| blob | 1f559f6c420d6cce246082bafef9451a65c93483 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * @file channelpadding.c
9 * @brief Link-level padding code.
10 **/
12 /* CHANNEL_OBJECT_PRIVATE define needed for an O(1) implementation of
13 * channelpadding_channel_to_channelinfo() */
14 #define CHANNEL_OBJECT_PRIVATE
41 /** The total number of pending channelpadding timers */
44 /** These are cached consensus parameters for netflow */
45 /** The timeout lower bound that is allowed before sending padding */
47 /** The timeout upper bound that is allowed before sending padding */
49 /** The timeout lower bound that is allowed before sending reduced padding */
51 /** The timeout upper bound that is allowed before sending reduced padding */
53 /** The connection timeout between relays */
55 /** The connection timeout for client connections */
57 /** Should we pad before circuits are actually used for client data? */
59 /** Should we pad relay-to-relay connections? */
61 /** Should we pad rosos connections? */
64 #define TOR_MSEC_PER_SEC 1000
65 #define TOR_USEC_PER_MSEC 1000
67 /**
68 * How often do we get called by the connection housekeeping (ie: once
69 * per second) */
70 #define TOR_HOUSEKEEPING_CALLBACK_MSEC 1000
71 /**
72 * Additional extra time buffer on the housekeeping callback, since
73 * it can be delayed. This extra slack is used to decide if we should
74 * schedule a timer or wait for the next callback. */
75 #define TOR_HOUSEKEEPING_CALLBACK_SLACK_MSEC 100
77 /**
78 * This macro tells us if either end of the channel is connected to a client.
79 * (If we're not a server, we're definitely a client. If the channel thinks
80 * it's a client, use that. Then finally verify in the consensus).
81 */
82 #define CHANNEL_IS_CLIENT(chan, options) \
83 (!public_server_mode((options)) || channel_is_client(chan) || \
84 !connection_or_digest_is_known_relay((chan)->identity_digest))
86 /**
87 * This function is called to update cached consensus parameters every time
88 * there is a consensus update. This allows us to move the consensus param
89 * search off of the critical path, so it does not need to be evaluated
90 * for every single connection, every second.
91 */
92 void
94 {
95 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_LOW 1500
96 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_HIGH 9500
97 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_MIN 0
98 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_MAX 60000
100 DFLT_NETFLOW_INACTIVE_KEEPALIVE_LOW,
101 DFLT_NETFLOW_INACTIVE_KEEPALIVE_MIN,
102 DFLT_NETFLOW_INACTIVE_KEEPALIVE_MAX);
104 DFLT_NETFLOW_INACTIVE_KEEPALIVE_HIGH,
105 consensus_nf_ito_low,
106 DFLT_NETFLOW_INACTIVE_KEEPALIVE_MAX);
108 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_LOW 9000
109 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_HIGH 14000
110 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_MIN 0
111 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_MAX 60000
112 consensus_nf_ito_low_reduced =
114 DFLT_NETFLOW_REDUCED_KEEPALIVE_LOW,
115 DFLT_NETFLOW_REDUCED_KEEPALIVE_MIN,
116 DFLT_NETFLOW_REDUCED_KEEPALIVE_MAX);
118 consensus_nf_ito_high_reduced =
120 DFLT_NETFLOW_REDUCED_KEEPALIVE_HIGH,
121 consensus_nf_ito_low_reduced,
122 DFLT_NETFLOW_REDUCED_KEEPALIVE_MAX);
125 #define CONNTIMEOUT_RELAYS_MIN 60
127 consensus_nf_conntimeout_relays =
129 CONNTIMEOUT_RELAYS_DFLT,
130 CONNTIMEOUT_RELAYS_MIN,
131 CONNTIMEOUT_RELAYS_MAX);
134 #define CIRCTIMEOUT_CLIENTS_MIN 60
136 consensus_nf_conntimeout_clients =
138 CIRCTIMEOUT_CLIENTS_DFLT,
139 CIRCTIMEOUT_CLIENTS_MIN,
140 CIRCTIMEOUT_CLIENTS_MAX);
142 consensus_nf_pad_before_usage =
145 consensus_nf_pad_relays =
148 consensus_nf_pad_single_onion =
150 CHANNELPADDING_SOS_PARAM,
152 }
154 /**
155 * Get a random netflow inactive timeout keepalive period in milliseconds,
156 * the range for which is determined by consensus parameters, negotiation,
157 * configuration, or default values. The consensus parameters enforce the
158 * minimum possible value, to avoid excessively frequent padding.
