search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Actually notice when our last entrynode goes down
[tor/rransom.git] / src / or / circuitbuild.c
bloba9920e2bcbb3ff5ca2a207556aeb5b2913f71cd6
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2010, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * \file circuitbuild.c
9 * \brief The actual details of building circuits.
10 **/
11
12 #define CIRCUIT_PRIVATE
13
14 #include "or.h"
15 #include "circuitbuild.h"
16 #include "circuitlist.h"
17 #include "circuituse.h"
18 #include "config.h"
19 #include "connection.h"
20 #include "connection_edge.h"
21 #include "connection_or.h"
22 #include "control.h"
23 #include "directory.h"
24 #include "main.h"
25 #include "networkstatus.h"
26 #include "onion.h"
27 #include "policies.h"
28 #include "relay.h"
29 #include "rephist.h"
30 #include "router.h"
31 #include "routerlist.h"
32 #include "routerparse.h"
33 #include "crypto.h"
34 #undef log
35 #include <math.h>
36
37 #ifndef MIN
38 #define MIN(a,b) ((a)<(b)?(a):(b))
39 #endif
40
41 #define CBT_BIN_TO_MS(bin) ((bin)*CBT_BIN_WIDTH + (CBT_BIN_WIDTH/2))
42
43 /********* START VARIABLES **********/
44 /** Global list of circuit build times */
45 // FIXME: Add this as a member for entry_guard_t instead of global?
46 // Then we could do per-guard statistics, as guards are likely to
47 // vary in their own latency. The downside of this is that guards
48 // can change frequently, so we'd be building a lot more circuits
49 // most likely.
50 circuit_build_times_t circ_times;
51
52 /** A global list of all circuits at this hop. */
53 extern circuit_t *global_circuitlist;
54
55 /** An entry_guard_t represents our information about a chosen long-term
56 * first hop, known as a "helper" node in the literature. We can't just
57 * use a routerinfo_t, since we want to remember these even when we
58 * don't have a directory. */
59 typedef struct {
60 char nickname[MAX_NICKNAME_LEN+1];
61 char identity[DIGEST_LEN];
62 time_t chosen_on_date; /**< Approximately when was this guard added?
63 * "0" if we don't know. */
64 char *chosen_by_version; /**< What tor version added this guard? NULL
65 * if we don't know. */
66 unsigned int made_contact : 1; /**< 0 if we have never connected to this
67 * router, 1 if we have. */
68 unsigned int can_retry : 1; /**< Should we retry connecting to this entry,
69 * in spite of having it marked as unreachable?*/
70 time_t bad_since; /**< 0 if this guard is currently usable, or the time at
71 * which it was observed to become (according to the
72 * directory or the user configuration) unusable. */
73 time_t unreachable_since; /**< 0 if we can connect to this guard, or the
74 * time at which we first noticed we couldn't
75 * connect to it. */
76 time_t last_attempted; /**< 0 if we can connect to this guard, or the time
77 * at which we last failed to connect to it. */
78 } entry_guard_t;
79
80 /** A list of our chosen entry guards. */
81 static smartlist_t *entry_guards = NULL;
82 /** A value of 1 means that the entry_guards list has changed
83 * and those changes need to be flushed to disk. */
84 static int entry_guards_dirty = 0;
85
86 /** If set, we're running the unit tests: we should avoid clobbering
87 * our state file or accessing get_options() or get_or_state() */
88 static int unit_tests = 0;
89
90 /********* END VARIABLES ************/
91
92 static int circuit_deliver_create_cell(circuit_t *circ,
93 uint8_t cell_type, const char *payload);
94 static int onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit);
95 static crypt_path_t *onion_next_hop_in_cpath(crypt_path_t *cpath);
96 static int onion_extend_cpath(origin_circuit_t *circ);
97 static int count_acceptable_routers(smartlist_t *routers);
98 static int onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice);
99
100 static void entry_guards_changed(void);
101
102 static int
103 circuit_build_times_disabled(void)
104 {
105 if (unit_tests) {
106 return 0;
107 } else {
108 int consensus_disabled = networkstatus_get_param(NULL, "cbtdisabled",
109 0);
110 int config_disabled = !get_options()->LearnCircuitBuildTimeout;
111 int dirauth_disabled = get_options()->AuthoritativeDir;
112 int state_disabled = (get_or_state()->LastWritten == -1);
113
114 if (consensus_disabled || config_disabled || dirauth_disabled ||
115 state_disabled) {
116 log_info(LD_CIRC,
117 "CircuitBuildTime learning is disabled. "
118 "Consensus=%d, Config=%d, AuthDir=%d, StateFile=%d",
119 consensus_disabled, config_disabled, dirauth_disabled,
120 state_disabled);
121 return 1;
122 } else {
123 return 0;
124 }
125 }
126 }
127
128 static int32_t
129 circuit_build_times_max_timeouts(void)
130 {
131 int32_t num = networkstatus_get_param(NULL, "cbtmaxtimeouts",
132 CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT);
133 return num;
134 }
135
136 static int32_t
137 circuit_build_times_default_num_xm_modes(void)
138 {
139 int32_t num = networkstatus_get_param(NULL, "cbtnummodes",
140 CBT_DEFAULT_NUM_XM_MODES);
141 return num;
142 }
143
144 static int32_t
145 circuit_build_times_min_circs_to_observe(void)
146 {
147 int32_t num = networkstatus_get_param(NULL, "cbtmincircs",
148 CBT_DEFAULT_MIN_CIRCUITS_TO_OBSERVE);
149 return num;
150 }
151
152 double
153 circuit_build_times_quantile_cutoff(void)
154 {
155 int32_t num = networkstatus_get_param(NULL, "cbtquantile",
156 CBT_DEFAULT_QUANTILE_CUTOFF);
157 return num/100.0;
158 }
159
160 static double
161 circuit_build_times_close_quantile(void)
162 {
163 int32_t num = networkstatus_get_param(NULL, "cbtclosequantile",
164 CBT_DEFAULT_CLOSE_QUANTILE);
165
166 return num/100.0;
167 }
168
169 static int32_t
170 circuit_build_times_test_frequency(void)
171 {
172 int32_t num = networkstatus_get_param(NULL, "cbttestfreq",
173 CBT_DEFAULT_TEST_FREQUENCY);
174 return num;
175 }
176
177 static int32_t
178 circuit_build_times_min_timeout(void)
179 {
180 int32_t num = networkstatus_get_param(NULL, "cbtmintimeout",
181 CBT_DEFAULT_TIMEOUT_MIN_VALUE);
182 return num;
183 }
184
185 int32_t
186 circuit_build_times_initial_timeout(void)
187 {
188 int32_t num = networkstatus_get_param(NULL, "cbtinitialtimeout",
189 CBT_DEFAULT_TIMEOUT_INITIAL_VALUE);
190 return num;
191 }
192
193 static int32_t
194 circuit_build_times_recent_circuit_count(void)
195 {
196 int32_t num = networkstatus_get_param(NULL, "cbtrecentcount",
197 CBT_DEFAULT_RECENT_CIRCUITS);
198 return num;
199 }
200
201 /**
202 * This function is called when we get a consensus update.
203 *
204 * It checks to see if we have changed any consensus parameters
205 * that require reallocation or discard of previous stats.
206 */
207 void
208 circuit_build_times_new_consensus_params(circuit_build_times_t *cbt,
209 networkstatus_t *ns)
210 {
211 int32_t num = networkstatus_get_param(ns, "cbtrecentcount",
212 CBT_DEFAULT_RECENT_CIRCUITS);
213
214 if (num > 0 && num != cbt->liveness.num_recent_circs) {
215 int8_t *recent_circs;
216 log_notice(LD_CIRC, "Changing recent timeout size from %d to %d",
217 cbt->liveness.num_recent_circs, num);
218
219 tor_assert(cbt->liveness.timeouts_after_firsthop);
220
221 /*
222 * Technically this is a circular array that we are reallocating
223 * and memcopying. However, since it only consists of either 1s
224 * or 0s, and is only used in a statistical test to determine when
225 * we should discard our history after a sufficient number of 1's
226 * have been reached, it is fine if order is not preserved or
227 * elements are lost.
228 *
229 * cbtrecentcount should only be changing in cases of severe network
230 * distress anyway, so memory correctness here is paramount over
231 * doing acrobatics to preserve the array.
232 */
233 recent_circs = tor_malloc_zero(sizeof(int8_t)*num);
234 memcpy(recent_circs, cbt->liveness.timeouts_after_firsthop,
235 sizeof(int8_t)*MIN(num, cbt->liveness.num_recent_circs));
236
237 // Adjust the index if it needs it.
238 if (num < cbt->liveness.num_recent_circs) {
239 cbt->liveness.after_firsthop_idx = MIN(num-1,
240 cbt->liveness.after_firsthop_idx);
241 }
242
243 tor_free(cbt->liveness.timeouts_after_firsthop);
244 cbt->liveness.timeouts_after_firsthop = recent_circs;
245 cbt->liveness.num_recent_circs = num;
246 }
247 }
248
249 /** Make a note that we're running unit tests (rather than running Tor
250 * itself), so we avoid clobbering our state file. */
251 void
252 circuitbuild_running_unit_tests(void)
253 {
254 unit_tests = 1;
255 }
256
257 /**
258 * Return the initial default or configured timeout in milliseconds
259 */
260 static double
261 circuit_build_times_get_initial_timeout(void)
262 {
263 double timeout;
264 if (!unit_tests && get_options()->CircuitBuildTimeout) {
265 timeout = get_options()->CircuitBuildTimeout*1000;
266 if (timeout < circuit_build_times_min_timeout()) {
267 log_warn(LD_CIRC, "Config CircuitBuildTimeout too low. Setting to %ds",
268 circuit_build_times_min_timeout()/1000);
269 timeout = circuit_build_times_min_timeout();
270 }
271 } else {
272 timeout = circuit_build_times_initial_timeout();
273 }
274 return timeout;
275 }
276
277 /**
278 * Reset the build time state.
279 *
280 * Leave estimated parameters, timeout and network liveness intact
281 * for future use.
282 */
283 void
284 circuit_build_times_reset(circuit_build_times_t *cbt)
285 {
286 memset(cbt->circuit_build_times, 0, sizeof(cbt->circuit_build_times));
287 cbt->total_build_times = 0;
288 cbt->build_times_idx = 0;
289 cbt->have_computed_timeout = 0;
290 }
291
292 /**
293 * Initialize the buildtimes structure for first use.
294 *
295 * Sets the initial timeout value based to either the
296 * config setting or BUILD_TIMEOUT_INITIAL_VALUE.
297 */
298 void
299 circuit_build_times_init(circuit_build_times_t *cbt)
300 {
301 memset(cbt, 0, sizeof(*cbt));
302 cbt->liveness.num_recent_circs = circuit_build_times_recent_circuit_count();
303 cbt->liveness.timeouts_after_firsthop = tor_malloc_zero(sizeof(int8_t)*
304 cbt->liveness.num_recent_circs);
305 cbt->close_ms = cbt->timeout_ms = circuit_build_times_get_initial_timeout();
306 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_RESET);
307 }
308
309 /**
310 * Rewind our build time history by n positions.
311 */
312 static void
313 circuit_build_times_rewind_history(circuit_build_times_t *cbt, int n)
314 {
315 int i = 0;
316
317 cbt->build_times_idx -= n;
318 cbt->build_times_idx %= CBT_NCIRCUITS_TO_OBSERVE;
319
320 for (i = 0; i < n; i++) {
321 cbt->circuit_build_times[(i+cbt->build_times_idx)
322 %CBT_NCIRCUITS_TO_OBSERVE]=0;
323 }
324
325 if (cbt->total_build_times > n) {
326 cbt->total_build_times -= n;
327 } else {
328 cbt->total_build_times = 0;
329 }
330
331 log_info(LD_CIRC,
332 "Rewound history by %d places. Current index: %d. "
333 "Total: %d", n, cbt->build_times_idx, cbt->total_build_times);
334 }
335
336 /**
337 * Add a new build time value <b>time</b> to the set of build times. Time
338 * units are milliseconds.
339 *
340 * circuit_build_times <b>cbt</a> is a circular array, so loop around when
341 * array is full.
342 */
343 int
344 circuit_build_times_add_time(circuit_build_times_t *cbt, build_time_t time)
345 {
346 if (time <= 0 || time > CBT_BUILD_TIME_MAX) {
347 log_warn(LD_BUG, "Circuit build time is too large (%u)."
348 "This is probably a bug.", time);
349 tor_fragile_assert();
350 return -1;
351 }
352
353 log_debug(LD_CIRC, "Adding circuit build time %u", time);
354
355 cbt->circuit_build_times[cbt->build_times_idx] = time;
356 cbt->build_times_idx = (cbt->build_times_idx + 1) % CBT_NCIRCUITS_TO_OBSERVE;
357 if (cbt->total_build_times < CBT_NCIRCUITS_TO_OBSERVE)
358 cbt->total_build_times++;
359
360 if ((cbt->total_build_times % CBT_SAVE_STATE_EVERY) == 0) {
361 /* Save state every n circuit builds */
362 if (!unit_tests && !get_options()->AvoidDiskWrites)
363 or_state_mark_dirty(get_or_state(), 0);
364 }
365
366 return 0;
367 }
368
369 /**
370 * Return maximum circuit build time
371 */
372 static build_time_t
373 circuit_build_times_max(circuit_build_times_t *cbt)
374 {
375 int i = 0;
376 build_time_t max_build_time = 0;
377 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
378 if (cbt->circuit_build_times[i] > max_build_time
379 && cbt->circuit_build_times[i] != CBT_BUILD_ABANDONED)
380 max_build_time = cbt->circuit_build_times[i];
381 }
382 return max_build_time;
383 }
384
385 #if 0
386 /** Return minimum circuit build time */
387 build_time_t
388 circuit_build_times_min(circuit_build_times_t *cbt)
389 {
390 int i = 0;
391 build_time_t min_build_time = CBT_BUILD_TIME_MAX;
392 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
393 if (cbt->circuit_build_times[i] && /* 0 <-> uninitialized */
394 cbt->circuit_build_times[i] < min_build_time)
395 min_build_time = cbt->circuit_build_times[i];
396 }
397 if (min_build_time == CBT_BUILD_TIME_MAX) {
398 log_warn(LD_CIRC, "No build times less than CBT_BUILD_TIME_MAX!");
399 }
400 return min_build_time;
401 }
402 #endif
403
404 /**
405 * Calculate and return a histogram for the set of build times.
406 *
407 * Returns an allocated array of histrogram bins representing
408 * the frequency of index*CBT_BIN_WIDTH millisecond
409 * build times. Also outputs the number of bins in nbins.
410 *
411 * The return value must be freed by the caller.
412 */
413 static uint32_t *
414 circuit_build_times_create_histogram(circuit_build_times_t *cbt,
415 build_time_t *nbins)
416 {
417 uint32_t *histogram;
418 build_time_t max_build_time = circuit_build_times_max(cbt);
419 int i, c;
420
421 *nbins = 1 + (max_build_time / CBT_BIN_WIDTH);
422 histogram = tor_malloc_zero(*nbins * sizeof(build_time_t));
423
424 // calculate histogram
425 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
426 if (cbt->circuit_build_times[i] == 0
427 || cbt->circuit_build_times[i] == CBT_BUILD_ABANDONED)
428 continue; /* 0 <-> uninitialized */
429
430 c = (cbt->circuit_build_times[i] / CBT_BIN_WIDTH);
431 histogram[c]++;
432 }
433
434 return histogram;
435 }
436
437 /**
438 * Return the Pareto start-of-curve parameter Xm.
439 *
440 * Because we are not a true Pareto curve, we compute this as the
441 * weighted average of the N=3 most frequent build time bins.
442 */
443 static build_time_t
444 circuit_build_times_get_xm(circuit_build_times_t *cbt)
445 {
446 build_time_t i, nbins;
447 build_time_t *nth_max_bin;
448 int32_t bin_counts=0;
449 build_time_t ret = 0;
450 uint32_t *histogram = circuit_build_times_create_histogram(cbt, &nbins);
451 int n=0;
452 int num_modes = circuit_build_times_default_num_xm_modes();
453
454 // Only use one mode if < 1000 buildtimes. Not enough data
455 // for multiple.
456 if (cbt->total_build_times < CBT_NCIRCUITS_TO_OBSERVE)
457 num_modes = 1;
458
459 nth_max_bin = (build_time_t*)tor_malloc_zero(num_modes*sizeof(build_time_t));
460
461 for (i = 0; i < nbins; i++) {
462 if (histogram[i] >= histogram[nth_max_bin[0]]) {
463 nth_max_bin[0] = i;
464 }
465
466 for (n = 1; n < num_modes; n++) {
467 if (histogram[i] >= histogram[nth_max_bin[n]] &&
468 (!histogram[nth_max_bin[n-1]]
469 || histogram[i] < histogram[nth_max_bin[n-1]])) {
470 nth_max_bin[n] = i;
471 }
472 }
473 }
474
475 for (n = 0; n < num_modes; n++) {
476 bin_counts += histogram[nth_max_bin[n]];
477 ret += CBT_BIN_TO_MS(nth_max_bin[n])*histogram[nth_max_bin[n]];
478 log_info(LD_CIRC, "Xm mode #%d: %u %u", n, CBT_BIN_TO_MS(nth_max_bin[n]),
479 histogram[nth_max_bin[n]]);
480 }
481
482 ret /= bin_counts;
483 tor_free(histogram);
484 tor_free(nth_max_bin);
485
486 return ret;
487 }
488
489 /**
490 * Output a histogram of current circuit build times to
491 * the or_state_t state structure.
492 */
493 void
494 circuit_build_times_update_state(circuit_build_times_t *cbt,
495 or_state_t *state)
496 {
497 uint32_t *histogram;
498 build_time_t i = 0;
499 build_time_t nbins = 0;
500 config_line_t **next, *line;
501
502 histogram = circuit_build_times_create_histogram(cbt, &nbins);
503 // write to state
504 config_free_lines(state->BuildtimeHistogram);
505 next = &state->BuildtimeHistogram;
506 *next = NULL;
507
508 state->TotalBuildTimes = cbt->total_build_times;
509 state->CircuitBuildAbandonedCount = 0;
510
511 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
512 if (cbt->circuit_build_times[i] == CBT_BUILD_ABANDONED)
513 state->CircuitBuildAbandonedCount++;
514 }
515
516 for (i = 0; i < nbins; i++) {
517 // compress the histogram by skipping the blanks
518 if (histogram[i] == 0) continue;
519 *next = line = tor_malloc_zero(sizeof(config_line_t));
520 line->key = tor_strdup("CircuitBuildTimeBin");
521 line->value = tor_malloc(25);
522 tor_snprintf(line->value, 25, "%d %d",
523 CBT_BIN_TO_MS(i), histogram[i]);
524 next = &(line->next);
525 }
526
527 if (!unit_tests) {
528 if (!get_options()->AvoidDiskWrites)
529 or_state_mark_dirty(get_or_state(), 0);
530 }
531
532 tor_free(histogram);
533 }
534
535 /**
536 * Shuffle the build times array.
537 *
538 * Stolen from http://en.wikipedia.org/wiki/Fisher\u2013Yates_shuffle
539 */
540 static void
541 circuit_build_times_shuffle_and_store_array(circuit_build_times_t *cbt,
542 build_time_t *raw_times,
543 int num_times)
544 {
545 int n = num_times;
546 if (num_times > CBT_NCIRCUITS_TO_OBSERVE) {
547 log_notice(LD_CIRC, "Decreasing circuit_build_times size from %d to %d",
548 num_times, CBT_NCIRCUITS_TO_OBSERVE);
549 }
550
551 /* This code can only be run on a compact array */
552 while (n-- > 1) {
553 int k = crypto_rand_int(n + 1); /* 0 <= k <= n. */
554 build_time_t tmp = raw_times[k];
555 raw_times[k] = raw_times[n];
556 raw_times[n] = tmp;
557 }
558
559 /* Since the times are now shuffled, take a random CBT_NCIRCUITS_TO_OBSERVE
560 * subset (ie the first CBT_NCIRCUITS_TO_OBSERVE values) */
561 for (n = 0; n < MIN(num_times, CBT_NCIRCUITS_TO_OBSERVE); n++) {
562 circuit_build_times_add_time(cbt, raw_times[n]);
563 }
564 }
565
566 /**
567 * Filter old synthetic timeouts that were created before the
568 * new right-censored Pareto calculation was deployed.
569 *
570 * Once all clients before 0.2.1.13-alpha are gone, this code
571 * will be unused.
572 */
573 static int
574 circuit_build_times_filter_timeouts(circuit_build_times_t *cbt)
575 {
576 int num_filtered=0, i=0;
577 double timeout_rate = 0;
578 build_time_t max_timeout = 0;
579
580 timeout_rate = circuit_build_times_timeout_rate(cbt);
581 max_timeout = (build_time_t)cbt->close_ms;
582
583 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
584 if (cbt->circuit_build_times[i] > max_timeout) {
585 build_time_t replaced = cbt->circuit_build_times[i];
586 num_filtered++;
587 cbt->circuit_build_times[i] = CBT_BUILD_ABANDONED;
588
589 log_debug(LD_CIRC, "Replaced timeout %d with %d", replaced,
590 cbt->circuit_build_times[i]);
591 }
592 }
593
594 log_info(LD_CIRC,
595 "We had %d timeouts out of %d build times, "
596 "and filtered %d above the max of %u",
597 (int)(cbt->total_build_times*timeout_rate),
598 cbt->total_build_times, num_filtered, max_timeout);
599
600 return num_filtered;
601 }
602
603 /**
604 * Load histogram from <b>state</b>, shuffling the resulting array
605 * after we do so. Use this result to estimate parameters and
606 * calculate the timeout.
