| blob | 034a0dc77891b9591c3114d47996fd69dd92448d |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2020, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circuitbuild.c
9 *
10 * \brief Implements the details of building circuits (by chosing paths,
11 * constructing/sending create/extend cells, and so on).
12 *
13 * On the client side, this module handles launching circuits. Circuit
14 * launches are srtarted from circuit_establish_circuit(), called from
15 * circuit_launch_by_extend_info()). To choose the path the circuit will
16 * take, onion_extend_cpath() calls into a maze of node selection functions.
17 *
18 * Once the circuit is ready to be launched, the first hop is treated as a
19 * special case with circuit_handle_first_hop(), since it might need to open a
20 * channel. As the channel opens, and later as CREATED and RELAY_EXTENDED
21 * cells arrive, the client will invoke circuit_send_next_onion_skin() to send
22 * CREATE or RELAY_EXTEND cells.
23 *
24 * The server side is handled in feature/relay/circuitbuild_relay.c.
25 **/
27 #define CIRCUITBUILD_PRIVATE
28 #define OCIRC_EVENT_PRIVATE
94 /** This function tries to get a channel to the specified endpoint,
95 * and then calls command_setup_channel() to give it the right
96 * callbacks.
97 */
100 {
113 }
115 /** Search for a value for circ_id that we can use on <b>chan</b> for an
116 * outbound circuit, until we get a circ_id that is not in use by any other
117 * circuit on that conn.
118 *
119 * Return it, or 0 if can't get a unique circ_id.
120 */
121 STATIC circid_t
123 {
124 /* This number is chosen somewhat arbitrarily; see comment below for more
125 * info. When the space is 80% full, it gives a one-in-a-million failure
126 * chance; when the space is 90% full, it gives a one-in-850 chance; and when
127 * the space is 95% full, it gives a one-in-26 failure chance. That seems
128 * okay, though you could make a case IMO for anything between N=32 and
129 * N=256. */
130 #define MAX_CIRCID_ATTEMPTS 64
133 circid_t test_circ_id;
143 "Trying to pick a circuit ID for a connection from "
146 }
152 /* Make sure we don't loop forever because all circuit IDs are used.
153 *
154 * Once, we would try until we had tried every possible circuit ID. But
155 * that's quite expensive. Instead, we try MAX_CIRCID_ATTEMPTS random
156 * circuit IDs, and then give up.
157 *
158 * This potentially causes us to give up early if our circuit ID space
159 * is nearly full. If we have N circuit IDs in use, then we will reject
160 * a new circuit with probability (N / max_range) ^ MAX_CIRCID_ATTEMPTS.
161 * This means that in practice, a few percent of our circuit ID capacity
162 * will go unused.
163 *
164 * The alternative here, though, is to do a linear search over the
165 * whole circuit ID space every time we extend a circuit, which is
166 * not so great either.
167 */
176 "circID support, with %u inbound and %u outbound circuits. "
177 "Found %u circuit IDs in use by circuits, and %u with "
178 "pending destroy cells. (%u of those were marked bogusly.) "
179 "The ones with pending destroy cells "
180 "have been marked unusable for an average of %ld seconds "
181 "and a maximum of %ld seconds. This channel is %ld seconds "
189 m);
193 /* This warning should be impossible. */
196 }
198 /* analysis so far on 12184 suggests that we're running out of circuit
199 IDs because it looks like we have too many pending destroy
200 cells. Let's see how many we really have pending.
201 */
206 "of which %u are active. It says it has %"PRId64
212 /* Change this into "if (1)" in order to get more information about
213 * possible failure modes here. You'll need to know how to use gdb with
214 * Tor: this will make Tor exit with an assertion failure if the cmux is
215 * corrupt. */
222 }
237 since_when =
246 }
247 }
250 }
252 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
253 * the currently built elements of <b>circ</b>. If <b>verbose</b> is true, also
254 * list information about link status in a more verbose format using spaces.
255 * If <b>verbose_names</b> is false, give hex digests; if <b>verbose_names</b>
256 * is true, use $DIGEST=Name style names.
257 */
260 {
277 }
304 }
309 }
317 }
325 }
327 /** If <b>verbose</b> is false, allocate and return a comma-separated
328 * list of the currently built elements of <b>circ</b>. If
329 * <b>verbose</b> is true, also list information about link status in
330 * a more verbose format using spaces.
331 */
334 {
336 }
338 /** Allocate and return a comma-separated list of the currently built elements
339 * of <b>circ</b>, giving each as a verbose nickname.
340 */
343 {
345 }
347 /** Log, at severity <b>severity</b>, the nicknames of each router in
348 * <b>circ</b>'s cpath. Also log the length of the cpath, and the intended
349 * exit point.
