| blob | 96e6ccaaceb88e2e7748ba7ea197cb3ad1fd39ea |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2017, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file entrynodes.c
9 * \brief Code to manage our fixed first nodes for various functions.
10 *
11 * Entry nodes can be guards (for general use) or bridges (for censorship
12 * circumvention).
13 *
14 * In general, we use entry guards to prevent traffic-sampling attacks:
15 * if we chose every circuit independently, an adversary controlling
16 * some fraction of paths on the network would observe a sample of every
17 * user's traffic. Using guards gives users a chance of not being
18 * profiled.
19 *
20 * The current entry guard selection code is designed to try to avoid
21 * _ever_ trying every guard on the network, to try to stick to guards
22 * that we've used before, to handle hostile/broken networks, and
23 * to behave sanely when the network goes up and down.
24 *
25 * Our algorithm works as follows: First, we maintain a SAMPLE of guards
26 * we've seen in the networkstatus consensus. We maintain this sample
27 * over time, and store it persistently; it is chosen without reference
28 * to our configuration or firewall rules. Guards remain in the sample
29 * as they enter and leave the consensus. We expand this sample as
30 * needed, up to a maximum size.
31 *
32 * As a subset of the sample, we maintain a FILTERED SET of the guards
33 * that we would be willing to use if we could connect to them. The
34 * filter removes all the guards that we're excluding because they're
35 * bridges (or not bridges), because we have restrictive firewall rules,
36 * because of ExcludeNodes, because we of path bias restrictions,
37 * because they're absent from the network at present, and so on.
38 *
39 * As a subset of the filtered set, we keep a REACHABLE FILTERED SET
40 * (also called a "usable filtered set") of those guards that we call
41 * "reachable" or "maybe reachable". A guard is reachable if we've
42 * connected to it more recently than we've failed. A guard is "maybe
43 * reachable" if we have never tried to connect to it, or if we
44 * failed to connect to it so long ago that we no longer think our
45 * failure means it's down.
46 *
47 * As a persistent ordered list whose elements are taken from the
48 * sampled set, we track a CONFIRMED GUARDS LIST. A guard becomes
49 * confirmed when we successfully build a circuit through it, and decide
50 * to use that circuit. We order the guards on this list by the order
51 * in which they became confirmed.
52 *
53 * And as a final group, we have an ordered list of PRIMARY GUARDS,
54 * whose elements are taken from the filtered set. We prefer
55 * confirmed guards to non-confirmed guards for this list, and place
56 * other restrictions on it. The primary guards are the ones that we
57 * connect to "when nothing is wrong" -- circuits through them can be used
58 * immediately.
59 *
60 * To build circuits, we take a primary guard if possible -- or a
61 * reachable filtered confirmed guard if no primary guard is possible --
62 * or a random reachable filtered guard otherwise. If the guard is
63 * primary, we can use the circuit immediately on success. Otherwise,
64 * the guard is now "pending" -- we won't use its circuit unless all
65 * of the circuits we're trying to build through better guards have
66 * definitely failed.
67 *
68 * While we're building circuits, we track a little "guard state" for
69 * each circuit. We use this to keep track of whether the circuit is
70 * one that we can use as soon as it's done, or whether it's one that
71 * we should keep around to see if we can do better. In the latter case,
72 * a periodic call to entry_guards_upgrade_waiting_circuits() will
73 * eventually upgrade it.
74 **/
75 /* DOCDOC -- expand this.
76 *
77 * Information invariants:
78 *
79 * [x] whenever a guard becomes unreachable, clear its usable_filtered flag.
80 *
81 * [x] Whenever a guard becomes reachable or maybe-reachable, if its filtered
82 * flag is set, set its usable_filtered flag.
83 *
84 * [x] Whenever we get a new consensus, call update_from_consensus(). (LATER.)
85 *
86 * [x] Whenever the configuration changes in a relevant way, update the
87 * filtered/usable flags. (LATER.)
88 *
89 * [x] Whenever we add a guard to the sample, make sure its filtered/usable
90 * flags are set as possible.
91 *
92 * [x] Whenever we remove a guard from the sample, remove it from the primary
93 * and confirmed lists.
94 *
95 * [x] When we make a guard confirmed, update the primary list.
96 *
97 * [x] When we make a guard filtered or unfiltered, update the primary list.
98 *
99 * [x] When we are about to pick a guard, make sure that the primary list is
100 * full.
101 *
102 * [x] Before calling sample_reachable_filtered_entry_guards(), make sure
103 * that the filtered, primary, and confirmed flags are up-to-date.
104 *
105 * [x] Call entry_guard_consider_retry every time we are about to check
106 * is_usable_filtered or is_reachable, and every time we set
107 * is_filtered to 1.
108 *
109 * [x] Call entry_guards_changed_for_guard_selection() whenever we update
110 * a persistent field.
111 */
113 #define ENTRYNODES_PRIVATE
140 /** A list of existing guard selection contexts. */
142 /** The currently enabled guard selection context. */
145 /** A value of 1 means that at least one context has changed,
146 * and those changes need to be flushed to disk. */
166 /** Return 0 if we should apply guardfraction information found in the
167 * consensus. A specific consensus can be specified with the
168 * <b>ns</b> argument, if NULL the most recent one will be picked.*/
169 int
171 {
172 /* We need to check the corresponding torrc option and the consensus
173 * parameter if we need to. */
176 /* If UseGuardFraction is 'auto' then check the same-named consensus
177 * parameter. If the consensus parameter is not present, default to
178 * "off". */
183 }
186 }
188 /** Return true iff we know a preferred descriptor for <b>guard</b> */
189 static int
191 {
196 }
198 /**
199 * Try to determine the correct type for a selection named "name",
200 * if <b>type</b> is GS_TYPE_INFER.
201 */
202 STATIC guard_selection_type_t
205 {
211 else
213 }
215 }
217 /**
218 * Allocate and return a new guard_selection_t, with the name <b>name</b>.