607 *
608 * Return -1 on error.
609 */
610 int
611 circuit_build_times_parse_state(circuit_build_times_t *cbt,
612 or_state_t *state)
613 {
614 int tot_values = 0;
615 uint32_t loaded_cnt = 0, N = 0;
616 config_line_t *line;
617 unsigned int i;
618 build_time_t *loaded_times;
619 int err = 0;
620 circuit_build_times_init(cbt);
621
622 if (circuit_build_times_disabled()) {
623 return 0;
624 }
625
626 /* build_time_t 0 means uninitialized */
627 loaded_times = tor_malloc_zero(sizeof(build_time_t)*state->TotalBuildTimes);
628
629 for (line = state->BuildtimeHistogram; line; line = line->next) {
630 smartlist_t *args = smartlist_create();
631 smartlist_split_string(args, line->value, " ",
632 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
633 if (smartlist_len(args) < 2) {
634 log_warn(LD_GENERAL, "Unable to parse circuit build times: "
635 "Too few arguments to CircuitBuildTime");
636 err = 1;
637 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
638 smartlist_free(args);
639 break;
640 } else {
641 const char *ms_str = smartlist_get(args,0);
642 const char *count_str = smartlist_get(args,1);
643 uint32_t count, k;
644 build_time_t ms;
645 int ok;
646 ms = (build_time_t)tor_parse_ulong(ms_str, 0, 0,
647 CBT_BUILD_TIME_MAX, &ok, NULL);
648 if (!ok) {
649 log_warn(LD_GENERAL, "Unable to parse circuit build times: "
650 "Unparsable bin number");
651 err = 1;
652 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
653 smartlist_free(args);
654 break;
655 }
656 count = (uint32_t)tor_parse_ulong(count_str, 0, 0,
657 UINT32_MAX, &ok, NULL);
658 if (!ok) {
659 log_warn(LD_GENERAL, "Unable to parse circuit build times: "
660 "Unparsable bin count");
661 err = 1;
662 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
663 smartlist_free(args);
664 break;
665 }
666
667 if (loaded_cnt+count+state->CircuitBuildAbandonedCount
668 > state->TotalBuildTimes) {
669 log_warn(LD_CIRC,
670 "Too many build times in state file. "
671 "Stopping short before %d",
672 loaded_cnt+count);
673 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
674 smartlist_free(args);
675 break;
676 }
677
678 for (k = 0; k < count; k++) {
679 loaded_times[loaded_cnt++] = ms;
680 }
681 N++;
682 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
683 smartlist_free(args);
684 }
685 }
686
687 log_info(LD_CIRC,
688 "Adding %d timeouts.", state->CircuitBuildAbandonedCount);
689 for (i=0; i < state->CircuitBuildAbandonedCount; i++) {
690 loaded_times[loaded_cnt++] = CBT_BUILD_ABANDONED;
691 }
692
693 if (loaded_cnt != state->TotalBuildTimes) {
694 log_warn(LD_CIRC,
695 "Corrupt state file? Build times count mismatch. "
696 "Read %d times, but file says %d", loaded_cnt,
697 state->TotalBuildTimes);
698 err = 1;
699 circuit_build_times_reset(cbt);
700 goto done;
701 }
702
703 circuit_build_times_shuffle_and_store_array(cbt, loaded_times, loaded_cnt);
704
705 /* Verify that we didn't overwrite any indexes */
706 for (i=0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
707 if (!cbt->circuit_build_times[i])
708 break;
709 tot_values++;
710 }
711 log_info(LD_CIRC,
712 "Loaded %d/%d values from %d lines in circuit time histogram",
713 tot_values, cbt->total_build_times, N);
714
715 if (cbt->total_build_times != tot_values
716 || cbt->total_build_times > CBT_NCIRCUITS_TO_OBSERVE) {
717 log_warn(LD_CIRC,
718 "Corrupt state file? Shuffled build times mismatch. "
719 "Read %d times, but file says %d", tot_values,
720 state->TotalBuildTimes);
721 err = 1;
722 circuit_build_times_reset(cbt);
723 goto done;
724 }
725
726 circuit_build_times_set_timeout(cbt);
727
728 if (!state->CircuitBuildAbandonedCount && cbt->total_build_times) {
729 circuit_build_times_filter_timeouts(cbt);
730 }
731
732 done:
733 tor_free(loaded_times);
734 return err ? -1 : 0;
735 }
736
737 /**
738 * Estimates the Xm and Alpha parameters using
739 * http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation
740 *
741 * The notable difference is that we use mode instead of min to estimate Xm.
742 * This is because our distribution is frechet-like. We claim this is
743 * an acceptable approximation because we are only concerned with the
744 * accuracy of the CDF of the tail.
745 */
746 int
747 circuit_build_times_update_alpha(circuit_build_times_t *cbt)
748 {
749 build_time_t *x=cbt->circuit_build_times;
750 double a = 0;
751 int n=0,i=0,abandoned_count=0;
752 build_time_t max_time=0;
753
754 /* http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation */
755 /* We sort of cheat here and make our samples slightly more pareto-like
756 * and less frechet-like. */
757 cbt->Xm = circuit_build_times_get_xm(cbt);
758
759 tor_assert(cbt->Xm > 0);
760
761 for (i=0; i< CBT_NCIRCUITS_TO_OBSERVE; i++) {
762 if (!x[i]) {
763 continue;
764 }
765
766 if (x[i] < cbt->Xm) {
767 a += tor_mathlog(cbt->Xm);
768 } else if (x[i] == CBT_BUILD_ABANDONED) {
769 abandoned_count++;
770 } else {
771 a += tor_mathlog(x[i]);
772 if (x[i] > max_time)
773 max_time = x[i];
774 }
775 n++;
776 }
777
778 /*
779 * We are erring and asserting here because this can only happen
780 * in codepaths other than startup. The startup state parsing code
781 * performs this same check, and resets state if it hits it. If we
782 * hit it at runtime, something serious has gone wrong.
783 */
784 if (n!=cbt->total_build_times) {
785 log_err(LD_CIRC, "Discrepancy in build times count: %d vs %d", n,
786 cbt->total_build_times);
787 }
788 tor_assert(n==cbt->total_build_times);
789
790 if (max_time <= 0) {
791 /* This can happen if Xm is actually the *maximum* value in the set.
792 * It can also happen if we've abandoned every single circuit somehow.
793 * In either case, tell the caller not to compute a new build timeout. */
794 log_warn(LD_BUG,
795 "Could not determine largest build time (%d). "
796 "Xm is %dms and we've abandoned %d out of %d circuits.", max_time,
797 cbt->Xm, abandoned_count, n);
798 return 0;
799 }
800
801 a += abandoned_count*tor_mathlog(max_time);
802
803 a -= n*tor_mathlog(cbt->Xm);
804 // Estimator comes from Eq #4 in:
805 // "Bayesian estimation based on trimmed samples from Pareto populations"
806 // by Arturo J. Fernández. We are right-censored only.
807 a = (n-abandoned_count)/a;
808
809 cbt->alpha = a;
810
811 return 1;
812 }
813
814 /**
815 * This is the Pareto Quantile Function. It calculates the point x
816 * in the distribution such that F(x) = quantile (ie quantile*100%
817 * of the mass of the density function is below x on the curve).
818 *
819 * We use it to calculate the timeout and also to generate synthetic
820 * values of time for circuits that timeout before completion.
821 *
822 * See http://en.wikipedia.org/wiki/Quantile_function,
823 * http://en.wikipedia.org/wiki/Inverse_transform_sampling and
824 * http://en.wikipedia.org/wiki/Pareto_distribution#Generating_a_
825 * random_sample_from_Pareto_distribution
826 * That's right. I'll cite wikipedia all day long.
827 *
828 * Return value is in milliseconds.
829 */
830 double
831 circuit_build_times_calculate_timeout(circuit_build_times_t *cbt,
832 double quantile)
833 {
834 double ret;
835 tor_assert(quantile >= 0);
836 tor_assert(1.0-quantile > 0);
837 tor_assert(cbt->Xm > 0);
838
839 ret = cbt->Xm/pow(1.0-quantile,1.0/cbt->alpha);
840 if (ret > INT32_MAX) {
841 ret = INT32_MAX;
842 }
843 tor_assert(ret > 0);
844 return ret;
845 }
846
847 /** Pareto CDF */
848 double
849 circuit_build_times_cdf(circuit_build_times_t *cbt, double x)
850 {
851 double ret;
852 tor_assert(cbt->Xm > 0);
853 ret = 1.0-pow(cbt->Xm/x,cbt->alpha);
854 tor_assert(0 <= ret && ret <= 1.0);
855 return ret;
856 }
857
858 /**
859 * Generate a synthetic time using our distribution parameters.
860 *
861 * The return value will be within the [q_lo, q_hi) quantile points
862 * on the CDF.
863 */
864 build_time_t
865 circuit_build_times_generate_sample(circuit_build_times_t *cbt,
866 double q_lo, double q_hi)
867 {
868 double randval = crypto_rand_double();
869 build_time_t ret;
870 double u;
871
872 /* Generate between [q_lo, q_hi) */
873 /*XXXX This is what nextafter is supposed to be for; we should use it on the
874 * platforms that support it. */
875 q_hi -= 1.0/(INT32_MAX);
876
877 tor_assert(q_lo >= 0);
878 tor_assert(q_hi < 1);
879 tor_assert(q_lo < q_hi);
880
881 u = q_lo + (q_hi-q_lo)*randval;
882
883 tor_assert(0 <= u && u < 1.0);
884 /* circuit_build_times_calculate_timeout returns <= INT32_MAX */
885 ret = (build_time_t)
886 tor_lround(circuit_build_times_calculate_timeout(cbt, u));
887 tor_assert(ret > 0);
888 return ret;
889 }
890
891 /**
892 * Estimate an initial alpha parameter by solving the quantile
893 * function with a quantile point and a specific timeout value.
