author | Christian Grothoff <christian@grothoff.org> | 2020-12-26 15:55:34 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2020-12-26 15:55:34 +0100 |
commit | 57c90547840ea2a073c950116303c54f9ef976f1 (patch) | |
tree | f53201d87e614325654e8935177275d2c4159eca /src/auditor | |
parent | 32da8154275a200144406d819d8abb77cab6fe30 (diff) | |
download | exchange-57c90547840ea2a073c950116303c54f9ef976f1.tar.xz |
implement #6161
Diffstat (limited to 'src/auditor')
-rw-r--r-- | src/auditor/Makefile.am | 1 | ||||
-rw-r--r-- | src/auditor/taler-auditor-httpd.c | 17 | ||||
-rw-r--r-- | src/auditor/taler-auditor-httpd.h | 6 | ||||
-rw-r--r-- | src/auditor/taler-auditor-httpd_deposit-confirmation.c | 54 |
4 files changed, 62 insertions, 16 deletions
diff --git a/src/auditor/Makefile.am b/src/auditor/Makefile.am index 935f83549..79da458f3 100644 --- a/src/auditor/Makefile.am +++ b/src/auditor/Makefile.am @@ -148,6 +148,7 @@ taler_auditor_httpd_LDADD = \ $(top_builddir)/src/util/libtalerutil.la \ $(top_builddir)/src/json/libtalerjson.la \ $(top_builddir)/src/auditordb/libtalerauditordb.la \ + $(top_builddir)/src/exchangedb/libtalerexchangedb.la \ -lmicrohttpd \ -ljansson \ -lgnunetjson \ diff --git a/src/auditor/taler-auditor-httpd.c b/src/auditor/taler-auditor-httpd.c index d1e3c2de5..1f6413b26 100644 --- a/src/auditor/taler-auditor-httpd.c +++ b/src/auditor/taler-auditor-httpd.c @@ -29,6 +29,7 @@ #include <sys/resource.h> #include "taler_mhd_lib.h" #include "taler_auditordb_lib.h" +#include "taler_exchangedb_lib.h" #include "taler-auditor-httpd_deposit-confirmation.h" #include "taler-auditor-httpd_exchanges.h" #include "taler-auditor-httpd_mhd.h" @@ -70,6 +71,11 @@ static struct GNUNET_CONFIGURATION_Handle *cfg; struct TALER_AUDITORDB_Plugin *TAH_plugin; /** + * Our DB plugin to talk to the *exchange* database. + */ +struct TALER_EXCHANGEDB_Plugin *TAH_eplugin; + +/** * Public key of this auditor. */ static struct TALER_AuditorPublicKeyP auditor_pub; @@ -434,7 +440,14 @@ auditor_serve_process_config (void) (TAH_plugin = TALER_AUDITORDB_plugin_load (cfg))) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "Failed to initialize DB subsystem\n"); + "Failed to initialize DB subsystem to interact with auditor database\n"); + return GNUNET_SYSERR; + } + if (NULL == + (TAH_eplugin = TALER_EXCHANGEDB_plugin_load (cfg))) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Failed to initialize DB subsystem to query exchange database\n"); return GNUNET_SYSERR; } if (GNUNET_OK != @@ -729,6 +742,8 @@ main (int argc, } TALER_AUDITORDB_plugin_unload (TAH_plugin); TAH_plugin = NULL; + TALER_EXCHANGEDB_plugin_unload (TAH_eplugin); + TAH_eplugin = NULL; TEAH_DEPOSIT_CONFIRMATION_done (); return (GNUNET_SYSERR == ret) ? 1 : 0; } 
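Review bot: In the `auditor_serve_process_config` hunk of taler-auditor-httpd.c, the HTTP daemon now loads the exchange database plugin from the same `cfg`, but neither the new log message nor the `TAH_eplugin` comment says what access that handle needs. The only use visible in this commit is `lookup_signkey_revocation` in the deposit-confirmation handler, so the declaration could carry `Used read-only, to look up signing key revocations; the database role configured for the auditor needs no write access to the exchange database.` Whether deployments actually restrict the role is outside this diff and should be confirmed in the setup documentation. On the new failure path `TAH_plugin` stays loaded when `GNUNET_SYSERR` is returned; the function continues outside the hunk, so check that the caller unloads it.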
diff --git a/src/auditor/taler-auditor-httpd.h b/src/auditor/taler-auditor-httpd.h index 127c4dd8a..25e374277 100644 --- a/src/auditor/taler-auditor-httpd.h +++ b/src/auditor/taler-auditor-httpd.h @@ -25,6 +25,7 @@ #include <microhttpd.h> #include "taler_auditordb_plugin.h" +#include "taler_exchangedb_plugin.h" /** @@ -32,6 +33,11 @@ */ extern struct TALER_AUDITORDB_Plugin *TAH_plugin; +/** + * Our DB plugin to talk to the *exchange* database. + */ +extern struct TALER_EXCHANGEDB_Plugin *TAH_eplugin; + /** * @brief Struct describing an URL and the handler for it. diff --git a/src/auditor/taler-auditor-httpd_deposit-confirmation.c b/src/auditor/taler-auditor-httpd_deposit-confirmation.c index 08a781f30..61263888f 100644 --- a/src/auditor/taler-auditor-httpd_deposit-confirmation.c +++ b/src/auditor/taler-auditor-httpd_deposit-confirmation.c @@ -35,7 +35,7 @@ /** * Cache of already verified exchange signing keys. Maps the hash of the * `struct TALER_ExchangeSigningKeyValidityPS` to the (static) string - * "verified". Access to this map is guarded by the #lock. + * "verified" or "revoked". Access to this map is guarded by the #lock. */ static struct GNUNET_CONTAINER_MultiHashMap *cache; @@ -66,7 +66,7 @@ verify_and_execute_deposit_confirmation ( enum GNUNET_DB_QueryStatus qs; struct GNUNET_TIME_Absolute now; struct GNUNET_HashCode h; - int cached; + const char *cached; struct TALER_ExchangeSigningKeyValidityPS skv = { .purpose.purpose = htonl (TALER_SIGNATURE_MASTER_SIGNING_KEY_VALIDITY), .purpose.size = htonl (sizeof (struct TALER_ExchangeSigningKeyValidityPS)), @@ -94,10 +94,9 @@ verify_and_execute_deposit_confirmation ( sizeof (skv), &h); GNUNET_assert (0 == pthread_mutex_lock (&lock)); - cached = GNUNET_CONTAINER_multihashmap_contains (cache, - &h); + cached = GNUNET_CONTAINER_multihashmap_get (cache, + &h); GNUNET_assert (0 == pthread_mutex_unlock (&lock)); - session = TAH_plugin->get_session (TAH_plugin->cls); if (NULL == session) { 
@@ -107,7 +106,7 @@ verify_and_execute_deposit_confirmation ( TALER_EC_GENERIC_DB_SETUP_FAILED, NULL); } - if (! cached) + if (NULL == cached) { /* Not in cache, need to verify the signature, persist it, and possibly cache it */ if (GNUNET_OK != @@ -139,18 +138,43 @@ verify_and_execute_deposit_confirmation ( TALER_EC_GENERIC_DB_STORE_FAILED, "exchange signing key"); } + cached = "verified"; + } + + if (0 == strcmp (cached, + "verified")) + { + struct TALER_MasterSignatureP master_sig; - /* Cache it, due to concurreny it might already be in the cache, - so we do not cache it twice but also don't insist on the 'put' to - succeed. */ - GNUNET_assert (0 == pthread_mutex_lock (&lock)); - (void) GNUNET_CONTAINER_multihashmap_put (cache, - &h, - "verified", - GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); - GNUNET_assert (0 == pthread_mutex_unlock (&lock)); + /* check for revocation */ + qs = TAH_eplugin->lookup_signkey_revocation (TAH_eplugin->cls, + NULL, + &es->exchange_pub, + &master_sig); + if (0 > qs) + { + GNUNET_break (GNUNET_DB_STATUS_HARD_ERROR == qs); + TALER_LOG_WARNING ( + "Failed to check for signing key revocation in database\n"); + return TALER_MHD_reply_with_error (connection, + MHD_HTTP_INTERNAL_SERVER_ERROR, + TALER_EC_GENERIC_DB_FETCH_FAILED, + "exchange signing key revocation"); + } + if (0 < qs) + cached = "revoked"; } + /* Cache it, due to concurreny it might already be in the cache, + so we do not cache it twice but also don't insist on the 'put' to + succeed. */ + GNUNET_assert (0 == pthread_mutex_lock (&lock)); + (void) GNUNET_CONTAINER_multihashmap_put (cache, + &h, + (void *) cached, + GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); + GNUNET_assert (0 == pthread_mutex_unlock (&lock)); + /* check deposit confirmation signature */ { struct TALER_DepositConfirmationPS dcs = { |
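Review bot: The last hunk sets `cached = "revoked"` when `lookup_signkey_revocation` returns a row, but nothing between that assignment and the `/* check deposit confirmation signature */` block rejects the request, so as far as this hunk shows a confirmation signed with a revoked exchange signing key is still processed. Unless a check exists further down (the function continues outside the hunk), add one right after the cache update, e.g. `if (0 == strcmp (cached, "revoked")) return TALER_MHD_reply_with_error (connection, MHD_HTTP_GONE, <ERROR_CODE_FOR_REVOKED_KEY placeholder>, "exchange signing key was revoked");`. Separately, the `put` now runs on every request with `GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY`, so an entry first cached as "verified" is never updated to "revoked" and the revocation query repeats for that key on each request. Doing the `put` only when the state is new, and using `GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE` on the verified-to-revoked transition, would let the cache hold the final state.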