| blob | a1b8ba78ab2e12aa5ff62371461cab6333b40232 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2020, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circuitbuild.c
9 *
10 * \brief Implements the details of building circuits (by chosing paths,
11 * constructing/sending create/extend cells, and so on).
12 *
13 * On the client side, this module handles launching circuits. Circuit
14 * launches are srtarted from circuit_establish_circuit(), called from
15 * circuit_launch_by_extend_info()). To choose the path the circuit will
16 * take, onion_extend_cpath() calls into a maze of node selection functions.
17 *
18 * Once the circuit is ready to be launched, the first hop is treated as a
19 * special case with circuit_handle_first_hop(), since it might need to open a
20 * channel. As the channel opens, and later as CREATED and RELAY_EXTENDED
21 * cells arrive, the client will invoke circuit_send_next_onion_skin() to send
22 * CREATE or RELAY_EXTEND cells.
23 *
24 * The server side is handled in feature/relay/circuitbuild_relay.c.
25 **/
27 #define CIRCUITBUILD_PRIVATE
28 #define OCIRC_EVENT_PRIVATE
94 /** This function tries to get a channel to the specified endpoint,
95 * and then calls command_setup_channel() to give it the right
96 * callbacks.
97 */
102 {
109 }
111 /** Search for a value for circ_id that we can use on <b>chan</b> for an
112 * outbound circuit, until we get a circ_id that is not in use by any other
113 * circuit on that conn.
114 *
115 * Return it, or 0 if can't get a unique circ_id.
116 */
117 STATIC circid_t
119 {
120 /* This number is chosen somewhat arbitrarily; see comment below for more
121 * info. When the space is 80% full, it gives a one-in-a-million failure
122 * chance; when the space is 90% full, it gives a one-in-850 chance; and when
123 * the space is 95% full, it gives a one-in-26 failure chance. That seems
124 * okay, though you could make a case IMO for anything between N=32 and
125 * N=256. */
126 #define MAX_CIRCID_ATTEMPTS 64
129 circid_t test_circ_id;
139 "Trying to pick a circuit ID for a connection from "
142 }
148 /* Make sure we don't loop forever because all circuit IDs are used.
149 *
150 * Once, we would try until we had tried every possible circuit ID. But
151 * that's quite expensive. Instead, we try MAX_CIRCID_ATTEMPTS random
152 * circuit IDs, and then give up.
153 *
154 * This potentially causes us to give up early if our circuit ID space
155 * is nearly full. If we have N circuit IDs in use, then we will reject
156 * a new circuit with probability (N / max_range) ^ MAX_CIRCID_ATTEMPTS.
157 * This means that in practice, a few percent of our circuit ID capacity
158 * will go unused.
159 *
160 * The alternative here, though, is to do a linear search over the
161 * whole circuit ID space every time we extend a circuit, which is
162 * not so great either.
163 */
172 "circID support, with %u inbound and %u outbound circuits. "
173 "Found %u circuit IDs in use by circuits, and %u with "
174 "pending destroy cells. (%u of those were marked bogusly.) "
175 "The ones with pending destroy cells "
176 "have been marked unusable for an average of %ld seconds "
177 "and a maximum of %ld seconds. This channel is %ld seconds "
185 m);
189 /* This warning should be impossible. */
192 }
194 /* analysis so far on 12184 suggests that we're running out of circuit
195 IDs because it looks like we have too many pending destroy
196 cells. Let's see how many we really have pending.
197 */
202 "of which %u are active. It says it has %"PRId64
208 /* Change this into "if (1)" in order to get more information about
209 * possible failure modes here. You'll need to know how to use gdb with
210 * Tor: this will make Tor exit with an assertion failure if the cmux is
211 * corrupt. */
218 }
233 since_when =
242 }
243 }
246 }
248 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
249 * the currently built elements of <b>circ</b>. If <b>verbose</b> is true, also
250 * list information about link status in a more verbose format using spaces.
251 * If <b>verbose_names</b> is false, give hex digests; if <b>verbose_names</b>
252 * is true, use $DIGEST=Name style names.
253 */
256 {
273 }
300 }
305 }
313 }
321 }
323 /** If <b>verbose</b> is false, allocate and return a comma-separated
324 * list of the currently built elements of <b>circ</b>. If
325 * <b>verbose</b> is true, also list information about link status in
326 * a more verbose format using spaces.
327 */
330 {
332 }
334 /** Allocate and return a comma-separated list of the currently built elements
335 * of <b>circ</b>, giving each as a verbose nickname.
336 */
339 {
341 }
343 /** Log, at severity <b>severity</b>, the nicknames of each router in
344 * <b>circ</b>'s cpath. Also log the length of the cpath, and the intended
345 * exit point.
