[tor-bugs] #2991 [Tor]: Confusing log messages when a DA starts using a new key

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Oct 17 02:30:21 UTC 2012


#2991: Confusing log messages when a DA starts using a new key
------------------------+---------------------------------------------------
 Reporter:  rransom     |          Owner:                  
     Type:  defect      |         Status:  new             
 Priority:  normal      |      Milestone:  Tor: unspecified
Component:  Tor         |        Version:                  
 Keywords:  tor-client  |         Parent:                  
   Points:              |   Actualpoints:                  
------------------------+---------------------------------------------------

Comment(by sysrqb):

 Based on the two messages, at the time maatuska's:
   a) newest key was not in the trusted_dir_certs table
   b) trusted_dir_certs contained its most-current descriptor (?)

 Assumption:
 a) maatuska called authority_certs_fetch_missing, which resulted in it
 checking if it had a certificate for each of the signatures on the status.
 It didn't have a cert for itself (with the correct sig) stored in its
 digestmap, so it launched the request.

 b) when the request came in, already_have_cert was called to ensure it
 wasn't a duplicate. already_have_cert takes the cert and compares its
 cache_info.signed_descriptor_digest with the
 cache_info.signed_descriptor_digest for every cert that's stored in
 trusted_dir_certs.

 So, assuming (a) and (b) are reasonably well founded, is there a reason
 the two checks are comparing different digests? I understand that (b) is
 more comprehensive/accurate but the descriptor digest doesn't include the
 DA's signing key, does it? Because if not then the descriptor digest
 wouldn't change when the signing key changed, if I understand what's
 contained in the descriptor correctly.

 Also, based on the above and the assumption there is a connection to #5595
 (which seems likely), the discrepancy between the two comparisons would
 lead to the repeated downloading of the certificate until the new cert was
 actually added to the digestmap.

 I'll keep digging and please correct me where I am wrong.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2991#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