219 */
220 STATIC guard_selection_t *
222 guard_selection_type_t type)
223 {
236 }
238 /**
239 * Return the guard selection called <b>name</b>. If there is none, and
240 * <b>create_if_absent</b> is true, then create and return it. If there
241 * is none, and <b>create_if_absent</b> is false, then return NULL.
242 */
243 STATIC guard_selection_t *
245 guard_selection_type_t type,
247 {
250 }
264 }
266 /**
267 * Allocate the first guard context that we're planning to use,
268 * and make it the current context.
269 */
270 static void
272 {
276 }
281 NULL,
287 }
289 /** Get current default guard_selection_t, creating it if necessary */
290 guard_selection_t *
292 {
295 }
298 }
300 /** Return a statically allocated human-readable description of <b>guard</b>
301 */
304 {
311 }
313 /** Return <b>guard</b>'s 20-byte RSA identity digest */
316 {
318 }
320 /** Return the pathbias state associated with <b>guard</b>. */
321 guard_pathbias_t *
323 {
325 }
329 /** Return an interval betweeen 'now' and 'max_backdate' seconds in the past,
330 * chosen uniformly at random. We use this before recording persistent
331 * dates, so that we aren't leaking exactly when we recorded it.
332 */
335 {
346 }
348 /**
349 * @name parameters for networkstatus algorithm
350 *
351 * These parameters are taken from the consensus; some are overrideable in
352 * the torrc.
353 */
354 /**@{*/
355 /**
356 * We never let our sampled guard set grow larger than this fraction
357 * of the guards on the network.
358 */
359 STATIC double
361 {
364 DFLT_MAX_SAMPLE_THRESHOLD_PERCENT,
367 }
368 /**
369 * We never let our sampled guard set grow larger than this number.
370 */
371 STATIC int
373 {
375 DFLT_MAX_SAMPLE_SIZE,
377 }
378 /**
379 * We always try to make our sample contain at least this many guards.
380 */
381 STATIC int
383 {
385 DFLT_MIN_FILTERED_SAMPLE_SIZE,
387 }
388 /**
389 * If a guard is unlisted for this many days in a row, we remove it.
390 */
391 STATIC int
393 {
396 DFLT_REMOVE_UNLISTED_GUARDS_AFTER_DAYS,
398 }
399 /**
400 * We remove unconfirmed guards from the sample after this many days,
401 * regardless of whether they are listed or unlisted.
402 */
403 STATIC int
405 {
413 }
414 /**
415 * We remove confirmed guards from the sample if they were sampled
416 * GUARD_LIFETIME_DAYS ago and confirmed this many days ago.
417 */
418 STATIC int
420 {
425 DFLT_GUARD_CONFIRMED_MIN_LIFETIME_DAYS,
428 }
429 /**
430 * How many guards do we try to keep on our primary guard list?
431 */
432 STATIC int
434 {
441 }
446 }
447 /**
448 * Return the number of the live primary guards we should look at when
449 * making a circuit.
450 */
451 STATIC int
453 {
465 }
468 }
471 }
472 /**
473 * If we haven't successfully built or used a circuit in this long, then
474 * consider that the internet is probably down.
475 */
476 STATIC int
478 {
480 DFLT_INTERNET_LIKELY_DOWN_INTERVAL,
482 }
483 /**
484 * If we're trying to connect to a nonprimary guard for at least this
485 * many seconds, and we haven't gotten the connection to work, we will treat
486 * lower-priority guards as usable.
487 */
488 STATIC int
490 {
493 DFLT_NONPRIMARY_GUARD_CONNECT_TIMEOUT,
495 }
496 /**
497 * If a circuit has been sitting around in 'waiting for better guard' state
498 * for at least this long, we'll expire it.
499 */
500 STATIC int
502 {
505 DFLT_NONPRIMARY_GUARD_IDLE_TIMEOUT,
507 }
508 /**
509 * If our configuration retains fewer than this fraction of guards from the
510 * torrc, we are in a restricted setting.
511 */
512 STATIC double
514 {
517 DFLT_MEANINGFUL_RESTRICTION_PERCENT,
520 }
521 /**
522 * If our configuration retains fewer than this fraction of guards from the
523 * torrc, we are in an extremely restricted setting, and should warn.
524 */
525 STATIC double
527 {
530 DFLT_EXTREME_RESTRICTION_PERCENT,
533 }
535 /* Mark <b>guard</b> as maybe reachable again. */
536 static void
538 {
541 }
543 /* Note that we do not clear failing_since: this guard is now only
544 * _maybe-reachable_. */
548 }
550 /**
551 * Called when the network comes up after having seemed to be down for
552 * a while: Mark the primary guards as maybe-reachable so that we'll
553 * try them again.
554 */
555 STATIC void
557 {
566 }
568 /* Called when we exhaust all guards in our sampled set: Marks all guards as
569 maybe-reachable so that we 'll try them again. */
570 static void
572 {
578 }
580 /**@}*/
582 /**
583 * Given our options and our list of nodes, return the name of the
584 * guard selection that we should use. Return NULL for "use the
585 * same selection you were using before.
586 */
592 {
599 }
602 /* without a networkstatus, we can't tell any more than that. */
605 }
614 }
615 }
618 /* We use separate 'high' and 'low' thresholds here to prevent flapping
619 * back and forth */
629 /*
630 If we have no previous selection, then we're "restricted" iff we are
631 below the meaningful restriction threshold. That's easy enough.
633 But if we _do_ have a previous selection, we make it a little
634 "sticky": we only move from "restricted" to "default" when we find
635 that we're above the threshold plus 5%, and we only move from
636 "default" to "restricted" when we're below the threshold minus 5%.
637 That should prevent us from flapping back and forth if we happen to
638 be hovering very close to the default.
640 The extreme threshold is for warning only.
641 */
651 "guards. That's likely to make you stand out from the "
653 }
655 /* Easy case: no previous selection. Just check if we are in restricted or
656 normal guard selection. */
664 }
665 }
667 /* Trickier case: we do have a previous guard selection context. */
670 /* Use high and low thresholds to decide guard selection, and if we fall in
671 the middle then keep the current guard selection context. */
679 /* we are in the middle: maintain previous guard selection */
682 }
683 }
685 /**
686 * Check whether we should switch from our current guard selection to a
687 * different one. If so, switch and return 1. Return 0 otherwise.
