r13956@catbus: nickm | 2007-07-27 20:09:48 -0400

Better certificate manipulations: extract certificates from incoming votes, forget ones that are very old, and remember to store them on disk.


svn:r10954

doc/TODO

@@ -90,9 +90,10 @@ Things we'd like to do in 0.2.0.x:
           o Generate certificates
           o Authorities load certificates
           o Clients cache certificates on disk
-          * Learn new ones when they show up in votes.
-          * Forget ones that are very old.
+          o Learn new ones when they show up in votes.
+          o Forget ones that are very old.
           - Download as needed.
+          o Actually invoke trusted_dirs_flush_certs_to_disk()
           * Serve list as needed.
           * Detect whether votes are really all for the same period.
           o Avoid double-checking signatures every time we get a vote.

src/or/dirvote.c

@@ -1140,6 +1140,15 @@ dirvote_add_vote(const char *vote_body, const char **msg_out)
     *msg_out = "Vote not from a recognized v3 authority";
     goto err;
   }
+  tor_assert(vote->cert);
+  if (!authority_cert_get_by_digests(vote->cert->cache_info.identity_digest,
+                                     vote->cert->signing_key_digest)) {
+    /* Hey, it's a new cert! */
+    trusted_dirs_load_certs_from_string(
+                               vote->cert->cache_info.signed_descriptor_body,
+                               0 /* from_store */);
+  }
+
   /* XXXX020 check times; make sure epochs match. */
 
   SMARTLIST_FOREACH(pending_vote_list, pending_vote_t *, v, {

src/or/routerlist.c

@@ -243,6 +243,9 @@ trusted_dirs_load_certs_from_string(const char *contents, int from_store)
     if (!from_store)
       trusted_dir_servers_certs_changed = 1;
   }
+
+  trusted_dirs_flush_certs_to_disk();
+
   return 0;
 }
 
@@ -251,7 +254,12 @@ void
 trusted_dirs_flush_certs_to_disk(void)
 {
   char filename[512];
-  smartlist_t *chunks = smartlist_create();
+  smartlist_t *chunks;
+
+  if (!trusted_dir_servers_certs_changed)
+    return;
+
+  chunks = smartlist_create();
 
   tor_snprintf(filename,sizeof(filename),"%s"PATH_SEPARATOR"cached-certs",
                get_options()->DataDirectory);
@@ -276,6 +284,35 @@ trusted_dirs_flush_certs_to_disk(void)
   trusted_dir_servers_certs_changed = 0;
 }
 
+/** DOCDOC */
+static void
+trusted_dirs_remove_old_certs(void)
+{
+  /* Any certificate that has been superseded for more than 48 hours is
+   * irrelevant. */
+#define OLD_CERT_LIFETIME (48*60*60)
+  SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, ds,
+    {
+      authority_cert_t *newest = NULL;
+      if (!ds->v3_certs)
+        continue;
+      SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
+          if (!newest || (cert->cache_info.published_on >
+                          newest->cache_info.published_on))
+            newest = cert);
+      SMARTLIST_FOREACH(ds->v3_certs, authority_cert_t *, cert,
+          if (newest && (newest->cache_info.published_on >
+                         cert->cache_info.published_on + OLD_CERT_LIFETIME)) {
+            SMARTLIST_DEL_CURRENT(ds->v3_certs, cert);
+            authority_cert_free(cert);
+            trusted_dir_servers_certs_changed = 1;
+          });
+    });
+#undef OLD_CERT_LIFETIME
+
+  trusted_dirs_flush_certs_to_disk();
+}
+
 /** DOCDOC */
 authority_cert_t *
 authority_cert_get_by_digests(const char *id_digest,
@@ -622,9 +659,11 @@ int
 router_reload_router_list(void)
 {
   if (router_reload_router_list_impl(0))
-    return 1;
+    return -1;
   if (router_reload_router_list_impl(1))
-    return 1;
+    return -1;
+  if (trusted_dirs_reload_certs())
+    return -1;
   return 0;
 }
 
@@ -2697,6 +2736,9 @@ routerlist_remove_old_routers(void)
   routerinfo_t *router;
   signed_descriptor_t *sd;
   digestmap_t *retain;
+
+  trusted_dirs_remove_old_certs();
+
   if (!routerlist || !networkstatus_list)
     return;