From e1093cbb335f5f893937e95fa684d2a7c868e09e Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Sun, 10 Jun 2012 19:10:22 -0700
Subject: [PATCH] introducer: add sequence-numbers to announcements, ignore
 replays

This will support revocation of Accounting recommendation records,
assuming the gossip-based broadcast channel isn't easily jammed.
---
 src/allmydata/introducer/client.py    |  24 +++++-
 src/allmydata/introducer/server.py    |  17 +++++
 src/allmydata/test/test_introducer.py | 106 +++++++++++++++++++++++---
 3 files changed, 137 insertions(+), 10 deletions(-)

diff --git a/src/allmydata/introducer/client.py b/src/allmydata/introducer/client.py
index 260e13cf..33ce5ad8 100644
--- a/src/allmydata/introducer/client.py
+++ b/src/allmydata/introducer/client.py
@@ -201,8 +201,9 @@ class IntroducerClient(service.Service, Referenceable):
         d.addCallback(_publish_stub_client)
         return d
 
-    def create_announcement(self, service_name, ann, signing_key):
+    def create_announcement(self, service_name, ann, signing_key, _mod=None):
         full_ann = { "version": 0,
+                     "seqnum": time.time(),
                      "nickname": self._nickname,
                      "app-versions": self._app_versions,
                      "my-version": self._my_version,
@@ -211,6 +212,8 @@ class IntroducerClient(service.Service, Referenceable):
                      "service-name": service_name,
                      }
         full_ann.update(ann)
+        if _mod:
+            full_ann = _mod(full_ann) # for unit tests
         return sign_to_foolscap(full_ann, signing_key)
 
     def publish(self, service_name, ann, signing_key=None):
@@ -303,8 +306,27 @@ class IntroducerClient(service.Service, Referenceable):
                      parent=lp2, level=log.UNUSUAL, umid="B1MIdA")
             self._debug_counts["duplicate_announcement"] += 1
             return
+
         # does it update an existing one?
         if index in self._current_announcements:
+            old,_,_ = self._current_announcements[index]
+            if "seqnum" in old:
+                # must beat previous sequence number to replace
+                if "seqnum" not in ann:
+                    self.log("not replacing old announcement, no seqnum: %s"
+                             % (ann,),
+                             parent=lp2, level=log.NOISY, umid="zFGH3Q")
+                    return
+                if ann["seqnum"] <= old["seqnum"]:
+                    # note that exact replays are caught earlier, by
+                    # comparing the entire signed announcement.
+                    self.log("not replacing old announcement, "
+                             "new seqnum is too old (%s <= %s) "
+                             "(replay attack?): %s"
+                             % (ann["seqnum"], old["seqnum"], ann),
+                             parent=lp2, level=log.UNUSUAL, umid="JAAAoQ")
+                    return
+                # ok, seqnum is newer, allow replacement
             self._debug_counts["update"] += 1
             self.log("replacing old announcement: %s" % (ann,),
                      parent=lp2, level=log.NOISY, umid="wxwgIQ")
diff --git a/src/allmydata/introducer/server.py b/src/allmydata/introducer/server.py
index 394fdf00..1a4b7680 100644
--- a/src/allmydata/introducer/server.py
+++ b/src/allmydata/introducer/server.py
@@ -120,6 +120,8 @@ class IntroducerService(service.MultiService, Referenceable):
 
         self._debug_counts = {"inbound_message": 0,
                               "inbound_duplicate": 0,
+                              "inbound_no_seqnum": 0,
+                              "inbound_old_replay": 0,
                               "inbound_update": 0,
                               "outbound_message": 0,
                               "outbound_announcements": 0,
@@ -216,6 +218,21 @@ class IntroducerService(service.MultiService, Referenceable):
                 self._debug_counts["inbound_duplicate"] += 1
                 return
             else:
+                if "seqnum" in old_ann:
+                    # must beat previous sequence number to replace
+                    if "seqnum" not in ann:
+                        self.log("not replacing old ann, no seqnum",
+                                 level=log.NOISY, umid="ySbaVw")
+                        self._debug_counts["inbound_no_seqnum"] += 1
+                        return
+                    if ann["seqnum"] <= old_ann["seqnum"]:
+                        self.log("not replacing old ann, new seqnum is too old"
+                                 " (%s <= %s) (replay attack?)"
+                                 % (ann["seqnum"], old_ann["seqnum"]),
+                                 level=log.UNUSUAL, umid="sX7yqQ")
+                        self._debug_counts["inbound_old_replay"] += 1
+                        return
+                    # ok, seqnum is newer, allow replacement
                 self.log("old announcement being updated", level=log.NOISY,
                          umid="304r9g")
                 self._debug_counts["inbound_update"] += 1
diff --git a/src/allmydata/test/test_introducer.py b/src/allmydata/test/test_introducer.py
index 6624a15b..e8eca502 100644
--- a/src/allmydata/test/test_introducer.py
+++ b/src/allmydata/test/test_introducer.py
@@ -117,8 +117,13 @@ def make_ann(furl):
             "permutation-seed-base32": get_tubid_string(furl) }
     return ann
 
