| blob | 46d36cf1060fc9dff3b06de8079a0dce0e79a566 |
1 /* Copyright (c) 2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file conflux_pool.c
6 * \brief Conflux circuit pool management
7 */
9 #define TOR_CONFLUX_PRIVATE
10 #define CONFLUX_CELL_PRIVATE
44 /* Indicate if we are shutting down. This is used so we avoid recovering a
45 * conflux set on total shutdown. */
48 /** The pool of client-side conflux_t that are built, linked, and ready
49 * to be used. Indexed by nonce. */
52 /** The pool of origin unlinked_circuits_t indexed by nonce. */
55 /** The pool of relay conflux_t indexed by nonce. We call these "server"
56 * because they could be onion-service side too (even though we likely will
57 * only implement onion service conflux in Arti). The code is littered with
58 * asserts to ensure there are no origin circuits in here for now, too. */
61 /** The pool of relay unlinked_circuits_t indexed by nonce. */
64 /* A leg is essentially a circuit for a conflux set. We use this object for the
65 * unlinked pool. */
67 /* The circuit of the leg. */
70 /* The LINK cell content which is used to put the information back in the
71 * conflux_t object once all legs have linked and validate the ack. */
74 /* Indicate if the leg has received the LINKED or the LINKED_ACK cell
75 * depending on its side of the circuit. When all legs are linked, we then
76 * finalize the conflux_t object and move it to the linked pool. */
79 /* What time did we send the LINK/LINKED (depending on which side) so we can
80 * calculate the RTT. */
83 /* The RTT value in usec takend from the LINK <--> LINKED round trip. */
87 /* Object used to track unlinked circuits which are kept in the unlinked pool
88 * until they are linked and moved to the linked pool and global circuit set.
89 */
91 /* If true, indicate that this unlinked set is client side as in the legs are
92 * origin circuits. Else, it is on the exit side and thus or circuits. */
95 /* If true, indicate if the conflux_t is related to a linked set. */
98 /* Conflux object that will be set in each leg once all linked. */
101 /* Legs. */
105 /** Error code used when linking circuits. Based on those, we decide to
106 * relaunch or not. */
108 /* Linking was successful. */
110 /* The RTT was not acceptable. */
112 /* The leg can't be found. */
114 /* The set can't be found. */
116 /* Invalid leg as in not pass validation. */
120 #ifdef TOR_UNIT_TESTS
121 digest256map_t *
123 {
125 }
127 digest256map_t *
129 {
131 }
132 #endif
134 /* For unit tests only: please treat these exactly as the defines in the
135 * code. */
139 /** Helper: Format at 8 bytes the nonce for logging. */
142 {
144 }
146 /**
147 * Return the conflux algorithm for a desired UX value.
148 */
149 static uint8_t
151 {
159 /* For now, we have no low mem algs, so use minRTT since it should
160 * switch less and thus use less mem */
161 /* TODO-329-TUNING: Pick better algs here*/
166 /* Trunnel should protect us from this */
169 }
170 }
172 /** Return a newly allocated conflux_t object. */
175 {
182 }
184 static void
186 {
189 }
202 }
204 /** Wrapper for the free function, set the cfx pointer to NULL after free */
205 #define conflux_free(cfx) \
206 FREE_AND_NULL(conflux_t, conflux_free_, cfx)
208 /** Helper: Free function for the digest256map_free(). */
211 {
214 }
216 /** Return a newly allocated leg object containing the given circuit and link
217 * pointer (no copy). */
220 {
225 }
227 /** Free the given leg object. Passing NULL is safe. */
228 static void
230 {
233 }
237 }
240 }
242 /** Return a newly allocated unlinked set object for the given nonce. A new
243 * conflux object is also created. */
246 {
254 }
256 /** Free the given unlinked object. */
257 static void
259 {
262 }
263 /* This cfx is pointing to a linked set. */
266 }
270 }
272 /** Add the given unlinked object to the unlinked pool. */
273 static void
275 {
281 }
282 }
284 /** Delete the given unlinked object from the unlinked pool. */
285 static void
287 {
294 }
295 }
297 /** Return an unlinked object for the given nonce else NULL. */
300 {
306 }
307 }
309 /** Delete from the pool and free the given unlinked object. */
310 static void
312 {
316 }
318 /** Add the given conflux object to the linked conflux set. */
319 static void
321 {
327 }
328 }
330 /** Delete from the linked conflux set the given nonce. */
331 static void
333 {
339 }
340 }
342 /** Return a conflux_t object for the given nonce from the linked set. */
345 {
351 }
352 }
354 /** Add the given leg to the given unlinked object. */
357 {
362 }
364 /** Return an unlinked leg for the given unlinked object and for the given
365 * circuit. */
368 {
372 }
375 }
377 /** Return the given circuit leg from its unlinked set (if any). */
380 {
385 }
387 }
389 static void
392 {
401 }
403 }
405 /**
406 * Ensure that the given circuit has no attached streams.
