Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add verification methods #74

Closed
wants to merge 40 commits into from
Closed

Add verification methods #74

wants to merge 40 commits into from

Conversation

vqhuy
Copy link
Member

@vqhuy vqhuy commented Aug 18, 2016

To be paired w/ #86

  • Temporarily ignore the cgo client library until we have a complete protocol/client library.

@vqhuy vqhuy force-pushed the cgo-client branch 2 times, most recently from 7ed7bbe to f91dc4c Compare August 20, 2016 10:42
@vqhuy vqhuy changed the base branch from master to lookup August 20, 2016 11:58
@vqhuy vqhuy changed the title [WIP] A stab at idea of cgoDoClientBusiness A stab at idea of cgoDoClientBusiness Aug 20, 2016
@vqhuy vqhuy force-pushed the lookup branch 2 times, most recently from 60f803d to 498f6e8 Compare August 22, 2016 06:19
@vqhuy vqhuy force-pushed the cgo-client branch 5 times, most recently from 23b04d4 to 4e9f659 Compare August 22, 2016 15:23
@arlolra arlolra closed this Aug 23, 2016
@arlolra arlolra reopened this Aug 23, 2016
@vqhuy vqhuy changed the base branch from lookup to master August 23, 2016 02:56
@vqhuy vqhuy force-pushed the cgo-client branch 5 times, most recently from 7fec73a to a7c6680 Compare August 23, 2016 13:59
@vqhuy vqhuy changed the base branch from master to registration-bots August 23, 2016 15:01
}
}

// step 2. verify STR's signature
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes more sense to verify the STR signature before verifying the TB's signature, since the TB's signature depends on the STR's signature.

Q: Which epoch did this lookup happen in?
A: verifyFulfilledPromise must take a STR as its argument. This STR should be verified in updateSTR (e.g., epoch transitioning etc ...).
@vqhuy
Copy link
Member Author

vqhuy commented Nov 14, 2016

@masomel @arlolra @liamsi : I merged branch str2 into this and did some refactors. Please take a look :)
(Agrr, sorry for this long pull with many changes).

Copy link
Member

@masomel masomel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like what you guys did, @c633 and @arlolra. I think the consistency checks make a lot more sense now. Most of my comments are more about code cleanup (e.g. redundant params).

if err := cc.verifySTR(str); err == nil {
return nil
}
// Otherwise, expect that we've enterred a new epoch
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/enterred/entered

// FIXME: check whether the STR was issued on time and whatnot.
// Maybe it has something to do w/ #81 and client transitioning between epochs.
// Try to verify w/ what's been saved
if err := cc.verifySTR(str); err == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/coniks-sys/coniks-go/blob/cgo-client/protocol/consistencychecks.go#L257 states that verifySTR() should only be called in the case that requestType is KeyLookupType, but here it's clearly called for a RegistrationType as well. I'm probably missing something, but won't verifySTR() return an ErrorBadSTR in that case? I'm unclear at which point the cc is initialized with an STR before the registration response is received that won't cause verifySTR() to fail. (I see that in the tests we sort of "cheat" and just pass in d.LatestSTR(), but this presumably won't be the case in practice).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is @arlolra explanantion:
#74 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had originally written it like this, 80e453c

But Huy made this change, 8e97d88

I'm assuming because of #74 (comment)

However, we've since opened #106 and agreed to do TOFU for the time being, so that should probably be reverted too? Huy?

Maybe he was thinking we'd do a #119 first?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

80e453c makes me feel like a lazy developer can always pass a nil pointer of savedSTR instead.

Since we don't have #119 yet, so yes, I agree it should be reverted too.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I appreciate your concern.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, thanks for this explanation.

return nil
}
// Otherwise, expect that we've enterred a new epoch
if err := cc.verifySTRConsistency(cc.SavedSTR, str); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly to above, https://github.com/coniks-sys/coniks-go/blob/cgo-client/protocol/consistencychecks.go#L238 states that verifySTRConsistency() should only be called in the case of a RegistrationType or a MonitoringType. So I'm wondering why the registration and key lookup responses are being handled the same way.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, the comment is no longer true. See #74 (comment).

// This uses the pinning signing key in cc
// verifySTRConsistency checks the consistency between 2 snapshots.
// This should be called if the request is either registration or
// monitoring. It uses the pinning signing key in cc
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/pinning/pinned

return invalidProof, ErrorBadCommitment
}
proofType = proofOfInclusion
key = ap.Leaf.Value
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add to the comment that we accept the received key as TOFU.

case msg.Error == ErrorNameNotFound && proofType == proofOfAbsence:
case msg.Error == Success:
case msg.Error == ErrorNameNotFound && proofType == m.ProofOfAbsence:
case msg.Error == Success && proofType == m.ProofOfInclusion && tb == nil:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This case is going to change when we support key changes, so I would add a FIXME or TODO to indicate this.

func (cc *ConsistencyChecks) verifyReturnedPromise(requestType int,
responseCode ErrorCode, df *DirectoryProof,
// These above checks should be performed before calling this method.
func (cc *ConsistencyChecks) verifyReturnedPromise(df *DirectoryProof,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update the comment: https://github.com/coniks-sys/coniks-go/blob/cgo-client/protocol/consistencychecks.go#L286 states that verifyReturnedPromise() operates based on the request type, which no longer is true.

func (cc *ConsistencyChecks) verifyReturnedPromise(requestType int,
responseCode ErrorCode, df *DirectoryProof,
// These above checks should be performed before calling this method.
func (cc *ConsistencyChecks) verifyReturnedPromise(df *DirectoryProof,
uname string, key []byte) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The uname parameter seems to be unused, and the ap.LookupIndex will have already been validated when verifyReturnedPromise() is called, right? We can drop this param.