346 */
347 void
349 {
353 }
355 /** Return 1 iff every node in circ's cpath definitely supports ntor. */
356 static int
358 {
363 /* if the extend_info is missing, we can't tell if it supports ntor */
366 }
368 /* if the key is blank, it definitely doesn't support ntor */
371 }
376 }
378 /** Pick all the entries in our cpath. Stop and return 0 when we're
379 * happy, or return -1 if an error occurs. */
380 static int
382 {
385 /* onion_extend_cpath assumes these are non-NULL */
394 }
395 }
397 /* The path is complete */
400 /* Does every node in this path support ntor? */
403 /* We would like every path to support ntor, but we have to allow for some
404 * edge cases. */
407 /* Circuits from clients to intro points, and hidden services to rend
408 * points do not support ntor, because the hidden service protocol does
409 * not include ntor onion keys. This is also true for Single Onion
410 * Services. */
412 }
415 /* Allow for bootstrapping: when we're fetching directly from a fallback,
416 * authority, or bridge, we have no way of knowing its ntor onion key
417 * before we connect to it. So instead, we try connecting, and end up using
418 * CREATE_FAST. */
423 /* If we don't know the node and its descriptor, we must be bootstrapping.
424 */
427 }
428 }
431 /* If we're building a multi-hop path, and it's not one of the HS or
432 * bootstrapping exceptions, and it doesn't support ntor, something has
433 * gone wrong. */
435 }
438 }
440 /** Create and return a new origin circuit. Initialize its purpose and
441 * build-state based on our arguments. The <b>flags</b> argument is a
442 * bitfield of CIRCLAUNCH_* flags. */
443 origin_circuit_t *
445 {
446 /* sets circ->p_circ_id and circ->p_chan */
460 }
462 /** Build a new circuit for <b>purpose</b>. If <b>exit</b>
463 * is defined, then use that as your exit router, else choose a suitable
464 * exit node.
465 *
466 * Also launch a connection to the first OR in the chosen path, if
467 * it's not open already.
468 */
469 origin_circuit_t *
471 {
478 }
486 }
493 }
495 }
497 /** Return the guard state associated with <b>circ</b>, which may be NULL. */
498 circuit_guard_state_t *
500 {
502 }
504 /**
505 * Helper function to publish a channel association message
506 *
507 * circuit_handle_first_hop() calls this to notify subscribers about a
508 * channel launch event, which associates a circuit with a channel.
509 * This doesn't always correspond to an assignment of the circuit's
510 * n_chan field, because that seems to be only for fully-open
511 * channels.
512 **/
513 static void
515 {
523 }
525 /** Start establishing the first hop of our circuit. Figure out what
526 * OR we should connect to, and if necessary start the connection to
527 * it. If we're already connected, then send the 'create' cell.
528 * Return 0 for ok, -reason if circ should be marked-for-close. */
529 int
531 {
543 /* Some bridges are on private addresses. Others pass a dummy private
544 * address to the pluggable transport, which ignores it.
545 * Deny the connection if:
546 * - the address is internal, and
547 * - we're not connecting to a configured bridge, and
548 * - we're not configured to allow extends to private addresses. */
555 }
557 /* now see if we're already connected to the first OR in 'route' */
562 /* We'll cleanup this code in #33220, when we add an IPv6 address to
563 * extend_info_t. */
575 /* not currently connected in a useful way. */
590 }
592 }
595 /* return success. The onion/circuit/etc will be taken care of
596 * automatically (may already have been) whenever n_chan reaches
597 * OR_CONN_STATE_OPEN.
598 */
609 }
610 }
612 }
614 /** Find any circuits that are waiting on <b>or_conn</b> to become
615 * open and get them to send their create cells forward.
616 *
617 * Status is 1 if connect succeeded, or 0 if connect failed.
618 *
619 * Close_origin_circuits is 1 if we should close all the origin circuits
620 * through this channel, or 0 otherwise. (This happens when we want to retry
621 * an older guard.)
622 */
623 void
625 {
638 {
639 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
640 * leaving them in in case it's possible for the status of a circuit to
641 * change as we're going down the list. */
647 /* Look at addr/port. This is an unkeyed connection. */
651 /* We expected a key. See if it's the right one. */
655 }
660 }
665 }
667 /* circuit_deliver_create_cell will set n_circ_id and add us to
668 * chan_circuid_circuit_map, so we don't need to call
669 * set_circid_chan here. */
681 /* XXX could this be bad, eg if next_onion_skin failed because conn
682 * died? */
683 }
685 /* pull the create cell out of circ->n_chan_create_cell, and send it */
690 }
693 }
694 }
698 }
700 /** Find a new circid that isn't currently in use on the circ->n_chan
701 * for the outgoing
702 * circuit <b>circ</b>, and deliver the cell <b>create_cell</b> to this
703 * circuit. If <b>relayed</b> is true, this is a create cell somebody
704 * gave us via an EXTEND cell, so we shouldn't worry if we don't understand
705 * it. Return -1 if we failed to find a suitable circid, else return 0.
