| blob | 65fcaf4089b41d8247afec7b2b452769e391230b |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2012, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circuitbuild.c
9 * \brief The actual details of building circuits.
10 **/
12 #define CIRCUIT_PRIVATE
36 #undef log
37 #include <math.h>
39 #ifndef MIN
40 #define MIN(a,b) ((a)<(b)?(a):(b))
41 #endif
43 #define CBT_BIN_TO_MS(bin) ((bin)*CBT_BIN_WIDTH + (CBT_BIN_WIDTH/2))
45 /********* START VARIABLES **********/
46 /** Global list of circuit build times */
47 // XXXX023: Add this as a member for entry_guard_t instead of global?
48 // Then we could do per-guard statistics, as guards are likely to
49 // vary in their own latency. The downside of this is that guards
50 // can change frequently, so we'd be building a lot more circuits
51 // most likely.
52 /* XXXX023 Make this static; add accessor functions. */
53 circuit_build_times_t circ_times;
55 /** A global list of all circuits at this hop. */
58 /** An entry_guard_t represents our information about a chosen long-term
59 * first hop, known as a "helper" node in the literature. We can't just
60 * use a node_t, since we want to remember these even when we
61 * don't have any directory info. */
66 * "0" if we don't know. */
68 * if we don't know. */
70 * router, 1 if we have. */
72 * in spite of having it marked as unreachable?*/
74 * for this node already? */
76 * of path bias issues? */
78 * which it was observed to become (according to the
79 * directory or the user configuration) unusable. */
81 * time at which we first noticed we couldn't
82 * connect to it. */
84 * at which we last failed to connect to it. */
88 * this guard as first hop. */
91 /** Information about a configured bridge. Currently this just matches the
92 * ones in the torrc file, but one day we may be able to learn about new
93 * bridges on our own, and remember them in the state file. */
95 /** Address of the bridge. */
96 tor_addr_t addr;
97 /** TLS port for the bridge. */
99 /** Boolean: We are re-parsing our bridge list, and we are going to remove
100 * this one if we don't find it in the list of configured bridges. */
102 /** Expected identity digest, or all zero bytes if we don't know what the
103 * digest should be. */
106 /** Name of pluggable transport protocol taken from its config line. */
109 /** When should we next try to fetch a descriptor for this bridge? */
110 download_status_t fetch_status;
113 /** A list of our chosen entry guards. */
115 /** A value of 1 means that the entry_guards list has changed
116 * and those changes need to be flushed to disk. */
119 /** If set, we're running the unit tests: we should avoid clobbering
120 * our state file or accessing get_options() or get_or_state() */
123 /********* END VARIABLES ************/
138 /**
139 * This function decides if CBT learning should be disabled. It returns
140 * true if one or more of the following four conditions are met:
141 *
142 * 1. If the cbtdisabled consensus parameter is set.
143 * 2. If the torrc option LearnCircuitBuildTimeout is false.
144 * 3. If we are a directory authority
145 * 4. If we fail to write circuit build time history to our state file.
146 */
147 static int
149 {
160 state_disabled) {
162 "CircuitBuildTime learning is disabled. "
165 state_disabled);
169 "CircuitBuildTime learning is not disabled. "
172 state_disabled);
174 }
175 }
176 }
178 /**
179 * Retrieve and bounds-check the cbtmaxtimeouts consensus paramter.
180 *
181 * Effect: When this many timeouts happen in the last 'cbtrecentcount'
182 * circuit attempts, the client should discard all of its history and
183 * begin learning a fresh timeout value.
184 */
185 static int32_t
187 {
191 CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT,
192 CBT_MIN_MAX_RECENT_TIMEOUT_COUNT,
193 CBT_MAX_MAX_RECENT_TIMEOUT_COUNT);
197 "circuit_build_times_max_timeouts() called, cbtmaxtimeouts is"
199 cbt_maxtimeouts);
200 }
203 }
205 /**
206 * Retrieve and bounds-check the cbtnummodes consensus paramter.
207 *
208 * Effect: This value governs how many modes to use in the weighted
209 * average calculation of Pareto parameter Xm. A value of 3 introduces
210 * some bias (2-5% of CDF) under ideal conditions, but allows for better
211 * performance in the event that a client chooses guard nodes of radically
212 * different performance characteristics.
213 */
214 static int32_t
216 {
218 CBT_DEFAULT_NUM_XM_MODES,
219 CBT_MIN_NUM_XM_MODES,
220 CBT_MAX_NUM_XM_MODES);
224 "circuit_build_times_default_num_xm_modes() called, cbtnummodes"
226 num);
227 }
230 }
232 /**
233 * Retrieve and bounds-check the cbtmincircs consensus paramter.
234 *
235 * Effect: This is the minimum number of circuits to build before
236 * computing a timeout.
237 */
238 static int32_t
240 {
242 CBT_DEFAULT_MIN_CIRCUITS_TO_OBSERVE,
243 CBT_MIN_MIN_CIRCUITS_TO_OBSERVE,
244 CBT_MAX_MIN_CIRCUITS_TO_OBSERVE);
248 "circuit_build_times_min_circs_to_observe() called, cbtmincircs"
250 num);
251 }
254 }
256 /** Return true iff <b>cbt</b> has recorded enough build times that we
257 * want to start acting on the timeout it implies. */
258 int
260 {
262 }
264 /**
265 * Retrieve and bounds-check the cbtquantile consensus paramter.
266 *
267 * Effect: This is the position on the quantile curve to use to set the
268 * timeout value. It is a percent (10-99).
269 */
270 double
272 {
274 CBT_DEFAULT_QUANTILE_CUTOFF,
275 CBT_MIN_QUANTILE_CUTOFF,
276 CBT_MAX_QUANTILE_CUTOFF);
280 "circuit_build_times_quantile_cutoff() called, cbtquantile"
282 num);
283 }
286 }
288 /* DOCDOC circuit_build_times_get_bw_scale */
289 int
291 {
293 BW_WEIGHT_SCALE,
294 BW_MIN_WEIGHT_SCALE,
295 BW_MAX_WEIGHT_SCALE);
296 }
298 /**
299 * Retrieve and bounds-check the cbtclosequantile consensus paramter.
300 *
301 * Effect: This is the position on the quantile curve to use to set the
302 * timeout value to use to actually close circuits. It is a percent
303 * (0-99).
304 */
305 static double
307 {
309 /* Cast is safe - circuit_build_times_quantile_cutoff() is capped */
312 CBT_DEFAULT_CLOSE_QUANTILE,
313 CBT_MIN_CLOSE_QUANTILE,
314 CBT_MAX_CLOSE_QUANTILE);
318 "circuit_build_times_close_quantile() called, cbtclosequantile"
320 }
326 }
328 }
330 /**
331 * Retrieve and bounds-check the cbttestfreq consensus paramter.
332 *
333 * Effect: Describes how often in seconds to build a test circuit to
334 * gather timeout values. Only applies if less than 'cbtmincircs'
335 * have been recorded.
336 */
337 static int32_t
339 {
341 CBT_DEFAULT_TEST_FREQUENCY,
342 CBT_MIN_TEST_FREQUENCY,
343 CBT_MAX_TEST_FREQUENCY);
348 num);
349 }
352 }
354 /**
355 * Retrieve and bounds-check the cbtmintimeout consensus parameter.
356 *
357 * Effect: This is the minimum allowed timeout value in milliseconds.
358 * The minimum is to prevent rounding to 0 (we only check once
359 * per second).
360 */
361 static int32_t
363 {
365 CBT_DEFAULT_TIMEOUT_MIN_VALUE,
366 CBT_MIN_TIMEOUT_MIN_VALUE,
367 CBT_MAX_TIMEOUT_MIN_VALUE);
372 num);
373 }
376 }
378 /**
379 * Retrieve and bounds-check the cbtinitialtimeout consensus paramter.
380 *
381 * Effect: This is the timeout value to use before computing a timeout,
382 * in milliseconds.
383 */
384 int32_t
386 {
389 CBT_DEFAULT_TIMEOUT_INITIAL_VALUE,
390 CBT_MIN_TIMEOUT_INITIAL_VALUE,
391 CBT_MAX_TIMEOUT_INITIAL_VALUE);
395 "circuit_build_times_initial_timeout() called, "
397 param);
398 }
404 }
406 }
408 /**
409 * Retrieve and bounds-check the cbtrecentcount consensus paramter.
410 *
411 * Effect: This is the number of circuit build times to keep track of
412 * for deciding if we hit cbtmaxtimeouts and need to reset our state
413 * and learn a new timeout.
414 */
415 static int32_t
417 {
420 CBT_DEFAULT_RECENT_CIRCUITS,
421 CBT_MIN_RECENT_CIRCUITS,
422 CBT_MAX_RECENT_CIRCUITS);
426 "circuit_build_times_recent_circuit_count() called, "
428 num);
429 }
432 }
434 /**
435 * This function is called when we get a consensus update.
436 *
437 * It checks to see if we have changed any consensus parameters
438 * that require reallocation or discard of previous stats.
439 */
440 void
443 {
446 /*
447 * First check if we're doing adaptive timeouts at all; nothing to
448 * update if we aren't.