// The client should create a new ConsistencyChecks instance only once,
// when she registers her binding with a ConiksDirectory.
// This ConsistencyChecks instance then will be used to verify
// the returned responses from the ConiksDirectory.
type ConsistencyChecks struct {
oldSTR *m.SignedTreeRoot // keep a copy of SavedSTR before it gets updated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the idea for oldSTR to be a workaround for keeping track when the client has transitioned between epochs? It only seems to be relevant in verifyFulfilledPromise(), which we still expect to change when we address #116, right?

Copy link
Member Author

@vqhuy vqhuy Nov 15, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, right. Hope it can be used when we address #116.
EDIT: Reverted it in 09784a6.

if !tb.Verify(ap) {
if tb, ok := cc.TBs[uname]; ok {
if str.Epoch != cc.oldSTR.Epoch+1 {
return ErrorBadPromise
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this case being true indicate that we didn't verify a TB during the next epoch (e.g. because we didn't do a lookup for this uname)? That doesn't make it a bad (i.e. invalid) TB per se, so I'm not sure if we should be returning an error here, or if we should just delete the old TB for now (until we have #116 implemented).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I thought that we could use KeyLookup for monitoring until we support it. I should revert this commit and add a FIXME here as @arlolra did.

Copy link
Member

@masomel masomel Nov 15, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought that we could use KeyLookup for monitoring until we support it.

Oh, I see. I think this would actually be fine.,and just add a FIXME. Let me look at the new changes, though.

- Re-arrange methods' order.

- Remove redundant params.

- Remove comments which are no longer true.

- Add more tests
@vqhuy
Copy link
Member Author

vqhuy commented Nov 15, 2016

Most of my comments are more about code cleanup (e.g. redundant params).

I re-organized code in ea46aaa. Thanks for your advice about that!


proofType := ap.ProofType()
switch {
case msg.Error == ErrorNameExisted && proofType == m.ProofOfInclusion && tb == nil:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason you preferred this as tb == nil instead of the useTBs in 4a345e8?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think tb==nil is more appropriate in this case, since we expect a nill tb regardless of the value of cc.useTBs. In other hand, we probably need to use a TB extension (this way or other ways), so cc.useTBs makes not much sense to me. Or maybe that's the thinking I have when working on #89.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we expect a nil tb regardless of the value of cc.useTBs.

Yes, that's true, but we're trying to eliminated the use of TBs here and only reference them in updateTB. I think it's ok to omit it and just have msg.Error == ErrorNameExisted && proofType == m.ProofOfInclusion.

However, I was more concerned with msg.Error == ErrorNameExisted && proofType == m.ProofOfAbsence, which is only valid if useTB is true.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you're totally right. I was mixed between 2 tasks.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in d7581cc.

case msg.Error == ErrorNameNotFound && proofType == m.ProofOfAbsence:
// FIXME: This would be changed when we support key changes
case msg.Error == Success && proofType == m.ProofOfInclusion && tb == nil:
case msg.Error == Success && proofType == m.ProofOfAbsence:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same w/ this one msg.Error == Success && proofType == m.ProofOfAbsence && cc.useTBs.

type ProofType int

const (
undeterminedProof ProofType = iota
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is undeterminedProof still relevant? Doesn't seem like it's being used.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, sorry, I missed that.

}

// And update the saved STR
cc.SavedSTR = str
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we had any other request types, this would overwrite with nil, right.

Can we all a default case that panics?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already panic in HandleResponse, is that enough?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to have it in both places, like checkConsistency.

case msg.Error == Success && proofType == m.ProofOfInclusion:
if err := cc.verifyFulfilledPromise(uname, str, ap); err != nil {
return err
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move the delete(cc.TBs, uname) to here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it makes sense.

@arlolra
Copy link
Member

arlolra commented Nov 15, 2016

After those two last things, please squash and merge this.

@vqhuy
Copy link
Member Author

vqhuy commented Nov 15, 2016

After those two last things, please squash and merge this.

Thanks!
@masomel @liamsi : Any thoughts before this is merged?

@arlolra
Copy link
Member

arlolra commented Nov 15, 2016

Merged in d92753d.

@arlolra arlolra closed this Nov 15, 2016
@arlolra arlolra deleted the cgo-client branch November 15, 2016 17:44
@masomel
Copy link
Member

masomel commented Nov 15, 2016

Yay!!

@vqhuy
Copy link
Member Author

vqhuy commented Nov 18, 2016

Sorry, it seems like @arlolra missed 16949b2 in d92753d. Pushed directly to master in 2e86b64.

@arlolra
Copy link
Member

arlolra commented Nov 18, 2016

Crap, sorry everyone :(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants