| blob | 100286f103b33cc0e3e28b028863f7792eb1d068 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2017, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file entrynodes.c
9 * \brief Code to manage our fixed first nodes for various functions.
10 *
11 * Entry nodes can be guards (for general use) or bridges (for censorship
12 * circumvention).
13 *
14 * In general, we use entry guards to prevent traffic-sampling attacks:
15 * if we chose every circuit independently, an adversary controlling
16 * some fraction of paths on the network would observe a sample of every
17 * user's traffic. Using guards gives users a chance of not being
18 * profiled.
19 *
20 * The current entry guard selection code is designed to try to avoid
21 * _ever_ trying every guard on the network, to try to stick to guards
22 * that we've used before, to handle hostile/broken networks, and
23 * to behave sanely when the network goes up and down.
24 *
25 * Our algorithm works as follows: First, we maintain a SAMPLE of guards
26 * we've seen in the networkstatus consensus. We maintain this sample
27 * over time, and store it persistently; it is chosen without reference
28 * to our configuration or firewall rules. Guards remain in the sample
29 * as they enter and leave the consensus. We expand this sample as
30 * needed, up to a maximum size.
31 *
32 * As a subset of the sample, we maintain a FILTERED SET of the guards
33 * that we would be willing to use if we could connect to them. The
34 * filter removes all the guards that we're excluding because they're
35 * bridges (or not bridges), because we have restrictive firewall rules,
36 * because of ExcludeNodes, because we of path bias restrictions,
37 * because they're absent from the network at present, and so on.
38 *
39 * As a subset of the filtered set, we keep a REACHABLE FILTERED SET
40 * (also called a "usable filtered set") of those guards that we call
41 * "reachable" or "maybe reachable". A guard is reachable if we've
42 * connected to it more recently than we've failed. A guard is "maybe
43 * reachable" if we have never tried to connect to it, or if we
44 * failed to connect to it so long ago that we no longer think our
45 * failure means it's down.
46 *
47 * As a persistent ordered list whose elements are taken from the
48 * sampled set, we track a CONFIRMED GUARDS LIST. A guard becomes
49 * confirmed when we successfully build a circuit through it, and decide
50 * to use that circuit. We order the guards on this list by the order
51 * in which they became confirmed.
52 *
53 * And as a final group, we have an ordered list of PRIMARY GUARDS,
54 * whose elements are taken from the filtered set. We prefer
55 * confirmed guards to non-confirmed guards for this list, and place
56 * other restrictions on it. The primary guards are the ones that we
57 * connect to "when nothing is wrong" -- circuits through them can be used
58 * immediately.
59 *
60 * To build circuits, we take a primary guard if possible -- or a
61 * reachable filtered confirmed guard if no primary guard is possible --
62 * or a random reachable filtered guard otherwise. If the guard is
63 * primary, we can use the circuit immediately on success. Otherwise,
64 * the guard is now "pending" -- we won't use its circuit unless all
65 * of the circuits we're trying to build through better guards have
66 * definitely failed.
67 *
68 * While we're building circuits, we track a little "guard state" for
69 * each circuit. We use this to keep track of whether the circuit is
70 * one that we can use as soon as it's done, or whether it's one that
71 * we should keep around to see if we can do better. In the latter case,
72 * a periodic call to entry_guards_upgrade_waiting_circuits() will
73 * eventually upgrade it.
74 **/
75 /* DOCDOC -- expand this.
76 *
77 * Information invariants:
78 *
79 * [x] whenever a guard becomes unreachable, clear its usable_filtered flag.
80 *
81 * [x] Whenever a guard becomes reachable or maybe-reachable, if its filtered
82 * flag is set, set its usable_filtered flag.
83 *
84 * [x] Whenever we get a new consensus, call update_from_consensus(). (LATER.)
85 *
86 * [x] Whenever the configuration changes in a relevant way, update the
87 * filtered/usable flags. (LATER.)
88 *
89 * [x] Whenever we add a guard to the sample, make sure its filtered/usable
90 * flags are set as possible.
91 *
92 * [x] Whenever we remove a guard from the sample, remove it from the primary
93 * and confirmed lists.
94 *
95 * [x] When we make a guard confirmed, update the primary list.
96 *
97 * [x] When we make a guard filtered or unfiltered, update the primary list.
98 *
99 * [x] When we are about to pick a guard, make sure that the primary list is
100 * full.
101 *
102 * [x] Before calling sample_reachable_filtered_entry_guards(), make sure
103 * that the filtered, primary, and confirmed flags are up-to-date.
104 *
105 * [x] Call entry_guard_consider_retry every time we are about to check
106 * is_usable_filtered or is_reachable, and every time we set
107 * is_filtered to 1.
108 *
109 * [x] Call entry_guards_changed_for_guard_selection() whenever we update
110 * a persistent field.
111 */
113 #define ENTRYNODES_PRIVATE
140 /** A list of existing guard selection contexts. */
142 /** The currently enabled guard selection context. */
145 /** A value of 1 means that at least one context has changed,
146 * and those changes need to be flushed to disk. */
166 /** Return 0 if we should apply guardfraction information found in the
167 * consensus. A specific consensus can be specified with the
168 * <b>ns</b> argument, if NULL the most recent one will be picked.*/
169 int
171 {
172 /* We need to check the corresponding torrc option and the consensus
173 * parameter if we need to. */
176 /* If UseGuardFraction is 'auto' then check the same-named consensus
177 * parameter. If the consensus parameter is not present, default to
178 * "off". */
183 }
186 }
188 /** Return true iff we know a descriptor for <b>guard</b> */
189 static int
191 {
196 }
198 /**
199 * Try to determine the correct type for a selection named "name",
200 * if <b>type</b> is GS_TYPE_INFER.
201 */
202 STATIC guard_selection_type_t
205 {
211 else
213 }
215 }
217 /**
218 * Allocate and return a new guard_selection_t, with the name <b>name</b>.
219 */
220 STATIC guard_selection_t *
222 guard_selection_type_t type)
223 {
236 }
238 /**
239 * Return the guard selection called <b>name</b>. If there is none, and
240 * <b>create_if_absent</b> is true, then create and return it. If there
241 * is none, and <b>create_if_absent</b> is false, then return NULL.
242 */
243 STATIC guard_selection_t *
245 guard_selection_type_t type,
247 {
250 }
264 }
266 /**
267 * Allocate the first guard context that we're planning to use,
268 * and make it the current context.
269 */
270 static void
272 {
276 }
281 NULL,
287 }
289 /** Get current default guard_selection_t, creating it if necessary */
290 guard_selection_t *
292 {
295 }
298 }
300 /** Return a statically allocated human-readable description of <b>guard</b>
301 */
304 {
311 }
313 /** Return <b>guard</b>'s 20-byte RSA identity digest */
316 {
318 }
320 /** Return the pathbias state associated with <b>guard</b>. */
321 guard_pathbias_t *
323 {
325 }
329 /** Return an interval betweeen 'now' and 'max_backdate' seconds in the past,
330 * chosen uniformly at random. We use this before recording persistent
331 * dates, so that we aren't leaking exactly when we recorded it.
332 */
335 {
346 }
348 /**
349 * @name parameters for networkstatus algorithm
350 *
351 * These parameters are taken from the consensus; some are overrideable in
352 * the torrc.
353 */
354 /**@{*/
355 /**
356 * We never let our sampled guard set grow larger than this fraction
357 * of the guards on the network.
358 */
359 STATIC double
361 {
364 DFLT_MAX_SAMPLE_THRESHOLD_PERCENT,
367 }
368 /**
369 * We never let our sampled guard set grow larger than this number.
370 */
371 STATIC int
373 {
375 DFLT_MAX_SAMPLE_SIZE,
377 }
378 /**
379 * We always try to make our sample contain at least this many guards.
380 */
381 STATIC int
383 {
385 DFLT_MIN_FILTERED_SAMPLE_SIZE,
387 }
388 /**
389 * If a guard is unlisted for this many days in a row, we remove it.
390 */
391 STATIC int
393 {
396 DFLT_REMOVE_UNLISTED_GUARDS_AFTER_DAYS,
398 }
399 /**
400 * We remove unconfirmed guards from the sample after this many days,
401 * regardless of whether they are listed or unlisted.
402 */
403 STATIC int
405 {
413 }
414 /**
415 * We remove confirmed guards from the sample if they were sampled
416 * GUARD_LIFETIME_DAYS ago and confirmed this many days ago.
417 */
418 STATIC int
420 {
425 DFLT_GUARD_CONFIRMED_MIN_LIFETIME_DAYS,
428 }
429 /**
430 * How many guards do we try to keep on our primary guard list?
431 */
432 STATIC int
434 {
441 }
446 }
447 /**
448 * Return the number of the live primary guards we should look at when
449 * making a circuit.
450 */
451 STATIC int
453 {
465 }
468 }
471 }
472 /**
473 * If we haven't successfully built or used a circuit in this long, then
474 * consider that the internet is probably down.
475 */
476 STATIC int
478 {
480 DFLT_INTERNET_LIKELY_DOWN_INTERVAL,
482 }
483 /**
484 * If we're trying to connect to a nonprimary guard for at least this
485 * many seconds, and we haven't gotten the connection to work, we will treat
486 * lower-priority guards as usable.
487 */
488 STATIC int
490 {
493 DFLT_NONPRIMARY_GUARD_CONNECT_TIMEOUT,
495 }
496 /**
497 * If a circuit has been sitting around in 'waiting for better guard' state
498 * for at least this long, we'll expire it.
499 */
500 STATIC int
502 {
505 DFLT_NONPRIMARY_GUARD_IDLE_TIMEOUT,
507 }
508 /**
509 * If our configuration retains fewer than this fraction of guards from the
510 * torrc, we are in a restricted setting.
511 */
512 STATIC double
514 {
517 DFLT_MEANINGFUL_RESTRICTION_PERCENT,
520 }
521 /**
522 * If our configuration retains fewer than this fraction of guards from the
523 * torrc, we are in an extremely restricted setting, and should warn.
524 */
525 STATIC double
527 {
530 DFLT_EXTREME_RESTRICTION_PERCENT,
533 }
535 /* Mark <b>guard</b> as maybe reachable again. */
536 static void
538 {
541 }
543 /* Note that we do not clear failing_since: this guard is now only
544 * _maybe-reachable_. */
548 }
550 /**
551 * Called when the network comes up after having seemed to be down for
552 * a while: Mark the primary guards as maybe-reachable so that we'll
553 * try them again.
554 */
555 STATIC void
557 {
566 }
568 /* Called when we exhaust all guards in our sampled set: Marks all guards as
569 maybe-reachable so that we 'll try them again. */
570 static void
572 {
578 }
580 /**@}*/
582 /**
583 * Given our options and our list of nodes, return the name of the
584 * guard selection that we should use. Return NULL for "use the
585 * same selection you were using before.
586 */
592 {
599 }
602 /* without a networkstatus, we can't tell any more than that. */
605 }
614 }
615 }
618 /* We use separate 'high' and 'low' thresholds here to prevent flapping
619 * back and forth */
629 /*
630 If we have no previous selection, then we're "restricted" iff we are
631 below the meaningful restriction threshold. That's easy enough.
633 But if we _do_ have a previous selection, we make it a little
634 "sticky": we only move from "restricted" to "default" when we find
635 that we're above the threshold plus 5%, and we only move from
636 "default" to "restricted" when we're below the threshold minus 5%.
637 That should prevent us from flapping back and forth if we happen to
638 be hovering very close to the default.
640 The extreme threshold is for warning only.
641 */
651 "guards. That's likely to make you stand out from the "
653 }
655 /* Easy case: no previous selection. Just check if we are in restricted or
656 normal guard selection. */
664 }
665 }
667 /* Trickier case: we do have a previous guard selection context. */
670 /* Use high and low thresholds to decide guard selection, and if we fall in
671 the middle then keep the current guard selection context. */
679 /* we are in the middle: maintain previous guard selection */
682 }
683 }
685 /**
686 * Check whether we should switch from our current guard selection to a
687 * different one. If so, switch and return 1. Return 0 otherwise.
