| blob | c99f47465feaee021bef0a75f2f4a1e0f3baa5fa |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circuitbuild.c
9 *
10 * \brief Implements the details of building circuits (by choosing paths,
11 * constructing/sending create/extend cells, and so on).
12 *
13 * On the client side, this module handles launching circuits. Circuit
14 * launches are srtarted from circuit_establish_circuit(), called from
15 * circuit_launch_by_extend_info()). To choose the path the circuit will
16 * take, onion_extend_cpath() calls into a maze of node selection functions.
17 *
18 * Once the circuit is ready to be launched, the first hop is treated as a
19 * special case with circuit_handle_first_hop(), since it might need to open a
20 * channel. As the channel opens, and later as CREATED and RELAY_EXTENDED
21 * cells arrive, the client will invoke circuit_send_next_onion_skin() to send
22 * CREATE or RELAY_EXTEND cells.
23 *
24 * The server side is handled in feature/relay/circuitbuild_relay.c.
25 **/
27 #define CIRCUITBUILD_PRIVATE
28 #define OCIRC_EVENT_PRIVATE
93 /** This function tries to get a channel to the specified endpoint,
94 * and then calls command_setup_channel() to give it the right
95 * callbacks.
96 */
99 {
112 }
114 /** Search for a value for circ_id that we can use on <b>chan</b> for an
115 * outbound circuit, until we get a circ_id that is not in use by any other
116 * circuit on that conn.
117 *
118 * Return it, or 0 if can't get a unique circ_id.
119 */
120 STATIC circid_t
122 {
123 /* This number is chosen somewhat arbitrarily; see comment below for more
124 * info. When the space is 80% full, it gives a one-in-a-million failure
125 * chance; when the space is 90% full, it gives a one-in-850 chance; and when
126 * the space is 95% full, it gives a one-in-26 failure chance. That seems
127 * okay, though you could make a case IMO for anything between N=32 and
128 * N=256. */
129 #define MAX_CIRCID_ATTEMPTS 64
132 circid_t test_circ_id;
142 "Trying to pick a circuit ID for a connection from "
145 }
151 /* Make sure we don't loop forever because all circuit IDs are used.
152 *
153 * Once, we would try until we had tried every possible circuit ID. But
154 * that's quite expensive. Instead, we try MAX_CIRCID_ATTEMPTS random
155 * circuit IDs, and then give up.
156 *
157 * This potentially causes us to give up early if our circuit ID space
158 * is nearly full. If we have N circuit IDs in use, then we will reject
159 * a new circuit with probability (N / max_range) ^ MAX_CIRCID_ATTEMPTS.
160 * This means that in practice, a few percent of our circuit ID capacity
161 * will go unused.
162 *
163 * The alternative here, though, is to do a linear search over the
164 * whole circuit ID space every time we extend a circuit, which is
165 * not so great either.
166 */
175 "circID support, with %u inbound and %u outbound circuits. "
176 "Found %u circuit IDs in use by circuits, and %u with "
177 "pending destroy cells. (%u of those were marked bogusly.) "
178 "The ones with pending destroy cells "
179 "have been marked unusable for an average of %ld seconds "
180 "and a maximum of %ld seconds. This channel is %ld seconds "
188 m);
192 /* This warning should be impossible. */
195 }
197 /* analysis so far on 12184 suggests that we're running out of circuit
198 IDs because it looks like we have too many pending destroy
199 cells. Let's see how many we really have pending.
200 */
205 "of which %u are active. It says it has %"PRId64
211 /* Change this into "if (1)" in order to get more information about
212 * possible failure modes here. You'll need to know how to use gdb with
213 * Tor: this will make Tor exit with an assertion failure if the cmux is
214 * corrupt. */
221 }
236 since_when =
245 }
246 }
249 }
251 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
252 * the currently built elements of <b>circ</b>. If <b>verbose</b> is true, also
253 * list information about link status in a more verbose format using spaces.
254 * If <b>verbose_names</b> is false, give hex digests; if <b>verbose_names</b>
255 * is true, use $DIGEST=Name style names.
256 */
259 {
276 }
303 }
308 }
316 }
324 }
326 /** If <b>verbose</b> is false, allocate and return a comma-separated
327 * list of the currently built elements of <b>circ</b>. If
328 * <b>verbose</b> is true, also list information about link status in
329 * a more verbose format using spaces.
330 */
333 {
335 }
337 /** Allocate and return a comma-separated list of the currently built elements
338 * of <b>circ</b>, giving each as a verbose nickname.
339 */
342 {
344 }
346 /** Log, at severity <b>severity</b>, the nicknames of each router in
347 * <b>circ</b>'s cpath. Also log the length of the cpath, and the intended
348 * exit point.
