| blob | 51a75cf50233178204dfa0e577e6fe311e16c7af |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2013, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
29 /** Increment the number of times we successfully extended a circuit to
30 * <b>guard</b>, first checking if the failure rate is high enough that
31 * we should eliminate the guard. Return -1 if the guard looks no good;
32 * return 0 if the guard looks fine.
33 */
34 static int
36 {
51 }
53 /** The minimum number of circuit attempts before we start
54 * thinking about warning about path bias and dropping guards */
55 static int
57 {
58 #define DFLT_PATH_BIAS_MIN_CIRC 150
61 else
63 DFLT_PATH_BIAS_MIN_CIRC,
65 }
67 /** The circuit success rate below which we issue a notice */
68 static double
70 {
71 #define DFLT_PATH_BIAS_NOTICE_PCT 70
74 else
77 }
79 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
80 /** The circuit success rate below which we issue a warn */
81 static double
83 {
84 #define DFLT_PATH_BIAS_WARN_PCT 50
87 else
90 }
92 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
93 /**
94 * The extreme rate is the rate at which we would drop the guard,
95 * if pb_dropguard is also set. Otherwise we just warn.
96 */
97 double
99 {
100 #define DFLT_PATH_BIAS_EXTREME_PCT 30
103 else
106 }
108 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
109 /**
110 * If 1, we actually disable use of guards that fall below
111 * the extreme_pct.
112 */
113 int
115 {
116 #define DFLT_PATH_BIAS_DROP_GUARDS 0
119 else
122 }
124 /**
125 * This is the number of circuits at which we scale our
126 * counts by mult_factor/scale_factor. Note, this count is
127 * not exact, as we only perform the scaling in the event
128 * of no integer truncation.
129 */
130 static int
132 {
133 #define DFLT_PATH_BIAS_SCALE_THRESHOLD 300
136 else
139 INT32_MAX);
140 }
142 /**
143 * Compute the path bias scaling ratio from the consensus
144 * parameters pb_multfactor/pb_scalefactor.
145 *
146 * Returns a value in (0, 1.0] which we multiply our pathbias
147 * counts with to scale them down.
148 */
149 static double
151 {
152 /*
153 * The scale factor is the denominator for our scaling
154 * of circuit counts for our path bias window.
155 *
156 * Note that our use of doubles for the path bias state
157 * file means that powers of 2 work best here.
158 */
162 /**
163 * The mult factor is the numerator for our scaling
164 * of circuit counts for our path bias window. It
165 * allows us to scale by fractions.
166 */
169 }
171 /** The minimum number of circuit usage attempts before we start
172 * thinking about warning about path use bias and dropping guards */
173 static int
175 {
176 #define DFLT_PATH_BIAS_MIN_USE 20
179 else
181 DFLT_PATH_BIAS_MIN_USE,
183 }
185 /** The circuit use success rate below which we issue a notice */
186 static double
188 {
189 #define DFLT_PATH_BIAS_NOTICE_USE_PCT 80
192 else
194 DFLT_PATH_BIAS_NOTICE_USE_PCT,
196 }
198 /**
199 * The extreme use rate is the rate at which we would drop the guard,
200 * if pb_dropguard is also set. Otherwise we just warn.
201 */
202 double
204 {
205 #define DFLT_PATH_BIAS_EXTREME_USE_PCT 60
208 else
210 DFLT_PATH_BIAS_EXTREME_USE_PCT,
212 }
214 /**
215 * This is the number of circuits at which we scale our
216 * use counts by mult_factor/scale_factor. Note, this count is
217 * not exact, as we only perform the scaling in the event
218 * of no integer truncation.
219 */
220 static int
222 {
223 #define DFLT_PATH_BIAS_SCALE_USE_THRESHOLD 100
226 else
228 DFLT_PATH_BIAS_SCALE_USE_THRESHOLD,
230 }
232 /**
233 * Convert a Guard's path state to string.
234 */
237 {
253 }
256 }
258 /**
259 * This function decides if a circuit has progressed far enough to count
260 * as a circuit "attempt". As long as end-to-end tagging is possible,
261 * we assume the adversary will use it over hop-to-hop failure. Therefore,
262 * we only need to account bias for the last hop. This should make us
263 * much more resilient to ambient circuit failure, and also make that
264 * failure easier to measure (we only need to measure Exit failure rates).
