| blob | 148e6471ba01e86989a84715caa867acef6d75a1 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2020, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file entrynodes.c
9 * \brief Code to manage our fixed first nodes for various functions.
10 *
11 * Entry nodes can be guards (for general use) or bridges (for censorship
12 * circumvention).
13 *
14 * In general, we use entry guards to prevent traffic-sampling attacks:
15 * if we chose every circuit independently, an adversary controlling
16 * some fraction of paths on the network would observe a sample of every
17 * user's traffic. Using guards gives users a chance of not being
18 * profiled.
19 *
20 * The current entry guard selection code is designed to try to avoid
21 * _ever_ trying every guard on the network, to try to stick to guards
22 * that we've used before, to handle hostile/broken networks, and
23 * to behave sanely when the network goes up and down.
24 *
25 * Our algorithm works as follows: First, we maintain a SAMPLE of guards
26 * we've seen in the networkstatus consensus. We maintain this sample
27 * over time, and store it persistently; it is chosen without reference
28 * to our configuration or firewall rules. Guards remain in the sample
29 * as they enter and leave the consensus. We expand this sample as
30 * needed, up to a maximum size.
31 *
32 * As a subset of the sample, we maintain a FILTERED SET of the guards
33 * that we would be willing to use if we could connect to them. The
34 * filter removes all the guards that we're excluding because they're
35 * bridges (or not bridges), because we have restrictive firewall rules,
36 * because of ExcludeNodes, because we of path bias restrictions,
37 * because they're absent from the network at present, and so on.
38 *
39 * As a subset of the filtered set, we keep a REACHABLE FILTERED SET
40 * (also called a "usable filtered set") of those guards that we call
41 * "reachable" or "maybe reachable". A guard is reachable if we've
42 * connected to it more recently than we've failed. A guard is "maybe
43 * reachable" if we have never tried to connect to it, or if we
44 * failed to connect to it so long ago that we no longer think our
45 * failure means it's down.
46 *
47 * As a persistent ordered list whose elements are taken from the
48 * sampled set, we track a CONFIRMED GUARDS LIST. A guard becomes
49 * confirmed when we successfully build a circuit through it, and decide
50 * to use that circuit. We order the guards on this list by the order
51 * in which they became confirmed.
52 *
53 * And as a final group, we have an ordered list of PRIMARY GUARDS,
54 * whose elements are taken from the filtered set. We prefer
55 * confirmed guards to non-confirmed guards for this list, and place
56 * other restrictions on it. The primary guards are the ones that we
57 * connect to "when nothing is wrong" -- circuits through them can be used
58 * immediately.
59 *
60 * To build circuits, we take a primary guard if possible -- or a
61 * reachable filtered confirmed guard if no primary guard is possible --
62 * or a random reachable filtered guard otherwise. If the guard is
63 * primary, we can use the circuit immediately on success. Otherwise,
64 * the guard is now "pending" -- we won't use its circuit unless all
65 * of the circuits we're trying to build through better guards have
66 * definitely failed.
67 *
68 * While we're building circuits, we track a little "guard state" for
69 * each circuit. We use this to keep track of whether the circuit is
70 * one that we can use as soon as it's done, or whether it's one that
71 * we should keep around to see if we can do better. In the latter case,
72 * a periodic call to entry_guards_upgrade_waiting_circuits() will
73 * eventually upgrade it.
74 **/
75 /* DOCDOC -- expand this.
76 *
77 * Information invariants:
78 *
79 * [x] whenever a guard becomes unreachable, clear its usable_filtered flag.
80 *
81 * [x] Whenever a guard becomes reachable or maybe-reachable, if its filtered
82 * flag is set, set its usable_filtered flag.
83 *
84 * [x] Whenever we get a new consensus, call update_from_consensus(). (LATER.)
85 *
86 * [x] Whenever the configuration changes in a relevant way, update the
87 * filtered/usable flags. (LATER.)
88 *
89 * [x] Whenever we add a guard to the sample, make sure its filtered/usable
90 * flags are set as possible.
91 *
92 * [x] Whenever we remove a guard from the sample, remove it from the primary
93 * and confirmed lists.
94 *
95 * [x] When we make a guard confirmed, update the primary list.
96 *
97 * [x] When we make a guard filtered or unfiltered, update the primary list.
98 *
99 * [x] When we are about to pick a guard, make sure that the primary list is
100 * full.
101 *
102 * [x] Before calling sample_reachable_filtered_entry_guards(), make sure
103 * that the filtered, primary, and confirmed flags are up-to-date.
104 *
105 * [x] Call entry_guard_consider_retry every time we are about to check
106 * is_usable_filtered or is_reachable, and every time we set
107 * is_filtered to 1.
108 *
109 * [x] Call entry_guards_changed_for_guard_selection() whenever we update
110 * a persistent field.
111 */
113 #define ENTRYNODES_PRIVATE
150 /** A list of existing guard selection contexts. */
152 /** The currently enabled guard selection context. */
155 /** A value of 1 means that at least one context has changed,
156 * and those changes need to be flushed to disk. */
176 /** Return 0 if we should apply guardfraction information found in the
177 * consensus. A specific consensus can be specified with the
178 * <b>ns</b> argument, if NULL the most recent one will be picked.*/
179 int
181 {
182 /* We need to check the corresponding torrc option and the consensus
183 * parameter if we need to. */
186 /* If UseGuardFraction is 'auto' then check the same-named consensus
187 * parameter. If the consensus parameter is not present, default to
188 * "off". */
193 }
196 }
198 /** Return true iff we know a preferred descriptor for <b>guard</b> */
199 static int
201 {
206 }
208 /**
209 * Try to determine the correct type for a selection named "name",
210 * if <b>type</b> is GS_TYPE_INFER.
211 */
212 STATIC guard_selection_type_t
215 {
221 else
223 }
225 }
227 /**
228 * Allocate and return a new guard_selection_t, with the name <b>name</b>.
229 */
230 STATIC guard_selection_t *
232 guard_selection_type_t type)
233 {
246 }
248 /**
249 * Return the guard selection called <b>name</b>. If there is none, and
250 * <b>create_if_absent</b> is true, then create and return it. If there
251 * is none, and <b>create_if_absent</b> is false, then return NULL.
252 */
253 STATIC guard_selection_t *
255 guard_selection_type_t type,
257 {
260 }
274 }
276 /**
277 * Allocate the first guard context that we're planning to use,
278 * and make it the current context.
