| blob | 21ed0386643fef7911e579be32bf8a579cf3ad38 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2017, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circuitbuild.c
9 *
10 * \brief Implements the details of building circuits (by chosing paths,
11 * constructing/sending create/extend cells, and so on).
12 *
13 * On the client side, this module handles launching circuits. Circuit
14 * launches are srtarted from circuit_establish_circuit(), called from
15 * circuit_launch_by_extend_info()). To choose the path the circuit will
16 * take, onion_extend_cpath() calls into a maze of node selection functions.
17 *
18 * Once the circuit is ready to be launched, the first hop is treated as a
19 * special case with circuit_handle_first_hop(), since it might need to open a
20 * channel. As the channel opens, and later as CREATED and RELAY_EXTENDED
21 * cells arrive, the client will invoke circuit_send_next_onion_skin() to send
22 * CREATE or RELAY_EXTEND cells.
23 *
24 * On the server side, this module also handles the logic of responding to
25 * RELAY_EXTEND requests, using circuit_extend().
26 **/
28 #define CIRCUITBUILD_PRIVATE
34 #define CIRCUITBUILD_PRIVATE
82 /** This function tries to get a channel to the specified endpoint,
83 * and then calls command_setup_channel() to give it the right
84 * callbacks.
85 */
90 {
97 }
99 /** Search for a value for circ_id that we can use on <b>chan</b> for an
100 * outbound circuit, until we get a circ_id that is not in use by any other
101 * circuit on that conn.
102 *
103 * Return it, or 0 if can't get a unique circ_id.
104 */
105 STATIC circid_t
107 {
108 /* This number is chosen somewhat arbitrarily; see comment below for more
109 * info. When the space is 80% full, it gives a one-in-a-million failure
110 * chance; when the space is 90% full, it gives a one-in-850 chance; and when
111 * the space is 95% full, it gives a one-in-26 failure chance. That seems
112 * okay, though you could make a case IMO for anything between N=32 and
113 * N=256. */
114 #define MAX_CIRCID_ATTEMPTS 64
117 circid_t test_circ_id;
127 "Trying to pick a circuit ID for a connection from "
130 }
136 /* Make sure we don't loop forever because all circuit IDs are used.
137 *
138 * Once, we would try until we had tried every possible circuit ID. But
139 * that's quite expensive. Instead, we try MAX_CIRCID_ATTEMPTS random
140 * circuit IDs, and then give up.
141 *
142 * This potentially causes us to give up early if our circuit ID space
143 * is nearly full. If we have N circuit IDs in use, then we will reject
144 * a new circuit with probability (N / max_range) ^ MAX_CIRCID_ATTEMPTS.
145 * This means that in practice, a few percent of our circuit ID capacity
146 * will go unused.
147 *
148 * The alternative here, though, is to do a linear search over the
149 * whole circuit ID space every time we extend a circuit, which is
150 * not so great either.
151 */
160 "circID support, with %u inbound and %u outbound circuits. "
161 "Found %u circuit IDs in use by circuits, and %u with "
162 "pending destroy cells. (%u of those were marked bogusly.) "
163 "The ones with pending destroy cells "
164 "have been marked unusable for an average of %ld seconds "
165 "and a maximum of %ld seconds. This channel is %ld seconds "
173 m);
177 /* This warning should be impossible. */
180 }
182 /* analysis so far on 12184 suggests that we're running out of circuit
183 IDs because it looks like we have too many pending destroy
184 cells. Let's see how many we really have pending.
185 */
190 "of which %u are active. It says it has "I64_FORMAT
196 /* Change this into "if (1)" in order to get more information about
197 * possible failure modes here. You'll need to know how to use gdb with
198 * Tor: this will make Tor exit with an assertion failure if the cmux is
199 * corrupt. */
206 }
221 since_when =
230 }
231 }
234 }
236 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
237 * the currently built elements of <b>circ</b>. If <b>verbose</b> is true, also
238 * list information about link status in a more verbose format using spaces.
239 * If <b>verbose_names</b> is false, give nicknames for Named routers and hex
240 * digests for others; if <b>verbose_names</b> is true, use $DIGEST=Name style
241 * names.
242 */
245 {
262 }
289 }
298 }
299 }
307 }
315 }
317 /** If <b>verbose</b> is false, allocate and return a comma-separated
318 * list of the currently built elements of <b>circ</b>. If
319 * <b>verbose</b> is true, also list information about link status in
320 * a more verbose format using spaces.
321 */
324 {
326 }
328 /** Allocate and return a comma-separated list of the currently built elements
329 * of <b>circ</b>, giving each as a verbose nickname.
330 */
333 {
335 }
337 /** Log, at severity <b>severity</b>, the nicknames of each router in
338 * <b>circ</b>'s cpath. Also log the length of the cpath, and the intended
339 * exit point.
340 */
341 void
343 {
347 }
349 /** Tell the rep(utation)hist(ory) module about the status of the links
350 * in <b>circ</b>. Hops that have become OPEN are marked as successfully
351 * extended; the _first_ hop that isn't open (if any) is marked as
352 * unable to extend.
353 */
354 /* XXXX Someday we should learn from OR circuits too. */
355 void
357 {
368 }
378 }
379 }
383 }
386 }
388 /** Return 1 iff every node in circ's cpath definitely supports ntor. */
389 static int
391 {
396 /* if the extend_info is missing, we can't tell if it supports ntor */
399 }
401 /* if the key is blank, it definitely doesn't support ntor */
404 }
409 }
411 /** Pick all the entries in our cpath. Stop and return 0 when we're
412 * happy, or return -1 if an error occurs. */
413 static int
415 {
418 /* onion_extend_cpath assumes these are non-NULL */
427 }
428 }
430 /* The path is complete */
433 /* Does every node in this path support ntor? */
436 /* We would like every path to support ntor, but we have to allow for some
437 * edge cases. */
440 /* Circuits from clients to intro points, and hidden services to
441 * rend points do not support ntor, because the hidden service protocol
442 * does not include ntor onion keys. This is also true for Tor2web clients
443 * and Single Onion Services. */
445 }
448 /* Allow for bootstrapping: when we're fetching directly from a fallback,
449 * authority, or bridge, we have no way of knowing its ntor onion key
450 * before we connect to it. So instead, we try connecting, and end up using
451 * CREATE_FAST. */
456 /* If we don't know the node and its descriptor, we must be bootstrapping.
457 */
460 }
461 }
464 /* If we're building a multi-hop path, and it's not one of the HS or
465 * bootstrapping exceptions, and it doesn't support ntor, something has
466 * gone wrong. */
468 }
471 }
473 /** Create and return a new origin circuit. Initialize its purpose and
474 * build-state based on our arguments. The <b>flags</b> argument is a
475 * bitfield of CIRCLAUNCH_* flags. */
476 origin_circuit_t *
478 {
479 /* sets circ->p_circ_id and circ->p_chan */
493 }
495 /** Build a new circuit for <b>purpose</b>. If <b>exit</b>
496 * is defined, then use that as your exit router, else choose a suitable
497 * exit node.
498 *
499 * Also launch a connection to the first OR in the chosen path, if
500 * it's not open already.
501 */
502 origin_circuit_t *
504 {
514 }
521 }
523 }
525 /** Return the guard state associated with <b>circ</b>, which may be NULL. */
526 circuit_guard_state_t *
528 {
530 }
532 /** Start establishing the first hop of our circuit. Figure out what
533 * OR we should connect to, and if necessary start the connection to
534 * it. If we're already connected, then send the 'create' cell.
535 * Return 0 for ok, -reason if circ should be marked-for-close. */
536 int
538 {
550 /* Some bridges are on private addresses. Others pass a dummy private
551 * address to the pluggable transport, which ignores it.
552 * Deny the connection if:
553 * - the address is internal, and
554 * - we're not connecting to a configured bridge, and
555 * - we're not configured to allow extends to private addresses. */
562 }
564 /* now see if we're already connected to the first OR in 'route' */
576 /* not currently connected in a useful way. */
593 }
594 }
597 /* return success. The onion/circuit/etc will be taken care of
598 * automatically (may already have been) whenever n_chan reaches
599 * OR_CONN_STATE_OPEN.
600 */
610 }
611 }
613 }
615 /** Find any circuits that are waiting on <b>or_conn</b> to become
616 * open and get them to send their create cells forward.
617 *
618 * Status is 1 if connect succeeded, or 0 if connect failed.
619 *
620 * Close_origin_circuits is 1 if we should close all the origin circuits
621 * through this channel, or 0 otherwise. (This happens when we want to retry
622 * an older guard.)
623 */
624 void
626 {
640 {
641 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
642 * leaving them in in case it's possible for the status of a circuit to
643 * change as we're going down the list. */
649 /* Look at addr/port. This is an unkeyed connection. */
653 /* We expected a key. See if it's the right one. */
657 }
662 }
667 }
669 /* circuit_deliver_create_cell will set n_circ_id and add us to
670 * chan_circuid_circuit_map, so we don't need to call
671 * set_circid_chan here. */
683 /* XXX could this be bad, eg if next_onion_skin failed because conn
684 * died? */
685 }
687 /* pull the create cell out of circ->n_chan_create_cell, and send it */
692 }
695 }
696 }
700 }
702 /** Find a new circid that isn't currently in use on the circ->n_chan
703 * for the outgoing
704 * circuit <b>circ</b>, and deliver the cell <b>create_cell</b> to this
705 * circuit. If <b>relayed</b> is true, this is a create cell somebody
706 * gave us via an EXTEND cell, so we shouldn't worry if we don't understand
707 * it. Return -1 if we failed to find a suitable circid, else return 0.
708 */
709 static int
712 {
713 cell_t cell;
714 circid_t id;
730 }
738 }
747 /* Update began timestamp for circuits starting their first hop */
751 "Got first hop for a circuit without an opened channel. "
754 }
757 }
759 /* mark it so it gets better rate limiting treatment. */
761 }
764 error:
767 }
769 /** We've decided to start our reachability testing. If all
770 * is set, log this to the user. Return 1 if we did, or 0 if
771 * we chose not to log anything. */
772 int
774 {
790 }
792 "(this may take up to %d minutes -- look for log "
801 }
803 /** Return true iff we should send a create_fast cell to start building a given
804 * circuit */
807 {
813 /* We don't have ntor, and we don't have or can't use TAP,
814 * so our hand is forced: only a create_fast will work. */
816 }
818 /* We're a server, and we have a usable onion key. We can choose.
819 * Prefer to blend our circuit into the other circuits we are
820 * creating on behalf of others. */
822 }
824 }
826 /** Return true if <b>circ</b> is the type of circuit we want to count
827 * timeouts from. In particular, we want it to have not completed yet
828 * (already completing indicates we cannibalized it), and we want it to
829 * have exactly three hops.
830 */
831 int
833 {
836 }
838 /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b>
839 * directly, and set *<b>cell_type_out</b> and *<b>handshake_type_out</b>
840 * accordingly.
841 * Note that TAP handshakes in CREATE cells are only used for direct
842 * connections:
843 * - from Tor2web to intro points not in the client's consensus, and
844 * - from Single Onions to rend points not in the service's consensus.
845 * This is checked in onion_populate_cpath. */
846 static void
850 {
851 /* torspec says: In general, clients SHOULD use CREATE whenever they are
852 * using the TAP handshake, and CREATE2 otherwise. */
857 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
860 }
861 }
863 /** Decide whether to use a TAP or ntor handshake for extending to <b>ei</b>
864 * and set *<b>handshake_type_out</b> accordingly. Decide whether we should
865 * use an EXTEND2 or an EXTEND cell to do so, and set *<b>cell_type_out</b>
866 * and *<b>create_cell_type_out</b> accordingly.
867 * Note that TAP handshakes in EXTEND cells are only used:
868 * - from clients to intro points, and
869 * - from hidden services to rend points.
870 * This is checked in onion_populate_cpath.
871 */
872 static void
877 {
881 /* torspec says: Clients SHOULD use the EXTEND format whenever sending a TAP
882 * handshake... In other cases, clients SHOULD use EXTEND2. */
887 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
890 }
891 }
893 /**
894 * Return true iff <b>purpose</b> is a purpose for a circuit which is
895 * allowed to have no guard configured, even if the circuit is multihop
896 * and guards are enabled.
897 */
898 static int
900 {
904 /* Testing circuits may omit guards because they're measuring
905 * liveness or performance, and don't want guards to interfere. */
908 /* All other multihop circuits should use guards if guards are
909 * enabled. */
911 }
912 }
914 /** This is the backbone function for building circuits.
915 *
916 * If circ's first hop is closed, then we need to build a create
917 * cell and send it forward.
918 *
919 * Otherwise, we need to build a relay extend cell and send it
920 * forward.
921 *
922 * Return -reason if we want to tear down circ, else return 0.
923 */
924 int
926 {
941 }
942 }
943 }
945 static int
947 {
949 /* This is the first hop. */
950 create_cell_t cc;
960 /* If this is not a one-hop tunnel, the channel is being used
961 * for traffic that wants anonymity and protection from traffic
962 * analysis (such as netflow record retention). That means we want
963 * to pad it.
964 */
967 }
972 /* We are an OR and we know the right onion key: we should
973 * send a create cell.
974 */
978 /* We are not an OR, and we're building the first hop of a circuit to a
979 * new OR: we can be speedy and use CREATE_FAST to save an RSA operation
980 * and a DH operation. */
983 }
992 }
1004 }
1006 static int
1008 {
1009 /* done building the circuit. whew. */
1010 guard_usable_t r;
1018 }
1022 }
1027 // Wait till either a better guard succeeds, or till
1028 // all better guards fail.
1033 }
1035 /* XXXX #21422 -- the rest of this branch needs careful thought!
1036 * Some of the things here need to happen when a circuit becomes
1037 * mechanically open; some need to happen when it is actually usable.
1038 * I think I got them right, but more checking would be wise. -NM
1039 */
1047 /*
1048 * If the circuit build time is much greater than we would have cut
1049 * it off at, we probably had a suspend event along this codepath,
1050 * and we should discard the value.
1051 */
1059 /* Only count circuit times if the network is live */
1065 }
1070 }
1071 }
1072 }
1078 }
1088 /* FFFF Log a count of known routers here */
1090 "Tor has successfully opened a circuit. "
1094 "Tor has successfully opened a circuit. "
1096 }
1102 }
1103 }
1105 /* We're done with measurement circuits here. Just close them */
1108 }
1110 }
1112 static int
1115 {
1116 extend_cell_t ec;
1122 }
1133 /* Set the ED25519 identity too -- it will only get included
1134 * in the extend2 cell if we're configured to use it, though. */
1144 }
1148 {
1155 }
1157 /* send it to hop->prev, because it will transfer
1158 * it to a create cell and then send to hop */
1160 command,
1164 }
1167 }
1169 /** Our clock just jumped by <b>seconds_elapsed</b>. Assume
1170 * something has also gone wrong with our network: notify the user,
1171 * and abandon all not-yet-used circuits. */
1172 void
1174 {
1181 seconds_elapsed);
1182 /* so we log when it works again */
1189 /* Restart all the timers in case we jumped a long way into the past. */
1191 }
1192 }
1194 /** Take the 'extend' <b>cell</b>, pull out addr/port plus the onion
1195 * skin and identity digest for the next hop. If we're already connected,
1196 * pass the onion skin to the next hop using a create cell; otherwise
1197 * launch a new OR connection, and <b>circ</b> will notice when the
1198 * connection succeeds or fails.
1199 *
1200 * Return -1 if we want to warn and tear down the circuit, else return 0.
1201 */
1202 int
1204 {
1206 relay_header_t rh;
1207 extend_cell_t ec;
1215 }
1220 }
1226 }
1236 }
1242 }
1249 }
1251 /* Check if they asked us for 0000..0000. We support using
1252 * an empty fingerprint for the first hop (e.g. for a bridge relay),
1253 * but we don't want to let clients send us extend cells for empty
1254 * fingerprints -- a) because it opens the user up to a mitm attack,
1255 * and b) because it lets an attacker force the relay to hold open a
1256 * new TLS connection for each extend request. */
1261 }
1263 /* Fill in ed_pubkey if it was not provided and we can infer it from
1264 * our networkstatus */
1272 }
1273 }
1275 /* Next, check if we're being asked to connect to the hop that the
1276 * extend cell came from. There isn't any reason for that, and it can
1277 * assist circular-path attacks. */
1280 DIGEST_LEN)) {
1284 }
1286 /* Check the previous hop Ed25519 ID too */
1291 "Client asked me to extend back to the previous hop "
1293 }
1320 /* we should try to open a connection */
1329 }
1331 }
1332 /* return success. The onion/circuit/etc will be taken care of
1333 * automatically (may already have been) whenever n_chan reaches
1334 * OR_CONN_STATE_OPEN.
1335 */
1337 }
1349 }
1351 /** Initialize cpath-\>{f|b}_{crypto|digest} from the key material in
1352 * key_data. key_data must contain CPATH_KEY_MATERIAL bytes, which are
1353 * used as follows:
1354 * - 20 to initialize f_digest
1355 * - 20 to initialize b_digest
1356 * - 16 to key f_crypto
1357 * - 16 to key b_crypto
1358 *
1359 * (If 'reverse' is true, then f_XX and b_XX are swapped.)
1360 */
1361 int
1364 {
1382 }
1387 }
1396 }
1399 }
1401 /** A "created" cell <b>reply</b> came back to us on circuit <b>circ</b>.
1402 * (The body of <b>reply</b> varies depending on what sort of handshake
1403 * this is.)
1404 *
1405 * Calculate the appropriate keys and digests, make sure KH is
1406 * correct, and initialize this hop of the cpath.
1407 *
1408 * Return - reason if we want to mark circ for close, else return 0.
1409 */
1410 int
1413 {
1421 }
1430 }
1431 }
1434 {
1445 }
1446 }
1452 }
1460 }
1462 /** We received a relay truncated cell on circ.
1463 *
1464 * Since we don't send truncates currently, getting a truncated
1465 * means that a connection broke or an extend failed. For now,
1466 * just give up: force circ to close, and return 0.
1467 */
1468 int
1470 {
1471 // crypt_path_t *victim;
1472 // connection_t *stream;
1477 /* XXX Since we don't send truncates currently, getting a truncated
1478 * means that a connection broke or an extend failed. For now,
1479 * just give up.
1480 */
1485 #if 0
1487 /* we need to clear out layer->next */
1495 /* no need to send 'end' relay cells,
1496 * because the other side's already dead
1497 */
1499 }
1500 }
1504 }
1508 #endif
1509 }
1511 /** Given a response payload and keys, initialize, then send a created
1512 * cell back.
1513 */
1514 int
1519 {
1520 cell_t cell;
1527 }
1542 }
1559 /* Ignore the local bit when ExtendAllowPrivateAddresses is set:
1560 * it violates the assumption that private addresses are local.
1561 * Also, many test networks run on local addresses, and
1562 * TestingTorNetwork sets ExtendAllowPrivateAddresses. */
1566 /* record that we could process create cells from a non-local conn
1567 * that we didn't initiate; presumably this means that create cells
1568 * can reach us too. */
1570 }
1573 }
1575 /** Helper for new_route_len(). Choose a circuit length for purpose
1576 * <b>purpose</b>: DEFAULT_ROUTE_LEN (+ 1 if someone else chose the
1577 * exit). If someone else chose the exit, they could be colluding
1578 * with the exit, so add a randomly selected node to preserve
1579 * anonymity.
1580 *
1581 * Here, "exit node" sometimes means an OR acting as an internal
1582 * endpoint, rather than as a relay to an external endpoint. This
1583 * means there need to be at least DEFAULT_ROUTE_LEN routers between
1584 * us and the internal endpoint to preserve the same anonymity
1585 * properties that we would get when connecting to an external
1586 * endpoint. These internal endpoints can include:
1587 *
1588 * - Connections to a directory of hidden services
1589 * (CIRCUIT_PURPOSE_C_GENERAL)
1590 *
1591 * - A client connecting to an introduction point, which the hidden
1592 * service picked (CIRCUIT_PURPOSE_C_INTRODUCING, via
1593 * circuit_get_open_circ_or_launch() which rewrites it from
1594 * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT)
1595 *
1596 * - A hidden service connecting to a rendezvous point, which the
1597 * client picked (CIRCUIT_PURPOSE_S_CONNECT_REND, via
1598 * rend_service_receive_introduction() and
1599 * rend_service_relaunch_rendezvous)
1600 *
1601 * There are currently two situations where we picked the exit node
1602 * ourselves, making DEFAULT_ROUTE_LEN a safe circuit length:
1603 *
1604 * - We are a hidden service connecting to an introduction point
1605 * (CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, via
1606 * rend_service_launch_establish_intro())
1607 *
1608 * - We are a router testing its own reachabiity
1609 * (CIRCUIT_PURPOSE_TESTING, via consider_testing_reachability())
1610 *
1611 * onion_pick_cpath_exit() bypasses us (by not calling
1612 * new_route_len()) in the one-hop tunnel case, so we don't need to
1613 * handle that.
1614 */
1615 static int
1617 {
1625 /* These two purposes connect to a router that we chose, so
1626 * DEFAULT_ROUTE_LEN is safe. */
1628 /* hidden service connecting to introduction point */
1630 /* router reachability testing */
1634 /* These three purposes connect to a router that someone else
1635 * might have chosen, so add an extra hop to protect anonymity. */
1637 /* connecting to hidden service directory */
1639 /* client connecting to introduction point */
1641 /* hidden service connecting to rendezvous point */
1643 routelen++;
1647 /* Got a purpose not listed above along with a chosen exit.
1648 * Increase the circuit length by one anyway for safety. */
1649 routelen++;
1651 }
1656 }
1658 }
1660 /** Choose a length for a circuit of purpose <b>purpose</b> and check
1661 * if enough routers are available.
1662 *
1663 * If the routerlist <b>nodes</b> doesn't have enough routers
1664 * to handle the desired path length, return -1.
1665 */
1666 STATIC int
1668 {
1686 }
1689 }
1691 /** Return a newly allocated list of uint16_t * for each predicted port not
1692 * handled by a current circuit. */
1695 {
1699 }
1701 /** Return 1 if we already have circuits present or on the way for
1702 * all anticipated ports. Return 0 if we should make more.
1703 *
1704 * If we're returning 0, set need_uptime and need_capacity to
1705 * indicate any requirements that the unhandled ports have.
1706 */
1710 {
1717 // Always predict need_capacity
1725 }
1728 }
1730 /** Return 1 if <b>node</b> can handle one or more of the ports in
1731 * <b>needed_ports</b>, else return 0.
1732 */
1733 static int
1740 addr_policy_result_t r;
1741 /* alignment issues aren't a worry for this dereference, since
1742 needed_ports is explicitly a smartlist of uint16_t's */
1747 else
1751 }
1753 }
1755 /** Return true iff <b>conn</b> needs another general circuit to be
1756 * built. */
1757 static int
1759 {
1772 MIN_CIRCUITS_HANDLING_STREAM))
1775 }
1777 /** Return a pointer to a suitable router to be the exit node for the
1778 * general-purpose circuit we're about to build.
1779 *
1780 * Look through the connection array, and choose a router that maximizes
1781 * the number of pending streams that can exit from this router.
1782 *
1783 * Return NULL if we can't find any suitable routers.
1784 */
1787 {
1799 /* Count how many connections are waiting for a circuit to be built.
1800 * We use this for log messages now, but in the future we may depend on it.
1801 */
1803 {
1806 });
1807 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
1808 // n_pending_connections);
1809 /* Now we count, for each of the routers in the directory, how many
1810 * of the pending connections could possibly exit from that
1811 * router (n_supported[i]). (We can't be sure about cases where we
1812 * don't know the IP address of the pending connection.)
1813 *
1814 * -1 means "Don't use this router at all."
1815 */
1822 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
1823 /* XXX there's probably a reverse predecessor attack here, but
1824 * it's slow. should we take this out? -RD
1825 */
1827 }
1831 }
1835 }
1837 /* never pick a non-general node as a random exit. */
1840 }
1844 }
1849 }
1854 * this makes us reject all the possible routers: if so,
1855 * we'll retry later in this function with need_update and
1856 * need_capacity set to 0. */
1857 }
1859 /* if it's invalid and we don't want it */
1861 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- invalid router.",
1862 // router->nickname, i);
1864 }
1865 /* We do not allow relays that allow single hop exits by default. Option
1866 * was deprecated in 0.2.9.2-alpha and removed in 0.3.1.0-alpha. */
1870 }
1873 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
1874 // router->nickname, i);
1876 }
1878 /* iterate over connections */
1884 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
1885 // router->nickname, i, n_supported[i]);
1887 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
1888 // router->nickname, i);
1889 }
1892 /* Leave best_support at -1 if that's where it is, so we can
1893 * distinguish it later. */
1895 }
1897 /* If this router is better than previous ones, remember its index
1898 * and goodness, and start counting how many routers are this good. */
1900 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
1901 // router->nickname);
1903 /* If this router is _as good_ as the best one, just increment the
1904 * count of equally good routers.*/
1906 }
1911 n_pending_connections);
1913 /* If any routers definitely support any pending connections, choose one
1914 * at random. */
1921 });
1926 /* Either there are no pending connections, or no routers even seem to
1927 * possibly support any of them. Choose a router at random that satisfies
1928 * at least one predicted exit port. */
1936 "We couldn't find any live%s%s routers; falling back "
1942 }
1946 }
1950 /* try once to pick only from routers that satisfy a needed port,
1951 * then if there are none, pick from any that support exiting. */
1955 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
1956 // try, router->nickname);
1958 }
1965 /* If we reach this point, we can't actually support any unhandled
1966 * predicted ports, so clear all the remaining ones. */
1969 }
1973 }
1979 }
1982 "No exits in ExitNodes%s seem to be running: "
1986 }
1988 }
1990 #if defined(ENABLE_TOR2WEB_MODE) || defined(TOR_UNIT_TESTS)
1991 /* The config option Tor2webRendezvousPoints has been set and we need
1992 * to pick an RP out of that set. Make sure that the RP we choose is
1993 * alive, and return it. Return NULL if no usable RP could be found in
1994 * Tor2webRendezvousPoints. */
1998 {
2009 /* Add all running nodes to all_live_nodes */
2012 need_desc,
2013 pref_addr,
2014 direct_conn);
2016 /* Filter all_live_nodes to only add live *and* whitelisted RPs to
2017 * the list whitelisted_live_rps. */
2021 }
2024 /* Honor ExcludeNodes */
2027 }
2029 /* Now pick randomly amongst the whitelisted RPs. No need to waste time
2030 doing bandwidth load balancing, for most use cases
2031 'whitelisted_live_rps' contains a single OR anyway. */
2037 }
2043 }
2044 #endif
2046 /* Pick a Rendezvous Point for our HS circuits according to <b>flags</b>. */
2049 {
2052 #ifdef ENABLE_TOR2WEB_MODE
2053 /* We want to connect directly to the node if we can */
2058 /* The user wants us to pick specific RPs. */
2061 options);
2064 }
2065 }
2067 /* Else, if no direct, preferred tor2web RP was found, fall back to choosing
2068 * a random direct node */
2070 direct_flags);
2071 /* Return the direct node (if found), or log a message and fall back to an
2072 * indirect connection. */
2077 "Unable to find a random rendezvous point that is reachable via "
2079 }
2080 #endif
2083 }
2085 /** Return a pointer to a suitable router to be the exit node for the
2086 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
2087 * if no router is suitable).