688 *
689 * On a 1 return, the caller should mark all currently live circuits unusable
690 * for new streams, by calling circuit_mark_all_unused_circs() and
691 * circuit_mark_all_dirty_circs_as_unusable().
692 */
693 int
695 {
699 }
703 options,
705 curr_guard_context,
715 }
726 }
728 /**
729 * Return true iff <b>node</b> has all the flags needed for us to consider it
730 * a possible guard when sampling guards.
731 */
732 static int
734 {
735 /* The "GUARDS" set is all nodes in the nodelist for which this predicate
736 * holds. */
744 }
746 /**
747 * Return the sampled guard with the RSA identity digest <b>rsa_id</b>, or
748 * NULL if we don't have one. */
749 STATIC entry_guard_t *
752 {
760 }
762 /** If <b>gs</b> contains a sampled entry guard matching <b>bridge</b>,
763 * return that guard. Otherwise return NULL. */
767 {
776 else
778 }
780 /** If we know a bridge_info_t matching <b>guard</b>, return that
781 * bridge. Otherwise return NULL. */
784 {
788 }
796 }
798 /**
799 * Return true iff we have a sampled guard with the RSA identity digest
800 * <b>rsa_id</b>. */
803 {
805 }
807 /**
808 * Allocate a new entry_guard_t object for <b>node</b>, add it to the
809 * sampled entry guards in <b>gs</b>, and return it. <b>node</b> must
810 * not currently be a sampled guard in <b>gs</b>.
811 */
812 STATIC entry_guard_t *
815 {
819 /* make sure that the guard is not already sampled. */
826 NULL);
827 }
829 /**
830 * Backend: adds a new sampled guard to <b>gs</b>, with given identity,
831 * nickname, and ORPort. rsa_id_digest and bridge_addrport are optional, but
832 * we need one of them. nickname is optional. The caller is responsible for
833 * maintaining the size limit of the SAMPLED_GUARDS set.
834 */
840 {
844 // XXXX #20827 take ed25519 identity here too.
846 /* Make sure we can actually identify the guard. */
852 /* persistent fields */
865 /* non-persistent fields */
875 }
877 /**
878 * Add an entry guard to the "bridges" guard selection sample, with
879 * information taken from <b>bridge</b>. Return that entry guard.
880 */
884 {
890 /* make sure that the guard is not already sampled. */
895 }
897 /**
898 * Return the entry_guard_t in <b>gs</b> whose address is <b>addrport</b>,
899 * or NULL if none exists.
900 */
904 {
914 }
916 /** Update the guard subsystem's knowledge of the identity of the bridge
917 * at <b>addrport</b>. Idempotent.
918 */
919 void
922 {
924 GS_TYPE_BRIDGE,
939 /* Nothing to see here; we learned something we already knew. */
946 "we already knew a different one (%s). Ignoring the new info as "
950 old_id);
952 }
957 }
958 }
960 /**
961 * Return the number of sampled guards in <b>gs</b> that are "filtered"
962 * (that is, we're willing to connect to them) and that are "usable"
963 * (that is, either "reachable" or "maybe reachable").
964 *
965 * If a restriction is provided in <b>rst</b>, do not count any guards that
966 * violate it.
967 */
968 STATIC int
971 {
981 }
983 /** Return the actual maximum size for the sample in <b>gs</b>,
984 * given that we know about <b>n_guards</b> total. */
985 static int
988 {
992 /* If we are in bridge mode, expand our sample set as needed without worrying
993 * about max size. We should respect the user's wishes to use many bridges if
994 * that's what they have specified in their configuration file. */
1003 else
1005 }
1007 /**
1008 * Return a smartlist of the all the guards that are not currently
1009 * members of the sample (GUARDS - SAMPLED_GUARDS). The elements of
1010 * this list are node_t pointers in the non-bridge case, and
1011 * bridge_info_t pointers in the bridge case. Set *<b>n_guards_out/b>
1012 * to the number of guards that we found in GUARDS, including those
1013 * that were already sampled.
1014 */
1019 {
1020 /* Construct eligible_guards as GUARDS - SAMPLED_GUARDS */
1030 }
1037 /* Build a bloom filter of our current guards: let's keep this O(N). */
1040 guard) {
1048 /* In restricted mode, we apply the filter BEFORE sampling, so
1049 * that we are sampling from the nodes that we might actually
1050 * select. If we sampled first, we might wind up with a sample
1051 * that didn't include any EntryNodes at all. */
1054 }
1061 /* Now we can free that bloom filter. */
1063 }
1067 }
1069 /** Helper: given a smartlist of either bridge_info_t (if gs->type is
1070 * GS_TYPE_BRIDGE) or node_t (otherwise), pick one that can be a guard,
1071 * add it as a guard, remove it from the list, and return a new
1072 * entry_guard_t. Return NULL on failure. */
1076 {
1091 }
1094 }
1096 /** Return true iff we need a consensus to maintain our */
1097 static int
1099 {
1102 /* We don't update bridges from the consensus; they aren't there. */
1104 }
1106 }
1108 /**
1109 * Add new guards to the sampled guards in <b>gs</b> until there are
1110 * enough usable filtered guards, but never grow the sample beyond its
1111 * maximum size. Return the last guard added, or NULL if none were
1112 * added.
1113 */
1114 STATIC entry_guard_t *
1116 {
1124 }
1140 /* Has our sample grown too large to expand? */
1144 max_sample);
1146 }
1148 /* Did we run out of guards? */
1150 /* LCOV_EXCL_START
1151 As long as MAX_SAMPLE_THRESHOLD makes can't be adjusted to
1152 allow all guards to be sampled, this can't be reached.
1153 */
1157 /* LCOV_EXCL_STOP */
1158 }
1160 /* Otherwise we can add at least one new guard. */
1169 }
1171 done:
1174 }
1176 /**
1177 * Helper: <b>guard</b> has just been removed from the sampled guards:
1178 * also remove it from primary and confirmed. */
1179 static void
1182 {
1189 }
1190 }
1198 // LCOV_EXCL_START
1200 // LCOV_EXCL_STOP
1201 }
1202 }
1203 }
1205 /** Return true iff <b>guard</b> is currently "listed" -- that is, it
1206 * appears in the consensus, or as a configured bridge (as
1207 * appropriate) */
1210 {
1217 }
1218 }
1220 /**
1221 * Update the status of all sampled guards based on the arrival of a
1222 * new consensus networkstatus document. This will include marking
1223 * some guards as listed or unlisted, and removing expired guards. */
1224 STATIC void
1226 {
1232 // It's important to use only a live consensus here; we don't want to
1233 // make changes based on anything expired or old.
1238 }
1244 /* First: Update listed/unlisted. */
1246 /* XXXX #20827 check ed ID too */
1259 unlisted_since_slop);
1269 }
1271 /* Clean up unlisted_since_date, just in case. */
1281 unlisted_since_slop);
1285 }
1295 /* Then: remove the ones that have been junk for too long */
1301 /*
1302 "We have a live consensus, and {IS_LISTED} is false, and
1303 {FIRST_UNLISTED_AT} is over {REMOVE_UNLISTED_GUARDS_AFTER}
1304 days in the past."
1305 */
1311 /* We have a live consensus, and {ADDED_ON_DATE} is over
1312 {GUARD_LIFETIME} ago, *and* {CONFIRMED_ON_DATE} is either
1313 "never", or over {GUARD_CONFIRMED_MIN_LIFETIME} ago.
1314 */
1328 }
1329 }
1336 }
1342 /* We don't need to rebuild the confirmed list right here -- we may have
1343 * removed confirmed guards above, but we can't have added any new
1344 * confirmed guards.
1345 */
1347 }
1348 }
1350 /**
1351 * Return true iff <b>node</b> is a Tor relay that we are configured to
1352 * be able to connect to. */
1353 static int
1356 {
1357 /* NOTE: Make sure that this function stays in sync with
1358 * options_transition_affects_entry_guards */
1373 }
1375 /** Helper: Return true iff <b>bridge</b> passes our configuration
1376 * filter-- if it is a relay that we are configured to be able to
1377 * connect to. */
1378 static int
1381 {
1389 /* Ignore entrynodes */
1394 FIREWALL_OR_CONNECTION,
1399 }
1401 /**
1402 * Return true iff <b>guard</b> is a Tor relay that we are configured to
1403 * be able to connect to, and we haven't disabled it for omission from
1404 * the consensus or path bias issues. */
1405 static int
1408 {
1422 // This can happen when currently_listed is true, and we're not updating
1423 // it because we don't have a live consensus.
1425 }
1428 }
1429 }
1431 /** Return true iff <b>guard</b> is in the same family as <b>node</b>.
1432 */
1433 static int
1435 {
1440 /* If we don't have a node_t for the guard node, we might have
1441 * a bridge_info_t for it. So let's check to see whether the bridge
1442 * address matches has any family issues.
1443 *
1444 * (Strictly speaking, I believe this check is unnecessary, since we only
1445 * use it to avoid the exit's family when building circuits, and we don't
1446 * build multihop circuits until we have a routerinfo_t for the
1447 * bridge... at which point, we'll also have a node_t for the
1448 * bridge. Nonetheless, it seems wise to include it, in case our
1449 * assumptions change down the road. -nickm.)
1450 */
1452 tor_addr_t node_addr;
1457 }
1458 }
1460 }
1461 }
1463 /* Allocate and return a new exit guard restriction (where <b>exit_id</b> is of
1464 * size DIGEST_LEN) */
1465 STATIC entry_guard_restriction_t *
1467 {
1473 }
1475 /** If we have fewer than this many possible usable guards, don't set
1476 * MD-availability-based restrictions: we might blacklist all of them. */
1477 #define MIN_GUARDS_FOR_MD_RESTRICTION 10
1479 /** Return true if we should set md dirserver restrictions. We might not want
1480 * to set those if our guard options are too restricted, since we don't want
1481 * to blacklist all of them. */
1482 static int
1484 {
1488 /* Don't set restriction if too few reachable filtered guards. */
1493 }
1495 /* We have enough usable guards: set MD restriction */
1497 }
1499 /** Allocate and return an outdated md guard restriction. Return NULL if no
1500 * such restriction is needed. */
1501 STATIC entry_guard_restriction_t *
1503 {
1510 }
1516 }
1518 /* Return True if <b>guard</b> obeys the exit restriction <b>rst</b>. */
1519 static int
1522 {
1525 // Exclude the exit ID and all of its family.
1531 }
1533 /** Return True if <b>guard</b> should be used as a dirserver for fetching
1534 * microdescriptors. */
1535 static int
1537 {
1538 /* If this guard is an outdated dirserver, don't use it. */
1543 }
1549 }
1551 /**
1552 * Return true iff <b>guard</b> obeys the restrictions defined in <b>rst</b>.
1553 * (If <b>rst</b> is NULL, there are no restrictions.)
1554 */
1555 static int
1558 {
1567 }
1571 }
1573 /**
1574 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1575 * flags on <b>guard</b>. */
1576 void
1580 {
1592 }
1598 /* This guard might now be primary or nonprimary. */
1600 }
1601 }
1603 /**
1604 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1605 * flag on every guard in <b>gs</b>. */
1606 STATIC void
1608 {
1614 }
1616 /**
1617 * Return a random guard from the reachable filtered sample guards
1618 * in <b>gs</b>, subject to the exclusion rules listed in <b>flags</b>.
1619 * Return NULL if no such guard can be found.
1620 *
1621 * Make sure that the sample is big enough, and that all the filter flags
1622 * are set correctly, before calling this function.
1623 *
1624 * If a restriction is provided in <b>rst</b>, do not return any guards that
1625 * violate it.
1626 **/
1627 STATIC entry_guard_t *
1631 {
1653 }
1658 /* Build the set of reachable filtered guards. */
1684 }
1688 }
1690 /**
1691 * Helper: compare two entry_guard_t by their confirmed_idx values.
1692 * Used to sort the confirmed list.
1693 */
1694 static int
1696 {
1702 else
1704 }
1706 /**
1707 * Find the confirmed guards from among the sampled guards in <b>gs</b>,
1708 * and put them in confirmed_entry_guards in the correct
1709 * order. Recalculate their indices.
1710 */
1711 STATIC void
1713 {
1727 }
1734 }
1735 }
1737 /**
1738 * Mark <b>guard</b> as a confirmed guard -- that is, one that we have
1739 * connected to, and intend to use again.
1740 */
1741 STATIC void
1743 {
1760 // This confirmed guard might kick something else out of the primary
1761 // guards.
1765 }
1767 /**
1768 * Recalculate the list of primary guards (the ones we'd prefer to use) from
1769 * the filtered sample and the confirmed list.
1770 */
1771 STATIC void
1773 {
1776 // prevent recursion. Recursion is potentially very bad here.
1787 /* Set this flag now, to prevent the calls below from recursing. */
1790 /* First, can we fill it up with confirmed guards? */
1800 /* Can we keep any older primary guards? First remove all the ones
1801 * that we already kept. */
1805 }
1808 /* Now add any that are still good. */
1819 /* Mark the remaining previous primary guards as non-primary */
1824 /* Finally, fill out the list with sampled guards. */
1827 SAMPLE_EXCLUDE_CONFIRMED|
1828 SAMPLE_EXCLUDE_PRIMARY|
1829 SAMPLE_NO_UPDATE_PRIMARY);
1834 }
1836 #if 1
1837 /* Debugging. */
1842 });
1853 }
1855 }
1867 }
1874 }
1876 /**
1877 * Return the number of seconds after the last attempt at which we should
1878 * retry a guard that has been failing since <b>failing_since</b>.
1879 */
1880 static int
1883 {
1893 }
1902 };
1908 }
1909 }
1910 /* LCOV_EXCL_START -- can't reach, since delays ends with TIME_MAX. */
1913 /* LCOV_EXCL_STOP */
1914 }
1916 /**
1917 * If <b>guard</b> is unreachable, consider whether enough time has passed
1918 * to consider it maybe-reachable again.
1919 */
1920 STATIC void
1922 {
1933 /* We should mark this retriable. */
1941 tbuf);
1946 }
1947 }
1949 /** Tell the entry guards subsystem that we have confirmed that as of
1950 * just now, we're on the internet. */
1951 void
1953 {
1955 }
1957 /**
1958 * Get a guard for use with a circuit. Prefer to pick a running primary
1959 * guard; then a non-pending running filtered confirmed guard; then a
1960 * non-pending runnable filtered guard. Update the
1961 * <b>last_tried_to_connect</b> time and the <b>is_pending</b> fields of the
1962 * guard as appropriate. Set <b>state_out</b> to the new guard-state
1963 * of the circuit.
1964 */
1965 STATIC entry_guard_t *
1967 guard_usage_t usage,
1970 {
1981 /* "If any entry in PRIMARY_GUARDS has {is_reachable} status of
1982 <maybe> or <yes>, return the first such guard." */
1990 }
1996 }
2005 }
2008 /* "Otherwise, if the ordered intersection of {CONFIRMED_GUARDS}
2009 and {USABLE_FILTERED_GUARDS} is nonempty, return the first
2010 entry in that intersection that has {is_pending} set to
2011 false." */
2025 "guard %s for circuit. Will try other guards before using "
2029 }
2032 /* "Otherwise, if there is no such entry, select a member at
2033 random from {USABLE_FILTERED_GUARDS}." */
2034 {
2040 rst,
2041 SAMPLE_EXCLUDE_CONFIRMED |
2042 SAMPLE_EXCLUDE_PRIMARY |
2043 SAMPLE_EXCLUDE_PENDING |
2044 flags);
2050 }
2055 "random guard %s for circuit. Will try other guards before "
2059 }
2060 }
2062 /**
2063 * Note that we failed to connect to or build circuits through <b>guard</b>.
2064 * Use with a guard returned by select_entry_guard_for_circuit().
2065 */
2066 STATIC void
2069 {
2083 }
2085 /**
2086 * Note that we successfully connected to, and built a circuit through
2087 * <b>guard</b>. Given the old guard-state of the circuit in <b>old_state</b>,
2088 * return the new guard-state of the circuit.
2089 *
2090 * Be aware: the circuit is only usable when its guard-state becomes
2091 * GUARD_CIRC_STATE_COMPLETE.
2092 **/
2093 STATIC unsigned
2097 {
2100 /* Save this, since we're about to overwrite it. */
2114 }
2124 /* Fall through. */
2127 /* XXXX #20832 -- I don't actually like this logic. It seems to make
2128 * us a little more susceptible to evil-ISP attacks. The mitigations
2129 * I'm thinking of, however, aren't local to this point, so I'll leave
2130 * it alone. */
2131 /* This guard may have become primary by virtue of being confirmed.
2132 * If so, the circuit for it is now complete.
2133 */
2137 }
2139 }
2145 }
2146 }
2154 }
2156 /**
2157 * Helper: Return true iff <b>a</b> has higher priority than <b>b</b>.
2158 */
2159 STATIC int
2161 {
2166 /* Confirmed is always better than unconfirmed; lower index better
2167 than higher */
2175 /* Lower confirmed_idx is better than higher. */
2177 }
2179 /* If we reach this point, both are unconfirmed. If one is pending, it
2180 * has higher priority. */
2185 /* Both are pending: earlier last_tried_connect wins. */
2191 /* Neither is pending: priorities are equal. */
2193 }
2194 }
2196 /** Release all storage held in <b>restriction</b> */
2197 STATIC void
2199 {
2201 }
2203 /**
2204 * Release all storage held in <b>state</b>.
2205 */
2206 void
2208 {
2214 }
2216 /** Allocate and return a new circuit_guard_state_t to track the result
2217 * of using <b>guard</b> for a given operation. */
2221 {
2231 }
2233 /**
2234 * Pick a suitable entry guard for a circuit in, and place that guard
2235 * in *<b>chosen_node_out</b>. Set *<b>guard_state_out</b> to an opaque
2236 * state object that will record whether the circuit is ready to be used
2237 * or not. Return 0 on success; on failure, return -1.
2238 *
2239 * If a restriction is provided in <b>rst</b>, do not return any guards that
2240 * violate it, and remember that restriction in <b>guard_state_out</b> for
2241 * later use. (Takes ownership of the <b>rst</b> object.)
2242 */
2243 int
2245 guard_usage_t usage,
2249 {
2264 // XXXX #20827 check Ed ID.
2274 fail:
2277 }
2279 /**
2280 * Called by the circuit building module when a circuit has succeeded: informs
2281 * the guards code that the guard in *<b>guard_state_p</b> is working, and
2282 * advances the state of the guard module. On a GUARD_USABLE_NEVER return
2283 * value, the circuit is broken and should not be used. On a GUARD_USABLE_NOW
2284 * return value, the circuit is ready to use. On a GUARD_MAYBE_USABLE_LATER
2285 * return value, the circuit should not be used until we find out whether
2286 * preferred guards will work for us.
2287 */
2288 guard_usable_t
2290 {
2309 }
2310 }
2312 /** Cancel the selection of *<b>guard_state_p</b> without declaring
2313 * success or failure. It is safe to call this function if success or
2314 * failure _has_ already been declared. */
2315 void
2317 {
2324 /* XXXX prop271 -- last_tried_to_connect_at will be erroneous here, but this
2325 * function will only get called in "bug" cases anyway. */
2329 }
2331 /**
2332 * Called by the circuit building module when a circuit has succeeded:
2333 * informs the guards code that the guard in *<b>guard_state_p</b> is
2334 * not working, and advances the state of the guard module.
2335 */
2336 void
2338 {
2350 }
2352 /**
2353 * Run the entry_guard_failed() function on every circuit that is
2354 * pending on <b>chan</b>.
2355 */
2356 void
2358 {
2370 /* We might have no guard state if we didn't use a guard on this
2371 * circuit (eg it's for a fallback directory). */
2373 }
2376 }
2378 /**
2379 * Return true iff every primary guard in <b>gs</b> is believed to
2380 * be unreachable.
2381 */
2382 STATIC int
2384 {
2394 }
2396 /** Wrapper for entry_guard_has_higher_priority that compares the
2397 * guard-priorities of a pair of circuits. Return 1 if <b>a</b> has higher
2398 * priority than <b>b</b>.
2399 *
2400 * If a restriction is provided in <b>rst</b>, then do not consider
2401 * <b>a</b> to have higher priority if it violates the restriction.
2402 */
2403 static int
2407 {
2418 /* Unknown guard -- never higher priority. */
2421 /* Known guard -- higher priority than any unknown guard. */
2424 /* Restriction violated; guard_a cannot have higher priority. */
2427 /* Both known -- compare.*/
2429 }
2430 }
2432 /**
2433 * Look at all of the origin_circuit_t * objects in <b>all_circuits_in</b>,
2434 * and see if any of them that were previously not ready to use for
2435 * guard-related reasons are now ready to use. Place those circuits
2436 * in <b>newly_complete_out</b>, and mark them COMPLETE.
2437 *
2438 * Return 1 if we upgraded any circuits, and 0 otherwise.
2439 */
2440 int
2444 {
2450 /* We only upgrade a waiting circuit if the primary guards are all
2451 * down. */
2455 }
2463 // We filter out circuits that aren't ours, or which we can't
2464 // reason about.
2485 }
2486 }
2493 }
2495 /* We'll need to keep track of what restrictions were used when picking this
2496 * circuit, so that we don't allow any circuit without those restrictions to
2497 * block it. */
2501 /* First look at the complete circuits: Do any block this circuit? */
2503 /* "C2 "blocks" C1 if:
2504 * C2 obeys all the restrictions that C1 had to obey, AND
2505 * C2 has higher priority than C1, AND
2506 * Either C2 is <complete>, or C2 is <waiting_for_better_guard>,
2507 or C2 has been <usable_if_no_better_guard> for no more than
2508 {NONPRIMARY_GUARD_CONNECT_TIMEOUT} seconds."
2509 */
2517 best_waiting_circuit))
2523 "%d complete and %d guard-stalled. At least one complete "
2527 }
2529 /* " * If any circuit C1 is <waiting_for_better_guard>, AND:
2530 * All primary guards have reachable status of <no>.
2531 * There is no circuit C2 that "blocks" C1.
2532 Then, upgrade C1 to <complete>.""
2533 */
2546 best_waiting_circuit))
2552 "%d guard-stalled, but %d pending circuit(s) had higher "
2556 }
2558 /* Okay. We have a best waiting circuit, and we aren't waiting for
2559 anything better. Add all circuits with that priority to the
2560 list, and call them COMPLETE. */
2567 /* Can't upgrade other circ with same priority as best; might
2568 be blocked. */
2570 }
2583 "%d guard-stalled, %d complete. %d of the guard-stalled "
2591 no_change:
2594 }
2596 /**
2597 * Return true iff the circuit whose state is <b>guard_state</b> should
2598 * expire.
2599 */
2600 int
2602 {
2609 }
2611 /**
2612 * Update all derived pieces of the guard selection state in <b>gs</b>.
2613 * Return true iff we should stop using all previously generated circuits.
2614 */
2615 int
2617 {
2623 }
2625 /**
2626 * Return a newly allocated string for encoding the persistent parts of
2627 * <b>guard</b> to the state file.
2628 */
2631 {
2632 /*
2633 * The meta-format we use is K=V K=V K=V... where K can be any
2634 * characters excepts space and =, and V can be any characters except
2635 * space. The order of entries is not allowed to matter.
2636 * Unrecognized K=V entries are persisted; recognized but erroneous
2637 * entries are corrected.
2638 */
2652 }
2655 }
2663 }
2668 }
2678 }
2682 /* Make a copy of the pathbias object, since we will want to update
2683 some of them */
2688 #define PB_FIELD(field) do { \
2689 if (pb->field >= EPSILON) { \
2691 } \
2692 } while (0)
2702 #undef PB_FIELD
2712 }
2714 /**
2715 * Given a string generated by entry_guard_encode_for_state(), parse it
2716 * (if possible) and return an entry_guard_t object for it. Return NULL
2717 * on complete failure.
2718 */
2719 STATIC entry_guard_t *
2721 {
2722 /* Unrecognized entries get put in here. */
2725 /* These fields get parsed from the string. */
2737 // pathbias
2747 /* Split up the entries. Put the ones we know about in strings and the
2748 * rest in "extra". */
2749 {
2753 #define FIELD(f) \
2754 strmap_set(vals, #f, &f);
2773 #undef FIELD
2783 }
2787 /* unrecognized or already set */
2791 }
2800 }
2808 }
2816 }
2818 /* Process the identity and nickname. */
2823 }
2831 }
2834 tor_addr_port_t res;
2840 /* On error, we already warned. */
2841 }
2843 /* Process the various time fields. */
2845 #define HANDLE_TIME(field) do { \
2846 if (field) { \
2847 int r = parse_iso_time_nospace(field, &field ## _time); \
2848 if (r < 0) { \
2850 #field, escaped(field)); \
2851 field##_time = -1; \
2852 } \
2853 } \
2854 } while (0)
2871 #undef HANDLE_TIME
2877 /* Take sampled_by_version verbatim. */
2881 /* Listed is a boolean */
2885 /* The index is a nonnegative integer. */
2895 }
2896 }
2898 /* Anything we didn't recognize gets crammed together */
2901 }
2903 /* initialize non-persistent fields */
2906 #define PB_FIELD(field) \
2907 do { \
2908 if (pb_ ## field) { \
2909 int ok = 1; \
2910 double r = tor_parse_double(pb_ ## field, 0.0, 1e9, &ok, NULL); \
2911 if (! ok) { \
2913 #field, pb_ ## field); \
2914 } else { \
2915 guard->pb.field = r; \
2916 } \
2917 } \
2918 } while (0)
2927 #undef PB_FIELD
2932 /* We update everything on this guard later, after we've parsed
2933 * everything. */
2937 err:
2938 // only consider it an error if the guard state was totally unparseable.
2942 done:
2966 }
2968 /**
2969 * Replace the Guards entries in <b>state</b> with a list of all our sampled
2970 * guards.
2971 */
2972 static void
2974 {
2993 }
2995 /**
2996 * Replace our sampled guards from the Guards entries in <b>state</b>. Return 0
2997 * on success, -1 on failure. (If <b>set</b> is true, replace nothing -- only
2998 * check whether replacing would work.)
2999 */
3000 static int
3002 {
3009 /* Wipe all our existing guard info. (we shouldn't have any, but
3010 * let's be safe.) */
3018 }
3025 }
3031 }
3042 }
3043 }
3049 }
3051 }
3053 /** If <b>digest</b> matches the identity of any node in the
3054 * entry_guards list for the provided guard selection state,
3055 return that node. Else return NULL. */
3056 entry_guard_t *
3059 {
3061 }
3063 /** Return the node_t associated with a single entry_guard_t. May
3064 * return NULL if the guard is not currently in the consensus. */
3067 {
3070 }
3072 /** If <b>digest</b> matches the identity of any node in the
3073 * entry_guards list for the default guard selection state,
3074 return that node. Else return NULL. */
3075 entry_guard_t *
3077 {
3080 }
3082 /** We are about to connect to bridge with identity <b>digest</b> to fetch its
3083 * descriptor. Create a new guard state for this connection and return it. */
3084 circuit_guard_state_t *
3086 {
3094 }
3096 /* Update the guard last_tried_to_connect time since it's checked by the
3097 * guard susbsystem. */
3100 /* Create the guard state */
3102 GUARD_CIRC_STATE_USABLE_ON_COMPLETION,
3103 NULL);
3106 }
3108 /** Release all storage held by <b>e</b>. */
3109 STATIC void
3111 {
3120 }
3122 /** Return 0 if we're fine adding arbitrary routers out of the
3123 * directory to our entry guard list, or return 1 if we have a
3124 * list already and we must stick to it.
3125 */
3126 int
3128 {
3129 // XXXX #21425 look at the current selection.
3135 }
3137 /** Return the number of bridges that have descriptors that are marked with
3138 * purpose 'bridge' and are running.
3139 *
3140 * We use this function to decide if we're ready to start building
3141 * circuits through our bridges, or if we need to wait until the
3142 * directory "server/authority" requests finish. */
3145 {
3150 }
3154 }
3167 }
3169 /** Check the pathbias use success count of <b>node</b> and disable it if it
3170 * goes over our thresholds. */
3171 static void
3173 {
3177 /* Note: We rely on the < comparison here to allow us to set a 0
3178 * rate and disable the feature entirely. If refactoring, don't
3179 * change to <= */
3189 }
3190 }
3192 /** Check the pathbias close count of <b>node</b> and disable it if it goes
3193 * over our thresholds. */
3194 static void
3196 {
3200 /* Note: We rely on the < comparison here to allow us to set a 0
3201 * rate and disable the feature entirely. If refactoring, don't
3202 * change to <= */
3212 }
3213 }
3215 /** Parse <b>state</b> and learn about the entry guards it describes.
3216 * If <b>set</b> is true, and there are no errors, replace the guard
3217 * list in the default guard selection context with what we find.
3218 * On success, return 0. On failure, alloc into *<b>msg</b> a string
3219 * describing the error, and return -1.
