OK !=
@@ -139,18 +138,43 @@ verify_and_execute_deposit_confirmation (
 TALER_EC_GENERIC_DB_STORE_FAILED,
 "exchange signing key");
 }
+ cached = "verified";
+ }
+
+ if (0 == strcmp (cached,
+ "verified"))
+ {
+ struct TALER_MasterSignatureP master_sig;
 
- /* Cache it, due to concurreny it might already be in the cache,
- so we do not cache it twice but also don't insist on the 'put' to
- succeed. */
- GNUNET_assert (0 == pthread_mutex_lock (&lock));
- (void) GNUNET_CONTAINER_multihashmap_put (cache,
- &h,
- "verified",
- GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY);
- GNUNET_assert (0 == pthread_mutex_unlock (&lock));
+ /* check for revocation */
+ qs = TAH_eplugin->lookup_signkey_revocation (TAH_eplugin->cls,
+ NULL,
+ &es->exchange_pub,
+ &master_sig);
+ if (0 > qs)
+ {
+ GNUNET_break (GNUNET_DB_STATUS_HARD_ERROR == qs);
+ TALER_LOG_WARNING (
+ "Failed to check for signing key revocation in database\n");
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_INTERNAL_SERVER_ERROR,
+ TALER_EC_GENERIC_DB_FETCH_FAILED,
+ "exchange signing key revocation");
+ }
+ if (0 < qs)
+ cached = "revoked";
 }
 
+ /* Cache it, due to concurreny it might already be in the cache,
+ so we do not cache it twice but also don't insist on the 'put' to
+ succeed. */
+ GNUNET_assert (0 == pthread_mutex_lock (&lock));
+ (void) GNUNET_CONTAINER_multihashmap_put (cache,
+ &h,
+ (void *) cached,
+ GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY);
+ GNUNET_assert (0 == pthread_mutex_unlock (&lock));
+
 /* check deposit confirmation signature */
 {
 struct TALER_DepositConfirmationPS dcs = {
-- cgit v1.2.3
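Review bot: Nothing on the new side acts on `cached` being "revoked": once the revocation lookup sets it, control runs through the cache update straight into the `/* check deposit confirmation signature */` block, so as far as this patch shows a confirmation signed with a revoked exchange signing key is still accepted. `cached` was an `int` before this commit, so unchanged code below the hunk cannot be testing the string either, though the function does continue outside the hunk. I would add a branch right after the cache update, `if (0 == strcmp (cached, "revoked"))`, that logs a warning and returns through `TALER_MHD_reply_with_error` with a status and error code meaning the signing key was revoked. Separately, a key first stored as "verified" can never turn into "revoked" in the map, because the put uses `GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY` and its result is discarded; `GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE` would let the entry change state and spare the database lookup on later requests.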