407 *
408 * This validation function is called at various stages for
409 * unlinked circuits, to make sure they have no streams.
410 */
411 static void
413 {
421 }
427 }
434 }
439 }
440 }
441 }
443 /** Return true iff the legs in the given unlinked set are valid and coherent
444 * to be a linked set. */
445 static bool
447 {
459 /* Version and nonce must match in all legs. */
462 }
464 // If the other ends last sent sequence number is higher than the
465 // last sequence number we delivered, we have data loss, and cannot link.
471 // TODO-329-ARTI: Instead of closing the set here, we could
472 // immediately send a SWITCH cell and re-send the missing data.
473 // To do this, though, we would need to constantly buffer at least
474 // a cwnd worth of sent data to retransmit. We're not going to try
475 // this in C-Tor, but arti could consider it.
476 }
480 /* Note that if no legs, it validates. */
483 }
485 /** Add up a new leg to the given conflux object. */
486 static void
488 {
493 /* Big trouble if we add a leg to the wrong set. */
498 }
502 // TODO-329-ARTI: Blindly copying the values from the cell. Is this correct?
503 // I think no... When adding new legs, switching to this leg is
504 // likely to break, unless the sender tracks what link cell it sent..
505 // Is that the best option? Or should we use the max of our legs, here?
506 // (It seems the other side will have no idea what our current maxes
507 /// are, so this option seems better right now)
515 /* Add leg to given conflux. */
518 /* Ensure the new circuit has no streams. */
521 /* If this is not the first leg, get the first leg, and get
522 * the reference streams from it. */
531 /* Sync all legs with the new stream(s). */
538 }
539 }
543 CIRCUIT_PURPOSE_CONFLUX_UNLINKED);
545 }
547 }
549 /**
550 * Clean up a circuit from its conflux_t object.
551 *
552 * Return true if closing this circuit should tear down the entire set,
553 * false otherwise.
554 */
555 static bool
557 {
567 }
569 // If the circuit still has inflight data, teardown
577 }
579 /* Remove it from the cfx. */
582 /* After removal, if this leg had the highest sent (or recv)
583 * sequence number, it was in active use by us (or the other side).
584 * We need to tear down the entire set. */
585 // TODO-329-ARTI: If we support resumption, we don't need this.
592 }
593 }
595 /* Cleanup any reference to leg. */
601 }
604 }
608 end:
610 }
612 /** Close the circuit of each legs of the given unlinked object. */
613 static void
615 {
620 /* Small optimization here, avoid this work if no legs. */
623 }
625 /* We will iterate over all legs and put the circuit in its own list and then
626 * mark them for close. The unlinked object gets freed opportunistically once
627 * there is no more legs attached to it and so we can't hold a reference
628 * while closing circuits. */
635 /* The leg gets cleaned up in the circuit close. */
639 }
642 }
645 /* Drop the list and ignore its content, we don't have ownership. */
647 }
649 /** Either closee all legs of the given unlinked set or delete it from the pool
650 * and free its memory.
651 *
652 * Important: The unlinked object is freed opportunistically when legs are
653 * removed until the point none remains. And so, it is only safe to free the
654 * object if no more legs exist.