159 *
160 * The ranges for this value were chosen to be low enough to ensure that
161 * routers do not emit a new netflow record for a connection due to it
162 * being idle.
163 *
164 * Specific timeout values for major routers are listed in Proposal 251.
165 * No major router appeared capable of setting an inactive timeout below 10
166 * seconds, so we set the defaults below that value, since we can always
167 * scale back if it ends up being too much padding.
168 *
169 * Returns the next timeout period (in milliseconds) after which we should
170 * send a padding packet, or 0 if padding is disabled.
171 */
172 STATIC int32_t
174 {
182 /* If we have negotiated different timeout values, use those, but
183 * don't allow them to be lower than the consensus ones */
187 }
192 /*
193 * This MAX() hack is here because we apply the timeout on both the client
194 * and the server. This creates the situation where the total time before
195 * sending a packet in either direction is actually
196 * min(client_timeout,server_timeout).
197 *
198 * If X is a random variable uniform from 0..R-1 (where R=high-low),
199 * then Y=max(X,X) has Prob(Y == i) = (2.0*i + 1)/(R*R).
200 *
201 * If we create a third random variable Z=min(Y,Y), then it turns out that
202 * Exp[Z] ~= Exp[X]. Here's a table:
203 *
204 * R Exp[X] Exp[Z] Exp[min(X,X)] Exp[max(X,X)]
205 * 2000 999.5 1066 666.2 1332.8
206 * 3000 1499.5 1599.5 999.5 1999.5
207 * 5000 2499.5 2666 1666.2 3332.8
208 * 6000 2999.5 3199.5 1999.5 3999.5
209 * 7000 3499.5 3732.8 2332.8 4666.2
210 * 8000 3999.5 4266.2 2666.2 5332.8
211 * 10000 4999.5 5328 3332.8 6666.2
212 * 15000 7499.5 7995 4999.5 9999.5
213 * 20000 9900.5 10661 6666.2 13332.8
214 *
215 * In other words, this hack makes it so that when both the client and
216 * the guard are sending this padding, then the averages work out closer
217 * to the midpoint of the range, making the overhead easier to tune.
218 * If only one endpoint is padding (for example: if the relay does not
219 * support padding, but the client has set ConnectionPadding 1; or
220 * if the relay does support padding, but the client has set
221 * ReducedConnectionPadding 1), then the defense will still prevent
222 * record splitting, but with less overhead than the midpoint
223 * (as seen by the Exp[max(X,X)] column).
224 *
225 * To calculate average padding packet frequency (and thus overhead),
226 * index into the table by picking a row based on R = high-low. Then,
227 * use the appropriate column (Exp[Z] for two-sided padding, and
228 * Exp[max(X,X)] for one-sided padding). Finally, take this value
229 * and add it to the low timeout value. This value is the average
230 * frequency which padding packets will be sent.
231 */
236 }
238 /**
239 * Update this channel's padding settings based on the PADDING_NEGOTIATE
240 * contents.
241 *
242 * Returns -1 on error; 1 on success.
243 */
244 int
247 {
254 }
256 // We should not allow malicious relays to disable or reduce padding for
257 // us as clients. In fact, we should only accept this cell at all if we're
258 // operating as a relay. Bridges should not accept it from relays, either
259 // (only from their clients).
266 "Got a PADDING_NEGOTIATE from relay at %s (%s). "
271 }
275 /* Min must not be lower than the current consensus parameter
276 nf_ito_low. */
280 /* Max must not be lower than ito_low_ms */
291 }
293 /**
294 * Sends a CELL_PADDING_NEGOTIATE on the channel to tell the other side not
295 * to send padding.
296 *
297 * Returns -1 on error, 0 on success.
298 */
299 STATIC int
301 {
302 channelpadding_negotiate_t disable;
303 cell_t cell;
307 MIN_LINK_PROTO_FOR_CHANNEL_PADDING);
321 else
323 }
325 /**
326 * Sends a CELL_PADDING_NEGOTIATE on the channel to tell the other side to
327 * resume sending padding at some rate.