350 */
351 void
353 {
357 }
359 /** Return 1 iff every node in circ's cpath definitely supports ntor. */
360 static int
362 {
367 /* if the extend_info is missing, we can't tell if it supports ntor */
370 }
372 /* if the key is blank, it definitely doesn't support ntor */
375 }
380 }
382 /** Pick all the entries in our cpath. Stop and return 0 when we're
383 * happy, or return -1 if an error occurs. */
384 static int
386 {
389 /* onion_extend_cpath assumes these are non-NULL */
398 }
399 }
401 /* The path is complete */
404 /* Does every node in this path support ntor? */
407 /* We would like every path to support ntor, but we have to allow for some
408 * edge cases. */
411 /* Circuits from clients to intro points, and hidden services to rend
412 * points do not support ntor, because the hidden service protocol does
413 * not include ntor onion keys. This is also true for Single Onion
414 * Services. */
416 }
419 /* Allow for bootstrapping: when we're fetching directly from a fallback,
420 * authority, or bridge, we have no way of knowing its ntor onion key
421 * before we connect to it. So instead, we try connecting, and end up using
422 * CREATE_FAST. */
427 /* If we don't know the node and its descriptor, we must be bootstrapping.
428 */
431 }
432 }
435 /* If we're building a multi-hop path, and it's not one of the HS or
436 * bootstrapping exceptions, and it doesn't support ntor, something has
437 * gone wrong. */
439 }
442 }
444 /** Create and return a new origin circuit. Initialize its purpose and
445 * build-state based on our arguments. The <b>flags</b> argument is a
446 * bitfield of CIRCLAUNCH_* flags, see circuit_launch_by_extend_info() for
447 * more details. */
448 origin_circuit_t *
450 {
451 /* sets circ->p_circ_id and circ->p_chan */
467 }
469 /** Build a new circuit for <b>purpose</b>. If <b>exit</b> is defined, then use
470 * that as your exit router, else choose a suitable exit node. The <b>flags</b>
471 * argument is a bitfield of CIRCLAUNCH_* flags, see
472 * circuit_launch_by_extend_info() for more details.
473 *
474 * Also launch a connection to the first OR in the chosen path, if
475 * it's not open already.
476 */
477 origin_circuit_t *
479 {
486 }
494 }
501 }
505 }
507 /** Return the guard state associated with <b>circ</b>, which may be NULL. */
508 circuit_guard_state_t *
510 {
512 }
514 /**
515 * Helper function to publish a channel association message
516 *
517 * circuit_handle_first_hop() calls this to notify subscribers about a
518 * channel launch event, which associates a circuit with a channel.
519 * This doesn't always correspond to an assignment of the circuit's
520 * n_chan field, because that seems to be only for fully-open
521 * channels.
522 **/
523 static void
525 {
533 }
535 /** Start establishing the first hop of our circuit. Figure out what
536 * OR we should connect to, and if necessary start the connection to
537 * it. If we're already connected, then send the 'create' cell.
538 * Return 0 for ok, -reason if circ should be marked-for-close. */
539 int
541 {
553 /* Some bridges are on private addresses. Others pass a dummy private
554 * address to the pluggable transport, which ignores it.
555 * Deny the connection if:
556 * - the address is internal, and
557 * - we're not connecting to a configured bridge, and
558 * - we're not configured to allow extends to private addresses. */
565 }
567 /* now see if we're already connected to the first OR in 'route' */
581 /* not currently connected in a useful way. */
592 }
594 }
597 /* return success. The onion/circuit/etc will be taken care of
598 * automatically (may already have been) whenever n_chan reaches
599 * OR_CONN_STATE_OPEN.
600 */
612 }
613 }
615 }
617 /** Find any circuits that are waiting on <b>or_conn</b> to become
618 * open and get them to send their create cells forward.
619 *
620 * Status is 1 if connect succeeded, or 0 if connect failed.
621 *
622 * Close_origin_circuits is 1 if we should close all the origin circuits
623 * through this channel, or 0 otherwise. (This happens when we want to retry
624 * an older guard.)