449 */
458 "circuits we must track to detect network failures from %d "
464 /*
465 * Technically this is a circular array that we are reallocating
466 * and memcopying. However, since it only consists of either 1s
467 * or 0s, and is only used in a statistical test to determine when
468 * we should discard our history after a sufficient number of 1's
469 * have been reached, it is fine if order is not preserved or
470 * elements are lost.
471 *
472 * cbtrecentcount should only be changing in cases of severe network
473 * distress anyway, so memory correctness here is paramount over
474 * doing acrobatics to preserve the array.
475 */
481 }
483 // Adjust the index if it needs it.
487 }
492 }
493 /* else no change, nothing to do */
495 /*
496 * Weird. This probably shouldn't happen, so log a warning, but try
497 * to do something sensible anyway.
498 */
501 "The cbtrecentcircs consensus parameter came back zero! "
502 "This disables adaptive timeouts since we can't keep track of "
506 }
508 /*
509 * Adaptive timeouts are disabled; this might be because of the
510 * LearnCircuitBuildTimes config parameter, and hence permanent, or
511 * the cbtdisabled consensus parameter, so it may be a new condition.
512 * Treat it like getting num == 0 above and free the circuit history
513 * if we have any.
514 */
517 }
518 }
520 /** Make a note that we're running unit tests (rather than running Tor
521 * itself), so we avoid clobbering our state file. */
522 void
524 {
526 }
528 /**
529 * Return the initial default or configured timeout in milliseconds
530 */
531 static double
533 {
536 /*
537 * Check if we have LearnCircuitBuildTimeout, and if we don't,
538 * always use CircuitBuildTimeout, no questions asked.
539 */
547 }
550 }
553 }
556 }
558 /**
559 * Reset the build time state.
560 *
561 * Leave estimated parameters, timeout and network liveness intact
562 * for future use.
563 */
564 void
566 {
571 }
573 /**
574 * Initialize the buildtimes structure for first use.
575 *
576 * Sets the initial timeout values based on either the config setting,
577 * the consensus param, or the default (CBT_DEFAULT_TIMEOUT_INITIAL_VALUE).
578 */
579 void
581 {
583 /*
584 * Check if we really are using adaptive timeouts, and don't keep
585 * track of this stuff if not.
586 */
595 }
598 }
600 /**
601 * Free the saved timeouts, if the cbtdisabled consensus parameter got turned
602 * on or something.
603 */
605 void
607 {
612 }
615 }
617 #if 0
618 /**
619 * Rewind our build time history by n positions.
620 */
621 static void
623 {
632 }
638 }
641 "Rewound history by %d places. Current index: %d. "
643 }
644 #endif
646 /**
647 * Add a new build time value <b>time</b> to the set of build times. Time
648 * units are milliseconds.
649 *
650 * circuit_build_times <b>cbt</b> is a circular array, so loop around when
651 * array is full.
652 */
653 int
655 {
661 }
671 /* Save state every n circuit builds */
674 }
677 }
679 /**
680 * Return maximum circuit build time
681 */
682 static build_time_t
684 {
691 }
693 }
695 #if 0
696 /** Return minimum circuit build time */
697 build_time_t
699 {
706 }
709 }
711 }
712 #endif
714 /**
715 * Calculate and return a histogram for the set of build times.
716 *
717 * Returns an allocated array of histrogram bins representing
718 * the frequency of index*CBT_BIN_WIDTH millisecond
719 * build times. Also outputs the number of bins in nbins.
720 *
721 * The return value must be freed by the caller.
722 */
726 {
734 // calculate histogram
742 }
745 }
747 /**
748 * Return the Pareto start-of-curve parameter Xm.
749 *
750 * Because we are not a true Pareto curve, we compute this as the
751 * weighted average of the N most frequent build time bins. N is either
752 * 1 if we don't have enough circuit build time data collected, or
753 * determined by the consensus parameter cbtnummodes (default 3).
754 */
755 static build_time_t
757 {
769 // Only use one mode if < 1000 buildtimes. Not enough data
770 // for multiple.
776 /* Determine the N most common build times */
780 }
787 }
788 }
789 }
796 }
798 /* The following assert is safe, because we don't get called when we
799 * haven't observed at least CBT_MIN_MIN_CIRCUITS_TO_OBSERVE circuits. */
807 }
809 /**
810 * Output a histogram of current circuit build times to
811 * the or_state_t state structure.
812 */
813 void
816 {
823 // write to state
834 }
837 // compress the histogram by skipping the blanks
844 }
849 }
852 }
854 /**
855 * Shuffle the build times array.
856 *
857 * Adapted from http://en.wikipedia.org/wiki/Fisher-Yates_shuffle
858 */
859 static void
863 {
867 "uses to calculate build times is less than the number stored "
868 "in your state file. Decreasing the circuit time history from "
870 CBT_NCIRCUITS_TO_OBSERVE);
871 }
875 "observations in your state file. That's far too many; probably "
878 }
880 /* This code can only be run on a compact array */
886 }
888 /* Since the times are now shuffled, take a random CBT_NCIRCUITS_TO_OBSERVE
889 * subset (ie the first CBT_NCIRCUITS_TO_OBSERVE values) */
892 }
893 }
895 /**
896 * Filter old synthetic timeouts that were created before the
897 * new right-censored Pareto calculation was deployed.
898 *
899 * Once all clients before 0.2.1.13-alpha are gone, this code
900 * will be unused.
901 */
902 static int
904 {
915 num_filtered++;
920 }
921 }
924 "We had %d timeouts out of %d build times, "
930 }
932 /**
933 * Load histogram from <b>state</b>, shuffling the resulting array
934 * after we do so. Use this result to estimate parameters and
935 * calculate the timeout.
936 *
937 * Return -1 on error.
938 */
939 int
942 {
953 }
955 /* build_time_t 0 means uninitialized */
973 build_time_t ms;
984 }
994 }
999 "Too many build times in state file. "
1005 }
1009 }
1010 N++;
1013 }
1014 }
1020 }
1024 "Corrupt state file? Build times count mismatch. "
1030 }
1034 /* Verify that we didn't overwrite any indexes */
1038 tot_values++;
1039 }
1047 "Corrupt state file? Shuffled build times mismatch. "
1053 }
1059 }
1061 done:
1064 }
1066 /**
1067 * Estimates the Xm and Alpha parameters using
1068 * http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation
1069 *
1070 * The notable difference is that we use mode instead of min to estimate Xm.
1071 * This is because our distribution is frechet-like. We claim this is
1072 * an acceptable approximation because we are only concerned with the
1073 * accuracy of the CDF of the tail.
1074 */
1075 int
1077 {
1083 /* http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation */
1084 /* We sort of cheat here and make our samples slightly more pareto-like
1085 * and less frechet-like. */
1093 }
1098 abandoned_count++;
1103 }
1104 n++;
1105 }
1107 /*
1108 * We are erring and asserting here because this can only happen
1109 * in codepaths other than startup. The startup state parsing code
1110 * performs this same check, and resets state if it hits it. If we
1111 * hit it at runtime, something serious has gone wrong.
1112 */
1116 }
1120 /* This can happen if Xm is actually the *maximum* value in the set.
1121 * It can also happen if we've abandoned every single circuit somehow.
1122 * In either case, tell the caller not to compute a new build timeout. */
1124 "Could not determine largest build time (%d). "
1128 }
1133 // Estimator comes from Eq #4 in:
1134 // "Bayesian estimation based on trimmed samples from Pareto populations"
1135 // by Arturo J. Fernández. We are right-censored only.
1141 }
1143 /**
1144 * This is the Pareto Quantile Function. It calculates the point x
1145 * in the distribution such that F(x) = quantile (ie quantile*100%
1146 * of the mass of the density function is below x on the curve).
1147 *
1148 * We use it to calculate the timeout and also to generate synthetic
1149 * values of time for circuits that timeout before completion.
1150 *
1151 * See http://en.wikipedia.org/wiki/Quantile_function,
1152 * http://en.wikipedia.org/wiki/Inverse_transform_sampling and
1153 * http://en.wikipedia.org/wiki/Pareto_distribution#Generating_a_
1154 * random_sample_from_Pareto_distribution
1155 * That's right. I'll cite wikipedia all day long.
1156 *
1157 * Return value is in milliseconds.
1158 */
1159 double
1162 {
1171 }
1174 }
1176 /** Pareto CDF */
1177 double
1179 {
1185 }
1187 /**
1188 * Generate a synthetic time using our distribution parameters.
1189 *
1190 * The return value will be within the [q_lo, q_hi) quantile points
1191 * on the CDF.
1192 */
1193 build_time_t
1196 {
1198 build_time_t ret;
1201 /* Generate between [q_lo, q_hi) */
1202 /*XXXX This is what nextafter is supposed to be for; we should use it on the
1203 * platforms that support it. */
1213 /* circuit_build_times_calculate_timeout returns <= INT32_MAX */
1218 }
1220 /**
1221 * Estimate an initial alpha parameter by solving the quantile
1222 * function with a quantile point and a specific timeout value.
