| blob | 5da3009e6710b9cdfd8ba58f484f79bfc0958147 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2015, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /* TOR_CHANNEL_INTERNAL_ define needed for an O(1) implementation of
8 * channelpadding_channel_to_channelinfo() */
9 #define TOR_CHANNEL_INTERNAL_
23 #include <event2/event.h>
31 /** The total number of pending channelpadding timers */
34 /** These are cached consensus parameters for netflow */
35 /** The timeout lower bound that is allowed before sending padding */
37 /** The timeout upper bound that is allowed before sending padding */
39 /** The timeout lower bound that is allowed before sending reduced padding */
41 /** The timeout upper bound that is allowed before sending reduced padding */
43 /** The connection timeout between relays */
45 /** The connection timeout for client connections */
47 /** Should we pad before circuits are actually used for client data? */
49 /** Should we pad relay-to-relay connections? */
51 /** Should we pad tor2web connections? */
53 /** Should we pad rosos connections? */
56 #define TOR_MSEC_PER_SEC 1000
57 #define TOR_USEC_PER_MSEC 1000
59 /**
60 * How often do we get called by the connection housekeeping (ie: once
61 * per second) */
62 #define TOR_HOUSEKEEPING_CALLBACK_MSEC 1000
63 /**
64 * Additional extra time buffer on the housekeeping callback, since
65 * it can be delayed. This extra slack is used to decide if we should
66 * schedule a timer or wait for the next callback. */
67 #define TOR_HOUSEKEEPING_CALLBACK_SLACK_MSEC 100
69 /**
70 * This macro tells us if either end of the channel is connected to a client.
71 * (If we're not a server, we're definitely a client. If the channel thinks
72 * it's a client, use that. Then finally verify in the consensus).
73 */
74 #define CHANNEL_IS_CLIENT(chan, options) \
75 (!public_server_mode((options)) || channel_is_client(chan) || \
76 !connection_or_digest_is_known_relay((chan)->identity_digest))
78 /**
79 * This function is called to update cached consensus parameters every time
80 * there is a consensus update. This allows us to move the consensus param
81 * search off of the critical path, so it does not need to be evaluated
82 * for every single connection, every second.
83 */
84 void
86 {
87 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_LOW 1500
88 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_HIGH 9500
89 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_MIN 0
90 #define DFLT_NETFLOW_INACTIVE_KEEPALIVE_MAX 60000
92 DFLT_NETFLOW_INACTIVE_KEEPALIVE_LOW,
93 DFLT_NETFLOW_INACTIVE_KEEPALIVE_MIN,
94 DFLT_NETFLOW_INACTIVE_KEEPALIVE_MAX);
96 DFLT_NETFLOW_INACTIVE_KEEPALIVE_HIGH,
97 consensus_nf_ito_low,
98 DFLT_NETFLOW_INACTIVE_KEEPALIVE_MAX);
100 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_LOW 9000
101 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_HIGH 14000
102 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_MIN 0
103 #define DFLT_NETFLOW_REDUCED_KEEPALIVE_MAX 60000
104 consensus_nf_ito_low_reduced =
106 DFLT_NETFLOW_REDUCED_KEEPALIVE_LOW,
107 DFLT_NETFLOW_REDUCED_KEEPALIVE_MIN,
108 DFLT_NETFLOW_REDUCED_KEEPALIVE_MAX);
110 consensus_nf_ito_high_reduced =
112 DFLT_NETFLOW_REDUCED_KEEPALIVE_HIGH,
113 consensus_nf_ito_low_reduced,
114 DFLT_NETFLOW_REDUCED_KEEPALIVE_MAX);
117 #define CONNTIMEOUT_RELAYS_MIN 60
119 consensus_nf_conntimeout_relays =
121 CONNTIMEOUT_RELAYS_DFLT,
122 CONNTIMEOUT_RELAYS_MIN,
123 CONNTIMEOUT_RELAYS_MAX);
126 #define CIRCTIMEOUT_CLIENTS_MIN 60
128 consensus_nf_conntimeout_clients =
130 CIRCTIMEOUT_CLIENTS_DFLT,
131 CIRCTIMEOUT_CLIENTS_MIN,
132 CIRCTIMEOUT_CLIENTS_MAX);
134 consensus_nf_pad_before_usage =
137 consensus_nf_pad_relays =
140 consensus_nf_pad_tor2web =
142 CHANNELPADDING_TOR2WEB_PARAM,
145 consensus_nf_pad_single_onion =
147 CHANNELPADDING_SOS_PARAM,
149 }
151 /**
152 * Get a random netflow inactive timeout keepalive period in milliseconds,
153 * the range for which is determined by consensus parameters, negotiation,
154 * configuration, or default values. The consensus parameters enforce the
155 * minimum possible value, to avoid excessively frequent padding.
