mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
r14028@Kushana: nickm | 2007-08-14 17:07:51 -0400
Implement cert-retrieval URLs. (Also, update TODO) svn:r11112
This commit is contained in:
parent
9a30f8ba0e
commit
484a580698
8
doc/TODO
8
doc/TODO
@ -55,7 +55,7 @@ Things we'd like to do in 0.2.0.x:
|
|||||||
unreachable is bunk -- it's leftover from the time when all
|
unreachable is bunk -- it's leftover from the time when all
|
||||||
servers ran 24/7. now it triggers every time a server goes
|
servers ran 24/7. now it triggers every time a server goes
|
||||||
away and then returns before the old descriptor has expired.
|
away and then returns before the old descriptor has expired.
|
||||||
- Update dir-spec with decisions made on these issues:
|
o Update dir-spec with decisions made on these issues:
|
||||||
o clients don't log as loudly when they receive them
|
o clients don't log as loudly when they receive them
|
||||||
o they don't count toward the 3-strikes rule
|
o they don't count toward the 3-strikes rule
|
||||||
D But eventually, we give up after getting a lot of 503s.
|
D But eventually, we give up after getting a lot of 503s.
|
||||||
@ -67,8 +67,8 @@ Things we'd like to do in 0.2.0.x:
|
|||||||
D They can 503 client descriptor requests when they feel like it.
|
D They can 503 client descriptor requests when they feel like it.
|
||||||
How can they distinguish? Not implemented for now, maybe
|
How can they distinguish? Not implemented for now, maybe
|
||||||
should abandon.
|
should abandon.
|
||||||
- describe our 302 not modified behaviors.
|
o describe our 302 not modified behaviors.
|
||||||
- and document a bit more -- e.g. it looks like we return an empty
|
o and document a bit more -- e.g. it looks like we return an empty
|
||||||
200 OK when somebody asks us for a networkstatus and we don't
|
200 OK when somebody asks us for a networkstatus and we don't
|
||||||
have it?
|
have it?
|
||||||
|
|
||||||
@ -84,7 +84,7 @@ Things we'd like to do in 0.2.0.x:
|
|||||||
- Get authorities voting
|
- Get authorities voting
|
||||||
. Code to manage key certificates
|
. Code to manage key certificates
|
||||||
- Download as needed.
|
- Download as needed.
|
||||||
- Serve list as needed.
|
o Serve list as needed.
|
||||||
o Avoid double-checking signatures every time we get a vote.
|
o Avoid double-checking signatures every time we get a vote.
|
||||||
- Warn about expired stuff.
|
- Warn about expired stuff.
|
||||||
- Fix all XXXX020s in vote code
|
- Fix all XXXX020s in vote code
|
||||||
|
@ -1242,6 +1242,14 @@ $Id$
|
|||||||
available at:
|
available at:
|
||||||
http://<hostname>/tor/keys/authority.z
|
http://<hostname>/tor/keys/authority.z
|
||||||
|
|
||||||
|
The key certificate for an authority whose authority identity fingerprint
|
||||||
|
is <F> should be available at:
|
||||||
|
http://<hostname>/tor/keys/fp/<F>.z
|
||||||
|
|
||||||
|
The key certificate whose signing key is <F> should be available at:
|
||||||
|
http://<hostname>/tor/keys/fp/<F>.z
|
||||||
|
[XXX020 cross-certify?]