279 */
280 static void
282 {
286 }
293 NULL,
299 }
301 /** Get current default guard_selection_t, creating it if necessary */
302 guard_selection_t *
304 {
307 }
310 }
312 /** Return a statically allocated human-readable description of <b>guard</b>
313 */
316 {
323 }
325 /** Return <b>guard</b>'s 20-byte RSA identity digest */
328 {
330 }
332 /** Return the pathbias state associated with <b>guard</b>. */
333 guard_pathbias_t *
335 {
337 }
341 /** Return an interval betweeen 'now' and 'max_backdate' seconds in the past,
342 * chosen uniformly at random. We use this before recording persistent
343 * dates, so that we aren't leaking exactly when we recorded it.
344 */
347 {
358 }
360 /**
361 * @name parameters for networkstatus algorithm
362 *
363 * These parameters are taken from the consensus; some are overrideable in
364 * the torrc.
365 */
366 /**@{*/
367 /**
368 * We never let our sampled guard set grow larger than this fraction
369 * of the guards on the network.
370 */
371 STATIC double
373 {
376 DFLT_MAX_SAMPLE_THRESHOLD_PERCENT,
379 }
380 /**
381 * We never let our sampled guard set grow larger than this number.
382 */
383 STATIC int
385 {
387 DFLT_MAX_SAMPLE_SIZE,
389 }
390 /**
391 * We always try to make our sample contain at least this many guards.
392 */
393 STATIC int
395 {
397 DFLT_MIN_FILTERED_SAMPLE_SIZE,
399 }
400 /**
401 * If a guard is unlisted for this many days in a row, we remove it.
402 */
403 STATIC int
405 {
408 DFLT_REMOVE_UNLISTED_GUARDS_AFTER_DAYS,
410 }
412 /**
413 * Return number of seconds that will make a guard no longer eligible
414 * for selection if unlisted for this long.
415 */
416 static time_t
418 {
420 }
422 /**
423 * We remove unconfirmed guards from the sample after this many days,
424 * regardless of whether they are listed or unlisted.
425 */
426 STATIC int
428 {
436 }
437 /**
438 * We remove confirmed guards from the sample if they were sampled
439 * GUARD_LIFETIME_DAYS ago and confirmed this many days ago.
440 */
441 STATIC int
443 {
448 DFLT_GUARD_CONFIRMED_MIN_LIFETIME_DAYS,
451 }
452 /**
453 * How many guards do we try to keep on our primary guard list?
454 */
455 STATIC int
457 {
458 /* If the user has explicitly configured the number of primary guards, do
459 * what the user wishes to do */
463 }
465 /* otherwise check for consensus parameter and if that's not set either, just
466 * use the default value. */
470 }
471 /**
472 * Return the number of the live primary guards we should look at when
473 * making a circuit.
474 */
475 STATIC int
477 {
482 /* If the user has explicitly configured the amount of guards, use
483 that. Otherwise, fall back to the default value. */
492 }
495 }
498 }
499 /**
500 * If we haven't successfully built or used a circuit in this long, then
501 * consider that the internet is probably down.
502 */
503 STATIC int
505 {
507 DFLT_INTERNET_LIKELY_DOWN_INTERVAL,
509 }
510 /**
511 * If we're trying to connect to a nonprimary guard for at least this
512 * many seconds, and we haven't gotten the connection to work, we will treat
513 * lower-priority guards as usable.
514 */
515 STATIC int
517 {
520 DFLT_NONPRIMARY_GUARD_CONNECT_TIMEOUT,
522 }
523 /**
524 * If a circuit has been sitting around in 'waiting for better guard' state
525 * for at least this long, we'll expire it.
526 */
527 STATIC int
529 {
532 DFLT_NONPRIMARY_GUARD_IDLE_TIMEOUT,
534 }
535 /**
536 * If our configuration retains fewer than this fraction of guards from the
537 * torrc, we are in a restricted setting.
538 */
539 STATIC double
541 {
544 DFLT_MEANINGFUL_RESTRICTION_PERCENT,
547 }
548 /**
549 * If our configuration retains fewer than this fraction of guards from the
550 * torrc, we are in an extremely restricted setting, and should warn.
551 */
552 STATIC double
554 {
557 DFLT_EXTREME_RESTRICTION_PERCENT,
560 }
562 /* Mark <b>guard</b> as maybe reachable again. */
563 static void
565 {
568 }
570 /* Note that we do not clear failing_since: this guard is now only
571 * _maybe-reachable_. */
575 }
577 /**
578 * Called when the network comes up after having seemed to be down for
579 * a while: Mark the primary guards as maybe-reachable so that we'll
580 * try them again.
581 */
582 STATIC void
584 {
593 }
595 /* Called when we exhaust all guards in our sampled set: Marks all guards as
596 maybe-reachable so that we 'll try them again. */
597 static void
599 {
605 }
607 /**@}*/
609 /**
610 * Given our options and our list of nodes, return the name of the
611 * guard selection that we should use. Return NULL for "use the
612 * same selection you were using before.
613 */
619 {
626 }
629 /* without a networkstatus, we can't tell any more than that. */
632 }
641 }
642 }
645 /* We use separate 'high' and 'low' thresholds here to prevent flapping
646 * back and forth */
656 /*
657 If we have no previous selection, then we're "restricted" iff we are
658 below the meaningful restriction threshold. That's easy enough.
660 But if we _do_ have a previous selection, we make it a little
661 "sticky": we only move from "restricted" to "default" when we find
662 that we're above the threshold plus 5%, and we only move from
663 "default" to "restricted" when we're below the threshold minus 5%.
664 That should prevent us from flapping back and forth if we happen to
665 be hovering very close to the default.
667 The extreme threshold is for warning only.
668 */
678 "guards. That's likely to make you stand out from the "
680 }
682 /* Easy case: no previous selection. Just check if we are in restricted or
683 normal guard selection. */
691 }
692 }
694 /* Trickier case: we do have a previous guard selection context. */
697 /* Use high and low thresholds to decide guard selection, and if we fall in
698 the middle then keep the current guard selection context. */
706 /* we are in the middle: maintain previous guard selection */
709 }
710 }
712 /**
713 * Check whether we should switch from our current guard selection to a
714 * different one. If so, switch and return 1. Return 0 otherwise.
715 *
716 * On a 1 return, the caller should mark all currently live circuits unusable
717 * for new streams, by calling circuit_mark_all_unused_circs() and
718 * circuit_mark_all_dirty_circs_as_unusable().
719 */
720 int
722 {
726 }
730 options,
734 curr_guard_context,
744 }
755 }
757 /**
758 * Return true iff <b>node</b> has all the flags needed for us to consider it
759 * a possible guard when sampling guards.
