Commit Graph

62 Commits

Author SHA1 Message Date
Zooko O'Whielacronx
8b7ce325d7 immutable, checker, and tests: improve docstrings, assertions, tests
No functional changes, but remove unused code, improve or fix docstrings, etc.
2008-12-21 15:07:52 -07:00
Zooko O'Whielacronx
60bbc46a53 minor: fix unused imports -- thanks, pyflakes 2008-12-05 13:07:23 -07:00
Zooko O'Whielacronx
b315619d6b download: refactor handling of URI Extension Block and crypttext hash tree, simplify things
Refactor into a class the logic of asking each server in turn until one of them gives an answer 
that validates.  It is called ValidatedThingObtainer.

Refactor the downloading and verification of the URI Extension Block into a class named 
ValidatedExtendedURIProxy.

The new logic of validating UEBs is minimalist: it doesn't require the UEB to contain any 
unncessary information, but of course it still accepts such information for backwards 
compatibility (so that this new download code is able to download files uploaded with old, and 
for that matter with current, upload code).

The new logic of validating UEBs follows the practice of doing all validation up front.  This 
practice advises one to isolate the validation of incoming data into one place, so that all of 
the rest of the code can assume only valid data.

If any redundant information is present in the UEB+URI, the new code cross-checks and asserts 
that it is all fully consistent.  This closes some issues where the uploader could have 
uploaded inconsistent redundant data, which would probably have caused the old downloader to 
simply reject that download after getting a Python exception, but perhaps could have caused 
greater harm to the old downloader.

I removed the notion of selecting an erasure codec from codec.py based on the string that was 
passed in the UEB.  Currently "crs" is the only such string that works, so 
"_assert(codec_name == 'crs')" is simpler and more explicit.  This is also in keeping with the 
"validate up front" strategy -- now if someone sets a different string than "crs" in their UEB, 
the downloader will reject the download in the "validate this UEB" function instead of in a 
separate "select the codec instance" function.

I removed the code to check plaintext hashes and plaintext Merkle Trees.  Uploaders do not 
produce this information any more (since it potentially exposes confidential information about 
the file), and the unit tests for it were disabled.  The downloader before this patch would 
check that plaintext hash or plaintext merkle tree if they were present, but not complain if 
they were absent.  The new downloader in this patch complains if they are present and doesn't 
check them.  (We might in the future re-introduce such hashes over the plaintext, but encrypt 
the hashes which are stored in the UEB to preserve confidentiality.  This would be a double-
check on the correctness of our own source code -- the current Merkle Tree over the ciphertext 
is already sufficient to guarantee the integrity of the download unless there is a bug in our 
Merkle Tree or AES implementation.) 

This patch increases the lines-of-code count by 8 (from 17,770 to 17,778), and reduces the 
uncovered-by-tests lines-of-code count by 24 (from 1408 to 1384).  Those numbers would be more 
meaningful if we omitted src/allmydata/util/ from the test-coverage statistics.
2008-12-05 08:17:54 -07:00
Brian Warner
b73c380cdb move testutil into test/common_util.py, since it doesn't count as 'code under test' for our pyflakes numbers 2008-10-28 21:28:31 -07:00
Brian Warner
914655c52b interfaces.py: promote immutable.encode.NotEnoughSharesError.. it isn't just for immutable files any more 2008-10-27 13:34:49 -07:00
Zooko O'Whielacronx
9461887e0a immutable file download: make the ciphertext hash tree mandatory
This fixes #491 (URIs do not refer to unique files in Allmydata Tahoe).
Fortunately all of the versions of Tahoe currently in use are already producing
this ciphertext hash tree when uploading, so there is no
backwards-compatibility problem with having the downloader require it to be
present.
2008-07-21 09:31:02 -07:00
Brian Warner
7394607141 move encode/upload/download/checker.py into a new immutable/ directory. No behavior changes expected. 2008-07-16 13:14:39 -07:00
Brian Warner
fd465b4aaf download: fix stopProducing failure ('self._paused_at not defined'), add tests 2008-07-14 15:25:21 -07:00
Brian Warner
1b4b4cbd4a mutable WIP: rename NotEnoughPeersError to NotEnoughSharesError 2008-04-15 16:08:32 -07:00
Brian Warner
1e097766c9 disable plaintext hashes in shares, but leave a switch to turn it back on 2008-03-24 13:39:51 -07:00
Brian Warner
7b21054c33 UNDO: upload: stop putting plaintext and ciphertext hashes in shares.
This removes the guess-partial-information attack vector, and reduces
the amount of overhead that we consume with each file. It also introduces
a forwards-compability break: older versions of the code (before the
previous download-time "make hashes optional" patch) will be unable
to read files uploaded by this version, as they will complain about the
missing hashes. This patch is experimental, and is being pushed into
trunk to obtain test coverage. We may undo it before releasing 1.0.
2008-03-23 15:35:54 -07:00
Zooko O'Whielacronx
fc3bd0c987 use added secret to protect convergent encryption
Now upload or encode methods take a required argument named "convergence" which can be either None, indicating no convergent encryption at all, or a string, which is the "added secret" to be mixed in to the content hash key.  If you want traditional convergent encryption behavior, set the added secret to be the empty string.