706 */
711 {
712 cell_t cell;
713 circid_t id;
729 }
739 }
748 /* Update began timestamp for circuits starting their first hop */
752 "Got first hop for a circuit without an opened channel. "
755 }
758 }
760 /* mark it so it gets better rate limiting treatment. */
762 }
765 error:
768 }
770 /** Return true iff we should send a create_fast cell to start building a given
771 * circuit */
774 {
780 /* We don't have ntor, and we don't have or can't use TAP,
781 * so our hand is forced: only a create_fast will work. */
783 }
785 /* We're a server, and we have a usable onion key. We can choose.
786 * Prefer to blend our circuit into the other circuits we are
787 * creating on behalf of others. */
789 }
791 }
793 /**
794 * Return true if <b>circ</b> is the type of circuit we want to count
795 * timeouts from.
796 *
797 * In particular, we want to consider any circuit that plans to build
798 * at least 3 hops (but maybe more), but has 3 or fewer hops built
799 * so far.
800 *
801 * We still want to consider circuits before 3 hops, because we need
802 * to decide if we should convert them to a measurement circuit in
803 * circuit_build_times_handle_completed_hop(), rather than letting
804 * slow circuits get killed right away.
805 */
806 int
808 {
812 }
814 /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b>
815 * directly, and set *<b>cell_type_out</b> and *<b>handshake_type_out</b>
816 * accordingly.
817 * Note that TAP handshakes in CREATE cells are only used for direct
818 * connections:
819 * - from Single Onions to rend points not in the service's consensus.
820 * This is checked in onion_populate_cpath. */
821 static void
825 {
826 /* torspec says: In general, clients SHOULD use CREATE whenever they are
827 * using the TAP handshake, and CREATE2 otherwise. */
832 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
835 }
836 }
838 /** Decide whether to use a TAP or ntor handshake for extending to <b>ei</b>
839 * and set *<b>handshake_type_out</b> accordingly. Decide whether we should
840 * use an EXTEND2 or an EXTEND cell to do so, and set *<b>cell_type_out</b>
841 * and *<b>create_cell_type_out</b> accordingly.
842 * Note that TAP handshakes in EXTEND cells are only used:
843 * - from clients to intro points, and
844 * - from hidden services to rend points.
845 * This is checked in onion_populate_cpath.
846 */
847 static void
852 {
856 /* torspec says: Clients SHOULD use the EXTEND format whenever sending a TAP
857 * handshake... In other cases, clients SHOULD use EXTEND2. */
862 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
865 }
866 }
868 /**
869 * Return true iff <b>purpose</b> is a purpose for a circuit which is
870 * allowed to have no guard configured, even if the circuit is multihop
871 * and guards are enabled.
872 */
873 static int
875 {
879 /* Testing circuits may omit guards because they're measuring
880 * liveness or performance, and don't want guards to interfere. */
883 /* All other multihop circuits should use guards if guards are
884 * enabled. */
886 }
887 }
889 /** This is the backbone function for building circuits.
890 *
891 * If circ's first hop is closed, then we need to build a create
892 * cell and send it forward.
893 *
894 * Otherwise, if circ's cpath still has any non-open hops, we need to
895 * build a relay extend cell and send it forward to the next non-open hop.
896 *
897 * If all hops on the cpath are open, we're done building the circuit
898 * and we should do housekeeping for the newly opened circuit.
899 *
900 * Return -reason if we want to tear down circ, else return 0.
901 */
902 int
904 {
908 /* Case one: we're on the first hop. */
910 }
921 /* Case two: we're on a hop after the first. */
923 }
925 /* Case three: the circuit is finished. Do housekeeping tasks on it. */
928 }
930 /**
931 * Called from circuit_send_next_onion_skin() when we find ourselves connected
932 * to the first hop in <b>circ</b>: Send a CREATE or CREATE2 or CREATE_FAST
933 * cell to that hop. Return 0 on success; -reason on failure (if the circuit
934 * should be torn down).
935 */
936 static int
938 {
942 create_cell_t cc;
952 /* If this is not a one-hop tunnel, the channel is being used
953 * for traffic that wants anonymity and protection from traffic
954 * analysis (such as netflow record retention). That means we want
955 * to pad it.
956 */
959 }
964 /* We know the right onion key: we should send a create cell. */
968 /* We don't know an onion key, so we need to fall back to CREATE_FAST. */
971 }
980 }
992 }
994 /**
995 * Called from circuit_send_next_onion_skin() when we find that we have no
996 * more hops: mark the circuit as finished, and perform the necessary
997 * bookkeeping. Return 0 on success; -reason on failure (if the circuit
998 * should be torn down).
999 */
1000 static int
1002 {
1003 guard_usable_t r;
1011 }
1015 }
1020 // Wait till either a better guard succeeds, or till
1021 // all better guards fail.
