[or-cvs] r17246: {tor} be less aggressive about deleting expired certs. based on pa (in tor/trunk: . src/or)

nickm at seul.org nickm at seul.org
Tue Nov 11 16:01:58 UTC 2008


Author: nickm
Date: 2008-11-11 11:01:57 -0500 (Tue, 11 Nov 2008)
New Revision: 17246

Modified:
   tor/trunk/ChangeLog
   tor/trunk/src/or/routerlist.c
Log:
be less aggressive about deleting expired certs. based on patch from rovv.  partial fix for bug 854.

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2008-11-11 15:59:24 UTC (rev 17245)
+++ tor/trunk/ChangeLog	2008-11-11 16:01:57 UTC (rev 17246)
@@ -2,6 +2,8 @@
   o Minor bugfixes:
     - Get file locking working on win32.  Bugfix on 0.2.1.6-alpha.  Fixes
       bug 859.
+    - Made Tor a little less aggressive about deleting expired certificates.
+      Partial fix for bug 854.
 
   o Minor features (controller):
     - Return circuit purposes in response to GETINFO circuit-status.  Fixes

Modified: tor/trunk/src/or/routerlist.c
===================================================================
--- tor/trunk/src/or/routerlist.c	2008-11-11 15:59:24 UTC (rev 17245)
+++ tor/trunk/src/or/routerlist.c	2008-11-11 16:01:57 UTC (rev 17246)
@@ -278,23 +278,40 @@
 static void
 trusted_dirs_remove_old_certs(void)
 {
-#define OLD_CERT_LIFETIME (48*60*60)
+  time_t now = time(NULL);
+#define DEAD_CERT_LIFETIME (2*24*60*60)
+#define OLD_CERT_LIFETIME (7*24*60*60)
   if (!trusted_dir_certs)
     return;
 
+  log_notice(LD_DIR, "REMOVE OLD");
+
   DIGESTMAP_FOREACH(trusted_dir_certs, key, cert_list_t *, cl) {
     authority_cert_t *newest = NULL;
     SMARTLIST_FOREACH(cl->certs, authority_cert_t *, cert,
           if (!newest || (cert->cache_info.published_on >
                           newest->cache_info.published_on))
             newest = cert);
-    SMARTLIST_FOREACH(cl->certs, authority_cert_t *, cert,
-          if (newest && (newest->cache_info.published_on >
-                         cert->cache_info.published_on + OLD_CERT_LIFETIME)) {
-            SMARTLIST_DEL_CURRENT(cl->certs, cert);
-            authority_cert_free(cert);
-            trusted_dir_servers_certs_changed = 1;
-          });
+    if (newest) {
+      const time_t newest_published = newest->cache_info.published_on;
+      SMARTLIST_FOREACH_BEGIN(cl->certs, authority_cert_t *, cert) {
+        int expired;
+        time_t cert_published;
+        if (newest == cert)
+          continue;
+        expired = ftime_definitely_after(now, cert->expires);
+        cert_published = cert->cache_info.published_on;
+        /* Store expired certs for 48 hours after a newer arrives;
+         */
+        if (expired ?
+            (newest_published + DEAD_CERT_LIFETIME < now) :
+            (cert_published + OLD_CERT_LIFETIME < newest_published)) {
+          SMARTLIST_DEL_CURRENT(cl->certs, cert);
+          authority_cert_free(cert);
+          trusted_dir_servers_certs_changed = 1;
+        }
+      } SMARTLIST_FOREACH_END(cert);
+    }
   } DIGESTMAP_FOREACH_END;
 #undef OLD_CERT_LIFETIME
 
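Review bot: The added `log_notice(LD_DIR, "REMOVE OLD");` near the top of trusted_dirs_remove_old_certs() looks like leftover debugging output; at notice severity it is logged on every call that reaches it, so it should be dropped or demoted, e.g. `log_debug(LD_DIR, "Removing old authority certificates");`. The new `DEAD_CERT_LIFETIME` macro is never undefined although `OLD_CERT_LIFETIME` is, so add `#undef DEAD_CERT_LIFETIME` beside the existing `#undef`. The comment above the removal test ends in a dangling semicolon, covers only the expired branch, and says "after a newer arrives" while the test compares the newest cert's `published_on` against `now`; a comment such as `/* Drop expired certs once the newest cert was published more than 48 hours ago; drop unexpired ones published more than 7 days before the newest. */` would match the code. The function body continues past the end of this hunk.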


