1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2010, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
9 * \brief The actual details of building circuits.
12 #define CIRCUIT_PRIVATE
15 #include "circuitbuild.h"
16 #include "circuitlist.h"
17 #include "circuituse.h"
19 #include "connection.h"
20 #include "connection_edge.h"
21 #include "connection_or.h"
23 #include "directory.h"
25 #include "networkstatus.h"
31 #include "routerlist.h"
32 #include "routerparse.h"
38 #define MIN(a,b) ((a)<(b)?(a):(b))
41 #define CBT_BIN_TO_MS(bin) ((bin)*CBT_BIN_WIDTH + (CBT_BIN_WIDTH/2))
43 /********* START VARIABLES **********/
44 /** Global list of circuit build times */
45 // FIXME: Add this as a member for entry_guard_t instead of global?
46 // Then we could do per-guard statistics, as guards are likely to
47 // vary in their own latency. The downside of this is that guards
48 // can change frequently, so we'd be building a lot more circuits
50 circuit_build_times_t circ_times
;
52 /** A global list of all circuits at this hop. */
53 extern circuit_t
*global_circuitlist
;
55 /** An entry_guard_t represents our information about a chosen long-term
56 * first hop, known as a "helper" node in the literature. We can't just
57 * use a routerinfo_t, since we want to remember these even when we
58 * don't have a directory. */
60 char nickname
[MAX_NICKNAME_LEN
+1];
61 char identity
[DIGEST_LEN
];
62 time_t chosen_on_date
; /**< Approximately when was this guard added?
63 * "0" if we don't know. */
64 char *chosen_by_version
; /**< What tor version added this guard? NULL
65 * if we don't know. */
66 unsigned int made_contact
: 1; /**< 0 if we have never connected to this
67 * router, 1 if we have. */
68 unsigned int can_retry
: 1; /**< Should we retry connecting to this entry,
69 * in spite of having it marked as unreachable?*/
70 time_t bad_since
; /**< 0 if this guard is currently usable, or the time at
71 * which it was observed to become (according to the
72 * directory or the user configuration) unusable. */
73 time_t unreachable_since
; /**< 0 if we can connect to this guard, or the
74 * time at which we first noticed we couldn't
76 time_t last_attempted
; /**< 0 if we can connect to this guard, or the time
77 * at which we last failed to connect to it. */
80 /** A list of our chosen entry guards. */
81 static smartlist_t
*entry_guards
= NULL
;
82 /** A value of 1 means that the entry_guards list has changed
83 * and those changes need to be flushed to disk. */
84 static int entry_guards_dirty
= 0;
86 /** If set, we're running the unit tests: we should avoid clobbering
87 * our state file or accessing get_options() or get_or_state() */
88 static int unit_tests
= 0;
90 /********* END VARIABLES ************/
92 static int circuit_deliver_create_cell(circuit_t
*circ
,
93 uint8_t cell_type
, const char *payload
);
94 static int onion_pick_cpath_exit(origin_circuit_t
*circ
, extend_info_t
*exit
);
95 static crypt_path_t
*onion_next_hop_in_cpath(crypt_path_t
*cpath
);
96 static int onion_extend_cpath(origin_circuit_t
*circ
);
97 static int count_acceptable_routers(smartlist_t
*routers
);
98 static int onion_append_hop(crypt_path_t
**head_ptr
, extend_info_t
*choice
);
100 static void entry_guards_changed(void);
103 circuit_build_times_disabled(void)
108 int consensus_disabled
= networkstatus_get_param(NULL
, "cbtdisabled",
110 int config_disabled
= !get_options()->LearnCircuitBuildTimeout
;
111 int dirauth_disabled
= get_options()->AuthoritativeDir
;
112 int state_disabled
= (get_or_state()->LastWritten
== -1);
114 if (consensus_disabled
|| config_disabled
|| dirauth_disabled
||
117 "CircuitBuildTime learning is disabled. "
118 "Consensus=%d, Config=%d, AuthDir=%d, StateFile=%d",
119 consensus_disabled
, config_disabled
, dirauth_disabled
,
129 circuit_build_times_max_timeouts(void)
131 int32_t num
= networkstatus_get_param(NULL
, "cbtmaxtimeouts",
132 CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT
);
137 circuit_build_times_default_num_xm_modes(void)
139 int32_t num
= networkstatus_get_param(NULL
, "cbtnummodes",
140 CBT_DEFAULT_NUM_XM_MODES
);
145 circuit_build_times_min_circs_to_observe(void)
147 int32_t num
= networkstatus_get_param(NULL
, "cbtmincircs",
148 CBT_DEFAULT_MIN_CIRCUITS_TO_OBSERVE
);
153 circuit_build_times_quantile_cutoff(void)
155 int32_t num
= networkstatus_get_param(NULL
, "cbtquantile",
156 CBT_DEFAULT_QUANTILE_CUTOFF
);
161 circuit_build_times_close_quantile(void)
163 int32_t num
= networkstatus_get_param(NULL
, "cbtclosequantile",
164 CBT_DEFAULT_CLOSE_QUANTILE
);
170 circuit_build_times_test_frequency(void)
172 int32_t num
= networkstatus_get_param(NULL
, "cbttestfreq",
173 CBT_DEFAULT_TEST_FREQUENCY
);
178 circuit_build_times_min_timeout(void)
180 int32_t num
= networkstatus_get_param(NULL
, "cbtmintimeout",
181 CBT_DEFAULT_TIMEOUT_MIN_VALUE
);
186 circuit_build_times_initial_timeout(void)
188 int32_t num
= networkstatus_get_param(NULL
, "cbtinitialtimeout",
189 CBT_DEFAULT_TIMEOUT_INITIAL_VALUE
);
194 circuit_build_times_recent_circuit_count(void)
196 int32_t num
= networkstatus_get_param(NULL
, "cbtrecentcount",
197 CBT_DEFAULT_RECENT_CIRCUITS
);
202 * This function is called when we get a consensus update.
204 * It checks to see if we have changed any consensus parameters
205 * that require reallocation or discard of previous stats.
208 circuit_build_times_new_consensus_params(circuit_build_times_t
*cbt
,
211 int32_t num
= networkstatus_get_param(ns
, "cbtrecentcount",
212 CBT_DEFAULT_RECENT_CIRCUITS
);
214 if (num
> 0 && num
!= cbt
->liveness
.num_recent_circs
) {
215 int8_t *recent_circs
;
216 log_notice(LD_CIRC
, "Changing recent timeout size from %d to %d",
217 cbt
->liveness
.num_recent_circs
, num
);
219 tor_assert(cbt
->liveness
.timeouts_after_firsthop
);
222 * Technically this is a circular array that we are reallocating
223 * and memcopying. However, since it only consists of either 1s
224 * or 0s, and is only used in a statistical test to determine when
225 * we should discard our history after a sufficient number of 1's
226 * have been reached, it is fine if order is not preserved or
229 * cbtrecentcount should only be changing in cases of severe network
230 * distress anyway, so memory correctness here is paramount over
231 * doing acrobatics to preserve the array.
233 recent_circs
= tor_malloc_zero(sizeof(int8_t)*num
);
234 memcpy(recent_circs
, cbt
->liveness
.timeouts_after_firsthop
,
235 sizeof(int8_t)*MIN(num
, cbt
->liveness
.num_recent_circs
));
237 // Adjust the index if it needs it.
238 if (num
< cbt
->liveness
.num_recent_circs
) {
239 cbt
->liveness
.after_firsthop_idx
= MIN(num
-1,
240 cbt
->liveness
.after_firsthop_idx
);
243 tor_free(cbt
->liveness
.timeouts_after_firsthop
);
244 cbt
->liveness
.timeouts_after_firsthop
= recent_circs
;
245 cbt
->liveness
.num_recent_circs
= num
;
249 /** Make a note that we're running unit tests (rather than running Tor
250 * itself), so we avoid clobbering our state file. */
252 circuitbuild_running_unit_tests(void)
258 * Return the initial default or configured timeout in milliseconds
261 circuit_build_times_get_initial_timeout(void)
264 if (!unit_tests
&& get_options()->CircuitBuildTimeout
) {
265 timeout
= get_options()->CircuitBuildTimeout
*1000;
266 if (timeout
< circuit_build_times_min_timeout()) {
267 log_warn(LD_CIRC
, "Config CircuitBuildTimeout too low. Setting to %ds",
268 circuit_build_times_min_timeout()/1000);
269 timeout
= circuit_build_times_min_timeout();
272 timeout
= circuit_build_times_initial_timeout();
278 * Reset the build time state.
280 * Leave estimated parameters, timeout and network liveness intact
284 circuit_build_times_reset(circuit_build_times_t
*cbt
)
286 memset(cbt
->circuit_build_times
, 0, sizeof(cbt
->circuit_build_times
));
287 cbt
->total_build_times
= 0;
288 cbt
->build_times_idx
= 0;
289 cbt
->have_computed_timeout
= 0;
293 * Initialize the buildtimes structure for first use.
295 * Sets the initial timeout value based to either the
296 * config setting or BUILD_TIMEOUT_INITIAL_VALUE.
299 circuit_build_times_init(circuit_build_times_t
*cbt
)
301 memset(cbt
, 0, sizeof(*cbt
));
302 cbt
->liveness
.num_recent_circs
= circuit_build_times_recent_circuit_count();
303 cbt
->liveness
.timeouts_after_firsthop
= tor_malloc_zero(sizeof(int8_t)*
304 cbt
->liveness
.num_recent_circs
);
305 cbt
->close_ms
= cbt
->timeout_ms
= circuit_build_times_get_initial_timeout();
306 control_event_buildtimeout_set(cbt
, BUILDTIMEOUT_SET_EVENT_RESET
);
310 * Rewind our build time history by n positions.
313 circuit_build_times_rewind_history(circuit_build_times_t
*cbt
, int n
)
317 cbt
->build_times_idx
-= n
;
318 cbt
->build_times_idx
%= CBT_NCIRCUITS_TO_OBSERVE
;
320 for (i
= 0; i
< n
; i
++) {
321 cbt
->circuit_build_times
[(i
+cbt
->build_times_idx
)
322 %CBT_NCIRCUITS_TO_OBSERVE
]=0;
325 if (cbt
->total_build_times
> n
) {
326 cbt
->total_build_times
-= n
;
328 cbt
->total_build_times
= 0;
332 "Rewound history by %d places. Current index: %d. "
333 "Total: %d", n
, cbt
->build_times_idx
, cbt
->total_build_times
);
337 * Add a new build time value <b>time</b> to the set of build times. Time
338 * units are milliseconds.
340 * circuit_build_times <b>cbt</a> is a circular array, so loop around when
344 circuit_build_times_add_time(circuit_build_times_t
*cbt
, build_time_t time
)
346 if (time
<= 0 || time
> CBT_BUILD_TIME_MAX
) {
347 log_warn(LD_BUG
, "Circuit build time is too large (%u)."
348 "This is probably a bug.", time
);
349 tor_fragile_assert();
353 log_debug(LD_CIRC
, "Adding circuit build time %u", time
);
355 cbt
->circuit_build_times
[cbt
->build_times_idx
] = time
;
356 cbt
->build_times_idx
= (cbt
->build_times_idx
+ 1) % CBT_NCIRCUITS_TO_OBSERVE
;
357 if (cbt
->total_build_times
< CBT_NCIRCUITS_TO_OBSERVE
)
358 cbt
->total_build_times
++;
360 if ((cbt
->total_build_times
% CBT_SAVE_STATE_EVERY
) == 0) {
361 /* Save state every n circuit builds */
362 if (!unit_tests
&& !get_options()->AvoidDiskWrites
)
363 or_state_mark_dirty(get_or_state(), 0);
370 * Return maximum circuit build time
373 circuit_build_times_max(circuit_build_times_t
*cbt
)
376 build_time_t max_build_time
= 0;
377 for (i
= 0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
378 if (cbt
->circuit_build_times
[i
] > max_build_time
379 && cbt
->circuit_build_times
[i
] != CBT_BUILD_ABANDONED
)
380 max_build_time
= cbt
->circuit_build_times
[i
];
382 return max_build_time
;
386 /** Return minimum circuit build time */
388 circuit_build_times_min(circuit_build_times_t
*cbt
)
391 build_time_t min_build_time
= CBT_BUILD_TIME_MAX
;
392 for (i
= 0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
393 if (cbt
->circuit_build_times
[i
] && /* 0 <-> uninitialized */
394 cbt
->circuit_build_times
[i
] < min_build_time
)
395 min_build_time
= cbt
->circuit_build_times
[i
];
397 if (min_build_time
== CBT_BUILD_TIME_MAX
) {
398 log_warn(LD_CIRC
, "No build times less than CBT_BUILD_TIME_MAX!");
400 return min_build_time
;
405 * Calculate and return a histogram for the set of build times.
407 * Returns an allocated array of histrogram bins representing
408 * the frequency of index*CBT_BIN_WIDTH millisecond
409 * build times. Also outputs the number of bins in nbins.
411 * The return value must be freed by the caller.
414 circuit_build_times_create_histogram(circuit_build_times_t
*cbt
,
418 build_time_t max_build_time
= circuit_build_times_max(cbt
);
421 *nbins
= 1 + (max_build_time
/ CBT_BIN_WIDTH
);
422 histogram
= tor_malloc_zero(*nbins
* sizeof(build_time_t
));
424 // calculate histogram
425 for (i
= 0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
426 if (cbt
->circuit_build_times
[i
] == 0
427 || cbt
->circuit_build_times
[i
] == CBT_BUILD_ABANDONED
)
428 continue; /* 0 <-> uninitialized */
430 c
= (cbt
->circuit_build_times
[i
] / CBT_BIN_WIDTH
);
438 * Return the Pareto start-of-curve parameter Xm.
440 * Because we are not a true Pareto curve, we compute this as the
441 * weighted average of the N=3 most frequent build time bins.
444 circuit_build_times_get_xm(circuit_build_times_t
*cbt
)
446 build_time_t i
, nbins
;
447 build_time_t
*nth_max_bin
;
448 int32_t bin_counts
=0;
449 build_time_t ret
= 0;
450 uint32_t *histogram
= circuit_build_times_create_histogram(cbt
, &nbins
);
452 int num_modes
= circuit_build_times_default_num_xm_modes();
454 // Only use one mode if < 1000 buildtimes. Not enough data
456 if (cbt
->total_build_times
< CBT_NCIRCUITS_TO_OBSERVE
)
459 nth_max_bin
= (build_time_t
*)tor_malloc_zero(num_modes
*sizeof(build_time_t
));
461 for (i
= 0; i
< nbins
; i
++) {
462 if (histogram
[i
] >= histogram
[nth_max_bin
[0]]) {
466 for (n
= 1; n
< num_modes
; n
++) {
467 if (histogram
[i
] >= histogram
[nth_max_bin
[n
]] &&
468 (!histogram
[nth_max_bin
[n
-1]]
469 || histogram
[i
] < histogram
[nth_max_bin
[n
-1]])) {
475 for (n
= 0; n
< num_modes
; n
++) {
476 bin_counts
+= histogram
[nth_max_bin
[n
]];
477 ret
+= CBT_BIN_TO_MS(nth_max_bin
[n
])*histogram
[nth_max_bin
[n
]];
478 log_info(LD_CIRC
, "Xm mode #%d: %u %u", n
, CBT_BIN_TO_MS(nth_max_bin
[n
]),
479 histogram
[nth_max_bin
[n
]]);
484 tor_free(nth_max_bin
);
490 * Output a histogram of current circuit build times to
491 * the or_state_t state structure.
494 circuit_build_times_update_state(circuit_build_times_t
*cbt
,
499 build_time_t nbins
= 0;
500 config_line_t
**next
, *line
;
502 histogram
= circuit_build_times_create_histogram(cbt
, &nbins
);
504 config_free_lines(state
->BuildtimeHistogram
);
505 next
= &state
->BuildtimeHistogram
;
508 state
->TotalBuildTimes
= cbt
->total_build_times
;
509 state
->CircuitBuildAbandonedCount
= 0;
511 for (i
= 0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
512 if (cbt
->circuit_build_times
[i
] == CBT_BUILD_ABANDONED
)
513 state
->CircuitBuildAbandonedCount
++;
516 for (i
= 0; i
< nbins
; i
++) {
517 // compress the histogram by skipping the blanks
518 if (histogram
[i
] == 0) continue;
519 *next
= line
= tor_malloc_zero(sizeof(config_line_t
));
520 line
->key
= tor_strdup("CircuitBuildTimeBin");
521 line
->value
= tor_malloc(25);
522 tor_snprintf(line
->value
, 25, "%d %d",
523 CBT_BIN_TO_MS(i
), histogram
[i
]);
524 next
= &(line
->next
);
528 if (!get_options()->AvoidDiskWrites
)
529 or_state_mark_dirty(get_or_state(), 0);
536 * Shuffle the build times array.
538 * Stolen from http://en.wikipedia.org/wiki/Fisher\u2013Yates_shuffle
541 circuit_build_times_shuffle_and_store_array(circuit_build_times_t
*cbt
,
542 build_time_t
*raw_times
,
546 if (num_times
> CBT_NCIRCUITS_TO_OBSERVE
) {
547 log_notice(LD_CIRC
, "Decreasing circuit_build_times size from %d to %d",
548 num_times
, CBT_NCIRCUITS_TO_OBSERVE
);
551 /* This code can only be run on a compact array */
553 int k
= crypto_rand_int(n
+ 1); /* 0 <= k <= n. */
554 build_time_t tmp
= raw_times
[k
];
555 raw_times
[k
] = raw_times
[n
];
559 /* Since the times are now shuffled, take a random CBT_NCIRCUITS_TO_OBSERVE
560 * subset (ie the first CBT_NCIRCUITS_TO_OBSERVE values) */
561 for (n
= 0; n
< MIN(num_times
, CBT_NCIRCUITS_TO_OBSERVE
); n
++) {
562 circuit_build_times_add_time(cbt
, raw_times
[n
]);
567 * Filter old synthetic timeouts that were created before the
568 * new right-censored Pareto calculation was deployed.
570 * Once all clients before 0.2.1.13-alpha are gone, this code
574 circuit_build_times_filter_timeouts(circuit_build_times_t
*cbt
)
576 int num_filtered
=0, i
=0;
577 double timeout_rate
= 0;
578 build_time_t max_timeout
= 0;
580 timeout_rate
= circuit_build_times_timeout_rate(cbt
);
581 max_timeout
= (build_time_t
)cbt
->close_ms
;
583 for (i
= 0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
584 if (cbt
->circuit_build_times
[i
] > max_timeout
) {
585 build_time_t replaced
= cbt
->circuit_build_times
[i
];
587 cbt
->circuit_build_times
[i
] = CBT_BUILD_ABANDONED
;
589 log_debug(LD_CIRC
, "Replaced timeout %d with %d", replaced
,
590 cbt
->circuit_build_times
[i
]);
595 "We had %d timeouts out of %d build times, "
596 "and filtered %d above the max of %u",
597 (int)(cbt
->total_build_times
*timeout_rate
),
598 cbt
->total_build_times
, num_filtered
, max_timeout
);
604 * Load histogram from <b>state</b>, shuffling the resulting array
605 * after we do so. Use this result to estimate parameters and
606 * calculate the timeout.
608 * Return -1 on error.
611 circuit_build_times_parse_state(circuit_build_times_t
*cbt
,
615 uint32_t loaded_cnt
= 0, N
= 0;
618 build_time_t
*loaded_times
;
620 circuit_build_times_init(cbt
);
622 if (circuit_build_times_disabled()) {
626 /* build_time_t 0 means uninitialized */
627 loaded_times
= tor_malloc_zero(sizeof(build_time_t
)*state
->TotalBuildTimes
);
629 for (line
= state
->BuildtimeHistogram
; line
; line
= line
->next
) {
630 smartlist_t
*args
= smartlist_create();
631 smartlist_split_string(args
, line
->value
, " ",
632 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, 0);
633 if (smartlist_len(args
) < 2) {
634 log_warn(LD_GENERAL
, "Unable to parse circuit build times: "
635 "Too few arguments to CircuitBuildTime");
637 SMARTLIST_FOREACH(args
, char*, cp
, tor_free(cp
));
638 smartlist_free(args
);
641 const char *ms_str
= smartlist_get(args
,0);
642 const char *count_str
= smartlist_get(args
,1);
646 ms
= (build_time_t
)tor_parse_ulong(ms_str
, 0, 0,
647 CBT_BUILD_TIME_MAX
, &ok
, NULL
);
649 log_warn(LD_GENERAL
, "Unable to parse circuit build times: "
650 "Unparsable bin number");
652 SMARTLIST_FOREACH(args
, char*, cp
, tor_free(cp
));
653 smartlist_free(args
);
656 count
= (uint32_t)tor_parse_ulong(count_str
, 0, 0,
657 UINT32_MAX
, &ok
, NULL
);
659 log_warn(LD_GENERAL
, "Unable to parse circuit build times: "
660 "Unparsable bin count");
662 SMARTLIST_FOREACH(args
, char*, cp
, tor_free(cp
));
663 smartlist_free(args
);
667 if (loaded_cnt
+count
+state
->CircuitBuildAbandonedCount
668 > state
->TotalBuildTimes
) {
670 "Too many build times in state file. "
671 "Stopping short before %d",
673 SMARTLIST_FOREACH(args
, char*, cp
, tor_free(cp
));
674 smartlist_free(args
);
678 for (k
= 0; k
< count
; k
++) {
679 loaded_times
[loaded_cnt
++] = ms
;
682 SMARTLIST_FOREACH(args
, char*, cp
, tor_free(cp
));
683 smartlist_free(args
);
688 "Adding %d timeouts.", state
->CircuitBuildAbandonedCount
);
689 for (i
=0; i
< state
->CircuitBuildAbandonedCount
; i
++) {
690 loaded_times
[loaded_cnt
++] = CBT_BUILD_ABANDONED
;
693 if (loaded_cnt
!= state
->TotalBuildTimes
) {
695 "Corrupt state file? Build times count mismatch. "
696 "Read %d times, but file says %d", loaded_cnt
,
697 state
->TotalBuildTimes
);
699 circuit_build_times_reset(cbt
);
703 circuit_build_times_shuffle_and_store_array(cbt
, loaded_times
, loaded_cnt
);
705 /* Verify that we didn't overwrite any indexes */
706 for (i
=0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
707 if (!cbt
->circuit_build_times
[i
])
712 "Loaded %d/%d values from %d lines in circuit time histogram",
713 tot_values
, cbt
->total_build_times
, N
);
715 if (cbt
->total_build_times
!= tot_values
716 || cbt
->total_build_times
> CBT_NCIRCUITS_TO_OBSERVE
) {
718 "Corrupt state file? Shuffled build times mismatch. "
719 "Read %d times, but file says %d", tot_values
,
720 state
->TotalBuildTimes
);
722 circuit_build_times_reset(cbt
);
726 circuit_build_times_set_timeout(cbt
);
728 if (!state
->CircuitBuildAbandonedCount
&& cbt
->total_build_times
) {
729 circuit_build_times_filter_timeouts(cbt
);
733 tor_free(loaded_times
);
738 * Estimates the Xm and Alpha parameters using
739 * http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation
741 * The notable difference is that we use mode instead of min to estimate Xm.
742 * This is because our distribution is frechet-like. We claim this is
743 * an acceptable approximation because we are only concerned with the
744 * accuracy of the CDF of the tail.
747 circuit_build_times_update_alpha(circuit_build_times_t
*cbt
)
749 build_time_t
*x
=cbt
->circuit_build_times
;
751 int n
=0,i
=0,abandoned_count
=0;
752 build_time_t max_time
=0;
754 /* http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation */
755 /* We sort of cheat here and make our samples slightly more pareto-like
756 * and less frechet-like. */
757 cbt
->Xm
= circuit_build_times_get_xm(cbt
);
759 tor_assert(cbt
->Xm
> 0);
761 for (i
=0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
766 if (x
[i
] < cbt
->Xm
) {
767 a
+= tor_mathlog(cbt
->Xm
);
768 } else if (x
[i
] == CBT_BUILD_ABANDONED
) {
771 a
+= tor_mathlog(x
[i
]);
779 * We are erring and asserting here because this can only happen
780 * in codepaths other than startup. The startup state parsing code
781 * performs this same check, and resets state if it hits it. If we
782 * hit it at runtime, something serious has gone wrong.
784 if (n
!=cbt
->total_build_times
) {
785 log_err(LD_CIRC
, "Discrepancy in build times count: %d vs %d", n
,
786 cbt
->total_build_times
);
788 tor_assert(n
==cbt
->total_build_times
);
791 /* This can happen if Xm is actually the *maximum* value in the set.
792 * It can also happen if we've abandoned every single circuit somehow.
793 * In either case, tell the caller not to compute a new build timeout. */
795 "Could not determine largest build time (%d). "
796 "Xm is %dms and we've abandoned %d out of %d circuits.", max_time
,
797 cbt
->Xm
, abandoned_count
, n
);
801 a
+= abandoned_count
*tor_mathlog(max_time
);
803 a
-= n
*tor_mathlog(cbt
->Xm
);
804 // Estimator comes from Eq #4 in:
805 // "Bayesian estimation based on trimmed samples from Pareto populations"
806 // by Arturo J. Fernández. We are right-censored only.
807 a
= (n
-abandoned_count
)/a
;
815 * This is the Pareto Quantile Function. It calculates the point x
816 * in the distribution such that F(x) = quantile (ie quantile*100%
817 * of the mass of the density function is below x on the curve).
819 * We use it to calculate the timeout and also to generate synthetic
820 * values of time for circuits that timeout before completion.
822 * See http://en.wikipedia.org/wiki/Quantile_function,
823 * http://en.wikipedia.org/wiki/Inverse_transform_sampling and
824 * http://en.wikipedia.org/wiki/Pareto_distribution#Generating_a_
825 * random_sample_from_Pareto_distribution
826 * That's right. I'll cite wikipedia all day long.
828 * Return value is in milliseconds.
831 circuit_build_times_calculate_timeout(circuit_build_times_t
*cbt
,
835 tor_assert(quantile
>= 0);
836 tor_assert(1.0-quantile
> 0);
837 tor_assert(cbt
->Xm
> 0);
839 ret
= cbt
->Xm
/pow(1.0-quantile
,1.0/cbt
->alpha
);
840 if (ret
> INT32_MAX
) {
849 circuit_build_times_cdf(circuit_build_times_t
*cbt
, double x
)
852 tor_assert(cbt
->Xm
> 0);
853 ret
= 1.0-pow(cbt
->Xm
/x
,cbt
->alpha
);
854 tor_assert(0 <= ret
&& ret
<= 1.0);
859 * Generate a synthetic time using our distribution parameters.
861 * The return value will be within the [q_lo, q_hi) quantile points
865 circuit_build_times_generate_sample(circuit_build_times_t
*cbt
,
866 double q_lo
, double q_hi
)
868 double randval
= crypto_rand_double();
872 /* Generate between [q_lo, q_hi) */
873 /*XXXX This is what nextafter is supposed to be for; we should use it on the
874 * platforms that support it. */
875 q_hi
-= 1.0/(INT32_MAX
);
877 tor_assert(q_lo
>= 0);
878 tor_assert(q_hi
< 1);
879 tor_assert(q_lo
< q_hi
);
881 u
= q_lo
+ (q_hi
-q_lo
)*randval
;
883 tor_assert(0 <= u
&& u
< 1.0);
884 /* circuit_build_times_calculate_timeout returns <= INT32_MAX */
886 tor_lround(circuit_build_times_calculate_timeout(cbt
, u
));
892 * Estimate an initial alpha parameter by solving the quantile
893 * function with a quantile point and a specific timeout value.
896 circuit_build_times_initial_alpha(circuit_build_times_t
*cbt
,
897 double quantile
, double timeout_ms
)
899 // Q(u) = Xm/((1-u)^(1/a))
900 // Q(0.8) = Xm/((1-0.8))^(1/a)) = CircBuildTimeout
901 // CircBuildTimeout = Xm/((1-0.8))^(1/a))
902 // CircBuildTimeout = Xm*((1-0.8))^(-1/a))
903 // ln(CircBuildTimeout) = ln(Xm)+ln(((1-0.8)))*(-1/a)
904 // -ln(1-0.8)/(ln(CircBuildTimeout)-ln(Xm))=a
905 tor_assert(quantile
>= 0);
906 tor_assert(cbt
->Xm
> 0);
907 cbt
->alpha
= tor_mathlog(1.0-quantile
)/
908 (tor_mathlog(cbt
->Xm
)-tor_mathlog(timeout_ms
));
909 tor_assert(cbt
->alpha
> 0);
913 * Returns true if we need circuits to be built
916 circuit_build_times_needs_circuits(circuit_build_times_t
*cbt
)
918 /* Return true if < MIN_CIRCUITS_TO_OBSERVE */
919 if (cbt
->total_build_times
< circuit_build_times_min_circs_to_observe())
925 * Returns true if we should build a timeout test circuit
929 circuit_build_times_needs_circuits_now(circuit_build_times_t
*cbt
)
931 return circuit_build_times_needs_circuits(cbt
) &&
932 approx_time()-cbt
->last_circ_at
> circuit_build_times_test_frequency();
936 * Called to indicate that the network showed some signs of liveness.
938 * This function is called every time we receive a cell. Avoid
939 * syscalls, events, and other high-intensity work.
942 circuit_build_times_network_is_live(circuit_build_times_t
*cbt
)
944 cbt
->liveness
.network_last_live
= approx_time();
945 cbt
->liveness
.nonlive_discarded
= 0;
946 cbt
->liveness
.nonlive_timeouts
= 0;
950 * Called to indicate that we completed a circuit. Because this circuit
951 * succeeded, it doesn't count as a timeout-after-the-first-hop.
954 circuit_build_times_network_circ_success(circuit_build_times_t
*cbt
)
956 cbt
->liveness
.timeouts_after_firsthop
[cbt
->liveness
.after_firsthop_idx
] = 0;
957 cbt
->liveness
.after_firsthop_idx
++;
958 cbt
->liveness
.after_firsthop_idx
%= cbt
->liveness
.num_recent_circs
;
962 * A circuit just timed out. If it failed after the first hop, record it
963 * in our history for later deciding if the network speed has changed.
966 circuit_build_times_network_timeout(circuit_build_times_t
*cbt
,
970 cbt
->liveness
.timeouts_after_firsthop
[cbt
->liveness
.after_firsthop_idx
]=1;
971 cbt
->liveness
.after_firsthop_idx
++;
972 cbt
->liveness
.after_firsthop_idx
%= cbt
->liveness
.num_recent_circs
;
977 * A circuit was just forcibly closed. If there has been no recent network
978 * activity at all, but this circuit was launched back when we thought the
979 * network was live, increment the number of "nonlive" circuit timeouts.
982 circuit_build_times_network_close(circuit_build_times_t
*cbt
,
983 int did_onehop
, time_t start_time
)
985 time_t now
= time(NULL
);
987 * Check if this is a timeout that was for a circuit that spent its
988 * entire existence during a time where we have had no network activity.
990 * Also double check that it is a valid timeout after we have possibly
991 * just recently reset cbt->close_ms.
993 * We use close_ms here because timeouts aren't actually counted as timeouts
994 * until close_ms elapses.
996 if (cbt
->liveness
.network_last_live
<= start_time
&&
997 start_time
<= (now
- cbt
->close_ms
/1000.0)) {
999 char last_live_buf
[ISO_TIME_LEN
+1];
1000 char start_time_buf
[ISO_TIME_LEN
+1];
1001 char now_buf
[ISO_TIME_LEN
+1];
1002 format_local_iso_time(last_live_buf
, cbt
->liveness
.network_last_live
);
1003 format_local_iso_time(start_time_buf
, start_time
);
1004 format_local_iso_time(now_buf
, now
);
1006 "Circuit somehow completed a hop while the network was "
1007 "not live. Network was last live at %s, but circuit launched "
1008 "at %s. It's now %s.", last_live_buf
, start_time_buf
,
1011 cbt
->liveness
.nonlive_timeouts
++;
1016 * Returns false if the network has not received a cell or tls handshake
1017 * in the past NETWORK_NOTLIVE_TIMEOUT_COUNT circuits.
1019 * Also has the side effect of rewinding the circuit time history
1020 * in the case of recent liveness changes.
1023 circuit_build_times_network_check_live(circuit_build_times_t
*cbt
)
1025 time_t now
= approx_time();
1026 if (cbt
->liveness
.nonlive_timeouts
>= CBT_NETWORK_NONLIVE_DISCARD_COUNT
) {
1027 if (!cbt
->liveness
.nonlive_discarded
) {
1028 cbt
->liveness
.nonlive_discarded
= 1;
1029 log_notice(LD_CIRC
, "Network is no longer live (too many recent "
1030 "circuit timeouts). Dead for %ld seconds.",
1031 (long int)(now
- cbt
->liveness
.network_last_live
));
1032 /* Only discard NETWORK_NONLIVE_TIMEOUT_COUNT-1 because we stopped
1033 * counting after that */
1034 circuit_build_times_rewind_history(cbt
,
1035 CBT_NETWORK_NONLIVE_TIMEOUT_COUNT
-1);
1036 control_event_buildtimeout_set(cbt
, BUILDTIMEOUT_SET_EVENT_DISCARD
);
1039 } else if (cbt
->liveness
.nonlive_timeouts
>=
1040 CBT_NETWORK_NONLIVE_TIMEOUT_COUNT
) {
1041 if (cbt
->timeout_ms
< circuit_build_times_get_initial_timeout()) {
1043 "Network is flaky. No activity for %ld seconds. "
1044 "Temporarily raising timeout to %lds.",
1045 (long int)(now
- cbt
->liveness
.network_last_live
),
1046 tor_lround(circuit_build_times_get_initial_timeout()/1000));
1047 cbt
->liveness
.suspended_timeout
= cbt
->timeout_ms
;
1048 cbt
->liveness
.suspended_close_timeout
= cbt
->close_ms
;
1049 cbt
->close_ms
= cbt
->timeout_ms
1050 = circuit_build_times_get_initial_timeout();
1051 control_event_buildtimeout_set(cbt
, BUILDTIMEOUT_SET_EVENT_SUSPENDED
);
1055 } else if (cbt
->liveness
.suspended_timeout
> 0) {
1057 "Network activity has resumed. "
1058 "Resuming circuit timeout calculations.");
1059 cbt
->timeout_ms
= cbt
->liveness
.suspended_timeout
;
1060 cbt
->close_ms
= cbt
->liveness
.suspended_close_timeout
;
1061 cbt
->liveness
.suspended_timeout
= 0;
1062 cbt
->liveness
.suspended_close_timeout
= 0;
1063 control_event_buildtimeout_set(cbt
, BUILDTIMEOUT_SET_EVENT_RESUME
);
1070 * Returns true if we have seen more than MAX_RECENT_TIMEOUT_COUNT of
1071 * the past RECENT_CIRCUITS time out after the first hop. Used to detect
1072 * if the network connection has changed significantly.
1074 * Also resets the entire timeout history in this case and causes us
1075 * to restart the process of building test circuits and estimating a
1079 circuit_build_times_network_check_changed(circuit_build_times_t
*cbt
)
1081 int total_build_times
= cbt
->total_build_times
;
1082 int timeout_count
=0;
1085 /* how many of our recent circuits made it to the first hop but then
1087 for (i
= 0; i
< cbt
->liveness
.num_recent_circs
; i
++) {
1088 timeout_count
+= cbt
->liveness
.timeouts_after_firsthop
[i
];
1091 /* If 80% of our recent circuits are timing out after the first hop,
1092 * we need to re-estimate a new initial alpha and timeout. */
1093 if (timeout_count
< circuit_build_times_max_timeouts()) {
1097 circuit_build_times_reset(cbt
);
1098 memset(cbt
->liveness
.timeouts_after_firsthop
, 0,
1099 sizeof(*cbt
->liveness
.timeouts_after_firsthop
)*
1100 cbt
->liveness
.num_recent_circs
);
1101 cbt
->liveness
.after_firsthop_idx
= 0;
1103 /* Check to see if this has happened before. If so, double the timeout
1104 * to give people on abysmally bad network connections a shot at access */
1105 if (cbt
->timeout_ms
>= circuit_build_times_get_initial_timeout()) {
1106 if (cbt
->timeout_ms
> INT32_MAX
/2 || cbt
->close_ms
> INT32_MAX
/2) {
1107 log_warn(LD_CIRC
, "Insanely large circuit build timeout value. "
1108 "(timeout = %lfmsec, close = %lfmsec)",
1109 cbt
->timeout_ms
, cbt
->close_ms
);
1111 cbt
->timeout_ms
*= 2;
1115 cbt
->close_ms
= cbt
->timeout_ms
1116 = circuit_build_times_get_initial_timeout();
1119 control_event_buildtimeout_set(cbt
, BUILDTIMEOUT_SET_EVENT_RESET
);
1122 "Network connection speed appears to have changed. Resetting "
1123 "timeout to %lds after %d timeouts and %d buildtimes.",
1124 tor_lround(cbt
->timeout_ms
/1000), timeout_count
,
1131 * Count the number of timeouts in a set of cbt data.
1134 circuit_build_times_timeout_rate(const circuit_build_times_t
*cbt
)
1137 for (i
= 0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
1138 if (cbt
->circuit_build_times
[i
] >= cbt
->timeout_ms
) {
1143 if (!cbt
->total_build_times
)
1146 return ((double)timeouts
)/cbt
->total_build_times
;
1150 * Count the number of closed circuits in a set of cbt data.
1153 circuit_build_times_close_rate(const circuit_build_times_t
*cbt
)
1156 for (i
= 0; i
< CBT_NCIRCUITS_TO_OBSERVE
; i
++) {
1157 if (cbt
->circuit_build_times
[i
] == CBT_BUILD_ABANDONED
) {
1162 if (!cbt
->total_build_times
)
1165 return ((double)closed
)/cbt
->total_build_times
;
1169 * Store a timeout as a synthetic value.
1171 * Returns true if the store was successful and we should possibly
1172 * update our timeout estimate.
1175 circuit_build_times_count_close(circuit_build_times_t
*cbt
,
1179 if (circuit_build_times_disabled()) {
1180 cbt
->close_ms
= cbt
->timeout_ms
1181 = circuit_build_times_get_initial_timeout();
1185 /* Record this force-close to help determine if the network is dead */
1186 circuit_build_times_network_close(cbt
, did_onehop
, start_time
);
1188 /* Only count timeouts if network is live.. */
1189 if (!circuit_build_times_network_check_live(cbt
)) {
1193 circuit_build_times_add_time(cbt
, CBT_BUILD_ABANDONED
);
1198 * Update timeout counts to determine if we need to expire
1199 * our build time history due to excessive timeouts.
1202 circuit_build_times_count_timeout(circuit_build_times_t
*cbt
,
1205 if (circuit_build_times_disabled()) {
1206 cbt
->close_ms
= cbt
->timeout_ms
1207 = circuit_build_times_get_initial_timeout();
1211 circuit_build_times_network_timeout(cbt
, did_onehop
);
1213 /* If there are a ton of timeouts, we should reset
1214 * the circuit build timeout.
1216 circuit_build_times_network_check_changed(cbt
);
1220 * Estimate a new timeout based on history and set our timeout
1221 * variable accordingly.
1224 circuit_build_times_set_timeout_worker(circuit_build_times_t
*cbt
)
1226 if (cbt
->total_build_times
< circuit_build_times_min_circs_to_observe()) {
1230 if (!circuit_build_times_update_alpha(cbt
))
1233 cbt
->timeout_ms
= circuit_build_times_calculate_timeout(cbt
,
1234 circuit_build_times_quantile_cutoff());
1236 cbt
->close_ms
= circuit_build_times_calculate_timeout(cbt
,
1237 circuit_build_times_close_quantile());
1239 /* Sometimes really fast guard nodes give us such a steep curve
1240 * that this ends up being not that much greater than timeout_ms.
1241 * Make it be at least 1 min to handle this case. */
1242 cbt
->close_ms
= MAX(cbt
->close_ms
, circuit_build_times_initial_timeout());
1244 cbt
->have_computed_timeout
= 1;
1249 * Exposed function to compute a new timeout. Dispatches events and
1250 * also filters out extremely high timeout values.
1253 circuit_build_times_set_timeout(circuit_build_times_t
*cbt
)
1255 long prev_timeout
= tor_lround(cbt
->timeout_ms
/1000);
1256 double timeout_rate
;
1258 if (!circuit_build_times_set_timeout_worker(cbt
))
1261 if (cbt
->timeout_ms
< circuit_build_times_min_timeout()) {
1262 log_warn(LD_CIRC
, "Set buildtimeout to low value %lfms. Setting to %dms",
1263 cbt
->timeout_ms
, circuit_build_times_min_timeout());
1264 cbt
->timeout_ms
= circuit_build_times_min_timeout();
1265 if (cbt
->close_ms
< cbt
->timeout_ms
) {
1266 /* This shouldn't happen because of MAX() in timeout_worker above,
1267 * but doing it just in case */
1268 cbt
->close_ms
= circuit_build_times_initial_timeout();
1272 control_event_buildtimeout_set(cbt
, BUILDTIMEOUT_SET_EVENT_COMPUTED
);
1274 timeout_rate
= circuit_build_times_timeout_rate(cbt
);
1276 if (prev_timeout
> tor_lround(cbt
->timeout_ms
/1000)) {
1278 "Based on %d circuit times, it looks like we don't need to "
1279 "wait so long for circuits to finish. We will now assume a "
1280 "circuit is too slow to use after waiting %ld seconds.",
1281 cbt
->total_build_times
,
1282 tor_lround(cbt
->timeout_ms
/1000));
1284 "Circuit timeout data: %lfms, %lfms, Xm: %d, a: %lf, r: %lf",
1285 cbt
->timeout_ms
, cbt
->close_ms
, cbt
->Xm
, cbt
->alpha
,
1287 } else if (prev_timeout
< tor_lround(cbt
->timeout_ms
/1000)) {
1289 "Based on %d circuit times, it looks like we need to wait "
1290 "longer for circuits to finish. We will now assume a "
1291 "circuit is too slow to use after waiting %ld seconds.",
1292 cbt
->total_build_times
,
1293 tor_lround(cbt
->timeout_ms
/1000));
1295 "Circuit timeout data: %lfms, %lfms, Xm: %d, a: %lf, r: %lf",
1296 cbt
->timeout_ms
, cbt
->close_ms
, cbt
->Xm
, cbt
->alpha
,
1300 "Set circuit build timeout to %lds (%lfms, %lfms, Xm: %d, a: %lf,"
1301 " r: %lf) based on %d circuit times",
1302 tor_lround(cbt
->timeout_ms
/1000),
1303 cbt
->timeout_ms
, cbt
->close_ms
, cbt
->Xm
, cbt
->alpha
, timeout_rate
,
1304 cbt
->total_build_times
);
1308 /** Iterate over values of circ_id, starting from conn-\>next_circ_id,
1309 * and with the high bit specified by conn-\>circ_id_type, until we get
1310 * a circ_id that is not in use by any other circuit on that conn.
1312 * Return it, or 0 if can't get a unique circ_id.
1315 get_unique_circ_id_by_conn(or_connection_t
*conn
)
1317 circid_t test_circ_id
;
1318 circid_t attempts
=0;
1322 if (conn
->circ_id_type
== CIRC_ID_TYPE_NEITHER
) {
1323 log_warn(LD_BUG
, "Trying to pick a circuit ID for a connection from "
1324 "a client with no identity.");
1327 high_bit
= (conn
->circ_id_type
== CIRC_ID_TYPE_HIGHER
) ? 1<<15 : 0;
1329 /* Sequentially iterate over test_circ_id=1...1<<15-1 until we find a
1330 * circID such that (high_bit|test_circ_id) is not already used. */
1331 test_circ_id
= conn
->next_circ_id
++;
1332 if (test_circ_id
== 0 || test_circ_id
>= 1<<15) {
1334 conn
->next_circ_id
= 2;
1336 if (++attempts
> 1<<15) {
1337 /* Make sure we don't loop forever if all circ_id's are used. This
1338 * matters because it's an external DoS opportunity.
1340 log_warn(LD_CIRC
,"No unused circ IDs. Failing.");
1343 test_circ_id
|= high_bit
;
1344 } while (circuit_id_in_use_on_orconn(test_circ_id
, conn
));
1345 return test_circ_id
;
1348 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
1349 * the currently built elements of circuit_t. If <b>verbose</b> is true, also
1350 * list information about link status in a more verbose format using spaces.
1351 * If <b>verbose_names</b> is false, give nicknames for Named routers and hex
1352 * digests for others; if <b>verbose_names</b> is true, use $DIGEST=Name style
1356 circuit_list_path_impl(origin_circuit_t
*circ
, int verbose
, int verbose_names
)
1359 smartlist_t
*elements
;
1360 const char *states
[] = {"closed", "waiting for keys", "open"};
1363 elements
= smartlist_create();
1366 const char *nickname
= build_state_get_exit_nickname(circ
->build_state
);
1368 tor_asprintf(&cp
, "%s%s circ (length %d%s%s):",
1369 circ
->build_state
->is_internal
? "internal" : "exit",
1370 circ
->build_state
->need_uptime
? " (high-uptime)" : "",
1371 circ
->build_state
->desired_path_len
,
1372 circ
->_base
.state
== CIRCUIT_STATE_OPEN
? "" : ", exit ",
1373 circ
->_base
.state
== CIRCUIT_STATE_OPEN
? "" :
1374 (nickname
?nickname
:"*unnamed*"));
1375 smartlist_add(elements
, cp
);
1386 if (!verbose
&& hop
->state
!= CPATH_STATE_OPEN
)
1388 if (!hop
->extend_info
)
1390 id
= hop
->extend_info
->identity_digest
;
1391 if (verbose_names
) {
1392 elt
= tor_malloc(MAX_VERBOSE_NICKNAME_LEN
+1);
1393 if ((ri
= router_get_by_digest(id
))) {
1394 router_get_verbose_nickname(elt
, ri
);
1395 } else if ((rs
= router_get_consensus_status_by_id(id
))) {
1396 routerstatus_get_verbose_nickname(elt
, rs
);
1397 } else if (is_legal_nickname(hop
->extend_info
->nickname
)) {
1399 base16_encode(elt
+1, HEX_DIGEST_LEN
+1, id
, DIGEST_LEN
);
1400 elt
[HEX_DIGEST_LEN
+1]= '~';
1401 strlcpy(elt
+HEX_DIGEST_LEN
+2,
1402 hop
->extend_info
->nickname
, MAX_NICKNAME_LEN
+1);
1405 base16_encode(elt
+1, HEX_DIGEST_LEN
+1, id
, DIGEST_LEN
);
1407 } else { /* ! verbose_names */
1408 if ((ri
= router_get_by_digest(id
)) &&
1410 elt
= tor_strdup(hop
->extend_info
->nickname
);
1412 elt
= tor_malloc(HEX_DIGEST_LEN
+2);
1414 base16_encode(elt
+1, HEX_DIGEST_LEN
+1, id
, DIGEST_LEN
);
1419 size_t len
= strlen(elt
)+2+strlen(states
[hop
->state
])+1;
1420 char *v
= tor_malloc(len
);
1421 tor_assert(hop
->state
<= 2);
1422 tor_snprintf(v
,len
,"%s(%s)",elt
,states
[hop
->state
]);
1423 smartlist_add(elements
, v
);
1426 smartlist_add(elements
, elt
);
1429 } while (hop
!= circ
->cpath
);
1431 s
= smartlist_join_strings(elements
, verbose
?" ":",", 0, NULL
);
1432 SMARTLIST_FOREACH(elements
, char*, cp
, tor_free(cp
));
1433 smartlist_free(elements
);
1437 /** If <b>verbose</b> is false, allocate and return a comma-separated
1438 * list of the currently built elements of circuit_t. If
1439 * <b>verbose</b> is true, also list information about link status in
1440 * a more verbose format using spaces.
1443 circuit_list_path(origin_circuit_t
*circ
, int verbose
)
1445 return circuit_list_path_impl(circ
, verbose
, 0);
1448 /** Allocate and return a comma-separated list of the currently built elements
1449 * of circuit_t, giving each as a verbose nickname.
1452 circuit_list_path_for_controller(origin_circuit_t
*circ
)
1454 return circuit_list_path_impl(circ
, 0, 1);
1457 /** Log, at severity <b>severity</b>, the nicknames of each router in
1458 * circ's cpath. Also log the length of the cpath, and the intended
1462 circuit_log_path(int severity
, unsigned int domain
, origin_circuit_t
*circ
)
1464 char *s
= circuit_list_path(circ
,1);
1465 tor_log(severity
,domain
,"%s",s
);
1469 /** Tell the rep(utation)hist(ory) module about the status of the links
1470 * in circ. Hops that have become OPEN are marked as successfully
1471 * extended; the _first_ hop that isn't open (if any) is marked as
1474 /* XXXX Someday we should learn from OR circuits too. */
1476 circuit_rep_hist_note_result(origin_circuit_t
*circ
)
1479 char *prev_digest
= NULL
;
1480 routerinfo_t
*router
;
1482 if (!hop
) /* circuit hasn't started building yet. */
1484 if (server_mode(get_options())) {
1485 routerinfo_t
*me
= router_get_my_routerinfo();
1488 prev_digest
= me
->cache_info
.identity_digest
;
1491 router
= router_get_by_digest(hop
->extend_info
->identity_digest
);
1494 if (hop
->state
== CPATH_STATE_OPEN
)
1495 rep_hist_note_extend_succeeded(prev_digest
,
1496 router
->cache_info
.identity_digest
);
1498 rep_hist_note_extend_failed(prev_digest
,
1499 router
->cache_info
.identity_digest
);
1503 prev_digest
= router
->cache_info
.identity_digest
;
1508 } while (hop
!=circ
->cpath
);
1511 /** Pick all the entries in our cpath. Stop and return 0 when we're
1512 * happy, or return -1 if an error occurs. */
1514 onion_populate_cpath(origin_circuit_t
*circ
)
1518 r
= onion_extend_cpath(circ
);
1520 log_info(LD_CIRC
,"Generating cpath hop failed.");
1525 return 0; /* if r == 1 */
1528 /** Create and return a new origin circuit. Initialize its purpose and
1529 * build-state based on our arguments. The <b>flags</b> argument is a
1530 * bitfield of CIRCLAUNCH_* flags. */
1532 origin_circuit_init(uint8_t purpose
, int flags
)
1534 /* sets circ->p_circ_id and circ->p_conn */
1535 origin_circuit_t
*circ
= origin_circuit_new();
1536 circuit_set_state(TO_CIRCUIT(circ
), CIRCUIT_STATE_OR_WAIT
);
1537 circ
->build_state
= tor_malloc_zero(sizeof(cpath_build_state_t
));
1538 circ
->build_state
->onehop_tunnel
=
1539 ((flags
& CIRCLAUNCH_ONEHOP_TUNNEL
) ? 1 : 0);
1540 circ
->build_state
->need_uptime
=
1541 ((flags
& CIRCLAUNCH_NEED_UPTIME
) ? 1 : 0);
1542 circ
->build_state
->need_capacity
=
1543 ((flags
& CIRCLAUNCH_NEED_CAPACITY
) ? 1 : 0);
1544 circ
->build_state
->is_internal
=
1545 ((flags
& CIRCLAUNCH_IS_INTERNAL
) ? 1 : 0);
1546 circ
->_base
.purpose
= purpose
;
1550 /** Build a new circuit for <b>purpose</b>. If <b>exit</b>
1551 * is defined, then use that as your exit router, else choose a suitable
1554 * Also launch a connection to the first OR in the chosen path, if
1555 * it's not open already.
1558 circuit_establish_circuit(uint8_t purpose
, extend_info_t
*exit
, int flags
)
1560 origin_circuit_t
*circ
;
1563 circ
= origin_circuit_init(purpose
, flags
);
1565 if (onion_pick_cpath_exit(circ
, exit
) < 0 ||
1566 onion_populate_cpath(circ
) < 0) {
1567 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_NOPATH
);
1571 control_event_circuit_status(circ
, CIRC_EVENT_LAUNCHED
, 0);
1573 if ((err_reason
= circuit_handle_first_hop(circ
)) < 0) {
1574 circuit_mark_for_close(TO_CIRCUIT(circ
), -err_reason
);
1580 /** Start establishing the first hop of our circuit. Figure out what
1581 * OR we should connect to, and if necessary start the connection to
1582 * it. If we're already connected, then send the 'create' cell.
1583 * Return 0 for ok, -reason if circ should be marked-for-close. */
1585 circuit_handle_first_hop(origin_circuit_t
*circ
)
1587 crypt_path_t
*firsthop
;
1588 or_connection_t
*n_conn
;
1590 const char *msg
= NULL
;
1591 int should_launch
= 0;
1593 firsthop
= onion_next_hop_in_cpath(circ
->cpath
);
1594 tor_assert(firsthop
);
1595 tor_assert(firsthop
->extend_info
);
1597 /* now see if we're already connected to the first OR in 'route' */
1598 log_debug(LD_CIRC
,"Looking for firsthop '%s:%u'",
1599 fmt_addr(&firsthop
->extend_info
->addr
),
1600 firsthop
->extend_info
->port
);
1602 n_conn
= connection_or_get_for_extend(firsthop
->extend_info
->identity_digest
,
1603 &firsthop
->extend_info
->addr
,
1608 /* not currently connected in a useful way. */
1609 const char *name
= strlen(firsthop
->extend_info
->nickname
) ?
1610 firsthop
->extend_info
->nickname
: fmt_addr(&firsthop
->extend_info
->addr
);
1611 log_info(LD_CIRC
, "Next router is %s: %s ",
1612 safe_str_client(name
), msg
?msg
:"???");
1613 circ
->_base
.n_hop
= extend_info_dup(firsthop
->extend_info
);
1615 if (should_launch
) {
1616 if (circ
->build_state
->onehop_tunnel
)
1617 control_event_bootstrap(BOOTSTRAP_STATUS_CONN_DIR
, 0);
1618 n_conn
= connection_or_connect(&firsthop
->extend_info
->addr
,
1619 firsthop
->extend_info
->port
,
1620 firsthop
->extend_info
->identity_digest
);
1621 if (!n_conn
) { /* connect failed, forget the whole thing */
1622 log_info(LD_CIRC
,"connect to firsthop failed. Closing.");
1623 return -END_CIRC_REASON_CONNECTFAILED
;
1627 log_debug(LD_CIRC
,"connecting in progress (or finished). Good.");
1628 /* return success. The onion/circuit/etc will be taken care of
1629 * automatically (may already have been) whenever n_conn reaches
1630 * OR_CONN_STATE_OPEN.
1633 } else { /* it's already open. use it. */
1634 tor_assert(!circ
->_base
.n_hop
);
1635 circ
->_base
.n_conn
= n_conn
;
1636 log_debug(LD_CIRC
,"Conn open. Delivering first onion skin.");
1637 if ((err_reason
= circuit_send_next_onion_skin(circ
)) < 0) {
1638 log_info(LD_CIRC
,"circuit_send_next_onion_skin failed.");
1645 /** Find any circuits that are waiting on <b>or_conn</b> to become
1646 * open and get them to send their create cells forward.
1648 * Status is 1 if connect succeeded, or 0 if connect failed.
1651 circuit_n_conn_done(or_connection_t
*or_conn
, int status
)
1653 smartlist_t
*pending_circs
;
1656 log_debug(LD_CIRC
,"or_conn to %s/%s, status=%d",
1657 or_conn
->nickname
? or_conn
->nickname
: "NULL",
1658 or_conn
->_base
.address
, status
);
1660 pending_circs
= smartlist_create();
1661 circuit_get_all_pending_on_or_conn(pending_circs
, or_conn
);
1663 SMARTLIST_FOREACH_BEGIN(pending_circs
, circuit_t
*, circ
)
1665 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
1666 * leaving them in in case it's possible for the status of a circuit to
1667 * change as we're going down the list. */
1668 if (circ
->marked_for_close
|| circ
->n_conn
|| !circ
->n_hop
||
1669 circ
->state
!= CIRCUIT_STATE_OR_WAIT
)
1672 if (tor_digest_is_zero(circ
->n_hop
->identity_digest
)) {
1673 /* Look at addr/port. This is an unkeyed connection. */
1674 if (!tor_addr_eq(&circ
->n_hop
->addr
, &or_conn
->_base
.addr
) ||
1675 circ
->n_hop
->port
!= or_conn
->_base
.port
)
1678 /* We expected a key. See if it's the right one. */
1679 if (memcmp(or_conn
->identity_digest
,
1680 circ
->n_hop
->identity_digest
, DIGEST_LEN
))
1683 if (!status
) { /* or_conn failed; close circ */
1684 log_info(LD_CIRC
,"or_conn failed. Closing circ.");
1685 circuit_mark_for_close(circ
, END_CIRC_REASON_OR_CONN_CLOSED
);
1688 log_debug(LD_CIRC
, "Found circ, sending create cell.");
1689 /* circuit_deliver_create_cell will set n_circ_id and add us to
1690 * orconn_circuid_circuit_map, so we don't need to call
1691 * set_circid_orconn here. */
1692 circ
->n_conn
= or_conn
;
1693 extend_info_free(circ
->n_hop
);
1696 if (CIRCUIT_IS_ORIGIN(circ
)) {
1698 circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ
))) < 0) {
1700 "send_next_onion_skin failed; circuit marked for closing.");
1701 circuit_mark_for_close(circ
, -err_reason
);
1703 /* XXX could this be bad, eg if next_onion_skin failed because conn
1707 /* pull the create cell out of circ->onionskin, and send it */
1708 tor_assert(circ
->n_conn_onionskin
);
1709 if (circuit_deliver_create_cell(circ
,CELL_CREATE
,
1710 circ
->n_conn_onionskin
)<0) {
1711 circuit_mark_for_close(circ
, END_CIRC_REASON_RESOURCELIMIT
);
1714 tor_free(circ
->n_conn_onionskin
);
1715 circuit_set_state(circ
, CIRCUIT_STATE_OPEN
);
1718 SMARTLIST_FOREACH_END(circ
);
1720 smartlist_free(pending_circs
);
1723 /** Find a new circid that isn't currently in use on the circ->n_conn
1725 * circuit <b>circ</b>, and deliver a cell of type <b>cell_type</b>
1726 * (either CELL_CREATE or CELL_CREATE_FAST) with payload <b>payload</b>
1728 * Return -1 if we failed to find a suitable circid, else return 0.
1731 circuit_deliver_create_cell(circuit_t
*circ
, uint8_t cell_type
,
1732 const char *payload
)
1738 tor_assert(circ
->n_conn
);
1739 tor_assert(payload
);
1740 tor_assert(cell_type
== CELL_CREATE
|| cell_type
== CELL_CREATE_FAST
);
1742 id
= get_unique_circ_id_by_conn(circ
->n_conn
);
1744 log_warn(LD_CIRC
,"failed to get unique circID.");
1747 log_debug(LD_CIRC
,"Chosen circID %u.", id
);
1748 circuit_set_n_circid_orconn(circ
, id
, circ
->n_conn
);
1750 memset(&cell
, 0, sizeof(cell_t
));
1751 cell
.command
= cell_type
;
1752 cell
.circ_id
= circ
->n_circ_id
;
1754 memcpy(cell
.payload
, payload
, ONIONSKIN_CHALLENGE_LEN
);
1755 append_cell_to_circuit_queue(circ
, circ
->n_conn
, &cell
,
1756 CELL_DIRECTION_OUT
, 0);
1758 if (CIRCUIT_IS_ORIGIN(circ
)) {
1759 /* mark it so it gets better rate limiting treatment. */
1760 circ
->n_conn
->client_used
= time(NULL
);
1766 /** We've decided to start our reachability testing. If all
1767 * is set, log this to the user. Return 1 if we did, or 0 if
1768 * we chose not to log anything. */
1770 inform_testing_reachability(void)
1773 routerinfo_t
*me
= router_get_my_routerinfo();
1776 control_event_server_status(LOG_NOTICE
,
1777 "CHECKING_REACHABILITY ORADDRESS=%s:%d",
1778 me
->address
, me
->or_port
);
1780 tor_snprintf(dirbuf
, sizeof(dirbuf
), " and DirPort %s:%d",
1781 me
->address
, me
->dir_port
);
1782 control_event_server_status(LOG_NOTICE
,
1783 "CHECKING_REACHABILITY DIRADDRESS=%s:%d",
1784 me
->address
, me
->dir_port
);
1786 log_notice(LD_OR
, "Now checking whether ORPort %s:%d%s %s reachable... "
1787 "(this may take up to %d minutes -- look for log "
1788 "messages indicating success)",
1789 me
->address
, me
->or_port
,
1790 me
->dir_port
? dirbuf
: "",
1791 me
->dir_port
? "are" : "is",
1792 TIMEOUT_UNTIL_UNREACHABILITY_COMPLAINT
/60);
1797 /** Return true iff we should send a create_fast cell to start building a given
1800 should_use_create_fast_for_circuit(origin_circuit_t
*circ
)
1802 or_options_t
*options
= get_options();
1803 tor_assert(circ
->cpath
);
1804 tor_assert(circ
->cpath
->extend_info
);
1806 if (!circ
->cpath
->extend_info
->onion_key
)
1807 return 1; /* our hand is forced: only a create_fast will work. */
1808 if (!options
->FastFirstHopPK
)
1809 return 0; /* we prefer to avoid create_fast */
1810 if (server_mode(options
)) {
1811 /* We're a server, and we know an onion key. We can choose.
1812 * Prefer to blend in. */
1819 /** This is the backbone function for building circuits.
1821 * If circ's first hop is closed, then we need to build a create
1822 * cell and send it forward.
1824 * Otherwise, we need to build a relay extend cell and send it
1827 * Return -reason if we want to tear down circ, else return 0.
1830 circuit_send_next_onion_skin(origin_circuit_t
*circ
)
1833 routerinfo_t
*router
;
1834 char payload
[2+4+DIGEST_LEN
+ONIONSKIN_CHALLENGE_LEN
];
1840 if (circ
->cpath
->state
== CPATH_STATE_CLOSED
) {
1843 log_debug(LD_CIRC
,"First skin; sending create cell.");
1844 if (circ
->build_state
->onehop_tunnel
)
1845 control_event_bootstrap(BOOTSTRAP_STATUS_ONEHOP_CREATE
, 0);
1847 control_event_bootstrap(BOOTSTRAP_STATUS_CIRCUIT_CREATE
, 0);
1849 router
= router_get_by_digest(circ
->_base
.n_conn
->identity_digest
);
1850 fast
= should_use_create_fast_for_circuit(circ
);
1852 /* We are an OR and we know the right onion key: we should
1853 * send an old slow create cell.
1855 cell_type
= CELL_CREATE
;
1856 if (onion_skin_create(circ
->cpath
->extend_info
->onion_key
,
1857 &(circ
->cpath
->dh_handshake_state
),
1859 log_warn(LD_CIRC
,"onion_skin_create (first hop) failed.");
1860 return - END_CIRC_REASON_INTERNAL
;
1862 note_request("cell: create", 1);
1864 /* We are not an OR, and we're building the first hop of a circuit to a
1865 * new OR: we can be speedy and use CREATE_FAST to save an RSA operation
1866 * and a DH operation. */
1867 cell_type
= CELL_CREATE_FAST
;
1868 memset(payload
, 0, sizeof(payload
));
1869 crypto_rand(circ
->cpath
->fast_handshake_state
,
1870 sizeof(circ
->cpath
->fast_handshake_state
));
1871 memcpy(payload
, circ
->cpath
->fast_handshake_state
,
1872 sizeof(circ
->cpath
->fast_handshake_state
));
1873 note_request("cell: create fast", 1);
1876 if (circuit_deliver_create_cell(TO_CIRCUIT(circ
), cell_type
, payload
) < 0)
1877 return - END_CIRC_REASON_RESOURCELIMIT
;
1879 circ
->cpath
->state
= CPATH_STATE_AWAITING_KEYS
;
1880 circuit_set_state(TO_CIRCUIT(circ
), CIRCUIT_STATE_BUILDING
);
1881 log_info(LD_CIRC
,"First hop: finished sending %s cell to '%s'",
1882 fast
? "CREATE_FAST" : "CREATE",
1883 router
? router
->nickname
: "<unnamed>");
1885 tor_assert(circ
->cpath
->state
== CPATH_STATE_OPEN
);
1886 tor_assert(circ
->_base
.state
== CIRCUIT_STATE_BUILDING
);
1887 log_debug(LD_CIRC
,"starting to send subsequent skin.");
1888 hop
= onion_next_hop_in_cpath(circ
->cpath
);
1890 /* done building the circuit. whew. */
1891 circuit_set_state(TO_CIRCUIT(circ
), CIRCUIT_STATE_OPEN
);
1892 if (!circ
->build_state
->onehop_tunnel
) {
1895 tor_gettimeofday(&end
);
1896 timediff
= tv_mdiff(&circ
->_base
.highres_created
, &end
);
1898 * If the circuit build time is much greater than we would have cut
1899 * it off at, we probably had a suspend event along this codepath,
1900 * and we should discard the value.
1902 if (timediff
< 0 || timediff
> 2*circ_times
.close_ms
+1000) {
1903 log_notice(LD_CIRC
, "Strange value for circuit build time: %ldmsec. "
1904 "Assuming clock jump.", timediff
);
1905 } else if (!circuit_build_times_disabled()) {
1906 /* Don't count circuit times if the network was not live */
1907 if (circuit_build_times_network_check_live(&circ_times
)) {
1908 circuit_build_times_add_time(&circ_times
, (build_time_t
)timediff
);
1909 circuit_build_times_set_timeout(&circ_times
);
1912 if (circ
->_base
.purpose
!= CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT
) {
1913 circuit_build_times_network_circ_success(&circ_times
);
1917 log_info(LD_CIRC
,"circuit built!");
1918 circuit_reset_failure_count(0);
1919 if (circ
->build_state
->onehop_tunnel
)
1920 control_event_bootstrap(BOOTSTRAP_STATUS_REQUESTING_STATUS
, 0);
1921 if (!can_complete_circuit
&& !circ
->build_state
->onehop_tunnel
) {
1922 or_options_t
*options
= get_options();
1923 can_complete_circuit
=1;
1924 /* FFFF Log a count of known routers here */
1925 log_notice(LD_GENERAL
,
1926 "Tor has successfully opened a circuit. "
1927 "Looks like client functionality is working.");
1928 control_event_bootstrap(BOOTSTRAP_STATUS_DONE
, 0);
1929 control_event_client_status(LOG_NOTICE
, "CIRCUIT_ESTABLISHED");
1930 if (server_mode(options
) && !check_whether_orport_reachable()) {
1931 inform_testing_reachability();
1932 consider_testing_reachability(1, 1);
1935 circuit_rep_hist_note_result(circ
);
1936 circuit_has_opened(circ
); /* do other actions as necessary */
1938 /* We're done with measurement circuits here. Just close them */
1939 if (circ
->_base
.purpose
== CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT
)
1940 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_FINISHED
);
1944 if (tor_addr_family(&hop
->extend_info
->addr
) != AF_INET
) {
1945 log_warn(LD_BUG
, "Trying to extend to a non-IPv4 address.");
1946 return - END_CIRC_REASON_INTERNAL
;
1949 set_uint32(payload
, tor_addr_to_ipv4n(&hop
->extend_info
->addr
));
1950 set_uint16(payload
+4, htons(hop
->extend_info
->port
));
1952 onionskin
= payload
+2+4;
1953 memcpy(payload
+2+4+ONIONSKIN_CHALLENGE_LEN
,
1954 hop
->extend_info
->identity_digest
, DIGEST_LEN
);
1955 payload_len
= 2+4+ONIONSKIN_CHALLENGE_LEN
+DIGEST_LEN
;
1957 if (onion_skin_create(hop
->extend_info
->onion_key
,
1958 &(hop
->dh_handshake_state
), onionskin
) < 0) {
1959 log_warn(LD_CIRC
,"onion_skin_create failed.");
1960 return - END_CIRC_REASON_INTERNAL
;
1963 log_info(LD_CIRC
,"Sending extend relay cell.");
1964 note_request("cell: extend", 1);
1965 /* send it to hop->prev, because it will transfer
1966 * it to a create cell and then send to hop */
1967 if (relay_send_command_from_edge(0, TO_CIRCUIT(circ
),
1968 RELAY_COMMAND_EXTEND
,
1969 payload
, payload_len
, hop
->prev
) < 0)
1970 return 0; /* circuit is closed */
1972 hop
->state
= CPATH_STATE_AWAITING_KEYS
;
1977 /** Our clock just jumped by <b>seconds_elapsed</b>. Assume
1978 * something has also gone wrong with our network: notify the user,
1979 * and abandon all not-yet-used circuits. */
1981 circuit_note_clock_jumped(int seconds_elapsed
)
1983 int severity
= server_mode(get_options()) ? LOG_WARN
: LOG_NOTICE
;
1984 tor_log(severity
, LD_GENERAL
, "Your system clock just jumped %d seconds %s; "
1985 "assuming established circuits no longer work.",
1986 seconds_elapsed
>=0 ? seconds_elapsed
: -seconds_elapsed
,
1987 seconds_elapsed
>=0 ? "forward" : "backward");
1988 control_event_general_status(LOG_WARN
, "CLOCK_JUMPED TIME=%d",
1990 can_complete_circuit
=0; /* so it'll log when it works again */
1991 control_event_client_status(severity
, "CIRCUIT_NOT_ESTABLISHED REASON=%s",
1993 circuit_mark_all_unused_circs();
1994 circuit_expire_all_dirty_circs();
1997 /** Take the 'extend' <b>cell</b>, pull out addr/port plus the onion
1998 * skin and identity digest for the next hop. If we're already connected,
1999 * pass the onion skin to the next hop using a create cell; otherwise
2000 * launch a new OR connection, and <b>circ</b> will notice when the
2001 * connection succeeds or fails.
2003 * Return -1 if we want to warn and tear down the circuit, else return 0.
2006 circuit_extend(cell_t
*cell
, circuit_t
*circ
)
2008 or_connection_t
*n_conn
;
2011 char *id_digest
=NULL
;
2015 const char *msg
= NULL
;
2016 int should_launch
= 0;
2019 log_fn(LOG_PROTOCOL_WARN
, LD_PROTOCOL
,
2020 "n_conn already set. Bug/attack. Closing.");
2024 log_fn(LOG_PROTOCOL_WARN
, LD_PROTOCOL
,
2025 "conn to next hop already launched. Bug/attack. Closing.");
2029 if (!server_mode(get_options())) {
2030 log_fn(LOG_PROTOCOL_WARN
, LD_PROTOCOL
,
2031 "Got an extend cell, but running as a client. Closing.");
2035 relay_header_unpack(&rh
, cell
->payload
);
2037 if (rh
.length
< 4+2+ONIONSKIN_CHALLENGE_LEN
+DIGEST_LEN
) {
2038 log_fn(LOG_PROTOCOL_WARN
, LD_PROTOCOL
,
2039 "Wrong length %d on extend cell. Closing circuit.",
2044 n_addr32
= ntohl(get_uint32(cell
->payload
+RELAY_HEADER_SIZE
));
2045 n_port
= ntohs(get_uint16(cell
->payload
+RELAY_HEADER_SIZE
+4));
2046 onionskin
= cell
->payload
+RELAY_HEADER_SIZE
+4+2;
2047 id_digest
= cell
->payload
+RELAY_HEADER_SIZE
+4+2+ONIONSKIN_CHALLENGE_LEN
;
2048 tor_addr_from_ipv4h(&n_addr
, n_addr32
);
2050 if (!n_port
|| !n_addr32
) {
2051 log_fn(LOG_PROTOCOL_WARN
, LD_PROTOCOL
,
2052 "Client asked me to extend to zero destination port or addr.");
2056 /* Check if they asked us for 0000..0000. We support using
2057 * an empty fingerprint for the first hop (e.g. for a bridge relay),
2058 * but we don't want to let people send us extend cells for empty
2059 * fingerprints -- a) because it opens the user up to a mitm attack,
2060 * and b) because it lets an attacker force the relay to hold open a
2061 * new TLS connection for each extend request. */
2062 if (tor_digest_is_zero(id_digest
)) {
2063 log_fn(LOG_PROTOCOL_WARN
, LD_PROTOCOL
,
2064 "Client asked me to extend without specifying an id_digest.");
2068 /* Next, check if we're being asked to connect to the hop that the
2069 * extend cell came from. There isn't any reason for that, and it can
2070 * assist circular-path attacks. */
2071 if (!memcmp(id_digest
, TO_OR_CIRCUIT(circ
)->p_conn
->identity_digest
,
2073 log_fn(LOG_PROTOCOL_WARN
, LD_PROTOCOL
,
2074 "Client asked me to extend back to the previous hop.");
2078 n_conn
= connection_or_get_for_extend(id_digest
,
2084 log_debug(LD_CIRC
|LD_OR
,"Next router (%s:%d): %s",
2085 fmt_addr(&n_addr
), (int)n_port
, msg
?msg
:"????");
2087 circ
->n_hop
= extend_info_alloc(NULL
/*nickname*/,
2092 circ
->n_conn_onionskin
= tor_malloc(ONIONSKIN_CHALLENGE_LEN
);
2093 memcpy(circ
->n_conn_onionskin
, onionskin
, ONIONSKIN_CHALLENGE_LEN
);
2094 circuit_set_state(circ
, CIRCUIT_STATE_OR_WAIT
);
2096 if (should_launch
) {
2097 /* we should try to open a connection */
2098 n_conn
= connection_or_connect(&n_addr
, n_port
, id_digest
);
2100 log_info(LD_CIRC
,"Launching n_conn failed. Closing circuit.");
2101 circuit_mark_for_close(circ
, END_CIRC_REASON_CONNECTFAILED
);
2104 log_debug(LD_CIRC
,"connecting in progress (or finished). Good.");
2106 /* return success. The onion/circuit/etc will be taken care of
2107 * automatically (may already have been) whenever n_conn reaches
2108 * OR_CONN_STATE_OPEN.
2113 tor_assert(!circ
->n_hop
); /* Connection is already established. */
2114 circ
->n_conn
= n_conn
;
2115 log_debug(LD_CIRC
,"n_conn is %s:%u",
2116 n_conn
->_base
.address
,n_conn
->_base
.port
);
2118 if (circuit_deliver_create_cell(circ
, CELL_CREATE
, onionskin
) < 0)
2123 /** Initialize cpath-\>{f|b}_{crypto|digest} from the key material in
2124 * key_data. key_data must contain CPATH_KEY_MATERIAL bytes, which are
2126 * - 20 to initialize f_digest
2127 * - 20 to initialize b_digest
2128 * - 16 to key f_crypto
2129 * - 16 to key b_crypto
2131 * (If 'reverse' is true, then f_XX and b_XX are swapped.)
2134 circuit_init_cpath_crypto(crypt_path_t
*cpath
, const char *key_data
,
2137 crypto_digest_env_t
*tmp_digest
;
2138 crypto_cipher_env_t
*tmp_crypto
;
2141 tor_assert(key_data
);
2142 tor_assert(!(cpath
->f_crypto
|| cpath
->b_crypto
||
2143 cpath
->f_digest
|| cpath
->b_digest
));
2145 cpath
->f_digest
= crypto_new_digest_env();
2146 crypto_digest_add_bytes(cpath
->f_digest
, key_data
, DIGEST_LEN
);
2147 cpath
->b_digest
= crypto_new_digest_env();
2148 crypto_digest_add_bytes(cpath
->b_digest
, key_data
+DIGEST_LEN
, DIGEST_LEN
);
2150 if (!(cpath
->f_crypto
=
2151 crypto_create_init_cipher(key_data
+(2*DIGEST_LEN
),1))) {
2152 log_warn(LD_BUG
,"Forward cipher initialization failed.");
2155 if (!(cpath
->b_crypto
=
2156 crypto_create_init_cipher(key_data
+(2*DIGEST_LEN
)+CIPHER_KEY_LEN
,0))) {
2157 log_warn(LD_BUG
,"Backward cipher initialization failed.");
2162 tmp_digest
= cpath
->f_digest
;
2163 cpath
->f_digest
= cpath
->b_digest
;
2164 cpath
->b_digest
= tmp_digest
;
2165 tmp_crypto
= cpath
->f_crypto
;
2166 cpath
->f_crypto
= cpath
->b_crypto
;
2167 cpath
->b_crypto
= tmp_crypto
;
2173 /** A created or extended cell came back to us on the circuit, and it included
2174 * <b>reply</b> as its body. (If <b>reply_type</b> is CELL_CREATED, the body
2175 * contains (the second DH key, plus KH). If <b>reply_type</b> is
2176 * CELL_CREATED_FAST, the body contains a secret y and a hash H(x|y).)
2178 * Calculate the appropriate keys and digests, make sure KH is
2179 * correct, and initialize this hop of the cpath.
2181 * Return - reason if we want to mark circ for close, else return 0.
2184 circuit_finish_handshake(origin_circuit_t
*circ
, uint8_t reply_type
,
2187 char keys
[CPATH_KEY_MATERIAL_LEN
];
2190 if (circ
->cpath
->state
== CPATH_STATE_AWAITING_KEYS
)
2193 hop
= onion_next_hop_in_cpath(circ
->cpath
);
2194 if (!hop
) { /* got an extended when we're all done? */
2195 log_warn(LD_PROTOCOL
,"got extended when circ already built? Closing.");
2196 return - END_CIRC_REASON_TORPROTOCOL
;
2199 tor_assert(hop
->state
== CPATH_STATE_AWAITING_KEYS
);
2201 if (reply_type
== CELL_CREATED
&& hop
->dh_handshake_state
) {
2202 if (onion_skin_client_handshake(hop
->dh_handshake_state
, reply
, keys
,
2203 DIGEST_LEN
*2+CIPHER_KEY_LEN
*2) < 0) {
2204 log_warn(LD_CIRC
,"onion_skin_client_handshake failed.");
2205 return -END_CIRC_REASON_TORPROTOCOL
;
2207 /* Remember hash of g^xy */
2208 memcpy(hop
->handshake_digest
, reply
+DH_KEY_LEN
, DIGEST_LEN
);
2209 } else if (reply_type
== CELL_CREATED_FAST
&& !hop
->dh_handshake_state
) {
2210 if (fast_client_handshake(hop
->fast_handshake_state
, reply
, keys
,
2211 DIGEST_LEN
*2+CIPHER_KEY_LEN
*2) < 0) {
2212 log_warn(LD_CIRC
,"fast_client_handshake failed.");
2213 return -END_CIRC_REASON_TORPROTOCOL
;
2215 memcpy(hop
->handshake_digest
, reply
+DIGEST_LEN
, DIGEST_LEN
);
2217 log_warn(LD_PROTOCOL
,"CREATED cell type did not match CREATE cell type.");
2218 return -END_CIRC_REASON_TORPROTOCOL
;
2221 crypto_dh_free(hop
->dh_handshake_state
); /* don't need it anymore */
2222 hop
->dh_handshake_state
= NULL
;
2224 memset(hop
->fast_handshake_state
, 0, sizeof(hop
->fast_handshake_state
));
2226 if (circuit_init_cpath_crypto(hop
, keys
, 0)<0) {
2227 return -END_CIRC_REASON_TORPROTOCOL
;
2230 hop
->state
= CPATH_STATE_OPEN
;
2231 log_info(LD_CIRC
,"Finished building %scircuit hop:",
2232 (reply_type
== CELL_CREATED_FAST
) ? "fast " : "");
2233 circuit_log_path(LOG_INFO
,LD_CIRC
,circ
);
2234 control_event_circuit_status(circ
, CIRC_EVENT_EXTENDED
, 0);
2239 /** We received a relay truncated cell on circ.
2241 * Since we don't ask for truncates currently, getting a truncated
2242 * means that a connection broke or an extend failed. For now,
2243 * just give up: for circ to close, and return 0.
2246 circuit_truncated(origin_circuit_t
*circ
, crypt_path_t
*layer
)
2248 // crypt_path_t *victim;
2249 // connection_t *stream;
2254 /* XXX Since we don't ask for truncates currently, getting a truncated
2255 * means that a connection broke or an extend failed. For now,
2258 circuit_mark_for_close(TO_CIRCUIT(circ
),
2259 END_CIRC_REASON_FLAG_REMOTE
|END_CIRC_REASON_OR_CONN_CLOSED
);
2263 while (layer
->next
!= circ
->cpath
) {
2264 /* we need to clear out layer->next */
2265 victim
= layer
->next
;
2266 log_debug(LD_CIRC
, "Killing a layer of the cpath.");
2268 for (stream
= circ
->p_streams
; stream
; stream
=stream
->next_stream
) {
2269 if (stream
->cpath_layer
== victim
) {
2270 log_info(LD_APP
, "Marking stream %d for close because of truncate.",
2272 /* no need to send 'end' relay cells,
2273 * because the other side's already dead
2275 connection_mark_unattached_ap(stream
, END_STREAM_REASON_DESTROY
);
2279 layer
->next
= victim
->next
;
2280 circuit_free_cpath_node(victim
);
2283 log_info(LD_CIRC
, "finished");
2288 /** Given a response payload and keys, initialize, then send a created
2292 onionskin_answer(or_circuit_t
*circ
, uint8_t cell_type
, const char *payload
,
2296 crypt_path_t
*tmp_cpath
;
2298 tmp_cpath
= tor_malloc_zero(sizeof(crypt_path_t
));
2299 tmp_cpath
->magic
= CRYPT_PATH_MAGIC
;
2301 memset(&cell
, 0, sizeof(cell_t
));
2302 cell
.command
= cell_type
;
2303 cell
.circ_id
= circ
->p_circ_id
;
2305 circuit_set_state(TO_CIRCUIT(circ
), CIRCUIT_STATE_OPEN
);
2307 memcpy(cell
.payload
, payload
,
2308 cell_type
== CELL_CREATED
? ONIONSKIN_REPLY_LEN
: DIGEST_LEN
*2);
2310 log_debug(LD_CIRC
,"init digest forward 0x%.8x, backward 0x%.8x.",
2311 (unsigned int)get_uint32(keys
),
2312 (unsigned int)get_uint32(keys
+20));
2313 if (circuit_init_cpath_crypto(tmp_cpath
, keys
, 0)<0) {
2314 log_warn(LD_BUG
,"Circuit initialization failed");
2315 tor_free(tmp_cpath
);
2318 circ
->n_digest
= tmp_cpath
->f_digest
;
2319 circ
->n_crypto
= tmp_cpath
->f_crypto
;
2320 circ
->p_digest
= tmp_cpath
->b_digest
;
2321 circ
->p_crypto
= tmp_cpath
->b_crypto
;
2322 tmp_cpath
->magic
= 0;
2323 tor_free(tmp_cpath
);
2325 if (cell_type
== CELL_CREATED
)
2326 memcpy(circ
->handshake_digest
, cell
.payload
+DH_KEY_LEN
, DIGEST_LEN
);
2328 memcpy(circ
->handshake_digest
, cell
.payload
+DIGEST_LEN
, DIGEST_LEN
);
2330 circ
->is_first_hop
= (cell_type
== CELL_CREATED_FAST
);
2332 append_cell_to_circuit_queue(TO_CIRCUIT(circ
),
2333 circ
->p_conn
, &cell
, CELL_DIRECTION_IN
, 0);
2334 log_debug(LD_CIRC
,"Finished sending 'created' cell.");
2336 if (!is_local_addr(&circ
->p_conn
->_base
.addr
) &&
2337 !connection_or_nonopen_was_started_here(circ
->p_conn
)) {
2338 /* record that we could process create cells from a non-local conn
2339 * that we didn't initiate; presumably this means that create cells
2340 * can reach us too. */
2341 router_orport_found_reachable();
2347 /** Choose a length for a circuit of purpose <b>purpose</b>.