1026 }
1028 /* XXXX #21422 -- the rest of this branch needs careful thought!
1029 * Some of the things here need to happen when a circuit becomes
1030 * mechanically open; some need to happen when it is actually usable.
1031 * I think I got them right, but more checking would be wise. -NM
1032 */
1039 }
1048 /* FFFF Log a count of known routers here */
1050 "Tor has successfully opened a circuit. "
1058 }
1059 }
1061 /* We're done with measurement circuits here. Just close them */
1064 }
1066 }
1068 /**
1069 * Called from circuit_send_next_onion_skin() when we find that we have a hop
1070 * other than the first that we need to extend to: use <b>hop</b>'s
1071 * information to extend the circuit another step. Return 0 on success;
1072 * -reason on failure (if the circuit should be torn down).
1073 */
1074 static int
1077 {
1079 extend_cell_t ec;
1087 }
1098 /* Set the ED25519 identity too -- it will only get included
1099 * in the extend2 cell if we're configured to use it, though. */
1109 }
1113 {
1120 }
1122 /* send it to hop->prev, because that relay will transfer
1123 * it to a create cell and then send to hop */
1125 command,
1129 }
1132 }
1134 /** Our clock just jumped by <b>seconds_elapsed</b>. If <b>was_idle</b> is
1135 * true, then the monotonic time matches; otherwise it doesn't. Assume
1136 * something has also gone wrong with our network: notify the user, and
1137 * abandon all not-yet-used circuits. */
1138 void
1140 {
1150 (
1153 }
1157 /* so we log when it works again */
1164 /* Restart all the timers in case we jumped a long way into the past. */
1166 }
1167 }
1169 /** A "created" cell <b>reply</b> came back to us on circuit <b>circ</b>.
1170 * (The body of <b>reply</b> varies depending on what sort of handshake
1171 * this is.)
1172 *
1173 * Calculate the appropriate keys and digests, make sure KH is
1174 * correct, and initialize this hop of the cpath.
1175 *
1176 * Return - reason if we want to mark circ for close, else return 0.
1177 */
1178 int
1181 {
1189 }
1198 }
1199 }
1202 {
1213 }
1214 }
1220 }
1228 }
1230 /** We received a relay truncated cell on circ.
1231 *
1232 * Since we don't send truncates currently, getting a truncated
1233 * means that a connection broke or an extend failed. For now,
1234 * just give up: force circ to close, and return 0.
1235 */
1236 int
1238 {
1239 // crypt_path_t *victim;
1240 // connection_t *stream;
1244 /* XXX Since we don't send truncates currently, getting a truncated
1245 * means that a connection broke or an extend failed. For now,
1246 * just give up.
1247 */
1252 #if 0
1254 /* we need to clear out layer->next */
1262 /* no need to send 'end' relay cells,
1263 * because the other side's already dead
1264 */
1266 }
1267 }
1271 }
1276 }
1278 /** Helper for new_route_len(). Choose a circuit length for purpose
1279 * <b>purpose</b>: DEFAULT_ROUTE_LEN (+ 1 if someone else chose the
1280 * exit). If someone else chose the exit, they could be colluding
1281 * with the exit, so add a randomly selected node to preserve
1282 * anonymity.
1283 *
1284 * Here, "exit node" sometimes means an OR acting as an internal
1285 * endpoint, rather than as a relay to an external endpoint. This
1286 * means there need to be at least DEFAULT_ROUTE_LEN routers between
1287 * us and the internal endpoint to preserve the same anonymity
1288 * properties that we would get when connecting to an external
1289 * endpoint. These internal endpoints can include:
1290 *
1291 * - Connections to a directory of hidden services
1292 * (CIRCUIT_PURPOSE_C_GENERAL)
1293 *
1294 * - A client connecting to an introduction point, which the hidden
1295 * service picked (CIRCUIT_PURPOSE_C_INTRODUCING, via
1296 * circuit_get_open_circ_or_launch() which rewrites it from
1297 * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT)
1298 *
1299 * - A hidden service connecting to a rendezvous point, which the
1300 * client picked (CIRCUIT_PURPOSE_S_CONNECT_REND, via
1301 * rend_service_receive_introduction() and
1302 * rend_service_relaunch_rendezvous)
1303 *
1304 * There are currently two situations where we picked the exit node
1305 * ourselves, making DEFAULT_ROUTE_LEN a safe circuit length:
1306 *
1307 * - We are a hidden service connecting to an introduction point
1308 * (CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, via
1309 * rend_service_launch_establish_intro())
1310 *
1311 * - We are a router testing its own reachabiity
1312 * (CIRCUIT_PURPOSE_TESTING, via router_do_reachability_checks())
1313 *
1314 * onion_pick_cpath_exit() bypasses us (by not calling
1315 * new_route_len()) in the one-hop tunnel case, so we don't need to
1316 * handle that.
