commit 149931571a4c5ad9ec24eb6d4306e8965a454211 Merge: 47f7085 75b4975 Author: Nick Mathewson nickm@torproject.org Date: Mon Apr 14 18:00:38 2014 -0400
Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4
Conflicts: src/or/routerlist.h
changes/bug11464_023 | 5 +++++ src/or/networkstatus.c | 11 +++++++++++ src/or/routerlist.c | 33 +++++++++++++++++++++++++++++++++ src/or/routerlist.h | 1 + src/or/routerparse.c | 8 ++++++++ 5 files changed, 58 insertions(+)
diff --cc src/or/routerlist.c index cb39729,a7968be..b49dc1a --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@@ -600,39 -455,42 +600,72 @@@ authority_cert_dl_failed(const char *id !(cl = digestmap_get(trusted_dir_certs, id_digest))) return;
- download_status_failed(&cl->dl_status, status); + /* + * Are we noting a failed download of the latest cert for the id digest, + * or of a download by (id, signing key) digest pair? + */ + if (!signing_key_digest) { + /* Just by id digest */ + download_status_failed(&cl->dl_status_by_id, status); + } else { + /* Reset by (id, signing key) digest pair + * + * Look for a download_status_t in the map with this digest + */ + dlstatus = dsmap_get(cl->dl_status_map, signing_key_digest); + /* Got one? */ + if (dlstatus) { + download_status_failed(dlstatus, status); + } else { + /* + * Do this rather than hex_str(), since hex_str clobbers + * old results and we call twice in the param list. + */ + base16_encode(id_digest_str, sizeof(id_digest_str), + id_digest, DIGEST_LEN); + base16_encode(sk_digest_str, sizeof(sk_digest_str), + signing_key_digest, DIGEST_LEN); + log_warn(LD_BUG, + "Got failure for cert fetch with (fp,sk) = (%s,%s), with " + "status %d, but knew nothing about the download.", + id_digest_str, sk_digest_str, status); + } + } }
+ static const char *BAD_SIGNING_KEYS[] = { + "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 + // dizum still needs to rotate as of 2014-04-14 + //"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 + // dannenberg still needs to rotate as of 2014-04-14 + //"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 + "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 + "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56 + "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01 + "9DCD8E3F1DD1597E2AD476BBA28A1A89F3095227", // Expires 2015-01-16 03:52:30 + "A61682F34B9BB9694AC98491FE1ABBFE61923941", // Expires 2014-06-11 09:25:09 + "B59F6E99C575113650C99F1C425BA7B20A8C071D", // Expires 2014-07-31 13:22:10 + "D27178388FA75B96D37FA36E0B015227DDDBDA51", // Expires 2014-08-04 04:01:57 + NULL, + }; + + /** DOCDOC */ + int + authority_cert_is_blacklisted(const authority_cert_t *cert) + { + char hex_digest[HEX_DIGEST_LEN+1]; + int i; + base16_encode(hex_digest, sizeof(hex_digest), + cert->signing_key_digest, sizeof(cert->signing_key_digest)); + + for (i = 0; BAD_SIGNING_KEYS[i]; ++i) { + if (!strcasecmp(hex_digest, BAD_SIGNING_KEYS[i])) { + return 1; + } + } + return 0; + } + /** Return true iff when we've been getting enough failures when trying to * download the certificate with ID digest <b>id_digest</b> that we're willing * to start bugging the user about it. 
*/ diff --cc src/or/routerlist.h index ce0f0f2,bd55b7b..5056858 --- a/src/or/routerlist.h +++ b/src/or/routerlist.h @@@ -39,8 -25,8 +39,9 @@@ void authority_cert_dl_failed(const cha void authority_certs_fetch_missing(networkstatus_t *status, time_t now); int router_reload_router_list(void); int authority_cert_dl_looks_uncertain(const char *id_digest); +const smartlist_t *router_get_trusted_dir_servers(void); +const smartlist_t *router_get_fallback_dir_servers(void); + int authority_cert_is_blacklisted(const authority_cert_t *cert); -smartlist_t *router_get_trusted_dir_servers(void);
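Review bot: `authority_cert_is_blacklisted()` makes a trust decision but is documented only with `/** DOCDOC */`; I would replace that with `/** Return true iff the signing key digest of <b>cert</b> is listed in BAD_SIGNING_KEYS, i.e. it is a key we refuse to trust. */` and add a one-line comment above `BAD_SIGNING_KEYS` saying why the keys are listed (changes/bug11464_023). The two entries left commented out (dizum, dannenberg) mean this build still accepts those signing keys, so the list needs a tracked follow-up once those authorities rotate. The callers are outside this hunk: the diffstat shows networkstatus.c and routerparse.c changed, and it is worth confirming that certificates already cached on disk are checked as well as freshly parsed ones. The function dereferences `cert` unconditionally, so callers must never pass NULL.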
const routerstatus_t *router_pick_directory_server(dirinfo_type_t type, int flags);