2348 * Default length is 3 + the number of endpoints that would give something
2349 * away. If the routerlist <b>routers</b> doesn't have enough routers
2350 * to handle the desired path length, return as large a path length as
2351 * is feasible, except if it's less than 2, in which case return -1.
2354 new_route_len(uint8_t purpose
, extend_info_t
*exit
,
2355 smartlist_t
*routers
)
2357 int num_acceptable_routers
;
2360 tor_assert(routers
);
2362 routelen
= DEFAULT_ROUTE_LEN
;
2364 purpose
!= CIRCUIT_PURPOSE_TESTING
&&
2365 purpose
!= CIRCUIT_PURPOSE_S_ESTABLISH_INTRO
)
2368 num_acceptable_routers
= count_acceptable_routers(routers
);
2370 log_debug(LD_CIRC
,"Chosen route length %d (%d/%d routers suitable).",
2371 routelen
, num_acceptable_routers
, smartlist_len(routers
));
2373 if (num_acceptable_routers
< 2) {
2375 "Not enough acceptable routers (%d). Discarding this circuit.",
2376 num_acceptable_routers
);
2380 if (num_acceptable_routers
< routelen
) {
2381 log_info(LD_CIRC
,"Not enough routers: cutting routelen from %d to %d.",
2382 routelen
, num_acceptable_routers
);
2383 routelen
= num_acceptable_routers
;
2389 /** Fetch the list of predicted ports, dup it into a smartlist of
2390 * uint16_t's, remove the ones that are already handled by an
2391 * existing circuit, and return it.
2393 static smartlist_t
*
2394 circuit_get_unhandled_ports(time_t now
)
2396 smartlist_t
*source
= rep_hist_get_predicted_ports(now
);
2397 smartlist_t
*dest
= smartlist_create();
2401 for (i
= 0; i
< smartlist_len(source
); ++i
) {
2402 tmp
= tor_malloc(sizeof(uint16_t));
2403 memcpy(tmp
, smartlist_get(source
, i
), sizeof(uint16_t));
2404 smartlist_add(dest
, tmp
);
2407 circuit_remove_handled_ports(dest
);
2411 /** Return 1 if we already have circuits present or on the way for
2412 * all anticipated ports. Return 0 if we should make more.
2414 * If we're returning 0, set need_uptime and need_capacity to
2415 * indicate any requirements that the unhandled ports have.
2418 circuit_all_predicted_ports_handled(time_t now
, int *need_uptime
,
2423 smartlist_t
*sl
= circuit_get_unhandled_ports(now
);
2424 smartlist_t
*LongLivedServices
= get_options()->LongLivedPorts
;
2425 tor_assert(need_uptime
);
2426 tor_assert(need_capacity
);
2427 // Always predict need_capacity
2429 enough
= (smartlist_len(sl
) == 0);
2430 for (i
= 0; i
< smartlist_len(sl
); ++i
) {
2431 port
= smartlist_get(sl
, i
);
2432 if (smartlist_string_num_isin(LongLivedServices
, *port
))
2440 /** Return 1 if <b>router</b> can handle one or more of the ports in
2441 * <b>needed_ports</b>, else return 0.
2444 router_handles_some_port(routerinfo_t
*router
, smartlist_t
*needed_ports
)
2449 for (i
= 0; i
< smartlist_len(needed_ports
); ++i
) {
2450 addr_policy_result_t r
;
2451 /* alignment issues aren't a worry for this dereference, since
2452 needed_ports is explicitly a smartlist of uint16_t's */
2453 port
= *(uint16_t *)smartlist_get(needed_ports
, i
);
2455 r
= compare_addr_to_addr_policy(0, port
, router
->exit_policy
);
2456 if (r
!= ADDR_POLICY_REJECTED
&& r
!= ADDR_POLICY_PROBABLY_REJECTED
)
2462 /** Return true iff <b>conn</b> needs another general circuit to be
2465 ap_stream_wants_exit_attention(connection_t
*conn
)
2467 if (conn
->type
== CONN_TYPE_AP
&&
2468 conn
->state
== AP_CONN_STATE_CIRCUIT_WAIT
&&
2469 !conn
->marked_for_close
&&
2470 !(TO_EDGE_CONN(conn
)->want_onehop
) && /* ignore one-hop streams */
2471 !(TO_EDGE_CONN(conn
)->use_begindir
) && /* ignore targeted dir fetches */
2472 !(TO_EDGE_CONN(conn
)->chosen_exit_name
) && /* ignore defined streams */
2473 !connection_edge_is_rendezvous_stream(TO_EDGE_CONN(conn
)) &&
2474 !circuit_stream_is_being_handled(TO_EDGE_CONN(conn
), 0,
2475 MIN_CIRCUITS_HANDLING_STREAM
))
2480 /** Return a pointer to a suitable router to be the exit node for the
2481 * general-purpose circuit we're about to build.
2483 * Look through the connection array, and choose a router that maximizes
2484 * the number of pending streams that can exit from this router.
2486 * Return NULL if we can't find any suitable routers.
2488 static routerinfo_t
*
2489 choose_good_exit_server_general(routerlist_t
*dir
, int need_uptime
,
2494 int n_pending_connections
= 0;
2495 smartlist_t
*connections
;
2496 int best_support
= -1;
2497 int n_best_support
=0;
2498 routerinfo_t
*router
;
2499 or_options_t
*options
= get_options();
2501 connections
= get_connection_array();
2503 /* Count how many connections are waiting for a circuit to be built.
2504 * We use this for log messages now, but in the future we may depend on it.
2506 SMARTLIST_FOREACH(connections
, connection_t
*, conn
,
2508 if (ap_stream_wants_exit_attention(conn
))
2509 ++n_pending_connections
;
2511 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
2512 // n_pending_connections);
2513 /* Now we count, for each of the routers in the directory, how many
2514 * of the pending connections could possibly exit from that
2515 * router (n_supported[i]). (We can't be sure about cases where we
2516 * don't know the IP address of the pending connection.)
2518 * -1 means "Don't use this router at all."
2520 n_supported
= tor_malloc(sizeof(int)*smartlist_len(dir
->routers
));
2521 for (i
= 0; i
< smartlist_len(dir
->routers
); ++i
) {/* iterate over routers */
2522 router
= smartlist_get(dir
->routers
, i
);
2523 if (router_is_me(router
)) {
2524 n_supported
[i
] = -1;
2525 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
2526 /* XXX there's probably a reverse predecessor attack here, but
2527 * it's slow. should we take this out? -RD
2531 if (!router
->is_running
|| router
->is_bad_exit
) {
2532 n_supported
[i
] = -1;
2533 continue; /* skip routers that are known to be down or bad exits */
2535 if (router_is_unreliable(router
, need_uptime
, need_capacity
, 0) &&
2536 (!options
->ExitNodes
||
2537 !routerset_contains_router(options
->ExitNodes
, router
))) {
2538 /* FFFF Someday, differentiate between a routerset that names
2539 * routers, and a routerset that names countries, and only do this
2540 * check if they've asked for specific exit relays. Or if the country
2541 * they ask for is rare. Or something. */
2542 n_supported
[i
] = -1;
2543 continue; /* skip routers that are not suitable, unless we have
2544 * ExitNodes set, in which case we asked for it */
2546 if (!(router
->is_valid
|| options
->_AllowInvalid
& ALLOW_INVALID_EXIT
)) {
2547 /* if it's invalid and we don't want it */
2548 n_supported
[i
] = -1;
2549 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- invalid router.",
2550 // router->nickname, i);
2551 continue; /* skip invalid routers */
2553 if (options
->ExcludeSingleHopRelays
&& router
->allow_single_hop_exits
) {
2554 n_supported
[i
] = -1;
2557 if (router_exit_policy_rejects_all(router
)) {
2558 n_supported
[i
] = -1;
2559 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
2560 // router->nickname, i);
2561 continue; /* skip routers that reject all */
2564 /* iterate over connections */
2565 SMARTLIST_FOREACH(connections
, connection_t
*, conn
,
2567 if (!ap_stream_wants_exit_attention(conn
))
2568 continue; /* Skip everything but APs in CIRCUIT_WAIT */
2569 if (connection_ap_can_use_exit(TO_EDGE_CONN(conn
), router
, 1)) {
2571 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
2572 // router->nickname, i, n_supported[i]);
2574 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
2575 // router->nickname, i);
2577 }); /* End looping over connections. */
2578 if (n_pending_connections
> 0 && n_supported
[i
] == 0) {
2579 /* Leave best_support at -1 if that's where it is, so we can
2580 * distinguish it later. */
2583 if (n_supported
[i
] > best_support
) {
2584 /* If this router is better than previous ones, remember its index
2585 * and goodness, and start counting how many routers are this good. */
2586 best_support
= n_supported
[i
]; n_best_support
=1;
2587 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
2588 // router->nickname);
2589 } else if (n_supported
[i
] == best_support
) {
2590 /* If this router is _as good_ as the best one, just increment the
2591 * count of equally good routers.*/
2596 "Found %d servers that might support %d/%d pending connections.",
2597 n_best_support
, best_support
>= 0 ? best_support
: 0,
2598 n_pending_connections
);
2600 /* If any routers definitely support any pending connections, choose one
2602 if (best_support
> 0) {
2603 smartlist_t
*supporting
= smartlist_create(), *use
= smartlist_create();
2605 for (i
= 0; i
< smartlist_len(dir
->routers
); i
++)
2606 if (n_supported
[i
] == best_support
)
2607 smartlist_add(supporting
, smartlist_get(dir
->routers
, i
));
2609 routersets_get_disjunction(use
, supporting
, options
->ExitNodes
,
2610 options
->_ExcludeExitNodesUnion
, 1);
2611 if (smartlist_len(use
) == 0 && options
->ExitNodes
&&
2612 !options
->StrictNodes
) { /* give up on exitnodes and try again */
2613 routersets_get_disjunction(use
, supporting
, NULL
,
2614 options
->_ExcludeExitNodesUnion
, 1);
2616 router
= routerlist_sl_choose_by_bandwidth(use
, WEIGHT_FOR_EXIT
);
2617 smartlist_free(use
);
2618 smartlist_free(supporting
);
2620 /* Either there are no pending connections, or no routers even seem to
2621 * possibly support any of them. Choose a router at random that satisfies
2622 * at least one predicted exit port. */
2625 smartlist_t
*needed_ports
, *supporting
, *use
;
2627 if (best_support
== -1) {
2628 if (need_uptime
|| need_capacity
) {
2630 "We couldn't find any live%s%s routers; falling back "
2631 "to list of all routers.",
2632 need_capacity
?", fast":"",
2633 need_uptime
?", stable":"");
2634 tor_free(n_supported
);
2635 return choose_good_exit_server_general(dir
, 0, 0);
2637 log_notice(LD_CIRC
, "All routers are down or won't exit%s -- "
2638 "choosing a doomed exit at random.",
2639 options
->_ExcludeExitNodesUnion
? " or are Excluded" : "");
2641 supporting
= smartlist_create();
2642 use
= smartlist_create();
2643 needed_ports
= circuit_get_unhandled_ports(time(NULL
));
2644 for (attempt
= 0; attempt
< 2; attempt
++) {
2645 /* try once to pick only from routers that satisfy a needed port,
2646 * then if there are none, pick from any that support exiting. */
2647 for (i
= 0; i
< smartlist_len(dir
->routers
); i
++) {
2648 router
= smartlist_get(dir
->routers
, i
);
2649 if (n_supported
[i
] != -1 &&
2650 (attempt
|| router_handles_some_port(router
, needed_ports
))) {
2651 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
2652 // try, router->nickname);
2653 smartlist_add(supporting
, router
);
2657 routersets_get_disjunction(use
, supporting
, options
->ExitNodes
,
2658 options
->_ExcludeExitNodesUnion
, 1);
2659 if (smartlist_len(use
) == 0 && options
->ExitNodes
&&
2660 !options
->StrictNodes
) { /* give up on exitnodes and try again */
2661 routersets_get_disjunction(use
, supporting
, NULL
,
2662 options
->_ExcludeExitNodesUnion
, 1);
2664 /* FFF sometimes the above results in null, when the requested
2665 * exit node is considered down by the consensus. we should pick
2666 * it anyway, since the user asked for it. */
2667 router
= routerlist_sl_choose_by_bandwidth(use
, WEIGHT_FOR_EXIT
);
2670 smartlist_clear(supporting
);
2671 smartlist_clear(use
);
2673 SMARTLIST_FOREACH(needed_ports
, uint16_t *, cp
, tor_free(cp
));
2674 smartlist_free(needed_ports
);
2675 smartlist_free(use
);
2676 smartlist_free(supporting
);
2679 tor_free(n_supported
);
2681 log_info(LD_CIRC
, "Chose exit server '%s'", router
->nickname
);
2684 if (options
->ExitNodes
&& options
->StrictNodes
) {
2686 "No specified exit routers seem to be running, and "
2687 "StrictNodes is set: can't choose an exit.");
2692 /** Return a pointer to a suitable router to be the exit node for the
2693 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
2694 * if no router is suitable).
2696 * For general-purpose circuits, pass it off to
2697 * choose_good_exit_server_general()
2699 * For client-side rendezvous circuits, choose a random node, weighted
2700 * toward the preferences in 'options'.
2702 static routerinfo_t
*
2703 choose_good_exit_server(uint8_t purpose
, routerlist_t
*dir
,
2704 int need_uptime
, int need_capacity
, int is_internal
)
2706 or_options_t
*options
= get_options();
2707 router_crn_flags_t flags
= 0;
2709 flags
|= CRN_NEED_UPTIME
;
2711 flags
|= CRN_NEED_CAPACITY
;
2714 case CIRCUIT_PURPOSE_C_GENERAL
:
2715 if (options
->_AllowInvalid
& ALLOW_INVALID_MIDDLE
)
2716 flags
|= CRN_ALLOW_INVALID
;
2717 if (is_internal
) /* pick it like a middle hop */
2718 return router_choose_random_node(NULL
, options
->ExcludeNodes
, flags
);
2720 return choose_good_exit_server_general(dir
,need_uptime
,need_capacity
);
2721 case CIRCUIT_PURPOSE_C_ESTABLISH_REND
:
2722 if (options
->_AllowInvalid
& ALLOW_INVALID_RENDEZVOUS
)
2723 flags
|= CRN_ALLOW_INVALID
;
2724 return router_choose_random_node(NULL
, options
->ExcludeNodes
, flags
);
2726 log_warn(LD_BUG
,"Unhandled purpose %d", purpose
);
2727 tor_fragile_assert();
2731 /** Log a warning if the user specified an exit for the circuit that
2732 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
2734 warn_if_last_router_excluded(origin_circuit_t
*circ
, const extend_info_t
*exit
)
2736 or_options_t
*options
= get_options();
2737 routerset_t
*rs
= options
->ExcludeNodes
;
2738 const char *description
;
2739 int domain
= LD_CIRC
;
2740 uint8_t purpose
= circ
->_base
.purpose
;
2742 if (circ
->build_state
->onehop_tunnel
)
2748 case CIRCUIT_PURPOSE_OR
:
2749 case CIRCUIT_PURPOSE_INTRO_POINT
:
2750 case CIRCUIT_PURPOSE_REND_POINT_WAITING
:
2751 case CIRCUIT_PURPOSE_REND_ESTABLISHED
:
2752 log_warn(LD_BUG
, "Called on non-origin circuit (purpose %d)",
2755 case CIRCUIT_PURPOSE_C_GENERAL
:
2756 if (circ
->build_state
->is_internal
)
2758 description
= "Requested exit node";
2759 rs
= options
->_ExcludeExitNodesUnion
;
2761 case CIRCUIT_PURPOSE_C_INTRODUCING
:
2762 case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT
:
2763 case CIRCUIT_PURPOSE_C_INTRODUCE_ACKED
:
2764 case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO
:
2765 case CIRCUIT_PURPOSE_S_CONNECT_REND
:
2766 case CIRCUIT_PURPOSE_S_REND_JOINED
:
2767 case CIRCUIT_PURPOSE_TESTING
:
2769 case CIRCUIT_PURPOSE_C_ESTABLISH_REND
:
2770 case CIRCUIT_PURPOSE_C_REND_READY
:
2771 case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED
:
2772 case CIRCUIT_PURPOSE_C_REND_JOINED
:
2773 description
= "Chosen rendezvous point";
2776 case CIRCUIT_PURPOSE_CONTROLLER
:
2777 rs
= options
->_ExcludeExitNodesUnion
;
2778 description
= "Controller-selected circuit target";
2782 if (routerset_contains_extendinfo(rs
, exit
)) {
2783 log_fn(LOG_WARN
, domain
, "%s '%s' is in ExcludeNodes%s. Using anyway "
2784 "(circuit purpose %d).",
2785 description
,exit
->nickname
,
2786 rs
==options
->ExcludeNodes
?"":" or ExcludeExitNodes",
2788 circuit_log_path(LOG_WARN
, domain
, circ
);
2794 /** Decide a suitable length for circ's cpath, and pick an exit
2795 * router (or use <b>exit</b> if provided). Store these in the
2796 * cpath. Return 0 if ok, -1 if circuit should be closed. */
2798 onion_pick_cpath_exit(origin_circuit_t
*circ
, extend_info_t
*exit
)
2800 cpath_build_state_t
*state
= circ
->build_state
;
2801 routerlist_t
*rl
= router_get_routerlist();
2803 if (state
->onehop_tunnel
) {
2804 log_debug(LD_CIRC
, "Launching a one-hop circuit for dir tunnel.");
2805 state
->desired_path_len
= 1;
2807 int r
= new_route_len(circ
->_base
.purpose
, exit
, rl
->routers
);
2808 if (r
< 1) /* must be at least 1 */
2810 state
->desired_path_len
= r
;
2813 if (exit
) { /* the circuit-builder pre-requested one */
2814 warn_if_last_router_excluded(circ
, exit
);
2815 log_info(LD_CIRC
,"Using requested exit node '%s'", exit
->nickname
);
2816 exit
= extend_info_dup(exit
);
2817 } else { /* we have to decide one */
2818 routerinfo_t
*router
=
2819 choose_good_exit_server(circ
->_base
.purpose
, rl
, state
->need_uptime
,
2820 state
->need_capacity
, state
->is_internal
);
2822 log_warn(LD_CIRC
,"failed to choose an exit server");
2825 exit
= extend_info_from_router(router
);
2827 state
->chosen_exit
= exit
;
2831 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
2832 * hop to the cpath reflecting this. Don't send the next extend cell --
2833 * the caller will do this if it wants to.
2836 circuit_append_new_exit(origin_circuit_t
*circ
, extend_info_t
*exit
)
2838 cpath_build_state_t
*state
;
2842 state
= circ
->build_state
;
2844 extend_info_free(state
->chosen_exit
);
2845 state
->chosen_exit
= extend_info_dup(exit
);
2847 ++circ
->build_state
->desired_path_len
;
2848 onion_append_hop(&circ
->cpath
, exit
);
2852 /** Take an open <b>circ</b>, and add a new hop at the end, based on
2853 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
2854 * send the next extend cell to begin connecting to that hop.
2857 circuit_extend_to_new_exit(origin_circuit_t
*circ
, extend_info_t
*exit
)
2860 warn_if_last_router_excluded(circ
, exit
);
2861 circuit_append_new_exit(circ
, exit
);
2862 circuit_set_state(TO_CIRCUIT(circ
), CIRCUIT_STATE_BUILDING
);
2863 if ((err_reason
= circuit_send_next_onion_skin(circ
))<0) {
2864 log_warn(LD_CIRC
, "Couldn't extend circuit to new point '%s'.",
2866 circuit_mark_for_close(TO_CIRCUIT(circ
), -err_reason
);
2872 /** Return the number of routers in <b>routers</b> that are currently up
2873 * and available for building circuits through.
2876 count_acceptable_routers(smartlist_t
*routers
)
2882 n
= smartlist_len(routers
);
2884 r
= smartlist_get(routers
, i
);
2885 // log_debug(LD_CIRC,
2886 // "Contemplating whether router %d (%s) is a new option.",
2888 if (r
->is_running
== 0) {
2889 // log_debug(LD_CIRC,"Nope, the directory says %d is not running.",i);
2892 if (r
->is_valid
== 0) {
2893 // log_debug(LD_CIRC,"Nope, the directory says %d is not valid.",i);
2895 /* XXX This clause makes us count incorrectly: if AllowInvalidRouters
2896 * allows this node in some places, then we're getting an inaccurate
2897 * count. For now, be conservative and don't count it. But later we
2898 * should try to be smarter. */
2901 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
2903 ; /* C requires an explicit statement after the label */
2909 /** Add <b>new_hop</b> to the end of the doubly-linked-list <b>head_ptr</b>.
2910 * This function is used to extend cpath by another hop.
