| blob | 0a7b1cbc0225af4bd23e8a54116d884b349e03cb |
1 /* Copyright (c) 2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file sendme.c
6 * \brief Code that is related to SENDME cells both in terms of
7 * creating/parsing cells and handling the content.
8 */
10 #define SENDME_PRIVATE
26 /* The maximum supported version. Above that value, the cell can't be
27 * recognized as a valid SENDME. */
28 #define SENDME_MAX_SUPPORTED_VERSION 1
30 /* The cell version constants for when emitting a cell. */
31 #define SENDME_EMIT_MIN_VERSION_DEFAULT 0
32 #define SENDME_EMIT_MIN_VERSION_MIN 0
33 #define SENDME_EMIT_MIN_VERSION_MAX UINT8_MAX
35 /* The cell version constants for when accepting a cell. */
36 #define SENDME_ACCEPT_MIN_VERSION_DEFAULT 0
37 #define SENDME_ACCEPT_MIN_VERSION_MIN 0
38 #define SENDME_ACCEPT_MIN_VERSION_MAX UINT8_MAX
40 /* Return the minimum version given by the consensus (if any) that should be
41 * used when emitting a SENDME cell. */
42 STATIC int
44 {
46 SENDME_EMIT_MIN_VERSION_DEFAULT,
47 SENDME_EMIT_MIN_VERSION_MIN,
48 SENDME_EMIT_MIN_VERSION_MAX);
49 }
51 /* Return the minimum version given by the consensus (if any) that should be
52 * accepted when receiving a SENDME cell. */
53 STATIC int
55 {
57 SENDME_ACCEPT_MIN_VERSION_DEFAULT,
58 SENDME_ACCEPT_MIN_VERSION_MIN,
59 SENDME_ACCEPT_MIN_VERSION_MAX);
60 }
62 /* Return true iff the given cell digest matches the first digest in the
63 * circuit sendme list. */
64 static bool
66 {
73 /* We shouldn't have received a SENDME if we have no digests. Log at
74 * protocol warning because it can be tricked by sending many SENDMEs
75 * without prior data cell. */
79 "We received a SENDME but we have no cell digests to match. "
82 }
84 /* Pop the first element that was added (FIFO) and compare it. */
88 /* Compare the digest with the one in the SENDME. This cell is invalid
89 * without a perfect match. */
94 }
95 /* Digests matches! */
98 no_match:
99 /* This digest was popped from the circuit list. Regardless of what happens,
100 * we have no more use for it. */
103 }
105 /* Return true iff the given decoded SENDME version 1 cell is valid and
106 * matches the expected digest on the circuit.
107 *
108 * Validation is done by comparing the digest in the cell from the previous
109 * cell we saw which tells us that the other side has in fact seen that cell.
110 * See proposal 289 for more details. */
111 static bool
113 {
119 }
121 /* Return true iff the given cell version can be handled or if the minimum
122 * accepted version from the consensus is known to us. */
123 STATIC bool
125 {
128 /* Can we handle this version? */
131 "Unable to handle SENDME version %u. We only support <= %d "
135 }
137 /* We only accept a SENDME cell from what the consensus tells us. */
140 "accepting %u (taken from the consensus). "
144 }
147 invalid:
149 }
151 /* Return true iff the encoded SENDME cell in cell_payload of length
152 * cell_payload_len is valid. For each version:
153 *
154 * 0: No validation
155 * 1: Authenticated with last cell digest.
156 *
157 * This is the main critical function to make sure we can continue to
158 * send/recv cells on a circuit. If the SENDME is invalid, the circuit should
159 * be mark for close. */
160 STATIC bool
163 {
170 /* An empty payload means version 0 so skip trunnel parsing. We won't be
171 * able to parse a 0 length buffer into a valid SENDME cell. */
175 /* First we'll decode the cell so we can get the version. */
180 }
182 }
184 /* Validate that we can handle this cell version. */
187 }
189 /* Validate depending on the version now. */
194 }
197 /* Fallthrough. Version 0, there is no work to be done on the payload so
198 * it is necessarily valid if we pass the version validation. */
200 /* Unknown version means we can't handle it so fallback to version 0. */
202 }
204 /* Valid cell. */
207 invalid:
210 }
212 /* Build and encode a version 1 SENDME cell into payload, which must be at
213 * least of RELAY_PAYLOAD_SIZE bytes, using the digest for the cell data.
214 *
215 * Return the size in bytes of the encoded cell in payload. A negative value
216 * is returned on encoding failure. */
217 STATIC ssize_t
219 {
228 /* Building a payload for version 1. */
230 /* Set the data length field for v1. */
233 /* Copy the digest into the data payload. */
238 /* Finally, encode the cell into the payload. */
243 }
245 /* Send a circuit-level SENDME on the given circuit using the layer_hint if
246 * not NULL. The digest is only used for version 1.