-def make_ann_t(ic, furl, privkey):
-    return ic.create_announcement("storage", make_ann(furl), privkey)
+def make_ann_t(ic, furl, privkey, seqnum):
+    def mod(ann):
+        ann["seqnum"] = seqnum
+        if seqnum is None:
+            del ann["seqnum"]
+        return ann
+    return ic.create_announcement("storage", make_ann(furl), privkey, mod)
 
 class Client(unittest.TestCase):
     def test_duplicate_receive_v1(self):
@@ -196,10 +201,12 @@ class Client(unittest.TestCase):
         # ann1b: ic2, furl1
         # ann2: ic2, furl2
 
-        self.ann1 = make_ann_t(ic1, furl1, privkey)
-        self.ann1a = make_ann_t(ic1, furl1a, privkey)
-        self.ann1b = make_ann_t(ic2, furl1, privkey)
-        self.ann2 = make_ann_t(ic2, furl2, privkey)
+        self.ann1 = make_ann_t(ic1, furl1, privkey, seqnum=10)
+        self.ann1old = make_ann_t(ic1, furl1, privkey, seqnum=9)
+        self.ann1noseqnum = make_ann_t(ic1, furl1, privkey, seqnum=None)
+        self.ann1b = make_ann_t(ic2, furl1, privkey, seqnum=11)
+        self.ann1a = make_ann_t(ic1, furl1a, privkey, seqnum=12)
+        self.ann2 = make_ann_t(ic2, furl2, privkey, seqnum=13)
 
         ic1.remote_announce_v2([self.ann1]) # queues eventual-send
         d = fireEventually()
@@ -219,6 +226,20 @@ class Client(unittest.TestCase):
             self.failUnlessEqual(len(announcements), 1)
         d.addCallback(_then2)
 
+        # an older announcement shouldn't fire the subscriber either
+        d.addCallback(lambda ign: ic1.remote_announce_v2([self.ann1old]))
+        d.addCallback(fireEventually)
+        def _then2a(ign):
+            self.failUnlessEqual(len(announcements), 1)
+        d.addCallback(_then2a)
+
+        # announcement with no seqnum cannot replace one with-seqnum
+        d.addCallback(lambda ign: ic1.remote_announce_v2([self.ann1noseqnum]))
+        d.addCallback(fireEventually)
+        def _then2b(ign):
+            self.failUnlessEqual(len(announcements), 1)
+        d.addCallback(_then2b)
+
         # and a replacement announcement: same FURL, new other stuff. The
         # subscriber *should* be fired.
         d.addCallback(lambda ign: ic1.remote_announce_v2([self.ann1b]))
@@ -298,6 +319,73 @@ class Client(unittest.TestCase):
         d.addCallback(_then2)
         return d
 