760 */
761 static int
763 {
764 /* The "GUARDS" set is all nodes in the nodelist for which this predicate
765 * holds. */
774 }
776 /**
777 * Return the sampled guard with the RSA identity digest <b>rsa_id</b>, or
778 * NULL if we don't have one. */
779 STATIC entry_guard_t *
782 {
790 }
792 /** If <b>gs</b> contains a sampled entry guard matching <b>bridge</b>,
793 * return that guard. Otherwise return NULL. */
797 {
806 else
808 }
810 /** If we know a bridge_info_t matching <b>guard</b>, return that
811 * bridge. Otherwise return NULL. */
814 {
818 }
826 }
828 /**
829 * Return true iff we have a sampled guard with the RSA identity digest
830 * <b>rsa_id</b>. */
833 {
835 }
837 /**
838 * Allocate a new entry_guard_t object for <b>node</b>, add it to the
839 * sampled entry guards in <b>gs</b>, and return it. <b>node</b> must
840 * not currently be a sampled guard in <b>gs</b>.
841 */
842 STATIC entry_guard_t *
845 {
849 /* make sure that the guard is not already sampled. */
856 NULL);
857 }
859 /**
860 * Backend: adds a new sampled guard to <b>gs</b>, with given identity,
861 * nickname, and ORPort. rsa_id_digest and bridge_addrport are optional, but
862 * we need one of them. nickname is optional. The caller is responsible for
863 * maintaining the size limit of the SAMPLED_GUARDS set.
864 */
870 {
874 // XXXX #20827 take ed25519 identity here too.
876 /* Make sure we can actually identify the guard. */
882 /* persistent fields */
895 /* non-persistent fields */
905 }
907 /**
908 * Add an entry guard to the "bridges" guard selection sample, with
909 * information taken from <b>bridge</b>. Return that entry guard.
910 */
914 {
920 /* make sure that the guard is not already sampled. */
925 }
927 /**
928 * Return the entry_guard_t in <b>gs</b> whose address is <b>addrport</b>,
929 * or NULL if none exists.
930 */
934 {
944 }
946 /** Update the guard subsystem's knowledge of the identity of the bridge
947 * at <b>addrport</b>. Idempotent.
948 */
949 void
952 {
954 GS_TYPE_BRIDGE,
969 /* Nothing to see here; we learned something we already knew. */
976 "we already knew a different one (%s). Ignoring the new info as "
980 old_id);
982 }
987 }
988 }
990 /**
991 * Return the number of sampled guards in <b>gs</b> that are "filtered"
992 * (that is, we're willing to connect to them) and that are "usable"
993 * (that is, either "reachable" or "maybe reachable").
994 *
995 * If a restriction is provided in <b>rst</b>, do not count any guards that
996 * violate it.
997 */
998 STATIC int
1001 {
1011 }
1013 /** Return the actual maximum size for the sample in <b>gs</b>,
1014 * given that we know about <b>n_guards</b> total. */
1015 static int
1018 {
1022 /* If we are in bridge mode, expand our sample set as needed without worrying
1023 * about max size. We should respect the user's wishes to use many bridges if
1024 * that's what they have specified in their configuration file. */
1033 else
1035 }
1037 /**
1038 * Return a smartlist of the all the guards that are not currently
1039 * members of the sample (GUARDS - SAMPLED_GUARDS). The elements of
1040 * this list are node_t pointers in the non-bridge case, and
1041 * bridge_info_t pointers in the bridge case. Set *<b>n_guards_out</b>
1042 * to the number of guards that we found in GUARDS, including those
1043 * that were already sampled.
1044 */
1049 {
1050 /* Construct eligible_guards as GUARDS - SAMPLED_GUARDS */
1060 }
1067 /* Build a bloom filter of our current guards: let's keep this O(N). */
1070 guard) {
1078 /* In restricted mode, we apply the filter BEFORE sampling, so
1079 * that we are sampling from the nodes that we might actually
1080 * select. If we sampled first, we might wind up with a sample
1081 * that didn't include any EntryNodes at all. */
1084 }
1091 /* Now we can free that bloom filter. */
1093 }
1097 }
1099 /** Helper: given a smartlist of either bridge_info_t (if gs->type is
1100 * GS_TYPE_BRIDGE) or node_t (otherwise), pick one that can be a guard,
1101 * add it as a guard, remove it from the list, and return a new
1102 * entry_guard_t. Return NULL on failure. */
1106 {
1121 }
1124 }
1126 /**
1127 * Return true iff we need a consensus to update our guards, but we don't
1128 * have one. (We can return 0 here either if the consensus is _not_ missing,
1129 * or if we don't need a consensus because we're using bridges.)
1130 */
1131 static int
1133 {
1136 /* We don't update bridges from the consensus; they aren't there. */
1138 }
1142 }
1144 /**
1145 * Add new guards to the sampled guards in <b>gs</b> until there are
1146 * enough usable filtered guards, but never grow the sample beyond its
1147 * maximum size. Return the last guard added, or NULL if none were
1148 * added.
1149 */
1150 STATIC entry_guard_t *
1152 {
1160 }
1176 /* Has our sample grown too large to expand? */
1180 max_sample);
1182 }
1184 /* Did we run out of guards? */
1186 /* LCOV_EXCL_START
1187 As long as MAX_SAMPLE_THRESHOLD makes can't be adjusted to
1188 allow all guards to be sampled, this can't be reached.
1189 */
1193 /* LCOV_EXCL_STOP */
1194 }
1196 /* Otherwise we can add at least one new guard. */
1205 }
1207 done:
1210 }
1212 /**
1213 * Helper: <b>guard</b> has just been removed from the sampled guards:
1214 * also remove it from primary and confirmed. */
1215 static void
1218 {
1225 }
1226 }
1234 // LCOV_EXCL_START
1236 // LCOV_EXCL_STOP
1237 }
1238 }
1239 }
1241 /** Return true iff <b>guard</b> is currently "listed" -- that is, it
1242 * appears in the consensus, or as a configured bridge (as
1243 * appropriate) */
1246 {
1253 }
1254 }
1256 /**
1257 * Enumerate <b>sampled_entry_guards</b> smartlist in <b>gs</b>.
1258 * For each <b>entry_guard_t</b> object in smartlist, do the following:
1259 * * Update <b>currently_listed</b> field to reflect if guard is listed
1260 * in guard selection <b>gs</b>.
1261 * * Set <b>unlisted_since_date</b> to approximate UNIX time of
1262 * unlisting if guard is unlisted (randomize within 20% of
1263 * get_remove_unlisted_guards_after_seconds()). Otherwise,
1264 * set it to 0.