247 *
248 * Return 0 on success else a negative value and the circuit will be closed
249 * because we failed to send the cell on it. */
250 static int
253 {
256 ssize_t payload_len;
266 /* Unable to encode the cell, abort. We can recover from this by closing
267 * the circuit but in theory it should never happen. */
269 }
273 /* Fallthrough because default is to use v0. */
275 /* Unknown version, fallback to version 0 meaning no payload. */
278 }
286 }
288 }
290 /** Called when we've just received a relay data cell, when we've just
291 * finished flushing all bytes to stream <b>conn</b>, or when we've flushed
292 * *some* bytes to the stream <b>conn</b>.
293 *
294 * If conn->outbuf is not too full, and our deliver window is low, send back a
295 * suitable number of stream-level sendme cells.
296 */
297 void
299 {
304 /* Don't send it if we still have data to deliver. */
307 }
310 /* This can legitimately happen if the destroy has already arrived and
311 * torn down the circuit. */
315 }
327 }
328 }
330 end:
332 }
334 /** Check if the deliver_window for circuit <b>circ</b> (at hop
335 * <b>layer_hint</b> if it's defined) is low enough that we should
336 * send a circuit-level sendme back down the circuit. If so, send
337 * enough sendmes that the window would be overfull if we sent any
338 * more.
339 */
340 void
342 {
354 }
357 }
358 }
359 }
361 /* Process a circuit-level SENDME cell that we just received. The layer_hint,
362 * if not NULL, is the Exit hop of the connection which means that we are a
363 * client. In that case, circ must be an origin circuit. The cell_body_len is
364 * the length of the SENDME cell payload (excluding the header). The
365 * cell_payload is the payload.
366 *
367 * Return 0 on success that is the SENDME is valid and the package window has
368 * been updated properly.
369 *
370 * On error, a negative value is returned which indicate that the circuit must
371 * be closed using the value as the reason for it. */
372 int
376 {
380 /* If we are the origin of the circuit, we are the Client so we use the
381 * layer hint (the Exit hop) for the package window tracking. */
384 CIRCWINDOW_START_MAX) {
387 "Unexpected sendme cell from exit relay. "
390 }
395 /* We count circuit-level sendme's as valid delivered data because they
396 * are rate limited. */
399 /* Validate the SENDME cell. Depending on the version, different
400 * validation can be done. An invalid SENDME requires us to close the
401 * circuit. It is only done if we are the Exit of the circuit. */
404 }
406 /* We aren't the origin of this circuit so we are the Exit and thus we
407 * track the package window with the circuit object. */
409 CIRCWINDOW_START_MAX) {
412 "Unexpected sendme cell from client. "
415 }
419 }
422 }
424 /* Process a stream-level SENDME cell that we just received. The conn is the
425 * edge connection (stream) that the circuit circ is associated with. The
426 * cell_body_len is the length of the payload (excluding the header).
427 *
428 * Return 0 on success that is the SENDME is valid and the package window has
429 * been updated properly.
430 *
431 * On error, a negative value is returned which indicate that the circuit must
432 * be closed using the value as the reason for it. */
433 int
436 {
440 /* Don't allow the other endpoint to request more than our maximum (i.e.
441 * initial) stream SENDME window worth of data. Well-behaved stock clients
442 * will not request more than this max (as per the check in the while loop
443 * of sendme_connection_edge_consider_sending()). */
445 STREAMWINDOW_START_MAX) {
451 }
452 /* At this point, the stream sendme is valid */
455 /* We count circuit-level sendme's as valid delivered data because they are
456 * rate limited. */
459 }
465 }
467 /* Called when a relay DATA cell is received on the given circuit. If
468 * layer_hint is NULL, this means we are the Exit end point else we are the
469 * Client. Update the deliver window and return its new value. */
470 int
472 {
485 }
489 }
491 /* Called when a relay DATA cell is received for the given edge connection
492 * conn. Update the deliver window and return its new value. */
493 int
495 {
498 }
500 /* Called when a relay DATA cell is packaged on the given circuit. If
501 * layer_hint is NULL, this means we are the Exit end point else we are the
502 * Client. Update the package window and return its new value. */
503 int
505 {
511 /* Client side. */
517 /* Exit side. */
522 }
526 }
528 /* Called when a relay DATA cell is packaged for the given edge connection
529 * conn. Update the package window and return its new value. */
530 int
532 {
535 }
537 /* Note the cell digest in the circuit sendme last digests FIFO if applicable.
538 * It is safe to pass a circuit that isn't meant to track those digests. */
539 void
541 {
546 /* We only keep the cell digest if we are the Exit on that circuit and if
547 * this cell is the last one before the client should send a SENDME. */
550 }
551 /* Is this the last cell before a SENDME? The idea is that if the
552 * package_window reaches a multiple of the increment, after this cell, we
553 * should expect a SENDME. */
556 }
558 /* Only note the digest if we actually have the digest of the previous cell
559 * recorded. It should never happen in theory as we always record the last
560 * digest for the v1 SENDME. */
567 }
569 }
570 }