688 *
689 * On a 1 return, the caller should mark all currently live circuits unusable
690 * for new streams, by calling circuit_mark_all_unused_circs() and
691 * circuit_mark_all_dirty_circs_as_unusable().
692 */
693 int
695 {
699 }
703 options,
705 curr_guard_context,
715 }
726 }
728 /**
729 * Return true iff <b>node</b> has all the flags needed for us to consider it
730 * a possible guard when sampling guards.
731 */
732 static int
734 {
735 /* The "GUARDS" set is all nodes in the nodelist for which this predicate
736 * holds. */
745 }
747 /**
748 * Return the sampled guard with the RSA identity digest <b>rsa_id</b>, or
749 * NULL if we don't have one. */
750 STATIC entry_guard_t *
753 {
761 }
763 /** If <b>gs</b> contains a sampled entry guard matching <b>bridge</b>,
764 * return that guard. Otherwise return NULL. */
768 {
777 else
779 }
781 /** If we know a bridge_info_t matching <b>guard</b>, return that
782 * bridge. Otherwise return NULL. */
785 {
789 }
797 }
799 /**
800 * Return true iff we have a sampled guard with the RSA identity digest
801 * <b>rsa_id</b>. */
804 {
806 }
808 /**
809 * Allocate a new entry_guard_t object for <b>node</b>, add it to the
810 * sampled entry guards in <b>gs</b>, and return it. <b>node</b> must
811 * not currently be a sampled guard in <b>gs</b>.
812 */
813 STATIC entry_guard_t *
816 {
820 /* make sure that the guard is not already sampled. */
827 NULL);
828 }
830 /**
831 * Backend: adds a new sampled guard to <b>gs</b>, with given identity,
832 * nickname, and ORPort. rsa_id_digest and bridge_addrport are optional, but
833 * we need one of them. nickname is optional. The caller is responsible for
834 * maintaining the size limit of the SAMPLED_GUARDS set.
835 */
841 {
845 // XXXX #20827 take ed25519 identity here too.
847 /* Make sure we can actually identify the guard. */
853 /* persistent fields */
866 /* non-persistent fields */
876 }
878 /**
879 * Add an entry guard to the "bridges" guard selection sample, with
880 * information taken from <b>bridge</b>. Return that entry guard.
881 */
885 {
891 /* make sure that the guard is not already sampled. */
896 }
898 /**
899 * Return the entry_guard_t in <b>gs</b> whose address is <b>addrport</b>,
900 * or NULL if none exists.
901 */
905 {
915 }
917 /** Update the guard subsystem's knowledge of the identity of the bridge
918 * at <b>addrport</b>. Idempotent.
919 */
920 void
923 {
925 GS_TYPE_BRIDGE,
940 /* Nothing to see here; we learned something we already knew. */
947 "we already knew a different one (%s). Ignoring the new info as "
951 old_id);
953 }
958 }
959 }
961 /**
962 * Return the number of sampled guards in <b>gs</b> that are "filtered"
963 * (that is, we're willing to connect to them) and that are "usable"
964 * (that is, either "reachable" or "maybe reachable").
965 *
966 * If a restriction is provided in <b>rst</b>, do not count any guards that
967 * violate it.
968 */
969 STATIC int
972 {
982 }
984 /** Return the actual maximum size for the sample in <b>gs</b>,
985 * given that we know about <b>n_guards</b> total. */
986 static int
989 {
993 /* If we are in bridge mode, expand our sample set as needed without worrying
994 * about max size. We should respect the user's wishes to use many bridges if
995 * that's what they have specified in their configuration file. */
1004 else
1006 }
1008 /**
1009 * Return a smartlist of the all the guards that are not currently
1010 * members of the sample (GUARDS - SAMPLED_GUARDS). The elements of
1011 * this list are node_t pointers in the non-bridge case, and
1012 * bridge_info_t pointers in the bridge case. Set *<b>n_guards_out/b>
1013 * to the number of guards that we found in GUARDS, including those
1014 * that were already sampled.
1015 */
1020 {
1021 /* Construct eligible_guards as GUARDS - SAMPLED_GUARDS */
1031 }
1038 /* Build a bloom filter of our current guards: let's keep this O(N). */
1041 guard) {
1049 /* In restricted mode, we apply the filter BEFORE sampling, so
1050 * that we are sampling from the nodes that we might actually
1051 * select. If we sampled first, we might wind up with a sample
1052 * that didn't include any EntryNodes at all. */
1055 }
1062 /* Now we can free that bloom filter. */
1064 }
1068 }
1070 /** Helper: given a smartlist of either bridge_info_t (if gs->type is
1071 * GS_TYPE_BRIDGE) or node_t (otherwise), pick one that can be a guard,
1072 * add it as a guard, remove it from the list, and return a new
1073 * entry_guard_t. Return NULL on failure. */
1077 {
1092 }
1095 }
1097 /**
1098 * Return true iff we need a consensus to update our guards, but we don't
1099 * have one. (We can return 0 here either if the consensus is _not_ missing,
1100 * or if we don't need a consensus because we're using bridges.)
1101 */
1102 static int
1104 {
1107 /* We don't update bridges from the consensus; they aren't there. */
1109 }
1111 }
1113 /**
1114 * Add new guards to the sampled guards in <b>gs</b> until there are
1115 * enough usable filtered guards, but never grow the sample beyond its
1116 * maximum size. Return the last guard added, or NULL if none were
1117 * added.
1118 */
1119 STATIC entry_guard_t *
1121 {
1129 }
1145 /* Has our sample grown too large to expand? */
1149 max_sample);
1151 }
1153 /* Did we run out of guards? */
1155 /* LCOV_EXCL_START
1156 As long as MAX_SAMPLE_THRESHOLD makes can't be adjusted to
1157 allow all guards to be sampled, this can't be reached.