625 */
626 void
628 {
641 {
642 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
643 * leaving them in in case it's possible for the status of a circuit to
644 * change as we're going down the list. */
650 /* Look at addr/port. This is an unkeyed connection. */
654 /* We expected a key. See if it's the right one. */
658 }
663 }
668 }
670 /* circuit_deliver_create_cell will set n_circ_id and add us to
671 * chan_circuid_circuit_map, so we don't need to call
672 * set_circid_chan here. */
684 /* XXX could this be bad, eg if next_onion_skin failed because conn
685 * died? */
686 }
688 /* pull the create cell out of circ->n_chan_create_cell, and send it */
693 }
696 }
697 }
701 }
703 /** Find a new circid that isn't currently in use on the circ->n_chan
704 * for the outgoing
705 * circuit <b>circ</b>, and deliver the cell <b>create_cell</b> to this
706 * circuit. If <b>relayed</b> is true, this is a create cell somebody
707 * gave us via an EXTEND cell, so we shouldn't worry if we don't understand
708 * it. Return -1 if we failed to find a suitable circid, else return 0.
709 */
714 {
715 cell_t cell;
716 circid_t id;
732 }
740 }
749 /* Update began timestamp for circuits starting their first hop */
753 "Got first hop for a circuit without an opened channel. "
756 }
759 }
761 /* mark it so it gets better rate limiting treatment. */
763 }
766 error:
769 }
771 /** Return true iff we should send a create_fast cell to start building a given
772 * circuit */
775 {
781 /* We don't have ntor, and we don't have or can't use TAP,
782 * so our hand is forced: only a create_fast will work. */
784 }
786 /* We're a server, and we have a usable onion key. We can choose.
787 * Prefer to blend our circuit into the other circuits we are
788 * creating on behalf of others. */
790 }
792 }
794 /**
795 * Return true if <b>circ</b> is the type of circuit we want to count
796 * timeouts from.
797 *
798 * In particular, we want to consider any circuit that plans to build
799 * at least 3 hops (but maybe more), but has 3 or fewer hops built
800 * so far.
801 *
802 * We still want to consider circuits before 3 hops, because we need
803 * to decide if we should convert them to a measurement circuit in
804 * circuit_build_times_handle_completed_hop(), rather than letting
805 * slow circuits get killed right away.
806 */
807 int
809 {
813 }
815 /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b>
816 * directly, and set *<b>cell_type_out</b> and *<b>handshake_type_out</b>
817 * accordingly.
818 * Note that TAP handshakes in CREATE cells are only used for direct
819 * connections:
820 * - from Single Onions to rend points not in the service's consensus.
821 * This is checked in onion_populate_cpath. */
822 static void
826 {
827 /* torspec says: In general, clients SHOULD use CREATE whenever they are
828 * using the TAP handshake, and CREATE2 otherwise. */
833 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
836 }
837 }
839 /** Decide whether to use a TAP or ntor handshake for extending to <b>ei</b>
840 * and set *<b>handshake_type_out</b> accordingly. Decide whether we should
841 * use an EXTEND2 or an EXTEND cell to do so, and set *<b>cell_type_out</b>
842 * and *<b>create_cell_type_out</b> accordingly.
843 * Note that TAP handshakes in EXTEND cells are only used:
844 * - from clients to intro points, and
845 * - from hidden services to rend points.
846 * This is checked in onion_populate_cpath.
847 */
848 static void
853 {
857 /* torspec says: Clients SHOULD use the EXTEND format whenever sending a TAP
858 * handshake... In other cases, clients SHOULD use EXTEND2. */
863 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
866 }
867 }
869 /**
870 * Return true iff <b>purpose</b> is a purpose for a circuit which is
871 * allowed to have no guard configured, even if the circuit is multihop
872 * and guards are enabled.
873 */
874 static int
876 {
880 /* Testing circuits may omit guards because they're measuring
881 * liveness or performance, and don't want guards to interfere. */
884 /* All other multihop circuits should use guards if guards are
885 * enabled. */
887 }
888 }
890 /** This is the backbone function for building circuits.
891 *
892 * If circ's first hop is closed, then we need to build a create
893 * cell and send it forward.
894 *
895 * Otherwise, if circ's cpath still has any non-open hops, we need to
896 * build a relay extend cell and send it forward to the next non-open hop.
897 *
898 * If all hops on the cpath are open, we're done building the circuit
899 * and we should do housekeeping for the newly opened circuit.
900 *
901 * Return -reason if we want to tear down circ, else return 0.
902 */
903 int
905 {
909 /* Case one: we're on the first hop. */
911 }
922 /* Case two: we're on a hop after the first. */
924 }
926 /* Case three: the circuit is finished. Do housekeeping tasks on it. */
929 }
931 /**
932 * Called from circuit_send_next_onion_skin() when we find ourselves connected
933 * to the first hop in <b>circ</b>: Send a CREATE or CREATE2 or CREATE_FAST
934 * cell to that hop. Return 0 on success; -reason on failure (if the circuit
935 * should be torn down).
936 */
937 static int
939 {
943 create_cell_t cc;
953 /* If this is not a one-hop tunnel, the channel is being used
954 * for traffic that wants anonymity and protection from traffic
955 * analysis (such as netflow record retention). That means we want
956 * to pad it.
957 */
960 }
965 /* We know the right onion key: we should send a create cell. */
969 /* We don't know an onion key, so we need to fall back to CREATE_FAST. */
972 }
981 }
994 }
996 /**
997 * Called from circuit_send_next_onion_skin() when we find that we have no
998 * more hops: mark the circuit as finished, and perform the necessary
999 * bookkeeping. Return 0 on success; -reason on failure (if the circuit
1000 * should be torn down).
1001 */
1002 static int
1004 {
1005 guard_usable_t r;
1013 }
1017 }
1022 // Wait till either a better guard succeeds, or till
1023 // all better guards fail.
1028 }
1030 /* XXXX #21422 -- the rest of this branch needs careful thought!
1031 * Some of the things here need to happen when a circuit becomes
1032 * mechanically open; some need to happen when it is actually usable.
1033 * I think I got them right, but more checking would be wise. -NM
1034 */
1041 }
1050 /* FFFF Log a count of known routers here */
1052 "Tor has successfully opened a circuit. "
1060 }
1061 }
1063 /* We're done with measurement circuits here. Just close them */
1066 }
1068 }
1070 /**
1071 * Called from circuit_send_next_onion_skin() when we find that we have a hop
1072 * other than the first that we need to extend to: use <b>hop</b>'s
1073 * information to extend the circuit another step. Return 0 on success;
1074 * -reason on failure (if the circuit should be torn down).
1075 */
1076 static int
1079 {
1081 extend_cell_t ec;
1082 /* Relays and bridges can send IPv6 extends. But for clients, it's an
1083 * obvious version distinguisher. */
1105 }
1110 }
1115 }
1117 /* Set the ED25519 identity too -- it will only get included
1118 * in the extend2 cell if we're configured to use it, though. */
1128 }
1132 {
1139 }
1141 /* send it to hop->prev, because that relay will transfer
1142 * it to a create cell and then send to hop */
1144 command,
1148 }
1152 }
1154 /** Our clock just jumped by <b>seconds_elapsed</b>. If <b>was_idle</b> is
1155 * true, then the monotonic time matches; otherwise it doesn't. Assume
1156 * something has also gone wrong with our network: notify the user, and
1157 * abandon all not-yet-used circuits. */
1158 void
1160 {
1170 (
1173 }
1177 /* so we log when it works again */
1184 /* Restart all the timers in case we jumped a long way into the past. */
1186 }
1187 }
1189 /** A "created" cell <b>reply</b> came back to us on circuit <b>circ</b>.
1190 * (The body of <b>reply</b> varies depending on what sort of handshake
1191 * this is.)
1192 *
1193 * Calculate the appropriate keys and digests, make sure KH is
1194 * correct, and initialize this hop of the cpath.
1195 *
1196 * Return - reason if we want to mark circ for close, else return 0.
1197 */
1198 int
1201 {
1209 }
1218 }
1219 }
1222 {
1233 }
1234 }
1240 }
1248 }
1250 /** We received a relay truncated cell on circ.
1251 *
1252 * Since we don't send truncates currently, getting a truncated
1253 * means that a connection broke or an extend failed. For now,
1254 * just give up: force circ to close, and return 0.
1255 */
1256 int
1258 {
1259 // crypt_path_t *victim;
1260 // connection_t *stream;
1264 /* XXX Since we don't send truncates currently, getting a truncated
1265 * means that a connection broke or an extend failed. For now,
1266 * just give up.
1267 */
1272 #if 0
1274 /* we need to clear out layer->next */
1282 /* no need to send 'end' relay cells,
1283 * because the other side's already dead
1284 */
1286 }
1287 }
1291 }
1296 }
1298 /** Helper for new_route_len(). Choose a circuit length for purpose
1299 * <b>purpose</b>: DEFAULT_ROUTE_LEN (+ 1 if someone else chose the
1300 * exit). If someone else chose the exit, they could be colluding
1301 * with the exit, so add a randomly selected node to preserve
1302 * anonymity.