265 */
266 static int
268 {
269 #define N2N_TAGGING_IS_POSSIBLE
270 #ifdef N2N_TAGGING_IS_POSSIBLE
271 /* cpath is a circular list. We want circs with more than one hop,
272 * and the second hop must be waiting for keys still (it's just
273 * about to get them). */
277 #else
278 /* If tagging attacks are no longer possible, we probably want to
279 * count bias from the first hop. However, one could argue that
280 * timing-based tagging is still more useful than per-hop failure.
281 * In which case, we'd never want to use this.
282 */
285 #endif
286 }
288 /**
289 * Decide if the path bias code should count a circuit.
290 *
291 * @returns 1 if we should count it, 0 otherwise.
292 */
293 static int
295 {
296 #define PATHBIAS_COUNT_INTERVAL (600)
301 /* We can't do path bias accounting without entry guards.
302 * Testing and controller circuits also have no guards.
303 *
304 * We also don't count server-side rends, because their
305 * endpoint could be chosen maliciously.
306 * Similarly, we can't count client-side intro attempts,
307 * because clients can be manipulated into connecting to
308 * malicious intro points. */
317 /* Check to see if the shouldcount result has changed due to a
318 * unexpected purpose change that would affect our results.
319 *
320 * The reason we check the path state too here is because for the
321 * cannibalized versions of these purposes, we count them as successful
322 * before their purpose change.
323 */
327 "Circuit %d is now being ignored despite being counted "
332 }
335 }
337 /* Completely ignore one hop circuits */
340 /* Check for inconsistency */
345 "One-hop circuit has length %d. Path state is %s. "
351 rate_msg);
353 }
355 }
357 /* Check to see if the shouldcount result has changed due to a
358 * unexpected change that would affect our results */
361 "One-hop circuit %d is now being ignored despite being counted "
366 }
369 }
371 /* Check to see if the shouldcount result has changed due to a
372 * unexpected purpose change that would affect our results */
375 "Circuit %d is now being counted despite being ignored "
380 }
384 }
386 /**
387 * Check our circuit state to see if this is a successful circuit attempt.
388 * If so, record it in the current guard's path bias circ_attempt count.
389 *
390 * Also check for several potential error cases for bug #6475.
391 */
392 int
394 {
395 #define CIRC_ATTEMPT_NOTICE_INTERVAL (600)
402 }
405 /* Help track down the real cause of bug #6475: */
410 "Opened circuit is in strange path state %s. "
415 rate_msg);
417 }
418 }
420 /* Don't re-count cannibalized circs.. */
428 guard =
430 }
437 /* Bogus guard; we already warned. */
439 }
444 "Unopened circuit has strange path state %s. "
449 rate_msg);
451 }
452 }
457 "Unopened circuit has no known guard. "
461 rate_msg);
463 }
464 }
465 }
466 }
469 }
471 /**
472 * Check our circuit state to see if this is a successful circuit
473 * completion. If so, record it in the current guard's path bias
474 * success count.
475 *
476 * Also check for several potential error cases for bug #6475.
477 */
478 void
480 {
481 #define SUCCESS_NOTICE_INTERVAL (600)
489 }
491 /* Don't count cannibalized/reused circs for path bias
492 * "build" success, since they get counted under "use" success. */
497 }
512 "Succeeded circuit is in strange path state %s. "
517 rate_msg);
519 }
520 }
527 }
528 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
529 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
530 * No need to log that case. */
535 "Completed circuit has no known guard. "
539 rate_msg);
541 }
542 }
548 "Opened circuit is in strange path state %s. "
553 rate_msg);
555 }
556 }
557 }
558 }
560 /**
561 * Record an attempt to use a circuit. Changes the circuit's
562 * path state and update its guard's usage counter.
563 *
564 * Used for path bias usage accounting.
565 */
566 void
568 {
573 }
577 "Used circuit is in strange path state %s. "
596 }
600 /* Harmless but educational log message */
602 "Used circuit %d is already in path state %s. "
608 }
611 }
613 /**
614 * Check the circuit's path state is appropriate and mark it as
615 * successfully used. Used for path bias usage accounting.
616 *
617 * We don't actually increment the guard's counters until
618 * pathbias_check_close(), because the circuit can still transition
619 * back to PATH_STATE_USE_ATTEMPTED if a stream fails later (this
620 * is done so we can probe the circuit for liveness at close).
621 */
622 void
624 {
627 }
631 "Used circuit %d is in strange path state %s. "
639 }
641 /* We don't do any accounting at the guard until actual circuit close */
645 }
647 /**
648 * If a stream ever detatches from a circuit in a retriable way,
649 * we need to mark this circuit as still needing either another
650 * successful stream, or in need of a probe.
651 *
652 * An adversary could let the first stream request succeed (ie the
653 * resolve), but then tag and timeout the remainder (via cell
654 * dropping), forcing them on new circuits.
655 *
656 * Rolling back the state will cause us to probe such circuits, which
657 * should lead to probe failures in the event of such tagging due to
658 * either unrecognized cells coming in while we wait for the probe,
659 * or the cipher state getting out of sync in the case of dropped cells.
660 */
661 void
663 {
666 "Rolling back pathbias use state to 'attempted' for detached "
669 }
670 }
672 /**
673 * Actually count a circuit success towards a guard's usage counters
674 * if the path state is appropriate.
675 */
676 static void
678 {
683 }
687 "Successfully used circuit %d is in strange path state %s. "
705 }
708 "Marked circuit %d (%f/%f) as used successfully for guard "
713 }
714 }
717 }
719 /**
720 * Send a probe down a circuit that the client attempted to use,
721 * but for which the stream timed out/failed. The probe is a
722 * RELAY_BEGIN cell with a 0.a.b.c destination address, which
723 * the exit will reject and reply back, echoing that address.
724 *
725 * The reason for such probes is because it is possible to bias
726 * a user's paths simply by causing timeouts, and these timeouts
727 * are not possible to differentiate from unresponsive servers.
728 *
729 * The probe is sent at the end of the circuit lifetime for two
730 * reasons: to prevent cryptographic taggers from being able to
731 * drop cells to cause timeouts, and to prevent easy recognition
732 * of probes before any real client traffic happens.
733 *
734 * Returns -1 if we couldn't probe, 0 otherwise.
735 */
736 static int
738 {
739 /* Based on connection_ap_handshake_send_begin() */
751 /* This can happen for cannibalized circuits. Their
752 * last hop isn't yet open */
754 "Got pathbias probe request for unopened circuit %d. "
758 }
760 /* We already went down this road. */
764 "Got pathbias probe request for circuit %d with "
767 }
769 /* Can't probe if the channel isn't open */
777 }
781 /* Update timestamp for when circuit_expire_building() should kill us */
784 /* Generate a random address for the nonce */
793 // XXX: need this? Can we assume ipv4 will always be supported?
794 // If not, how do we tell?
795 //if (payload_len <= RELAY_PAYLOAD_SIZE - 4 && edge_conn->begincell_flags) {
796 // set_uint32(payload + payload_len, htonl(edge_conn->begincell_flags));
797 // payload_len += 4;
798 //}
800 /* Generate+Store stream id, make sure it's non-zero */
805 "Ran out of stream IDs on circuit %u during "
809 }
816 /* Send a test relay cell */
824 }
826 /* Mark it freshly dirty so it doesn't get expired in the meantime */
830 }
832 /**
833 * Check the response to a pathbias probe, to ensure the
834 * cell is recognized and the nonce and other probe
835 * characteristics are as expected.
836 *
837 * If the response is valid, return 0. Otherwise return < 0.
838 */
839 int
841 {
842 /* Based on connection_edge_process_relay_cell() */
843 relay_header_t rh;
861 /* Check length+extract host: It is in network order after the reason code.
862 * See connection_edge_end(). */
867 }
871 /* Check nonce */
881 "Got strange probe value 0x%x vs 0x%x back for circ %d, "
885 }
886 }
888 "Got another cell back back on pathbias probe circuit %d: "
892 }
894 /**
895 * Check if a circuit was used and/or closed successfully.
896 *
897 * If we attempted to use the circuit to carry a stream but failed
898 * for whatever reason, or if the circuit mysteriously died before
899 * we could attach any streams, record these two cases.
900 *
901 * If we *have* successfully used the circuit, or it appears to
902 * have been closed by us locally, count it as a success.
903 *
904 * Returns 0 if we're done making decisions with the circ,
905 * or -1 if we want to probe it first.