894 */
895 void
896 circuit_build_times_initial_alpha(circuit_build_times_t *cbt,
897 double quantile, double timeout_ms)
898 {
899 // Q(u) = Xm/((1-u)^(1/a))
900 // Q(0.8) = Xm/((1-0.8))^(1/a)) = CircBuildTimeout
901 // CircBuildTimeout = Xm/((1-0.8))^(1/a))
902 // CircBuildTimeout = Xm*((1-0.8))^(-1/a))
903 // ln(CircBuildTimeout) = ln(Xm)+ln(((1-0.8)))*(-1/a)
904 // -ln(1-0.8)/(ln(CircBuildTimeout)-ln(Xm))=a
905 tor_assert(quantile >= 0);
906 tor_assert(cbt->Xm > 0);
907 cbt->alpha = tor_mathlog(1.0-quantile)/
908 (tor_mathlog(cbt->Xm)-tor_mathlog(timeout_ms));
909 tor_assert(cbt->alpha > 0);
910 }
911
912 /**
913 * Returns true if we need circuits to be built
914 */
915 int
916 circuit_build_times_needs_circuits(circuit_build_times_t *cbt)
917 {
918 /* Return true if < MIN_CIRCUITS_TO_OBSERVE */
919 if (cbt->total_build_times < circuit_build_times_min_circs_to_observe())
920 return 1;
921 return 0;
922 }
923
924 /**
925 * Returns true if we should build a timeout test circuit
926 * right now.
927 */
928 int
929 circuit_build_times_needs_circuits_now(circuit_build_times_t *cbt)
930 {
931 return circuit_build_times_needs_circuits(cbt) &&
932 approx_time()-cbt->last_circ_at > circuit_build_times_test_frequency();
933 }
934
935 /**
936 * Called to indicate that the network showed some signs of liveness.
937 *
938 * This function is called every time we receive a cell. Avoid
939 * syscalls, events, and other high-intensity work.
940 */
941 void
942 circuit_build_times_network_is_live(circuit_build_times_t *cbt)
943 {
944 cbt->liveness.network_last_live = approx_time();
945 cbt->liveness.nonlive_discarded = 0;
946 cbt->liveness.nonlive_timeouts = 0;
947 }
948
949 /**
950 * Called to indicate that we completed a circuit. Because this circuit
951 * succeeded, it doesn't count as a timeout-after-the-first-hop.
952 */
953 void
954 circuit_build_times_network_circ_success(circuit_build_times_t *cbt)
955 {
956 cbt->liveness.timeouts_after_firsthop[cbt->liveness.after_firsthop_idx] = 0;
957 cbt->liveness.after_firsthop_idx++;
958 cbt->liveness.after_firsthop_idx %= cbt->liveness.num_recent_circs;
959 }
960
961 /**
962 * A circuit just timed out. If it failed after the first hop, record it
963 * in our history for later deciding if the network speed has changed.
964 */
965 static void
966 circuit_build_times_network_timeout(circuit_build_times_t *cbt,
967 int did_onehop)
968 {
969 if (did_onehop) {
970 cbt->liveness.timeouts_after_firsthop[cbt->liveness.after_firsthop_idx]=1;
971 cbt->liveness.after_firsthop_idx++;
972 cbt->liveness.after_firsthop_idx %= cbt->liveness.num_recent_circs;
973 }
974 }
975
976 /**
977 * A circuit was just forcibly closed. If there has been no recent network
978 * activity at all, but this circuit was launched back when we thought the
979 * network was live, increment the number of "nonlive" circuit timeouts.
980 */
981 static void
982 circuit_build_times_network_close(circuit_build_times_t *cbt,
983 int did_onehop, time_t start_time)
984 {
985 time_t now = time(NULL);
986 /*
987 * Check if this is a timeout that was for a circuit that spent its
988 * entire existence during a time where we have had no network activity.
989 *
990 * Also double check that it is a valid timeout after we have possibly
991 * just recently reset cbt->close_ms.
992 *
993 * We use close_ms here because timeouts aren't actually counted as timeouts
994 * until close_ms elapses.
995 */
996 if (cbt->liveness.network_last_live <= start_time &&
997 start_time <= (now - cbt->close_ms/1000.0)) {
998 if (did_onehop) {
999 char last_live_buf[ISO_TIME_LEN+1];
1000 char start_time_buf[ISO_TIME_LEN+1];
1001 char now_buf[ISO_TIME_LEN+1];
1002 format_local_iso_time(last_live_buf, cbt->liveness.network_last_live);
1003 format_local_iso_time(start_time_buf, start_time);
1004 format_local_iso_time(now_buf, now);
1005 log_warn(LD_BUG,
1006 "Circuit somehow completed a hop while the network was "
1007 "not live. Network was last live at %s, but circuit launched "
1008 "at %s. It's now %s.", last_live_buf, start_time_buf,
1009 now_buf);
1010 }
1011 cbt->liveness.nonlive_timeouts++;
1012 }
1013 }
1014
1015 /**
1016 * Returns false if the network has not received a cell or tls handshake
1017 * in the past NETWORK_NOTLIVE_TIMEOUT_COUNT circuits.
1018 *
1019 * Also has the side effect of rewinding the circuit time history
1020 * in the case of recent liveness changes.
1021 */
1022 int
1023 circuit_build_times_network_check_live(circuit_build_times_t *cbt)
1024 {
1025 time_t now = approx_time();
1026 if (cbt->liveness.nonlive_timeouts >= CBT_NETWORK_NONLIVE_DISCARD_COUNT) {
1027 if (!cbt->liveness.nonlive_discarded) {
1028 cbt->liveness.nonlive_discarded = 1;
1029 log_notice(LD_CIRC, "Network is no longer live (too many recent "
1030 "circuit timeouts). Dead for %ld seconds.",
1031 (long int)(now - cbt->liveness.network_last_live));
1032 /* Only discard NETWORK_NONLIVE_TIMEOUT_COUNT-1 because we stopped
1033 * counting after that */
1034 circuit_build_times_rewind_history(cbt,
1035 CBT_NETWORK_NONLIVE_TIMEOUT_COUNT-1);
1036 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_DISCARD);
1037 }
1038 return 0;
1039 } else if (cbt->liveness.nonlive_timeouts >=
1040 CBT_NETWORK_NONLIVE_TIMEOUT_COUNT) {
1041 if (cbt->timeout_ms < circuit_build_times_get_initial_timeout()) {
1042 log_notice(LD_CIRC,
1043 "Network is flaky. No activity for %ld seconds. "
1044 "Temporarily raising timeout to %lds.",
1045 (long int)(now - cbt->liveness.network_last_live),
1046 tor_lround(circuit_build_times_get_initial_timeout()/1000));
1047 cbt->liveness.suspended_timeout = cbt->timeout_ms;
1048 cbt->liveness.suspended_close_timeout = cbt->close_ms;
1049 cbt->close_ms = cbt->timeout_ms
1050 = circuit_build_times_get_initial_timeout();
1051 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_SUSPENDED);
1052 }
1053
1054 return 0;
1055 } else if (cbt->liveness.suspended_timeout > 0) {
1056 log_notice(LD_CIRC,
1057 "Network activity has resumed. "
1058 "Resuming circuit timeout calculations.");
1059 cbt->timeout_ms = cbt->liveness.suspended_timeout;
1060 cbt->close_ms = cbt->liveness.suspended_close_timeout;
1061 cbt->liveness.suspended_timeout = 0;
1062 cbt->liveness.suspended_close_timeout = 0;
1063 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_RESUME);
1064 }
1065
1066 return 1;
1067 }
1068
1069 /**
1070 * Returns true if we have seen more than MAX_RECENT_TIMEOUT_COUNT of
1071 * the past RECENT_CIRCUITS time out after the first hop. Used to detect
1072 * if the network connection has changed significantly.
1073 *
1074 * Also resets the entire timeout history in this case and causes us
1075 * to restart the process of building test circuits and estimating a
1076 * new timeout.
1077 */
1078 int
1079 circuit_build_times_network_check_changed(circuit_build_times_t *cbt)
1080 {
1081 int total_build_times = cbt->total_build_times;
1082 int timeout_count=0;
1083 int i;
1084
1085 /* how many of our recent circuits made it to the first hop but then
1086 * timed out? */
1087 for (i = 0; i < cbt->liveness.num_recent_circs; i++) {
1088 timeout_count += cbt->liveness.timeouts_after_firsthop[i];
1089 }
1090
1091 /* If 80% of our recent circuits are timing out after the first hop,
1092 * we need to re-estimate a new initial alpha and timeout. */
1093 if (timeout_count < circuit_build_times_max_timeouts()) {
1094 return 0;
1095 }
1096
1097 circuit_build_times_reset(cbt);
1098 memset(cbt->liveness.timeouts_after_firsthop, 0,
1099 sizeof(*cbt->liveness.timeouts_after_firsthop)*
1100 cbt->liveness.num_recent_circs);
1101 cbt->liveness.after_firsthop_idx = 0;
1102
1103 /* Check to see if this has happened before. If so, double the timeout
1104 * to give people on abysmally bad network connections a shot at access */
1105 if (cbt->timeout_ms >= circuit_build_times_get_initial_timeout()) {
1106 if (cbt->timeout_ms > INT32_MAX/2 || cbt->close_ms > INT32_MAX/2) {
1107 log_warn(LD_CIRC, "Insanely large circuit build timeout value. "
1108 "(timeout = %lfmsec, close = %lfmsec)",
1109 cbt->timeout_ms, cbt->close_ms);
1110 } else {
1111 cbt->timeout_ms *= 2;
1112 cbt->close_ms *= 2;
1113 }
1114 } else {
1115 cbt->close_ms = cbt->timeout_ms
1116 = circuit_build_times_get_initial_timeout();
1117 }
1118
1119 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_RESET);
1120
1121 log_notice(LD_CIRC,
1122 "Network connection speed appears to have changed. Resetting "
1123 "timeout to %lds after %d timeouts and %d buildtimes.",
1124 tor_lround(cbt->timeout_ms/1000), timeout_count,
1125 total_build_times);
1126
1127 return 1;
1128 }
1129
1130 /**
1131 * Count the number of timeouts in a set of cbt data.
1132 */
1133 double
1134 circuit_build_times_timeout_rate(const circuit_build_times_t *cbt)
1135 {
1136 int i=0,timeouts=0;
1137 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
1138 if (cbt->circuit_build_times[i] >= cbt->timeout_ms) {
1139 timeouts++;
1140 }
1141 }
1142
1143 if (!cbt->total_build_times)
1144 return 0;
1145
1146 return ((double)timeouts)/cbt->total_build_times;
1147 }
1148
1149 /**
1150 * Count the number of closed circuits in a set of cbt data.
1151 */
1152 double
1153 circuit_build_times_close_rate(const circuit_build_times_t *cbt)
1154 {
1155 int i=0,closed=0;
1156 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
1157 if (cbt->circuit_build_times[i] == CBT_BUILD_ABANDONED) {
1158 closed++;
1159 }
1160 }
1161
1162 if (!cbt->total_build_times)
1163 return 0;
1164
1165 return ((double)closed)/cbt->total_build_times;
1166 }
1167
1168 /**
1169 * Store a timeout as a synthetic value.
1170 *
1171 * Returns true if the store was successful and we should possibly
1172 * update our timeout estimate.