2913 onion_append_to_cpath(crypt_path_t
**head_ptr
, crypt_path_t
*new_hop
)
2916 new_hop
->next
= (*head_ptr
);
2917 new_hop
->prev
= (*head_ptr
)->prev
;
2918 (*head_ptr
)->prev
->next
= new_hop
;
2919 (*head_ptr
)->prev
= new_hop
;
2921 *head_ptr
= new_hop
;
2922 new_hop
->prev
= new_hop
->next
= new_hop
;
2926 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
2927 * and <b>state</b> and the cpath <b>head</b> (currently populated only
2928 * to length <b>cur_len</b> to decide a suitable middle hop for a
2929 * circuit. In particular, make sure we don't pick the exit node or its
2930 * family, and make sure we don't duplicate any previous nodes or their
2932 static routerinfo_t
*
2933 choose_good_middle_server(uint8_t purpose
,
2934 cpath_build_state_t
*state
,
2939 routerinfo_t
*r
, *choice
;
2940 crypt_path_t
*cpath
;
2941 smartlist_t
*excluded
;
2942 or_options_t
*options
= get_options();
2943 router_crn_flags_t flags
= 0;
2944 tor_assert(_CIRCUIT_PURPOSE_MIN
<= purpose
&&
2945 purpose
<= _CIRCUIT_PURPOSE_MAX
);
2947 log_debug(LD_CIRC
, "Contemplating intermediate hop: random choice.");
2948 excluded
= smartlist_create();
2949 if ((r
= build_state_get_exit_router(state
))) {
2950 smartlist_add(excluded
, r
);
2951 routerlist_add_family(excluded
, r
);
2953 for (i
= 0, cpath
= head
; i
< cur_len
; ++i
, cpath
=cpath
->next
) {
2954 if ((r
= router_get_by_digest(cpath
->extend_info
->identity_digest
))) {
2955 smartlist_add(excluded
, r
);
2956 routerlist_add_family(excluded
, r
);
2960 if (state
->need_uptime
)
2961 flags
|= CRN_NEED_UPTIME
;
2962 if (state
->need_capacity
)
2963 flags
|= CRN_NEED_CAPACITY
;
2964 if (options
->_AllowInvalid
& ALLOW_INVALID_MIDDLE
)
2965 flags
|= CRN_ALLOW_INVALID
;
2966 choice
= router_choose_random_node(excluded
, options
->ExcludeNodes
, flags
);
2967 smartlist_free(excluded
);
2971 /** Pick a good entry server for the circuit to be built according to
2972 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
2973 * router (if we're an OR), and respect firewall settings; if we're
2974 * configured to use entry guards, return one.
2976 * If <b>state</b> is NULL, we're choosing a router to serve as an entry
2977 * guard, not for any particular circuit.
2979 static routerinfo_t
*
2980 choose_good_entry_server(uint8_t purpose
, cpath_build_state_t
*state
)
2982 routerinfo_t
*r
, *choice
;
2983 smartlist_t
*excluded
;
2984 or_options_t
*options
= get_options();
2985 router_crn_flags_t flags
= CRN_NEED_GUARD
;
2987 if (state
&& options
->UseEntryGuards
&&
2988 (purpose
!= CIRCUIT_PURPOSE_TESTING
|| options
->BridgeRelay
)) {
2989 return choose_random_entry(state
);
2992 excluded
= smartlist_create();
2994 if (state
&& (r
= build_state_get_exit_router(state
))) {
2995 smartlist_add(excluded
, r
);
2996 routerlist_add_family(excluded
, r
);
2998 if (firewall_is_fascist_or()) {
2999 /*XXXX This could slow things down a lot; use a smarter implementation */
3000 /* exclude all ORs that listen on the wrong port, if anybody notices. */
3001 routerlist_t
*rl
= router_get_routerlist();
3004 for (i
=0; i
< smartlist_len(rl
->routers
); i
++) {
3005 r
= smartlist_get(rl
->routers
, i
);
3006 if (!fascist_firewall_allows_or(r
))
3007 smartlist_add(excluded
, r
);
3010 /* and exclude current entry guards, if applicable */
3011 if (options
->UseEntryGuards
&& entry_guards
) {
3012 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, entry
,
3014 if ((r
= router_get_by_digest(entry
->identity
))) {
3015 smartlist_add(excluded
, r
);
3016 routerlist_add_family(excluded
, r
);
3022 if (state
->need_uptime
)
3023 flags
|= CRN_NEED_UPTIME
;
3024 if (state
->need_capacity
)
3025 flags
|= CRN_NEED_CAPACITY
;
3027 if (options
->_AllowInvalid
& ALLOW_INVALID_ENTRY
)
3028 flags
|= CRN_ALLOW_INVALID
;
3030 choice
= router_choose_random_node(excluded
, options
->ExcludeNodes
, flags
);
3031 smartlist_free(excluded
);
3035 /** Return the first non-open hop in cpath, or return NULL if all
3037 static crypt_path_t
*
3038 onion_next_hop_in_cpath(crypt_path_t
*cpath
)
3040 crypt_path_t
*hop
= cpath
;
3042 if (hop
->state
!= CPATH_STATE_OPEN
)
3045 } while (hop
!= cpath
);
3049 /** Choose a suitable next hop in the cpath <b>head_ptr</b>,
3050 * based on <b>state</b>. Append the hop info to head_ptr.
3053 onion_extend_cpath(origin_circuit_t
*circ
)
3055 uint8_t purpose
= circ
->_base
.purpose
;
3056 cpath_build_state_t
*state
= circ
->build_state
;
3057 int cur_len
= circuit_get_cpath_len(circ
);
3058 extend_info_t
*info
= NULL
;
3060 if (cur_len
>= state
->desired_path_len
) {
3061 log_debug(LD_CIRC
, "Path is complete: %d steps long",
3062 state
->desired_path_len
);
3066 log_debug(LD_CIRC
, "Path is %d long; we want %d", cur_len
,
3067 state
->desired_path_len
);
3069 if (cur_len
== state
->desired_path_len
- 1) { /* Picking last node */
3070 info
= extend_info_dup(state
->chosen_exit
);
3071 } else if (cur_len
== 0) { /* picking first node */
3072 routerinfo_t
*r
= choose_good_entry_server(purpose
, state
);
3074 info
= extend_info_from_router(r
);
3077 choose_good_middle_server(purpose
, state
, circ
->cpath
, cur_len
);
3079 info
= extend_info_from_router(r
);
3083 log_warn(LD_CIRC
,"Failed to find node for hop %d of our path. Discarding "
3084 "this circuit.", cur_len
);
3088 log_debug(LD_CIRC
,"Chose router %s for hop %d (exit is %s)",
3089 info
->nickname
, cur_len
+1, build_state_get_exit_nickname(state
));
3091 onion_append_hop(&circ
->cpath
, info
);
3092 extend_info_free(info
);
3096 /** Create a new hop, annotate it with information about its
3097 * corresponding router <b>choice</b>, and append it to the
3098 * end of the cpath <b>head_ptr</b>. */
3100 onion_append_hop(crypt_path_t
**head_ptr
, extend_info_t
*choice
)
3102 crypt_path_t
*hop
= tor_malloc_zero(sizeof(crypt_path_t
));
3104 /* link hop into the cpath, at the end. */
3105 onion_append_to_cpath(head_ptr
, hop
);
3107 hop
->magic
= CRYPT_PATH_MAGIC
;
3108 hop
->state
= CPATH_STATE_CLOSED
;
3110 hop
->extend_info
= extend_info_dup(choice
);
3112 hop
->package_window
= circuit_initial_package_window();
3113 hop
->deliver_window
= CIRCWINDOW_START
;
3118 /** Allocate a new extend_info object based on the various arguments. */
3120 extend_info_alloc(const char *nickname
, const char *digest
,
3121 crypto_pk_env_t
*onion_key
,
3122 const tor_addr_t
*addr
, uint16_t port
)
3124 extend_info_t
*info
= tor_malloc_zero(sizeof(extend_info_t
));
3125 memcpy(info
->identity_digest
, digest
, DIGEST_LEN
);
3127 strlcpy(info
->nickname
, nickname
, sizeof(info
->nickname
));
3129 info
->onion_key
= crypto_pk_dup_key(onion_key
);
3130 tor_addr_copy(&info
->addr
, addr
);
3135 /** Allocate and return a new extend_info_t that can be used to build a
3136 * circuit to or through the router <b>r</b>. */
3138 extend_info_from_router(routerinfo_t
*r
)
3142 tor_addr_from_ipv4h(&addr
, r
->addr
);
3143 return extend_info_alloc(r
->nickname
, r
->cache_info
.identity_digest
,
3144 r
->onion_pkey
, &addr
, r
->or_port
);
3147 /** Release storage held by an extend_info_t struct. */
3149 extend_info_free(extend_info_t
*info
)
3153 crypto_free_pk_env(info
->onion_key
);
3157 /** Allocate and return a new extend_info_t with the same contents as
3160 extend_info_dup(extend_info_t
*info
)
3162 extend_info_t
*newinfo
;
3164 newinfo
= tor_malloc(sizeof(extend_info_t
));
3165 memcpy(newinfo
, info
, sizeof(extend_info_t
));
3166 if (info
->onion_key
)
3167 newinfo
->onion_key
= crypto_pk_dup_key(info
->onion_key
);
3169 newinfo
->onion_key
= NULL
;
3173 /** Return the routerinfo_t for the chosen exit router in <b>state</b>.
3174 * If there is no chosen exit, or if we don't know the routerinfo_t for
3175 * the chosen exit, return NULL.
3178 build_state_get_exit_router(cpath_build_state_t
*state
)
3180 if (!state
|| !state
->chosen_exit
)
3182 return router_get_by_digest(state
->chosen_exit
->identity_digest
);
3185 /** Return the nickname for the chosen exit router in <b>state</b>. If
3186 * there is no chosen exit, or if we don't know the routerinfo_t for the
3187 * chosen exit, return NULL.
3190 build_state_get_exit_nickname(cpath_build_state_t
*state
)
3192 if (!state
|| !state
->chosen_exit
)
3194 return state
->chosen_exit
->nickname
;
3197 /** Check whether the entry guard <b>e</b> is usable, given the directory
3198 * authorities' opinion about the router (stored in <b>ri</b>) and the user's
3199 * configuration (in <b>options</b>). Set <b>e</b>->bad_since
3200 * accordingly. Return true iff the entry guard's status changes.
3202 * If it's not usable, set *<b>reason</b> to a static string explaining why.
3204 /*XXXX take a routerstatus, not a routerinfo. */
3206 entry_guard_set_status(entry_guard_t
*e
, routerinfo_t
*ri
,
3207 time_t now
, or_options_t
*options
, const char **reason
)
3209 char buf
[HEX_DIGEST_LEN
+1];
3214 /* Do we want to mark this guard as bad? */
3216 *reason
= "unlisted";
3217 else if (!ri
->is_running
)
3219 else if (options
->UseBridges
&& ri
->purpose
!= ROUTER_PURPOSE_BRIDGE
)
3220 *reason
= "not a bridge";
3221 else if (!options
->UseBridges
&& !ri
->is_possible_guard
&&
3222 !routerset_contains_router(options
->EntryNodes
,ri
))
3223 *reason
= "not recommended as a guard";
3224 else if (routerset_contains_router(options
->ExcludeNodes
, ri
))
3225 *reason
= "excluded";
3227 if (*reason
&& ! e
->bad_since
) {
3228 /* Router is newly bad. */
3229 base16_encode(buf
, sizeof(buf
), e
->identity
, DIGEST_LEN
);
3230 log_info(LD_CIRC
, "Entry guard %s (%s) is %s: marking as unusable.",
3231 e
->nickname
, buf
, *reason
);
3234 control_event_guard(e
->nickname
, e
->identity
, "BAD");
3236 } else if (!*reason
&& e
->bad_since
) {
3237 /* There's nothing wrong with the router any more. */
3238 base16_encode(buf
, sizeof(buf
), e
->identity
, DIGEST_LEN
);
3239 log_info(LD_CIRC
, "Entry guard %s (%s) is no longer unusable: "
3240 "marking as ok.", e
->nickname
, buf
);
3243 control_event_guard(e
->nickname
, e
->identity
, "GOOD");
3249 /** Return true iff enough time has passed since we last tried to connect
3250 * to the unreachable guard <b>e</b> that we're willing to try again. */
3252 entry_is_time_to_retry(entry_guard_t
*e
, time_t now
)
3255 if (e
->last_attempted
< e
->unreachable_since
)
3257 diff
= now
- e
->unreachable_since
;
3259 return now
> (e
->last_attempted
+ 60*60);
3260 else if (diff
< 3*24*60*60)
3261 return now
> (e
->last_attempted
+ 4*60*60);
3262 else if (diff
< 7*24*60*60)
3263 return now
> (e
->last_attempted
+ 18*60*60);
3265 return now
> (e
->last_attempted
+ 36*60*60);
3268 /** Return the router corresponding to <b>e</b>, if <b>e</b> is
3269 * working well enough that we are willing to use it as an entry
3270 * right now. (Else return NULL.) In particular, it must be
3271 * - Listed as either up or never yet contacted;
3272 * - Present in the routerlist;
3273 * - Listed as 'stable' or 'fast' by the current dirserver consensus,
3274 * if demanded by <b>need_uptime</b> or <b>need_capacity</b>
3275 * (unless it's a configured EntryNode);
3276 * - Allowed by our current ReachableORAddresses config option; and
3277 * - Currently thought to be reachable by us (unless <b>assume_reachable</b>
3280 * If the answer is no, set *<b>msg</b> to an explanation of why.
3282 static INLINE routerinfo_t
*
3283 entry_is_live(entry_guard_t
*e
, int need_uptime
, int need_capacity
,
3284 int assume_reachable
, const char **msg
)
3287 or_options_t
*options
= get_options();
3294 /* no good if it's unreachable, unless assume_unreachable or can_retry. */
3295 if (!assume_reachable
&& !e
->can_retry
&&
3296 e
->unreachable_since
&& !entry_is_time_to_retry(e
, time(NULL
))) {
3297 *msg
= "unreachable";
3300 r
= router_get_by_digest(e
->identity
);
3302 *msg
= "no descriptor";
3305 if (get_options()->UseBridges
&& r
->purpose
!= ROUTER_PURPOSE_BRIDGE
) {
3306 *msg
= "not a bridge";
3309 if (!get_options()->UseBridges
&& r
->purpose
!= ROUTER_PURPOSE_GENERAL
) {
3310 *msg
= "not general-purpose";
3313 if (options
->EntryNodes
&&
3314 routerset_contains_router(options
->EntryNodes
, r
)) {
3315 /* they asked for it, they get it */
3316 need_uptime
= need_capacity
= 0;
3318 if (router_is_unreliable(r
, need_uptime
, need_capacity
, 0)) {
3319 *msg
= "not fast/stable";
3322 if (!fascist_firewall_allows_or(r
)) {
3323 *msg
= "unreachable by config";
3329 /** Return the number of entry guards that we think are usable. */
3331 num_live_entry_guards(void)
3337 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, entry
,
3339 if (entry_is_live(entry
, 0, 1, 0, &msg
))
3345 /** If <b>digest</b> matches the identity of any node in the
3346 * entry_guards list, return that node. Else return NULL. */
3347 static INLINE entry_guard_t
*
3348 is_an_entry_guard(const char *digest
)
3350 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, entry
,
3351 if (!memcmp(digest
, entry
->identity
, DIGEST_LEN
))
3357 /** Dump a description of our list of entry guards to the log at level
3358 * <b>severity</b>. */
3360 log_entry_guards(int severity
)
3362 smartlist_t
*elements
= smartlist_create();
3365 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
,
3367 const char *msg
= NULL
;
3369 if (entry_is_live(e
, 0, 1, 0, &msg
))
3370 tor_asprintf(&cp
, "%s (up %s)",
3372 e
->made_contact
? "made-contact" : "never-contacted");
3374 tor_asprintf(&cp
, "%s (%s, %s)",
3376 e
->made_contact
? "made-contact" : "never-contacted");
3377 smartlist_add(elements
, cp
);
3380 s
= smartlist_join_strings(elements
, ",", 0, NULL
);
3381 SMARTLIST_FOREACH(elements
, char*, cp
, tor_free(cp
));
3382 smartlist_free(elements
);
3383 log_fn(severity
,LD_CIRC
,"%s",s
);
3387 /** Called when one or more guards that we would previously have used for some
3388 * purpose are no longer in use because a higher-priority guard has become
3391 control_event_guard_deferred(void)
3393 /* XXXX We don't actually have a good way to figure out _how many_ entries
3394 * are live for some purpose. We need an entry_is_even_slightly_live()
3395 * function for this to work right. NumEntryGuards isn't reliable: if we
3396 * need guards with weird properties, we can have more than that number
3402 or_options_t
*options
= get_options();
3405 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, entry
,
3407 if (entry_is_live(entry
, 0, 1, 0, &msg
)) {
3408 if (n
++ == options
->NumEntryGuards
) {
3409 control_event_guard(entry
->nickname
, entry
->identity
, "DEFERRED");
3417 /** Add a new (preferably stable and fast) router to our
3418 * entry_guards list. Return a pointer to the router if we succeed,
3419 * or NULL if we can't find any more suitable entries.
3421 * If <b>chosen</b> is defined, use that one, and if it's not
3422 * already in our entry_guards list, put it at the *beginning*.
3423 * Else, put the one we pick at the end of the list. */
3424 static routerinfo_t
*
3425 add_an_entry_guard(routerinfo_t
*chosen
, int reset_status
)
3427 routerinfo_t
*router
;
3428 entry_guard_t
*entry
;
3432 entry
= is_an_entry_guard(router
->cache_info
.identity_digest
);
3435 entry
->bad_since
= 0;
3436 entry
->can_retry
= 1;
3441 router
= choose_good_entry_server(CIRCUIT_PURPOSE_C_GENERAL
, NULL
);
3445 entry
= tor_malloc_zero(sizeof(entry_guard_t
));
3446 log_info(LD_CIRC
, "Chose '%s' as new entry guard.", router
->nickname
);
3447 strlcpy(entry
->nickname
, router
->nickname
, sizeof(entry
->nickname
));
3448 memcpy(entry
->identity
, router
->cache_info
.identity_digest
, DIGEST_LEN
);
3449 /* Choose expiry time smudged over the past month. The goal here
3450 * is to a) spread out when Tor clients rotate their guards, so they
3451 * don't all select them on the same day, and b) avoid leaving a
3452 * precise timestamp in the state file about when we first picked
3453 * this guard. For details, see the Jan 2010 or-dev thread. */
3454 entry
->chosen_on_date
= time(NULL
) - crypto_rand_int(3600*24*30);
3455 entry
->chosen_by_version
= tor_strdup(VERSION
);
3456 if (chosen
) /* prepend */
3457 smartlist_insert(entry_guards
, 0, entry
);
3459 smartlist_add(entry_guards
, entry
);
3460 control_event_guard(entry
->nickname
, entry
->identity
, "NEW");
3461 control_event_guard_deferred();
3462 log_entry_guards(LOG_INFO
);
3466 /** If the use of entry guards is configured, choose more entry guards
3467 * until we have enough in the list. */
3469 pick_entry_guards(or_options_t
*options
)
3473 tor_assert(entry_guards
);
3475 while (num_live_entry_guards() < options
->NumEntryGuards
) {
3476 if (!add_an_entry_guard(NULL
, 0))
3481 entry_guards_changed();
3484 /** How long (in seconds) do we allow an entry guard to be nonfunctional,
3485 * unlisted, excluded, or otherwise nonusable before we give up on it? */
3486 #define ENTRY_GUARD_REMOVE_AFTER (30*24*60*60)
3488 /** Release all storage held by <b>e</b>. */
3490 entry_guard_free(entry_guard_t
*e
)
3494 tor_free(e
->chosen_by_version
);
3498 /** Remove any entry guard which was selected by an unknown version of Tor,
3499 * or which was selected by a version of Tor that's known to select
3500 * entry guards badly. */
3502 remove_obsolete_entry_guards(time_t now
)
3506 for (i
= 0; i
< smartlist_len(entry_guards
); ++i
) {
3507 entry_guard_t
*entry
= smartlist_get(entry_guards
, i
);
3508 const char *ver
= entry
->chosen_by_version
;
3509 const char *msg
= NULL
;
3511 int version_is_bad
= 0, date_is_bad
= 0;
3513 msg
= "does not say what version of Tor it was selected by";
3515 } else if (tor_version_parse(ver
, &v
)) {
3516 msg
= "does not seem to be from any recognized version of Tor";
3519 size_t len
= strlen(ver
)+5;
3520 char *tor_ver
= tor_malloc(len
);
3521 tor_snprintf(tor_ver
, len
, "Tor %s", ver
);
3522 if ((tor_version_as_new_as(tor_ver
, "0.1.0.10-alpha") &&
3523 !tor_version_as_new_as(tor_ver
, "0.1.2.16-dev")) ||
3524 (tor_version_as_new_as(tor_ver
, "0.2.0.0-alpha") &&
3525 !tor_version_as_new_as(tor_ver
, "0.2.0.6-alpha")) ||
3526 /* above are bug 440; below are bug 1217 */
3527 (tor_version_as_new_as(tor_ver
, "0.2.1.3-alpha") &&
3528 !tor_version_as_new_as(tor_ver
, "0.2.1.23")) ||
3529 (tor_version_as_new_as(tor_ver
, "0.2.2.0-alpha") &&
3530 !tor_version_as_new_as(tor_ver
, "0.2.2.7-alpha"))) {
3531 msg
= "was selected without regard for guard bandwidth";
3536 if (!version_is_bad
&& entry
->chosen_on_date
+ 3600*24*60 < now
) {
3537 /* It's been 2 months since the date listed in our state file. */
3538 msg
= "was selected several months ago";
3542 if (version_is_bad
|| date_is_bad
) { /* we need to drop it */
3543 char dbuf
[HEX_DIGEST_LEN
+1];
3545 base16_encode(dbuf
, sizeof(dbuf
), entry
->identity
, DIGEST_LEN
);
3546 log_fn(version_is_bad
? LOG_NOTICE
: LOG_INFO
, LD_CIRC
,
3547 "Entry guard '%s' (%s) %s. (Version=%s.) Replacing it.",
3548 entry
->nickname
, dbuf
, msg
, ver
?escaped(ver
):"none");
3549 control_event_guard(entry
->nickname
, entry
->identity
, "DROPPED");
3550 entry_guard_free(entry
);
3551 smartlist_del_keeporder(entry_guards
, i
--);
3552 log_entry_guards(LOG_INFO
);
3557 return changed
? 1 : 0;
3560 /** Remove all entry guards that have been down or unlisted for so
3561 * long that we don't think they'll come up again. Return 1 if we
3562 * removed any, or 0 if we did nothing. */
3564 remove_dead_entry_guards(time_t now
)
3566 char dbuf
[HEX_DIGEST_LEN
+1];
3567 char tbuf
[ISO_TIME_LEN
+1];
3571 for (i
= 0; i
< smartlist_len(entry_guards
); ) {
3572 entry_guard_t
*entry
= smartlist_get(entry_guards
, i
);
3573 if (entry
->bad_since
&&
3574 entry
->bad_since
+ ENTRY_GUARD_REMOVE_AFTER
< now
) {
3576 base16_encode(dbuf
, sizeof(dbuf
), entry
->identity
, DIGEST_LEN
);
3577 format_local_iso_time(tbuf
, entry
->bad_since
);
3578 log_info(LD_CIRC
, "Entry guard '%s' (%s) has been down or unlisted "
3579 "since %s local time; removing.",
3580 entry
->nickname
, dbuf
, tbuf
);
3581 control_event_guard(entry
->nickname
, entry
->identity
, "DROPPED");
3582 entry_guard_free(entry
);
3583 smartlist_del_keeporder(entry_guards
, i
);
3584 log_entry_guards(LOG_INFO
);
3589 return changed
? 1 : 0;
3592 /** A new directory or router-status has arrived; update the down/listed
3593 * status of the entry guards.
