| blob | 9cad245b29b81994a876fd9119c87e1d89ef15c6 |
1 /* Copyright (c) 2019-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file sendme.c
6 * \brief Code that is related to SENDME cells both in terms of
7 * creating/parsing cells and handling the content.
8 */
10 #define SENDME_PRIVATE
28 /* Return the minimum version given by the consensus (if any) that should be
29 * used when emitting a SENDME cell. */
30 STATIC int
32 {
34 SENDME_EMIT_MIN_VERSION_DEFAULT,
35 SENDME_EMIT_MIN_VERSION_MIN,
36 SENDME_EMIT_MIN_VERSION_MAX);
37 }
39 /* Return the minimum version given by the consensus (if any) that should be
40 * accepted when receiving a SENDME cell. */
41 STATIC int
43 {
45 SENDME_ACCEPT_MIN_VERSION_DEFAULT,
46 SENDME_ACCEPT_MIN_VERSION_MIN,
47 SENDME_ACCEPT_MIN_VERSION_MAX);
48 }
50 /* Pop the first cell digset on the given circuit from the SENDME last digests
51 * list. NULL is returned if the list is uninitialized or empty.
52 *
53 * The caller gets ownership of the returned digest thus is responsible for
54 * freeing the memory. */
57 {
65 }
67 /* More cell digest than the SENDME window is never suppose to happen. The
68 * cell should have been rejected before reaching this point due to its
69 * package_window down to 0 leading to a circuit close. Scream loudly but
70 * still pop the element so we don't memory leak. */
77 }
79 /* Return true iff the given cell digest matches the first digest in the
80 * circuit sendme list. */
81 static bool
83 {
87 /* Compare the digest with the one in the SENDME. This cell is invalid
88 * without a perfect match. */
93 }
95 /* Digests matches! */
97 }
99 /* Return true iff the given decoded SENDME version 1 cell is valid and
100 * matches the expected digest on the circuit.
101 *
102 * Validation is done by comparing the digest in the cell from the previous
103 * cell we saw which tells us that the other side has in fact seen that cell.
104 * See proposal 289 for more details. */
105 static bool
107 {
113 }
115 /* Return true iff the given cell version can be handled or if the minimum
116 * accepted version from the consensus is known to us. */
117 STATIC bool
119 {
122 /* We will first check if the consensus minimum accepted version can be
123 * handled by us and if not, regardless of the cell version we got, we can't
124 * continue. */
127 "Unable to accept SENDME version %u (from consensus). "
131 }
133 /* Then, is this version below the accepted version from the consensus? If
134 * yes, we must not handle it. */
140 }
142 /* Is this cell version supported by us? */
148 }
151 invalid:
153 }
155 /* Return true iff the encoded SENDME cell in cell_payload of length
156 * cell_payload_len is valid. For each version:
157 *
158 * 0: No validation
159 * 1: Authenticated with last cell digest.
160 *
161 * This is the main critical function to make sure we can continue to
162 * send/recv cells on a circuit. If the SENDME is invalid, the circuit should
163 * be marked for close by the caller. */
164 STATIC bool
167 {
175 /* An empty payload means version 0 so skip trunnel parsing. We won't be
176 * able to parse a 0 length buffer into a valid SENDME cell. */
180 /* First we'll decode the cell so we can get the version. */
185 }
187 }
189 /* Validate that we can handle this cell version. */
192 }
194 /* Pop the first element that was added (FIFO). We do that regardless of the
195 * version so we don't accumulate on the circuit if v0 is used by the other
196 * end point. */
199 /* We shouldn't have received a SENDME if we have no digests. Log at
200 * protocol warning because it can be tricked by sending many SENDMEs
201 * without prior data cell. */
203 "We received a SENDME but we have no cell digests to match. "
206 }
208 /* Validate depending on the version now. */
213 }
216 /* Version 0, there is no work to be done on the payload so it is
217 * necessarily valid if we pass the version validation. */
221 cell_version);
224 }
226 /* Valid cell. */
230 invalid:
234 }
236 /* Build and encode a version 1 SENDME cell into payload, which must be at
237 * least of RELAY_PAYLOAD_SIZE bytes, using the digest for the cell data.