1173 */
1174 int
1175 circuit_build_times_count_close(circuit_build_times_t *cbt,
1176 int did_onehop,
1177 time_t start_time)
1178 {
1179 if (circuit_build_times_disabled()) {
1180 cbt->close_ms = cbt->timeout_ms
1181 = circuit_build_times_get_initial_timeout();
1182 return 0;
1183 }
1184
1185 /* Record this force-close to help determine if the network is dead */
1186 circuit_build_times_network_close(cbt, did_onehop, start_time);
1187
1188 /* Only count timeouts if network is live.. */
1189 if (!circuit_build_times_network_check_live(cbt)) {
1190 return 0;
1191 }
1192
1193 circuit_build_times_add_time(cbt, CBT_BUILD_ABANDONED);
1194 return 1;
1195 }
1196
1197 /**
1198 * Update timeout counts to determine if we need to expire
1199 * our build time history due to excessive timeouts.
1200 */
1201 void
1202 circuit_build_times_count_timeout(circuit_build_times_t *cbt,
1203 int did_onehop)
1204 {
1205 if (circuit_build_times_disabled()) {
1206 cbt->close_ms = cbt->timeout_ms
1207 = circuit_build_times_get_initial_timeout();
1208 return;
1209 }
1210
1211 circuit_build_times_network_timeout(cbt, did_onehop);
1212
1213 /* If there are a ton of timeouts, we should reset
1214 * the circuit build timeout.
1215 */
1216 circuit_build_times_network_check_changed(cbt);
1217 }
1218
1219 /**
1220 * Estimate a new timeout based on history and set our timeout
1221 * variable accordingly.
1222 */
1223 static int
1224 circuit_build_times_set_timeout_worker(circuit_build_times_t *cbt)
1225 {
1226 if (cbt->total_build_times < circuit_build_times_min_circs_to_observe()) {
1227 return 0;
1228 }
1229
1230 if (!circuit_build_times_update_alpha(cbt))
1231 return 0;
1232
1233 cbt->timeout_ms = circuit_build_times_calculate_timeout(cbt,
1234 circuit_build_times_quantile_cutoff());
1235
1236 cbt->close_ms = circuit_build_times_calculate_timeout(cbt,
1237 circuit_build_times_close_quantile());
1238
1239 /* Sometimes really fast guard nodes give us such a steep curve
1240 * that this ends up being not that much greater than timeout_ms.
1241 * Make it be at least 1 min to handle this case. */
1242 cbt->close_ms = MAX(cbt->close_ms, circuit_build_times_initial_timeout());
1243
1244 cbt->have_computed_timeout = 1;
1245 return 1;
1246 }
1247
1248 /**
1249 * Exposed function to compute a new timeout. Dispatches events and
1250 * also filters out extremely high timeout values.
1251 */
1252 void
1253 circuit_build_times_set_timeout(circuit_build_times_t *cbt)
1254 {
1255 long prev_timeout = tor_lround(cbt->timeout_ms/1000);
1256 double timeout_rate;
1257
1258 if (!circuit_build_times_set_timeout_worker(cbt))
1259 return;
1260
1261 if (cbt->timeout_ms < circuit_build_times_min_timeout()) {
1262 log_warn(LD_CIRC, "Set buildtimeout to low value %lfms. Setting to %dms",
1263 cbt->timeout_ms, circuit_build_times_min_timeout());
1264 cbt->timeout_ms = circuit_build_times_min_timeout();
1265 if (cbt->close_ms < cbt->timeout_ms) {
1266 /* This shouldn't happen because of MAX() in timeout_worker above,
1267 * but doing it just in case */
1268 cbt->close_ms = circuit_build_times_initial_timeout();
1269 }
1270 }
1271
1272 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_COMPUTED);
1273
1274 timeout_rate = circuit_build_times_timeout_rate(cbt);
1275
1276 if (prev_timeout > tor_lround(cbt->timeout_ms/1000)) {
1277 log_notice(LD_CIRC,
1278 "Based on %d circuit times, it looks like we don't need to "
1279 "wait so long for circuits to finish. We will now assume a "
1280 "circuit is too slow to use after waiting %ld seconds.",
1281 cbt->total_build_times,
1282 tor_lround(cbt->timeout_ms/1000));
1283 log_info(LD_CIRC,
1284 "Circuit timeout data: %lfms, %lfms, Xm: %d, a: %lf, r: %lf",
1285 cbt->timeout_ms, cbt->close_ms, cbt->Xm, cbt->alpha,
1286 timeout_rate);
1287 } else if (prev_timeout < tor_lround(cbt->timeout_ms/1000)) {
1288 log_notice(LD_CIRC,
1289 "Based on %d circuit times, it looks like we need to wait "
1290 "longer for circuits to finish. We will now assume a "
1291 "circuit is too slow to use after waiting %ld seconds.",
1292 cbt->total_build_times,
1293 tor_lround(cbt->timeout_ms/1000));
1294 log_info(LD_CIRC,
1295 "Circuit timeout data: %lfms, %lfms, Xm: %d, a: %lf, r: %lf",
1296 cbt->timeout_ms, cbt->close_ms, cbt->Xm, cbt->alpha,
1297 timeout_rate);
1298 } else {
1299 log_info(LD_CIRC,
1300 "Set circuit build timeout to %lds (%lfms, %lfms, Xm: %d, a: %lf,"
1301 " r: %lf) based on %d circuit times",
1302 tor_lround(cbt->timeout_ms/1000),
1303 cbt->timeout_ms, cbt->close_ms, cbt->Xm, cbt->alpha, timeout_rate,
1304 cbt->total_build_times);
1305 }
1306 }
1307
1308 /** Iterate over values of circ_id, starting from conn-\>next_circ_id,
1309 * and with the high bit specified by conn-\>circ_id_type, until we get
1310 * a circ_id that is not in use by any other circuit on that conn.
1311 *
1312 * Return it, or 0 if can't get a unique circ_id.
1313 */
1314 static circid_t
1315 get_unique_circ_id_by_conn(or_connection_t *conn)
1316 {
1317 circid_t test_circ_id;
1318 circid_t attempts=0;
1319 circid_t high_bit;
1320
1321 tor_assert(conn);
1322 if (conn->circ_id_type == CIRC_ID_TYPE_NEITHER) {
1323 log_warn(LD_BUG, "Trying to pick a circuit ID for a connection from "
1324 "a client with no identity.");
1325 return 0;
1326 }
1327 high_bit = (conn->circ_id_type == CIRC_ID_TYPE_HIGHER) ? 1<<15 : 0;
1328 do {
1329 /* Sequentially iterate over test_circ_id=1...1<<15-1 until we find a
1330 * circID such that (high_bit|test_circ_id) is not already used. */
1331 test_circ_id = conn->next_circ_id++;
1332 if (test_circ_id == 0 || test_circ_id >= 1<<15) {
1333 test_circ_id = 1;
1334 conn->next_circ_id = 2;
1335 }
1336 if (++attempts > 1<<15) {
1337 /* Make sure we don't loop forever if all circ_id's are used. This
1338 * matters because it's an external DoS opportunity.
1339 */
1340 log_warn(LD_CIRC,"No unused circ IDs. Failing.");
1341 return 0;
1342 }
1343 test_circ_id |= high_bit;
1344 } while (circuit_id_in_use_on_orconn(test_circ_id, conn));
1345 return test_circ_id;
1346 }
1347
1348 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
1349 * the currently built elements of circuit_t. If <b>verbose</b> is true, also
1350 * list information about link status in a more verbose format using spaces.
1351 * If <b>verbose_names</b> is false, give nicknames for Named routers and hex
1352 * digests for others; if <b>verbose_names</b> is true, use $DIGEST=Name style
1353 * names.
1354 */
1355 static char *
1356 circuit_list_path_impl(origin_circuit_t *circ, int verbose, int verbose_names)
1357 {
1358 crypt_path_t *hop;
1359 smartlist_t *elements;
1360 const char *states[] = {"closed", "waiting for keys", "open"};
1361 char *s;
1362
1363 elements = smartlist_create();
1364
1365 if (verbose) {
1366 const char *nickname = build_state_get_exit_nickname(circ->build_state);
1367 char *cp;
1368 tor_asprintf(&cp, "%s%s circ (length %d%s%s):",
1369 circ->build_state->is_internal ? "internal" : "exit",
1370 circ->build_state->need_uptime ? " (high-uptime)" : "",
1371 circ->build_state->desired_path_len,
1372 circ->_base.state == CIRCUIT_STATE_OPEN ? "" : ", exit ",
1373 circ->_base.state == CIRCUIT_STATE_OPEN ? "" :
1374 (nickname?nickname:"*unnamed*"));
1375 smartlist_add(elements, cp);
1376 }
1377
1378 hop = circ->cpath;
1379 do {
1380 routerinfo_t *ri;
1381 routerstatus_t *rs;
1382 char *elt;
1383 const char *id;
1384 if (!hop)
1385 break;
1386 if (!verbose && hop->state != CPATH_STATE_OPEN)
1387 break;
1388 if (!hop->extend_info)
1389 break;
1390 id = hop->extend_info->identity_digest;
1391 if (verbose_names) {
1392 elt = tor_malloc(MAX_VERBOSE_NICKNAME_LEN+1);
1393 if ((ri = router_get_by_digest(id))) {
1394 router_get_verbose_nickname(elt, ri);
1395 } else if ((rs = router_get_consensus_status_by_id(id))) {
1396 routerstatus_get_verbose_nickname(elt, rs);
1397 } else if (is_legal_nickname(hop->extend_info->nickname)) {
1398 elt[0] = '$';
1399 base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
1400 elt[HEX_DIGEST_LEN+1]= '~';
1401 strlcpy(elt+HEX_DIGEST_LEN+2,
1402 hop->extend_info->nickname, MAX_NICKNAME_LEN+1);
1403 } else {
1404 elt[0] = '$';
1405 base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
1406 }
1407 } else { /* ! verbose_names */
1408 if ((ri = router_get_by_digest(id)) &&
1409 ri->is_named) {
1410 elt = tor_strdup(hop->extend_info->nickname);
1411 } else {
1412 elt = tor_malloc(HEX_DIGEST_LEN+2);
1413 elt[0] = '$';
1414 base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
1415 }
1416 }
1417 tor_assert(elt);
1418 if (verbose) {
1419 size_t len = strlen(elt)+2+strlen(states[hop->state])+1;
1420 char *v = tor_malloc(len);
1421 tor_assert(hop->state <= 2);
1422 tor_snprintf(v,len,"%s(%s)",elt,states[hop->state]);
1423 smartlist_add(elements, v);
1424 tor_free(elt);
1425 } else {
1426 smartlist_add(elements, elt);
1427 }
1428 hop = hop->next;
1429 } while (hop != circ->cpath);
1430
1431 s = smartlist_join_strings(elements, verbose?" ":",", 0, NULL);
1432 SMARTLIST_FOREACH(elements, char*, cp, tor_free(cp));
1433 smartlist_free(elements);
1434 return s;
1435 }
1436
1437 /** If <b>verbose</b> is false, allocate and return a comma-separated
1438 * list of the currently built elements of circuit_t. If
1439 * <b>verbose</b> is true, also list information about link status in
1440 * a more verbose format using spaces.