156 *
157 * The ranges for this value were chosen to be low enough to ensure that
158 * routers do not emit a new netflow record for a connection due to it
159 * being idle.
160 *
161 * Specific timeout values for major routers are listed in Proposal 251.
162 * No major router appeared capable of setting an inactive timeout below 10
163 * seconds, so we set the defaults below that value, since we can always
164 * scale back if it ends up being too much padding.
165 *
166 * Returns the next timeout period (in milliseconds) after which we should
167 * send a padding packet, or 0 if padding is disabled.
168 */
169 STATIC int32_t
171 {
179 /* If we have negotiated different timeout values, use those, but
180 * don't allow them to be lower than the consensus ones */
184 }
189 /*
190 * This MAX() hack is here because we apply the timeout on both the client
191 * and the server. This creates the situation where the total time before
192 * sending a packet in either direction is actually
193 * min(client_timeout,server_timeout).
194 *
195 * If X is a random variable uniform from 0..R-1 (where R=high-low),
196 * then Y=max(X,X) has Prob(Y == i) = (2.0*i + 1)/(R*R).
197 *
198 * If we create a third random variable Z=min(Y,Y), then it turns out that
199 * Exp[Z] ~= Exp[X]. Here's a table:
200 *
201 * R Exp[X] Exp[Z] Exp[min(X,X)] Exp[max(X,X)]
202 * 2000 999.5 1066 666.2 1332.8
203 * 3000 1499.5 1599.5 999.5 1999.5
204 * 5000 2499.5 2666 1666.2 3332.8
205 * 6000 2999.5 3199.5 1999.5 3999.5
206 * 7000 3499.5 3732.8 2332.8 4666.2
207 * 8000 3999.5 4266.2 2666.2 5332.8
208 * 10000 4999.5 5328 3332.8 6666.2
209 * 15000 7499.5 7995 4999.5 9999.5
210 * 20000 9900.5 10661 6666.2 13332.8
211 *
212 * In other words, this hack makes it so that when both the client and
213 * the guard are sending this padding, then the averages work out closer
214 * to the midpoint of the range, making the overhead easier to tune.
215 * If only one endpoint is padding (for example: if the relay does not
216 * support padding, but the client has set ConnectionPadding 1; or
217 * if the relay does support padding, but the client has set
218 * ReducedConnectionPadding 1), then the defense will still prevent
219 * record splitting, but with less overhead than the midpoint
220 * (as seen by the Exp[max(X,X)] column).
221 *
222 * To calculate average padding packet frequency (and thus overhead),
223 * index into the table by picking a row based on R = high-low. Then,
224 * use the appropriate column (Exp[Z] for two-sided padding, and
225 * Exp[max(X,X)] for one-sided padding). Finally, take this value
226 * and add it to the low timeout value. This value is the average
227 * frequency which padding packets will be sent.
228 */
233 }
235 /**
236 * Update this channel's padding settings based on the PADDING_NEGOTIATE
237 * contents.
238 *
239 * Returns -1 on error; 1 on success.
240 */
241 int
244 {
251 }
253 // We should not allow malicious relays to disable or reduce padding for
254 // us as clients. In fact, we should only accept this cell at all if we're
255 // operating as a relay. Bridges should not accept it from relays, either
256 // (only from their clients).
263 "Got a PADDING_NEGOTIATE from relay at %s (%s). "
268 }
272 /* Min must not be lower than the current consensus parameter
273 nf_ito_low. */
277 /* Max must not be lower than ito_low_ms */
288 }
290 /**
291 * Sends a CELL_PADDING_NEGOTIATE on the channel to tell the other side not
292 * to send padding.
293 *
294 * Returns -1 on error, 0 on success.
295 */
296 STATIC int
298 {
299 channelpadding_negotiate_t disable;
300 cell_t cell;
303 MIN_LINK_PROTO_FOR_CHANNEL_PADDING);
317 else
319 }
321 /**
322 * Sends a CELL_PADDING_NEGOTIATE on the channel to tell the other side to
323 * resume sending padding at some rate.
324 *
325 * Returns -1 on error, 0 on success.
326 */
327 int
330 {
331 channelpadding_negotiate_t enable;
332 cell_t cell;
335 MIN_LINK_PROTO_FOR_CHANNEL_PADDING);
351 else
353 }
355 /**
356 * Sends a CELL_PADDING cell on a channel if it has been idle since
357 * our callback was scheduled.
358 *
359 * This function also clears the pending padding timer and the callback
360 * flags.
361 */
362 static void
364 {
365 cell_t cell;
367 /* Check that the channel is still valid and open */
373 }
375 /* We should have a pending callback flag set. */
383 /* We must have been active before the timer fired */
386 }
388 {
389 monotime_coarse_t now;
401 }
403 /* Clear the timer */
406 /* Send the padding cell. This will cause the channel to get a
407 * fresh timestamp_active */
411 }
413 /**
414 * tor_timer callback function for us to send padding on an idle channel.
415 *
416 * This function just obtains the channel from the callback handle, ensures
417 * it is still valid, and then hands it off to
418 * channelpadding_send_padding_cell_for_callback(), which checks if
419 * the channel is still idle before sending padding.
420 */
421 static void
424 {
429 /* Hrmm.. It might be nice to have an equivalent to assert_connection_ok
430 * for channels. Then we could get rid of the channeltls dependency */
432 OR_CONNECTION_MAGIC);
439 }
441 total_timers_pending--;
442 }
444 /**
445 * Schedules a callback to send padding on a channel in_ms milliseconds from
446 * now.
447 *
448 * Returns CHANNELPADDING_WONTPAD on error, CHANNELPADDING_PADDING_SENT if we
449 * sent the packet immediately without a timer, and
450 * CHANNELPADDING_PADDING_SCHEDULED if we decided to schedule a timer.
451 */
452 static channelpadding_decision_t
454 {
462 }
469 }
473 channelpadding_send_padding_callback,
478 }
485 }
487 /**
488 * Calculates the number of milliseconds from now to schedule a padding cell.
489 *
490 * Returns the number of milliseconds from now (relative) to schedule the
491 * padding callback. If the padding timer is more than 1.1 seconds in the
492 * future, we return -1, to avoid scheduling excessive callbacks. If padding
493 * is disabled in the consensus, we return -2.
494 *
495 * Side-effects: Updates chan->next_padding_time_ms, storing an (absolute, not
496 * relative) millisecond representation of when we should send padding, unless
497 * other activity happens first. This side-effect allows us to avoid
498 * scheduling a libevent callback until we're within 1.1 seconds of the padding
499 * time.
500 */
501 #define CHANNELPADDING_TIME_LATER -1
502 #define CHANNELPADDING_TIME_DISABLED -2
503 STATIC int64_t
505 {
506 monotime_coarse_t now;
510 /* If the below line or crypto_rand_int() shows up on a profile,
511 * we can avoid getting a timeout until we're at least nf_ito_lo
512 * from a timeout window. That will prevent us from setting timers
513 * on connections that were active up to 1.5 seconds ago.
514 * Idle connections should only call this once every 5.5s on average
515 * though, so that might be a micro-optimization for little gain. */
524 padding_timeout);
525 }
530 /* If the next padding time is beyond the maximum possible consensus value,
531 * then this indicates a clock jump, so just send padding now. This is
532 * better than using monotonic time because we want to avoid the situation
533 * where we wait around forever for monotonic time to move forward after
534 * a clock jump far into the past.
535 */
543 }
545 /* If the timeout will expire before the next time we're called (1000ms
546 from now, plus some slack), then calculate the number of milliseconds
547 from now which we should send padding, so we can schedule a callback
548 then.
549 */
551 TOR_HOUSEKEEPING_CALLBACK_SLACK_MSEC)) {
552 /* If the padding time is in the past, that means that libevent delayed
553 * calling the once-per-second callback due to other work taking too long.