1265 *
1266 * Require <b>gs</b> to be non-null pointer.
1267 * Return a number of entries updated.
1268 */
1269 static size_t
1271 {
1280 /* XXXX #20827 check ed ID too */
1293 unlisted_since_slop);
1303 }
1305 /* Clean up unlisted_since_date, just in case. */
1315 unlisted_since_slop);
1319 }
1323 }
1325 /**
1326 * Enumerate <b>sampled_entry_guards</b> smartlist in <b>gs</b>.
1327 * For each <b>entry_guard_t</b> object in smartlist, do the following:
1328 * * If <b>currently_listed</b> is false and <b>unlisted_since_date</b>
1329 * is earlier than <b>remove_if_unlisted_since</b> - remove it.
1330 * * Otherwise, check if <b>sampled_on_date</b> is earlier than
1331 * <b>maybe_remove_if_sampled_before</b>.
1332 * * When above condition is correct, remove the guard if:
1333 * * It was never confirmed.
1334 * * It was confirmed before <b>remove_if_confirmed_before</b>.
1335 *
1336 * Require <b>gs</b> to be non-null pointer.
1337 * Return number of entries deleted.
1338 */
1339 static size_t
1344 {
1354 /*
1355 "We have a live consensus, and {IS_LISTED} is false, and
1356 {FIRST_UNLISTED_AT} is over get_remove_unlisted_guards_after_days()
1357 days in the past."
1358 */
1364 /* We have a live consensus, and {ADDED_ON_DATE} is over
1365 {GUARD_LIFETIME} ago, *and* {CONFIRMED_ON_DATE} is either
1366 "never", or over {GUARD_CONFIRMED_MIN_LIFETIME} ago.
1367 */
1381 }
1382 }
1389 }
1393 }
1395 /**
1396 * Update the status of all sampled guards based on the arrival of a
1397 * new consensus networkstatus document. This will include marking
1398 * some guards as listed or unlisted, and removing expired guards. */
1399 STATIC void
1401 {
1404 // It's important to use a reasonably live consensus here; we want clients
1405 // to bootstrap even if their clock is skewed by more than 2-3 hours.
1406 // But we don't want to make changes based on anything that's really old.
1411 }
1415 /* First: Update listed/unlisted. */
1425 /* Then: remove the ones that have been junk for too long */
1426 n_changes +=
1428 remove_if_unlisted_since,
1429 maybe_remove_if_sampled_before,
1430 remove_if_confirmed_before);
1435 /* We don't need to rebuild the confirmed list right here -- we may have
1436 * removed confirmed guards above, but we can't have added any new
1437 * confirmed guards.
1438 */
1440 }
1441 }
1443 /**
1444 * Return true iff <b>node</b> is a Tor relay that we are configured to
1445 * be able to connect to. */
1446 static int
1449 {
1450 /* NOTE: Make sure that this function stays in sync with
1451 * options_transition_affects_entry_guards */
1466 }
1468 /** Helper: Return true iff <b>bridge</b> passes our configuration
1469 * filter-- if it is a relay that we are configured to be able to
1470 * connect to. */
1471 static int
1474 {
1482 /* Ignore entrynodes */
1487 FIREWALL_OR_CONNECTION,
1492 }
1494 /**
1495 * Return true iff <b>guard</b> is a Tor relay that we are configured to
1496 * be able to connect to, and we haven't disabled it for omission from
1497 * the consensus or path bias issues. */
1498 static int
1501 {
1515 // This can happen when currently_listed is true, and we're not updating
1516 // it because we don't have a live consensus.
1518 }
1521 }
1522 }
1524 /** Return true iff <b>guard</b> is in the same family as <b>node</b>.
1525 */
1526 static int
1528 {
1533 /* If we don't have a node_t for the guard node, we might have
1534 * a bridge_info_t for it. So let's check to see whether the bridge
1535 * address matches has any family issues.
1536 *
1537 * (Strictly speaking, I believe this check is unnecessary, since we only
1538 * use it to avoid the exit's family when building circuits, and we don't
1539 * build multihop circuits until we have a routerinfo_t for the
1540 * bridge... at which point, we'll also have a node_t for the
1541 * bridge. Nonetheless, it seems wise to include it, in case our
1542 * assumptions change down the road. -nickm.)
1543 */
1545 tor_addr_t node_addr;
1550 }
1551 }
1553 }
1554 }
1556 /* Allocate and return a new exit guard restriction (where <b>exit_id</b> is of
1557 * size DIGEST_LEN) */
1558 STATIC entry_guard_restriction_t *
1560 {
1566 }
1568 /** If we have fewer than this many possible usable guards, don't set
1569 * MD-availability-based restrictions: we might blacklist all of them. */
1570 #define MIN_GUARDS_FOR_MD_RESTRICTION 10
1572 /** Return true if we should set md dirserver restrictions. We might not want
1573 * to set those if our guard options are too restricted, since we don't want
1574 * to blacklist all of them. */
1575 static int
1577 {
1581 /* Don't set restriction if too few reachable filtered guards. */
1586 }
1588 /* We have enough usable guards: set MD restriction */
1590 }
1592 /** Allocate and return an outdated md guard restriction. Return NULL if no
1593 * such restriction is needed. */
1594 STATIC entry_guard_restriction_t *
1596 {
1603 }
1609 }
1611 /* Return True if <b>guard</b> obeys the exit restriction <b>rst</b>. */
1612 static int
1615 {
1618 // Exclude the exit ID and all of its family.
1624 }
1626 /** Return True if <b>guard</b> should be used as a dirserver for fetching
1627 * microdescriptors. */
1628 static int
1630 {
1631 /* If this guard is an outdated dirserver, don't use it. */
1636 }
1642 }
1644 /**
1645 * Return true iff <b>guard</b> obeys the restrictions defined in <b>rst</b>.
1646 * (If <b>rst</b> is NULL, there are no restrictions.)
1647 */
1648 static int
1651 {
1660 }
1664 }
1666 /**
1667 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1668 * flags on <b>guard</b>. */
1669 void
1673 {
1685 }
1691 /* This guard might now be primary or nonprimary. */
1693 }
1694 }
1696 /**
1697 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1698 * flag on every guard in <b>gs</b>. */
1699 STATIC void
1701 {
1707 }
1709 /**
1710 * Return a random guard from the reachable filtered sample guards
1711 * in <b>gs</b>, subject to the exclusion rules listed in <b>flags</b>.
1712 * Return NULL if no such guard can be found.