1223 */
1224 void
1227 {
1228 // Q(u) = Xm/((1-u)^(1/a))
1229 // Q(0.8) = Xm/((1-0.8))^(1/a)) = CircBuildTimeout
1230 // CircBuildTimeout = Xm/((1-0.8))^(1/a))
1231 // CircBuildTimeout = Xm*((1-0.8))^(-1/a))
1232 // ln(CircBuildTimeout) = ln(Xm)+ln(((1-0.8)))*(-1/a)
1233 // -ln(1-0.8)/(ln(CircBuildTimeout)-ln(Xm))=a
1239 }
1241 /**
1242 * Returns true if we need circuits to be built
1243 */
1244 int
1246 {
1247 /* Return true if < MIN_CIRCUITS_TO_OBSERVE */
1249 }
1251 /**
1252 * Returns true if we should build a timeout test circuit
1253 * right now.
1254 */
1255 int
1257 {
1260 }
1262 /**
1263 * Called to indicate that the network showed some signs of liveness,
1264 * i.e. we received a cell.
1265 *
1266 * This is used by circuit_build_times_network_check_live() to decide
1267 * if we should record the circuit build timeout or not.
1268 *
1269 * This function is called every time we receive a cell. Avoid
1270 * syscalls, events, and other high-intensity work.
1271 */
1272 void
1274 {
1278 "Tor now sees network activity. Restoring circuit build "
1279 "timeout recording. Network was down for %d seconds "
1283 }
1286 }
1288 /**
1289 * Called to indicate that we completed a circuit. Because this circuit
1290 * succeeded, it doesn't count as a timeout-after-the-first-hop.
1291 *
1292 * This is used by circuit_build_times_network_check_changed() to determine
1293 * if we had too many recent timeouts and need to reset our learned timeout
1294 * to something higher.
1295 */
1296 void
1298 {
1299 /* Check for NULLness because we might not be using adaptive timeouts */
1306 }
1307 }
1309 /**
1310 * A circuit just timed out. If it failed after the first hop, record it
1311 * in our history for later deciding if the network speed has changed.
1312 *
1313 * This is used by circuit_build_times_network_check_changed() to determine
1314 * if we had too many recent timeouts and need to reset our learned timeout
1315 * to something higher.
1316 */
1317 static void
1320 {
1321 /* Check for NULLness because we might not be using adaptive timeouts */
1329 }
1330 }
1331 }
1333 /**
1334 * A circuit was just forcibly closed. If there has been no recent network
1335 * activity at all, but this circuit was launched back when we thought the
1336 * network was live, increment the number of "nonlive" circuit timeouts.
1337 *
1338 * This is used by circuit_build_times_network_check_live() to decide
1339 * if we should record the circuit build timeout or not.
1340 */
1341 static void
1344 {
1346 /*
1347 * Check if this is a timeout that was for a circuit that spent its
1348 * entire existence during a time where we have had no network activity.
1349 */
1359 "Circuit somehow completed a hop while the network was "
1360 "not live. Network was last live at %s, but circuit launched "
1362 now_buf);
1363 }
1367 "Tor has not observed any network activity for the past %d "
1374 }
1375 }
1376 }
1378 /**
1379 * When the network is not live, we do not record circuit build times.
1380 *
1381 * The network is considered not live if there has been at least one
1382 * circuit build that began and ended (had its close_ms measurement
1383 * period expire) since we last received a cell.
1384 *
1385 * Also has the side effect of rewinding the circuit time history
1386 * in the case of recent liveness changes.
1387 */
1388 int
1390 {
1393 }
1396 }
1398 /**
1399 * Returns true if we have seen more than MAX_RECENT_TIMEOUT_COUNT of
1400 * the past RECENT_CIRCUITS time out after the first hop. Used to detect
1401 * if the network connection has changed significantly, and if so,
1402 * resets our circuit build timeout to the default.
1403 *
1404 * Also resets the entire timeout history in this case and causes us
1405 * to restart the process of building test circuits and estimating a
1406 * new timeout.
1407 */
1408 int
1410 {
1417 /* how many of our recent circuits made it to the first hop but then
1418 * timed out? */
1421 }
1422 }
1424 /* If 80% of our recent circuits are timing out after the first hop,
1425 * we need to re-estimate a new initial alpha and timeout. */
1428 }
1436 }
1439 /* Check to see if this has happened before. If so, double the timeout
1440 * to give people on abysmally bad network connections a shot at access */
1449 }
1453 }
1458 "Your network connection speed appears to have changed. Resetting "
1461 total_build_times);
1464 }
1466 /**
1467 * Count the number of timeouts in a set of cbt data.
1468 */
1469 double
1471 {
1475 timeouts++;
1476 }
1477 }
1483 }
1485 /**
1486 * Count the number of closed circuits in a set of cbt data.
1487 */
1488 double
1490 {
1494 closed++;
1495 }
1496 }
1502 }
1504 /**
1505 * Store a timeout as a synthetic value.
1506 *
1507 * Returns true if the store was successful and we should possibly
1508 * update our timeout estimate.
1509 */
1510 int
1514 {
1519 }
1521 /* Record this force-close to help determine if the network is dead */
1524 /* Only count timeouts if network is live.. */
1527 }
1531 }
1533 /**
1534 * Update timeout counts to determine if we need to expire
1535 * our build time history due to excessive timeouts.
1536 *
1537 * We do not record any actual time values at this stage;
1538 * we are only interested in recording the fact that a timeout
1539 * happened. We record the time values via
1540 * circuit_build_times_count_close() and circuit_build_times_add_time().
1541 */
1542 void
1545 {
1550 }
1552 /* Register the fact that a timeout just occurred. */
1555 /* If there are a ton of timeouts, we should reset
1556 * the circuit build timeout. */
1558 }
1560 /**
1561 * Estimate a new timeout based on history and set our timeout
1562 * variable accordingly.
1563 */
1564 static int
1566 {
1567 build_time_t max_time;
1582 /* Sometimes really fast guard nodes give us such a steep curve
1583 * that this ends up being not that much greater than timeout_ms.
1584 * Make it be at least 1 min to handle this case. */
1589 "Circuit build timeout of %dms is beyond the maximum build "
1593 }
1597 "Circuit build measurement period of %dms is more than twice "
1598 "the maximum build time we have ever observed. Capping it to "
1601 }
1605 }
1607 /**
1608 * Exposed function to compute a new timeout. Dispatches events and
1609 * also filters out extremely high timeout values.
1610 */
1611 void
1613 {
1617 /*
1618 * Just return if we aren't using adaptive timeouts
1619 */
1631 /* This shouldn't happen because of MAX() in timeout_worker above,
1632 * but doing it just in case */
1634 }
1635 }
1643 "Based on %d circuit times, it looks like we don't need to "
1644 "wait so long for circuits to finish. We will now assume a "
1651 timeout_rate);
1654 "Based on %d circuit times, it looks like we need to wait "
1655 "longer for circuits to finish. We will now assume a "
1662 timeout_rate);
1665 "Set circuit build timeout to %lds (%fms, %fms, Xm: %d, a: %f,"
1670 }
1671 }
1673 /** Iterate over values of circ_id, starting from conn-\>next_circ_id,
1674 * and with the high bit specified by conn-\>circ_id_type, until we get
1675 * a circ_id that is not in use by any other circuit on that conn.
1676 *
1677 * Return it, or 0 if can't get a unique circ_id.
1678 */
1679 static circid_t
1681 {
1682 circid_t test_circ_id;
1684 circid_t high_bit;
1691 }
1694 /* Sequentially iterate over test_circ_id=1...1<<15-1 until we find a
1695 * circID such that (high_bit|test_circ_id) is not already used. */
1700 }
1702 /* Make sure we don't loop forever if all circ_id's are used. This
1703 * matters because it's an external DoS opportunity.
1704 */
1707 }
1711 }
1713 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
1714 * the currently built elements of <b>circ</b>. If <b>verbose</b> is true, also
1715 * list information about link status in a more verbose format using spaces.
1716 * If <b>verbose_names</b> is false, give nicknames for Named routers and hex
1717 * digests for others; if <b>verbose_names</b> is true, use $DIGEST=Name style
1718 * names.
1719 */
1722 {
1739 }
1766 }
1775 }
1776 }
1784 }
1792 }
1794 /** If <b>verbose</b> is false, allocate and return a comma-separated
1795 * list of the currently built elements of <b>circ</b>. If
1796 * <b>verbose</b> is true, also list information about link status in
1797 * a more verbose format using spaces.
1798 */
1801 {
1803 }
1805 /** Allocate and return a comma-separated list of the currently built elements
1806 * of <b>circ</b>, giving each as a verbose nickname.
1807 */
1810 {
1812 }
1814 /** Log, at severity <b>severity</b>, the nicknames of each router in
1815 * <b>circ</b>'s cpath. Also log the length of the cpath, and the intended
1816 * exit point.
1817 */
1818 void
1820 {
1824 }
1826 /** Tell the rep(utation)hist(ory) module about the status of the links
1827 * in <b>circ</b>. Hops that have become OPEN are marked as successfully
1828 * extended; the _first_ hop that isn't open (if any) is marked as
1829 * unable to extend.
