6 files changed, 76 insertions, 7 deletions

diff --git a/changes/bug24977 b/changes/bug24977
new file mode 100644
index 0000000000..f8127a2a73
--- /dev/null
+++ b/changes/bug24977
@@ -0,0 +1,5 @@
+  o Minor bugfixes (onion services):
+    - Recompute some consensus information after clock skews or when we
+      transition from a non-live consensus to a live consensus. We do this to
+      avoid having an outdated state which could impact next-generation onion
+      services. Fixes bug 24977; bugfix on 0.3.2.1-alpha.
diff --git a/src/or/hs_common.c b/src/or/hs_common.c
index c63d4330d6..4ee06dd9b6 100644
--- a/src/or/hs_common.c
+++ b/src/or/hs_common.c
@@ -1338,15 +1338,20 @@ hs_get_responsible_hsdirs(const ed25519_public_key_t *blinded_pk,
 
   sorted_nodes = smartlist_new();
 
+  /* Make sure we actually have a live consensus */
+  networkstatus_t *c = networkstatus_get_live_consensus(approx_time());
+  if (!c || smartlist_len(c->routerstatus_list) == 0) {
+      log_warn(LD_REND, "No live consensus so we can't get the responsible "
+               "hidden service directories.");
+      goto done;
+  }
+
+  /* Ensure the nodelist is fresh, since it contains the HSDir indices. */
+  nodelist_ensure_freshness(c);
+
   /* Add every node_t that support HSDir v3 for which we do have a valid
    * hsdir_index already computed for them for this consensus. */
   {
-    networkstatus_t *c = networkstatus_get_latest_consensus();
-    if (!c || smartlist_len(c->routerstatus_list) == 0) {
-      log_warn(LD_REND, "No valid consensus so we can't get the responsible "
-                        "hidden service directories.");
-      goto done;
-    }
     SMARTLIST_FOREACH_BEGIN(c->routerstatus_list, const routerstatus_t *, rs) {
       /* Even though this node_t object won't be modified and should be const,
        * we can't add const object in a smartlist_t. */
diff --git a/src/or/nodelist.c b/src/or/nodelist.c
index 5e575e9a83..060f5d908f 100644
--- a/src/or/nodelist.c
+++ b/src/or/nodelist.c
@@ -121,6 +121,11 @@ typedef struct nodelist_t {
 
   /* Set of addresses that belong to nodes we believe in. */
   address_set_t *node_addrs;
+
+  /* The valid-after time of the last live consensus that initialized the
+   * nodelist.  We use this to detect outdated nodelists that need to be
+   * rebuilt using a newer consensus. */
+  time_t live_consensus_valid_after;
 } nodelist_t;
 
 static inline unsigned int
@@ -638,6 +643,12 @@ nodelist_set_consensus(networkstatus_t *ns)
       }
     } SMARTLIST_FOREACH_END(node);
   }
+
+  /* If the consensus is live, note down the consensus valid-after that formed
+   * the nodelist. */
+  if (networkstatus_is_live(ns, approx_time())) {
+    the_nodelist->live_consensus_valid_after = ns->valid_after;
+  }
 }
 
 /** Return 1 iff <b>node</b> has Exit flag and no BadExit flag.
@@ -871,6 +882,25 @@ nodelist_assert_ok(void)
   digestmap_free(dm, NULL);
 }
 