238 *
239 * Return the size in bytes of the encoded cell in payload. A negative value
240 * is returned on encoding failure. */
241 STATIC ssize_t
243 {
252 /* Building a payload for version 1. */
254 /* Set the data length field for v1. */
257 /* Copy the digest into the data payload. */
261 /* Finally, encode the cell into the payload. */
266 }
268 /* Send a circuit-level SENDME on the given circuit using the layer_hint if
269 * not NULL. The digest is only used for version 1.
270 *
271 * Return 0 on success else a negative value and the circuit will be closed
272 * because we failed to send the cell on it. */
273 static int
276 {
279 ssize_t payload_len;
289 /* Unable to encode the cell, abort. We can recover from this by closing
290 * the circuit but in theory it should never happen. */
292 }
296 FALLTHROUGH;
298 /* Unknown version, fallback to version 0 meaning no payload. */
303 }
311 }
313 }
315 /* Record the cell digest only if the next cell is expected to be a SENDME. */
316 static void
318 {
322 /* Add the digest to the last seen list in the circuit. */
325 }
328 }
330 /*
331 * Public API
332 */
334 /** Return true iff the next cell for the given cell window is expected to be
335 * a SENDME.
336 *
337 * We are able to know that because the package or deliver window value minus
338 * one cell (the possible SENDME cell) should be a multiple of the increment
339 * window value. */
340 static bool
342 {
343 /* At the start of the window, no SENDME will be expected. */
346 }
348 /* Are we at the limit of the increment and if not, we don't expect next
349 * cell is a SENDME.
350 *
351 * We test against the window minus 1 because when we are looking if the
352 * next cell is a SENDME, the window (either package or deliver) hasn't been
353 * decremented just yet so when this is called, we are currently processing
354 * the "window - 1" cell.
355 *
356 * This function is used when recording a cell digest and this is done quite
357 * low in the stack when decrypting or encrypting a cell. The window is only
358 * updated once the cell is actually put in the outbuf. */
361 }
363 /* Next cell is expected to be a SENDME. */
365 }
367 /** Called when we've just received a relay data cell, when we've just
368 * finished flushing all bytes to stream <b>conn</b>, or when we've flushed
369 * *some* bytes to the stream <b>conn</b>.
370 *
371 * If conn->outbuf is not too full, and our deliver window is low, send back a
372 * suitable number of stream-level sendme cells.
373 */
374 void
376 {
381 /* Don't send it if we still have data to deliver. */
384 }
387 /* This can legitimately happen if the destroy has already arrived and
388 * torn down the circuit. */
392 }
404 }
405 }
407 end:
409 }
411 /** Check if the deliver_window for circuit <b>circ</b> (at hop
412 * <b>layer_hint</b> if it's defined) is low enough that we should
413 * send a circuit-level sendme back down the circuit. If so, send
414 * enough sendmes that the window would be overfull if we sent any
415 * more.
416 */
417 void
419 {
432 }
435 }
436 /* Current implementation is not suppose to send multiple SENDME at once
437 * because this means we would use the same relay crypto digest for each
438 * SENDME leading to a mismatch on the other side and the circuit to
439 * collapse. Scream loudly if it ever happens so we can address it. */
442 }
443 }
445 /* Process a circuit-level SENDME cell that we just received. The layer_hint,
446 * if not NULL, is the Exit hop of the connection which means that we are a
447 * client. In that case, circ must be an origin circuit. The cell_body_len is
448 * the length of the SENDME cell payload (excluding the header). The
449 * cell_payload is the payload.
450 *
451 * Return 0 on success (the SENDME is valid and the package window has
452 * been updated properly).