328 *
329 * Returns -1 on error, 0 on success.
330 */
331 int
334 {
335 channelpadding_negotiate_t enable;
336 cell_t cell;
340 MIN_LINK_PROTO_FOR_CHANNEL_PADDING);
356 else
358 }
360 /**
361 * Sends a CELL_PADDING cell on a channel if it has been idle since
362 * our callback was scheduled.
363 *
364 * This function also clears the pending padding timer and the callback
365 * flags.
366 */
367 static void
369 {
370 cell_t cell;
372 /* Check that the channel is still valid and open */
378 }
380 /* We should have a pending callback flag set. */
389 /* We must have been active before the timer fired */
392 }
394 {
395 monotime_coarse_t now;
405 (
407 }
409 /* Clear the timer */
412 /* Send the padding cell. This will cause the channel to get a
413 * fresh timestamp_active */
417 }
419 /**
420 * tor_timer callback function for us to send padding on an idle channel.
421 *
422 * This function just obtains the channel from the callback handle, ensures
423 * it is still valid, and then hands it off to
424 * channelpadding_send_padding_cell_for_callback(), which checks if
425 * the channel is still idle before sending padding.
426 */
427 static void
430 {
435 /* Hrmm.. It might be nice to have an equivalent to assert_connection_ok
436 * for channels. Then we could get rid of the channeltls dependency */
438 OR_CONNECTION_MAGIC);
445 }
447 total_timers_pending--;
448 }
450 /**
451 * Schedules a callback to send padding on a channel in_ms milliseconds from
452 * now.
453 *
454 * Returns CHANNELPADDING_WONTPAD on error, CHANNELPADDING_PADDING_SENT if we
455 * sent the packet immediately without a timer, and
456 * CHANNELPADDING_PADDING_SCHEDULED if we decided to schedule a timer.
457 */
458 static channelpadding_decision_t
460 {
468 }
475 }
479 channelpadding_send_padding_callback,
484 }
491 }
493 /**
494 * Calculates the number of milliseconds from now to schedule a padding cell.
495 *
496 * Returns the number of milliseconds from now (relative) to schedule the
497 * padding callback. If the padding timer is more than 1.1 seconds in the
498 * future, we return -1, to avoid scheduling excessive callbacks. If padding
499 * is disabled in the consensus, we return -2.
500 *
501 * Side-effects: Updates chan->next_padding_time_ms, storing an (absolute, not
502 * relative) millisecond representation of when we should send padding, unless
503 * other activity happens first. This side-effect allows us to avoid
504 * scheduling a libevent callback until we're within 1.1 seconds of the padding
505 * time.
506 */
507 #define CHANNELPADDING_TIME_LATER -1
508 #define CHANNELPADDING_TIME_DISABLED -2
509 STATIC int64_t
511 {
512 monotime_coarse_t now;
516 /* If the below line or crypto_rand_int() shows up on a profile,
517 * we can avoid getting a timeout until we're at least nf_ito_lo
518 * from a timeout window. That will prevent us from setting timers
519 * on connections that were active up to 1.5 seconds ago.
520 * Idle connections should only call this once every 5.5s on average
521 * though, so that might be a micro-optimization for little gain. */
530 padding_timeout);
531 }
536 /* If the next padding time is beyond the maximum possible consensus value,
537 * then this indicates a clock jump, so just send padding now. This is
538 * better than using monotonic time because we want to avoid the situation
539 * where we wait around forever for monotonic time to move forward after
540 * a clock jump far into the past.
541 */
549 }
551 /* If the timeout will expire before the next time we're called (1000ms
552 from now, plus some slack), then calculate the number of milliseconds
553 from now which we should send padding, so we can schedule a callback
554 then.
555 */
557 TOR_HOUSEKEEPING_CALLBACK_SLACK_MSEC)) {
558 /* If the padding time is in the past, that means that libevent delayed
559 * calling the once-per-second callback due to other work taking too long.
560 * See https://bugs.torproject.org/22212 and
561 * https://bugs.torproject.org/16585. This is a systemic problem
562 * with being single-threaded, but let's emit a notice if this
563 * is long enough in the past that we might have missed a netflow window,
564 * and allowed a router to emit a netflow frame, just so we don't forget
565 * about it entirely.. */
566 #define NETFLOW_MISSED_WINDOW (150000 - DFLT_NETFLOW_INACTIVE_KEEPALIVE_HIGH)
574 }
577 }
579 }
581 /**
582 * Returns a randomized value for channel idle timeout in seconds.