906 */
907 int
909 {
914 }
917 /* If the circuit was closed after building, but before use, we need
918 * to ensure we were the ones who tried to close it (and not a remote
919 * actor). */
922 /* Remote circ close reasons on an unused circuit all could be bias */
924 "Circuit %d remote-closed without successful use for reason %d. "
936 /* If we didn't close the channel ourselves, it could be bias */
937 /* XXX: Only count bias if the network is live?
938 * What about clock jumps/suspends? */
940 "Circuit %d's channel closed without successful use for reason "
941 "%d, channel reason %d. Circuit purpose %d currently %d,%s. Len "
950 }
953 /* If we tried to use a circuit but failed, we should probe it to ensure
954 * it has not been tampered with. */
956 /* XXX: Only probe and/or count failure if the network is live?
957 * What about clock jumps/suspends? */
960 else
963 /* Any circuit where there were attempted streams but no successful
964 * streams could be bias */
966 "Circuit %d closed without successful use for reason %d. "
987 // Other states are uninteresting. No stats to count.
989 }
994 }
996 /**
997 * Count a successfully closed circuit.
998 */
999 static void
1001 {
1005 }
1010 }
1013 /* In the long run: circuit_success ~= successful_circuit_close +
1014 * circ_failure + stream_failure */
1018 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1019 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1020 * No need to log that case. */
1022 "Successfully closed circuit has no known guard. "
1026 }
1027 }
1029 /**
1030 * Count a circuit that fails after it is built, but before it can
1031 * carry any traffic.
1032 *
1033 * This is needed because there are ways to destroy a
1034 * circuit after it has successfully completed. Right now, this is
1035 * used for purely informational/debugging purposes.
1036 */
1037 static void
1039 {
1044 }
1049 }
1055 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1056 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1057 * No need to log that case. */
1059 "Destroyed circuit has no known guard. "
1063 }
1064 }
1066 /**
1067 * Count a known failed circuit (because we could not probe it).
1068 *
1069 * This counter is informational.
1070 */
1071 static void
1073 {
1077 }
1082 }
1088 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1089 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1090 * No need to log that case. */
1091 /* XXX note cut-and-paste code in this function compared to nearby
1092 * functions. Would be nice to refactor. -RD */
1094 "Stream-failing circuit has no known guard. "
1098 }
1099 }
1101 /**
1102 * Count timeouts for path bias log messages.
1103 *
1104 * These counts are purely informational.
1105 */
1106 void
1108 {
1113 }
1115 /* For hidden service circs, they can actually be used
1116 * successfully and then time out later (because
1117 * the other side declines to use them). */
1120 }
1125 }
1130 }
1131 }
1133 /**
1134 * Helper function to count all of the currently opened circuits
1135 * for a guard that are in a given path state range. The state
1136 * range is inclusive on both ends.
1137 */
1138 static int
1140 path_state_t from,
1141 path_state_t to)
1142 {
1146 /* Count currently open circuits. Give them the benefit of the doubt. */
1163 DIGEST_LEN)) {
1167 open_circuits++;
1168 }
1169 }
1172 }
1174 /**
1175 * Return the number of circuits counted as successfully closed for
1176 * this guard.
1177 *
1178 * Also add in the currently open circuits to give them the benefit
1179 * of the doubt.
1180 */
1181 double
1183 {
1186 PATH_STATE_BUILD_SUCCEEDED,
1187 PATH_STATE_USE_SUCCEEDED);
1188 }
1190 /**
1191 * Return the number of circuits counted as successfully used
1192 * this guard.
1193 *
1194 * Also add in the currently open circuits that we are attempting
1195 * to use to give them the benefit of the doubt.
1196 */
1197 double
1199 {
1202 PATH_STATE_USE_ATTEMPTED,
1203 PATH_STATE_USE_SUCCEEDED);
1204 }
1206 /**
1207 * Check the path bias use rate against our consensus parameter limits.
1208 *
1209 * Emits a log message if the use success rates are too low.
1210 *
1211 * If pathbias_get_dropguards() is set, we also disable the use of
1212 * very failure prone guards.