349 */
350 void
352 {
356 }
358 /** Return 1 iff every node in circ's cpath definitely supports ntor. */
359 static int
361 {
366 /* if the extend_info is missing, we can't tell if it supports ntor */
369 }
371 /* if the key is blank, it definitely doesn't support ntor */
374 }
379 }
381 /** Pick all the entries in our cpath. Stop and return 0 when we're
382 * happy, or return -1 if an error occurs. */
383 static int
385 {
388 /* onion_extend_cpath assumes these are non-NULL */
397 }
398 }
400 /* The path is complete */
403 /* Does every node in this path support ntor? */
406 /* We would like every path to support ntor, but we have to allow for some
407 * edge cases. */
410 /* Circuits from clients to intro points, and hidden services to rend
411 * points do not support ntor, because the hidden service protocol does
412 * not include ntor onion keys. This is also true for Single Onion
413 * Services. */
415 }
418 /* Allow for bootstrapping: when we're fetching directly from a fallback,
419 * authority, or bridge, we have no way of knowing its ntor onion key
420 * before we connect to it. So instead, we try connecting, and end up using
421 * CREATE_FAST. */
426 /* If we don't know the node and its descriptor, we must be bootstrapping.
427 */
430 }
431 }
434 /* If we're building a multi-hop path, and it's not one of the HS or
435 * bootstrapping exceptions, and it doesn't support ntor, something has
436 * gone wrong. */
438 }
441 }
443 /** Create and return a new origin circuit. Initialize its purpose and
444 * build-state based on our arguments. The <b>flags</b> argument is a
445 * bitfield of CIRCLAUNCH_* flags, see circuit_launch_by_extend_info() for
446 * more details. */
447 origin_circuit_t *
449 {
450 /* sets circ->p_circ_id and circ->p_chan */
466 }
468 /** Build a new circuit for <b>purpose</b>. If <b>exit</b> is defined, then use
469 * that as your exit router, else choose a suitable exit node. The <b>flags</b>
470 * argument is a bitfield of CIRCLAUNCH_* flags, see
471 * circuit_launch_by_extend_info() for more details.
472 *
473 * Also launch a connection to the first OR in the chosen path, if
474 * it's not open already.
475 */
476 origin_circuit_t *
478 {
485 }
493 }
500 }
504 }
506 /** Return the guard state associated with <b>circ</b>, which may be NULL. */
507 circuit_guard_state_t *
509 {
511 }
513 /**
514 * Helper function to publish a channel association message
515 *
516 * circuit_handle_first_hop() calls this to notify subscribers about a
517 * channel launch event, which associates a circuit with a channel.
518 * This doesn't always correspond to an assignment of the circuit's
519 * n_chan field, because that seems to be only for fully-open
520 * channels.
521 **/
522 static void
524 {
532 }
534 /** Start establishing the first hop of our circuit. Figure out what
535 * OR we should connect to, and if necessary start the connection to
536 * it. If we're already connected, then send the 'create' cell.
537 * Return 0 for ok, -reason if circ should be marked-for-close. */
538 int
540 {
552 /* Some bridges are on private addresses. Others pass a dummy private
553 * address to the pluggable transport, which ignores it.
554 * Deny the connection if:
555 * - the address is internal, and
556 * - we're not connecting to a configured bridge, and
557 * - we're not configured to allow extends to private addresses. */
564 }
566 /* now see if we're already connected to the first OR in 'route' */
581 /* not currently connected in a useful way. */
592 }
593 /* We didn't find a channel, but we're launching one for an origin
594 * circuit. (If we decided not to launch a channel, then we found at
595 * least one once good in-progress channel use for this circuit, and
596 * marked it in channel_get_for_extend().) */
599 }
602 /* return success. The onion/circuit/etc will be taken care of
603 * automatically (may already have been) whenever n_chan reaches
604 * OR_CONN_STATE_OPEN.
605 */
610 /* We found a channel, and we're using it for an origin circuit. */
619 }
620 }
622 }
624 /** Find any circuits that are waiting on <b>or_conn</b> to become
625 * open and get them to send their create cells forward.
626 *
627 * Status is 1 if connect succeeded, or 0 if connect failed.
628 *
629 * Close_origin_circuits is 1 if we should close all the origin circuits
630 * through this channel, or 0 otherwise. (This happens when we want to retry
631 * an older guard.)
