[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] Exits don't need to fetch certs for unknown authorities
commit 5193752ca88849878a0843cec1e81c6b4b05e550
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Fri Mar 30 15:20:06 2012 -0400
Exits don't need to fetch certs for unknown authorities
When we started RefuseUnknownExits back in 0.2.2.11-alpha, we
started making exits act like they cache directory info (since they
need an up-to-date idea of who is really a router). But this
included fetching needless (unrecognized) authorities' certs, which
doesn't make any sense for them.
This is related to, but not necessarily the same as, the issue that
Ian reported for bug #2297.
(This patch is based on a patch from a user who I believe has asked
not to be named. If I'm wrong about that, please add the
appropriate name onto the changelog.)
---
changes/bug2297-related | 6 ++++++
src/or/dirserv.c | 9 +++++++++
src/or/dirserv.h | 1 +
src/or/routerlist.c | 4 ++--
4 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/changes/bug2297-related b/changes/bug2297-related
new file mode 100644
index 0000000..3d9af11
--- /dev/null
+++ b/changes/bug2297-related
@@ -0,0 +1,6 @@
+ o Minor bugfixes:
+ - Exit nodes don't need to fetch certificates for authorities that
+ they don't recognize; only directory authorities, bridges, and
+ caches need to do that. Fix related to bug 2297; bugfix on
+ 0.2.2.11-alpha.
+
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index 11f235c..898d9f4 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -1252,6 +1252,15 @@ directory_caches_v2_dir_info(const or_options_t *options)
return options->DirPort != NULL;
}
+/** Return true iff we want to fetch and keep certificates for authorities
+ * that we don't acknowledge as aurthorities ourself.
+ */
+int
+directory_caches_unknown_auth_certs(const or_options_t *options)
+{
+ return options->DirPort || options->BridgeRelay;
+}
+
/** Return 1 if we want to keep descriptors, networkstatuses, etc around
* and we're willing to serve them to others. Else return 0.
*/
diff --git a/src/or/dirserv.h b/src/or/dirserv.h
index fc48e48..3ff0815 100644
--- a/src/or/dirserv.h
+++ b/src/or/dirserv.h
@@ -76,6 +76,7 @@ int directory_fetches_dir_info_early(const or_options_t *options);
int directory_fetches_dir_info_later(const or_options_t *options);
int directory_caches_v2_dir_info(const or_options_t *options);
#define directory_caches_v1_dir_info(o) directory_caches_v2_dir_info(o)
+int directory_caches_unknown_auth_certs(const or_options_t *options);
int directory_caches_dir_info(const or_options_t *options);
int directory_permits_begindir_requests(const or_options_t *options);
int directory_permits_controller_requests(const or_options_t *options);
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 160f340..f549549 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -229,7 +229,7 @@ trusted_dirs_load_certs_from_string(const char *contents, int from_store,
"signing key %s", from_store ? "cached" : "downloaded",
ds->nickname, hex_str(cert->signing_key_digest,DIGEST_LEN));
} else {
- int adding = directory_caches_dir_info(get_options());
+ int adding = directory_caches_unknown_auth_certs(get_options());
log_info(LD_DIR, "%s %s certificate for unrecognized directory "
"authority with signing key %s",
adding ? "Adding" : "Not adding",
@@ -480,7 +480,7 @@ authority_certs_fetch_missing(networkstatus_t *status, time_t now)
smartlist_t *missing_digests;
char *resource = NULL;
cert_list_t *cl;
- const int cache = directory_caches_dir_info(get_options());
+ const int cache = directory_caches_unknown_auth_certs(get_options());
if (should_delay_dir_fetches(get_options()))
return;
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits