commit 545b77e2f8fac6cf5909bb6b69b52d9cb4f8f397 Author: David Goulet dgoulet@torproject.org Date: Wed May 11 16:02:18 2016 -0400

prop250: Only trust known authority when computing SRV

Signed-off-by: David Goulet dgoulet@torproject.org --- src/or/shared_random.c | 10 ++++++++++ 1 file changed, 10 insertions(+)

diff --git a/src/or/shared_random.c b/src/or/shared_random.c index 6e6ff3b..d409d10 100644 --- a/src/or/shared_random.c +++ b/src/or/shared_random.c @@ -951,6 +951,16 @@ sr_compute_srv(void) DIGESTMAP_FOREACH(state_commits, key, sr_commit_t *, c) { /* Extra safety net, make sure we have valid commit before using it. */ ASSERT_COMMIT_VALID(c); + /* Let's not use a commit from an authority that we don't know. It's + * possible that an authority could be removed during a protocol run so + * that commit value should never be used in the SRV computation. */ + if (trusteddirserver_get_by_v3_auth_digest(c->rsa_identity) == NULL) { + log_warn(LD_DIR, "SR: Fingerprint %s is not from a recognized " + "authority. Discarding commit for the SRV computation.", + sr_commit_get_rsa_fpr(c)); + continue; + } + /* We consider this commit valid. */ smartlist_add(commits, c); } DIGESTMAP_FOREACH_END; smartlist_sort(commits, compare_reveal_);