655 */
656 static void
658 {
661 }
663 /* If we have legs, the circuit close will trigger the unlinked object to be
664 * opportunistically freed. Else, we do it explicitly. */
669 }
670 /* Either the unlinked object has been freed or the last leg close will free
671 * it so from this point on, nullify for safety reasons. */
673 }
675 /** Upon an error condition or a close of an in-use circuit, we must close all
676 * linked and unlinked circuits associated with a set. When the last leg of
677 * each set is closed, the set is removed from the pool. */
678 static void
680 {
681 /* It is possible that for a nonce we have both an unlinked set and a linked
682 * set. This happens if there is a recovery leg launched for an existing
683 * linked set. */
685 /* Close the unlinked set. */
689 }
690 /* In case it gets freed, be safe here. */
693 /* Close the linked set. It will free itself upon the close of
694 * the last leg. */
699 }
710 /* Drop the list and ignore its content, we don't have ownership. */
712 }
713 }
715 /** Helper: Free function taking a void pointer for the digest256map_free. */
718 {
721 }
723 /** Attempt to finalize the unlinked set to become a linked set and be put in
724 * the linked pool.
725 *
726 * If this finalized successfully, the given unlinked object is freed. */
727 static link_circ_err_t
729 {
735 /* Without legs, this is not ready to become a linked set. */
739 }
741 /* Validate that all legs are coherent and parameters match. On failure, we
742 * teardown the whole unlinked set because this means we either have a code
743 * flow problem or the Exit is trying to trick us. */
748 END_CIRC_REASON_TORPROTOCOL);
751 }
753 /* Check all linked status. All need to be true in order to finalize the set
754 * and move it to the linked pool. */
756 /* We are still waiting on a leg. */
762 }
765 /* Finalize the cfx object by adding all legs into it. */
767 /* Removing the leg from the list is important so we avoid ending up with a
768 * leg in the unlinked list that is set with LINKED purpose. */
771 /* We are ready to attach the leg to the cfx object now. */
774 /* Clean the pending nonce and set the conflux object in the circuit. */
777 /* We are done with this leg object. */
783 /* Add the conflux object to the linked pool. For an existing linked cfx
784 * object, we'll simply replace it with itself. */
787 /* Remove it from the unlinked pool. */
790 /* We don't recover a leg when it is linked but if we would like to support
791 * session ressumption, this would be very important in order to allow new
792 * legs to be created/recovered. */
795 /* Nullify because we are about to free the unlinked object and the cfx has
796 * moved to all circuits. */
804 end:
806 }
808 /** Record the RTT for this client circuit.
809 *
810 * Return the RTT value. UINT64_MAX is returned if we couldn't find the initial
811 * measurement of when the cell was sent or if the leg is missing. */
812 static uint64_t
814 {
825 }
832 // TODO-329-TUNING: For now, let's accept this case. We need to do
833 // tuning and clean up the tests such that they use RTT in order to
834 // fail here.
835 //goto err;
836 }
839 err:
840 // Avoid using this leg until a timestamp comes in
844 }
846 /** Record the RTT for this Exit circuit.
847 *
848 * Return the RTT value. UINT64_MAX is returned if we couldn't find the initial
849 * measurement of when the cell was sent or if the leg is missing. */
851 static uint64_t
853 {
864 }
873 }
876 err:
880 }
882 /** For the given circuit, record the RTT from when the LINK or LINKED cell was
883 * sent that is this function works for either client or Exit.
884 *
885 * Return false if the RTT is too high for our standard else true. */
886 static bool
888 {
904 }
907 }
910 }
912 /** Link the given circuit within its unlinked set. This is called when either
913 * the LINKED or LINKED_ACK is received depending on which side of the circuit
914 * it is.
915 *
916 * It attempts to finalize the unlinked set as well which, if successful, puts
917 * it in the linked pool. */
918 static link_circ_err_t
920 {
929 }
938 }
942 /* Failure to find the leg when linking a circuit is an important problem
943 * so log loudly and error. */
949 }
951 /* Successful link. Attempt to finalize the set in case this was the last
952 * LINKED or LINKED_ACK cell to receive. */
956 end:
958 }
960 /** Launch a brand new set.
961 *
962 * Return true if all legs successfully launched or false if one failed. */
963 STATIC bool
965 {
968 /* Brand new nonce for this set. */
971 /* Launch all legs. */
974 /* This function cleans up entirely the unlinked set if a leg is unable
975 * to be launched. The recovery would be complex here. */
977 }
978 }
982 err:
984 }
988 {
997 /* If this is a leg of an existing linked set, use that conflux object
998 * instead so all legs point to the same. It is put in the leg's circuit
999 * once the link is confirmed. */
1005 }
1006 /* Add this set to the unlinked pool. */
1008 }
1011 }
1013 /**
1014 * On the client side, we need to determine if there is already
1015 * an exit in use for this set, and if so, use that.