|
||||||
|
|
||||||
The most recent descriptor for a server whose identity key has a
|
The most recent descriptor for a server whose identity key has a
|
||||||
fingerprint of <F> should be available at:
|
fingerprint of <F> should be available at:
|
||||||
http://<hostname>/tor/server/fp/<F>.z
|
http://<hostname>/tor/server/fp/<F>.z
|
||||||
|
@ -1737,7 +1737,8 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
|
|||||||
const char *body, size_t body_len)
|
const char *body, size_t body_len)
|
||||||
{
|
{
|
||||||
size_t dlen;
|
size_t dlen;
|
||||||
char *url = NULL;
|
char *url = NULL; /* XXX020 every exit point needs to free url. this
|
||||||
|
* function should use 'goto done' for that. */
|
||||||
or_options_t *options = get_options();
|
or_options_t *options = get_options();
|
||||||
time_t if_modified_since = 0;
|
time_t if_modified_since = 0;
|
||||||
char *header;
|
char *header;
|
||||||
@ -2007,6 +2008,84 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!strcmpstart(url,"/tor/keys/")) {
|
||||||
|
smartlist_t *certs = smartlist_create();
|
||||||
|
int compressed;
|
||||||
|
ssize_t len = -1;
|
||||||
|
url += strlen("/tor/keys/");
|
||||||
|
compressed = !strcmpend(url, ".z");
|
||||||
|
if (compressed)
|
||||||
|
url[strlen(url)-2] = '\0';
|
||||||
|
if (!strcmp(url, "all")) {
|
||||||
|
SMARTLIST_FOREACH(router_get_trusted_dir_servers(),
|
||||||
|
trusted_dir_server_t *, ds,
|
||||||
|
{
|
||||||
|
if (!ds->v3_certs)
|
||||||
|
continue;
|
||||||
|
SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
|
||||||
|
if (cert->cache_info.published_on >= if_modified_since)
|
||||||
|
smartlist_add(certs, cert));
|
||||||
|
});
|
||||||
|
} else if (!strcmp(url, "authority")) {
|
||||||
|
authority_cert_t *cert = get_my_v3_authority_cert();
|
||||||
|
if (cert)
|
||||||
|
smartlist_add(certs, cert);
|
||||||
|
} else if (!strcmpstart(url, "fp/")) {
|
||||||
|
smartlist_t *fps = smartlist_create();
|
||||||
|
dir_split_resource_into_fingerprints(url, fps, NULL, 1, 1);
|
||||||
|
SMARTLIST_FOREACH(fps, char *, d, {
|
||||||
|
authority_cert_t *c = authority_cert_get_newest_by_id(d);
|
||||||
|
if (c) smartlist_add(certs, c);
|
||||||
|
tor_free(d);
|
||||||
|
});
|
||||||
|
smartlist_free(fps);
|
||||||
|
} else if (!strcmpstart(url, "sk/")) {
|
||||||
|
smartlist_t *fps = smartlist_create();
|
||||||
|
dir_split_resource_into_fingerprints(url, fps, NULL, 1, 1);
|
||||||
|
SMARTLIST_FOREACH(fps, char *, d, {
|
||||||
|
authority_cert_t *c = authority_cert_get_by_sk_digest(d);
|
||||||
|
if (c) smartlist_add(certs, c);
|
||||||
|
tor_free(d);
|
||||||
|
});
|
||||||
|
smartlist_free(fps);
|
||||||
|
} else {
|
||||||
|
write_http_status_line(conn, 400, "Bad request");
|
||||||
|
tor_free(url);
|
||||||
|
smartlist_free(certs);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
if (!smartlist_len(certs)) {
|
||||||
|
write_http_status_line(conn, 404, "Not found");
|
||||||
|
tor_free(url);
|
||||||
|
smartlist_free(certs);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
if (!compressed) {
|
||||||
|
len = 0;
|
||||||
|
SMARTLIST_FOREACH(certs, authority_cert_t *, c,
|
||||||
|
len += c->cache_info.signed_descriptor_len);
|
||||||
|
}
|
||||||
|
write_http_response_header(conn, len,
|
||||||
|
compressed?"application/octet-stream":"text/plain",
|
||||||
|
compressed?"deflate":"identity",
|
||||||
|
60*60);
|
||||||
|
if (compressed) {
|
||||||
|
conn->zlib_state = tor_zlib_new(1, ZLIB_METHOD);
|
||||||
|
SMARTLIST_FOREACH(certs, authority_cert_t *, c,