583 * The channel idle timeout governs how quickly we close a channel
584 * after its last circuit has disappeared.
585 *
586 * There are three classes of channels:
587 * 1. Client+non-canonical. These live for 3-4.5 minutes
588 * 2. relay to relay. These live for 45-75 min by default
589 * 3. Reduced padding clients. These live for 1.5-2.25 minutes.
590 *
591 * Also allows the default relay-to-relay value to be controlled by the
592 * consensus.
593 */
594 unsigned int
597 {
601 /* Non-canonical and client channels only last for 3-4.5 min when idle */
604 timeout = CONNTIMEOUT_CLIENTS_BASE
607 // 45..75min or consensus +/- 25%
610 }
612 /* If ReducedConnectionPadding is set, we want to halve the duration of
613 * the channel idle timeout, since reducing the additional time that
614 * a channel stays open will reduce the total overhead for making
615 * new channels. This reduction in overhead/channel expense
616 * is important for mobile users. The option cannot be set by relays.
617 *
618 * We also don't reduce any values for timeout that the user explicitly
619 * set.
620 */
624 }
627 }
629 /**
630 * This function controls how long we keep idle circuits open,
631 * and how long we build predicted circuits. This behavior is under
632 * the control of channelpadding because circuit availability is the
633 * dominant factor in channel lifespan, which influences total padding
634 * overhead.
635 *
636 * Returns a randomized number of seconds in a range from
637 * CircuitsAvailableTimeout to 2*CircuitsAvailableTimeout. This value is halved
638 * if ReducedConnectionPadding is set. The default value of
639 * CircuitsAvailableTimeout can be controlled by the consensus.
640 */
641 int
643 {
650 /* If ReducedConnectionPadding is set, we want to halve the duration of
651 * the channel idle timeout, since reducing the additional time that
652 * a channel stays open will reduce the total overhead for making
653 * new connections. This reduction in overhead/connection expense
654 * is important for mobile users. The option cannot be set by relays.
655 *
656 * We also don't reduce any values for timeout that the user explicitly
657 * set.
658 */
660 // half the value to 15..30min by default
662 }
663 }
665 // 30..60min by default
671 }
673 /**
674 * Calling this function on a channel causes it to tell the other side
675 * not to send padding, and disables sending padding from this side as well.
676 */
677 void
679 {
682 // Send cell to disable padding on the other end
684 }
686 /**
687 * Calling this function on a channel causes it to tell the other side
688 * not to send padding, and reduces the rate that padding is sent from
689 * this side.
690 */
691 void
693 {
694 /* Padding can be forced and reduced by clients, regardless of if
695 * the channel supports it. So we check for support here before
696 * sending any commands. */
699 }
708 }
710 /**
711 * This function is called once per second by run_connection_housekeeping(),
712 * but only if the channel is still open, valid, and non-wedged.
713 *
714 * It decides if and when we should send a padding cell, and if needed,
715 * schedules a callback to send that cell at the appropriate time.
716 *
717 * Returns an enum that represents the current padding decision state.
718 * Return value is currently used only by unit tests.
719 */
720 channelpadding_decision_t
722 {
725 /* Only pad open channels */
734 }
739 /* Don't pad the channel if we didn't negotiate it, but still
740 * allow clients to force padding if options->ChannelPadding is
741 * explicitly set to 1.
742 */
745 }
749 /* If the consensus just changed values, this channel may still
750 * think padding is enabled. Negotiate it off. */
755 }
757 /* There should always be a cmux on the circuit. After that,
758 * only schedule padding if there are no queued writes and no
759 * queued cells in circuitmux queues. */
766 }
768 /* If nf_pad_relays=1 is set in the consensus, we pad
769 * on *all* idle connections, relay-relay or relay-client.
770 * Otherwise pad only for client+bridge cons */
783 }
784 /* We have to schedule a callback because we're called exactly once per
785 * second, but we don't want padding packets to go out exactly on an
786 * integer multiple of seconds. This callback will only be scheduled
787 * if we're within 1.1 seconds of the padding time.
788 */
791 }
795 }
798 }
799 }