This patch also renames "content hash key" to "convergent encryption" in a argument names and variable names.  (A different and larger renaming is needed in order to clarify that Tahoe supports immutable files which are not encrypted content-hash-key a.k.a. convergent encryption.)

This patch also changes a few unit tests to use non-convergent encryption, because it doesn't matter for what they are testing and non-convergent encryption is slightly faster.
2008-03-24 09:46:06 -07:00
Brian Warner
7996131a0a upload: stop putting plaintext and ciphertext hashes in shares.
This removes the guess-partial-information attack vector, and reduces
the amount of overhead that we consume with each file. It also introduces
a forwards-compability break: older versions of the code (before the
previous download-time "make hashes optional" patch) will be unable
to read files uploaded by this version, as they will complain about the
missing hashes. This patch is experimental, and is being pushed into
trunk to obtain test coverage. We may undo it before releasing 1.0.
2008-03-23 15:35:54 -07:00
Brian Warner
553367d567 download: make plaintext and ciphertext hashes in the UEB optional.
Removing the plaintext hashes can help with the guess-partial-information
attack. This does not affect compatibility, but if and when we actually
remove any hashes from the share, that will introduce a 
forwards-compatibility break: tahoe-0.9 will not be able to read such files.
2008-03-23 14:46:49 -07:00
Brian Warner
886ef22335 webish: download-results: add server_problems 2008-03-03 20:30:35 -07:00
Brian Warner
81c5ceae16 upload: rework passing of default encoding parameters: move more responsibility into BaseUploadable 2008-02-06 18:39:03 -07:00
Brian Warner
8f1212edac encode.py: don't allow a shareholder which dies in start() to kill the whole upload 2008-01-28 12:14:48 -07:00
Brian Warner
51321944f0 megapatch: overhaul encoding_parameters handling: now it comes from the Uploadable, or the Client. Removed options= too. Also move helper towards resumability. 2008-01-16 03:03:35 -07:00
Brian Warner
a6ca98ac53 upload: add Encoder.abort(), to abandon the upload in progress. Add some debug hooks to enable unit tests. 2008-01-14 21:22:55 -07:00
Brian Warner
50bc0d2fb3 the new pyflakes is stricter, complaining about function definitions that overshadow earlier definitions or imports. Fix some of its complaints. 2007-12-18 18:47:28 -07:00
Brian Warner
869b690378 download: use hierarchical logging 2007-11-19 19:07:10 -07:00
Brian Warner
20af973272 trailing-whitespace eradication, no functional changes 2007-11-01 15:25:00 -07:00
Zooko O'Whielacronx
74f52d79f2 tests: make test_encode specify the erasure coding params it wants instead of expecting the defaults to be what it wants 2007-10-15 20:07:42 -07:00
Brian Warner
e6e9ddc588 refactor upload/encode, to split encrypt and encode responsibilities 2007-07-23 19:31:53 -07:00
Brian Warner
81a9904455 CHK: remove the storage index from the URI, deriving it from the key instead 2007-07-21 18:23:15 -07:00
Brian Warner
1d9a58977f uri: implement URI-processing classes, IFileURI/IDirnodeURI, use internally 2007-07-21 15:40:36 -07:00
Brian Warner
e3a57fca98 upload: finish refactoring, all unit tests pass now 2007-07-19 22:53:29 -07:00
Brian Warner
1f8e407d9c more #85 work, system test still fails 2007-07-13 15:09:01 -07:00
Brian Warner
cd8648d39b storage: use one file per share instead of 7 (#85). work-in-progress, tests still fail 2007-07-13 14:04:49 -07:00
Brian Warner
dce1dc2730 storage: wrap buckets in a local proxy
This will make it easier to change RIBucketWriter in the future to reduce the wire
protocol to just open/write(offset,data)/close, and do all the structuring on the
client end. The ultimate goal is to store each bucket in a single file, to reduce
the considerable filesystem-quantization/inode overhead on the storage servers.
2007-07-08 23:27:46 -07:00
Brian Warner
956d5ae256 rename fileid/verifierid to plaintext_hash/crypttext_hash 2007-06-09 20:46:04 -07:00
Brian Warner
c9ef291c02 rename thingA to 'uri extension' 2007-06-08 15:59:16 -07:00
Brian Warner
f62a544b93 remove several leftover defintions of netstring() 2007-06-07 22:13:18 -07:00
Brian Warner
c049941529 move almost all hashing to SHA256, consolidate into hashutil.py
The only SHA-1 hash that remains is used in the permutation of nodeids,
where we need to decide if we care about performance or long-term security.
I suspect that we could use a much weaker hash (and faster) hash for
this purpose. In the long run, we'll be doing thousands of such hashes
for each file uploaded or downloaded (one per known peer).
2007-06-07 21:47:21 -07:00
Brian Warner
cabba59fe7 test_encode.py: even more testing of merkle trees, getting fairly comprehensive now 2007-06-07 21:24:39 -07:00
Brian Warner
053109b28b add tests for bad/inconsistent plaintext/crypttext merkle tree hashes 2007-06-07 19:32:29 -07:00
Brian Warner
4f001bedb3 test_encode.py: further refactoring of send_and_recover 2007-06-07 18:36:25 -07:00
Brian Warner
c7160af7ee test_encode.py: refactor send_and_recover a bit 2007-06-07 18:24:26 -07:00
Brian Warner
e04ff3adac fetch plaintext/crypttext merkle trees during download, but don't check the segments against them yet 2007-06-07 00:15:41 -07:00
Brian Warner
5cbdc240e2 encode: add plaintext/crypttext merkle trees to the shares, and the thingA block. Still needs tests and download-side verification. 2007-06-06 19:40:20 -07:00
Brian Warner
6bb9debc16 encode: tolerate lost peers, as long as we still get enough shares out. Closes #17. 2007-06-06 10:32:40 -07:00
Brian Warner
3dfd26970b move validation data to thingA, URI has storage_index plus thingA hash
This (compatibility-breaking) change moves much of the validation data and
encoding parameters out of the URI and into the so-called "thingA" block
(which will get a better name as soon as we find one we're comfortable with).
The URI retains the "storage_index" (a generalized term for the role that
we're currently using the verifierid for, the unique index for each file
that gets used by storage servers to decide which shares to return), the
decryption key, the needed_shares/total_shares counts (since they affect
peer selection), and the hash of the thingA block.