1830 */
1831 /* XXXX Someday we should learn from OR circuits too. */
1832 void
1834 {
1845 }
1855 }
1856 }
1860 }
1863 }
1865 /** Pick all the entries in our cpath. Stop and return 0 when we're
1866 * happy, or return -1 if an error occurs. */
1867 static int
1869 {
1871 again:
1876 }
1880 }
1882 /** Create and return a new origin circuit. Initialize its purpose and
1883 * build-state based on our arguments. The <b>flags</b> argument is a
1884 * bitfield of CIRCLAUNCH_* flags. */
1885 origin_circuit_t *
1887 {
1888 /* sets circ->p_circ_id and circ->p_conn */
1902 }
1904 /** Build a new circuit for <b>purpose</b>. If <b>exit</b>
1905 * is defined, then use that as your exit router, else choose a suitable
1906 * exit node.
1907 *
1908 * Also launch a connection to the first OR in the chosen path, if
1909 * it's not open already.
1910 */
1911 origin_circuit_t *
1913 {
1923 }
1930 }
1932 }
1934 /** Start establishing the first hop of our circuit. Figure out what
1935 * OR we should connect to, and if necessary start the connection to
1936 * it. If we're already connected, then send the 'create' cell.
1937 * Return 0 for ok, -reason if circ should be marked-for-close. */
1938 int
1940 {
1951 /* now see if we're already connected to the first OR in 'route' */
1962 /* not currently connected in a useful way. */
1977 }
1978 }
1981 /* return success. The onion/circuit/etc will be taken care of
1982 * automatically (may already have been) whenever n_conn reaches
1983 * OR_CONN_STATE_OPEN.
1984 */
1993 }
1994 }
1996 }
1998 /** Find any circuits that are waiting on <b>or_conn</b> to become
1999 * open and get them to send their create cells forward.
2000 *
2001 * Status is 1 if connect succeeded, or 0 if connect failed.
2002 */
2003 void
2005 {
2017 {
2018 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
2019 * leaving them in in case it's possible for the status of a circuit to
2020 * change as we're going down the list. */
2026 /* Look at addr/port. This is an unkeyed connection. */
2031 /* We expected a key. See if it's the right one. */
2035 }
2040 }
2042 /* circuit_deliver_create_cell will set n_circ_id and add us to
2043 * orconn_circuid_circuit_map, so we don't need to call
2044 * set_circid_orconn here. */
2056 /* XXX could this be bad, eg if next_onion_skin failed because conn
2057 * died? */
2058 }
2060 /* pull the create cell out of circ->onionskin, and send it */
2066 }
2069 }
2070 }
2074 }
2076 /** Find a new circid that isn't currently in use on the circ->n_conn
2077 * for the outgoing
2078 * circuit <b>circ</b>, and deliver a cell of type <b>cell_type</b>
2079 * (either CELL_CREATE or CELL_CREATE_FAST) with payload <b>payload</b>
2080 * to this circuit.
2081 * Return -1 if we failed to find a suitable circid, else return 0.
2082 */
2083 static int
2086 {
2087 cell_t cell;
2088 circid_t id;
2099 }
2112 /* mark it so it gets better rate limiting treatment. */
2114 }
2117 }
2119 /** We've decided to start our reachability testing. If all
2120 * is set, log this to the user. Return 1 if we did, or 0 if
2121 * we chose not to log anything. */
2122 int
2124 {
2138 }
2140 "(this may take up to %d minutes -- look for log "
2148 }
2150 /** Return true iff we should send a create_fast cell to start building a given
2151 * circuit */
2154 {
2164 /* We're a server, and we know an onion key. We can choose.
2165 * Prefer to blend our circuit into the other circuits we are
2166 * creating on behalf of others. */
2168 }
2171 }
2173 /** Return true if <b>circ</b> is the type of circuit we want to count
2174 * timeouts from. In particular, we want it to have not completed yet
2175 * (already completing indicates we cannibalized it), and we want it to
2176 * have exactly three hops.
2177 */
2178 int
2180 {
2183 }
2185 /** This is the backbone function for building circuits.
2186 *
2187 * If circ's first hop is closed, then we need to build a create
2188 * cell and send it forward.
2189 *
2190 * Otherwise, we need to build a relay extend cell and send it
2191 * forward.
2192 *
2193 * Return -reason if we want to tear down circ, else return 0.
2194 */
2195 int
2197 {
2212 else
2218 /* We are an OR and we know the right onion key: we should
2219 * send an old slow create cell.
2220 */
2227 }
2230 /* We are not an OR, and we're building the first hop of a circuit to a
2231 * new OR: we can be speedy and use CREATE_FAST to save an RSA operation
2232 * and a DH operation. */
2240 }
2256 /* done building the circuit. whew. */
2264 /*
2265 * If the circuit build time is much greater than we would have cut
2266 * it off at, we probably had a suspend event along this codepath,
2267 * and we should discard the value.
2268 */
2275 /* Only count circuit times if the network is live */
2279 }
2283 }
2284 }
2285 }
2288 /* Don't count cannibalized or onehop circs for path bias */
2307 }
2308 }
2309 }
2313 /* FFFF Log a count of known routers here */
2315 "Tor has successfully opened a circuit. "
2323 }
2324 }
2328 /* We're done with measurement circuits here. Just close them */
2332 }
2337 }
2351 }
2355 /* send it to hop->prev, because it will transfer
2356 * it to a create cell and then send to hop */
2358 RELAY_COMMAND_EXTEND,
2363 }
2365 }
2367 /** Our clock just jumped by <b>seconds_elapsed</b>. Assume
2368 * something has also gone wrong with our network: notify the user,
2369 * and abandon all not-yet-used circuits. */
2370 void
2372 {
2379 seconds_elapsed);
2385 }
2387 /** Take the 'extend' <b>cell</b>, pull out addr/port plus the onion
2388 * skin and identity digest for the next hop. If we're already connected,
2389 * pass the onion skin to the next hop using a create cell; otherwise
2390 * launch a new OR connection, and <b>circ</b> will notice when the
2391 * connection succeeds or fails.
2392 *
2393 * Return -1 if we want to warn and tear down the circuit, else return 0.
2394 */
2395 int
2397 {
2399 relay_header_t rh;
2404 tor_addr_t n_addr;
2412 }
2417 }
2423 }
2432 }
2438 ONIONSKIN_CHALLENGE_LEN;
2445 }
2447 /* Check if they asked us for 0000..0000. We support using
2448 * an empty fingerprint for the first hop (e.g. for a bridge relay),
2449 * but we don't want to let people send us extend cells for empty
2450 * fingerprints -- a) because it opens the user up to a mitm attack,
2451 * and b) because it lets an attacker force the relay to hold open a
2452 * new TLS connection for each extend request. */
2457 }
2459 /* Next, check if we're being asked to connect to the hop that the
2460 * extend cell came from. There isn't any reason for that, and it can
2461 * assist circular-path attacks. */
2463 DIGEST_LEN)) {
2467 }
2479 id_digest,
2488 /* we should try to open a connection */
2494 }
2496 }
2497 /* return success. The onion/circuit/etc will be taken care of
2498 * automatically (may already have been) whenever n_conn reaches
2499 * OR_CONN_STATE_OPEN.
2500 */
2502 }
2512 }
2514 /** Initialize cpath-\>{f|b}_{crypto|digest} from the key material in
2515 * key_data. key_data must contain CPATH_KEY_MATERIAL bytes, which are
2516 * used as follows:
2517 * - 20 to initialize f_digest
2518 * - 20 to initialize b_digest
2519 * - 16 to key f_crypto
2520 * - 16 to key b_crypto
2521 *
2522 * (If 'reverse' is true, then f_XX and b_XX are swapped.)
2523 */
2524 int
2527 {
2545 }
2550 }
2559 }
2562 }
2564 /** The minimum number of first hop completions before we start
2565 * thinking about warning about path bias and dropping guards */
2566 static int
2568 {
2569 #define DFLT_PATH_BIAS_MIN_CIRC 20
2572 else
2574 DFLT_PATH_BIAS_MIN_CIRC,
2576 }
2578 static double
2580 {
2581 #define DFLT_PATH_BIAS_NOTICE_PCT 40
2584 else
2587 }
2589 static double
2591 {
2592 // XXX: This needs tuning based on use + experimentation before we set it
2593 #define DFLT_PATH_BIAS_DISABLE_PCT 0
2596 else
2599 }
2601 static int
2603 {
2604 #define DFLT_PATH_BIAS_SCALE_THRESHOLD 200
2607 else
2610 INT32_MAX);
2611 }
2613 static int
2615 {
2616 #define DFLT_PATH_BIAS_SCALE_FACTOR 4
2619 else
2622 }
2624 /** Increment the number of times we successfully extended a circuit to
2625 * 'guard', first checking if the failure rate is high enough that we should
2626 * eliminate the guard. Return -1 if the guard looks no good; return 0 if the
2627 * guard looks fine. */
2628 static int
2630 {
2636 /* Note: We rely on the < comparison here to allow us to set a 0
2637 * rate and disable the feature entirely. If refactoring, don't
2638 * change to <= */
2643 "Extremely low circuit success rate %u/%u for guard %s=%s. "
2659 }
2660 }
2662 /* If we get a ton of circuits, just scale everything down */
2667 }
2672 }
2674 /** A created or extended cell came back to us on the circuit, and it included
2675 * <b>reply</b> as its body. (If <b>reply_type</b> is CELL_CREATED, the body
2676 * contains (the second DH key, plus KH). If <b>reply_type</b> is
2677 * CELL_CREATED_FAST, the body contains a secret y and a hash H(x|y).)
2678 *
2679 * Calculate the appropriate keys and digests, make sure KH is
2680 * correct, and initialize this hop of the cpath.
2681 *
2682 * Return - reason if we want to mark circ for close, else return 0.
2683 */
2684 int
2687 {
2693 /* Don't count cannibalized or onehop circs for path bias */
2701 /* Bogus guard; we already warned. */
2703 }
2704 }
2705 }
2711 }
2712 }
2720 }
2721 /* Remember hash of g^xy */
2729 }
2734 }
2743 }
2752 }
2754 /** We received a relay truncated cell on circ.
2755 *
2756 * Since we don't ask for truncates currently, getting a truncated
2757 * means that a connection broke or an extend failed. For now,
2758 * just give up: for circ to close, and return 0.
2759 */
2760 int
2762 {
2763 // crypt_path_t *victim;
2764 // connection_t *stream;
2769 /* XXX Since we don't ask for truncates currently, getting a truncated
2770 * means that a connection broke or an extend failed. For now,
2771 * just give up.
2772 */
2777 #if 0
2779 /* we need to clear out layer->next */
2787 /* no need to send 'end' relay cells,
2788 * because the other side's already dead
2789 */
2791 }
2792 }
2796 }
2800 #endif
2801 }
2803 /** Given a response payload and keys, initialize, then send a created
2804 * cell back.
2805 */
2806 int
2809 {
2810 cell_t cell;
2832 }
2842 else
2854 /* record that we could process create cells from a non-local conn
2855 * that we didn't initiate; presumably this means that create cells
2856 * can reach us too. */
2858 }
2861 }
2863 /** Choose a length for a circuit of purpose <b>purpose</b>.
2864 * Default length is 3 + the number of endpoints that would give something
2865 * away. If the routerlist <b>routers</b> doesn't have enough routers
2866 * to handle the desired path length, return as large a path length as
2867 * is feasible, except if it's less than 2, in which case return -1.
2868 */
2869 static int
2872 {
2882 routelen++;
2892 num_acceptable_routers);
2894 }
2900 }
2903 }
2905 /** Return a newly allocated list of uint16_t * for each predicted port not
2906 * handled by a current circuit. */
2909 {
2913 }
2915 /** Return 1 if we already have circuits present or on the way for
2916 * all anticipated ports. Return 0 if we should make more.
2917 *
2918 * If we're returning 0, set need_uptime and need_capacity to
2919 * indicate any requirements that the unhandled ports have.
2920 */
2921 int
2924 {
2931 // Always predict need_capacity
2939 }
2942 }
2944 /** Return 1 if <b>node</b> can handle one or more of the ports in
2945 * <b>needed_ports</b>, else return 0.
2946 */
2947 static int
2954 addr_policy_result_t r;
2955 /* alignment issues aren't a worry for this dereference, since
2956 needed_ports is explicitly a smartlist of uint16_t's */
2961 else
2965 }
2967 }
2969 /** Return true iff <b>conn</b> needs another general circuit to be
2970 * built. */
2971 static int
2973 {
2986 MIN_CIRCUITS_HANDLING_STREAM))
2989 }
2991 /** Return a pointer to a suitable router to be the exit node for the
2992 * general-purpose circuit we're about to build.
2993 *
2994 * Look through the connection array, and choose a router that maximizes
2995 * the number of pending streams that can exit from this router.
2996 *
2997 * Return NULL if we can't find any suitable routers.
2998 */
3001 {
3013 /* Count how many connections are waiting for a circuit to be built.
3014 * We use this for log messages now, but in the future we may depend on it.
3015 */
3017 {
3020 });
3021 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
3022 // n_pending_connections);
3023 /* Now we count, for each of the routers in the directory, how many
3024 * of the pending connections could possibly exit from that
3025 * router (n_supported[i]). (We can't be sure about cases where we
3026 * don't know the IP address of the pending connection.)
3027 *
3028 * -1 means "Don't use this router at all."
3029 */
3036 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
3037 /* XXX there's probably a reverse predecessor attack here, but
3038 * it's slow. should we take this out? -RD
3039 */
3041 }
3045 }
3049 }
3051 /* never pick a non-general node as a random exit. */
3054 }
3058 }
3063 }
3068 * this makes us reject all the possible routers: if so,
3069 * we'll retry later in this function with need_update and
3070 * need_capacity set to 0. */
3071 }
3073 /* if it's invalid and we don't want it */
3075 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- invalid router.",
3076 // router->nickname, i);
3078 }
3083 }
3086 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
3087 // router->nickname, i);
3089 }
3091 /* iterate over connections */
3097 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
3098 // router->nickname, i, n_supported[i]);
3100 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
3101 // router->nickname, i);
3102 }
3105 /* Leave best_support at -1 if that's where it is, so we can
3106 * distinguish it later. */
3108 }
3110 /* If this router is better than previous ones, remember its index
3111 * and goodness, and start counting how many routers are this good. */
3113 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
3114 // router->nickname);
3116 /* If this router is _as good_ as the best one, just increment the
3117 * count of equally good routers.*/
3119 }
3124 n_pending_connections);
3126 /* If any routers definitely support any pending connections, choose one
3127 * at random. */
3134 });
3139 /* Either there are no pending connections, or no routers even seem to
3140 * possibly support any of them. Choose a router at random that satisfies
3141 * at least one predicted exit port. */
3149 "We couldn't find any live%s%s routers; falling back "
3155 }
3159 }
3163 /* try once to pick only from routers that satisfy a needed port,
3164 * then if there are none, pick from any that support exiting. */
3168 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
3169 // try, router->nickname);
3171 }
3178 /* If we reach this point, we can't actually support any unhandled
3179 * predicted ports, so clear all the remaining ones. */
3182 }
3186 }
3192 }
3195 "No specified %sexit routers seem to be running: "
3198 }
3200 }
3202 /** Return a pointer to a suitable router to be the exit node for the
3203 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
3204 * if no router is suitable).
3205 *
3206 * For general-purpose circuits, pass it off to
3207 * choose_good_exit_server_general()
3208 *
3209 * For client-side rendezvous circuits, choose a random node, weighted
3210 * toward the preferences in 'options'.
3211 */
3215 {
3229 else
3235 }
3239 }
3241 /** Log a warning if the user specified an exit for the circuit that
3242 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
3243 static void
3245 {
3255 {
3289 }
3292 /* We should never get here if StrictNodes is set to 1. */
3295 "even though StrictNodes is set. Please report. "
3302 "ExcludeNodes%s, because no better options were available. To "
3303 "prevent this (and possibly break your Tor functionality), "
3304 "set the StrictNodes configuration option. "
3309 }
3311 }
3314 }
3316 /** Decide a suitable length for circ's cpath, and pick an exit
3317 * router (or use <b>exit</b> if provided). Store these in the
3318 * cpath. Return 0 if ok, -1 if circuit should be closed. */
3319 static int
3321 {
3332 }
3346 }
3349 }
3352 }
3354 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
3355 * hop to the cpath reflecting this. Don't send the next extend cell --
3356 * the caller will do this if it wants to.
3357 */
3358 int
3360 {
3373 }
3375 /** Take an open <b>circ</b>, and add a new hop at the end, based on
3376 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
3377 * send the next extend cell to begin connecting to that hop.
3378 */
3379 int
3381 {
3391 }
3393 }
3395 /** Return the number of routers in <b>routers</b> that are currently up
3396 * and available for building circuits through.
3397 */
3398 static int
3400 {
3404 // log_debug(LD_CIRC,
3405 // "Contemplating whether router %d (%s) is a new option.",
3406 // i, r->nickname);
3408 // log_debug(LD_CIRC,"Nope, the directory says %d is not running.",i);
3411 // log_debug(LD_CIRC,"Nope, the directory says %d is not valid.",i);
3415 /* XXX This clause makes us count incorrectly: if AllowInvalidRouters
3416 * allows this node in some places, then we're getting an inaccurate
3417 * count. For now, be conservative and don't count it. But later we
3418 * should try to be smarter. */
3422 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
3425 }
3427 /** Add <b>new_hop</b> to the end of the doubly-linked-list <b>head_ptr</b>.
3428 * This function is used to extend cpath by another hop.
3429 */
3430 void
3432 {
3441 }
3442 }
3444 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
3445 * and <b>state</b> and the cpath <b>head</b> (currently populated only
3446 * to length <b>cur_len</b> to decide a suitable middle hop for a
3447 * circuit. In particular, make sure we don't pick the exit node or its
3448 * family, and make sure we don't duplicate any previous nodes or their
3449 * families. */
3455 {
3469 }
3473 }
3474 }
3485 }
3487 /** Pick a good entry server for the circuit to be built according to
3488 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
3489 * router (if we're an OR), and respect firewall settings; if we're
3490 * configured to use entry guards, return one.
3491 *
3492 * If <b>state</b> is NULL, we're choosing a router to serve as an entry
3493 * guard, not for any particular circuit.
3494 */
3497 {
3506 /* This is request for an entry server to use for a regular circuit,
3507 * and we use entry guard nodes. Just return one of the guard nodes. */
3509 }
3514 /* Exclude the exit node from the state, if we have one. Also exclude its
3515 * family. */
3517 }
3519 /* Exclude all ORs that we can't reach through our firewall */
3524 });
3525 }
3526 /* and exclude current entry guards and their families, if applicable */
3529 {
3532 }
3533 });
3534 }
3541 }
3548 }
3550 /** Return the first non-open hop in cpath, or return NULL if all
3551 * hops are open. */
3554 {
3562 }
3564 /** Choose a suitable next hop in the cpath <b>head_ptr</b>,
3565 * based on <b>state</b>. Append the hop info to head_ptr.
3566 */
3567 static int
3569 {
3579 }
3589 /* If we're extending to a bridge, use the preferred address
3590 rather than the primary, for potentially extending to an IPv6
3591 bridge. */
3596 }
3603 }
3604 }
3610 }
3619 }
3621 /** Create a new hop, annotate it with information about its
3622 * corresponding router <b>choice</b>, and append it to the
3623 * end of the cpath <b>head_ptr</b>. */
3624 static int
3626 {
3629 /* link hop into the cpath, at the end. */
3641 }
3643 /** Allocate a new extend_info object based on the various arguments. */
3644 extend_info_t *
3648 {
3658 }
3660 /** Allocate and return a new extend_info_t that can be used to build
3661 * a circuit to or through the router <b>r</b>. Use the primary
3662 * address of the router unless <b>for_direct_connect</b> is true, in
3663 * which case the preferred address is used instead. */
3664 extend_info_t *
3666 {
3667 tor_addr_port_t ap;
3672 else
3676 }
3678 /** Allocate and return a new extend_info that can be used to build a
3679 * circuit to or through the node <b>node</b>. Use the primary address
3680 * of the node unless <b>for_direct_connect</b> is true, in which case
3681 * the preferred address is used instead. May return NULL if there is
3682 * not enough info about <b>node</b> to extend to it--for example, if
3683 * there is no routerinfo_t or microdesc_t.
3684 **/
3685 extend_info_t *
3687 {
3691 tor_addr_t addr;
3700 }
3701 }
3703 /** Release storage held by an extend_info_t struct. */
3704 void
3706 {
3711 }
3713 /** Allocate and return a new extend_info_t with the same contents as
3714 * <b>info</b>. */
3715 extend_info_t *
3717 {
3724 else
3727 }
3729 /** Return the routerinfo_t for the chosen exit router in <b>state</b>.
3730 * If there is no chosen exit, or if we don't know the routerinfo_t for
3731 * the chosen exit, return NULL.
3732 */
3735 {
3739 }
3741 /** Return the nickname for the chosen exit router in <b>state</b>. If
3742 * there is no chosen exit, or if we don't know the routerinfo_t for the
3743 * chosen exit, return NULL.
3744 */
3747 {
3751 }
3753 /** Check whether the entry guard <b>e</b> is usable, given the directory
3754 * authorities' opinion about the router (stored in <b>ri</b>) and the user's
3755 * configuration (in <b>options</b>). Set <b>e</b>->bad_since
3756 * accordingly. Return true iff the entry guard's status changes.
3757 *
3758 * If it's not usable, set *<b>reason</b> to a static string explaining why.
3759 */
3760 static int
3764 {
3770 /* Do we want to mark this guard as bad? */
3789 /* Router is newly bad. */
3798 /* There's nothing wrong with the router any more. */
3806 }
3808 }
3810 /** Return true iff enough time has passed since we last tried to connect
3811 * to the unreachable guard <b>e</b> that we're willing to try again. */
3812 static int
3814 {
3825 else
3827 }
3829 /** Return the node corresponding to <b>e</b>, if <b>e</b> is
3830 * working well enough that we are willing to use it as an entry
3831 * right now. (Else return NULL.) In particular, it must be
3832 * - Listed as either up or never yet contacted;
3833 * - Present in the routerlist;
3834 * - Listed as 'stable' or 'fast' by the current dirserver consensus,
3835 * if demanded by <b>need_uptime</b> or <b>need_capacity</b>
3836 * (unless it's a configured EntryNode);
3837 * - Allowed by our current ReachableORAddresses config option; and
3838 * - Currently thought to be reachable by us (unless <b>assume_reachable</b>
3839 * is true).
3840 *
3841 * If the answer is no, set *<b>msg</b> to an explanation of why.
3842 */
3846 {
3854 }
3858 }
3859 /* no good if it's unreachable, unless assume_unreachable or can_retry. */
3864 }
3869 }
3874 }
3878 }
3883 }
3884 }
3886 /* they asked for it, they get it */
3888 }
3892 }
3896 }
3898 }
3900 /** Return the number of entry guards that we think are usable. */
3901 static int
3903 {
3909 {
3912 });
3914 }
3916 /** If <b>digest</b> matches the identity of any node in the
3917 * entry_guards list, return that node. Else return NULL. */
3920 {
3924 );
3926 }
3928 /** Dump a description of our list of entry guards to the log at level
3929 * <b>severity</b>. */
3930 static void
3932 {
3937 {
3944 else
3948 msg,
3950 }
3958 }
3960 /** Called when one or more guards that we would previously have used for some
3961 * purpose are no longer in use because a higher-priority guard has become
3962 * usable again. */
3963 static void
3965 {
3966 /* XXXX We don't actually have a good way to figure out _how many_ entries
3967 * are live for some purpose. We need an entry_is_even_slightly_live()
3968 * function for this to work right. NumEntryGuards isn't reliable: if we
3969 * need guards with weird properties, we can have more than that number
3970 * live.
3971 **/
3972 #if 0
3979 {
3984 }
3985 }
3986 });
3987 #endif
3988 }
3990 /** Add a new (preferably stable and fast) router to our
3991 * entry_guards list. Return a pointer to the router if we succeed,
3992 * or NULL if we can't find any more suitable entries.
3993 *
3994 * If <b>chosen</b> is defined, use that one, and if it's not
3995 * already in our entry_guards list, put it at the *beginning*.
3996 * Else, put the one we pick at the end of the list. */
3999 {
4010 }
4012 }
4017 }
4023 /* Choose expiry time smudged over the past month. The goal here
4024 * is to a) spread out when Tor clients rotate their guards, so they
4025 * don't all select them on the same day, and b) avoid leaving a
4026 * precise timestamp in the state file about when we first picked
4027 * this guard. For details, see the Jan 2010 or-dev thread. */
4032 else
4038 }
4040 /** If the use of entry guards is configured, choose more entry guards
4041 * until we have enough in the list. */
4042 static void
4044 {
4053 }
4056 }
4058 /** How long (in seconds) do we allow an entry guard to be nonfunctional,
4059 * unlisted, excluded, or otherwise nonusable before we give up on it? */
4060 #define ENTRY_GUARD_REMOVE_AFTER (30*24*60*60)
4062 /** Release all storage held by <b>e</b>. */
4063 static void
4065 {
4070 }
4072 /** Remove any entry guard which was selected by an unknown version of Tor,
4073 * or which was selected by a version of Tor that's known to select
4074 * entry guards badly, or which was selected more 2 months ago. */
4075 /* XXXX The "obsolete guards" and "chosen long ago guards" things should
4076 * probably be different functions. */
4077 static int
4079 {
4086 tor_version_t v;
4101 /* above are bug 440; below are bug 1217 */
4108 }
4110 }
4112 /* It's been 2 months since the date listed in our state file. */
4115 }
4129 }
4130 }
4133 }
4135 /** Remove all entry guards that have been down or unlisted for so
4136 * long that we don't think they'll come up again. Return 1 if we
4137 * removed any, or 0 if we did nothing. */
4138 static int
4140 {
4164 }
4166 }
4168 /** A new directory or router-status has arrived; update the down/listed
4169 * status of the entry guards.
4170 *
4171 * An entry is 'down' if the directory lists it as nonrunning.
4172 * An entry is 'unlisted' if the directory doesn't include it.
4173 *
4174 * Don't call this on startup; only on a fresh download. Otherwise we'll
4175 * think that things are unlisted.
4176 */
4177 void
4179 {
4191 {
4201 }
4228 }
4231 }
4233 /** Called when a connection to an OR with the identity digest <b>digest</b>
4234 * is established (<b>succeeded</b>==1) or has failed (<b>succeeded</b>==0).
4235 * If the OR is an entry, change that entry's up/down status.
4236 * Return 0 normally, or -1 if we want to tear down the new connection.
4237 *
4238 * If <b>mark_relay_status</b>, also call router_set_status() on this
4239 * relay.
4240 *
4241 * XXX023 change succeeded and mark_relay_status into 'int flags'.
4242 */
4243 int
4246 {
4263 }
4280 }
4284 }
4287 /* We've never connected to this one. */
4289 "Connection to never-contacted entry guard '%s' (%s) failed. "
4313 }
4314 }
4316 /* if the caller asked us to, also update the is_running flags for this
4317 * relay */
4322 /* We've just added a new long-term entry guard. Perhaps the network just
4323 * came back? We should give our earlier entries another try too,
4324 * and close this connection so we don't use it before we've given
4325 * the others a shot. */
4335 }
4336 }
4337 });
4340 "Connected to new entry guard '%s' (%s). Marking earlier "
4346 }
4347 }
4352 }
4354 /** When we try to choose an entry guard, should we parse and add
4355 * config's EntryNodes first? */
4358 /** Called when the value of EntryNodes changes in our configuration. */
4359 void
4361 {
4365 }
4367 /** Adjust the entry guards list so that it only contains entries from
4368 * EntryNodes, adding new entries from EntryNodes to the list as needed. */
4369 static void
4371 {
4379 /* It's possible that a controller set EntryNodes, thus making
4380 * should_add_entry_nodes set, then cleared it again, all before the
4381 * call to choose_random_entry() that triggered us. If so, just return.