1713 *
1714 * Make sure that the sample is big enough, and that all the filter flags
1715 * are set correctly, before calling this function.
1716 *
1717 * If a restriction is provided in <b>rst</b>, do not return any guards that
1718 * violate it.
1719 **/
1720 STATIC entry_guard_t *
1724 {
1746 }
1751 /* Build the set of reachable filtered guards. */
1777 }
1781 }
1783 /**
1784 * Helper: compare two entry_guard_t by their confirmed_idx values.
1785 * Used to sort the confirmed list.
1786 */
1787 static int
1789 {
1795 else
1797 }
1799 /**
1800 * Find the confirmed guards from among the sampled guards in <b>gs</b>,
1801 * and put them in confirmed_entry_guards in the correct
1802 * order. Recalculate their indices.
1803 */
1804 STATIC void
1806 {
1820 }
1827 }
1828 }
1830 /**
1831 * Mark <b>guard</b> as a confirmed guard -- that is, one that we have
1832 * connected to, and intend to use again.
1833 */
1834 STATIC void
1836 {
1853 // This confirmed guard might kick something else out of the primary
1854 // guards.
1858 }
1860 /**
1861 * Recalculate the list of primary guards (the ones we'd prefer to use) from
1862 * the filtered sample and the confirmed list.
1863 */
1864 STATIC void
1866 {
1869 // prevent recursion. Recursion is potentially very bad here.
1880 /* Set this flag now, to prevent the calls below from recursing. */
1883 /* First, can we fill it up with confirmed guards? */
1894 /* Can we keep any older primary guards? First remove all the ones
1895 * that we already kept. */
1899 }
1901 /* Now add any that are still good. */
1908 /* Mark the remaining previous primary guards as non-primary */
1910 }
1913 /* Finally, fill out the list with sampled guards. */
1916 SAMPLE_EXCLUDE_CONFIRMED|
1917 SAMPLE_EXCLUDE_PRIMARY|
1918 SAMPLE_NO_UPDATE_PRIMARY);
1923 }
1925 #if 1
1926 /* Debugging. */
1931 });
1935 new_primary_guards);
1946 }
1953 }
1955 /**
1956 * Return the number of seconds after the last attempt at which we should
1957 * retry a guard that has been failing since <b>failing_since</b>.
1958 */
1959 static int
1962 {
1972 }
1981 };
1987 }
1988 }
1989 /* LCOV_EXCL_START -- can't reach, since delays ends with TIME_MAX. */
1992 /* LCOV_EXCL_STOP */
1993 }
1995 /**
1996 * If <b>guard</b> is unreachable, consider whether enough time has passed
1997 * to consider it maybe-reachable again.
1998 */
1999 STATIC void
2001 {
2012 /* We should mark this retriable. */
2020 tbuf);
2025 }
2026 }
2028 /** Tell the entry guards subsystem that we have confirmed that as of
2029 * just now, we're on the internet. */
2030 void
2032 {
2034 }
2036 /**
2037 * Pick a primary guard for use with a circuit, if available. Update the
2038 * <b>last_tried_to_connect</b> time and the <b>is_pending</b> fields of the
2039 * guard as appropriate. Set <b>state_out</b> to the new guard-state
2040 * of the circuit.
2041 */
2044 guard_usage_t usage,
2047 {
2061 }
2067 }
2075 }
2079 }
2081 /**
2082 * For use with a circuit, pick a non-pending running filtered confirmed guard,
2083 * if one is available. Update the <b>last_tried_to_connect</b> time and the
2084 * <b>is_pending</b> fields of the guard as appropriate. Set <b>state_out</b>
2085 * to the new guard-state of the circuit.
2086 */
2089 guard_usage_t usage,
2092 {
2108 "guard %s for circuit. Will try other guards before using "
2112 }
2116 }
2118 /**
2119 * For use with a circuit, pick a confirmed usable filtered guard
2120 * at random. Update the <b>last_tried_to_connect</b> time and the
2121 * <b>is_pending</b> fields of the guard as appropriate. Set <b>state_out</b>
2122 * to the new guard-state of the circuit.
2123 */
2126 guard_usage_t usage,
2129 {
2136 rst,
2137 SAMPLE_EXCLUDE_CONFIRMED |
2138 SAMPLE_EXCLUDE_PRIMARY |
2139 SAMPLE_EXCLUDE_PENDING |
2140 flags);
2143 }
2149 "random guard %s for circuit. Will try other guards before "
2153 }
2155 /**
2156 * Get a guard for use with a circuit. Prefer to pick a running primary
2157 * guard; then a non-pending running filtered confirmed guard; then a
2158 * non-pending runnable filtered guard. Update the
2159 * <b>last_tried_to_connect</b> time and the <b>is_pending</b> fields of the
2160 * guard as appropriate. Set <b>state_out</b> to the new guard-state
2161 * of the circuit.
2162 */
2163 STATIC entry_guard_t *
2165 guard_usage_t usage,
2168 {
2176 /* "If any entry in PRIMARY_GUARDS has {is_reachable} status of
2177 <maybe> or <yes>, return the first such guard." */
2182 /* "Otherwise, if the ordered intersection of {CONFIRMED_GUARDS}
2183 and {USABLE_FILTERED_GUARDS} is nonempty, return the first
2184 entry in that intersection that has {is_pending} set to
2185 false." */
2190 /* "Otherwise, if there is no such entry, select a member at
2191 random from {USABLE_FILTERED_GUARDS}." */
2199 }
2202 }
2204 /**
2205 * Note that we failed to connect to or build circuits through <b>guard</b>.
2206 * Use with a guard returned by select_entry_guard_for_circuit().
2207 */
2208 STATIC void
2211 {
2225 }
2227 /**
2228 * Note that we successfully connected to, and built a circuit through
2229 * <b>guard</b>. Given the old guard-state of the circuit in <b>old_state</b>,
2230 * return the new guard-state of the circuit.
2231 *
2232 * Be aware: the circuit is only usable when its guard-state becomes
2233 * GUARD_CIRC_STATE_COMPLETE.
2234 **/
2235 STATIC unsigned
2239 {
2242 /* Save this, since we're about to overwrite it. */
2256 }
2266 FALLTHROUGH;
2269 /* XXXX #20832 -- I don't actually like this logic. It seems to make
2270 * us a little more susceptible to evil-ISP attacks. The mitigations
2271 * I'm thinking of, however, aren't local to this point, so I'll leave
2272 * it alone. */
2273 /* This guard may have become primary by virtue of being confirmed.
2274 * If so, the circuit for it is now complete.