+/** Ensure that the nodelist has been created with the most recent consensus.
+ *  If that's not the case, make it so.  */
+void
+nodelist_ensure_freshness(networkstatus_t *ns)
+{
+  tor_assert(ns);
+
+  /* We don't even have a nodelist: this is a NOP. */
+  if (!the_nodelist) {
+    return;
+  }
+
+  if (the_nodelist->live_consensus_valid_after != ns->valid_after) {
+    log_info(LD_GENERAL, "Nodelist was not fresh: rebuilding. (%d / %d)",
+             (int) the_nodelist->live_consensus_valid_after,
+             (int) ns->valid_after);
+    nodelist_set_consensus(ns);
+  }
+}
 /** Return a list of a node_t * for every node we know about.  The caller
  * MUST NOT modify the list. (You can set and clear flags in the nodes if
  * you must, but you must not add or remove nodes.) */
diff --git a/src/or/nodelist.h b/src/or/nodelist.h
index fd91a26832..b5614d957f 100644
--- a/src/or/nodelist.h
+++ b/src/or/nodelist.h
@@ -29,6 +29,7 @@ const node_t *node_get_by_hex_id(const char *identity_digest,
 node_t *nodelist_set_routerinfo(routerinfo_t *ri, routerinfo_t **ri_old_out);
 node_t *nodelist_add_microdesc(microdesc_t *md);
 void nodelist_set_consensus(networkstatus_t *ns);
+void nodelist_ensure_freshness(networkstatus_t *ns);
 int nodelist_probably_contains_address(const tor_addr_t *addr);
 
 void nodelist_remove_microdesc(const char *identity_digest, microdesc_t *md);
diff --git a/src/or/voting_schedule.c b/src/or/voting_schedule.c
index 983cabbbf3..9d2ebd0385 100644
--- a/src/or/voting_schedule.c
+++ b/src/or/voting_schedule.c
@@ -85,6 +85,10 @@ get_voting_schedule(const or_options_t *options, time_t now, int severity)
     interval = (int)( consensus->fresh_until - consensus->valid_after );
     vote_delay = consensus->vote_seconds;
     dist_delay = consensus->dist_seconds;
+
+    /* Note down the consensus valid after, so that we detect outdated voting
+     * schedules in case of skewed clocks etc. */
+    new_voting_schedule->live_consensus_valid_after = consensus->valid_after;
   } else {
     interval = options->TestingV3AuthInitialVotingInterval;
     vote_delay = options->TestingV3AuthInitialVoteDelay;
@@ -140,14 +144,34 @@ voting_schedule_t voting_schedule;
 time_t
 voting_schedule_get_next_valid_after_time(void)
 {
+  time_t now = approx_time();
+  bool need_to_recalculate_voting_schedule = false;
+
   /* This is a safe guard in order to make sure that the voting schedule
    * static object is at least initialized. Using this function with a zeroed
    * voting schedule can lead to bugs. */
   if (tor_mem_is_zero((const char *) &voting_schedule,
                       sizeof(voting_schedule))) {
-    voting_schedule_recalculate_timing(get_options(), time(NULL));
+    need_to_recalculate_voting_schedule = true;
+    goto done; /* no need for next check if we have to recalculate anyway */
+  }
+
+  /* Also make sure we are not using an outdated voting schedule. If we have a
+   * newer consensus, make sure we recalculate the voting schedule. */
+  const networkstatus_t *ns = networkstatus_get_live_consensus(now);
+  if (ns && ns->valid_after != voting_schedule.live_consensus_valid_after) {
+    log_info(LD_DIR, "Voting schedule is outdated: recalculating (%d/%d)",
+             (int) ns->valid_after,
+             (int) voting_schedule.live_consensus_valid_after);
+    need_to_recalculate_voting_schedule = true;
+  }
+
+ done:
+  if (need_to_recalculate_voting_schedule) {
+    voting_schedule_recalculate_timing(get_options(), now);
     voting_schedule.created_on_demand = 1;
   }
+
   return voting_schedule.interval_starts;
 }
 
diff --git a/src/or/voting_schedule.h b/src/or/voting_schedule.h
index 4f9d584031..087701408e 100644
--- a/src/or/voting_schedule.h
+++ b/src/or/voting_schedule.h
@@ -43,6 +43,10 @@ typedef struct {
    * timings only for the first vote even though this object was initilized
    * prior to voting. */
   int created_on_demand;
+
+  /** The valid-after time of the last live consensus that filled this voting
+   *  schedule.  It's used to detect outdated voting schedules. */
+  time_t live_consensus_valid_after;
 } voting_schedule_t;
 
 /* Public API. */