3595 * An entry is 'down' if the directory lists it as nonrunning.
3596 * An entry is 'unlisted' if the directory doesn't include it.
3598 * Don't call this on startup; only on a fresh download. Otherwise we'll
3599 * think that things are unlisted.
3602 entry_guards_compute_status(or_options_t
*options
, time_t now
)
3605 int severity
= LOG_DEBUG
;
3606 digestmap_t
*reasons
;
3611 if (options
->EntryNodes
) /* reshuffle the entry guard list if needed */
3612 entry_nodes_should_be_added();
3614 reasons
= digestmap_new();
3615 SMARTLIST_FOREACH_BEGIN(entry_guards
, entry_guard_t
*, entry
)
3617 routerinfo_t
*r
= router_get_by_digest(entry
->identity
);
3618 const char *reason
= NULL
;
3619 if (entry_guard_set_status(entry
, r
, now
, options
, &reason
))
3622 if (entry
->bad_since
)
3625 digestmap_set(reasons
, entry
->identity
, (char*)reason
);
3627 SMARTLIST_FOREACH_END(entry
);
3629 if (remove_dead_entry_guards(now
))
3632 severity
= changed
? LOG_DEBUG
: LOG_INFO
;
3635 SMARTLIST_FOREACH_BEGIN(entry_guards
, entry_guard_t
*, entry
) {
3636 const char *reason
= digestmap_get(reasons
, entry
->identity
);
3637 const char *live_msg
= "";
3638 routerinfo_t
*r
= entry_is_live(entry
, 0, 1, 0, &live_msg
);
3639 log_info(LD_CIRC
, "Summary: Entry '%s' is %s, %s%s%s, and %s%s.",
3641 entry
->unreachable_since
? "unreachable" : "reachable",
3642 entry
->bad_since
? "unusable" : "usable",
3644 reason
? reason
: "",
3645 r
? "live" : "not live / ",
3647 } SMARTLIST_FOREACH_END(entry
);
3648 log_info(LD_CIRC
, " (%d/%d entry guards are usable/new)",
3649 num_live_entry_guards(), smartlist_len(entry_guards
));
3650 log_entry_guards(LOG_INFO
);
3651 entry_guards_changed();
3654 digestmap_free(reasons
, NULL
);
3657 /** Called when a connection to an OR with the identity digest <b>digest</b>
3658 * is established (<b>succeeded</b>==1) or has failed (<b>succeeded</b>==0).
3659 * If the OR is an entry, change that entry's up/down status.
3660 * Return 0 normally, or -1 if we want to tear down the new connection.
3662 * If <b>mark_relay_status</b>, also call router_set_status() on this
3665 * XXX022 change succeeded and mark_relay_status into 'int flags'.
3668 entry_guard_register_connect_status(const char *digest
, int succeeded
,
3669 int mark_relay_status
, time_t now
)
3672 int refuse_conn
= 0;
3673 int first_contact
= 0;
3674 entry_guard_t
*entry
= NULL
;
3676 char buf
[HEX_DIGEST_LEN
+1];
3681 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
,
3683 if (!memcmp(e
->identity
, digest
, DIGEST_LEN
)) {
3693 base16_encode(buf
, sizeof(buf
), entry
->identity
, DIGEST_LEN
);
3696 if (entry
->unreachable_since
) {
3697 log_info(LD_CIRC
, "Entry guard '%s' (%s) is now reachable again. Good.",
3698 entry
->nickname
, buf
);
3699 entry
->can_retry
= 0;
3700 entry
->unreachable_since
= 0;
3701 entry
->last_attempted
= now
;
3702 control_event_guard(entry
->nickname
, entry
->identity
, "UP");
3705 if (!entry
->made_contact
) {
3706 entry
->made_contact
= 1;
3707 first_contact
= changed
= 1;
3709 } else { /* ! succeeded */
3710 if (!entry
->made_contact
) {
3711 /* We've never connected to this one. */
3713 "Connection to never-contacted entry guard '%s' (%s) failed. "
3714 "Removing from the list. %d/%d entry guards usable/new.",
3715 entry
->nickname
, buf
,
3716 num_live_entry_guards()-1, smartlist_len(entry_guards
)-1);
3717 control_event_guard(entry
->nickname
, entry
->identity
, "DROPPED");
3718 entry_guard_free(entry
);
3719 smartlist_del_keeporder(entry_guards
, idx
);
3720 log_entry_guards(LOG_INFO
);
3722 } else if (!entry
->unreachable_since
) {
3723 log_info(LD_CIRC
, "Unable to connect to entry guard '%s' (%s). "
3724 "Marking as unreachable.", entry
->nickname
, buf
);
3725 entry
->unreachable_since
= entry
->last_attempted
= now
;
3726 control_event_guard(entry
->nickname
, entry
->identity
, "DOWN");
3728 entry
->can_retry
= 0; /* We gave it an early chance; no good. */
3730 char tbuf
[ISO_TIME_LEN
+1];
3731 format_iso_time(tbuf
, entry
->unreachable_since
);
3732 log_debug(LD_CIRC
, "Failed to connect to unreachable entry guard "
3733 "'%s' (%s). It has been unreachable since %s.",
3734 entry
->nickname
, buf
, tbuf
);
3735 entry
->last_attempted
= now
;
3736 entry
->can_retry
= 0; /* We gave it an early chance; no good. */
3740 /* if the caller asked us to, also update the is_running flags for this
3742 if (mark_relay_status
)
3743 router_set_status(digest
, succeeded
);
3745 if (first_contact
) {
3746 /* We've just added a new long-term entry guard. Perhaps the network just
3747 * came back? We should give our earlier entries another try too,
3748 * and close this connection so we don't use it before we've given
3749 * the others a shot. */
3750 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
, {
3753 if (e
->made_contact
) {
3755 routerinfo_t
*r
= entry_is_live(e
, 0, 1, 1, &msg
);
3756 if (r
&& e
->unreachable_since
) {
3764 "Connected to new entry guard '%s' (%s). Marking earlier "
3765 "entry guards up. %d/%d entry guards usable/new.",
3766 entry
->nickname
, buf
,
3767 num_live_entry_guards(), smartlist_len(entry_guards
));
3768 log_entry_guards(LOG_INFO
);
3774 entry_guards_changed();
3775 return refuse_conn
? -1 : 0;
3778 /** When we try to choose an entry guard, should we parse and add
3779 * config's EntryNodes first? */
3780 static int should_add_entry_nodes
= 0;
3782 /** Called when the value of EntryNodes changes in our configuration. */
3784 entry_nodes_should_be_added(void)
3786 log_info(LD_CIRC
, "EntryNodes config option set. Putting configured "
3787 "relays at the front of the entry guard list.");
3788 should_add_entry_nodes
= 1;
3791 /** Add all nodes in EntryNodes that aren't currently guard nodes to the list
3792 * of guard nodes, at the front. */
3794 entry_guards_prepend_from_config(or_options_t
*options
)
3796 smartlist_t
*entry_routers
, *entry_fps
;
3797 smartlist_t
*old_entry_guards_on_list
, *old_entry_guards_not_on_list
;
3798 tor_assert(entry_guards
);
3800 should_add_entry_nodes
= 0;
3802 if (!options
->EntryNodes
) {
3803 /* It's possible that a controller set EntryNodes, thus making
3804 * should_add_entry_nodes set, then cleared it again, all before the
3805 * call to choose_random_entry() that triggered us. If so, just return.
3811 char *string
= routerset_to_string(options
->EntryNodes
);
3812 log_info(LD_CIRC
,"Adding configured EntryNodes '%s'.", string
);
3816 entry_routers
= smartlist_create();
3817 entry_fps
= smartlist_create();
3818 old_entry_guards_on_list
= smartlist_create();
3819 old_entry_guards_not_on_list
= smartlist_create();
3821 /* Split entry guards into those on the list and those not. */
3823 /* XXXX022 Now that we allow countries and IP ranges in EntryNodes, this is
3824 * potentially an enormous list. For now, we disable such values for
3825 * EntryNodes in options_validate(); really, this wants a better solution.
3826 * Perhaps we should do this calculation once whenever the list of routers
3827 * changes or the entrynodes setting changes.
3829 routerset_get_all_routers(entry_routers
, options
->EntryNodes
, 0);
3830 SMARTLIST_FOREACH(entry_routers
, routerinfo_t
*, ri
,
3831 smartlist_add(entry_fps
,ri
->cache_info
.identity_digest
));
3832 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
, {
3833 if (smartlist_digest_isin(entry_fps
, e
->identity
))
3834 smartlist_add(old_entry_guards_on_list
, e
);
3836 smartlist_add(old_entry_guards_not_on_list
, e
);
3839 /* Remove all currently configured entry guards from entry_routers. */
3840 SMARTLIST_FOREACH(entry_routers
, routerinfo_t
*, ri
, {
3841 if (is_an_entry_guard(ri
->cache_info
.identity_digest
)) {
3842 SMARTLIST_DEL_CURRENT(entry_routers
, ri
);
3846 /* Now build the new entry_guards list. */
3847 smartlist_clear(entry_guards
);
3848 /* First, the previously configured guards that are in EntryNodes. */
3849 smartlist_add_all(entry_guards
, old_entry_guards_on_list
);
3850 /* Next, the rest of EntryNodes */
3851 SMARTLIST_FOREACH(entry_routers
, routerinfo_t
*, ri
, {
3852 add_an_entry_guard(ri
, 0);
3854 /* Finally, the remaining previously configured guards that are not in
3855 * EntryNodes, unless we're strict in which case we drop them */
3856 if (options
->StrictNodes
) {
3857 SMARTLIST_FOREACH(old_entry_guards_not_on_list
, entry_guard_t
*, e
,
3858 entry_guard_free(e
));
3860 smartlist_add_all(entry_guards
, old_entry_guards_not_on_list
);
3863 smartlist_free(entry_routers
);
3864 smartlist_free(entry_fps
);
3865 smartlist_free(old_entry_guards_on_list
);
3866 smartlist_free(old_entry_guards_not_on_list
);
3867 entry_guards_changed();
3870 /** Return 0 if we're fine adding arbitrary routers out of the
3871 * directory to our entry guard list, or return 1 if we have a
3872 * list already and we'd prefer to stick to it.
3875 entry_list_is_constrained(or_options_t
*options
)
3877 if (options
->EntryNodes
)
3879 if (options
->UseBridges
)
3884 /* Are we dead set against changing our entry guard list, or would we
3885 * change it if it means keeping Tor usable? */
3887 entry_list_is_totally_static(or_options_t
*options
)
3889 if (options
->EntryNodes
&& options
->StrictNodes
)
3891 if (options
->UseBridges
)
3896 /** Pick a live (up and listed) entry guard from entry_guards. If
3897 * <b>state</b> is non-NULL, this is for a specific circuit --
3898 * make sure not to pick this circuit's exit or any node in the
3899 * exit's family. If <b>state</b> is NULL, we're looking for a random
3900 * guard (likely a bridge). */
3902 choose_random_entry(cpath_build_state_t
*state
)
3904 or_options_t
*options
= get_options();
3905 smartlist_t
*live_entry_guards
= smartlist_create();
3906 smartlist_t
*exit_family
= smartlist_create();
3907 routerinfo_t
*chosen_exit
= state
?build_state_get_exit_router(state
) : NULL
;
3908 routerinfo_t
*r
= NULL
;
3909 int need_uptime
= state
? state
->need_uptime
: 0;
3910 int need_capacity
= state
? state
->need_capacity
: 0;
3911 int preferred_min
, consider_exit_family
= 0;
3914 smartlist_add(exit_family
, chosen_exit
);
3915 routerlist_add_family(exit_family
, chosen_exit
);
3916 consider_exit_family
= 1;
3920 entry_guards
= smartlist_create();
3922 if (should_add_entry_nodes
)
3923 entry_guards_prepend_from_config(options
);
3925 if (!entry_list_is_constrained(options
) &&
3926 smartlist_len(entry_guards
) < options
->NumEntryGuards
)
3927 pick_entry_guards(options
);
3930 smartlist_clear(live_entry_guards
);
3931 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, entry
,
3934 r
= entry_is_live(entry
, need_uptime
, need_capacity
, 0, &msg
);
3936 continue; /* down, no point */
3937 if (consider_exit_family
&& smartlist_isin(exit_family
, r
))
3938 continue; /* avoid relays that are family members of our exit */
3939 if (options
->EntryNodes
&&
3940 !routerset_contains_router(options
->EntryNodes
, r
)) {
3941 /* We've come to the end of our preferred entry nodes. */
3942 if (smartlist_len(live_entry_guards
))
3943 goto choose_and_finish
; /* only choose from the ones we like */
3944 if (options
->StrictNodes
) {
3945 /* in theory this case should never happen, since
3946 * entry_guards_prepend_from_config() drops unwanted relays */
3947 tor_fragile_assert();
3950 "No relays from EntryNodes available. Using others.");
3953 smartlist_add(live_entry_guards
, r
);
3954 if (!entry
->made_contact
) {
3955 /* Always start with the first not-yet-contacted entry
3956 * guard. Otherwise we might add several new ones, pick
3957 * the second new one, and now we've expanded our entry
3958 * guard list without needing to. */
3959 goto choose_and_finish
;
3961 if (smartlist_len(live_entry_guards
) >= options
->NumEntryGuards
)
3962 break; /* we have enough */
3965 if (entry_list_is_constrained(options
)) {
3966 /* If we prefer the entry nodes we've got, and we have at least
3967 * one choice, that's great. Use it. */
3970 /* Try to have at least 2 choices available. This way we don't
3971 * get stuck with a single live-but-crummy entry and just keep
3973 * (We might get 2 live-but-crummy entry guards, but so be it.) */
3977 if (smartlist_len(live_entry_guards
) < preferred_min
) {
3978 if (!entry_list_is_totally_static(options
)) {
3979 /* still no? try adding a new entry then */
3980 /* XXX if guard doesn't imply fast and stable, then we need
3981 * to tell add_an_entry_guard below what we want, or it might
3982 * be a long time til we get it. -RD */
3983 r
= add_an_entry_guard(NULL
, 0);
3985 entry_guards_changed();
3986 /* XXX we start over here in case the new node we added shares
3987 * a family with our exit node. There's a chance that we'll just
3988 * load up on entry guards here, if the network we're using is
3989 * one big family. Perhaps we should teach add_an_entry_guard()
3990 * to understand nodes-to-avoid-if-possible? -RD */
3994 if (!r
&& need_uptime
) {
3995 need_uptime
= 0; /* try without that requirement */
3998 if (!r
&& need_capacity
) {
3999 /* still no? last attempt, try without requiring capacity */
4003 if (!r
&& entry_list_is_constrained(options
) && consider_exit_family
) {
4004 /* still no? if we're using bridges or have strictentrynodes
4005 * set, and our chosen exit is in the same family as all our
4006 * bridges/entry guards, then be flexible about families. */
4007 consider_exit_family
= 0;
4010 /* live_entry_guards may be empty below. Oh well, we tried. */
4014 if (entry_list_is_constrained(options
)) {
4015 /* We need to weight by bandwidth, because our bridges or entryguards
4016 * were not already selected proportional to their bandwidth. */
4017 r
= routerlist_sl_choose_by_bandwidth(live_entry_guards
, WEIGHT_FOR_GUARD
);
4019 /* We choose uniformly at random here, because choose_good_entry_server()
4020 * already weights its choices by bandwidth, so we don't want to
4021 * *double*-weight our guard selection. */
4022 r
= smartlist_choose(live_entry_guards
);
4024 smartlist_free(live_entry_guards
);
4025 smartlist_free(exit_family
);
4029 /** Parse <b>state</b> and learn about the entry guards it describes.
4030 * If <b>set</b> is true, and there are no errors, replace the global
4031 * entry_list with what we find.
4032 * On success, return 0. On failure, alloc into *<b>msg</b> a string
4033 * describing the error, and return -1.
4036 entry_guards_parse_state(or_state_t
*state
, int set
, char **msg
)
4038 entry_guard_t
*node
= NULL
;
4039 smartlist_t
*new_entry_guards
= smartlist_create();
4040 config_line_t
*line
;
4041 time_t now
= time(NULL
);
4042 const char *state_version
= state
->TorVersion
;
4043 digestmap_t
*added_by
= digestmap_new();
4046 for (line
= state
->EntryGuards
; line
; line
= line
->next
) {
4047 if (!strcasecmp(line
->key
, "EntryGuard")) {
4048 smartlist_t
*args
= smartlist_create();
4049 node
= tor_malloc_zero(sizeof(entry_guard_t
));
4050 /* all entry guards on disk have been contacted */
4051 node
->made_contact
= 1;
4052 smartlist_add(new_entry_guards
, node
);
4053 smartlist_split_string(args
, line
->value
, " ",
4054 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, 0);
4055 if (smartlist_len(args
)<2) {
4056 *msg
= tor_strdup("Unable to parse entry nodes: "
4057 "Too few arguments to EntryGuard");
4058 } else if (!is_legal_nickname(smartlist_get(args
,0))) {
4059 *msg
= tor_strdup("Unable to parse entry nodes: "
4060 "Bad nickname for EntryGuard");
4062 strlcpy(node
->nickname
, smartlist_get(args
,0), MAX_NICKNAME_LEN
+1);
4063 if (base16_decode(node
->identity
, DIGEST_LEN
, smartlist_get(args
,1),
4064 strlen(smartlist_get(args
,1)))<0) {
4065 *msg
= tor_strdup("Unable to parse entry nodes: "
4066 "Bad hex digest for EntryGuard");
4069 SMARTLIST_FOREACH(args
, char*, cp
, tor_free(cp
));
4070 smartlist_free(args
);
4073 } else if (!strcasecmp(line
->key
, "EntryGuardDownSince") ||
4074 !strcasecmp(line
->key
, "EntryGuardUnlistedSince")) {
4076 time_t last_try
= 0;
4078 *msg
= tor_strdup("Unable to parse entry nodes: "
4079 "EntryGuardDownSince/UnlistedSince without EntryGuard");
4082 if (parse_iso_time(line
->value
, &when
)<0) {
4083 *msg
= tor_strdup("Unable to parse entry nodes: "
4084 "Bad time in EntryGuardDownSince/UnlistedSince");
4088 /* It's a bad idea to believe info in the future: you can wind
4089 * up with timeouts that aren't allowed to happen for years. */
4092 if (strlen(line
->value
) >= ISO_TIME_LEN
+ISO_TIME_LEN
+1) {
4093 /* ignore failure */
4094 (void) parse_iso_time(line
->value
+ISO_TIME_LEN
+1, &last_try
);
4096 if (!strcasecmp(line
->key
, "EntryGuardDownSince")) {
4097 node
->unreachable_since
= when
;
4098 node
->last_attempted
= last_try
;
4100 node
->bad_since
= when
;
4102 } else if (!strcasecmp(line
->key
, "EntryGuardAddedBy")) {
4104 /* format is digest version date */
4105 if (strlen(line
->value
) < HEX_DIGEST_LEN
+1+1+1+ISO_TIME_LEN
) {
4106 log_warn(LD_BUG
, "EntryGuardAddedBy line is not long enough.");
4109 if (base16_decode(d
, sizeof(d
), line
->value
, HEX_DIGEST_LEN
)<0 ||
4110 line
->value
[HEX_DIGEST_LEN
] != ' ') {
4111 log_warn(LD_BUG
, "EntryGuardAddedBy line %s does not begin with "
4112 "hex digest", escaped(line
->value
));
4115 digestmap_set(added_by
, d
, tor_strdup(line
->value
+HEX_DIGEST_LEN
+1));
4117 log_warn(LD_BUG
, "Unexpected key %s", line
->key
);
4121 SMARTLIST_FOREACH(new_entry_guards
, entry_guard_t
*, e
,
4124 char *val
= digestmap_get(added_by
, e
->identity
);
4125 if (val
&& (sp
= strchr(val
, ' '))) {
4128 if (parse_iso_time(sp
, &when
)<0) {
4129 log_warn(LD_BUG
, "Can't read time %s in EntryGuardAddedBy", sp
);
4131 e
->chosen_by_version
= tor_strdup(val
);
4132 e
->chosen_on_date
= when
;
4135 if (state_version
) {
4136 e
->chosen_by_version
= tor_strdup(state_version
);
4137 e
->chosen_on_date
= time(NULL
) - crypto_rand_int(3600*24*30);
4143 SMARTLIST_FOREACH(new_entry_guards
, entry_guard_t
*, e
,
4144 entry_guard_free(e
));
4145 smartlist_free(new_entry_guards
);
4146 } else { /* !err && set */
4148 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
,
4149 entry_guard_free(e
));
4150 smartlist_free(entry_guards
);
4152 entry_guards
= new_entry_guards
;
4153 entry_guards_dirty
= 0;
4154 /* XXX022 hand new_entry_guards to this func, and move it up a
4155 * few lines, so we don't have to re-dirty it */
4156 if (remove_obsolete_entry_guards(now
))
4157 entry_guards_dirty
= 1;
4159 digestmap_free(added_by
, _tor_free
);
4160 return *msg
? -1 : 0;
4163 /** Our list of entry guards has changed, or some element of one
4164 * of our entry guards has changed. Write the changes to disk within
4165 * the next few minutes.