1303 *
1304 * Here, "exit node" sometimes means an OR acting as an internal
1305 * endpoint, rather than as a relay to an external endpoint. This
1306 * means there need to be at least DEFAULT_ROUTE_LEN routers between
1307 * us and the internal endpoint to preserve the same anonymity
1308 * properties that we would get when connecting to an external
1309 * endpoint. These internal endpoints can include:
1310 *
1311 * - Connections to a directory of hidden services
1312 * (CIRCUIT_PURPOSE_C_GENERAL)
1313 *
1314 * - A client connecting to an introduction point, which the hidden
1315 * service picked (CIRCUIT_PURPOSE_C_INTRODUCING, via
1316 * circuit_get_open_circ_or_launch() which rewrites it from
1317 * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT)
1318 *
1319 * - A hidden service connecting to a rendezvous point, which the
1320 * client picked (CIRCUIT_PURPOSE_S_CONNECT_REND, via
1321 * rend_service_receive_introduction() and
1322 * rend_service_relaunch_rendezvous)
1323 *
1324 * There are currently two situations where we picked the exit node
1325 * ourselves, making DEFAULT_ROUTE_LEN a safe circuit length:
1326 *
1327 * - We are a hidden service connecting to an introduction point
1328 * (CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, via
1329 * rend_service_launch_establish_intro())
1330 *
1331 * - We are a router testing its own reachabiity
1332 * (CIRCUIT_PURPOSE_TESTING, via router_do_reachability_checks())
1333 *
1334 * onion_pick_cpath_exit() bypasses us (by not calling
1335 * new_route_len()) in the one-hop tunnel case, so we don't need to
1336 * handle that.
1337 */
1338 int
1340 {
1345 /* Clients want an extra hop for rends to avoid linkability.
1346 * Services want it for intro points to avoid publishing their
1347 * layer3 guards. They want it for hsdir posts to use
1348 * their full layer3 guard set for those connections.
1349 * Ex: C - G - L2 - L3 - R
1350 * S - G - L2 - L3 - HSDIR
1351 * S - G - L2 - L3 - I
1352 */
1359 /* If we only have Layer2 vanguards, then we do not need
1360 * the extra hop for linkabilty reasons (see below).
1361 * This means all hops can be of the form:
1362 * S/C - G - L2 - M - R/HSDir/I
1363 */
1367 /* For connections to hsdirs, clients want two extra hops
1368 * when using layer3 guards, to avoid linkability.
1369 * Same goes for intro points. Note that the route len
1370 * includes the intro point or hsdir, hence the +2.
1371 * Ex: C - G - L2 - L3 - M - I
1372 * C - G - L2 - L3 - M - HSDIR
1373 * S - G - L2 - L3 - M - R
1374 */
1379 }
1385 /* These two purposes connect to a router that we chose, so
1386 * DEFAULT_ROUTE_LEN is safe. */
1388 /* hidden service connecting to introduction point */
1390 /* router reachability testing */
1394 /* These three purposes connect to a router that someone else
1395 * might have chosen, so add an extra hop to protect anonymity. */
1399 /* connecting to hidden service directory */
1401 /* client connecting to introduction point */
1403 /* hidden service connecting to rendezvous point */
1405 routelen++;
1409 /* Got a purpose not listed above along with a chosen exit.
1410 * Increase the circuit length by one anyway for safety. */
1411 routelen++;
1413 }
1418 }
1420 }
1422 /** Choose a length for a circuit of purpose <b>purpose</b> and check
1423 * if enough routers are available.
1424 *
1425 * If the routerlist <b>nodes</b> doesn't have enough routers
1426 * to handle the desired path length, return -1.
1427 */
1428 STATIC int
1431 {
1443 num_acceptable_indirect);
1447 "Not enough acceptable routers (%d/%d direct and %d/%d "
1452 }
1455 }
1457 /** Return a newly allocated list of uint16_t * for each predicted port not
1458 * handled by a current circuit. */
1461 {
1465 }
1467 /** Return 1 if we already have circuits present or on the way for
1468 * all anticipated ports. Return 0 if we should make more.
1469 *
1470 * If we're returning 0, set need_uptime and need_capacity to
1471 * indicate any requirements that the unhandled ports have.
1472 */
1476 {
1483 // Always predict need_capacity
1491 }
1494 }
1496 /** Return 1 if <b>node</b> can handle one or more of the ports in
1497 * <b>needed_ports</b>, else return 0.
1498 */
1499 static int
1506 addr_policy_result_t r;
1507 /* alignment issues aren't a worry for this dereference, since
1508 needed_ports is explicitly a smartlist of uint16_t's */
1513 else
1517 }
1519 }
1521 /** Return true iff <b>conn</b> needs another general circuit to be
1522 * built. */
1523 static int
1525 {
1538 MIN_CIRCUITS_HANDLING_STREAM))
1541 }
1543 /** Return a pointer to a suitable router to be the exit node for the
1544 * general-purpose circuit we're about to build.
1545 *
1546 * Look through the connection array, and choose a router that maximizes
1547 * the number of pending streams that can exit from this router.
1548 *
1549 * Return NULL if we can't find any suitable routers.