1158 */
1162 /* LCOV_EXCL_STOP */
1163 }
1165 /* Otherwise we can add at least one new guard. */
1174 }
1176 done:
1179 }
1181 /**
1182 * Helper: <b>guard</b> has just been removed from the sampled guards:
1183 * also remove it from primary and confirmed. */
1184 static void
1187 {
1194 }
1195 }
1203 // LCOV_EXCL_START
1205 // LCOV_EXCL_STOP
1206 }
1207 }
1208 }
1210 /** Return true iff <b>guard</b> is currently "listed" -- that is, it
1211 * appears in the consensus, or as a configured bridge (as
1212 * appropriate) */
1215 {
1222 }
1223 }
1225 /**
1226 * Update the status of all sampled guards based on the arrival of a
1227 * new consensus networkstatus document. This will include marking
1228 * some guards as listed or unlisted, and removing expired guards. */
1229 STATIC void
1231 {
1237 // It's important to use only a live consensus here; we don't want to
1238 // make changes based on anything expired or old.
1243 }
1249 /* First: Update listed/unlisted. */
1251 /* XXXX #20827 check ed ID too */
1264 unlisted_since_slop);
1274 }
1276 /* Clean up unlisted_since_date, just in case. */
1286 unlisted_since_slop);
1290 }
1300 /* Then: remove the ones that have been junk for too long */
1306 /*
1307 "We have a live consensus, and {IS_LISTED} is false, and
1308 {FIRST_UNLISTED_AT} is over {REMOVE_UNLISTED_GUARDS_AFTER}
1309 days in the past."
1310 */
1316 /* We have a live consensus, and {ADDED_ON_DATE} is over
1317 {GUARD_LIFETIME} ago, *and* {CONFIRMED_ON_DATE} is either
1318 "never", or over {GUARD_CONFIRMED_MIN_LIFETIME} ago.
1319 */
1333 }
1334 }
1341 }
1347 /* We don't need to rebuild the confirmed list right here -- we may have
1348 * removed confirmed guards above, but we can't have added any new
1349 * confirmed guards.
1350 */
1352 }
1353 }
1355 /**
1356 * Return true iff <b>node</b> is a Tor relay that we are configured to
1357 * be able to connect to. */
1358 static int
1361 {
1362 /* NOTE: Make sure that this function stays in sync with
1363 * options_transition_affects_entry_guards */
1378 }
1380 /** Helper: Return true iff <b>bridge</b> passes our configuration
1381 * filter-- if it is a relay that we are configured to be able to
1382 * connect to. */
1383 static int
1386 {
1394 /* Ignore entrynodes */
1399 FIREWALL_OR_CONNECTION,
1404 }
1406 /**
1407 * Return true iff <b>guard</b> is a Tor relay that we are configured to
1408 * be able to connect to, and we haven't disabled it for omission from
1409 * the consensus or path bias issues. */
1410 static int
1413 {
1427 // This can happen when currently_listed is true, and we're not updating
1428 // it because we don't have a live consensus.
1430 }
1433 }
1434 }
1436 /** Return true iff <b>guard</b> is in the same family as <b>node</b>.
1437 */
1438 static int
1440 {
1445 /* If we don't have a node_t for the guard node, we might have
1446 * a bridge_info_t for it. So let's check to see whether the bridge
1447 * address matches has any family issues.
1448 *
1449 * (Strictly speaking, I believe this check is unnecessary, since we only
1450 * use it to avoid the exit's family when building circuits, and we don't
1451 * build multihop circuits until we have a routerinfo_t for the
1452 * bridge... at which point, we'll also have a node_t for the
1453 * bridge. Nonetheless, it seems wise to include it, in case our
1454 * assumptions change down the road. -nickm.)
1455 */
1457 tor_addr_t node_addr;
1462 }
1463 }
1465 }
1466 }
1468 /* Allocate and return a new exit guard restriction (where <b>exit_id</b> is of
1469 * size DIGEST_LEN) */
1470 STATIC entry_guard_restriction_t *
1472 {
1478 }
1480 /** If we have fewer than this many possible usable guards, don't set
1481 * MD-availability-based restrictions: we might blacklist all of them. */
1482 #define MIN_GUARDS_FOR_MD_RESTRICTION 10
1484 /** Return true if we should set md dirserver restrictions. We might not want
1485 * to set those if our guard options are too restricted, since we don't want
1486 * to blacklist all of them. */
1487 static int
1489 {
1493 /* Don't set restriction if too few reachable filtered guards. */
1498 }
1500 /* We have enough usable guards: set MD restriction */
1502 }
1504 /** Allocate and return an outdated md guard restriction. Return NULL if no
1505 * such restriction is needed. */
1506 STATIC entry_guard_restriction_t *
1508 {
1515 }
1521 }
1523 /* Return True if <b>guard</b> obeys the exit restriction <b>rst</b>. */
1524 static int
1527 {
1530 // Exclude the exit ID and all of its family.
1536 }
1538 /** Return True if <b>guard</b> should be used as a dirserver for fetching
1539 * microdescriptors. */
1540 static int
1542 {
1543 /* If this guard is an outdated dirserver, don't use it. */
1548 }
1554 }
1556 /**
1557 * Return true iff <b>guard</b> obeys the restrictions defined in <b>rst</b>.
1558 * (If <b>rst</b> is NULL, there are no restrictions.)
1559 */
1560 static int
1563 {
1572 }
1576 }
1578 /**
1579 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1580 * flags on <b>guard</b>. */
1581 void
1585 {
1597 }
1603 /* This guard might now be primary or nonprimary. */
1605 }
1606 }
1608 /**
1609 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1610 * flag on every guard in <b>gs</b>. */
1611 STATIC void
1613 {
1619 }
1621 /**
1622 * Return a random guard from the reachable filtered sample guards
1623 * in <b>gs</b>, subject to the exclusion rules listed in <b>flags</b>.
1624 * Return NULL if no such guard can be found.
1625 *
1626 * Make sure that the sample is big enough, and that all the filter flags
1627 * are set correctly, before calling this function.
1628 *
1629 * If a restriction is provided in <b>rst</b>, do not return any guards that
1630 * violate it.