632 */
633 void
635 {
648 {
649 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
650 * leaving them in in case it's possible for the status of a circuit to
651 * change as we're going down the list. */
660 }
663 }
666 /* Look at addr/port. This is an unkeyed connection. */
670 /* We expected a key or keys. See if they matched. */
674 /* If the channel is canonical, great. If not, it needs to match
675 * the requested address exactly. */
679 }
680 }
685 }
691 }
693 /* circuit_deliver_create_cell will set n_circ_id and add us to
694 * chan_circuid_circuit_map, so we don't need to call
695 * set_circid_chan here. */
707 /* XXX could this be bad, eg if next_onion_skin failed because conn
708 * died? */
709 }
711 /* pull the create cell out of circ->n_chan_create_cell, and send it */
716 }
719 }
720 }
724 }
726 /** Find a new circid that isn't currently in use on the circ->n_chan
727 * for the outgoing
728 * circuit <b>circ</b>, and deliver the cell <b>create_cell</b> to this
729 * circuit. If <b>relayed</b> is true, this is a create cell somebody
730 * gave us via an EXTEND cell, so we shouldn't worry if we don't understand
731 * it. Return -1 if we failed to find a suitable circid, else return 0.
732 */
737 {
738 cell_t cell;
739 circid_t id;
755 }
765 }
774 /* Update began timestamp for circuits starting their first hop */
778 "Got first hop for a circuit without an opened channel. "
781 }
784 }
786 /* mark it so it gets better rate limiting treatment. */
788 }
791 error:
794 }
796 /** Return true iff we should send a create_fast cell to start building a
797 * given circuit */
800 {
805 }
807 /**
808 * Return true if <b>circ</b> is the type of circuit we want to count
809 * timeouts from.
810 *
811 * In particular, we want to consider any circuit that plans to build
812 * at least 3 hops (but maybe more), but has 3 or fewer hops built
813 * so far.
814 *
815 * We still want to consider circuits before 3 hops, because we need
816 * to decide if we should convert them to a measurement circuit in
817 * circuit_build_times_handle_completed_hop(), rather than letting
818 * slow circuits get killed right away.
819 */
820 int
822 {
826 }
828 /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b>
829 * directly, and set *<b>cell_type_out</b> and *<b>handshake_type_out</b>
830 * accordingly.
831 * Note that TAP handshakes in CREATE cells are only used for direct
832 * connections:
833 * - from Single Onions to rend points not in the service's consensus.
834 * This is checked in onion_populate_cpath. */
835 static void
839 {
840 /* torspec says: In general, clients SHOULD use CREATE whenever they are
841 * using the TAP handshake, and CREATE2 otherwise. */
846 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
849 }
850 }
852 /** Decide whether to use a TAP or ntor handshake for extending to <b>ei</b>
853 * and set *<b>handshake_type_out</b> accordingly. Decide whether we should
854 * use an EXTEND2 or an EXTEND cell to do so, and set *<b>cell_type_out</b>
855 * and *<b>create_cell_type_out</b> accordingly.
856 * Note that TAP handshakes in EXTEND cells are only used:
857 * - from clients to intro points, and
858 * - from hidden services to rend points.
859 * This is checked in onion_populate_cpath.
860 */
861 static void
866 {
870 /* torspec says: Clients SHOULD use the EXTEND format whenever sending a TAP
871 * handshake... In other cases, clients SHOULD use EXTEND2. */
876 /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
879 }
880 }
882 /**
883 * Return true iff <b>purpose</b> is a purpose for a circuit which is
884 * allowed to have no guard configured, even if the circuit is multihop
885 * and guards are enabled.
886 */
887 static int
889 {
893 /* Testing circuits may omit guards because they're measuring
894 * liveness or performance, and don't want guards to interfere. */
897 /* All other multihop circuits should use guards if guards are
898 * enabled. */
900 }
901 }
903 /** This is the backbone function for building circuits.
904 *
905 * If circ's first hop is closed, then we need to build a create
906 * cell and send it forward.
907 *
908 * Otherwise, if circ's cpath still has any non-open hops, we need to
909 * build a relay extend cell and send it forward to the next non-open hop.
910 *
911 * If all hops on the cpath are open, we're done building the circuit
912 * and we should do housekeeping for the newly opened circuit.
913 *
914 * Return -reason if we want to tear down circ, else return 0.
915 */
916 int
918 {
922 /* Case one: we're on the first hop. */
924 }
935 /* Case two: we're on a hop after the first. */
937 }
939 /* Case three: the circuit is finished. Do housekeeping tasks on it. */
942 }
944 /**
945 * Called from circuit_send_next_onion_skin() when we find ourselves connected
946 * to the first hop in <b>circ</b>: Send a CREATE or CREATE2 or CREATE_FAST
947 * cell to that hop. Return 0 on success; -reason on failure (if the circuit
948 * should be torn down).
949 */
950 static int
952 {
956 create_cell_t cc;
966 /* If this is not a one-hop tunnel, the channel is being used
967 * for traffic that wants anonymity and protection from traffic
968 * analysis (such as netflow record retention). That means we want
969 * to pad it.
970 */
973 }
978 /* We know the right onion key: we should send a create cell. */
982 /* We don't know an onion key, so we need to fall back to CREATE_FAST. */
985 }
994 }
1007 }
1009 /**
1010 * Called from circuit_send_next_onion_skin() when we find that we have no
1011 * more hops: mark the circuit as finished, and perform the necessary
1012 * bookkeeping. Return 0 on success; -reason on failure (if the circuit
1013 * should be torn down).
1014 */
1015 static int
1017 {
1018 guard_usable_t r;
1026 }
1030 }
1035 // Wait till either a better guard succeeds, or till
1036 // all better guards fail.
1041 }
1043 /* XXXX #21422 -- the rest of this branch needs careful thought!
1044 * Some of the things here need to happen when a circuit becomes
1045 * mechanically open; some need to happen when it is actually usable.
1046 * I think I got them right, but more checking would be wise. -NM
1047 */
1054 }
1063 /* FFFF Log a count of known routers here */
1065 "Tor has successfully opened a circuit. "
1073 }
1074 }
1076 /* We're done with measurement circuits here. Just close them */
1079 }
1081 }
1083 /**
1084 * Called from circuit_send_next_onion_skin() when we find that we have a hop
1085 * other than the first that we need to extend to: use <b>hop</b>'s
1086 * information to extend the circuit another step. Return 0 on success;
1087 * -reason on failure (if the circuit should be torn down).
1088 */
1089 static int
1092 {
1094 extend_cell_t ec;
1095 /* Relays and bridges can send IPv6 extends. But for clients, it's an
1096 * obvious version distinguisher. */
1118 }
1123 }
1128 }
1130 /* Set the ED25519 identity too -- it will only get included
1131 * in the extend2 cell if we're configured to use it, though. */
1141 }
1145 {
1152 }
1154 /* send it to hop->prev, because that relay will transfer
1155 * it to a create cell and then send to hop */
1157 command,
1161 }
1165 }
1167 /** Our clock just jumped by <b>seconds_elapsed</b>. If <b>was_idle</b> is
1168 * true, then the monotonic time matches; otherwise it doesn't. Assume
1169 * something has also gone wrong with our network: notify the user, and
1170 * abandon all not-yet-used circuits. */
1171 void
1173 {
1183 (
1186 }
1190 /* so we log when it works again */
1197 /* Restart all the timers in case we jumped a long way into the past. */
1199 }
1200 }
1202 /** A "created" cell <b>reply</b> came back to us on circuit <b>circ</b>.
1203 * (The body of <b>reply</b> varies depending on what sort of handshake
1204 * this is.)
1205 *
1206 * Calculate the appropriate keys and digests, make sure KH is
1207 * correct, and initialize this hop of the cpath.
1208 *
1209 * Return - reason if we want to mark circ for close, else return 0.
1210 */
1211 int
1214 {
1222 }
1231 }
1232 }
1235 {
1246 }
1247 }
1253 }
1261 }
1263 /** We received a relay truncated cell on circ.
1264 *
1265 * Since we don't send truncates currently, getting a truncated
1266 * means that a connection broke or an extend failed. For now,
1267 * just give up: force circ to close, and return 0.
1268 */
1269 int
1271 {
1272 // crypt_path_t *victim;
1273 // connection_t *stream;
1277 /* XXX Since we don't send truncates currently, getting a truncated
1278 * means that a connection broke or an extend failed. For now,
1279 * just give up.
1280 */
1285 #if 0
1287 /* we need to clear out layer->next */
1295 /* no need to send 'end' relay cells,
1296 * because the other side's already dead
1297 */
1299 }
1300 }
1304 }
1309 }
1311 /** Helper for new_route_len(). Choose a circuit length for purpose
1312 * <b>purpose</b>: DEFAULT_ROUTE_LEN (+ 1 if someone else chose the
1313 * exit). If someone else chose the exit, they could be colluding
1314 * with the exit, so add a randomly selected node to preserve
1315 * anonymity.
1316 *
1317 * Here, "exit node" sometimes means an OR acting as an internal
1318 * endpoint, rather than as a relay to an external endpoint. This
1319 * means there need to be at least DEFAULT_ROUTE_LEN routers between
1320 * us and the internal endpoint to preserve the same anonymity
1321 * properties that we would get when connecting to an external
1322 * endpoint. These internal endpoints can include:
1323 *
1324 * - Connections to a directory of hidden services
1325 * (CIRCUIT_PURPOSE_C_GENERAL)
1326 *
1327 * - A client connecting to an introduction point, which the hidden
1328 * service picked (CIRCUIT_PURPOSE_C_INTRODUCING, via
1329 * circuit_get_open_circ_or_launch() which rewrites it from
1330 * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT)
1331 *
1332 * - A hidden service connecting to a rendezvous point, which the
1333 * client picked (CIRCUIT_PURPOSE_S_CONNECT_REND.
1334 *
1335 * There are currently two situations where we picked the exit node
1336 * ourselves, making DEFAULT_ROUTE_LEN a safe circuit length:
1337 *
1338 * - We are a hidden service connecting to an introduction point
1339 * (CIRCUIT_PURPOSE_S_ESTABLISH_INTRO).
1340 *
1341 * - We are a router testing its own reachabiity
1342 * (CIRCUIT_PURPOSE_TESTING, via router_do_reachability_checks())
1343 *
1344 * onion_pick_cpath_exit() bypasses us (by not calling
1345 * new_route_len()) in the one-hop tunnel case, so we don't need to
1346 * handle that.
1347 */
1348 int
1350 {
1355 /* Clients want an extra hop for rends to avoid linkability.
1356 * Services want it for intro points to avoid publishing their
1357 * layer3 guards. They want it for hsdir posts to use
1358 * their full layer3 guard set for those connections.
1359 * Ex: C - G - L2 - L3 - R
1360 * S - G - L2 - L3 - HSDIR
1361 * S - G - L2 - L3 - I
1362 */
1369 /* If we only have Layer2 vanguards, then we do not need
1370 * the extra hop for linkabilty reasons (see below).
1371 * This means all hops can be of the form:
1372 * S/C - G - L2 - M - R/HSDir/I
1373 */
1377 /* For connections to hsdirs, clients want two extra hops
1378 * when using layer3 guards, to avoid linkability.
1379 * Same goes for intro points. Note that the route len
1380 * includes the intro point or hsdir, hence the +2.
1381 * Ex: C - G - L2 - L3 - M - I
1382 * C - G - L2 - L3 - M - HSDIR
1383 * S - G - L2 - L3 - M - R
1384 */
1389 }
1395 /* These two purposes connect to a router that we chose, so
1396 * DEFAULT_ROUTE_LEN is safe. */
1398 /* hidden service connecting to introduction point */
1400 /* router reachability testing */
1404 /* These three purposes connect to a router that someone else
1405 * might have chosen, so add an extra hop to protect anonymity. */
1409 /* connecting to hidden service directory */
1411 /* client connecting to introduction point */
1413 /* hidden service connecting to rendezvous point */
1415 routelen++;
1419 /* Got a purpose not listed above along with a chosen exit.
1420 * Increase the circuit length by one anyway for safety. */
1421 routelen++;
1423 }
1428 }
1430 }
1432 /** Choose a length for a circuit of purpose <b>purpose</b> and check
1433 * if enough routers are available.
1434 *
1435 * If the routerlist <b>nodes</b> doesn't have enough routers
1436 * to handle the desired path length, return -1.
1437 */
1438 STATIC int
1441 {
1453 num_acceptable_indirect);
1457 "Not enough acceptable routers (%d/%d direct and %d/%d "
1462 }
1465 }
1467 /** Return a newly allocated list of uint16_t * for each predicted port not
1468 * handled by a current circuit. */
1471 {
1475 }
1477 /** Return 1 if we already have circuits present or on the way for
1478 * all anticipated ports. Return 0 if we should make more.
1479 *
1480 * If we're returning 0, set need_uptime and need_capacity to
1481 * indicate any requirements that the unhandled ports have.
1482 */
1486 {
1493 // Always predict need_capacity
1501 }
1504 }
1506 /** Return 1 if <b>node</b> can handle one or more of the ports in
1507 * <b>needed_ports</b>, else return 0.
1508 */
1509 static int
1516 addr_policy_result_t r;
1517 /* alignment issues aren't a worry for this dereference, since
1518 needed_ports is explicitly a smartlist of uint16_t's */
1523 else
1527 }
1529 }
1531 /** Return true iff <b>conn</b> needs another general circuit to be
1532 * built. */
1533 static int
1535 {
1548 MIN_CIRCUITS_HANDLING_STREAM))
1551 }
1553 /** Return a pointer to a suitable router to be the exit node for the
1554 * general-purpose circuit we're about to build.
1555 *
1556 * Look through the connection array, and choose a router that maximizes
1557 * the number of pending streams that can exit from this router.
1558 *
1559 * Return NULL if we can't find any suitable routers.
