[or-cvs] r10954: Better certificate manipulations: extract certificates from (in tor/trunk: . doc src/or)
Author: nickm
Date: 2007-07-27 20:11:34 -0400 (Fri, 27 Jul 2007)
New Revision: 10954
Modified:
tor/trunk/
tor/trunk/doc/TODO
tor/trunk/src/or/dirvote.c
tor/trunk/src/or/routerlist.c
Log:
r13956@catbus: nickm | 2007-07-27 20:09:48 -0400
Better certificate manipulations: extract certificates from incoming votes, forget ones that are very old, and remember to store them on disk.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r13956] on 8246c3cf-6607-4228-993b-4d95d33730f1
Modified: tor/trunk/doc/TODO
===================================================================
--- tor/trunk/doc/TODO 2007-07-27 23:19:02 UTC (rev 10953)
+++ tor/trunk/doc/TODO 2007-07-28 00:11:34 UTC (rev 10954)
@@ -90,9 +90,10 @@
o Generate certificates
o Authorities load certificates
o Clients cache certificates on disk
- * Learn new ones when they show up in votes.
- * Forget ones that are very old.
+ o Learn new ones when they show up in votes.
+ o Forget ones that are very old.
- Download as needed.
+ o Actually invoke trusted_dirs_flush_certs_to_disk()
* Serve list as needed.
* Detect whether votes are really all for the same period.
o Avoid double-checking signatures every time we get a vote.
Modified: tor/trunk/src/or/dirvote.c
===================================================================
--- tor/trunk/src/or/dirvote.c 2007-07-27 23:19:02 UTC (rev 10953)
+++ tor/trunk/src/or/dirvote.c 2007-07-28 00:11:34 UTC (rev 10954)
@@ -1140,6 +1140,15 @@
*msg_out = "Vote not from a recognized v3 authority";
goto err;
}
+ tor_assert(vote->cert);
+ if (!authority_cert_get_by_digests(vote->cert->cache_info.identity_digest,
+ vote->cert->signing_key_digest)) {
+ /* Hey, it's a new cert! */
+ trusted_dirs_load_certs_from_string(
+ vote->cert->cache_info.signed_descriptor_body,
+ 0 /* from_store */);
+ }
+
/* XXXX020 check times; make sure epochs match. */
SMARTLIST_FOREACH(pending_vote_list, pending_vote_t *, v, {
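Review bot: `tor_assert(vote->cert)` runs on a vote that was just parsed from data supplied by another host, so if the parser can ever hand back a vote without a certificate this aborts the process instead of rejecting the vote. Unless the parser guarantees the field (in which case a comment saying so would help), handle it like the check just above: `if (!vote->cert) { *msg_out = "Vote has no certificate"; goto err; }`. The return value of `trusted_dirs_load_certs_from_string()` is also dropped, so a certificate that fails to load leaves the vote going forward as though the cert were now known; checking it and taking the `err` path would keep the two cases apart. The enclosing function starts and ends outside the hunk, so any earlier validation of the cert is not visible here.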
Modified: tor/trunk/src/or/routerlist.c
===================================================================
--- tor/trunk/src/or/routerlist.c 2007-07-27 23:19:02 UTC (rev 10953)
+++ tor/trunk/src/or/routerlist.c 2007-07-28 00:11:34 UTC (rev 10954)
@@ -243,6 +243,9 @@
if (!from_store)
trusted_dir_servers_certs_changed = 1;
}
+
+ trusted_dirs_flush_certs_to_disk();
+
return 0;
}
@@ -251,8 +254,13 @@
trusted_dirs_flush_certs_to_disk(void)
{
char filename[512];
- smartlist_t *chunks = smartlist_create();
+ smartlist_t *chunks;
+ if (!trusted_dir_servers_certs_changed)
+ return;
+
+ chunks = smartlist_create();
+
tor_snprintf(filename,sizeof(filename),"%s"PATH_SEPARATOR"cached-certs",
get_options()->DataDirectory);
SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, ds,
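Review bot: The new early return deserves a short comment, for example `/* No certs changed since the last flush; skip the write. */`, because every cert load now calls this function and the flag is the only thing preventing a disk write per call. The rest of the body is outside the hunk, so it is not visible whether `trusted_dir_servers_certs_changed` is cleared only after the write succeeds. If it is cleared earlier, a failed write would silently drop the pending change and the on-disk cache would stay stale.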
@@ -277,6 +285,35 @@
}
/** DOCDOC */
+static void
+trusted_dirs_remove_old_certs(void)
+{
+ /* Any certificate that has been superseded for more than 48 hours is
+ * irrelevant. */
+#define OLD_CERT_LIFETIME (48*60*60)
+ SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, ds,
+ {
+ authority_cert_t *newest = NULL;
+ if (!ds->v3_certs)
+ continue;
+ SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
+ if (!newest || (cert->cache_info.published_on >
+ newest->cache_info.published_on))
+ newest = cert);
+ SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
+ if (newest && (newest->cache_info.published_on >
+ cert->cache_info.published_on + OLD_CERT_LIFETIME)) {
+ SMARTLIST_DEL_CURRENT(ds->v3_certs, cert);
+ authority_cert_free(cert);
+ trusted_dir_servers_certs_changed = 1;
+ });
+ });
+#undef OLD_CERT_LIFETIME
+
+ trusted_dirs_flush_certs_to_disk();
+}
+
+/** DOCDOC */
authority_cert_t *
authority_cert_get_by_digests(const char *id_digest,
const char *sk_digest)
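Review bot: The pruning test in `trusted_dirs_remove_old_certs()` compares two publication times, which does not match the comment's "superseded for more than 48 hours": a cert is freed as soon as any cert published more than 48 hours after it is known, however recently that newer cert arrived. Documents still signed with the older signing key could then fail to verify right after a key rotation. Comparing against the clock would match the stated intent, e.g. `time_t now = time(NULL);` and `if (newest && cert != newest && newest->cache_info.published_on + OLD_CERT_LIFETIME < now)`. The `/** DOCDOC */` placeholder above the new function should also become a real description, such as `/** Free every v3 cert that a newer cert from the same authority has superseded for more than OLD_CERT_LIFETIME seconds, then flush the cert cache to disk. */`.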
@@ -622,9 +659,11 @@
router_reload_router_list(void)
{
if (router_reload_router_list_impl(0))
- return 1;
+ return -1;
if (router_reload_router_list_impl(1))
- return 1;
+ return -1;
+ if (trusted_dirs_reload_certs())
+ return -1;
return 0;
}
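Review bot: Changing the failure value from `1` to `-1` is only safe if no caller tests `router_reload_router_list()` with `== 1` or `> 0`; the callers are outside this diff and should be checked. The added `trusted_dirs_reload_certs()` step also makes the whole reload fail when the cert cache cannot be read, so it is worth confirming that it returns 0 when `cached-certs` does not exist yet, otherwise a fresh data directory would fail here. A line in the function comment such as `Return 0 on success, -1 on failure.` would pin the convention.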
@@ -2697,6 +2736,9 @@
routerinfo_t *router;
signed_descriptor_t *sd;
digestmap_t *retain;
+
+ trusted_dirs_remove_old_certs();
+
if (!routerlist || !networkstatus_list)
return;