+class Server(unittest.TestCase):
+    def test_duplicate(self):
+        i = IntroducerService()
+        ic1 = IntroducerClient(None,
+                               "introducer.furl", u"my_nickname",
+                               "ver23", "oldest_version", {})
+        furl1 = "pb://62ubehyunnyhzs7r6vdonnm2hpi52w6y@127.0.0.1:36106/gydnp"
+
+        privkey_s, _ = keyutil.make_keypair()
+        privkey, _ = keyutil.parse_privkey(privkey_s)
+
+        ann1 = make_ann_t(ic1, furl1, privkey, seqnum=10)
+        ann1_old = make_ann_t(ic1, furl1, privkey, seqnum=9)
+        ann1_new = make_ann_t(ic1, furl1, privkey, seqnum=11)
+        ann1_noseqnum = make_ann_t(ic1, furl1, privkey, seqnum=None)
+
+        i.remote_publish_v2(ann1, None)
+        all = i.get_announcements()
+        self.failUnlessEqual(len(all), 1)
+        self.failUnlessEqual(all[0].announcement["seqnum"], 10)
+        self.failUnlessEqual(i._debug_counts["inbound_message"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_duplicate"], 0)
+        self.failUnlessEqual(i._debug_counts["inbound_no_seqnum"], 0)
+        self.failUnlessEqual(i._debug_counts["inbound_old_replay"], 0)
+        self.failUnlessEqual(i._debug_counts["inbound_update"], 0)
+
+        i.remote_publish_v2(ann1, None)
+        all = i.get_announcements()
+        self.failUnlessEqual(len(all), 1)
+        self.failUnlessEqual(all[0].announcement["seqnum"], 10)
+        self.failUnlessEqual(i._debug_counts["inbound_message"], 2)
+        self.failUnlessEqual(i._debug_counts["inbound_duplicate"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_no_seqnum"], 0)
+        self.failUnlessEqual(i._debug_counts["inbound_old_replay"], 0)
+        self.failUnlessEqual(i._debug_counts["inbound_update"], 0)
+
+        i.remote_publish_v2(ann1_old, None)
+        all = i.get_announcements()
+        self.failUnlessEqual(len(all), 1)
+        self.failUnlessEqual(all[0].announcement["seqnum"], 10)
+        self.failUnlessEqual(i._debug_counts["inbound_message"], 3)
+        self.failUnlessEqual(i._debug_counts["inbound_duplicate"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_no_seqnum"], 0)
+        self.failUnlessEqual(i._debug_counts["inbound_old_replay"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_update"], 0)
+
+        i.remote_publish_v2(ann1_new, None)
+        all = i.get_announcements()
+        self.failUnlessEqual(len(all), 1)
+        self.failUnlessEqual(all[0].announcement["seqnum"], 11)
+        self.failUnlessEqual(i._debug_counts["inbound_message"], 4)
+        self.failUnlessEqual(i._debug_counts["inbound_duplicate"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_no_seqnum"], 0)
+        self.failUnlessEqual(i._debug_counts["inbound_old_replay"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_update"], 1)
+
+        i.remote_publish_v2(ann1_noseqnum, None)
+        all = i.get_announcements()
+        self.failUnlessEqual(len(all), 1)
+        self.failUnlessEqual(all[0].announcement["seqnum"], 11)
+        self.failUnlessEqual(i._debug_counts["inbound_message"], 5)
+        self.failUnlessEqual(i._debug_counts["inbound_duplicate"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_no_seqnum"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_old_replay"], 1)
+        self.failUnlessEqual(i._debug_counts["inbound_update"], 1)
+
+
 NICKNAME = u"n\u00EDickname-%s" # LATIN SMALL LETTER I WITH ACUTE
 
 class SystemTestMixin(ServiceMixin, pollmixin.PollMixin):
@@ -736,7 +824,7 @@ class ClientInfo(unittest.TestCase):
         client_v2 = IntroducerClient(tub, introducer_furl, NICKNAME % u"v2",
                                      "my_version", "oldest", app_versions)
         #furl1 = "pb://62ubehyunnyhzs7r6vdonnm2hpi52w6y@127.0.0.1:0/swissnum"
-        #ann_s = make_ann_t(client_v2, furl1, None)
+        #ann_s = make_ann_t(client_v2, furl1, None, 10)
         #introducer.remote_publish_v2(ann_s, Referenceable())
         subscriber = FakeRemoteReference()
         introducer.remote_subscribe_v2(subscriber, "storage",
@@ -798,7 +886,7 @@ class Announcements(unittest.TestCase):
                                      "my_version", "oldest", app_versions)
         furl1 = "pb://62ubehyunnyhzs7r6vdonnm2hpi52w6y@127.0.0.1:0/swissnum"
         tubid = "62ubehyunnyhzs7r6vdonnm2hpi52w6y"
-        ann_s0 = make_ann_t(client_v2, furl1, None)
+        ann_s0 = make_ann_t(client_v2, furl1, None, 10.0)
         canary0 = Referenceable()
         introducer.remote_publish_v2(ann_s0, canary0)
         a = introducer.get_announcements()
@@ -821,7 +909,7 @@ class Announcements(unittest.TestCase):
         sk_s, vk_s = keyutil.make_keypair()
         sk, _ignored = keyutil.parse_privkey(sk_s)
         pks = keyutil.remove_prefix(vk_s, "pub-")
-        ann_t0 = make_ann_t(client_v2, furl1, sk)
+        ann_t0 = make_ann_t(client_v2, furl1, sk, 10.0)
         canary0 = Referenceable()
         introducer.remote_publish_v2(ann_t0, canary0)
         a = introducer.get_announcements()
-- 
2.45.2