-export routine for path verification (untested)

2 files changed, 65 insertions, 1 deletions

diff --git a/src/dht/dht_api.c b/src/dht/dht_api.c
index 1ba2f7277..af3c7d685 100644
--- a/src/dht/dht_api.c
+++ b/src/dht/dht_api.c
@@ -28,6 +28,7 @@
 #include "platform.h"
 #include "gnunet_util_lib.h"
 #include "gnunet_constants.h"
+#include "gnunet_signatures.h"
 #include "gnunet_arm_service.h"
 #include "gnunet_hello_lib.h"
 #include "gnunet_protocols.h"
@@ -1189,7 +1190,43 @@ GNUNET_DHT_pp2s (const struct GNUNET_DHT_PathElement *path,
                             (i == path_len - 1) ? "" : "-");
   }
   return buf;
+}
+
 
+unsigned int
+GNUNET_DHT_verify_path (const struct GNUNET_HashCode *key,
+                        const void *data,
+                        size_t data_size,
+                        struct GNUNET_TIME_Absolute exp_time,
+                        const struct GNUNET_DHT_PathElement *path,
+                        unsigned int path_len,
+                        const struct GNUNET_PeerIdentity *me)
+{
+
+  struct GNUNET_DHT_HopSignature hs = {
+    .purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_DHT_HOP),
+    .purpose.size = htonl (sizeof (hs)),
+    .expiration_time = GNUNET_TIME_absolute_hton (exp_time),
+    .key = *key,
+  };
+  unsigned int i = path_len - 1;
+
+  GNUNET_CRYPTO_hash (data,
+                      data_size,
+                      &hs.h_data);
+  while (i > 0)
+  {
+    hs.pred = path[i - 1].pred;
+    hs.succ = (path_len == i + 1) ? *me : path[i + 1].pred;
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_eddsa_verify (GNUNET_SIGNATURE_PURPOSE_DHT_HOP,
+                                    &hs,
+                                    &path[i - 1].sig,
+                                    &path[i].pred.public_key))
+      return i;
+    i--;
+  }
+  return i;
 }
 
 
diff --git a/src/include/gnunet_dht_service.h b/src/include/gnunet_dht_service.h
index 7376dd5f4..5c365639a 100644
--- a/src/include/gnunet_dht_service.h
+++ b/src/include/gnunet_dht_service.h
@@ -473,7 +473,7 @@ GNUNET_DHT_monitor_stop (struct GNUNET_DHT_MonitorHandle *handle);
  * Convert a peer path to a human-readable string.
  *
  * @param path array of path elements to convert to a string
- * @param num_pids length of the @a pids array
+ * @param path_len length of the @a path array
  * @return string representing the array of @a pids
  */
 char *
@@ -481,6 +481,33 @@ GNUNET_DHT_pp2s (const struct GNUNET_DHT_PathElement *path,
                  unsigned int path_len);
 
 
+/**
+ * Verify signatures on a @a path, in reverse order (starting at
+ * the last element of the path).  Note that the last signature
+ * on the path is never verified as that is the slot where our
+ * peer (@a me) would need to sign.
+ *
+ * @param key key of the data (not necessarily the query hash)
+ * @param data payload (the block)
+ * @param data_size number of bytes in @a data
+ * @param exp_time expiration time of @a data
+ * @param path array of path elements to verify
+ * @param path_len length of the @a path array
+ * @param me our own peer identity (needed to verify the last element)
+ * @return 0 on success, otherwise the index of
+ *         the last path element that succeeded with verification;
+ *         @a path_len -1 if no signature was valid
+ */
+unsigned int
+GNUNET_DHT_verify_path (const struct GNUNET_HashCode *key,
+                        const void *data,
+                        size_t data_size,
+                        struct GNUNET_TIME_Absolute exp_time,
+                        const struct GNUNET_DHT_PathElement *path,
+                        unsigned int path_len,
+                        const struct GNUNET_PeerIdentity *me);
+
+
 #if 0                           /* keep Emacsens' auto-indent happy */
 {
 #endif