1317 */
1318 int
1320 {
1325 /* Clients want an extra hop for rends to avoid linkability.
1326 * Services want it for intro points to avoid publishing their
1327 * layer3 guards. They want it for hsdir posts to use
1328 * their full layer3 guard set for those connections.
1329 * Ex: C - G - L2 - L3 - R
1330 * S - G - L2 - L3 - HSDIR
1331 * S - G - L2 - L3 - I
1332 */
1339 /* If we only have Layer2 vanguards, then we do not need
1340 * the extra hop for linkabilty reasons (see below).
1341 * This means all hops can be of the form:
1342 * S/C - G - L2 - M - R/HSDir/I
1343 */
1347 /* For connections to hsdirs, clients want two extra hops
1348 * when using layer3 guards, to avoid linkability.
1349 * Same goes for intro points. Note that the route len
1350 * includes the intro point or hsdir, hence the +2.
1351 * Ex: C - G - L2 - L3 - M - I
1352 * C - G - L2 - L3 - M - HSDIR
1353 * S - G - L2 - L3 - M - R
1354 */
1359 }
1365 /* These two purposes connect to a router that we chose, so
1366 * DEFAULT_ROUTE_LEN is safe. */
1368 /* hidden service connecting to introduction point */
1370 /* router reachability testing */
1374 /* These three purposes connect to a router that someone else
1375 * might have chosen, so add an extra hop to protect anonymity. */
1379 /* connecting to hidden service directory */
1381 /* client connecting to introduction point */
1383 /* hidden service connecting to rendezvous point */
1385 routelen++;
1389 /* Got a purpose not listed above along with a chosen exit.
1390 * Increase the circuit length by one anyway for safety. */
1391 routelen++;
1393 }
1398 }
1400 }
1402 /** Choose a length for a circuit of purpose <b>purpose</b> and check
1403 * if enough routers are available.
1404 *
1405 * If the routerlist <b>nodes</b> doesn't have enough routers
1406 * to handle the desired path length, return -1.
1407 */
1408 STATIC int
1411 {
1423 num_acceptable_indirect);
1427 "Not enough acceptable routers (%d/%d direct and %d/%d "
1432 }
1435 }
1437 /** Return a newly allocated list of uint16_t * for each predicted port not
1438 * handled by a current circuit. */
1441 {
1445 }
1447 /** Return 1 if we already have circuits present or on the way for
1448 * all anticipated ports. Return 0 if we should make more.
1449 *
1450 * If we're returning 0, set need_uptime and need_capacity to
1451 * indicate any requirements that the unhandled ports have.
1452 */
1456 {
1463 // Always predict need_capacity
1471 }
1474 }
1476 /** Return 1 if <b>node</b> can handle one or more of the ports in
1477 * <b>needed_ports</b>, else return 0.
1478 */
1479 static int
1486 addr_policy_result_t r;
1487 /* alignment issues aren't a worry for this dereference, since
1488 needed_ports is explicitly a smartlist of uint16_t's */
1493 else
1497 }
1499 }
1501 /** Return true iff <b>conn</b> needs another general circuit to be
1502 * built. */
1503 static int
1505 {
1518 MIN_CIRCUITS_HANDLING_STREAM))
1521 }
1523 /** Return a pointer to a suitable router to be the exit node for the
1524 * general-purpose circuit we're about to build.
1525 *
1526 * Look through the connection array, and choose a router that maximizes
1527 * the number of pending streams that can exit from this router.
1528 *
1529 * Return NULL if we can't find any suitable routers.
1530 */
1533 {
1548 /* Count how many connections are waiting for a circuit to be built.
1549 * We use this for log messages now, but in the future we may depend on it.
1550 */
1552 {
1555 });
1556 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
1557 // n_pending_connections);
1558 /* Now we count, for each of the routers in the directory, how many
1559 * of the pending connections could possibly exit from that
1560 * router (n_supported[i]). (We can't be sure about cases where we
1561 * don't know the IP address of the pending connection.)
1562 *
1563 * -1 means "Don't use this router at all."