2088 *
2089 * For general-purpose circuits, pass it off to
2090 * choose_good_exit_server_general()
2091 *
2092 * For client-side rendezvous circuits, choose a random node, weighted
2093 * toward the preferences in 'options'.
2094 */
2098 {
2110 else
2113 {
2114 /* Pick a new RP */
2119 }
2120 }
2124 }
2126 /** Log a warning if the user specified an exit for the circuit that
2127 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
2128 static void
2131 {
2141 {
2175 }
2178 /* We should never get here if StrictNodes is set to 1. */
2181 "even though StrictNodes is set. Please report. "
2188 "ExcludeNodes%s, because no better options were available. To "
2189 "prevent this (and possibly break your Tor functionality), "
2190 "set the StrictNodes configuration option. "
2195 }
2197 }
2200 }
2202 /** Decide a suitable length for circ's cpath, and pick an exit
2203 * router (or use <b>exit</b> if provided). Store these in the
2204 * cpath. Return 0 if ok, -1 if circuit should be closed. */
2205 static int
2207 {
2220 }
2234 }
2238 }
2241 }
2243 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
2244 * hop to the cpath reflecting this. Don't send the next extend cell --
2245 * the caller will do this if it wants to.
2246 */
2247 int
2249 {
2262 }
2264 /** Take an open <b>circ</b>, and add a new hop at the end, based on
2265 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
2266 * send the next extend cell to begin connecting to that hop.
2267 */
2268 int
2270 {
2283 }
2285 // XXX: Should cannibalized circuits be dirty or not? Not easy to say..
2288 }
2290 /** Return the number of routers in <b>routers</b> that are currently up
2291 * and available for building circuits through.
2292 */
2295 {
2299 // log_debug(LD_CIRC,
2300 // "Contemplating whether router %d (%s) is a new option.",
2301 // i, r->nickname);
2303 // log_debug(LD_CIRC,"Nope, the directory says %d is not running.",i);
2306 // log_debug(LD_CIRC,"Nope, the directory says %d is not valid.",i);
2310 /* The node has a descriptor, so we can just check the ntor key directly */
2316 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
2319 }
2321 /** Add <b>new_hop</b> to the end of the doubly-linked-list <b>head_ptr</b>.
2322 * This function is used to extend cpath by another hop.
2323 */
2324 void
2326 {
2335 }
2336 }
2338 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
2339 * and <b>state</b> and the cpath <b>head</b> (currently populated only
2340 * to length <b>cur_len</b> to decide a suitable middle hop for a
2341 * circuit. In particular, make sure we don't pick the exit node or its
2342 * family, and make sure we don't duplicate any previous nodes or their
2343 * families. */
2349 {
2360 cur_len);
2364 }
2368 }
2369 }
2378 }
2380 /** Pick a good entry server for the circuit to be built according to
2381 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
2382 * router (if we're an OR), and respect firewall settings; if we're
2383 * configured to use entry guards, return one.
2384 *
2385 * If <b>state</b> is NULL, we're choosing a router to serve as an entry
2386 * guard, not for any particular circuit.
2387 *
2388 * Set *<b>guard_state_out</b> to information about the guard that
2389 * we're selecting, which we'll use later to remember whether the
2390 * guard worked or not.
2391 */
2395 {
2399 /* If possible, choose an entry server with a preferred address,
2400 * otherwise, choose one with an allowed address */
2402 CRN_DIRECT_CONN);
2407 /* This request is for an entry server to use for a regular circuit,
2408 * and we use entry guard nodes. Just return one of the guard nodes. */
2411 }
2416 /* Exclude the exit node from the state, if we have one. Also exclude its
2417 * family. */
2419 }
2426 }
2431 }
2433 /** Return the first non-open hop in cpath, or return NULL if all
2434 * hops are open. */
2437 {
2445 }
2447 /** Choose a suitable next hop in the cpath <b>head_ptr</b>,
2448 * based on <b>state</b>. Append the hop info to head_ptr.