1631 **/
1632 STATIC entry_guard_t *
1636 {
1658 }
1663 /* Build the set of reachable filtered guards. */
1689 }
1693 }
1695 /**
1696 * Helper: compare two entry_guard_t by their confirmed_idx values.
1697 * Used to sort the confirmed list.
1698 */
1699 static int
1701 {
1707 else
1709 }
1711 /**
1712 * Find the confirmed guards from among the sampled guards in <b>gs</b>,
1713 * and put them in confirmed_entry_guards in the correct
1714 * order. Recalculate their indices.
1715 */
1716 STATIC void
1718 {
1732 }
1739 }
1740 }
1742 /**
1743 * Mark <b>guard</b> as a confirmed guard -- that is, one that we have
1744 * connected to, and intend to use again.
1745 */
1746 STATIC void
1748 {
1765 // This confirmed guard might kick something else out of the primary
1766 // guards.
1770 }
1772 /**
1773 * Recalculate the list of primary guards (the ones we'd prefer to use) from
1774 * the filtered sample and the confirmed list.
1775 */
1776 STATIC void
1778 {
1781 // prevent recursion. Recursion is potentially very bad here.
1792 /* Set this flag now, to prevent the calls below from recursing. */
1795 /* First, can we fill it up with confirmed guards? */
1805 /* Can we keep any older primary guards? First remove all the ones
1806 * that we already kept. */
1810 }
1813 /* Now add any that are still good. */
1824 /* Mark the remaining previous primary guards as non-primary */
1829 /* Finally, fill out the list with sampled guards. */
1832 SAMPLE_EXCLUDE_CONFIRMED|
1833 SAMPLE_EXCLUDE_PRIMARY|
1834 SAMPLE_NO_UPDATE_PRIMARY);
1839 }
1841 #if 1
1842 /* Debugging. */
1847 });
1858 }
1860 }
1872 }
1879 }
1881 /**
1882 * Return the number of seconds after the last attempt at which we should
1883 * retry a guard that has been failing since <b>failing_since</b>.
1884 */
1885 static int
1888 {
1898 }
1907 };
1913 }
1914 }
1915 /* LCOV_EXCL_START -- can't reach, since delays ends with TIME_MAX. */
1918 /* LCOV_EXCL_STOP */
1919 }
1921 /**
1922 * If <b>guard</b> is unreachable, consider whether enough time has passed
1923 * to consider it maybe-reachable again.
1924 */
1925 STATIC void
1927 {
1938 /* We should mark this retriable. */
1946 tbuf);
1951 }
1952 }
1954 /** Tell the entry guards subsystem that we have confirmed that as of
1955 * just now, we're on the internet. */
1956 void
1958 {
1960 }
1962 /**
1963 * Get a guard for use with a circuit. Prefer to pick a running primary
1964 * guard; then a non-pending running filtered confirmed guard; then a
1965 * non-pending runnable filtered guard. Update the
1966 * <b>last_tried_to_connect</b> time and the <b>is_pending</b> fields of the
1967 * guard as appropriate. Set <b>state_out</b> to the new guard-state
1968 * of the circuit.
1969 */
1970 STATIC entry_guard_t *
1972 guard_usage_t usage,
1975 {
1986 /* "If any entry in PRIMARY_GUARDS has {is_reachable} status of
1987 <maybe> or <yes>, return the first such guard." */
1995 }
2001 }
2010 }
2013 /* "Otherwise, if the ordered intersection of {CONFIRMED_GUARDS}
2014 and {USABLE_FILTERED_GUARDS} is nonempty, return the first
2015 entry in that intersection that has {is_pending} set to
2016 false." */
2030 "guard %s for circuit. Will try other guards before using "
2034 }
2037 /* "Otherwise, if there is no such entry, select a member at
2038 random from {USABLE_FILTERED_GUARDS}." */
2039 {
2045 rst,
2046 SAMPLE_EXCLUDE_CONFIRMED |
2047 SAMPLE_EXCLUDE_PRIMARY |
2048 SAMPLE_EXCLUDE_PENDING |
2049 flags);
2055 }
2060 "random guard %s for circuit. Will try other guards before "
2064 }
2065 }
2067 /**
2068 * Note that we failed to connect to or build circuits through <b>guard</b>.
2069 * Use with a guard returned by select_entry_guard_for_circuit().
2070 */
2071 STATIC void
2074 {
2088 }
2090 /**
2091 * Note that we successfully connected to, and built a circuit through
2092 * <b>guard</b>. Given the old guard-state of the circuit in <b>old_state</b>,
2093 * return the new guard-state of the circuit.
2094 *
2095 * Be aware: the circuit is only usable when its guard-state becomes
2096 * GUARD_CIRC_STATE_COMPLETE.
2097 **/
2098 STATIC unsigned
2102 {
2105 /* Save this, since we're about to overwrite it. */
2119 }
2129 /* Fall through. */
2132 /* XXXX #20832 -- I don't actually like this logic. It seems to make
2133 * us a little more susceptible to evil-ISP attacks. The mitigations
2134 * I'm thinking of, however, aren't local to this point, so I'll leave
2135 * it alone. */
2136 /* This guard may have become primary by virtue of being confirmed.
2137 * If so, the circuit for it is now complete.
2138 */
2142 }
2144 }
2150 }
2151 }
2159 }
2161 /**
2162 * Helper: Return true iff <b>a</b> has higher priority than <b>b</b>.
2163 */
2164 STATIC int
2166 {
2171 /* Confirmed is always better than unconfirmed; lower index better
2172 than higher */
2180 /* Lower confirmed_idx is better than higher. */
2182 }
2184 /* If we reach this point, both are unconfirmed. If one is pending, it
2185 * has higher priority. */
2190 /* Both are pending: earlier last_tried_connect wins. */
2196 /* Neither is pending: priorities are equal. */
2198 }
2199 }
2201 /** Release all storage held in <b>restriction</b> */
2202 STATIC void
2204 {
2206 }
2208 /**
2209 * Release all storage held in <b>state</b>.