1016 *
1017 * Otherwise, we return NULL and the exit is decided by the
1018 * circuitbuild.c code.
1019 */
1022 {
1027 // First, check the linked pool for the nonce
1031 /* Get the exit from the first leg */
1045 /* Get the exit from the first leg */
1052 }
1053 }
1054 }
1057 }
1059 /**
1060 * Return the currently configured client UX.
1061 */
1062 static uint8_t
1064 {
1065 #ifdef TOR_UNIT_TESTS
1067 #else
1072 /* Return the UX */
1074 #endif
1075 }
1077 /** Return true iff the given conflux object is allowed to launch a new leg. If
1078 * the cfx object is NULL, then it is always allowed to launch a new leg. */
1079 static bool
1081 {
1084 }
1086 /* The maximum number of retry is the minimum number of legs we are allowed
1087 * per set plus the maximum amount of retries we are allowed to do. */
1092 /* Only log once per nonce if we've reached the maximum. */
1096 }
1100 }
1102 allowed:
1104 }
1106 /*
1107 * Public API.
1108 */
1110 /** Launch a new conflux leg for the given nonce.
1111 *
1112 * Return true on success else false which teardowns the entire unlinked set if
1113 * any. */
1114 bool
1116 {
1118 CIRCLAUNCH_NEED_CONFLUX;
1124 /* Get or create a new unlinked object for this leg. */
1128 /* If we have an existing linked set, validate the number of leg retries
1129 * before attempting the launch. */
1132 }
1141 }
1143 /* Increase the retry count for this conflux object as in this nonce.
1144 * We must do this now, because some of the maze's early failure paths
1145 * call right back into this function for relaunch. */
1153 }
1156 /* At this point, the unlinked object has either a new conflux_t or the one
1157 * used by a linked set so it is fine to use the cfx from the unlinked object
1158 * from now on. */
1160 /* Get the max_seq_sent and recv from the linked pool, if it exists, and pass
1161 * to new link cell. */
1165 // TODO-329-ARTI: To support resumption/retransmit, the client should store
1166 // the last_seq_sent now, so that it can know how much data to retransmit to
1167 // the server after link. C-Tor will not be implementing this, but arti and
1168 // arti-relay could (if resumption seems worthwhile; it may not be worth the
1169 // memory storage there, either).
1171 /* We have a circuit, create the new leg and attach it to the set. */
1180 err:
1182 }
1184 /**
1185 * Add the identity digest of the guard nodes of all legs of the conflux
1186 * circuit.
1187 *
1188 * This function checks both pending and linked conflux circuits.
1189 */
1190 void
1193 {
1197 /* Ease our lives. */
1200 /* Ignore if this is not conflux related. */
1203 }
1205 /* When building a circuit, we should not have a conflux object
1206 * ourselves (though one may exist elsewhere). */
1209 /* Getting here without a nonce is a code flow issue. */
1212 }
1214 /* If there is only one bridge, then only issue a warn once that
1215 * at least two bridges are best for conflux. Exempt Snowflake
1216 * from this warn */
1218 /* Do not build any exclude lists; not enough bridges */
1220 }
1222 /* A linked set exists, use it. */
1229 DIGEST_LEN));
1231 }
1233 /* An unlinked set might exist for this nonce, if so, add the second hop of
1234 * the existing legs to the exclusion list. */
1240 /* Convert to origin circ and get cpath */
1244 DIGEST_LEN));
1246 }
1247 }
1249 /**
1250 * Add the identity digest of the middle nodes of all legs of the conflux
1251 * circuit.
1252 *
1253 * This function checks both pending and linked conflux circuits.
1254 *
1255 * XXX: The add guard and middle could be merged since it is the exact same
1256 * code except for the cpath position and the identity digest vs node_t in
1257 * the list. We could use an extra param indicating guard or middle. */
1258 void
1261 {
1265 /* Ease our lives. */
1268 /* Ignore if this is not conflux related. */
1271 }
1273 /* When building a circuit, we should not have a conflux object
1274 * ourselves (though one may exist elsewhere). */
1277 /* Getting here without a nonce is a code flow issue. */
1280 }
1282 /* A linked set exists, use it. */
1291 }
1293 }
1295 /* An unlinked set might exist for this nonce, if so, add the second hop of
1296 * the existing legs to the exclusion list. */
1302 /* Convert to origin circ and get cpath */
1308 }
1310 }
1311 }
1313 /** Return the number of unused client linked set. */
1314 static int
1316 {
1324 }
1326 count++;
1327 }
1331 }
1333 /** Determine if we need to launch new conflux circuits for our preemptive
1334 * pool.