2275 */
2279 }
2281 }
2287 }
2288 }
2296 }
2298 /**
2299 * Helper: Return true iff <b>a</b> has higher priority than <b>b</b>.
2300 */
2301 STATIC int
2303 {
2308 /* Confirmed is always better than unconfirmed; lower index better
2309 than higher */
2317 /* Lower confirmed_idx is better than higher. */
2319 }
2321 /* If we reach this point, both are unconfirmed. If one is pending, it
2322 * has higher priority. */
2327 /* Both are pending: earlier last_tried_connect wins. */
2333 /* Neither is pending: priorities are equal. */
2335 }
2336 }
2338 /** Release all storage held in <b>restriction</b> */
2339 STATIC void
2341 {
2343 }
2345 /**
2346 * Release all storage held in <b>state</b>.
2347 */
2348 void
2350 {
2356 }
2358 /** Allocate and return a new circuit_guard_state_t to track the result
2359 * of using <b>guard</b> for a given operation. */
2363 {
2373 }
2375 /**
2376 * Pick a suitable entry guard for a circuit in, and place that guard
2377 * in *<b>chosen_node_out</b>. Set *<b>guard_state_out</b> to an opaque
2378 * state object that will record whether the circuit is ready to be used
2379 * or not. Return 0 on success; on failure, return -1.
2380 *
2381 * If a restriction is provided in <b>rst</b>, do not return any guards that
2382 * violate it, and remember that restriction in <b>guard_state_out</b> for
2383 * later use. (Takes ownership of the <b>rst</b> object.)
2384 */
2385 int
2387 guard_usage_t usage,
2391 {
2406 // XXXX #20827 check Ed ID.
2417 fail:
2420 }
2422 /**
2423 * Called by the circuit building module when a circuit has succeeded: informs
2424 * the guards code that the guard in *<b>guard_state_p</b> is working, and
2425 * advances the state of the guard module. On a GUARD_USABLE_NEVER return
2426 * value, the circuit is broken and should not be used. On a GUARD_USABLE_NOW
2427 * return value, the circuit is ready to use. On a GUARD_MAYBE_USABLE_LATER
2428 * return value, the circuit should not be used until we find out whether
2429 * preferred guards will work for us.
2430 */
2431 guard_usable_t
2433 {
2452 }
2453 }
2455 /** Cancel the selection of *<b>guard_state_p</b> without declaring
2456 * success or failure. It is safe to call this function if success or
2457 * failure _has_ already been declared. */
2458 void
2460 {
2467 /* XXXX prop271 -- last_tried_to_connect_at will be erroneous here, but this
2468 * function will only get called in "bug" cases anyway. */
2472 }
2474 /**
2475 * Called by the circuit building module when a circuit has failed:
2476 * informs the guards code that the guard in *<b>guard_state_p</b> is
2477 * not working, and advances the state of the guard module.
2478 */
2479 void
2481 {
2493 }
2495 /**
2496 * Run the entry_guard_failed() function on every circuit that is
2497 * pending on <b>chan</b>.
2498 */
2499 void
2501 {
2513 /* We might have no guard state if we didn't use a guard on this
2514 * circuit (eg it's for a fallback directory). */
2516 }
2519 }
2521 /**
2522 * Return true iff every primary guard in <b>gs</b> is believed to
2523 * be unreachable.
2524 */
2525 STATIC int
2527 {
2537 }
2539 /** Wrapper for entry_guard_has_higher_priority that compares the
2540 * guard-priorities of a pair of circuits. Return 1 if <b>a</b> has higher
2541 * priority than <b>b</b>.
2542 *
2543 * If a restriction is provided in <b>rst</b>, then do not consider
2544 * <b>a</b> to have higher priority if it violates the restriction.
2545 */
2546 static int
2550 {
2561 /* Unknown guard -- never higher priority. */
2564 /* Known guard -- higher priority than any unknown guard. */
2567 /* Restriction violated; guard_a cannot have higher priority. */
2570 /* Both known -- compare.*/
2572 }
2573 }
2575 /**
2576 * Look at all of the origin_circuit_t * objects in <b>all_circuits_in</b>,
2577 * and see if any of them that were previously not ready to use for
2578 * guard-related reasons are now ready to use. Place those circuits
2579 * in <b>newly_complete_out</b>, and mark them COMPLETE.
2580 *
2581 * Return 1 if we upgraded any circuits, and 0 otherwise.
2582 */
2583 int
2587 {
2593 /* We only upgrade a waiting circuit if the primary guards are all
2594 * down. */
2598 }
2606 // We filter out circuits that aren't ours, or which we can't
2607 // reason about.
2615 /* Don't consider any marked for close circuits. */
2617 }
2632 }
2633 }
2640 }
2642 /* We'll need to keep track of what restrictions were used when picking this
2643 * circuit, so that we don't allow any circuit without those restrictions to
2644 * block it. */
2648 /* First look at the complete circuits: Do any block this circuit? */
2650 /* "C2 "blocks" C1 if:
2651 * C2 obeys all the restrictions that C1 had to obey, AND
2652 * C2 has higher priority than C1, AND
2653 * Either C2 is <complete>, or C2 is <waiting_for_better_guard>,
2654 or C2 has been <usable_if_no_better_guard> for no more than
2655 {NONPRIMARY_GUARD_CONNECT_TIMEOUT} seconds."
2656 */
2664 best_waiting_circuit))
2670 "%d complete and %d guard-stalled. At least one complete "
2674 }
2676 /* " * If any circuit C1 is <waiting_for_better_guard>, AND:
2677 * All primary guards have reachable status of <no>.
2678 * There is no circuit C2 that "blocks" C1.
2679 Then, upgrade C1 to <complete>.""
2680 */
2693 best_waiting_circuit))
2699 "%d guard-stalled, but %d pending circuit(s) had higher "
2703 }
2705 /* Okay. We have a best waiting circuit, and we aren't waiting for
2706 anything better. Add all circuits with that priority to the
2707 list, and call them COMPLETE. */
2714 /* Can't upgrade other circ with same priority as best; might
2715 be blocked. */
2717 }
2730 "%d guard-stalled, %d complete. %d of the guard-stalled "
2738 no_change:
2741 }
2743 /**
2744 * Return true iff the circuit whose state is <b>guard_state</b> should
2745 * expire.
2746 */
2747 int
2749 {
2756 }
2758 /**
2759 * Update all derived pieces of the guard selection state in <b>gs</b>.
2760 * Return true iff we should stop using all previously generated circuits.
2761 */
2762 int
2764 {
2770 }
2772 /**
2773 * Return a newly allocated string for encoding the persistent parts of
2774 * <b>guard</b> to the state file.