1550 */
1553 {
1565 /* We should not require guard flags on exits. */
1569 /* We reject single-hop exits for all node positions. */
1573 /* This isn't the function for picking rendezvous nodes. */
1577 /* We only want exits to extend if we cannibalize the circuit.
1578 * But we don't require IPv6 extends yet. */
1584 /* Count how many connections are waiting for a circuit to be built.
1585 * We use this for log messages now, but in the future we may depend on it.
1586 */
1588 {
1591 });
1592 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
1593 // n_pending_connections);
1594 /* Now we count, for each of the routers in the directory, how many
1595 * of the pending connections could possibly exit from that
1596 * router (n_supported[i]). (We can't be sure about cases where we
1597 * don't know the IP address of the pending connection.)
1598 *
1599 * -1 means "Don't use this router at all."
1600 */
1607 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
1608 /* XXX there's probably a reverse predecessor attack here, but
1609 * it's slow. should we take this out? -RD
1610 */
1612 }
1616 }
1620 }
1624 }
1629 }
1632 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
1633 // router->nickname, i);
1635 }
1637 /* iterate over connections */
1643 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
1644 // router->nickname, i, n_supported[i]);
1646 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
1647 // router->nickname, i);
1648 }
1651 /* Leave best_support at -1 if that's where it is, so we can
1652 * distinguish it later. */
1654 }
1656 /* If this router is better than previous ones, remember its index
1657 * and goodness, and start counting how many routers are this good. */
1659 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
1660 // router->nickname);
1662 /* If this router is _as good_ as the best one, just increment the
1663 * count of equally good routers.*/
1665 }
1670 n_pending_connections);
1672 /* If any routers definitely support any pending connections, choose one
1673 * at random. */
1680 });
1685 /* Either there are no pending connections, or no routers even seem to
1686 * possibly support any of them. Choose a router at random that satisfies
1687 * at least one predicted exit port. */
1695 "We couldn't find any live%s%s routers; falling back "
1702 }
1706 }
1710 /* try once to pick only from routers that satisfy a needed port,
1711 * then if there are none, pick from any that support exiting. */
1715 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
1716 // try, router->nickname);
1718 }
1725 /* If we reach this point, we can't actually support any unhandled
1726 * predicted ports, so clear all the remaining ones. */
1729 }
1733 }
1739 }
1742 "No exits in ExitNodes%s seem to be running: "
1746 }
1748 }
1750 /* Pick a Rendezvous Point for our HS circuits according to <b>flags</b>. */
1753 {
1756 }
1758 /*
1759 * Helper function to pick a configured restricted middle node
1760 * (either HSLayer2Nodes or HSLayer3Nodes).
1761 *
1762 * Make sure that the node we chose is alive, and not excluded,
1763 * and return it.
1764 *
1765 * The exclude_set is a routerset of nodes that the selected node
1766 * must not match, and the exclude_list is a simple list of nodes
1767 * that the selected node must not be in. Either or both may be
1768 * NULL.
1769 *
1770 * Return NULL if no usable nodes could be found. */
1777 {
1785 /* Add all running nodes to all_live_nodes */
1788 /* Filter all_live_nodes to only add live *and* whitelisted middles
1789 * to the list whitelisted_live_middles. */
1793 }
1796 /* Honor ExcludeNodes */
1799 }
1803 }
1805 /**
1806 * Max number of restricted nodes before we alert the user and try
1807 * to load balance for them.
1808 *
1809 * The most aggressive vanguard design had 16 nodes at layer3.
1810 * Let's give a small ceiling above that. */
1811 #define MAX_SANE_RESTRICTED_NODES 20
1812 /* If the user (or associated tor controller) selected only a few nodes,
1813 * assume they took load balancing into account and don't do it for them.
1814 *
1815 * If there are a lot of nodes in here, assume they did not load balance
1816 * and do it for them, but also warn them that they may be Doing It Wrong.
1817 */
1819 MAX_SANE_RESTRICTED_NODES) {
1824 "Your _HSLayer%dNodes setting has resulted "
1825 "in %d total nodes. This is a lot of nodes. "
1826 "You may want to consider using a Tor controller "
1830 /* NO_WEIGHTING here just means don't take node flags into account
1831 * (ie: use consensus measurement only). This is done so that
1832 * we don't further surprise the user by not using Exits that they
1833 * specified at all */
1835 NO_WEIGHTING);
1836 }
1842 }
1844 /** Return a pointer to a suitable router to be the exit node for the
1845 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
1846 * if no router is suitable).
1847 *
1848 * For general-purpose circuits, pass it off to
1849 * choose_good_exit_server_general()
1850 *
1851 * For client-side rendezvous circuits, choose a random node, weighted
1852 * toward the preferences in 'options'.