2210 */
2211 void
2213 {
2219 }
2221 /** Allocate and return a new circuit_guard_state_t to track the result
2222 * of using <b>guard</b> for a given operation. */
2226 {
2236 }
2238 /**
2239 * Pick a suitable entry guard for a circuit in, and place that guard
2240 * in *<b>chosen_node_out</b>. Set *<b>guard_state_out</b> to an opaque
2241 * state object that will record whether the circuit is ready to be used
2242 * or not. Return 0 on success; on failure, return -1.
2243 *
2244 * If a restriction is provided in <b>rst</b>, do not return any guards that
2245 * violate it, and remember that restriction in <b>guard_state_out</b> for
2246 * later use. (Takes ownership of the <b>rst</b> object.)
2247 */
2248 int
2250 guard_usage_t usage,
2254 {
2269 // XXXX #20827 check Ed ID.
2280 fail:
2283 }
2285 /**
2286 * Called by the circuit building module when a circuit has succeeded: informs
2287 * the guards code that the guard in *<b>guard_state_p</b> is working, and
2288 * advances the state of the guard module. On a GUARD_USABLE_NEVER return
2289 * value, the circuit is broken and should not be used. On a GUARD_USABLE_NOW
2290 * return value, the circuit is ready to use. On a GUARD_MAYBE_USABLE_LATER
2291 * return value, the circuit should not be used until we find out whether
2292 * preferred guards will work for us.
2293 */
2294 guard_usable_t
2296 {
2315 }
2316 }
2318 /** Cancel the selection of *<b>guard_state_p</b> without declaring
2319 * success or failure. It is safe to call this function if success or
2320 * failure _has_ already been declared. */
2321 void
2323 {
2330 /* XXXX prop271 -- last_tried_to_connect_at will be erroneous here, but this
2331 * function will only get called in "bug" cases anyway. */
2335 }
2337 /**
2338 * Called by the circuit building module when a circuit has failed:
2339 * informs the guards code that the guard in *<b>guard_state_p</b> is
2340 * not working, and advances the state of the guard module.
2341 */
2342 void
2344 {
2356 }
2358 /**
2359 * Run the entry_guard_failed() function on every circuit that is
2360 * pending on <b>chan</b>.
2361 */
2362 void
2364 {
2376 /* We might have no guard state if we didn't use a guard on this
2377 * circuit (eg it's for a fallback directory). */
2379 }
2382 }
2384 /**
2385 * Return true iff every primary guard in <b>gs</b> is believed to
2386 * be unreachable.
2387 */
2388 STATIC int
2390 {
2400 }
2402 /** Wrapper for entry_guard_has_higher_priority that compares the
2403 * guard-priorities of a pair of circuits. Return 1 if <b>a</b> has higher
2404 * priority than <b>b</b>.
2405 *
2406 * If a restriction is provided in <b>rst</b>, then do not consider
2407 * <b>a</b> to have higher priority if it violates the restriction.
2408 */
2409 static int
2413 {
2424 /* Unknown guard -- never higher priority. */
2427 /* Known guard -- higher priority than any unknown guard. */
2430 /* Restriction violated; guard_a cannot have higher priority. */
2433 /* Both known -- compare.*/
2435 }
2436 }
2438 /**
2439 * Look at all of the origin_circuit_t * objects in <b>all_circuits_in</b>,
2440 * and see if any of them that were previously not ready to use for
2441 * guard-related reasons are now ready to use. Place those circuits
2442 * in <b>newly_complete_out</b>, and mark them COMPLETE.
2443 *
2444 * Return 1 if we upgraded any circuits, and 0 otherwise.
2445 */
2446 int
2450 {
2456 /* We only upgrade a waiting circuit if the primary guards are all
2457 * down. */
2461 }
2469 // We filter out circuits that aren't ours, or which we can't
2470 // reason about.
2491 }
2492 }
2499 }
2501 /* We'll need to keep track of what restrictions were used when picking this
2502 * circuit, so that we don't allow any circuit without those restrictions to
2503 * block it. */
2507 /* First look at the complete circuits: Do any block this circuit? */
2509 /* "C2 "blocks" C1 if:
2510 * C2 obeys all the restrictions that C1 had to obey, AND
2511 * C2 has higher priority than C1, AND
2512 * Either C2 is <complete>, or C2 is <waiting_for_better_guard>,
2513 or C2 has been <usable_if_no_better_guard> for no more than
2514 {NONPRIMARY_GUARD_CONNECT_TIMEOUT} seconds."
2515 */
2523 best_waiting_circuit))
2529 "%d complete and %d guard-stalled. At least one complete "
2533 }
2535 /* " * If any circuit C1 is <waiting_for_better_guard>, AND:
2536 * All primary guards have reachable status of <no>.
2537 * There is no circuit C2 that "blocks" C1.
2538 Then, upgrade C1 to <complete>.""
2539 */
2552 best_waiting_circuit))
2558 "%d guard-stalled, but %d pending circuit(s) had higher "
2562 }
2564 /* Okay. We have a best waiting circuit, and we aren't waiting for
2565 anything better. Add all circuits with that priority to the
2566 list, and call them COMPLETE. */
2573 /* Can't upgrade other circ with same priority as best; might
2574 be blocked. */
2576 }
2589 "%d guard-stalled, %d complete. %d of the guard-stalled "
2597 no_change:
2600 }
2602 /**
2603 * Return true iff the circuit whose state is <b>guard_state</b> should
2604 * expire.
2605 */
2606 int
2608 {
2615 }
2617 /**
2618 * Update all derived pieces of the guard selection state in <b>gs</b>.
2619 * Return true iff we should stop using all previously generated circuits.
2620 */
2621 int
2623 {
2629 }
2631 /**
2632 * Return a newly allocated string for encoding the persistent parts of
2633 * <b>guard</b> to the state file.
2634 */
2637 {
2638 /*
2639 * The meta-format we use is K=V K=V K=V... where K can be any
2640 * characters excepts space and =, and V can be any characters except
2641 * space. The order of entries is not allowed to matter.
2642 * Unrecognized K=V entries are persisted; recognized but erroneous
2643 * entries are corrected.