2775 */
2778 {
2779 /*
2780 * The meta-format we use is K=V K=V K=V... where K can be any
2781 * characters excepts space and =, and V can be any characters except
2782 * space. The order of entries is not allowed to matter.
2783 * Unrecognized K=V entries are persisted; recognized but erroneous
2784 * entries are corrected.
2785 */
2799 }
2802 }
2810 }
2815 }
2825 }
2829 /* Make a copy of the pathbias object, since we will want to update
2830 some of them */
2835 #define PB_FIELD(field) do { \
2836 if (pb->field >= EPSILON) { \
2838 } \
2839 } while (0)
2849 #undef PB_FIELD
2859 }
2861 /**
2862 * Given a string generated by entry_guard_encode_for_state(), parse it
2863 * (if possible) and return an entry_guard_t object for it. Return NULL
2864 * on complete failure.
2865 */
2866 STATIC entry_guard_t *
2868 {
2869 /* Unrecognized entries get put in here. */
2872 /* These fields get parsed from the string. */
2884 // pathbias
2894 /* Split up the entries. Put the ones we know about in strings and the
2895 * rest in "extra". */
2896 {
2900 #define FIELD(f) \
2901 strmap_set(vals, #f, &f);
2920 #undef FIELD
2930 }
2934 /* unrecognized or already set */
2938 }
2947 }
2955 }
2963 }
2965 /* Process the identity and nickname. */
2970 }
2978 }
2981 tor_addr_port_t res;
2987 /* On error, we already warned. */
2988 }
2990 /* Process the various time fields. */
2992 #define HANDLE_TIME(field) do { \
2993 if (field) { \
2994 int r = parse_iso_time_nospace(field, &field ## _time); \
2995 if (r < 0) { \
2997 #field, escaped(field)); \
2998 field##_time = -1; \
2999 } \
3000 } \
3001 } while (0)
3018 #undef HANDLE_TIME
3024 /* Take sampled_by_version verbatim. */
3028 /* Listed is a boolean */
3032 /* The index is a nonnegative integer. */
3042 }
3043 }
3045 /* Anything we didn't recognize gets crammed together */
3048 }
3050 /* initialize non-persistent fields */
3053 #define PB_FIELD(field) \
3054 do { \
3055 if (pb_ ## field) { \
3056 int ok = 1; \
3057 double r = tor_parse_double(pb_ ## field, 0.0, 1e9, &ok, NULL); \
3058 if (! ok) { \
3060 #field, pb_ ## field); \
3061 } else { \
3062 guard->pb.field = r; \
3063 } \
3064 } \
3065 } while (0)
3074 #undef PB_FIELD
3079 /* We update everything on this guard later, after we've parsed
3080 * everything. */
3084 err:
3085 // only consider it an error if the guard state was totally unparseable.
3089 done:
3113 }
3115 /**
3116 * Replace the Guards entries in <b>state</b> with a list of all our sampled
3117 * guards.
3118 */
3119 static void
3121 {
3140 }
3142 /**
3143 * Replace our sampled guards from the Guards entries in <b>state</b>. Return 0
3144 * on success, -1 on failure. (If <b>set</b> is true, replace nothing -- only
3145 * check whether replacing would work.)
3146 */
3147 static int
3149 {
3156 /* Wipe all our existing guard info. (we shouldn't have any, but
3157 * let's be safe.) */
3165 }
3172 }
3178 }
3189 }
3190 }
3196 }
3198 }
3200 /** If <b>digest</b> matches the identity of any node in the
3201 * entry_guards list for the provided guard selection state,
3202 return that node. Else return NULL. */
3203 entry_guard_t *
3206 {
3208 }
3210 /** Return the node_t associated with a single entry_guard_t. May
3211 * return NULL if the guard is not currently in the consensus. */
3214 {
3217 }
3219 /** If <b>digest</b> matches the identity of any node in the
3220 * entry_guards list for the default guard selection state,
3221 return that node. Else return NULL. */
3222 entry_guard_t *
3224 {
3227 }
3229 /** We are about to connect to bridge with identity <b>digest</b> to fetch its
3230 * descriptor. Create a new guard state for this connection and return it. */
3231 circuit_guard_state_t *
3233 {
3241 }
3243 /* Update the guard last_tried_to_connect time since it's checked by the
3244 * guard susbsystem. */
3247 /* Create the guard state */
3249 GUARD_CIRC_STATE_USABLE_ON_COMPLETION,
3250 NULL);
3253 }
3255 /** Release all storage held by <b>e</b>. */
3256 STATIC void
3258 {
3267 }
3269 /** Return 0 if we're fine adding arbitrary routers out of the
3270 * directory to our entry guard list, or return 1 if we have a
3271 * list already and we must stick to it.
3272 */
3273 int
3275 {
3276 // XXXX #21425 look at the current selection.
3282 }
3284 /** Return the number of bridges that have descriptors that are marked with
3285 * purpose 'bridge' and are running. If use_maybe_reachable is
3286 * true, include bridges that might be reachable in the count.
3287 * Otherwise, if it is false, only include bridges that have recently been
3288 * found running in the count.
3289 *
3290 * We use this function to decide if we're ready to start building
3291 * circuits through our bridges, or if we need to wait until the
3292 * directory "server/authority" requests finish. */
3295 {
3300 }
3304 }
3307 /* Not a bridge, or not one we are configured to be able to use. */
3310 /* Definitely not usable */
3313 /* If we want to be really sure the bridges will work, skip maybes */
3324 }
3326 /** Check the pathbias use success count of <b>node</b> and disable it if it
3327 * goes over our thresholds. */
3328 static void
3330 {
3334 /* Note: We rely on the < comparison here to allow us to set a 0
3335 * rate and disable the feature entirely. If refactoring, don't
3336 * change to <= */
3346 }
3347 }
3349 /** Check the pathbias close count of <b>node</b> and disable it if it goes
3350 * over our thresholds. */
3351 static void
3353 {
3357 /* Note: We rely on the < comparison here to allow us to set a 0
3358 * rate and disable the feature entirely. If refactoring, don't
3359 * change to <= */
3369 }
3370 }
3372 /** Parse <b>state</b> and learn about the entry guards it describes.
3373 * If <b>set</b> is true, and there are no errors, replace the guard
3374 * list in the default guard selection context with what we find.
3375 * On success, return 0. On failure, alloc into *<b>msg</b> a string
3376 * describing the error, and return -1.
