| commit | 81c466c34abdcaae9ed78958da50148ccf9939f8 | |
| author | David Goulet <dgoulet@torproject.org> | |
| Mon, 22 Oct 2018 20:18:44 +0000 (22 16:18 -0400) | ||
| committer | David Goulet <dgoulet@torproject.org> | |
| Mon, 22 Oct 2018 20:34:41 +0000 (22 16:34 -0400) | ||
| tree | 309eb699d0a4ea297ba756888f36167babe46a3d | treesnapshot (tar.gz zip) |
| parent | 1ae91166016ec70a242c6dbb14c9ca5e77b1313f | commitdiff |
hs-v3: Create desc signing key cert before uploading
Before this commit, we would create the descriptor signing key certificate
when first building the descriptor.
In some extreme cases, it lead to the expiry of the certificate which triggers
a BUG() when encoding the descriptor before uploading.
Ticket #27838 details a possible scenario in which this can happen. It is an
edge case where tor losts internet connectivity, notices it and closes all
circuits. When it came back up, the HS subsystem noticed that it had no
introduction circuits, created them and tried to upload the descriptor.
However, in the meantime, if tor did lack a live consensus because it is
currently seeking to download one, we would consider that we don't need to
rotate the descriptors leading to using the expired signing key certificate.
That being said, this commit does a bit more to make this process cleaner.
There are a series of things that we need to "refresh" before uploading a
descriptor: signing key cert, intro points and revision counter.
A refresh function is added to deal with all mutable descriptor fields. It in
turn simplified a bit the code surrounding the creation of the plaintext data.
We keep creating the cert when building the descriptor in order to accomodate
the unit tests. However, it is replaced every single time the descriptor is
uploaded.
Fixes #27838
Signed-off-by: David Goulet <dgoulet@torproject.org>
Before this commit, we would create the descriptor signing key certificate
when first building the descriptor.
In some extreme cases, it lead to the expiry of the certificate which triggers
a BUG() when encoding the descriptor before uploading.
Ticket #27838 details a possible scenario in which this can happen. It is an
edge case where tor losts internet connectivity, notices it and closes all
circuits. When it came back up, the HS subsystem noticed that it had no
introduction circuits, created them and tried to upload the descriptor.
However, in the meantime, if tor did lack a live consensus because it is
currently seeking to download one, we would consider that we don't need to
rotate the descriptors leading to using the expired signing key certificate.
That being said, this commit does a bit more to make this process cleaner.
There are a series of things that we need to "refresh" before uploading a
descriptor: signing key cert, intro points and revision counter.
A refresh function is added to deal with all mutable descriptor fields. It in
turn simplified a bit the code surrounding the creation of the plaintext data.
We keep creating the cert when building the descriptor in order to accomodate
the unit tests. However, it is replaced every single time the descriptor is
uploaded.
Fixes #27838
Signed-off-by: David Goulet <dgoulet@torproject.org>
| changes/ticket27838 | [new file with mode: 0644] | blob |
| src/feature/hs/hs_service.c | diffblobblamehistory |