4168 entry_guards_changed(void)
4171 entry_guards_dirty
= 1;
4173 /* or_state_save() will call entry_guards_update_state(). */
4174 when
= get_options()->AvoidDiskWrites
? time(NULL
) + 3600 : time(NULL
)+600;
4175 or_state_mark_dirty(get_or_state(), when
);
4178 /** If the entry guard info has not changed, do nothing and return.
4179 * Otherwise, free the EntryGuards piece of <b>state</b> and create
4180 * a new one out of the global entry_guards list, and then mark
4181 * <b>state</b> dirty so it will get saved to disk.
4184 entry_guards_update_state(or_state_t
*state
)
4186 config_line_t
**next
, *line
;
4187 if (! entry_guards_dirty
)
4190 config_free_lines(state
->EntryGuards
);
4191 next
= &state
->EntryGuards
;
4194 entry_guards
= smartlist_create();
4195 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
,
4197 char dbuf
[HEX_DIGEST_LEN
+1];
4198 if (!e
->made_contact
)
4199 continue; /* don't write this one to disk */
4200 *next
= line
= tor_malloc_zero(sizeof(config_line_t
));
4201 line
->key
= tor_strdup("EntryGuard");
4202 line
->value
= tor_malloc(HEX_DIGEST_LEN
+MAX_NICKNAME_LEN
+2);
4203 base16_encode(dbuf
, sizeof(dbuf
), e
->identity
, DIGEST_LEN
);
4204 tor_snprintf(line
->value
,HEX_DIGEST_LEN
+MAX_NICKNAME_LEN
+2,
4205 "%s %s", e
->nickname
, dbuf
);
4206 next
= &(line
->next
);
4207 if (e
->unreachable_since
) {
4208 *next
= line
= tor_malloc_zero(sizeof(config_line_t
));
4209 line
->key
= tor_strdup("EntryGuardDownSince");
4210 line
->value
= tor_malloc(ISO_TIME_LEN
+1+ISO_TIME_LEN
+1);
4211 format_iso_time(line
->value
, e
->unreachable_since
);
4212 if (e
->last_attempted
) {
4213 line
->value
[ISO_TIME_LEN
] = ' ';
4214 format_iso_time(line
->value
+ISO_TIME_LEN
+1, e
->last_attempted
);
4216 next
= &(line
->next
);
4219 *next
= line
= tor_malloc_zero(sizeof(config_line_t
));
4220 line
->key
= tor_strdup("EntryGuardUnlistedSince");
4221 line
->value
= tor_malloc(ISO_TIME_LEN
+1);
4222 format_iso_time(line
->value
, e
->bad_since
);
4223 next
= &(line
->next
);
4225 if (e
->chosen_on_date
&& e
->chosen_by_version
&&
4226 !strchr(e
->chosen_by_version
, ' ')) {
4227 char d
[HEX_DIGEST_LEN
+1];
4228 char t
[ISO_TIME_LEN
+1];
4230 *next
= line
= tor_malloc_zero(sizeof(config_line_t
));
4231 line
->key
= tor_strdup("EntryGuardAddedBy");
4232 val_len
= (HEX_DIGEST_LEN
+1+strlen(e
->chosen_by_version
)
4234 line
->value
= tor_malloc(val_len
);
4235 base16_encode(d
, sizeof(d
), e
->identity
, DIGEST_LEN
);
4236 format_iso_time(t
, e
->chosen_on_date
);
4237 tor_snprintf(line
->value
, val_len
, "%s %s %s",
4238 d
, e
->chosen_by_version
, t
);
4239 next
= &(line
->next
);
4242 if (!get_options()->AvoidDiskWrites
)
4243 or_state_mark_dirty(get_or_state(), 0);
4244 entry_guards_dirty
= 0;
4247 /** If <b>question</b> is the string "entry-guards", then dump
4248 * to *<b>answer</b> a newly allocated string describing all of
4249 * the nodes in the global entry_guards list. See control-spec.txt
4251 * For backward compatibility, we also handle the string "helper-nodes".
4254 getinfo_helper_entry_guards(control_connection_t
*conn
,
4255 const char *question
, char **answer
,
4256 const char **errmsg
)
4261 if (!strcmp(question
,"entry-guards") ||
4262 !strcmp(question
,"helper-nodes")) {
4263 smartlist_t
*sl
= smartlist_create();
4264 char tbuf
[ISO_TIME_LEN
+1];
4265 char nbuf
[MAX_VERBOSE_NICKNAME_LEN
+1];
4267 entry_guards
= smartlist_create();
4268 SMARTLIST_FOREACH_BEGIN(entry_guards
, entry_guard_t
*, e
) {
4269 size_t len
= MAX_VERBOSE_NICKNAME_LEN
+ISO_TIME_LEN
+32;
4270 char *c
= tor_malloc(len
);
4271 const char *status
= NULL
;
4275 if (!e
->made_contact
) {
4276 status
= "never-connected";
4277 } else if (e
->bad_since
) {
4278 when
= e
->bad_since
;
4279 status
= "unusable";
4284 ri
= router_get_by_digest(e
->identity
);
4286 router_get_verbose_nickname(nbuf
, ri
);
4289 base16_encode(nbuf
+1, sizeof(nbuf
)-1, e
->identity
, DIGEST_LEN
);
4290 /* e->nickname field is not very reliable if we don't know about
4291 * this router any longer; don't include it. */
4295 format_iso_time(tbuf
, when
);
4296 tor_snprintf(c
, len
, "%s %s %s\n", nbuf
, status
, tbuf
);
4298 tor_snprintf(c
, len
, "%s %s\n", nbuf
, status
);
4300 smartlist_add(sl
, c
);
4301 } SMARTLIST_FOREACH_END(e
);
4302 *answer
= smartlist_join_strings(sl
, "", 0, NULL
);
4303 SMARTLIST_FOREACH(sl
, char *, c
, tor_free(c
));
4309 /** Information about a configured bridge. Currently this just matches the
4310 * ones in the torrc file, but one day we may be able to learn about new
4311 * bridges on our own, and remember them in the state file. */
4313 /** Address of the bridge. */
4315 /** TLS port for the bridge. */
4317 /** Expected identity digest, or all zero bytes if we don't know what the
4318 * digest should be. */
4319 char identity
[DIGEST_LEN
];
4320 /** When should we next try to fetch a descriptor for this bridge? */
4321 download_status_t fetch_status
;
4324 /** A list of configured bridges. Whenever we actually get a descriptor
4325 * for one, we add it as an entry guard. */
4326 static smartlist_t
*bridge_list
= NULL
;
4328 /** Initialize the bridge list to empty, creating it if needed. */
4330 clear_bridge_list(void)
4333 bridge_list
= smartlist_create();
4334 SMARTLIST_FOREACH(bridge_list
, bridge_info_t
*, b
, tor_free(b
));
4335 smartlist_clear(bridge_list
);
4338 /** Return a bridge pointer if <b>ri</b> is one of our known bridges
4339 * (either by comparing keys if possible, else by comparing addr/port).
4340 * Else return NULL. */
4341 static bridge_info_t
*
4342 get_configured_bridge_by_addr_port_digest(tor_addr_t
*addr
, uint16_t port
,
4347 SMARTLIST_FOREACH_BEGIN(bridge_list
, bridge_info_t
*, bridge
)
4349 if (tor_digest_is_zero(bridge
->identity
) &&
4350 !tor_addr_compare(&bridge
->addr
, addr
, CMP_EXACT
) &&
4351 bridge
->port
== port
)
4353 if (!memcmp(bridge
->identity
, digest
, DIGEST_LEN
))
4356 SMARTLIST_FOREACH_END(bridge
);
4360 /** Wrapper around get_configured_bridge_by_addr_port_digest() to look
4361 * it up via router descriptor <b>ri</b>. */
4362 static bridge_info_t
*
4363 get_configured_bridge_by_routerinfo(routerinfo_t
*ri
)
4366 tor_addr_from_ipv4h(&addr
, ri
->addr
);
4367 return get_configured_bridge_by_addr_port_digest(&addr
,
4368 ri
->or_port
, ri
->cache_info
.identity_digest
);
4371 /** Return 1 if <b>ri</b> is one of our known bridges, else 0. */
4373 routerinfo_is_a_configured_bridge(routerinfo_t
*ri
)
4375 return get_configured_bridge_by_routerinfo(ri
) ? 1 : 0;
4378 /** We made a connection to a router at <b>addr</b>:<b>port</b>
4379 * without knowing its digest. Its digest turned out to be <b>digest</b>.
4380 * If it was a bridge, and we still don't know its digest, record it.
4383 learned_router_identity(tor_addr_t
*addr
, uint16_t port
, const char *digest
)
4385 bridge_info_t
*bridge
=
4386 get_configured_bridge_by_addr_port_digest(addr
, port
, digest
);
4387 if (bridge
&& tor_digest_is_zero(bridge
->identity
)) {
4388 memcpy(bridge
->identity
, digest
, DIGEST_LEN
);
4389 log_notice(LD_DIR
, "Learned fingerprint %s for bridge %s:%d",
4390 hex_str(digest
, DIGEST_LEN
), fmt_addr(addr
), port
);
4394 /** Remember a new bridge at <b>addr</b>:<b>port</b>. If <b>digest</b>
4395 * is set, it tells us the identity key too. */
4397 bridge_add_from_config(const tor_addr_t
*addr
, uint16_t port
, char *digest
)
4399 bridge_info_t
*b
= tor_malloc_zero(sizeof(bridge_info_t
));
4400 tor_addr_copy(&b
->addr
, addr
);
4403 memcpy(b
->identity
, digest
, DIGEST_LEN
);
4404 b
->fetch_status
.schedule
= DL_SCHED_BRIDGE
;
4406 bridge_list
= smartlist_create();
4407 smartlist_add(bridge_list
, b
);
4410 /** If <b>digest</b> is one of our known bridges, return it. */
4411 static bridge_info_t
*
4412 find_bridge_by_digest(const char *digest
)
4414 SMARTLIST_FOREACH(bridge_list
, bridge_info_t
*, bridge
,
4416 if (!memcmp(bridge
->identity
, digest
, DIGEST_LEN
))
4422 /** We need to ask <b>bridge</b> for its server descriptor. <b>address</b>
4423 * is a helpful string describing this bridge. */
4425 launch_direct_bridge_descriptor_fetch(bridge_info_t
*bridge
)
4429 if (connection_get_by_type_addr_port_purpose(
4430 CONN_TYPE_DIR
, &bridge
->addr
, bridge
->port
,
4431 DIR_PURPOSE_FETCH_SERVERDESC
))
4432 return; /* it's already on the way */
4434 address
= tor_dup_addr(&bridge
->addr
);
4435 directory_initiate_command(address
, &bridge
->addr
,
4437 0, /* does not matter */
4438 1, bridge
->identity
,
4439 DIR_PURPOSE_FETCH_SERVERDESC
,
4440 ROUTER_PURPOSE_BRIDGE
,
4441 0, "authority.z", NULL
, 0, 0);
4445 /** Fetching the bridge descriptor from the bridge authority returned a
4446 * "not found". Fall back to trying a direct fetch. */
4448 retry_bridge_descriptor_fetch_directly(const char *digest
)
4450 bridge_info_t
*bridge
= find_bridge_by_digest(digest
);
4452 return; /* not found? oh well. */
4454 launch_direct_bridge_descriptor_fetch(bridge
);
4457 /** For each bridge in our list for which we don't currently have a
4458 * descriptor, fetch a new copy of its descriptor -- either directly
4459 * from the bridge or via a bridge authority. */
4461 fetch_bridge_descriptors(or_options_t
*options
, time_t now
)
4463 int num_bridge_auths
= get_n_authorities(BRIDGE_AUTHORITY
);
4464 int ask_bridge_directly
;
4465 int can_use_bridge_authority
;
4470 SMARTLIST_FOREACH_BEGIN(bridge_list
, bridge_info_t
*, bridge
)
4472 if (!download_status_is_ready(&bridge
->fetch_status
, now
,
4473 IMPOSSIBLE_TO_DOWNLOAD
))
4474 continue; /* don't bother, no need to retry yet */
4476 /* schedule another fetch as if this one will fail, in case it does */
4477 download_status_failed(&bridge
->fetch_status
, 0);
4479 can_use_bridge_authority
= !tor_digest_is_zero(bridge
->identity
) &&
4481 ask_bridge_directly
= !can_use_bridge_authority
||
4482 !options
->UpdateBridgesFromAuthority
;
4483 log_debug(LD_DIR
, "ask_bridge_directly=%d (%d, %d, %d)",
4484 ask_bridge_directly
, tor_digest_is_zero(bridge
->identity
),
4485 !options
->UpdateBridgesFromAuthority
, !num_bridge_auths
);
4487 if (ask_bridge_directly
&&
4488 !fascist_firewall_allows_address_or(&bridge
->addr
, bridge
->port
)) {
4489 log_notice(LD_DIR
, "Bridge at '%s:%d' isn't reachable by our "
4490 "firewall policy. %s.", fmt_addr(&bridge
->addr
),
4492 can_use_bridge_authority
?
4493 "Asking bridge authority instead" : "Skipping");
4494 if (can_use_bridge_authority
)
4495 ask_bridge_directly
= 0;
4500 if (ask_bridge_directly
) {
4501 /* we need to ask the bridge itself for its descriptor. */
4502 launch_direct_bridge_descriptor_fetch(bridge
);
4504 /* We have a digest and we want to ask an authority. We could
4505 * combine all the requests into one, but that may give more
4506 * hints to the bridge authority than we want to give. */
4507 char resource
[10 + HEX_DIGEST_LEN
];
4508 memcpy(resource
, "fp/", 3);
4509 base16_encode(resource
+3, HEX_DIGEST_LEN
+1,
4510 bridge
->identity
, DIGEST_LEN
);
4511 memcpy(resource
+3+HEX_DIGEST_LEN
, ".z", 3);
4512 log_info(LD_DIR
, "Fetching bridge info '%s' from bridge authority.",
4514 directory_get_from_dirserver(DIR_PURPOSE_FETCH_SERVERDESC
,
4515 ROUTER_PURPOSE_BRIDGE
, resource
, 0);
4518 SMARTLIST_FOREACH_END(bridge
);
4521 /** We just learned a descriptor for a bridge. See if that
4522 * digest is in our entry guard list, and add it if not. */
4524 learned_bridge_descriptor(routerinfo_t
*ri
, int from_cache
)
4527 tor_assert(ri
->purpose
== ROUTER_PURPOSE_BRIDGE
);
4528 if (get_options()->UseBridges
) {
4529 int first
= !any_bridge_descriptors_known();
4530 bridge_info_t
*bridge
= get_configured_bridge_by_routerinfo(ri
);
4531 time_t now
= time(NULL
);
4534 if (bridge
) { /* if we actually want to use this one */
4535 /* it's here; schedule its re-fetch for a long time from now. */
4537 download_status_reset(&bridge
->fetch_status
);
4539 add_an_entry_guard(ri
, 1);
4540 log_notice(LD_DIR
, "new bridge descriptor '%s' (%s)", ri
->nickname
,
4541 from_cache
? "cached" : "fresh");
4542 /* set entry->made_contact so if it goes down we don't drop it from
4543 * our entry node list */
4544 entry_guard_register_connect_status(ri
->cache_info
.identity_digest
,
4547 routerlist_retry_directory_downloads(now
);
4552 /** Return 1 if any of our entry guards have descriptors that
4553 * are marked with purpose 'bridge' and are running. Else return 0.
4555 * We use this function to decide if we're ready to start building
4556 * circuits through our bridges, or if we need to wait until the
4557 * directory "server/authority" requests finish. */
4559 any_bridge_descriptors_known(void)
4561 tor_assert(get_options()->UseBridges
);
4562 return choose_random_entry(NULL
)!=NULL
? 1 : 0;
4565 /** Return 1 if there are any directory conns fetching bridge descriptors
4566 * that aren't marked for close. We use this to guess if we should tell
4567 * the controller that we have a problem. */
4569 any_pending_bridge_descriptor_fetches(void)
4571 smartlist_t
*conns
= get_connection_array();
4572 SMARTLIST_FOREACH(conns
, connection_t
*, conn
,
4574 if (conn
->type
== CONN_TYPE_DIR
&&
4575 conn
->purpose
== DIR_PURPOSE_FETCH_SERVERDESC
&&
4576 TO_DIR_CONN(conn
)->router_purpose
== ROUTER_PURPOSE_BRIDGE
&&
4577 !conn
->marked_for_close
&&
4578 conn
->linked
&& !conn
->linked_conn
->marked_for_close
) {
4579 log_debug(LD_DIR
, "found one: %s", conn
->address
);
4586 /** Return 1 if we have at least one descriptor for an entry guard
4587 * (bridge or member of EntryNodes) and all descriptors we know are
4588 * down. Else return 0. If <b>act</b> is 1, then mark the down guards
4589 * up; else just observe and report. */
4591 entries_retry_helper(or_options_t
*options
, int act
)
4595 int any_running
= 0;
4596 int purpose
= options
->UseBridges
?
4597 ROUTER_PURPOSE_BRIDGE
: ROUTER_PURPOSE_GENERAL
;
4599 entry_guards
= smartlist_create();
4600 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
,
4602 ri
= router_get_by_digest(e
->identity
);
4603 if (ri
&& ri
->purpose
== purpose
) {
4606 any_running
= 1; /* some entry is both known and running */
4607 else if (act
) { /* mark it for retry */
4608 router_set_status(ri
->cache_info
.identity_digest
, 1);
4614 log_debug(LD_DIR
, "%d: any_known %d, any_running %d",
4615 act
, any_known
, any_running
);
4616 return any_known
&& !any_running
;
4619 /** Do we know any descriptors for our bridges / entrynodes, and are
4620 * all the ones we have descriptors for down? */
4622 entries_known_but_down(or_options_t
*options
)
4624 tor_assert(entry_list_is_constrained(options
));
4625 return entries_retry_helper(options
, 0);
4628 /** Mark all down known bridges / entrynodes up. */
4630 entries_retry_all(or_options_t
*options
)
4632 tor_assert(entry_list_is_constrained(options
));
4633 entries_retry_helper(options
, 1);
4636 /** Release all storage held by the list of entry guards and related
4637 * memory structs. */
4639 entry_guards_free_all(void)
4642 SMARTLIST_FOREACH(entry_guards
, entry_guard_t
*, e
,
4643 entry_guard_free(e
));
4644 smartlist_free(entry_guards
);
4645 entry_guards
= NULL
;
4647 clear_bridge_list();
4648 smartlist_free(bridge_list
);