2644 */
2658 }
2661 }
2669 }
2674 }
2684 }
2688 /* Make a copy of the pathbias object, since we will want to update
2689 some of them */
2694 #define PB_FIELD(field) do { \
2695 if (pb->field >= EPSILON) { \
2697 } \
2698 } while (0)
2708 #undef PB_FIELD
2718 }
2720 /**
2721 * Given a string generated by entry_guard_encode_for_state(), parse it
2722 * (if possible) and return an entry_guard_t object for it. Return NULL
2723 * on complete failure.
2724 */
2725 STATIC entry_guard_t *
2727 {
2728 /* Unrecognized entries get put in here. */
2731 /* These fields get parsed from the string. */
2743 // pathbias
2753 /* Split up the entries. Put the ones we know about in strings and the
2754 * rest in "extra". */
2755 {
2759 #define FIELD(f) \
2760 strmap_set(vals, #f, &f);
2779 #undef FIELD
2789 }
2793 /* unrecognized or already set */
2797 }
2806 }
2814 }
2822 }
2824 /* Process the identity and nickname. */
2829 }
2837 }
2840 tor_addr_port_t res;
2846 /* On error, we already warned. */
2847 }
2849 /* Process the various time fields. */
2851 #define HANDLE_TIME(field) do { \
2852 if (field) { \
2853 int r = parse_iso_time_nospace(field, &field ## _time); \
2854 if (r < 0) { \
2856 #field, escaped(field)); \
2857 field##_time = -1; \
2858 } \
2859 } \
2860 } while (0)
2877 #undef HANDLE_TIME
2883 /* Take sampled_by_version verbatim. */
2887 /* Listed is a boolean */
2891 /* The index is a nonnegative integer. */
2901 }
2902 }
2904 /* Anything we didn't recognize gets crammed together */
2907 }
2909 /* initialize non-persistent fields */
2912 #define PB_FIELD(field) \
2913 do { \
2914 if (pb_ ## field) { \
2915 int ok = 1; \
2916 double r = tor_parse_double(pb_ ## field, 0.0, 1e9, &ok, NULL); \
2917 if (! ok) { \
2919 #field, pb_ ## field); \
2920 } else { \
2921 guard->pb.field = r; \
2922 } \
2923 } \
2924 } while (0)
2933 #undef PB_FIELD
2938 /* We update everything on this guard later, after we've parsed
2939 * everything. */
2943 err:
2944 // only consider it an error if the guard state was totally unparseable.
2948 done:
2972 }
2974 /**
2975 * Replace the Guards entries in <b>state</b> with a list of all our sampled
2976 * guards.
2977 */
2978 static void
2980 {
2999 }
3001 /**
3002 * Replace our sampled guards from the Guards entries in <b>state</b>. Return 0
3003 * on success, -1 on failure. (If <b>set</b> is true, replace nothing -- only
3004 * check whether replacing would work.)
3005 */
3006 static int
3008 {
3015 /* Wipe all our existing guard info. (we shouldn't have any, but
3016 * let's be safe.) */
3024 }
3031 }
3037 }
3048 }
3049 }
3055 }
3057 }
3059 /** If <b>digest</b> matches the identity of any node in the
3060 * entry_guards list for the provided guard selection state,
3061 return that node. Else return NULL. */
3062 entry_guard_t *
3065 {
3067 }
3069 /** Return the node_t associated with a single entry_guard_t. May
3070 * return NULL if the guard is not currently in the consensus. */
3073 {
3076 }
3078 /** If <b>digest</b> matches the identity of any node in the
3079 * entry_guards list for the default guard selection state,
3080 return that node. Else return NULL. */
3081 entry_guard_t *
3083 {
3086 }
3088 /** We are about to connect to bridge with identity <b>digest</b> to fetch its
3089 * descriptor. Create a new guard state for this connection and return it. */
3090 circuit_guard_state_t *
3092 {
3100 }
3102 /* Update the guard last_tried_to_connect time since it's checked by the
3103 * guard susbsystem. */
3106 /* Create the guard state */
3108 GUARD_CIRC_STATE_USABLE_ON_COMPLETION,
3109 NULL);
3112 }
3114 /** Release all storage held by <b>e</b>. */
3115 STATIC void
3117 {
3126 }
3128 /** Return 0 if we're fine adding arbitrary routers out of the
3129 * directory to our entry guard list, or return 1 if we have a
3130 * list already and we must stick to it.
3131 */
3132 int
3134 {
3135 // XXXX #21425 look at the current selection.
3141 }
3143 /** Return the number of bridges that have descriptors that are marked with
3144 * purpose 'bridge' and are running. If use_maybe_reachable is
3145 * true, include bridges that might be reachable in the count.
3146 * Otherwise, if it is false, only include bridges that have recently been
3147 * found running in the count.
3148 *
3149 * We use this function to decide if we're ready to start building
3150 * circuits through our bridges, or if we need to wait until the
3151 * directory "server/authority" requests finish. */
3154 {
3159 }
3163 }
3166 /* Definitely not usable */
3169 /* If we want to be really sure the bridges will work, skip maybes */
3180 }
3182 /** Check the pathbias use success count of <b>node</b> and disable it if it
3183 * goes over our thresholds. */
3184 static void
3186 {
3190 /* Note: We rely on the < comparison here to allow us to set a 0
3191 * rate and disable the feature entirely. If refactoring, don't
3192 * change to <= */
3202 }
3203 }
3205 /** Check the pathbias close count of <b>node</b> and disable it if it goes
3206 * over our thresholds. */
3207 static void
3209 {
3213 /* Note: We rely on the < comparison here to allow us to set a 0
3214 * rate and disable the feature entirely. If refactoring, don't
3215 * change to <= */
3225 }
3226 }
3228 /** Parse <b>state</b> and learn about the entry guards it describes.
3229 * If <b>set</b> is true, and there are no errors, replace the guard
3230 * list in the default guard selection context with what we find.
3231 * On success, return 0. On failure, alloc into *<b>msg</b> a string
3232 * describing the error, and return -1.