1441 */
1442 char *
1443 circuit_list_path(origin_circuit_t *circ, int verbose)
1444 {
1445 return circuit_list_path_impl(circ, verbose, 0);
1446 }
1447
1448 /** Allocate and return a comma-separated list of the currently built elements
1449 * of circuit_t, giving each as a verbose nickname.
1450 */
1451 char *
1452 circuit_list_path_for_controller(origin_circuit_t *circ)
1453 {
1454 return circuit_list_path_impl(circ, 0, 1);
1455 }
1456
1457 /** Log, at severity <b>severity</b>, the nicknames of each router in
1458 * circ's cpath. Also log the length of the cpath, and the intended
1459 * exit point.
1460 */
1461 void
1462 circuit_log_path(int severity, unsigned int domain, origin_circuit_t *circ)
1463 {
1464 char *s = circuit_list_path(circ,1);
1465 tor_log(severity,domain,"%s",s);
1466 tor_free(s);
1467 }
1468
1469 /** Tell the rep(utation)hist(ory) module about the status of the links
1470 * in circ. Hops that have become OPEN are marked as successfully
1471 * extended; the _first_ hop that isn't open (if any) is marked as
1472 * unable to extend.
1473 */
1474 /* XXXX Someday we should learn from OR circuits too. */
1475 void
1476 circuit_rep_hist_note_result(origin_circuit_t *circ)
1477 {
1478 crypt_path_t *hop;
1479 char *prev_digest = NULL;
1480 routerinfo_t *router;
1481 hop = circ->cpath;
1482 if (!hop) /* circuit hasn't started building yet. */
1483 return;
1484 if (server_mode(get_options())) {
1485 routerinfo_t *me = router_get_my_routerinfo();
1486 if (!me)
1487 return;
1488 prev_digest = me->cache_info.identity_digest;
1489 }
1490 do {
1491 router = router_get_by_digest(hop->extend_info->identity_digest);
1492 if (router) {
1493 if (prev_digest) {
1494 if (hop->state == CPATH_STATE_OPEN)
1495 rep_hist_note_extend_succeeded(prev_digest,
1496 router->cache_info.identity_digest);
1497 else {
1498 rep_hist_note_extend_failed(prev_digest,
1499 router->cache_info.identity_digest);
1500 break;
1501 }
1502 }
1503 prev_digest = router->cache_info.identity_digest;
1504 } else {
1505 prev_digest = NULL;
1506 }
1507 hop=hop->next;
1508 } while (hop!=circ->cpath);
1509 }
1510
1511 /** Pick all the entries in our cpath. Stop and return 0 when we're
1512 * happy, or return -1 if an error occurs. */
1513 static int
1514 onion_populate_cpath(origin_circuit_t *circ)
1515 {
1516 int r;
1517 again:
1518 r = onion_extend_cpath(circ);
1519 if (r < 0) {
1520 log_info(LD_CIRC,"Generating cpath hop failed.");
1521 return -1;
1522 }
1523 if (r == 0)
1524 goto again;
1525 return 0; /* if r == 1 */
1526 }
1527
1528 /** Create and return a new origin circuit. Initialize its purpose and
1529 * build-state based on our arguments. The <b>flags</b> argument is a
1530 * bitfield of CIRCLAUNCH_* flags. */
1531 origin_circuit_t *
1532 origin_circuit_init(uint8_t purpose, int flags)
1533 {
1534 /* sets circ->p_circ_id and circ->p_conn */
1535 origin_circuit_t *circ = origin_circuit_new();
1536 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OR_WAIT);
1537 circ->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
1538 circ->build_state->onehop_tunnel =
1539 ((flags & CIRCLAUNCH_ONEHOP_TUNNEL) ? 1 : 0);
1540 circ->build_state->need_uptime =
1541 ((flags & CIRCLAUNCH_NEED_UPTIME) ? 1 : 0);
1542 circ->build_state->need_capacity =
1543 ((flags & CIRCLAUNCH_NEED_CAPACITY) ? 1 : 0);
1544 circ->build_state->is_internal =
1545 ((flags & CIRCLAUNCH_IS_INTERNAL) ? 1 : 0);
1546 circ->_base.purpose = purpose;
1547 return circ;
1548 }
1549
1550 /** Build a new circuit for <b>purpose</b>. If <b>exit</b>
1551 * is defined, then use that as your exit router, else choose a suitable
1552 * exit node.
1553 *
1554 * Also launch a connection to the first OR in the chosen path, if
1555 * it's not open already.
1556 */
1557 origin_circuit_t *
1558 circuit_establish_circuit(uint8_t purpose, extend_info_t *exit, int flags)
1559 {
1560 origin_circuit_t *circ;
1561 int err_reason = 0;
1562
1563 circ = origin_circuit_init(purpose, flags);
1564
1565 if (onion_pick_cpath_exit(circ, exit) < 0 ||
1566 onion_populate_cpath(circ) < 0) {
1567 circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_NOPATH);
1568 return NULL;
1569 }
1570
1571 control_event_circuit_status(circ, CIRC_EVENT_LAUNCHED, 0);
1572
1573 if ((err_reason = circuit_handle_first_hop(circ)) < 0) {
1574 circuit_mark_for_close(TO_CIRCUIT(circ), -err_reason);
1575 return NULL;
1576 }
1577 return circ;
1578 }
1579
1580 /** Start establishing the first hop of our circuit. Figure out what
1581 * OR we should connect to, and if necessary start the connection to
1582 * it. If we're already connected, then send the 'create' cell.
1583 * Return 0 for ok, -reason if circ should be marked-for-close. */
1584 int
1585 circuit_handle_first_hop(origin_circuit_t *circ)
1586 {
1587 crypt_path_t *firsthop;
1588 or_connection_t *n_conn;
1589 int err_reason = 0;
1590 const char *msg = NULL;
1591 int should_launch = 0;
1592
1593 firsthop = onion_next_hop_in_cpath(circ->cpath);
1594 tor_assert(firsthop);
1595 tor_assert(firsthop->extend_info);
1596
1597 /* now see if we're already connected to the first OR in 'route' */
1598 log_debug(LD_CIRC,"Looking for firsthop '%s:%u'",
1599 fmt_addr(&firsthop->extend_info->addr),
1600 firsthop->extend_info->port);
1601
1602 n_conn = connection_or_get_for_extend(firsthop->extend_info->identity_digest,
1603 &firsthop->extend_info->addr,
1604 &msg,
1605 &should_launch);
1606
1607 if (!n_conn) {
1608 /* not currently connected in a useful way. */
1609 const char *name = strlen(firsthop->extend_info->nickname) ?
1610 firsthop->extend_info->nickname : fmt_addr(&firsthop->extend_info->addr);
1611 log_info(LD_CIRC, "Next router is %s: %s ",
1612 safe_str_client(name), msg?msg:"???");
1613 circ->_base.n_hop = extend_info_dup(firsthop->extend_info);
1614
1615 if (should_launch) {
1616 if (circ->build_state->onehop_tunnel)
1617 control_event_bootstrap(BOOTSTRAP_STATUS_CONN_DIR, 0);
1618 n_conn = connection_or_connect(&firsthop->extend_info->addr,
1619 firsthop->extend_info->port,
1620 firsthop->extend_info->identity_digest);
1621 if (!n_conn) { /* connect failed, forget the whole thing */
1622 log_info(LD_CIRC,"connect to firsthop failed. Closing.");
1623 return -END_CIRC_REASON_CONNECTFAILED;
1624 }
1625 }
1626
1627 log_debug(LD_CIRC,"connecting in progress (or finished). Good.");
1628 /* return success. The onion/circuit/etc will be taken care of
1629 * automatically (may already have been) whenever n_conn reaches
1630 * OR_CONN_STATE_OPEN.
1631 */
1632 return 0;
1633 } else { /* it's already open. use it. */
1634 tor_assert(!circ->_base.n_hop);
1635 circ->_base.n_conn = n_conn;
1636 log_debug(LD_CIRC,"Conn open. Delivering first onion skin.");
1637 if ((err_reason = circuit_send_next_onion_skin(circ)) < 0) {
1638 log_info(LD_CIRC,"circuit_send_next_onion_skin failed.");
1639 return err_reason;
1640 }
1641 }
1642 return 0;
1643 }
1644
1645 /** Find any circuits that are waiting on <b>or_conn</b> to become
1646 * open and get them to send their create cells forward.
1647 *
1648 * Status is 1 if connect succeeded, or 0 if connect failed.
1649 */
1650 void
1651 circuit_n_conn_done(or_connection_t *or_conn, int status)
1652 {
1653 smartlist_t *pending_circs;
1654 int err_reason = 0;
1655
1656 log_debug(LD_CIRC,"or_conn to %s/%s, status=%d",
1657 or_conn->nickname ? or_conn->nickname : "NULL",
1658 or_conn->_base.address, status);
1659
1660 pending_circs = smartlist_create();
1661 circuit_get_all_pending_on_or_conn(pending_circs, or_conn);
1662
1663 SMARTLIST_FOREACH_BEGIN(pending_circs, circuit_t *, circ)
1664 {
1665 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
1666 * leaving them in in case it's possible for the status of a circuit to
1667 * change as we're going down the list. */
1668 if (circ->marked_for_close || circ->n_conn || !circ->n_hop ||
1669 circ->state != CIRCUIT_STATE_OR_WAIT)
1670 continue;
1671
1672 if (tor_digest_is_zero(circ->n_hop->identity_digest)) {
1673 /* Look at addr/port. This is an unkeyed connection. */
1674 if (!tor_addr_eq(&circ->n_hop->addr, &or_conn->_base.addr) ||
1675 circ->n_hop->port != or_conn->_base.port)
1676 continue;
1677 } else {
1678 /* We expected a key. See if it's the right one. */
1679 if (memcmp(or_conn->identity_digest,
1680 circ->n_hop->identity_digest, DIGEST_LEN))
1681 continue;
1682 }
1683 if (!status) { /* or_conn failed; close circ */
1684 log_info(LD_CIRC,"or_conn failed. Closing circ.");
1685 circuit_mark_for_close(circ, END_CIRC_REASON_OR_CONN_CLOSED);
1686 continue;
1687 }
1688 log_debug(LD_CIRC, "Found circ, sending create cell.");
1689 /* circuit_deliver_create_cell will set n_circ_id and add us to
1690 * orconn_circuid_circuit_map, so we don't need to call
1691 * set_circid_orconn here. */
1692 circ->n_conn = or_conn;
1693 extend_info_free(circ->n_hop);
1694 circ->n_hop = NULL;
1695
1696 if (CIRCUIT_IS_ORIGIN(circ)) {
1697 if ((err_reason =
1698 circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ))) < 0) {
1699 log_info(LD_CIRC,
1700 "send_next_onion_skin failed; circuit marked for closing.");
1701 circuit_mark_for_close(circ, -err_reason);
1702 continue;
1703 /* XXX could this be bad, eg if next_onion_skin failed because conn
1704 * died? */
1705 }
1706 } else {
1707 /* pull the create cell out of circ->onionskin, and send it */
1708 tor_assert(circ->n_conn_onionskin);
1709 if (circuit_deliver_create_cell(circ,CELL_CREATE,
1710 circ->n_conn_onionskin)<0) {
1711 circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT);
1712 continue;
1713 }
1714 tor_free(circ->n_conn_onionskin);
1715 circuit_set_state(circ, CIRCUIT_STATE_OPEN);
1716 }
1717 }
1718 SMARTLIST_FOREACH_END(circ);
1719
1720 smartlist_free(pending_circs);
1721 }
1722
1723 /** Find a new circid that isn't currently in use on the circ->n_conn
1724 * for the outgoing
1725 * circuit <b>circ</b>, and deliver a cell of type <b>cell_type</b>
1726 * (either CELL_CREATE or CELL_CREATE_FAST) with payload <b>payload</b>
1727 * to this circuit.