|
||||||
|
connection_write_to_buf_zlib(c->cache_info.signed_descriptor_body,
|
||||||
|
c->cache_info.signed_descriptor_len,
|
||||||
|
conn, 0));
|
||||||
|
connection_write_to_buf_zlib("", 0, conn, 1);
|
||||||
|
} else {
|
||||||
|
SMARTLIST_FOREACH(certs, authority_cert_t *, c,
|
||||||
|
connection_write_to_buf(c->cache_info.signed_descriptor_body,
|
||||||
|
c->cache_info.signed_descriptor_len,
|
||||||
|
TO_CONN(conn)));
|
||||||
|
}
|
||||||
|
smartlist_free(certs);
|
||||||
|
tor_free(url);
|
||||||
|
}
|
||||||
|
|
||||||
if (options->HSAuthoritativeDir &&
|
if (options->HSAuthoritativeDir &&
|
||||||
(!strcmpstart(url,"/tor/rendezvous/") ||
|
(!strcmpstart(url,"/tor/rendezvous/") ||
|
||||||
!strcmpstart(url,"/tor/rendezvous1/"))) {
|
!strcmpstart(url,"/tor/rendezvous1/"))) {
|
||||||
|
@ -3355,6 +3355,8 @@ trusted_dir_server_t *router_get_trusteddirserver_by_digest(
|
|||||||
const char *digest);
|
const char *digest);
|
||||||
trusted_dir_server_t *trusteddirserver_get_by_v3_auth_digest(
|
trusted_dir_server_t *trusteddirserver_get_by_v3_auth_digest(
|
||||||
const char *digest);
|
const char *digest);
|
||||||
|
authority_cert_t *authority_cert_get_newest_by_id(const char *id_digest);
|
||||||
|
authority_cert_t *authority_cert_get_by_sk_digest(const char *sk_digest);
|
||||||
authority_cert_t *authority_cert_get_by_digests(const char *id_digest,
|
authority_cert_t *authority_cert_get_by_digests(const char *id_digest,
|
||||||
const char *sk_digest);
|
const char *sk_digest);
|
||||||
void routerlist_add_family(smartlist_t *sl, routerinfo_t *router);
|
void routerlist_add_family(smartlist_t *sl, routerinfo_t *router);
|
||||||
|
@ -337,6 +337,41 @@ trusted_dirs_remove_old_certs(void)
|
|||||||
trusted_dirs_flush_certs_to_disk();
|
trusted_dirs_flush_certs_to_disk();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** DOCDOC */
|
||||||
|
authority_cert_t *
|
||||||
|
authority_cert_get_newest_by_id(const char *id_digest)
|
||||||
|
{
|
||||||
|
trusted_dir_server_t *ds = trusteddirserver_get_by_v3_auth_digest(id_digest);
|
||||||
|
authority_cert_t *best = NULL;
|
||||||
|
if (!ds || !ds->v3_certs)
|
||||||
|
return NULL;
|
||||||
|
SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
|
||||||
|
{
|
||||||
|
if (!best || cert->cache_info.published_on > best->cache_info.published_on)
|
||||||
|
best = cert;
|
||||||
|
});
|
||||||
|
return best;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** DOCDOC */
|
||||||
|
authority_cert_t *
|
||||||
|
authority_cert_get_by_sk_digest(const char *sk_digest)
|
||||||
|
{
|
||||||
|
if (!trusted_dir_servers)
|
||||||
|
return NULL;
|
||||||
|
SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, ds,
|
||||||
|
{
|
||||||
|
if (!ds->v3_certs)
|
||||||
|
return NULL;
|
||||||
|
SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
|
||||||
|
{
|
||||||
|
if (!memcmp(cert->signing_key_digest, sk_digest, DIGEST_LEN))
|
||||||
|
return cert;
|
||||||
|
});
|
||||||
|
});
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
/** Return the v3 authority certificate with signing key matching
|
/** Return the v3 authority certificate with signing key matching
|
||||||
* <b>sk_digest</b>, for the authority with identity digest <b>id_digest</b>.
|
* <b>sk_digest</b>, for the authority with identity digest <b>id_digest</b>.
|
||||||
* Return NULL if no such authority is known. */
|
* Return NULL if no such authority is known. */
|
||||||
|
Loading…
Reference in New Issue
Block a user