4382 */
4384 }
4386 {
4390 }
4398 /* Split entry guards into those on the list and those not. */
4408 else
4410 });
4412 /* Remove all currently configured guard nodes, excluded nodes, unreachable
4413 * nodes, or non-Guard nodes from entry_nodes. */
4427 }
4430 /* Now build the new entry_guards list. */
4432 /* First, the previously configured guards that are in EntryNodes. */
4434 /* Next, scramble the rest of EntryNodes, putting the guards first. */
4439 /* Next, the rest of EntryNodes */
4446 /* Finally, free the remaining previously configured guards that are not in
4447 * EntryNodes. */
4457 }
4459 /** Return 0 if we're fine adding arbitrary routers out of the
4460 * directory to our entry guard list, or return 1 if we have a
4461 * list already and we must stick to it.
4462 */
4463 int
4465 {
4471 }
4473 /** Pick a live (up and listed) entry guard from entry_guards. If
4474 * <b>state</b> is non-NULL, this is for a specific circuit --
4475 * make sure not to pick this circuit's exit or any node in the
4476 * exit's family. If <b>state</b> is NULL, we're looking for a random
4477 * guard (likely a bridge). */
4480 {
4494 }
4506 retry:
4520 /* We've come to the end of our preferred entry nodes. */
4524 /* in theory this case should never happen, since
4525 * entry_guards_set_from_config() drops unwanted relays */
4530 }
4531 }
4532 #endif
4535 /* Always start with the first not-yet-contacted entry
4536 * guard. Otherwise we might add several new ones, pick
4537 * the second new one, and now we've expanded our entry
4538 * guard list without needing to. */
4540 }
4546 /* If we prefer the entry nodes we've got, and we have at least
4547 * one choice, that's great. Use it. */
4550 /* Try to have at least 2 choices available. This way we don't
4551 * get stuck with a single live-but-crummy entry and just keep
4552 * using him.
4553 * (We might get 2 live-but-crummy entry guards, but so be it.) */
4555 }
4559 /* still no? try adding a new entry then */
4560 /* XXX if guard doesn't imply fast and stable, then we need
4561 * to tell add_an_entry_guard below what we want, or it might
4562 * be a long time til we get it. -RD */
4566 /* XXX we start over here in case the new node we added shares
4567 * a family with our exit node. There's a chance that we'll just
4568 * load up on entry guards here, if the network we're using is
4569 * one big family. Perhaps we should teach add_an_entry_guard()
4570 * to understand nodes-to-avoid-if-possible? -RD */
4572 }
4573 }
4577 }
4579 /* still no? last attempt, try without requiring capacity */
4582 }
4583 #if 0
4584 /* Removing this retry logic: if we only allow one exit, and it is in the
4585 same family as all our entries, then we are just plain not going to win
4586 here. */
4588 /* still no? if we're using bridges or have strictentrynodes
4589 * set, and our chosen exit is in the same family as all our
4590 * bridges/entry guards, then be flexible about families. */
4593 }
4594 #endif
4595 /* live_entry_guards may be empty below. Oh well, we tried. */
4596 }
4598 choose_and_finish:
4600 /* We need to weight by bandwidth, because our bridges or entryguards
4601 * were not already selected proportional to their bandwidth. */
4604 /* We choose uniformly at random here, because choose_good_entry_server()
4605 * already weights its choices by bandwidth, so we don't want to
4606 * *double*-weight our guard selection. */
4608 }
4612 }
4614 /** Parse <b>state</b> and learn about the entry guards it describes.
4615 * If <b>set</b> is true, and there are no errors, replace the global
4616 * entry_list with what we find.
4617 * On success, return 0. On failure, alloc into *<b>msg</b> a string
4618 * describing the error, and return -1.
4619 */
4620 int
4622 {
4635 /* all entry guards on disk have been contacted */
4652 }
4653 }
4666 }
4671 }
4673 /* It's a bad idea to believe info in the future: you can wind
4674 * up with timeouts that aren't allowed to happen for years. */
4676 }
4678 /* ignore failure */
4680 }
4686 }
4689 /* format is digest version date */
4693 }
4699 }
4709 }
4715 /* Note: We rely on the < comparison here to allow us to set a 0
4716 * rate and disable the feature entirely. If refactoring, don't
4717 * change to <= */
4724 }
4728 }
4729 }
4732 {
4743 }
4748 }
4749 }
4752 });
4763 }
4766 /* XXX023 hand new_entry_guards to this func, and move it up a
4767 * few lines, so we don't have to re-dirty it */
4770 }
4773 }
4775 /** Our list of entry guards has changed, or some element of one
4776 * of our entry guards has changed. Write the changes to disk within
4777 * the next few minutes.
4778 */
4779 static void
4781 {
4785 /* or_state_save() will call entry_guards_update_state(). */
4788 }
4790 /** If the entry guard info has not changed, do nothing and return.
4791 * Otherwise, free the EntryGuards piece of <b>state</b> and create
4792 * a new one out of the global entry_guards list, and then mark
4793 * <b>state</b> dirty so it will get saved to disk.
4794 */
4795 void
4797 {
4808 {
4825 }
4827 }
4834 }
4846 }
4853 }
4855 });
4859 }
4861 /** If <b>question</b> is the string "entry-guards", then dump
4862 * to *<b>answer</b> a newly allocated string describing all of
4863 * the nodes in the global entry_guards list. See control-spec.txt
4864 * for details.
4865 * For backward compatibility, we also handle the string "helper-nodes".
4866 * */
4867 int
4871 {
4894 }
4902 /* e->nickname field is not very reliable if we don't know about
4903 * this router any longer; don't include it. */
4904 }
4911 }
4916 }
4918 }
4920 /** A list of configured bridges. Whenever we actually get a descriptor
4921 * for one, we add it as an entry guard. Note that the order of bridges
4922 * in this list does not necessarily correspond to the order of bridges
4923 * in the torrc. */
4926 /** Mark every entry of the bridge list to be removed on our next call to
4927 * sweep_bridge_list unless it has first been un-marked. */
4928 void
4930 {
4935 }
4937 /** Remove every entry of the bridge list that was marked with
4938 * mark_bridge_list if it has not subsequently been un-marked. */
4939 void
4941 {
4948 }
4950 }
4952 /** Initialize the bridge list to empty, creating it if needed. */
4953 static void
4955 {
4960 }
4962 /** Free the bridge <b>bridge</b>. */
4963 static void
4965 {
4971 }
4973 /** A list of pluggable transports found in torrc. */
4976 /** Mark every entry of the transport list to be removed on our next call to
4977 * sweep_transport_list unless it has first been un-marked. */
4978 void
4980 {
4985 }
4987 /** Remove every entry of the transport list that was marked with
4988 * mark_transport_list if it has not subsequently been un-marked. */
4989 void
4991 {
4998 }
5000 }
5002 /** Initialize the pluggable transports list to empty, creating it if
5003 * needed. */
5004 void
5006 {
5011 }
5013 /** Free the pluggable transport struct <b>transport</b>. */
5014 void
5016 {
5022 }
5024 /** Returns the transport in our transport list that has the name <b>name</b>.
5025 * Else returns NULL. */
5026 transport_t *
5028 {
5040 }
5042 /** Returns a transport_t struct for a transport proxy supporting the
5043 protocol <b>name</b> listening at <b>addr</b>:<b>port</b> using
5044 SOCKS version <b>socks_ver</b>. */
5045 transport_t *
5048 {
5057 }
5059 /** Resolve any conflicts that the insertion of transport <b>t</b>
5060 * might cause.
5061 * Return 0 if <b>t</b> is OK and should be registered, 1 if there is
5062 * a transport identical to <b>t</b> already registered and -1 if
5063 * <b>t</b> cannot be added due to conflicts. */
5064 static int
5066 {
5067 /* This is how we resolve transport conflicts:
5069 If there is already a transport with the same name and addrport,
5070 we either have duplicate torrc lines OR we are here post-HUP and
5071 this transport was here pre-HUP as well. In any case, mark the
5072 old transport so that it doesn't get removed and ignore the new
5073 one. Our caller has to free the new transport so we return '1' to
5074 signify this.
5076 If there is already a transport with the same name but different
5077 addrport:
5078 * if it's marked for removal, it means that it either has a lower
5079 priority than 't' in torrc (otherwise the mark would have been
5080 cleared by the paragraph above), or it doesn't exist at all in
5081 the post-HUP torrc. We destroy the old transport and register 't'.