1728 * Return -1 if we failed to find a suitable circid, else return 0.
1729 */
1730 static int
1731 circuit_deliver_create_cell(circuit_t *circ, uint8_t cell_type,
1732 const char *payload)
1733 {
1734 cell_t cell;
1735 circid_t id;
1736
1737 tor_assert(circ);
1738 tor_assert(circ->n_conn);
1739 tor_assert(payload);
1740 tor_assert(cell_type == CELL_CREATE || cell_type == CELL_CREATE_FAST);
1741
1742 id = get_unique_circ_id_by_conn(circ->n_conn);
1743 if (!id) {
1744 log_warn(LD_CIRC,"failed to get unique circID.");
1745 return -1;
1746 }
1747 log_debug(LD_CIRC,"Chosen circID %u.", id);
1748 circuit_set_n_circid_orconn(circ, id, circ->n_conn);
1749
1750 memset(&cell, 0, sizeof(cell_t));
1751 cell.command = cell_type;
1752 cell.circ_id = circ->n_circ_id;
1753
1754 memcpy(cell.payload, payload, ONIONSKIN_CHALLENGE_LEN);
1755 append_cell_to_circuit_queue(circ, circ->n_conn, &cell,
1756 CELL_DIRECTION_OUT, 0);
1757
1758 if (CIRCUIT_IS_ORIGIN(circ)) {
1759 /* mark it so it gets better rate limiting treatment. */
1760 circ->n_conn->client_used = time(NULL);
1761 }
1762
1763 return 0;
1764 }
1765
1766 /** We've decided to start our reachability testing. If all
1767 * is set, log this to the user. Return 1 if we did, or 0 if
1768 * we chose not to log anything. */
1769 int
1770 inform_testing_reachability(void)
1771 {
1772 char dirbuf[128];
1773 routerinfo_t *me = router_get_my_routerinfo();
1774 if (!me)
1775 return 0;
1776 control_event_server_status(LOG_NOTICE,
1777 "CHECKING_REACHABILITY ORADDRESS=%s:%d",
1778 me->address, me->or_port);
1779 if (me->dir_port) {
1780 tor_snprintf(dirbuf, sizeof(dirbuf), " and DirPort %s:%d",
1781 me->address, me->dir_port);
1782 control_event_server_status(LOG_NOTICE,
1783 "CHECKING_REACHABILITY DIRADDRESS=%s:%d",
1784 me->address, me->dir_port);
1785 }
1786 log_notice(LD_OR, "Now checking whether ORPort %s:%d%s %s reachable... "
1787 "(this may take up to %d minutes -- look for log "
1788 "messages indicating success)",
1789 me->address, me->or_port,
1790 me->dir_port ? dirbuf : "",
1791 me->dir_port ? "are" : "is",
1792 TIMEOUT_UNTIL_UNREACHABILITY_COMPLAINT/60);
1793
1794 return 1;
1795 }
1796
1797 /** Return true iff we should send a create_fast cell to start building a given
1798 * circuit */
1799 static INLINE int
1800 should_use_create_fast_for_circuit(origin_circuit_t *circ)
1801 {
1802 or_options_t *options = get_options();
1803 tor_assert(circ->cpath);
1804 tor_assert(circ->cpath->extend_info);
1805
1806 if (!circ->cpath->extend_info->onion_key)
1807 return 1; /* our hand is forced: only a create_fast will work. */
1808 if (!options->FastFirstHopPK)
1809 return 0; /* we prefer to avoid create_fast */
1810 if (server_mode(options)) {
1811 /* We're a server, and we know an onion key. We can choose.
1812 * Prefer to blend in. */
1813 return 0;
1814 }
1815
1816 return 1;
1817 }
1818
1819 /** This is the backbone function for building circuits.
1820 *
1821 * If circ's first hop is closed, then we need to build a create
1822 * cell and send it forward.
1823 *
1824 * Otherwise, we need to build a relay extend cell and send it
1825 * forward.
1826 *
1827 * Return -reason if we want to tear down circ, else return 0.
1828 */
1829 int
1830 circuit_send_next_onion_skin(origin_circuit_t *circ)
1831 {
1832 crypt_path_t *hop;
1833 routerinfo_t *router;
1834 char payload[2+4+DIGEST_LEN+ONIONSKIN_CHALLENGE_LEN];
1835 char *onionskin;
1836 size_t payload_len;
1837
1838 tor_assert(circ);
1839
1840 if (circ->cpath->state == CPATH_STATE_CLOSED) {
1841 int fast;
1842 uint8_t cell_type;
1843 log_debug(LD_CIRC,"First skin; sending create cell.");
1844 if (circ->build_state->onehop_tunnel)
1845 control_event_bootstrap(BOOTSTRAP_STATUS_ONEHOP_CREATE, 0);
1846 else
1847 control_event_bootstrap(BOOTSTRAP_STATUS_CIRCUIT_CREATE, 0);
1848
1849 router = router_get_by_digest(circ->_base.n_conn->identity_digest);
1850 fast = should_use_create_fast_for_circuit(circ);
1851 if (!fast) {
1852 /* We are an OR and we know the right onion key: we should
1853 * send an old slow create cell.
1854 */
1855 cell_type = CELL_CREATE;
1856 if (onion_skin_create(circ->cpath->extend_info->onion_key,
1857 &(circ->cpath->dh_handshake_state),
1858 payload) < 0) {
1859 log_warn(LD_CIRC,"onion_skin_create (first hop) failed.");
1860 return - END_CIRC_REASON_INTERNAL;
1861 }
1862 note_request("cell: create", 1);
1863 } else {
1864 /* We are not an OR, and we're building the first hop of a circuit to a
1865 * new OR: we can be speedy and use CREATE_FAST to save an RSA operation
1866 * and a DH operation. */
1867 cell_type = CELL_CREATE_FAST;
1868 memset(payload, 0, sizeof(payload));
1869 crypto_rand(circ->cpath->fast_handshake_state,
1870 sizeof(circ->cpath->fast_handshake_state));
1871 memcpy(payload, circ->cpath->fast_handshake_state,
1872 sizeof(circ->cpath->fast_handshake_state));
1873 note_request("cell: create fast", 1);
1874 }
1875
1876 if (circuit_deliver_create_cell(TO_CIRCUIT(circ), cell_type, payload) < 0)
1877 return - END_CIRC_REASON_RESOURCELIMIT;
1878
1879 circ->cpath->state = CPATH_STATE_AWAITING_KEYS;
1880 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_BUILDING);
1881 log_info(LD_CIRC,"First hop: finished sending %s cell to '%s'",
1882 fast ? "CREATE_FAST" : "CREATE",
1883 router ? router->nickname : "<unnamed>");
1884 } else {
1885 tor_assert(circ->cpath->state == CPATH_STATE_OPEN);
1886 tor_assert(circ->_base.state == CIRCUIT_STATE_BUILDING);
1887 log_debug(LD_CIRC,"starting to send subsequent skin.");
1888 hop = onion_next_hop_in_cpath(circ->cpath);
1889 if (!hop) {
1890 /* done building the circuit. whew. */
1891 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN);
1892 if (!circ->build_state->onehop_tunnel) {
1893 struct timeval end;
1894 long timediff;
1895 tor_gettimeofday(&end);
1896 timediff = tv_mdiff(&circ->_base.highres_created, &end);
1897 /*
1898 * If the circuit build time is much greater than we would have cut
1899 * it off at, we probably had a suspend event along this codepath,
1900 * and we should discard the value.