453 *
454 * On error, a negative value is returned, which indicates that the
455 * circuit must be closed using the value as the reason for it. */
456 int
460 {
464 /* Validate the SENDME cell. Depending on the version, different validation
465 * can be done. An invalid SENDME requires us to close the circuit. */
468 }
470 /* If we are the origin of the circuit, we are the Client so we use the
471 * layer hint (the Exit hop) for the package window tracking. */
473 /* If we are the origin of the circuit, it is impossible to not have a
474 * cpath. Just in case, bug on it and close the circuit. */
477 }
479 CIRCWINDOW_START_MAX) {
482 "Unexpected sendme cell from exit relay. "
485 }
490 /* We count circuit-level sendme's as valid delivered data because they
491 * are rate limited. */
494 /* We aren't the origin of this circuit so we are the Exit and thus we
495 * track the package window with the circuit object. */
497 CIRCWINDOW_START_MAX) {
500 "Unexpected sendme cell from client. "
503 }
507 }
510 }
512 /* Process a stream-level SENDME cell that we just received. The conn is the
513 * edge connection (stream) that the circuit circ is associated with. The
514 * cell_body_len is the length of the payload (excluding the header).
515 *
516 * Return 0 on success (the SENDME is valid and the package window has
517 * been updated properly).
518 *
519 * On error, a negative value is returned, which indicates that the
520 * circuit must be closed using the value as the reason for it. */
521 int
524 {
528 /* Don't allow the other endpoint to request more than our maximum (i.e.
529 * initial) stream SENDME window worth of data. Well-behaved stock clients
530 * will not request more than this max (as per the check in the while loop
531 * of sendme_connection_edge_consider_sending()). */
533 STREAMWINDOW_START_MAX) {
539 }
540 /* At this point, the stream sendme is valid */
543 /* We count circuit-level sendme's as valid delivered data because they are
544 * rate limited. */
547 }
553 }
555 /* Called when a relay DATA cell is received on the given circuit. If
556 * layer_hint is NULL, this means we are the Exit end point else we are the
557 * Client. Update the deliver window and return its new value. */
558 int
560 {
573 }
577 }
579 /* Called when a relay DATA cell is received for the given edge connection
580 * conn. Update the deliver window and return its new value. */
581 int
583 {
586 }
588 /* Called when a relay DATA cell is packaged on the given circuit. If
589 * layer_hint is NULL, this means we are the Exit end point else we are the
590 * Client. Update the package window and return its new value. */
591 int
593 {
599 /* Client side. */
605 /* Exit side. */
610 }
614 }
616 /* Called when a relay DATA cell is packaged for the given edge connection
617 * conn. Update the package window and return its new value. */
618 int
620 {
626 }
628 /* Record the cell digest into the circuit sendme digest list depending on
629 * which edge we are. The digest is recorded only if we expect the next cell
630 * that we will receive is a SENDME so we can match the digest. */
631 void
633 {
642 }
644 /* Is this the last cell before a SENDME? The idea is that if the
645 * package_window reaches a multiple of the increment, after this cell, we
646 * should expect a SENDME. */
649 }
651 /* Getting the digest is expensive so we only do it once we are certain to
652 * record it on the circuit. */
656 sendme_digest =
658 }
661 }
663 /* Called once we decrypted a cell and recognized it. Record the cell digest
664 * as the next sendme digest only if the next cell we'll send on the circuit
665 * is expected to be a SENDME. */
666 void
668 {
671 /* Only record if the next cell is expected to be a SENDME. */
675 }
678 /* Record incoming digest. */
681 /* Record forward digest. */
683 }
684 }
686 /* Called once we encrypted a cell. Record the cell digest as the next sendme
687 * digest only if the next cell we expect to receive is a SENDME so we can
688 * match the digests. */
689 void
691 {
694 /* Only record if the next cell is expected to be a SENDME. */
698 }
701 /* Record the forward digest. */
704 /* Record the incoming digest. */
706 }
708 end:
710 }