[or-cvs] r10954: Better certificate manipulations: extract certificates from (in tor/trunk: . doc src/or)

nickm at seul.org nickm at seul.org
Sat Jul 28 00:11:34 UTC 2007 

Author: nickm
Date: 2007-07-27 20:11:34 -0400 (Fri, 27 Jul 2007)
New Revision: 10954

Modified:
   tor/trunk/
   tor/trunk/doc/TODO
   tor/trunk/src/or/dirvote.c
   tor/trunk/src/or/routerlist.c
Log:
 r13956 at catbus:  nickm | 2007-07-27 20:09:48 -0400
 Better certificate manipulations: extract certificates from incoming votes, forget ones that are very old, and remember to store them on disk.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r13956] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/doc/TODO
===================================================================
--- tor/trunk/doc/TODO	2007-07-27 23:19:02 UTC (rev 10953)
+++ tor/trunk/doc/TODO	2007-07-28 00:11:34 UTC (rev 10954)
@@ -90,9 +90,10 @@
           o Generate certificates
           o Authorities load certificates
           o Clients cache certificates on disk
-          * Learn new ones when they show up in votes.
-          * Forget ones that are very old.
+          o Learn new ones when they show up in votes.
+          o Forget ones that are very old.
           - Download as needed.
+          o Actually invoke trusted_dirs_flush_certs_to_disk()
           * Serve list as needed.
           * Detect whether votes are really all for the same period.
           o Avoid double-checking signatures every time we get a vote.

Modified: tor/trunk/src/or/dirvote.c
===================================================================
--- tor/trunk/src/or/dirvote.c	2007-07-27 23:19:02 UTC (rev 10953)
+++ tor/trunk/src/or/dirvote.c	2007-07-28 00:11:34 UTC (rev 10954)
@@ -1140,6 +1140,15 @@
     *msg_out = "Vote not from a recognized v3 authority";
     goto err;
   }
+  tor_assert(vote->cert);
+  if (!authority_cert_get_by_digests(vote->cert->cache_info.identity_digest,
+                                     vote->cert->signing_key_digest)) {
+    /* Hey, it's a new cert! */
+    trusted_dirs_load_certs_from_string(
+                               vote->cert->cache_info.signed_descriptor_body,
+                               0 /* from_store */);
+  }
+
   /* XXXX020 check times; make sure epochs match. */
 
   SMARTLIST_FOREACH(pending_vote_list, pending_vote_t *, v, {

Modified: tor/trunk/src/or/routerlist.c
===================================================================
--- tor/trunk/src/or/routerlist.c	2007-07-27 23:19:02 UTC (rev 10953)
+++ tor/trunk/src/or/routerlist.c	2007-07-28 00:11:34 UTC (rev 10954)
@@ -243,6 +243,9 @@
     if (!from_store)
       trusted_dir_servers_certs_changed = 1;
   }
+
+  trusted_dirs_flush_certs_to_disk();
+
   return 0;
 }
 
@@ -251,8 +254,13 @@
 trusted_dirs_flush_certs_to_disk(void)
 {
   char filename[512];
-  smartlist_t *chunks = smartlist_create();
+  smartlist_t *chunks;
 
+  if (!trusted_dir_servers_certs_changed)
+    return;
+
+  chunks = smartlist_create();
+
   tor_snprintf(filename,sizeof(filename),"%s"PATH_SEPARATOR"cached-certs",
                get_options()->DataDirectory);
   SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, ds,
@@ -277,6 +285,35 @@
 }
 
 /** DOCDOC */
+static void
+trusted_dirs_remove_old_certs(void)
+{
+  /* Any certificate that has been superseded for more than 48 hours is
+   * irrelevant. */
+#define OLD_CERT_LIFETIME (48*60*60)
+  SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, ds,
+    {
+      authority_cert_t *newest = NULL;
+      if (!ds->v3_certs)
+        continue;
+      SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
+          if (!newest || (cert->cache_info.published_on >
+                          newest->cache_info.published_on))
+            newest = cert);
+      SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
+          if (newest && (newest->cache_info.published_on >
+                         cert->cache_info.published_on + OLD_CERT_LIFETIME)) {
+            SMARTLIST_DEL_CURRENT(ds->v3_certs, cert);
+            authority_cert_free(cert);
+            trusted_dir_servers_certs_changed = 1;
+          });
+    });
+#undef OLD_CERT_LIFETIME
+
+  trusted_dirs_flush_certs_to_disk();
+}
+
+/** DOCDOC */
 authority_cert_t *
 authority_cert_get_by_digests(const char *id_digest,
                               const char *sk_digest)
@@ -622,9 +659,11 @@
 router_reload_router_list(void)
 {
   if (router_reload_router_list_impl(0))
-    return 1;
+    return -1;
   if (router_reload_router_list_impl(1))
-    return 1;
+    return -1;
+  if (trusted_dirs_reload_certs())
+    return -1;
   return 0;
 }
 
@@ -2697,6 +2736,9 @@
   routerinfo_t *router;
   signed_descriptor_t *sd;
   digestmap_t *retain;
+
+  trusted_dirs_remove_old_certs();
+
   if (!routerlist || !networkstatus_list)
     return;

More information about the tor-commits mailing list