5082 * if it's *not* marked for removal, it means that it was newly
5083 added in the post-HUP torrc or that it's of higher priority, in
5084 this case we ignore 't'. */
5088 /* same name *and* addrport */
5094 "but there was already a transport marked for deletion at "
5095 "'%s:%u'. We deleted the old transport and registered the "
5102 "but the same transport already exists at '%s:%u'. "
5106 }
5107 }
5108 }
5111 }
5113 /** Add transport <b>t</b> to the internal list of pluggable
5114 * transports.
5115 * Returns 0 if the transport was added correctly, 1 if the same
5116 * transport was already registered (in this case the caller must
5117 * free the transport) and -1 if there was an error. */
5118 int
5120 {
5134 }
5135 }
5137 /** Remember a new pluggable transport proxy at <b>addr</b>:<b>port</b>.
5138 * <b>name</b> is set to the name of the protocol this proxy uses.
5139 * <b>socks_ver</b> is set to the SOCKS version of the proxy. */
5140 int
5143 {
5164 }
5165 }
5167 /** Return a bridge pointer if <b>ri</b> is one of our known bridges
5168 * (either by comparing keys if possible, else by comparing addr/port).
5169 * Else return NULL. */
5174 {
5178 {
5185 }
5188 }
5190 /** Wrapper around get_configured_bridge_by_addr_port_digest() to look
5191 * it up via router descriptor <b>ri</b>. */
5194 {
5195 tor_addr_port_t ap;
5200 }
5202 /** Return 1 if <b>ri</b> is one of our known bridges, else 0. */
5203 int
5205 {
5207 }
5209 /** Return 1 if <b>node</b> is one of our configured bridges, else 0. */
5210 int
5212 {
5228 }
5231 out:
5236 }
5238 }
5240 /** We made a connection to a router at <b>addr</b>:<b>port</b>
5241 * without knowing its digest. Its digest turned out to be <b>digest</b>.
5242 * If it was a bridge, and we still don't know its digest, record it.
5243 */
5244 void
5247 {
5254 }
5255 }
5257 /** Return true if <b>bridge</b> has the same identity digest as
5258 * <b>digest</b>. If <b>digest</b> is NULL, it matches
5259 * bridges with unspecified identity digests. */
5260 static int
5262 {
5265 else
5267 }
5269 /** We are about to add a new bridge at <b>addr</b>:<b>port</b>, with optional
5270 * <b>digest</b> and <b>transport_name</b>. Mark for removal any previously
5271 * existing bridge with the same address and port, and warn the user as
5272 * appropriate.
5273 */
5274 static void
5277 {
5278 /* Iterate the already-registered bridge list:
5280 If you find a bridge with the same adress and port, mark it for
5281 removal. It doesn't make sense to have two active bridges with
5282 the same IP:PORT. If the bridge in question has a different
5283 digest or transport than <b>digest</b>/<b>transport_name</b>,
5284 it's probably a misconfiguration and we should warn the user.
5285 */
5296 /* warn the user */
5309 " with the already registered bridge '%s'. We will discard"
5310 " the old bridge and keep '%s'. If this is not what you"
5313 bridge_description_new);
5317 }
5318 }
5320 }
5322 /** Remember a new bridge at <b>addr</b>:<b>port</b>. If <b>digest</b>
5323 * is set, it tells us the identity key too. If we already had the
5324 * bridge in our list, unmark it, and don't actually add anything new.
5325 * If <b>transport_name</b> is non-NULL - the bridge is associated with a
5326 * pluggable transport - we assign the transport to the bridge. */
5327 void
5330 {
5347 }
5349 /** Return true iff <b>routerset</b> contains the bridge <b>bridge</b>. */
5350 static int
5353 {
5365 }
5367 /** If <b>digest</b> is one of our known bridges, return it. */
5370 {
5372 {
5375 });
5377 }
5379 /* DOCDOC find_transport_name_by_bridge_addrport */
5382 {
5393 }
5395 /** If <b>addr</b> and <b>port</b> match the address and port of a
5396 * bridge of ours that uses pluggable transports, place its transport
5397 * in <b>transport</b>.
5398 *
5399 * Return 0 on success (found a transport, or found a bridge with no
5400 * transport, or found no bridge); return -1 if we should be using a
5401 * transport, but the transport could not be found.
5402 */
5403 int
5406 {
5417 the transport could not be found! */
5419 }
5423 }
5424 }
5429 }
5431 /** We need to ask <b>bridge</b> for its server descriptor. */
5432 static void
5434 {
5440 DIR_PURPOSE_FETCH_SERVERDESC))
5448 }
5456 DIR_PURPOSE_FETCH_SERVERDESC,
5457 ROUTER_PURPOSE_BRIDGE,
5460 }
5462 /** Fetching the bridge descriptor from the bridge authority returned a
5463 * "not found". Fall back to trying a direct fetch. */
5464 void
5466 {
5472 }
5474 /** For each bridge in our list for which we don't currently have a
5475 * descriptor, fetch a new copy of its descriptor -- either directly
5476 * from the bridge or via a bridge authority. */
5477 void
5479 {
5487 /* If we still have unconfigured managed proxies, don't go and
5488 connect to a bridge. */
5493 {
5495 IMPOSSIBLE_TO_DOWNLOAD))
5502 }
5504 /* schedule another fetch as if this one will fail, in case it does */
5508 num_bridge_auths;
5520 can_use_bridge_authority ?
5524 else
5526 }
5529 /* we need to ask the bridge itself for its descriptor. */
5532 /* We have a digest and we want to ask an authority. We could
5533 * combine all the requests into one, but that may give more
5534 * hints to the bridge authority than we want to give. */
5541 resource);
5544 }
5545 }
5547 }
5549 /** If our <b>bridge</b> is configured to be a different address than
5550 * the bridge gives in <b>node</b>, rewrite the routerinfo
5551 * we received to use the address we meant to use. Now we handle
5552 * multihomed bridges better.
5553 */
5554 static void
5556 {
5557 /* XXXX move this function. */
5558 /* XXXX overridden addresses should really live in the node_t, so that the
5559 * routerinfo_t and the microdesc_t can be immutable. But we can only
5560 * do that safely if we know that no function that connects to an OR
5561 * does so through an address from any source other than node_get_addr().
5562 */
5563 tor_addr_t addr;
5573 /* they match, so no need to do anything */
5581 "Adjusted bridge routerinfo for '%s' to match configured "
5588 "Adjusted bridge routerinfo for '%s' to match configured "
5595 }
5596 }
5598 /* Indicate that we prefer connecting to this bridge over the
5599 protocol that the bridge address indicates. Last bridge
5600 descriptor handled wins. */
5603 /* XXXipv6 we lack support for falling back to another address for
5604 the same relay, warn the user */
5606 {
5607 tor_addr_port_t ap;
5610 "Bridge '%s' has both an IPv4 and an IPv6 address. "
5615 }
5616 }
5623 /* they match, so no need to do anything */
5628 "Adjusted bridge routerstatus for '%s' to match "
5631 }
5632 }
5633 }
5635 /** We just learned a descriptor for a bridge. See if that
5636 * digest is in our entry guard list, and add it if not. */
5637 void
5639 {
5650 /* it's here; schedule its re-fetch for a long time from now. */
5661 /* set entry->made_contact so if it goes down we don't drop it from
5662 * our entry node list */
5667 }
5668 }
5669 }
5671 /** Return 1 if any of our entry guards have descriptors that
5672 * are marked with purpose 'bridge' and are running. Else return 0.
5673 *
5674 * We use this function to decide if we're ready to start building
5675 * circuits through our bridges, or if we need to wait until the
5676 * directory "server/authority" requests finish. */
5677 int
5679 {
5682 }
5684 /** Return 1 if there are any directory conns fetching bridge descriptors
5685 * that aren't marked for close. We use this to guess if we should tell
5686 * the controller that we have a problem. */
5687 int
5689 {
5692 {
5701 }
5702 });
5704 }
5706 /** Return 1 if we have at least one descriptor for an entry guard
5707 * (bridge or member of EntryNodes) and all descriptors we know are
5708 * down. Else return 0. If <b>act</b> is 1, then mark the down guards
5709 * up; else just observe and report. */
5710 static int
5712 {
5727 /* Mark all current connections to this OR as unhealthy, since
5728 * otherwise there could be one that started 30 seconds
5729 * ago, and in 30 seconds it will time out, causing us to mark
5730 * the node down and undermine the retry attempt. We mark even
5731 * the established conns, since if the network just came back
5732 * we'll want to attach circuits to fresh conns. */
5735 /* mark this entry node for retry */
5739 }
5740 }
5745 }
5747 /** Do we know any descriptors for our bridges / entrynodes, and are
5748 * all the ones we have descriptors for down? */
5749 int
5751 {
5754 }
5756 /** Mark all down known bridges / entrynodes up. */
5757 void
5759 {
5762 }
5764 /** Return true if we've ever had a bridge running a Tor version that can't
5765 * provide microdescriptors to us. In that case fall back to asking for
5766 * full descriptors. Eventually all bridges will support microdescriptors
5767 * and we can take this check out; see bug 4013. */
5768 int
5770 {
5782 /* This is one of our current bridges, and we know enough about
5783 * it to know that it won't be able to answer our microdescriptor
5784 * questions. */
5787 }
5790 }
5792 /** Release all storage held by the list of entry guards and related
5793 * memory structs. */
5794 void
5796 {
5802 }
5809 }