1853 */
1857 {
1865 /* For these three, we want to pick the exit like a middle hop,
1866 * since it should be random. */
1868 FALLTHROUGH;
1872 else
1875 {
1876 /* Pick a new RP */
1881 }
1882 }
1886 }
1888 /** Log a warning if the user specified an exit for the circuit that
1889 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
1890 static void
1893 {
1903 {
1939 }
1942 /* We should never get here if StrictNodes is set to 1. */
1945 "even though StrictNodes is set. Please report. "
1952 "ExcludeNodes%s, because no better options were available. To "
1953 "prevent this (and possibly break your Tor functionality), "
1954 "set the StrictNodes configuration option. "
1959 }
1961 }
1964 }
1966 /* Return a set of generic CRN_* flags based on <b>state</b>.
1967 *
1968 * Called for every position in the circuit. */
1969 STATIC int
1971 {
1973 /* These flags apply to entry, middle, and exit nodes.
1974 * If a flag only applies to a specific position, it should be checked in
1975 * that function. */
1981 }
1983 /* Return the CRN_INITIATE_IPV6_EXTEND flag, based on <b>state</b> and
1984 * <b>cur_len</b>.
1985 *
1986 * Only called for middle nodes (for now). Must not be called on single-hop
1987 * circuits. */
1988 STATIC int
1991 {
1995 /* The last node is the relay doing the self-test. So we want to extend over
1996 * IPv6 from the second-last node. */
1999 else
2001 }
2003 /** Decide a suitable length for circ's cpath, and pick an exit
2004 * router (or use <b>exit</b> if provided). Store these in the
2005 * cpath.
2006 *
2007 * If <b>is_hs_v3_rp_circuit</b> is set, then this exit should be suitable to
2008 * be used as an HS v3 rendezvous point.
2009 *
2010 * Return 0 if ok, -1 if circuit should be closed. */
2011 STATIC int
2014 {
2027 }
2037 /* Some internal exits are one hop, for example directory connections.
2038 * (Guards are always direct, middles are never direct.) */
2048 }
2052 }
2055 }
2057 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
2058 * hop to the cpath reflecting this. Don't send the next extend cell --
2059 * the caller will do this if it wants to.
2060 */
2061 int
2063 {
2076 }
2078 /** Take an open <b>circ</b>, and add a new hop at the end, based on
2079 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
2080 * send the next extend cell to begin connecting to that hop.
2081 */
2082 int
2084 {
2097 }
2099 // XXX: Should cannibalized circuits be dirty or not? Not easy to say..
2102 }
2104 /** Return the number of routers in <b>nodes</b> that are currently up and
2105 * available for building circuits through.
2106 *
2107 * If <b>direct</b> is true, only count nodes that are suitable for direct
2108 * connections. Counts nodes regardless of whether their addresses are
2109 * preferred.
2110 */
2113 {
2121 // log_debug(LD_CIRC,
2122 // "Contemplating whether router %d (%s) is a new option.",
2123 // i, r->nickname);
2129 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
2132 }
2134 /**
2135 * Build the exclude list for vanguard circuits.
2136 *
2137 * For vanguard circuits we exclude all the already chosen nodes (including the
2138 * exit) from being middle hops to prevent the creation of A - B - A subpaths.
2139 * We also allow the 4th hop to be the same as the guard node so as to not leak
2140 * guard information to RP/IP/HSDirs.
2141 *
2142 * For vanguard circuits, we don't apply any subnet or family restrictions.
2143 * This is to avoid impossible-to-build circuit paths, or just situations where
2144 * our earlier guards prevent us from using most of our later ones.
2145 *
2146 * The alternative is building the circuit in reverse. Reverse calls to
2147 * onion_extend_cpath() (ie: select outer hops first) would then have the
2148 * property that you don't gain information about inner hops by observing
2149 * outer ones. See https://trac.torproject.org/projects/tor/ticket/24487
2150 * for this.
2151 *
2152 * (Note further that we still exclude the exit to prevent A - B - A
2153 * at the end of the path. */
2159 {
2169 /* Add the exit to the exclude list (note that the exit/last hop is always
2170 * chosen first in circuit_establish_circuit()). */
2173 }
2175 /* If we are picking the 4th hop, allow that node to be the guard too.
2176 * This prevents us from avoiding the Guard for those hops, which
2177 * gives the adversary information about our guard if they control
2178 * the RP, IP, or HSDIR. We don't do this check based on purpose
2179 * because we also want to allow HS_VANGUARDS pre-build circuits
2180 * to use the guard for that last hop.