3233 */
3234 int
3236 {
3244 }
3246 }
3248 }
3250 /** How long will we let a change in our guard nodes stay un-saved
3251 * when we are trying to avoid disk writes? */
3252 #define SLOW_GUARD_STATE_FLUSH_TIME 600
3253 /** How long will we let a change in our guard nodes stay un-saved
3254 * when we are not trying to avoid disk writes? */
3255 #define FAST_GUARD_STATE_FLUSH_TIME 30
3257 /** Our list of entry guards has changed for a particular guard selection
3258 * context, or some element of one of our entry guards has changed for one.
3259 * Write the changes to disk within the next few minutes.
3260 */
3261 void
3263 {
3272 else
3275 /* or_state_save() will call entry_guards_update_state() and
3276 entry_guards_update_guards_in_state()
3277 */
3279 }
3281 /** Our list of entry guards has changed for the default guard selection
3282 * context, or some element of one of our entry guards has changed. Write
3283 * the changes to disk within the next few minutes.
3284 */
3285 void
3287 {
3289 }
3291 /** If the entry guard info has not changed, do nothing and return.
3292 * Otherwise, free the EntryGuards piece of <b>state</b> and create
3293 * a new one out of the global entry_guards list, and then mark
3294 * <b>state</b> dirty so it will get saved to disk.
3295 */
3296 void
3298 {
3301 // Handles all guard info.
3309 }
3311 /** Return true iff the circuit's guard can succeed that is can be used. */
3312 int
3314 {
3317 }
3322 }
3325 }
3327 /**
3328 * Format a single entry guard in the format expected by the controller.
3329 * Return a newly allocated string.
3330 */
3333 {
3340 /* This is going to be a bit tricky, since the status
3341 * codes weren't really intended for prop271 guards.
3342 *
3343 * XXXX use a more appropriate format for exporting this information
3344 */
3357 }
3365 /* e->nickname field is not very reliable if we don't know about
3366 * this router any longer; don't include it. */
3367 }
3375 }
3377 }
3379 /** If <b>question</b> is the string "entry-guards", then dump
3380 * to *<b>answer</b> a newly allocated string describing all of
3381 * the nodes in the global entry_guards list. See control-spec.txt
3382 * for details.
3383 * For backward compatibility, we also handle the string "helper-nodes".
3384 *
3385 * XXX this should be totally redesigned after prop 271 too, and that's
3386 * going to take some control spec work.
3387 * */
3388 int
3392 {
3414 }
3416 }
3418 /* Given the original bandwidth of a guard and its guardfraction,
3419 * calculate how much bandwidth the guard should have as a guard and
3420 * as a non-guard.
3421 *
3422 * Quoting from proposal236:
3423 *
3424 * Let Wpf denote the weight from the 'bandwidth-weights' line a
3425 * client would apply to N for position p if it had the guard
3426 * flag, Wpn the weight if it did not have the guard flag, and B the
3427 * measured bandwidth of N in the consensus. Then instead of choosing
3428 * N for position p proportionally to Wpf*B or Wpn*B, clients should
3429 * choose N proportionally to F*Wpf*B + (1-F)*Wpn*B.
3430 *
3431 * This function fills the <b>guardfraction_bw</b> structure. It sets
3432 * <b>guard_bw</b> to F*B and <b>non_guard_bw</b> to (1-F)*B.
3433 */
3434 void
3438 {
3441 /* Turn the percentage into a fraction. */
3451 }
3453 /** Helper: Update the status of all entry guards, in whatever algorithm
3454 * is used. Return true if we should stop using all previously generated
3455 * circuits, by calling circuit_mark_all_unused_circs() and
3456 * circuit_mark_all_dirty_circs_as_unusable().
3457 */
3458 int
3460 {
3471 }
3473 /** Helper: pick a guard for a circuit, with whatever algorithm is
3474 used. */
3478 {
3483 /* We're building to a targeted exit node, so that node can't be
3484 * chosen as our guard for this circuit. Remember that fact in a
3485 * restriction. */
3488 }
3490 GUARD_USAGE_TRAFFIC,
3491 rst,
3495 }
3497 }
3499 /** Remove all currently listed entry guards for a given guard selection
3500 * context. This frees and replaces <b>gs</b>, so don't use <b>gs</b>
3501 * after calling this function. */
3502 void
3504 {
3505 // This function shouldn't exist. XXXX
3512 });
3516 }
3524 }
3526 /** Remove all currently listed entry guards, so new ones will be chosen.
3527 *
3528 * XXXX This function shouldn't exist -- it's meant to support the DROPGUARDS
3529 * command, which is deprecated.
3530 */
3531 void
3533 {
3535 }
3537 /** Helper: pick a directory guard, with whatever algorithm is used. */
3541 {
3545 /* If we are fetching microdescs, don't query outdated dirservers. */
3548 }
3551 GUARD_USAGE_DIRGUARD,
3552 rst,
3556 }
3558 }
3560 /**
3561 * If we're running with a constrained guard set, then maybe mark our guards
3562 * usable. Return 1 if we do; 0 if we don't.
3563 */
3564 int
3566 {
3573 }
3575 /**
3576 * Check if we are missing any crucial dirinfo for the guard subsystem to
3577 * work. Return NULL if everything went well, otherwise return a newly
3578 * allocated string with an informative error message. In the latter case, use
3579 * the genreal descriptor information <b>using_mds</b>, <b>num_present</b> and
3580 * <b>num_usable</b> to improve the error message. */
3585 {
3594 /* We want to check for the descriptor of at least the first two primary
3595 * guards in our list, since these are the guards that we typically use for
3596 * circuits. */
3598 num_primary_to_check++;
3604 n_considered++;
3606 n_missing_descriptors++;
3611 /* If we are not missing any descriptors, return NULL. */
3614 }
3616 /* otherwise return a helpful error string */
3623 }
3625 /** As guard_selection_have_enough_dir_info_to_build_circuits, but uses
3626 * the default guard selection. */
3630 {
3633 using_mds,
3635 }
3637 /** Free one guard selection context */
3638 STATIC void
3640 {
3650 }
3656 }
3658 /** Release all storage held by the list of entry guards and related
3659 * memory structs. */
3660 void
3662 {
3663 /* Null out the default */
3665 /* Free all the guard contexts */
3672 }
3674 }