On Tue, Aug 26, 2014 at 08:25:15PM +0300, Timo Teras wrote:
> > The algorithm should be improved to never delete links which are
> > subsequently recreated.
>
> I almost answered "it's fixed". But it's not. IIRC, the version had it
> fixed, but it did not handle hash collisions nicely. This certainly is
> possibly to do, but needs some extra care when there's collisions and
> the entries need renaming instead of deletion.
>
> The time window is certainly a lot less in C-version, but it still
> exists. I'll look into fixing this too.
The collision case is tricky when a colliding trust-anchor is
deleted whose index suffix is not the largest. I'd be tempted to
symlink it to the remaining colliding certificate with the highest
index:
Before:
X.0 -> retired CA
X.1 -> retained CA
After:
X.0 -> retained CA
X.1 -> retained CA
And leave it that way for some time. On each run, if the highest
numbered index is duplicated by a lower-numbered index whose lstat(2)
age is sufficiently high (5 minutes or more?), that index can be
deleted (garbage collection). That might create a situation in
which we have:
X.0 -> CA1
X.1 -> CA1
X.2 -> CA2
(X.3 -> CA1 deleted)
In that case, update all but the first link to any fixed target to
point to the highest retained index.
X.1 -> CA2.
Leaving the invariant condition that at the end of each run at most
the last CA is duplicated. In steady-state this eliminates redundant
links, but avoids exposing verifiers to race conditions.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