2449 *
2450 * Return 1 if the path is complete, 0 if we successfully added a hop,
2451 * and -1 on error.
2452 */
2453 static int
2455 {
2465 }
2476 /* If we're a client, use the preferred address rather than the
2477 primary address, for potentially connecting to an IPv6 OR
2478 port. Servers always want the primary (IPv4) address. */
2481 /* Clients can fail to find an allowed address */
2483 }
2490 }
2491 }
2497 }
2506 }
2508 /** Create a new hop, annotate it with information about its
2509 * corresponding router <b>choice</b>, and append it to the
2510 * end of the cpath <b>head_ptr</b>. */
2511 static int
2513 {
2516 /* link hop into the cpath, at the end. */
2528 }
2530 /** Allocate a new extend_info object based on the various arguments. */
2531 extend_info_t *
2538 {
2553 }
2555 /** Allocate and return a new extend_info that can be used to build a
2556 * circuit to or through the node <b>node</b>. Use the primary address
2557 * of the node (i.e. its IPv4 address) unless
2558 * <b>for_direct_connect</b> is true, in which case the preferred
2559 * address is used instead. May return NULL if there is not enough
2560 * info about <b>node</b> to extend to it--for example, if there is no
2561 * routerinfo_t or microdesc_t, or if for_direct_connect is true and none of
2562 * the node's addresses are allowed by tor's firewall and IP version config.
2563 **/
2564 extend_info_t *
2566 {
2567 tor_addr_port_t ap;
2573 /* Choose a preferred address first, but fall back to an allowed address.
2574 * choose_address returns 1 on success, but get_prim_orport returns 0. */
2577 FIREWALL_OR_CONNECTION,
2579 else
2586 else
2590 /* Every node we connect or extend to must support ntor */
2593 "Attempted to create extend_info for a node that does not support "
2596 }
2600 /* Don't send the ed25519 pubkey unless the target node actually supports
2601 * authenticating with it. */
2609 }
2614 ed_pubkey,
2622 ed_pubkey,
2627 else
2629 }
2631 /** Release storage held by an extend_info_t struct. */
2632 void
2634 {
2639 }
2641 /** Allocate and return a new extend_info_t with the same contents as
2642 * <b>info</b>. */
2643 extend_info_t *
2645 {
2652 else
2655 }
2657 /** Return the node_t for the chosen exit router in <b>state</b>.
2658 * If there is no chosen exit, or if we don't know the node_t for
2659 * the chosen exit, return NULL.
2660 */
2663 {
2667 }
2669 /** Return the RSA ID digest for the chosen exit router in <b>state</b>.
2670 * If there is no chosen exit, return NULL.
2671 */
2674 {
2678 }
2680 /** Return the nickname for the chosen exit router in <b>state</b>. If
2681 * there is no chosen exit, or if we don't know the routerinfo_t for the
2682 * chosen exit, return NULL.
2683 */
2686 {
2690 }
2692 /** Return true iff the given address can be used to extend to. */
2693 int
2695 {
2698 /* Check if we have a private address and if we can extend to it. */
2702 }
2703 /* Allowed! */
2705 disallow:
2707 }
2709 /* Does ei have a valid TAP key? */
2710 int
2712 {
2714 /* Valid TAP keys are not NULL */
2716 }
2718 /* Does ei have a valid ntor key? */
2719 int
2721 {
2723 /* Valid ntor keys have at least one non-zero byte */
2726 CURVE25519_PUBKEY_LEN);
2727 }
2729 /* Is circuit purpose allowed to use the deprecated TAP encryption protocol?
2730 * The hidden service protocol still uses TAP for some connections, because
2731 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2732 static int
2734 {
2737 }
2739 /* Is circ allowed to use the deprecated TAP encryption protocol?
2740 * The hidden service protocol still uses TAP for some connections, because
2741 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2742 int
2744 {
2750 }
2752 /* Does circ have an onion key which it's allowed to use? */
2753 int
2755 {
2761 }
2763 /* Does ei have an onion key which it would prefer to use?
2764 * Currently, we prefer ntor keys*/
2765 int
2767 {
2770 }
2772 /** Find the circuits that are waiting to find out whether their guards are
2773 * usable, and if any are ready to become usable, mark them open and try
2774 * attaching streams as appropriate. */
2775 void
2777 {
2793 }