3220 */
3221 int
3223 {
3231 }
3233 }
3235 }
3237 /** How long will we let a change in our guard nodes stay un-saved
3238 * when we are trying to avoid disk writes? */
3239 #define SLOW_GUARD_STATE_FLUSH_TIME 600
3240 /** How long will we let a change in our guard nodes stay un-saved
3241 * when we are not trying to avoid disk writes? */
3242 #define FAST_GUARD_STATE_FLUSH_TIME 30
3244 /** Our list of entry guards has changed for a particular guard selection
3245 * context, or some element of one of our entry guards has changed for one.
3246 * Write the changes to disk within the next few minutes.
3247 */
3248 void
3250 {
3259 else
3262 /* or_state_save() will call entry_guards_update_state() and
3263 entry_guards_update_guards_in_state()
3264 */
3266 }
3268 /** Our list of entry guards has changed for the default guard selection
3269 * context, or some element of one of our entry guards has changed. Write
3270 * the changes to disk within the next few minutes.
3271 */
3272 void
3274 {
3276 }
3278 /** If the entry guard info has not changed, do nothing and return.
3279 * Otherwise, free the EntryGuards piece of <b>state</b> and create
3280 * a new one out of the global entry_guards list, and then mark
3281 * <b>state</b> dirty so it will get saved to disk.
3282 */
3283 void
3285 {
3288 // Handles all guard info.
3296 }
3298 /**
3299 * Format a single entry guard in the format expected by the controller.
3300 * Return a newly allocated string.
3301 */
3304 {
3311 /* This is going to be a bit tricky, since the status
3312 * codes weren't really intended for prop271 guards.
3313 *
3314 * XXXX use a more appropriate format for exporting this information
3315 */
3328 }
3336 /* e->nickname field is not very reliable if we don't know about
3337 * this router any longer; don't include it. */
3338 }
3346 }
3348 }
3350 /** If <b>question</b> is the string "entry-guards", then dump
3351 * to *<b>answer</b> a newly allocated string describing all of
3352 * the nodes in the global entry_guards list. See control-spec.txt
3353 * for details.
3354 * For backward compatibility, we also handle the string "helper-nodes".
3355 *
3356 * XXX this should be totally redesigned after prop 271 too, and that's
3357 * going to take some control spec work.
3358 * */
3359 int
3363 {
3385 }
3387 }
3389 /* Given the original bandwidth of a guard and its guardfraction,
3390 * calculate how much bandwidth the guard should have as a guard and
3391 * as a non-guard.
3392 *
3393 * Quoting from proposal236:
3394 *
3395 * Let Wpf denote the weight from the 'bandwidth-weights' line a
3396 * client would apply to N for position p if it had the guard
3397 * flag, Wpn the weight if it did not have the guard flag, and B the
3398 * measured bandwidth of N in the consensus. Then instead of choosing
3399 * N for position p proportionally to Wpf*B or Wpn*B, clients should
3400 * choose N proportionally to F*Wpf*B + (1-F)*Wpn*B.
3401 *
3402 * This function fills the <b>guardfraction_bw</b> structure. It sets
3403 * <b>guard_bw</b> to F*B and <b>non_guard_bw</b> to (1-F)*B.
3404 */
3405 void
3409 {
3412 /* Turn the percentage into a fraction. */
3422 }
3424 /** Helper: Update the status of all entry guards, in whatever algorithm
3425 * is used. Return true if we should stop using all previously generated
3426 * circuits, by calling circuit_mark_all_unused_circs() and
3427 * circuit_mark_all_dirty_circs_as_unusable().
3428 */
3429 int
3431 {
3442 }
3444 /** Helper: pick a guard for a circuit, with whatever algorithm is
3445 used. */
3449 {
3454 /* We're building to a targeted exit node, so that node can't be
3455 * chosen as our guard for this circuit. Remember that fact in a
3456 * restriction. */
3459 }
3461 GUARD_USAGE_TRAFFIC,
3462 rst,
3466 }
3468 }
3470 /** Remove all currently listed entry guards for a given guard selection
3471 * context. This frees and replaces <b>gs</b>, so don't use <b>gs</b>
3472 * after calling this function. */
3473 void
3475 {
3476 // This function shouldn't exist. XXXX
3483 });
3487 }
3495 }
3497 /** Remove all currently listed entry guards, so new ones will be chosen.
3498 *
3499 * XXXX This function shouldn't exist -- it's meant to support the DROPGUARDS
3500 * command, which is deprecated.
3501 */
3502 void
3504 {
3506 }
3508 /** Helper: pick a directory guard, with whatever algorithm is used. */
3512 {
3516 /* If we are fetching microdescs, don't query outdated dirservers. */
3519 }
3522 GUARD_USAGE_DIRGUARD,
3523 rst,
3527 }
3529 }
3531 /**
3532 * If we're running with a constrained guard set, then maybe mark our guards
3533 * usable. Return 1 if we do; 0 if we don't.
3534 */
3535 int
3537 {
3544 }
3546 /**
3547 * Check if we are missing any crucial dirinfo for the guard subsystem to
3548 * work. Return NULL if everything went well, otherwise return a newly
3549 * allocated string with an informative error message. In the latter case, use
3550 * the genreal descriptor information <b>using_mds</b>, <b>num_present</b> and
3551 * <b>num_usable</b> to improve the error message. */
3556 {
3565 /* We want to check for the descriptor of at least the first two primary
3566 * guards in our list, since these are the guards that we typically use for
3567 * circuits. */
3569 num_primary_to_check++;
3575 n_considered++;
3577 n_missing_descriptors++;
3582 /* If we are not missing any descriptors, return NULL. */
3585 }
3587 /* otherwise return a helpful error string */
3594 }
3596 /** As guard_selection_have_enough_dir_info_to_build_circuits, but uses
3597 * the default guard selection. */
3601 {
3604 using_mds,
3606 }
3608 /** Free one guard selection context */
3609 STATIC void
3611 {
3621 }
3627 }
3629 /** Release all storage held by the list of entry guards and related
3630 * memory structs. */
3631 void
3633 {
3634 /* Null out the default */
3636 /* Free all the guard contexts */
3643 }
3645 }