1560 */
1563 {
1575 /* We should not require guard flags on exits. */
1579 /* We reject single-hop exits for all node positions. */
1583 /* This isn't the function for picking rendezvous nodes. */
1587 /* We only want exits to extend if we cannibalize the circuit.
1588 * But we don't require IPv6 extends yet. */
1594 /* Count how many connections are waiting for a circuit to be built.
1595 * We use this for log messages now, but in the future we may depend on it.
1596 */
1598 {
1601 });
1602 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
1603 // n_pending_connections);
1604 /* Now we count, for each of the routers in the directory, how many
1605 * of the pending connections could possibly exit from that
1606 * router (n_supported[i]). (We can't be sure about cases where we
1607 * don't know the IP address of the pending connection.)
1608 *
1609 * -1 means "Don't use this router at all."
1610 */
1617 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
1618 /* XXX there's probably a reverse predecessor attack here, but
1619 * it's slow. should we take this out? -RD
1620 */
1622 }
1626 }
1630 }
1634 }
1639 }
1642 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
1643 // router->nickname, i);
1645 }
1647 /* iterate over connections */
1653 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
1654 // router->nickname, i, n_supported[i]);
1656 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
1657 // router->nickname, i);
1658 }
1661 /* Leave best_support at -1 if that's where it is, so we can
1662 * distinguish it later. */
1664 }
1666 /* If this router is better than previous ones, remember its index
1667 * and goodness, and start counting how many routers are this good. */
1669 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
1670 // router->nickname);
1672 /* If this router is _as good_ as the best one, just increment the
1673 * count of equally good routers.*/
1675 }
1680 n_pending_connections);
1682 /* If any routers definitely support any pending connections, choose one
1683 * at random. */
1690 });
1695 /* Either there are no pending connections, or no routers even seem to
1696 * possibly support any of them. Choose a router at random that satisfies
1697 * at least one predicted exit port. */
1705 "We couldn't find any live%s%s routers; falling back "
1712 }
1716 }
1720 /* try once to pick only from routers that satisfy a needed port,
1721 * then if there are none, pick from any that support exiting. */
1725 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
1726 // try, router->nickname);
1728 }
1735 /* If we reach this point, we can't actually support any unhandled
1736 * predicted ports, so clear all the remaining ones. */
1739 }
1743 }
1749 }
1752 "No exits in ExitNodes%s seem to be running: "
1756 }
1758 }
1760 /* Pick a Rendezvous Point for our HS circuits according to <b>flags</b>. */
1763 {
1766 }
1768 /*
1769 * Helper function to pick a configured restricted middle node
1770 * (either HSLayer2Nodes or HSLayer3Nodes).
1771 *
1772 * Make sure that the node we chose is alive, and not excluded,
1773 * and return it.
1774 *
1775 * The exclude_set is a routerset of nodes that the selected node
1776 * must not match, and the exclude_list is a simple list of nodes
1777 * that the selected node must not be in. Either or both may be
1778 * NULL.
1779 *
1780 * Return NULL if no usable nodes could be found. */
1787 {
1795 /* Add all running nodes to all_live_nodes */
1798 /* Filter all_live_nodes to only add live *and* allowlisted middles
1799 * to the list allowlisted_live_middles. */
1803 }
1806 /* Honor ExcludeNodes */
1809 }
1813 }
1815 /**
1816 * Max number of restricted nodes before we alert the user and try
1817 * to load balance for them.
1818 *
1819 * The most aggressive vanguard design had 16 nodes at layer3.
1820 * Let's give a small ceiling above that. */
1821 #define MAX_SANE_RESTRICTED_NODES 20
1822 /* If the user (or associated tor controller) selected only a few nodes,
1823 * assume they took load balancing into account and don't do it for them.
1824 *
1825 * If there are a lot of nodes in here, assume they did not load balance
1826 * and do it for them, but also warn them that they may be Doing It Wrong.
1827 */
1829 MAX_SANE_RESTRICTED_NODES) {
1834 "Your _HSLayer%dNodes setting has resulted "
1835 "in %d total nodes. This is a lot of nodes. "
1836 "You may want to consider using a Tor controller "
1840 /* NO_WEIGHTING here just means don't take node flags into account
1841 * (ie: use consensus measurement only). This is done so that
1842 * we don't further surprise the user by not using Exits that they
1843 * specified at all */
1845 NO_WEIGHTING);
1846 }
1852 }
1854 /** Return a pointer to a suitable router to be the exit node for the
1855 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
1856 * if no router is suitable).
1857 *
1858 * For general-purpose circuits, pass it off to
1859 * choose_good_exit_server_general()
1860 *
1861 * For client-side rendezvous circuits, choose a random node, weighted
1862 * toward the preferences in 'options'.
1863 */
1867 {
1875 /* For these three, we want to pick the exit like a middle hop,
1876 * since it should be random. */
1878 FALLTHROUGH;
1882 else
1885 {
1886 /* Pick a new RP */
1891 }
1892 }
1896 }
1898 /** Log a warning if the user specified an exit for the circuit that
1899 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
1900 static void
1903 {
1913 {
1949 }
1952 /* We should never get here if StrictNodes is set to 1. */
1955 "even though StrictNodes is set. Please report. "
1962 "ExcludeNodes%s, because no better options were available. To "
1963 "prevent this (and possibly break your Tor functionality), "
1964 "set the StrictNodes configuration option. "
1969 }
1971 }
1974 }
1976 /* Return a set of generic CRN_* flags based on <b>state</b>.
1977 *
1978 * Called for every position in the circuit. */
1979 STATIC int
1981 {
1983 /* These flags apply to entry, middle, and exit nodes.
1984 * If a flag only applies to a specific position, it should be checked in
1985 * that function. */
1991 }
1993 /* Return the CRN_INITIATE_IPV6_EXTEND flag, based on <b>state</b> and
1994 * <b>cur_len</b>.
1995 *
1996 * Only called for middle nodes (for now). Must not be called on single-hop
1997 * circuits. */
1998 STATIC int
2001 {
2005 /* The last node is the relay doing the self-test. So we want to extend over
2006 * IPv6 from the second-last node. */
2009 else
2011 }
2013 /** Decide a suitable length for circ's cpath, and pick an exit
2014 * router (or use <b>exit</b> if provided). Store these in the
2015 * cpath.
2016 *
2017 * If <b>is_hs_v3_rp_circuit</b> is set, then this exit should be suitable to
2018 * be used as an HS v3 rendezvous point.
2019 *
2020 * Return 0 if ok, -1 if circuit should be closed. */
2021 STATIC int
2024 {
2037 }
2047 /* Some internal exits are one hop, for example directory connections.
2048 * (Guards are always direct, middles are never direct.) */
2058 }
2062 }
2065 }
2067 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
2068 * hop to the cpath reflecting this. Don't send the next extend cell --
2069 * the caller will do this if it wants to.
2070 */
2071 int
2073 {
2086 }
2088 /** Take an open <b>circ</b>, and add a new hop at the end, based on
2089 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
2090 * send the next extend cell to begin connecting to that hop.
2091 */
2092 int
2094 {
2107 }
2109 // XXX: Should cannibalized circuits be dirty or not? Not easy to say..
2112 }
2114 /** Return the number of routers in <b>nodes</b> that are currently up and
2115 * available for building circuits through.
2116 *
2117 * If <b>direct</b> is true, only count nodes that are suitable for direct
2118 * connections. Counts nodes regardless of whether their addresses are
2119 * preferred.
2120 */
2123 {
2131 // log_debug(LD_CIRC,
2132 // "Contemplating whether router %d (%s) is a new option.",
2133 // i, r->nickname);
2139 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
2142 }
2144 /**
2145 * Build the exclude list for vanguard circuits.
2146 *
2147 * For vanguard circuits we exclude all the already chosen nodes (including the
2148 * exit) from being middle hops to prevent the creation of A - B - A subpaths.
2149 * We also allow the 4th hop to be the same as the guard node so as to not leak
2150 * guard information to RP/IP/HSDirs.
2151 *
2152 * For vanguard circuits, we don't apply any subnet or family restrictions.
2153 * This is to avoid impossible-to-build circuit paths, or just situations where
2154 * our earlier guards prevent us from using most of our later ones.
2155 *
2156 * The alternative is building the circuit in reverse. Reverse calls to
2157 * onion_extend_cpath() (ie: select outer hops first) would then have the
2158 * property that you don't gain information about inner hops by observing
2159 * outer ones. See https://bugs.torproject.org/tpo/core/tor/24487
2160 * for this.
2161 *
2162 * (Note further that we still exclude the exit to prevent A - B - A
2163 * at the end of the path. */
2169 {
2179 /* Add the exit to the exclude list (note that the exit/last hop is always
2180 * chosen first in circuit_establish_circuit()). */
2183 }
2185 /* If we are picking the 4th hop, allow that node to be the guard too.
2186 * This prevents us from avoiding the Guard for those hops, which
2187 * gives the adversary information about our guard if they control
2188 * the RP, IP, or HSDIR. We don't do this check based on purpose
2189 * because we also want to allow HS_VANGUARDS pre-build circuits
2190 * to use the guard for that last hop.