2181 */
2183 /* Skip the first hop for the exclude list below */
2185 cur_len--;
2186 }
2191 }
2192 }
2195 }
2197 /**
2198 * Build a list of nodes to exclude from the choice of this middle
2199 * hop, based on already chosen nodes.
2200 */
2206 {
2212 /** Vanguard circuits have their own path selection rules */
2215 }
2219 /* For non-vanguard circuits, add the exit and its family to the exclude list
2220 * (note that the exit/last hop is always chosen first in
2221 * circuit_establish_circuit()). */
2224 }
2226 /* also exclude all other already chosen nodes and their family */
2230 }
2231 }
2234 }
2236 /** Return true if we MUST use vanguards for picking this middle node. */
2237 static int
2240 {
2241 /* If this is not a hidden service circuit, don't use vanguards */
2244 }
2246 /* If we have sticky L2 nodes, and this is an L2 pick, use vanguards */
2249 }
2251 /* If we have sticky L3 nodes, and this is an L3 pick, use vanguards */
2254 }
2257 }
2259 /** Pick a sticky vanguard middle node or return NULL if not found.
2260 * See doc of pick_restricted_middle_node() for argument details. */
2265 {
2269 /* Pick the right routerset based on the current hop */
2275 /* guaranteed by middle_node_should_be_vanguard() */
2278 }
2287 "Could not find a node that matches the configured "
2289 }
2292 }
2294 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
2295 * and <b>state</b> and the cpath <b>head</b> (currently populated only
2296 * to length <b>cur_len</b> to decide a suitable middle hop for a
2297 * circuit. In particular, make sure we don't pick the exit node or its
2298 * family, and make sure we don't duplicate any previous nodes or their
2299 * families. */
2305 {
2321 /** If a hidden service circuit wants a specific middle node, pin it. */
2327 }
2343 }
2346 }
2349 }
2351 /** Pick a good entry server for the circuit to be built according to
2352 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
2353 * router (if we're an OR), and respect firewall settings; if we're
2354 * configured to use entry guards, return one.
2355 *
2356 * Set *<b>guard_state_out</b> to information about the guard that
2357 * we're selecting, which we'll use later to remember whether the
2358 * guard worked or not.
2359 */
2363 {
2367 /* If possible, choose an entry server with a preferred address,
2368 * otherwise, choose one with an allowed address */
2370 CRN_DIRECT_CONN);
2373 /* Once we used this function to select a node to be a guard. We had
2374 * 'state == NULL' be the signal for that. But we don't do that any more.
2375 */
2380 /* This request is for an entry server to use for a regular circuit,
2381 * and we use entry guard nodes. Just return one of the guard nodes. */
2384 }
2389 /* Exclude the exit node from the state, if we have one. Also exclude its
2390 * family. */
2392 }
2396 }
2401 }
2403 /** Choose a suitable next hop for the circuit <b>circ</b>.
2404 * Append the hop info to circ->cpath.
2405 *
2406 * Return 1 if the path is complete, 0 if we successfully added a hop,
2407 * and -1 on error.
2408 */
2409 STATIC int
2411 {
2421 }
2432 /* If we're a client, use the preferred address rather than the
2433 primary address, for potentially connecting to an IPv6 OR
2434 port. Servers always want the primary (IPv4) address. */
2437 /* Clients can fail to find an allowed address */
2439 }
2446 }
2447 }
2453 }
2462 }
2464 /** Return the node_t for the chosen exit router in <b>state</b>.
2465 * If there is no chosen exit, or if we don't know the node_t for
2466 * the chosen exit, return NULL.
2467 */
2470 {
2474 }
2476 /** Return the RSA ID digest for the chosen exit router in <b>state</b>.
2477 * If there is no chosen exit, return NULL.
2478 */
2481 {
2485 }
2487 /** Return the nickname for the chosen exit router in <b>state</b>. If
2488 * there is no chosen exit, or if we don't know the routerinfo_t for the
2489 * chosen exit, return NULL.
2490 */
2493 {
2497 }
2499 /* Is circuit purpose allowed to use the deprecated TAP encryption protocol?
2500 * The hidden service protocol still uses TAP for some connections, because
2501 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2502 static int
2504 {
2507 }
2509 /* Is circ allowed to use the deprecated TAP encryption protocol?
2510 * The hidden service protocol still uses TAP for some connections, because
2511 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2512 int
2514 {
2520 }
2522 /* Does circ have an onion key which it's allowed to use? */
2523 int
2525 {
2531 }
2533 /** Find the circuits that are waiting to find out whether their guards are
2534 * usable, and if any are ready to become usable, mark them open and try
2535 * attaching streams as appropriate. */
2536 void
2538 {
2554 }