1564 */
1571 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
1572 /* XXX there's probably a reverse predecessor attack here, but
1573 * it's slow. should we take this out? -RD
1574 */
1576 }
1580 }
1584 }
1586 /* never pick a non-general node as a random exit. */
1589 }
1593 }
1598 }
1603 * this makes us reject all the possible routers: if so,
1604 * we'll retry later in this function with need_update and
1605 * need_capacity set to 0. */
1606 }
1608 /* if it's invalid and we don't want it */
1610 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- invalid router.",
1611 // router->nickname, i);
1613 }
1614 /* We do not allow relays that allow single hop exits by default. Option
1615 * was deprecated in 0.2.9.2-alpha and removed in 0.3.1.0-alpha. */
1619 }
1622 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
1623 // router->nickname, i);
1625 }
1627 /* iterate over connections */
1633 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
1634 // router->nickname, i, n_supported[i]);
1636 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
1637 // router->nickname, i);
1638 }
1641 /* Leave best_support at -1 if that's where it is, so we can
1642 * distinguish it later. */
1644 }
1646 /* If this router is better than previous ones, remember its index
1647 * and goodness, and start counting how many routers are this good. */
1649 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
1650 // router->nickname);
1652 /* If this router is _as good_ as the best one, just increment the
1653 * count of equally good routers.*/
1655 }
1660 n_pending_connections);
1662 /* If any routers definitely support any pending connections, choose one
1663 * at random. */
1670 });
1675 /* Either there are no pending connections, or no routers even seem to
1676 * possibly support any of them. Choose a router at random that satisfies
1677 * at least one predicted exit port. */
1685 "We couldn't find any live%s%s routers; falling back "
1692 }
1696 }
1700 /* try once to pick only from routers that satisfy a needed port,
1701 * then if there are none, pick from any that support exiting. */
1705 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
1706 // try, router->nickname);
1708 }
1715 /* If we reach this point, we can't actually support any unhandled
1716 * predicted ports, so clear all the remaining ones. */
1719 }
1723 }
1729 }
1732 "No exits in ExitNodes%s seem to be running: "
1736 }
1738 }
1740 /* Pick a Rendezvous Point for our HS circuits according to <b>flags</b>. */
1743 {
1746 }
1748 /*
1749 * Helper function to pick a configured restricted middle node
1750 * (either HSLayer2Nodes or HSLayer3Nodes).
1751 *
1752 * Make sure that the node we chose is alive, and not excluded,
1753 * and return it.
1754 *
1755 * The exclude_set is a routerset of nodes that the selected node
1756 * must not match, and the exclude_list is a simple list of nodes
1757 * that the selected node must not be in. Either or both may be
1758 * NULL.
1759 *
1760 * Return NULL if no usable nodes could be found. */
1767 {
1775 /* Add all running nodes to all_live_nodes */
1784 /* Filter all_live_nodes to only add live *and* whitelisted middles
1785 * to the list whitelisted_live_middles. */
1789 }
1792 /* Honor ExcludeNodes */
1795 }
1799 }
1801 /**
1802 * Max number of restricted nodes before we alert the user and try
1803 * to load balance for them.
1804 *
1805 * The most aggressive vanguard design had 16 nodes at layer3.
1806 * Let's give a small ceiling above that. */
1807 #define MAX_SANE_RESTRICTED_NODES 20
1808 /* If the user (or associated tor controller) selected only a few nodes,
1809 * assume they took load balancing into account and don't do it for them.
1810 *
1811 * If there are a lot of nodes in here, assume they did not load balance
1812 * and do it for them, but also warn them that they may be Doing It Wrong.
1813 */
1815 MAX_SANE_RESTRICTED_NODES) {
1820 "Your _HSLayer%dNodes setting has resulted "
1821 "in %d total nodes. This is a lot of nodes. "
1822 "You may want to consider using a Tor controller "
1826 /* NO_WEIGHTING here just means don't take node flags into account
1827 * (ie: use consensus measurement only). This is done so that
1828 * we don't further surprise the user by not using Exits that they
1829 * specified at all */
1831 NO_WEIGHTING);
1832 }
1838 }
1840 /** Return a pointer to a suitable router to be the exit node for the
1841 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
1842 * if no router is suitable).
1843 *
1844 * For general-purpose circuits, pass it off to
1845 * choose_good_exit_server_general()
1846 *
1847 * For client-side rendezvous circuits, choose a random node, weighted
1848 * toward the preferences in 'options'.
1849 */
1853 {
1861 /* For these three, we want to pick the exit like a middle hop,
1862 * since it should be random. */
1864 FALLTHROUGH;
1868 else
1871 {
1872 /* Pick a new RP */
1877 }
1878 }
1882 }
1884 /** Log a warning if the user specified an exit for the circuit that
1885 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
1886 static void
1889 {
1899 {
1935 }
1938 /* We should never get here if StrictNodes is set to 1. */
1941 "even though StrictNodes is set. Please report. "
1948 "ExcludeNodes%s, because no better options were available. To "
1949 "prevent this (and possibly break your Tor functionality), "
1950 "set the StrictNodes configuration option. "
1955 }
1957 }
1960 }
1962 /** Decide a suitable length for circ's cpath, and pick an exit
1963 * router (or use <b>exit</b> if provided). Store these in the
1964 * cpath.
1965 *
1966 * If <b>is_hs_v3_rp_circuit</b> is set, then this exit should be suitable to
1967 * be used as an HS v3 rendezvous point.
1968 *
1969 * Return 0 if ok, -1 if circuit should be closed. */
1970 STATIC int
1973 {
1986 }
2008 }
2012 }
2015 }
2017 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
2018 * hop to the cpath reflecting this. Don't send the next extend cell --
2019 * the caller will do this if it wants to.