1335 *
1336 * This is called once a second from the mainloop from
1337 * circuit_predict_and_launch_new(). */
1338 void
1340 {
1343 /* If conflux is disabled, or we have insufficient consensus exits,
1344 * don't prebuild. */
1348 }
1350 /* Don't attempt to build a new set if we are above our allowed maximum of
1351 * linked sets. */
1355 }
1357 /* Count the linked and unlinked to get the total number of sets we have
1358 * (will have). */
1366 }
1374 /* Failing once likely means we'll fail next attempt so stop for now and
1375 * we'll try later. */
1377 }
1378 }
1379 }
1381 /** Return the first circuit from the linked pool that will work with the conn.
1382 * If no such circuit exists, return NULL. */
1383 origin_circuit_t *
1385 {
1386 /* Use conn to check the exit policy of the first circuit
1387 * of each set in the linked pool. */
1391 /* Get the first circuit of the set. */
1396 /* Bug on these but we can recover. */
1399 }
1402 }
1405 /* Make sure the connection conforms with the exit policy and the isolation
1406 * flags also allows it. */
1408 CIRCUIT_PURPOSE_CONFLUX_LINKED,
1412 }
1414 /* Found a circuit that works. */
1419 }
1421 /** The given circuit is conflux pending and has closed. This deletes the leg
1422 * from the set, attempt to finalize it and relaunch a new leg. If the set is
1423 * empty after removing this leg, it is deleted. */
1424 static void
1426 {
1437 }
1441 /* This circuit is part of set that has already been removed previously freed
1442 * by another leg closing. */
1445 }
1447 /* We keep the nonce here because we will try to recover if we can and the
1448 * pending nonce will get nullified early. */
1454 /* Remove leg from set. */
1456 /* The circuit pending nonce has been nullified at this point. */
1458 /* If no more legs, opportunistically free the unlinked set. */
1462 /* Launch a new leg for this set to recover. */
1465 }
1466 }
1467 /* After this, it might have been freed. */
1470 /* Unlinked circuits should not have attached streams, but check
1471 * anyway, because The Maze. */
1473 }
1475 /** Update all stream pointers to point to this circuit.
1476 * This is used when a linked circuit is closed and we need to update the
1477 * streams to point to the remaining circuit
1478 */
1479 static void
1481 {
1488 /* Iterate over stream list using next_stream pointer, until null */
1491 /* Update the circuit pointer of each stream */
1494 }
1497 /* Iterate over stream list using next_stream pointer, until null */
1500 /* Update the circuit pointer of each stream */
1502 }
1503 /* Iterate over stream list using next_stream pointer, until null */
1506 /* Update the circuit pointer of each stream */
1508 }
1509 }
1510 }
1512 /** Nullify all streams of the given circuit. */
1513 static void
1515 {
1526 }
1527 }
1529 /** The given circuit is already linked to a set and has been closed. Remove it
1530 * from the set and free the pool if no more legs. */
1531 static void
1533 {
1544 }
1546 /* Unlink circuit from its conflux object. */
1550 /* Last leg, remove conflux object from linked set. */
1553 /* If there are other circuits, update streams backpointers and
1554 * nullify the stream lists. We do not free those streams in circuit_free_.
1555 * (They only get freed when the last circuit is freed). */
1559 }
1561 /* Keep the nonce so we can use it through out the rest of the function in
1562 * case we nullify the conflux object before. Reason is that in the case of a
1563 * full teardown, this function becomes basically recursive and so we must
1564 * nullify the conflux object of this circuit now before the recursiveness
1565 * starts leading to all legs being removed and thus not noticing if we are
1566 * the last or the first.
1567 *
1568 * Not the prettiest but that is the price to pay to live in the C-tor maze
1569 * and protected by ballrogs. */
1572 /* Nullify the conflux object from the circuit being closed iff we have more
1573 * legs. Reason being that the last leg needs to have the conflux object
1574 * attached to the circuit so it can be freed in conflux_circuit_free(). */
1577 }
1579 /* If this was a teardown condition, we need to mark other circuits,
1580 * including any potential unlinked circuits, for close.