2191 */
2193 /* Skip the first hop for the exclude list below */
2195 cur_len--;
2196 }
2201 }
2202 }
2205 }
2207 /**
2208 * Build a list of nodes to exclude from the choice of this middle
2209 * hop, based on already chosen nodes.
2210 */
2216 {
2222 /** Vanguard circuits have their own path selection rules */
2225 }
2229 /* For non-vanguard circuits, add the exit and its family to the exclude list
2230 * (note that the exit/last hop is always chosen first in
2231 * circuit_establish_circuit()). */
2234 }
2236 /* also exclude all other already chosen nodes and their family */
2240 }
2241 }
2244 }
2246 /** Return true if we MUST use vanguards for picking this middle node. */
2247 static int
2250 {
2251 /* If this is not a hidden service circuit, don't use vanguards */
2254 }
2256 /* If we have sticky L2 nodes, and this is an L2 pick, use vanguards */
2259 }
2261 /* If we have sticky L3 nodes, and this is an L3 pick, use vanguards */
2264 }
2267 }
2269 /** Pick a sticky vanguard middle node or return NULL if not found.
2270 * See doc of pick_restricted_middle_node() for argument details. */
2275 {
2279 /* Pick the right routerset based on the current hop */
2285 /* guaranteed by middle_node_should_be_vanguard() */
2288 }
2297 "Could not find a node that matches the configured "
2299 }
2302 }
2304 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
2305 * and <b>state</b> and the cpath <b>head</b> (currently populated only
2306 * to length <b>cur_len</b> to decide a suitable middle hop for a
2307 * circuit. In particular, make sure we don't pick the exit node or its
2308 * family, and make sure we don't duplicate any previous nodes or their
2309 * families. */
2315 {
2331 /** If a hidden service circuit wants a specific middle node, pin it. */
2337 }
2353 }
2356 }
2359 }
2361 /** Pick a good entry server for the circuit to be built according to
2362 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
2363 * router (if we're an OR), and respect firewall settings; if we're
2364 * configured to use entry guards, return one.
2365 *
2366 * Set *<b>guard_state_out</b> to information about the guard that
2367 * we're selecting, which we'll use later to remember whether the
2368 * guard worked or not.
2369 */
2373 {
2377 /* If possible, choose an entry server with a preferred address,
2378 * otherwise, choose one with an allowed address */
2380 CRN_DIRECT_CONN);
2383 /* Once we used this function to select a node to be a guard. We had
2384 * 'state == NULL' be the signal for that. But we don't do that any more.
2385 */
2390 /* This request is for an entry server to use for a regular circuit,
2391 * and we use entry guard nodes. Just return one of the guard nodes. */
2394 }
2399 /* Exclude the exit node from the state, if we have one. Also exclude its
2400 * family. */
2402 }
2406 }
2411 }
2413 /** Choose a suitable next hop for the circuit <b>circ</b>.
2414 * Append the hop info to circ->cpath.
2415 *
2416 * Return 1 if the path is complete, 0 if we successfully added a hop,
2417 * and -1 on error.
2418 */
2419 STATIC int
2421 {
2431 }
2442 /* If we're a client, use the preferred address rather than the
2443 primary address, for potentially connecting to an IPv6 OR
2444 port. Servers always want the primary (IPv4) address. */
2447 /* Clients can fail to find an allowed address */
2449 }
2455 }
2456 }
2462 }
2471 }
2473 /** Return the node_t for the chosen exit router in <b>state</b>.
2474 * If there is no chosen exit, or if we don't know the node_t for
2475 * the chosen exit, return NULL.
2476 */
2479 {
2483 }
2485 /** Return the RSA ID digest for the chosen exit router in <b>state</b>.
2486 * If there is no chosen exit, return NULL.
2487 */
2490 {
2494 }
2496 /** Return the nickname for the chosen exit router in <b>state</b>. If
2497 * there is no chosen exit, or if we don't know the routerinfo_t for the
2498 * chosen exit, return NULL.
2499 */
2502 {
2506 }
2508 /* Is circuit purpose allowed to use the deprecated TAP encryption protocol?
2509 * The hidden service protocol still uses TAP for some connections, because
2510 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2511 static int
2513 {
2516 }
2518 /* Is circ allowed to use the deprecated TAP encryption protocol?
2519 * The hidden service protocol still uses TAP for some connections, because
2520 * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
2521 int
2523 {
2529 }
2531 /* Does circ have an onion key which it's allowed to use? */
2532 int
2534 {
2540 }
2542 /** Find the circuits that are waiting to find out whether their guards are
2543 * usable, and if any are ready to become usable, mark them open and try
2544 * attaching streams as appropriate. */
2545 void
2547 {
2563 }