2020 */
2021 int
2023 {
2036 }
2038 /** Take an open <b>circ</b>, and add a new hop at the end, based on
2039 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
2040 * send the next extend cell to begin connecting to that hop.
2041 */
2042 int
2044 {
2057 }
2059 // XXX: Should cannibalized circuits be dirty or not? Not easy to say..
2062 }
2064 /** Return the number of routers in <b>routers</b> that are currently up
2065 * and available for building circuits through.
2066 *
2067 * (Note that this function may overcount or undercount, if we have
2068 * descriptors that are not the type we would prefer to use for some
2069 * particular router. See bug #25885.)
2070 */
2073 {
2077 // log_debug(LD_CIRC,
2078 // "Contemplating whether router %d (%s) is a new option.",
2079 // i, r->nickname);
2081 // log_debug(LD_CIRC,"Nope, the directory says %d is not running.",i);
2084 // log_debug(LD_CIRC,"Nope, the directory says %d is not valid.",i);
2088 /* The node has a descriptor, so we can just check the ntor key directly */
2094 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
2097 }
2099 /**
2100 * Build the exclude list for vanguard circuits.
2101 *
2102 * For vanguard circuits we exclude all the already chosen nodes (including the
2103 * exit) from being middle hops to prevent the creation of A - B - A subpaths.
2104 * We also allow the 4th hop to be the same as the guard node so as to not leak
2105 * guard information to RP/IP/HSDirs.
2106 *
2107 * For vanguard circuits, we don't apply any subnet or family restrictions.
2108 * This is to avoid impossible-to-build circuit paths, or just situations where
2109 * our earlier guards prevent us from using most of our later ones.
2110 *
2111 * The alternative is building the circuit in reverse. Reverse calls to
2112 * onion_extend_cpath() (ie: select outer hops first) would then have the
2113 * property that you don't gain information about inner hops by observing
2114 * outer ones. See https://trac.torproject.org/projects/tor/ticket/24487
2115 * for this.
2116 *
2117 * (Note further that we still exclude the exit to prevent A - B - A
2118 * at the end of the path. */
2124 {
2134 /* Add the exit to the exclude list (note that the exit/last hop is always
2135 * chosen first in circuit_establish_circuit()). */
2138 }
2140 /* If we are picking the 4th hop, allow that node to be the guard too.
2141 * This prevents us from avoiding the Guard for those hops, which
2142 * gives the adversary information about our guard if they control
2143 * the RP, IP, or HSDIR. We don't do this check based on purpose
2144 * because we also want to allow HS_VANGUARDS pre-build circuits
2145 * to use the guard for that last hop.
2146 */
2148 /* Skip the first hop for the exclude list below */
2150 cur_len--;
2151 }
2156 }
2157 }
2160 }
2162 /**
2163 * Build a list of nodes to exclude from the choice of this middle
2164 * hop, based on already chosen nodes.
2165 */
2171 {
2177 /** Vanguard circuits have their own path selection rules */
2180 }
2184 /* For non-vanguard circuits, add the exit and its family to the exclude list
2185 * (note that the exit/last hop is always chosen first in
2186 * circuit_establish_circuit()). */
2189 }
2191 /* also exclude all other already chosen nodes and their family */
2195 }
2196 }
2199 }
2201 /** Return true if we MUST use vanguards for picking this middle node. */
2202 static int
2205 {
2206 /* If this is not a hidden service circuit, don't use vanguards */
2209 }
2211 /* If we have sticky L2 nodes, and this is an L2 pick, use vanguards */
2214 }
2216 /* If we have sticky L3 nodes, and this is an L3 pick, use vanguards */
2219 }
2222 }
2224 /** Pick a sticky vanguard middle node or return NULL if not found.
2225 * See doc of pick_restricted_middle_node() for argument details. */
2230 {
2234 /* Pick the right routerset based on the current hop */
2240 /* guaranteed by middle_node_should_be_vanguard() */
2243 }
2252 "Could not find a node that matches the configured "
2254 }
2257 }
2259 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
2260 * and <b>state</b> and the cpath <b>head</b> (currently populated only
2261 * to length <b>cur_len</b> to decide a suitable middle hop for a
2262 * circuit. In particular, make sure we don't pick the exit node or its
2263 * family, and make sure we don't duplicate any previous nodes or their
2264 * families. */
2270 {
2288 /** If a hidden service circuit wants a specific middle node, pin it. */
2294 }
2310 }
2313 }
2316 }
2318 /** Pick a good entry server for the circuit to be built according to
2319 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
2320 * router (if we're an OR), and respect firewall settings; if we're
2321 * configured to use entry guards, return one.
2322 *
2323 * Set *<b>guard_state_out</b> to information about the guard that
2324 * we're selecting, which we'll use later to remember whether the
2325 * guard worked or not.