1581 *
1582 * This call is recursive in the sense that linked_circuit_closed() will end
1583 * up being called for all legs and so by the time we come back here, the
1584 * linked is likely entirely gone. Thus why this is done last. */
1587 }
1588 }
1590 /** The given circuit is being freed and it is a linked leg. Clean up and free
1591 * anything that has to do with this circuit.
1592 *
1593 * After this call, the circuit should NOT be referenced anymore anywhere. */
1594 static void
1596 {
1601 }
1603 /* Circuit can be freed without being closed and so we try to delete this leg
1604 * so we can learn if this circuit is the last leg or not. */
1608 /* The last leg will free the streams but until then, we nullify to avoid
1609 * use-after-free. */
1612 /* We are the last leg. */
1614 /* Remove from pool in case it is still lingering there else we'll end up
1615 * in a double free situation. */
1618 /* If there is an unlinked circuit that was also created for this set, we
1619 * need to look for it, and tell it is no longer part of a linked set
1620 * anymore, so it can be freed properly, or can complete the link if it is
1621 * able to. Effectively, the conflux_t object lifetime is longer than
1622 * either the linked or unlinked sets by themselves. This is a situation we
1623 * could cover with handles, but so far, it is not clear they are an
1624 * obvious benefit for other cases than this one. */
1631 /* We are the last one, clear the conflux object. If an unlinked object
1632 * has a reference to it, it won't get freed due to is_for_linked_set
1633 * flag. */
1635 }
1636 }
1637 }
1639 /** The given circuit is being freed and it is an unlinked leg. Clean up and
1640 * free anything that has to do with this circuit.
1641 *
1642 * After this call, the circuit should NOT be referenced anymore anywhere. */
1643 static void
1645 {
1650 }
1652 /* Cleanup circuit reference if a leg exists. This is possible if the circuit
1653 * was not marked for close before being freed. */
1657 }
1659 /* Null pointers are safe here. */
1661 }
1663 /** Circuit has been marked for close. */
1664 void
1666 {
1667 /* The unlinked case. If an unlinked set exists, we delete the leg and then
1668 * attempt to finalize it. After that, we'll launch a new leg to recover. */
1673 }
1674 }
1676 /** Circuit with conflux purpose just opened. */
1677 void
1679 {
1687 /* Extra safety layer so we never let a circuit opens if conflux is not
1688 * enabled. */
1693 "Conflux circuit opened without negotiating "
1696 }
1698 /* Unrelated to conflux. */
1701 }
1710 }
1712 /* On failure here, the circuit is closed and thus the leg and unlinked set
1713 * will be cleaned up. */
1716 }
1718 /* Mark the leg on when the LINK cell is sent. Used to timeout the circuit
1719 * for a minimum RTT when getting the LINKED. */
1722 end:
1725 }
1727 /** Process a CONFLUX_LINK cell which arrived on the given circuit. */
1728 void
1731 {
1741 }
1743 /* This cell can't be received on an origin circuit because only the endpoint
1744 * creating the circuit sends it. */
1750 }
1757 }
1761 "Got a CONFLUX_LINK on a circuit with a pending nonce. "
1765 }
1769 "Got a CONFLUX_LINK on an already linked circuit "
1773 }
1775 /* On errors, logging is emitted in this parsing function. */
1782 }
1787 /* Consider this circuit a new leg. We'll now attempt to attach it to an
1788 * existing set or unlinked one. */
1793 /* Attach leg to the unlinked set. */
1796 /* Set the circuit in a pending conflux state for the LINKED_ACK. */
1800 /* Mark when we send the LINKED. */
1803 /* Send LINKED. */
1807 // TODO-329-ARTI: To support resumption/retransmit, the server should
1808 // store the last_seq_sent now, so that it can know how much data
1809 // to retransmit to the server after link. C-Tor will not be implementing
1810 // this, but arti and arti-relay could (if resumption seems worthwhile;
1811 // it may not be worth the memory storage there, either).
1816 /* Link the circuit to the a conflux set immediately before the LINKED is
1817 * sent. Reason is that once the client sends the LINKED_ACK, there is a race
1818 * with the BEGIN cell that can be sent immediately after and arrive first.
