diff options
| author | Nick Mathewson <nickm@torproject.org> | 2007-07-28 00:11:34 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2007-07-28 00:11:34 +0000 |
| commit | afe9f33d35842f129d8fa363f109f643aeffef2f (patch) | |
| tree | 448b0a633b411f09232b2f3fcc699b449e7f3fe4 | |
| parent | 0d274e1db18473589658e098efdf682e304f01e7 (diff) | |
| download | tor-afe9f33d35842f129d8fa363f109f643aeffef2f.tar.gz tor-afe9f33d35842f129d8fa363f109f643aeffef2f.zip | |
r13956@catbus: nickm | 2007-07-27 20:09:48 -0400
Better certificate manipulations: extract certificates from incoming votes, forget ones that are very old, and remember to store them on disk.
svn:r10954
| -rw-r--r-- | doc/TODO | 5 | ||||
| -rw-r--r-- | src/or/dirvote.c | 9 | ||||
| -rw-r--r-- | src/or/routerlist.c | 48 |
3 files changed, 57 insertions, 5 deletions
@@ -90,9 +90,10 @@ Things we'd like to do in 0.2.0.x: o Generate certificates o Authorities load certificates o Clients cache certificates on disk - * Learn new ones when they show up in votes. - * Forget ones that are very old. + o Learn new ones when they show up in votes. + o Forget ones that are very old. - Download as needed. + o Actually invoke trusted_dirs_flush_certs_to_disk() * Serve list as needed. * Detect whether votes are really all for the same period. o Avoid double-checking signatures every time we get a vote. diff --git a/src/or/dirvote.c b/src/or/dirvote.c index e46e18e8f4..23ef147a99 100644 --- a/src/or/dirvote.c +++ b/src/or/dirvote.c @@ -1140,6 +1140,15 @@ dirvote_add_vote(const char *vote_body, const char **msg_out) *msg_out = "Vote not from a recognized v3 authority"; goto err; } + tor_assert(vote->cert); + if (!authority_cert_get_by_digests(vote->cert->cache_info.identity_digest, + vote->cert->signing_key_digest)) { + /* Hey, it's a new cert! */ + trusted_dirs_load_certs_from_string( + vote->cert->cache_info.signed_descriptor_body, + 0 /* from_store */); + } + /* XXXX020 check times; make sure epochs match. */ SMARTLIST_FOREACH(pending_vote_list, pending_vote_t *, v, { diff --git a/src/or/routerlist.c b/src/or/routerlist.c index ac74617bda..729141f1da 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -243,6 +243,9 @@ trusted_dirs_load_certs_from_string(const char *contents, int from_store) if (!from_store) trusted_dir_servers_certs_changed = 1; } + + trusted_dirs_flush_certs_to_disk(); + return 0; } @@ -251,7 +254,12 @@ void trusted_dirs_flush_certs_to_disk(void) { char filename[512]; - smartlist_t *chunks = smartlist_create(); + smartlist_t *chunks; + + if (!trusted_dir_servers_certs_changed) + return; + + chunks = smartlist_create(); tor_snprintf(filename,sizeof(filename),"%s"PATH_SEPARATOR"cached-certs", get_options()->DataDirectory); @@ -277,6 +285,35 @@ trusted_dirs_flush_certs_to_disk(void) } /** DOCDOC */ +static void +trusted_dirs_remove_old_certs(void) +{ + /* Any certificate that has been superseded for more than 48 hours is + * irrelevant. */ +#define OLD_CERT_LIFETIME (48*60*60) + SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, ds, + { + authority_cert_t *newest = NULL; + if (!ds->v3_certs) + continue; + SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert, + if (!newest || (cert->cache_info.published_on > + newest->cache_info.published_on)) + newest = cert); + SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert, + if (newest && (newest->cache_info.published_on > + cert->cache_info.published_on + OLD_CERT_LIFETIME)) { + SMARTLIST_DEL_CURRENT(ds->v3_certs, cert); + authority_cert_free(cert); + trusted_dir_servers_certs_changed = 1; + }); + }); +#undef OLD_CERT_LIFETIME + + trusted_dirs_flush_certs_to_disk(); +} + +/** DOCDOC */ authority_cert_t * authority_cert_get_by_digests(const char *id_digest, const char *sk_digest) @@ -622,9 +659,11 @@ int router_reload_router_list(void) { if (router_reload_router_list_impl(0)) - return 1; + return -1; if (router_reload_router_list_impl(1)) - return 1; + return -1; + if (trusted_dirs_reload_certs()) + return -1; return 0; } @@ -2697,6 +2736,9 @@ routerlist_remove_old_routers(void) routerinfo_t *router; signed_descriptor_t *sd; digestmap_t *retain; + + trusted_dirs_remove_old_certs(); + if (!routerlist || !networkstatus_list) return; |