554 * See https://bugs.torproject.org/22212 and
555 * https://bugs.torproject.org/16585. This is a systemic problem
556 * with being single-threaded, but let's emit a notice if this
557 * is long enough in the past that we might have missed a netflow window,
558 * and allowed a router to emit a netflow frame, just so we don't forget
559 * about it entirely.. */
560 #define NETFLOW_MISSED_WINDOW (150000 - DFLT_NETFLOW_INACTIVE_KEEPALIVE_HIGH)
568 }
571 }
573 }
575 /**
576 * Returns a randomized value for channel idle timeout in seconds.
577 * The channel idle timeout governs how quickly we close a channel
578 * after its last circuit has disappeared.
579 *
580 * There are three classes of channels:
581 * 1. Client+non-canonical. These live for 3-4.5 minutes
582 * 2. relay to relay. These live for 45-75 min by default
583 * 3. Reduced padding clients. These live for 1.5-2.25 minutes.
584 *
585 * Also allows the default relay-to-relay value to be controlled by the
586 * consensus.
587 */
588 unsigned int
591 {
595 /* Non-canonical and client channels only last for 3-4.5 min when idle */
598 timeout = CONNTIMEOUT_CLIENTS_BASE
601 // 45..75min or consensus +/- 25%
604 }
606 /* If ReducedConnectionPadding is set, we want to halve the duration of
607 * the channel idle timeout, since reducing the additional time that
608 * a channel stays open will reduce the total overhead for making
609 * new channels. This reduction in overhead/channel expense
610 * is important for mobile users. The option cannot be set by relays.
611 *
612 * We also don't reduce any values for timeout that the user explicitly
613 * set.
614 */
618 }
621 }
623 /**
624 * This function controls how long we keep idle circuits open,
625 * and how long we build predicted circuits. This behavior is under
626 * the control of channelpadding because circuit availability is the
627 * dominant factor in channel lifespan, which influences total padding
628 * overhead.
629 *
630 * Returns a randomized number of seconds in a range from
631 * CircuitsAvailableTimeout to 2*CircuitsAvailableTimeout. This value is halved
632 * if ReducedConnectionPadding is set. The default value of
633 * CircuitsAvailableTimeout can be controlled by the consensus.
634 */
635 int
637 {
644 /* If ReducedConnectionPadding is set, we want to halve the duration of
645 * the channel idle timeout, since reducing the additional time that
646 * a channel stays open will reduce the total overhead for making
647 * new connections. This reduction in overhead/connection expense
648 * is important for mobile users. The option cannot be set by relays.
649 *
650 * We also don't reduce any values for timeout that the user explicitly
651 * set.
652 */
654 // half the value to 15..30min by default
656 }
657 }
659 // 30..60min by default
663 }
665 /**
666 * Calling this function on a channel causes it to tell the other side
667 * not to send padding, and disables sending padding from this side as well.
668 */
669 void
671 {
674 // Send cell to disable padding on the other end
676 }
678 /**
679 * Calling this function on a channel causes it to tell the other side
680 * not to send padding, and reduces the rate that padding is sent from
681 * this side.
682 */
683 void
685 {
686 /* Padding can be forced and reduced by clients, regardless of if
687 * the channel supports it. So we check for support here before
688 * sending any commands. */
691 }
700 }
702 /**
703 * This function is called once per second by run_connection_housekeeping(),
704 * but only if the channel is still open, valid, and non-wedged.
705 *
706 * It decides if and when we should send a padding cell, and if needed,
707 * schedules a callback to send that cell at the appropriate time.
708 *
709 * Returns an enum that represents the current padding decision state.
710 * Return value is currently used only by unit tests.
711 */
712 channelpadding_decision_t
714 {
717 /* Only pad open channels */
726 }
731 /* Don't pad the channel if we didn't negotiate it, but still
732 * allow clients to force padding if options->ChannelPadding is
733 * explicitly set to 1.
734 */
737 }
740 /* If the consensus just changed values, this channel may still
741 * think padding is enabled. Negotiate it off. */
746 }
750 /* If the consensus just changed values, this channel may still
751 * think padding is enabled. Negotiate it off. */
756 }
763 }
765 /* If nf_pad_relays=1 is set in the consensus, we pad
766 * on *all* idle connections, relay-relay or relay-client.
767 * Otherwise pad only for client+bridge cons */
780 }
781 /* We have to schedule a callback because we're called exactly once per
782 * second, but we don't want padding packets to go out exactly on an
783 * integer multiple of seconds. This callback will only be scheduled
784 * if we're within 1.1 seconds of the padding time.
785 */
788 }
792 }
795 }
796 }