1213 */
1214 static void
1216 {
1220 /* Note: We rely on the < comparison here to allow us to set a 0
1221 * rate and disable the feature entirely. If refactoring, don't
1222 * change to <= */
1225 /* Dropping is currently disabled by default. */
1229 "Your Guard %s ($%s) is failing to carry an extremely large "
1230 "amount of stream on its circuits. "
1231 "To avoid potential route manipulation attacks, Tor has "
1232 "disabled use of this guard. "
1233 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1234 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1235 "and %ld timed out. "
1251 }
1255 "Your Guard %s ($%s) is failing to carry an extremely large "
1256 "amount of streams on its circuits. "
1257 "This could indicate a route manipulation attack, network "
1258 "overload, bad local network connectivity, or a bug. "
1259 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1260 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1261 "and %ld timed out. "
1273 }
1279 "Your Guard %s ($%s) is failing to carry more streams on its "
1280 "circuits than usual. "
1281 "Most likely this means the Tor network is overloaded "
1282 "or your network connection is poor. "
1283 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1284 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1285 "and %ld timed out. "
1297 }
1298 }
1299 }
1300 }
1302 /**
1303 * Check the path bias circuit close status rates against our consensus
1304 * parameter limits.
1305 *
1306 * Emits a log message if the use success rates are too low.
1307 *
1308 * If pathbias_get_dropguards() is set, we also disable the use of
1309 * very failure prone guards.
1310 *
1311 * XXX: This function shares similar log messages and checks to
1312 * pathbias_measure_use_rate(). It may be possible to combine them
1313 * eventually, especially if we can ever remove the need for 3
1314 * levels of closure warns (if the overall circuit failure rate
1315 * goes down with ntor). One way to do so would be to multiply
1316 * the build rate with the use rate to get an idea of the total
1317 * fraction of the total network paths the user is able to use.
1318 * See ticket #8159.
1319 */
1320 static void
1322 {
1326 /* Note: We rely on the < comparison here to allow us to set a 0
1327 * rate and disable the feature entirely. If refactoring, don't
1328 * change to <= */
1331 /* Dropping is currently disabled by default. */
1335 "Your Guard %s ($%s) is failing an extremely large "
1336 "amount of circuits. "
1337 "To avoid potential route manipulation attacks, Tor has "
1338 "disabled use of this guard. "
1339 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1340 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1341 "and %ld timed out. "
1357 }
1361 "Your Guard %s ($%s) is failing an extremely large "
1362 "amount of circuits. "
1363 "This could indicate a route manipulation attack, "
1364 "extreme network overload, or a bug. "
1365 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1366 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1367 "and %ld timed out. "
1379 }
1385 "Your Guard %s ($%s) is failing a very large "
1386 "amount of circuits. "
1387 "Most likely this means the Tor network is "
1388 "overloaded, but it could also mean an attack against "
1389 "you or potentially the guard itself. "
1390 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1391 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1392 "and %ld timed out. "
1404 }
1410 "Your Guard %s ($%s) is failing more circuits than "
1411 "usual. "
1412 "Most likely this means the Tor network is overloaded. "
1413 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1414 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1415 "and %ld timed out. "
1427 }
1428 }
1429 }
1430 }
1432 /**
1433 * This function scales the path bias use rates if we have
1434 * more data than the scaling threshold. This allows us to
1435 * be more sensitive to recent measurements.
1436 *
1437 * XXX: The attempt count transfer stuff here might be done
1438 * better by keeping separate pending counters that get
1439 * transfered at circuit close. See ticket #8160.
1440 */
1441 static void
1443 {
1446 /* If we get a ton of circuits, just scale everything down */
1452 PATH_STATE_BUILD_SUCCEEDED,
1453 PATH_STATE_USE_FAILED);
1454 /* Verify that the counts are sane before and after scaling */
1473 "Scaled pathbias counts to (%f,%f)/%f (%d/%d open) for guard "
1479 /* Have the counts just become invalid by this scaling attempt? */
1482 "Scaling has mangled pathbias counts to %f/%f (%d/%d open) "
1487 }
1488 }
1489 }
1491 /**
1492 * This function scales the path bias circuit close rates if we have
1493 * more data than the scaling threshold. This allows us to be more
1494 * sensitive to recent measurements.
1495 *
1496 * XXX: The attempt count transfer stuff here might be done
1497 * better by keeping separate pending counters that get
1498 * transfered at circuit close. See ticket #8160.
1499 */
1500 void
1502 {
1505 /* If we get a ton of circuits, just scale everything down */
1510 /* Verify that the counts are sane before and after scaling */
1525 /* Have the counts just become invalid by this scaling attempt? */
1528 "Scaling has mangled pathbias usage counts to %f/%f "
1533 }
1536 }
1537 }