1819 * And so, we need to sync the streams before that happens that is before we
1820 * receive the LINKED_ACK. */
1824 }
1826 /* Exits should always request min latency from clients */
1828 last_seq_recv,
1829 DEFAULT_EXIT_UX);
1834 end:
1836 }
1838 /** Process a CONFLUX_LINKED cell which arrived on the given circuit. */
1839 void
1843 {
1848 /*
1849 * There several ways a malicious exit could create problems when sending
1850 * back this LINKED cell.
1851 *
1852 * 1. Using a different nonce that it knows about from another set. Accepting
1853 * it would mean a confirmation attack of linking sets to the same client.
1854 * To address that, the cell nonce MUST be matched with the circuit nonce.
1855 *
1856 * 2. Re-Sending a LINKED cell on an already linked circuit could create side
1857 * channel attacks or unpredictable issues. Circuit is closed.
1858 *
1859 * 3. Receiving a LINKED cell on a circuit that was not expecting it. Again,
1860 * as (2), can create side channel(s). Circuit is closed.
1861 *
1862 * 4. Receiving a LINKED cell from the another hop other than the last one
1863 * (exit). Same as (2) and (3) in terms of issues. Circuit is closed.
1864 */
1869 }
1871 /* LINKED cell are in response to a LINK cell which are only sent on an
1872 * origin circuit and thus received on such.*/
1877 }
1881 "Received a CONFLUX_LINKED cell without having sent a "
1884 }
1888 "Received a CONFLUX_LINKED cell on a circuit that is already "
1891 }
1897 }
1901 /* On errors, logging is emitted in this parsing function. */
1905 }
1910 /* Make sure the cell nonce matches the one on the circuit that was
1911 * previously set by the CONFLUX_LINK cell. */
1915 "Received CONFLUX_LINKED but circuit nonce doesn't match "
1918 }
1920 /* Find the leg from the associated unlinked set. */
1926 }
1930 /* Free the old link, and store the new one. We need to validate
1931 * the one we get during finalize, not the one we sent. */
1935 /* Record the RTT for this circuit. On failure, it means the RTT was too
1936 * high, we relaunch to recover. */
1939 }
1941 /* The following will link the circuit with its set and attempt to finalize
1942 * the set if all expected legs have linked. On error, we close the circuit
1943 * because it means the unlinked set needs to be teardowned. */
1947 /* Successfully linked. */
1951 /* No relaunch if the leg is invalid or the set is not found as in the
1952 * nonce is unknown. */
1957 }
1959 /* We can send the ack only if we finalize. This will not cause issues,
1960 * because LINKED_ACK is exempted from multiplexing in
1961 * conflux_should_multiplex(). */
1963 /* On failure, the circuit is closed by the underlying function(s). */
1965 }
1967 /* If this set is ready to use with a valid conflux set, try any pending
1968 * streams again. */
1971 }
1975 close:
1978 end:
1980 }
1982 /** Process a CONFLUX_LINKED_ACK cell which arrived on the given circuit. */
1983 void
1985 {
1990 }
1996 }
2002 }
2006 "Received a CONFLUX_LINKED_ACK cell on a circuit that is not"
2009 }
2014 /* Record the RTT for this circuit. This should not fail */
2017 }
2021 close:
2023 }
2025 /** Called when a circuit is freed.
2026 *
2027 * It is possible a conflux circuit gets freed without being closed (for
2028 * instance SIGTERM) and so this callback is needed in order to finalize the
2029 * cleanup. */
2030 void
2032 {
2041 }
2043 /* Whatever happens, nullify all conflux related pointers. */
2046 }
2048 /** Initialize the conflux pool subsystem. This is called by the subsys
2049 * manager. */
2050 void
2052 {
2055 }
2058 }
2061 }
2064 }
2065 }
2067 /**
2068 * Return a description of all linked and unlinked circuits associated
2069 * with a conflux set.
2070 *
2071 * For use in rare bug cases that are hard to diagnose.
2072 */
2073 void
2075 {
2079 LD_BUG,
2087 // Log all linked legs
2100 legs++;
2103 // Look up the nonce to see if we have any unlinked circuits.
2106 // Log the number of legs and the is_for_linked_set status
2119 legs++;
2121 }
2122 }
2124 /** Free and clean up the conflux pool subsystem. This is called by the subsys
2125 * manager AFTER all circuits have been freed which implies that all objects in
2126 * the pools aren't referenced anymore. */
2127 void
2129 {
2136 }