This shortens the URI and lets us add more kinds of validation data without
growing the URI (like plaintext merkle trees, to enable strong incremental
plaintext validation), at the cost of maybe 150 bytes of alacrity. Each
storage server holds an identical copy of the thingA block.

This is an incompatible change: new messages have been added to the storage
server interface, and the URI format has changed drastically.
2007-06-01 18:48:01 -07:00
Brian Warner
4b2298937b use real encryption, generate/store/verify verifierid and fileid 2007-04-25 17:53:10 -07:00
Brian Warner
49e992b8b6 make test_encode less CPU-intense by using 4-out-of-10 encoding instead of 25-out-of-100 2007-04-19 10:56:15 -07:00
Brian Warner
a0dc26ee11 test_encode.Roundtrip: cover more combinations of data size relative to segment size and number of block hash tree leaves 2007-04-17 12:57:55 -07:00
Brian Warner
96812507a0 test_encode.Encode: cover more combinations of data size relative to segment size and number of block hash tree leaves 2007-04-17 12:29:56 -07:00
Brian Warner
a05b713076 test_encode: test filesizes which are an exact multiple of the segment size. This test fails right now. 2007-04-16 19:55:03 -07:00
Brian Warner
ff8cb4d32e encode: make MAX_SEGMENT_SIZE controllable, to support tests which force the use of multiple segments. Also, remove not-very-useful upload-side debug messages 2007-04-16 19:29:57 -07:00
Brian Warner
b9624502c9 download: more test coverage 2007-04-16 17:21:37 -07:00
Brian Warner
2f5fb51848 download: validate handling of missing sharehashes too 2007-04-16 17:15:44 -07:00