2326 */
2330 {
2334 /* If possible, choose an entry server with a preferred address,
2335 * otherwise, choose one with an allowed address */
2337 CRN_DIRECT_CONN);
2340 /* Once we used this function to select a node to be a guard. We had
2341 * 'state == NULL' be the signal for that. But we don't do that any more.
2342 */
2347 /* This request is for an entry server to use for a regular circuit,
2348 * and we use entry guard nodes. Just return one of the guard nodes. */
2351 }
2356 /* Exclude the exit node from the state, if we have one. Also exclude its
2357 * family. */
2359 }
2366 }
2371 }
2373 /** Choose a suitable next hop for the circuit <b>circ</b>.
2374 * Append the hop info to circ->cpath.
2375 *
2376 * Return 1 if the path is complete, 0 if we successfully added a hop,
2377 * and -1 on error.
2378 */
2379 STATIC int
2381 {
2391 }
2402 /* If we're a client, use the preferred address rather than the
2403 primary address, for potentially connecting to an IPv6 OR
2404 port. Servers always want the primary (IPv4) address. */
2407 /* Clients can fail to find an allowed address */
2409 }
2416 }
2417 }
2423 }
2432 }
2434 /** Allocate a new extend_info object based on the various arguments. */
2435 extend_info_t *
2442 {
2457 }
2459 /** Allocate and return a new extend_info that can be used to build a
2460 * circuit to or through the node <b>node</b>. Use the primary address
2461 * of the node (i.e. its IPv4 address) unless
2462 * <b>for_direct_connect</b> is true, in which case the preferred
2463 * address is used instead. May return NULL if there is not enough
2464 * info about <b>node</b> to extend to it--for example, if the preferred
2465 * routerinfo_t or microdesc_t is missing, or if for_direct_connect is
2466 * true and none of the node's addresses is allowed by tor's firewall
2467 * and IP version config.
2468 **/
2469 extend_info_t *
2471 {
2474 tor_addr_port_t ap;
2479 }
2481 /* Choose a preferred address first, but fall back to an allowed address. */
2486 }
2493 else
2497 /* Every node we connect or extend to must support ntor */
2500 "Attempted to create extend_info for a node that does not support "
2503 }
2507 /* Don't send the ed25519 pubkey unless the target node actually supports
2508 * authenticating with it. */
2516 }
2518 /* Retrieve the curve25519 pubkey. */
2526 ed_pubkey,
2527 rsa_pubkey,
2528 curve_pubkey,
2534 ed_pubkey,
2535 rsa_pubkey,
2536 curve_pubkey,
2539 }
2543 }
2545 /** Release storage held by an extend_info_t struct. */
2546 void
2548 {
2553 }
2555 /** Allocate and return a new extend_info_t with the same contents as
2556 * <b>info</b>. */
2557 extend_info_t *
2559 {
2566 else
2569 }
2571 /** Return the node_t for the chosen exit router in <b>state</b>.
2572 * If there is no chosen exit, or if we don't know the node_t for
2573 * the chosen exit, return NULL.
2574 */
2577 {
2581 }
2583 /** Return the RSA ID digest for the chosen exit router in <b>state</b>.
2584 * If there is no chosen exit, return NULL.
2585 */
2588 {
2592 }
2594 /** Return the nickname for the chosen exit router in <b>state</b>. If
2595 * there is no chosen exit, or if we don't know the routerinfo_t for the
2596 * chosen exit, return NULL.
2597 */
2600 {
2604 }
2606 /** Return true iff the given address can be used to extend to. */
2607 int
2609 {
2612 /* Check if we have a private address and if we can extend to it. */
2616 }
2617 /* Allowed! */
2619 disallow:
2621 }
2623 /* Does ei have a valid TAP key? */
2624 int
2626 {
2628 /* Valid TAP keys are not NULL */
2630 }
2632 /* Does ei have a valid ntor key? */
2633 int
2635 {
2637 /* Valid ntor keys have at least one non-zero byte */
2640 CURVE25519_PUBKEY_LEN);
2641 }
2643 /* Is circuit purpose allowed to use the deprecated TAP encryption protocol?
2644 * The hidden service protocol still uses TAP for some connections, because
2645 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2646 static int
2648 {
2651 }
2653 /* Is circ allowed to use the deprecated TAP encryption protocol?
2654 * The hidden service protocol still uses TAP for some connections, because
2655 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2656 int
2658 {
2664 }
2666 /* Does circ have an onion key which it's allowed to use? */
2667 int
2669 {
2675 }
2677 /* Does ei have an onion key which it would prefer to use?
2678 * Currently, we prefer ntor keys*/
2679 int
2681 {
2684 }
2686 /** Find the circuits that are waiting to find out whether their guards are
2687 * usable, and if any are ready to become usable, mark them open and try
2688 * attaching streams as appropriate. */
2689 void
2691 {
2707 }