3377 */
3378 int
3380 {
3388 }
3390 }
3392 }
3394 /** How long will we let a change in our guard nodes stay un-saved
3395 * when we are trying to avoid disk writes? */
3396 #define SLOW_GUARD_STATE_FLUSH_TIME 600
3397 /** How long will we let a change in our guard nodes stay un-saved
3398 * when we are not trying to avoid disk writes? */
3399 #define FAST_GUARD_STATE_FLUSH_TIME 30
3401 /** Our list of entry guards has changed for a particular guard selection
3402 * context, or some element of one of our entry guards has changed for one.
3403 * Write the changes to disk within the next few minutes.
3404 */
3405 void
3407 {
3416 else
3419 /* or_state_save() will call entry_guards_update_state() and
3420 entry_guards_update_guards_in_state()
3421 */
3423 }
3425 /** Our list of entry guards has changed for the default guard selection
3426 * context, or some element of one of our entry guards has changed. Write
3427 * the changes to disk within the next few minutes.
3428 */
3429 void
3431 {
3433 }
3435 /** If the entry guard info has not changed, do nothing and return.
3436 * Otherwise, free the EntryGuards piece of <b>state</b> and create
3437 * a new one out of the global entry_guards list, and then mark
3438 * <b>state</b> dirty so it will get saved to disk.
3439 */
3440 void
3442 {
3445 // Handles all guard info.
3453 }
3455 /** Return true iff the circuit's guard can succeed, that is, can be used. */
3456 int
3458 {
3460 /* we're fine with this circuit's first hop, because we're not
3461 * configured to use entry guards. */
3463 }
3467 }
3472 }
3475 }
3477 /**
3478 * Format a single entry guard in the format expected by the controller.
3479 * Return a newly allocated string.
3480 */
3483 {
3490 /* This is going to be a bit tricky, since the status
3491 * codes weren't really intended for prop271 guards.
3492 *
3493 * XXXX use a more appropriate format for exporting this information
3494 */
3507 }
3515 /* e->nickname field is not very reliable if we don't know about
3516 * this router any longer; don't include it. */
3517 }
3525 }
3527 }
3529 /** If <b>question</b> is the string "entry-guards", then dump
3530 * to *<b>answer</b> a newly allocated string describing all of
3531 * the nodes in the global entry_guards list. See control-spec.txt
3532 * for details.
3533 * For backward compatibility, we also handle the string "helper-nodes".
3534 *
3535 * XXX this should be totally redesigned after prop 271 too, and that's
3536 * going to take some control spec work.
3537 * */
3538 int
3542 {
3564 }
3566 }
3568 /* Given the original bandwidth of a guard and its guardfraction,
3569 * calculate how much bandwidth the guard should have as a guard and
3570 * as a non-guard.
3571 *
3572 * Quoting from proposal236:
3573 *
3574 * Let Wpf denote the weight from the 'bandwidth-weights' line a
3575 * client would apply to N for position p if it had the guard
3576 * flag, Wpn the weight if it did not have the guard flag, and B the
3577 * measured bandwidth of N in the consensus. Then instead of choosing
3578 * N for position p proportionally to Wpf*B or Wpn*B, clients should
3579 * choose N proportionally to F*Wpf*B + (1-F)*Wpn*B.
3580 *
3581 * This function fills the <b>guardfraction_bw</b> structure. It sets
3582 * <b>guard_bw</b> to F*B and <b>non_guard_bw</b> to (1-F)*B.
3583 */
3584 void
3588 {
3591 /* Turn the percentage into a fraction. */
3601 }
3603 /** Helper: Update the status of all entry guards, in whatever algorithm
3604 * is used. Return true if we should stop using all previously generated
3605 * circuits, by calling circuit_mark_all_unused_circs() and
3606 * circuit_mark_all_dirty_circs_as_unusable().
3607 */
3608 int
3610 {
3621 }
3623 /** Helper: pick a guard for a circuit, with whatever algorithm is
3624 used. */
3629 {
3634 /* Only apply restrictions if we have a specific exit node in mind, and only
3635 * if we are not doing vanguard circuits: we don't want to apply guard
3636 * restrictions to vanguard circuits. */
3639 /* We're building to a targeted exit node, so that node can't be
3640 * chosen as our guard for this circuit. Remember that fact in a
3641 * restriction. */
3644 }
3646 GUARD_USAGE_TRAFFIC,
3647 rst,
3651 }
3653 }
3655 /** Remove all currently listed entry guards for a given guard selection
3656 * context. This frees and replaces <b>gs</b>, so don't use <b>gs</b>
3657 * after calling this function. */
3658 void
3660 {
3661 // This function shouldn't exist. XXXX
3668 });
3672 }
3680 }
3682 /** Remove all currently listed entry guards, so new ones will be chosen.
3683 *
3684 * XXXX This function shouldn't exist -- it's meant to support the DROPGUARDS
3685 * command, which is deprecated.
3686 */
3687 void
3689 {
3691 }
3693 /** Helper: pick a directory guard, with whatever algorithm is used. */
3697 {
3701 /* If we are fetching microdescs, don't query outdated dirservers. */
3704 }
3707 GUARD_USAGE_DIRGUARD,
3708 rst,
3712 }
3714 }
3716 /**
3717 * If we're running with a constrained guard set, then maybe mark our guards
3718 * usable. Return 1 if we do; 0 if we don't.
3719 */
3720 int
3722 {
3729 }
3731 /**
3732 * Check if we are missing any crucial dirinfo for the guard subsystem to
3733 * work. Return NULL if everything went well, otherwise return a newly
3734 * allocated string with an informative error message. In the latter case, use
3735 * the genreal descriptor information <b>using_mds</b>, <b>num_present</b> and
3736 * <b>num_usable</b> to improve the error message. */
3741 {
3750 /* We want to check for the descriptor of at least the first two primary
3751 * guards in our list, since these are the guards that we typically use for
3752 * circuits. */
3754 num_primary_to_check++;
3760 n_considered++;
3762 n_missing_descriptors++;
3767 /* If we are not missing any descriptors, return NULL. */
3770 }
3772 /* otherwise return a helpful error string */
3774 "primary entry guards (total %sdescriptors: %d/%d). "
3780 }
3782 /** As guard_selection_have_enough_dir_info_to_build_circuits, but uses
3783 * the default guard selection. */
3787 {
3790 using_mds,
3792 }
3794 /** Free one guard selection context */
3795 STATIC void
3797 {
3807 }
3813 }
3815 /** Release all storage held by the list of entry guards and related
3816 * memory structs. */
3817 void
3819 {
3820 /* Null out the default */
3822 /* Free all the guard contexts */
3829 }
3831 }