1901 */
1902 if (timediff < 0 || timediff > 2*circ_times.close_ms+1000) {
1903 log_notice(LD_CIRC, "Strange value for circuit build time: %ldmsec. "
1904 "Assuming clock jump.", timediff);
1905 } else if (!circuit_build_times_disabled()) {
1906 /* Don't count circuit times if the network was not live */
1907 if (circuit_build_times_network_check_live(&circ_times)) {
1908 circuit_build_times_add_time(&circ_times, (build_time_t)timediff);
1909 circuit_build_times_set_timeout(&circ_times);
1910 }
1911
1912 if (circ->_base.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
1913 circuit_build_times_network_circ_success(&circ_times);
1914 }
1915 }
1916 }
1917 log_info(LD_CIRC,"circuit built!");
1918 circuit_reset_failure_count(0);
1919 if (circ->build_state->onehop_tunnel)
1920 control_event_bootstrap(BOOTSTRAP_STATUS_REQUESTING_STATUS, 0);
1921 if (!can_complete_circuit && !circ->build_state->onehop_tunnel) {
1922 or_options_t *options = get_options();
1923 can_complete_circuit=1;
1924 /* FFFF Log a count of known routers here */
1925 log_notice(LD_GENERAL,
1926 "Tor has successfully opened a circuit. "
1927 "Looks like client functionality is working.");
1928 control_event_bootstrap(BOOTSTRAP_STATUS_DONE, 0);
1929 control_event_client_status(LOG_NOTICE, "CIRCUIT_ESTABLISHED");
1930 if (server_mode(options) && !check_whether_orport_reachable()) {
1931 inform_testing_reachability();
1932 consider_testing_reachability(1, 1);
1933 }
1934 }
1935 circuit_rep_hist_note_result(circ);
1936 circuit_has_opened(circ); /* do other actions as necessary */
1937
1938 /* We're done with measurement circuits here. Just close them */
1939 if (circ->_base.purpose == CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT)
1940 circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);
1941 return 0;
1942 }
1943
1944 if (tor_addr_family(&hop->extend_info->addr) != AF_INET) {
1945 log_warn(LD_BUG, "Trying to extend to a non-IPv4 address.");
1946 return - END_CIRC_REASON_INTERNAL;
1947 }
1948
1949 set_uint32(payload, tor_addr_to_ipv4n(&hop->extend_info->addr));
1950 set_uint16(payload+4, htons(hop->extend_info->port));
1951
1952 onionskin = payload+2+4;
1953 memcpy(payload+2+4+ONIONSKIN_CHALLENGE_LEN,
1954 hop->extend_info->identity_digest, DIGEST_LEN);
1955 payload_len = 2+4+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN;
1956
1957 if (onion_skin_create(hop->extend_info->onion_key,
1958 &(hop->dh_handshake_state), onionskin) < 0) {
1959 log_warn(LD_CIRC,"onion_skin_create failed.");
1960 return - END_CIRC_REASON_INTERNAL;
1961 }
1962
1963 log_info(LD_CIRC,"Sending extend relay cell.");
1964 note_request("cell: extend", 1);
1965 /* send it to hop->prev, because it will transfer
1966 * it to a create cell and then send to hop */
1967 if (relay_send_command_from_edge(0, TO_CIRCUIT(circ),
1968 RELAY_COMMAND_EXTEND,
1969 payload, payload_len, hop->prev) < 0)
1970 return 0; /* circuit is closed */
1971
1972 hop->state = CPATH_STATE_AWAITING_KEYS;
1973 }
1974 return 0;
1975 }
1976
1977 /** Our clock just jumped by <b>seconds_elapsed</b>. Assume
1978 * something has also gone wrong with our network: notify the user,
1979 * and abandon all not-yet-used circuits. */
1980 void
1981 circuit_note_clock_jumped(int seconds_elapsed)
1982 {
1983 int severity = server_mode(get_options()) ? LOG_WARN : LOG_NOTICE;
1984 tor_log(severity, LD_GENERAL, "Your system clock just jumped %d seconds %s; "
1985 "assuming established circuits no longer work.",
1986 seconds_elapsed >=0 ? seconds_elapsed : -seconds_elapsed,
1987 seconds_elapsed >=0 ? "forward" : "backward");
1988 control_event_general_status(LOG_WARN, "CLOCK_JUMPED TIME=%d",
1989 seconds_elapsed);
1990 can_complete_circuit=0; /* so it'll log when it works again */
1991 control_event_client_status(severity, "CIRCUIT_NOT_ESTABLISHED REASON=%s",
1992 "CLOCK_JUMPED");
1993 circuit_mark_all_unused_circs();
1994 circuit_expire_all_dirty_circs();
1995 }
1996
1997 /** Take the 'extend' <b>cell</b>, pull out addr/port plus the onion
1998 * skin and identity digest for the next hop. If we're already connected,
1999 * pass the onion skin to the next hop using a create cell; otherwise
2000 * launch a new OR connection, and <b>circ</b> will notice when the
2001 * connection succeeds or fails.
2002 *
2003 * Return -1 if we want to warn and tear down the circuit, else return 0.
2004 */
2005 int
2006 circuit_extend(cell_t *cell, circuit_t *circ)
2007 {
2008 or_connection_t *n_conn;
2009 relay_header_t rh;
2010 char *onionskin;
2011 char *id_digest=NULL;
2012 uint32_t n_addr32;
2013 uint16_t n_port;
2014 tor_addr_t n_addr;
2015 const char *msg = NULL;
2016 int should_launch = 0;
2017
2018 if (circ->n_conn) {
2019 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2020 "n_conn already set. Bug/attack. Closing.");
2021 return -1;
2022 }
2023 if (circ->n_hop) {
2024 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2025 "conn to next hop already launched. Bug/attack. Closing.");
2026 return -1;
2027 }
2028
2029 if (!server_mode(get_options())) {
2030 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2031 "Got an extend cell, but running as a client. Closing.");
2032 return -1;
2033 }
2034
2035 relay_header_unpack(&rh, cell->payload);
2036
2037 if (rh.length < 4+2+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN) {
2038 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2039 "Wrong length %d on extend cell. Closing circuit.",
2040 rh.length);
2041 return -1;
2042 }
2043
2044 n_addr32 = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE));
2045 n_port = ntohs(get_uint16(cell->payload+RELAY_HEADER_SIZE+4));
2046 onionskin = cell->payload+RELAY_HEADER_SIZE+4+2;
2047 id_digest = cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN;
2048 tor_addr_from_ipv4h(&n_addr, n_addr32);
2049
2050 if (!n_port || !n_addr32) {
2051 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2052 "Client asked me to extend to zero destination port or addr.");
2053 return -1;
2054 }
2055
2056 /* Check if they asked us for 0000..0000. We support using
2057 * an empty fingerprint for the first hop (e.g. for a bridge relay),
2058 * but we don't want to let people send us extend cells for empty
2059 * fingerprints -- a) because it opens the user up to a mitm attack,
2060 * and b) because it lets an attacker force the relay to hold open a
2061 * new TLS connection for each extend request. */
2062 if (tor_digest_is_zero(id_digest)) {
2063 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2064 "Client asked me to extend without specifying an id_digest.");
2065 return -1;
2066 }
2067
2068 /* Next, check if we're being asked to connect to the hop that the
2069 * extend cell came from. There isn't any reason for that, and it can
2070 * assist circular-path attacks. */
2071 if (!memcmp(id_digest, TO_OR_CIRCUIT(circ)->p_conn->identity_digest,
2072 DIGEST_LEN)) {
2073 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2074 "Client asked me to extend back to the previous hop.");
2075 return -1;
2076 }
2077
2078 n_conn = connection_or_get_for_extend(id_digest,
2079 &n_addr,
2080 &msg,
2081 &should_launch);
2082
2083 if (!n_conn) {
2084 log_debug(LD_CIRC|LD_OR,"Next router (%s:%d): %s",
2085 fmt_addr(&n_addr), (int)n_port, msg?msg:"????");
2086
2087 circ->n_hop = extend_info_alloc(NULL /*nickname*/,
2088 id_digest,
2089 NULL /*onion_key*/,
2090 &n_addr, n_port);
2091
2092 circ->n_conn_onionskin = tor_malloc(ONIONSKIN_CHALLENGE_LEN);
2093 memcpy(circ->n_conn_onionskin, onionskin, ONIONSKIN_CHALLENGE_LEN);
2094 circuit_set_state(circ, CIRCUIT_STATE_OR_WAIT);
2095
2096 if (should_launch) {
2097 /* we should try to open a connection */
2098 n_conn = connection_or_connect(&n_addr, n_port, id_digest);
2099 if (!n_conn) {
2100 log_info(LD_CIRC,"Launching n_conn failed. Closing circuit.");
2101 circuit_mark_for_close(circ, END_CIRC_REASON_CONNECTFAILED);
2102 return 0;
2103 }
2104 log_debug(LD_CIRC,"connecting in progress (or finished). Good.");
2105 }
2106 /* return success. The onion/circuit/etc will be taken care of
2107 * automatically (may already have been) whenever n_conn reaches
2108 * OR_CONN_STATE_OPEN.
2109 */
2110 return 0;
2111 }
2112
2113 tor_assert(!circ->n_hop); /* Connection is already established. */
2114 circ->n_conn = n_conn;
2115 log_debug(LD_CIRC,"n_conn is %s:%u",
2116 n_conn->_base.address,n_conn->_base.port);
2117
2118 if (circuit_deliver_create_cell(circ, CELL_CREATE, onionskin) < 0)
2119 return -1;
2120 return 0;
2121 }
2122
2123 /** Initialize cpath-\>{f|b}_{crypto|digest} from the key material in
2124 * key_data. key_data must contain CPATH_KEY_MATERIAL bytes, which are
2125 * used as follows:
2126 * - 20 to initialize f_digest
2127 * - 20 to initialize b_digest
2128 * - 16 to key f_crypto
2129 * - 16 to key b_crypto
2130 *
2131 * (If 'reverse' is true, then f_XX and b_XX are swapped.)
2132 */
2133 int
2134 circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data,
2135 int reverse)
2136 {
2137 crypto_digest_env_t *tmp_digest;
2138 crypto_cipher_env_t *tmp_crypto;
2139
2140 tor_assert(cpath);
2141 tor_assert(key_data);
2142 tor_assert(!(cpath->f_crypto || cpath->b_crypto ||
2143 cpath->f_digest || cpath->b_digest));
2144
2145 cpath->f_digest = crypto_new_digest_env();
2146 crypto_digest_add_bytes(cpath->f_digest, key_data, DIGEST_LEN);
2147 cpath->b_digest = crypto_new_digest_env();
2148 crypto_digest_add_bytes(cpath->b_digest, key_data+DIGEST_LEN, DIGEST_LEN);
2149
2150 if (!(cpath->f_crypto =
2151 crypto_create_init_cipher(key_data+(2*DIGEST_LEN),1))) {
2152 log_warn(LD_BUG,"Forward cipher initialization failed.");
2153 return -1;
2154 }
2155 if (!(cpath->b_crypto =
2156 crypto_create_init_cipher(key_data+(2*DIGEST_LEN)+CIPHER_KEY_LEN,0))) {
2157 log_warn(LD_BUG,"Backward cipher initialization failed.");
2158 return -1;
2159 }
2160
2161 if (reverse) {
2162 tmp_digest = cpath->f_digest;
2163 cpath->f_digest = cpath->b_digest;
2164 cpath->b_digest = tmp_digest;
2165 tmp_crypto = cpath->f_crypto;
2166 cpath->f_crypto = cpath->b_crypto;
2167 cpath->b_crypto = tmp_crypto;
2168 }
2169
2170 return 0;
2171 }
2172
2173 /** A created or extended cell came back to us on the circuit, and it included
2174 * <b>reply</b> as its body. (If <b>reply_type</b> is CELL_CREATED, the body
2175 * contains (the second DH key, plus KH). If <b>reply_type</b> is
2176 * CELL_CREATED_FAST, the body contains a secret y and a hash H(x|y).)
2177 *
2178 * Calculate the appropriate keys and digests, make sure KH is
2179 * correct, and initialize this hop of the cpath.
2180 *
2181 * Return - reason if we want to mark circ for close, else return 0.
2182 */
2183 int
2184 circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
2185 const char *reply)
2186 {
2187 char keys[CPATH_KEY_MATERIAL_LEN];
2188 crypt_path_t *hop;
2189
2190 if (circ->cpath->state == CPATH_STATE_AWAITING_KEYS)
2191 hop = circ->cpath;
2192 else {
2193 hop = onion_next_hop_in_cpath(circ->cpath);
2194 if (!hop) { /* got an extended when we're all done? */
2195 log_warn(LD_PROTOCOL,"got extended when circ already built? Closing.");
2196 return - END_CIRC_REASON_TORPROTOCOL;
2197 }
2198 }
2199 tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS);
2200
2201 if (reply_type == CELL_CREATED && hop->dh_handshake_state) {
2202 if (onion_skin_client_handshake(hop->dh_handshake_state, reply, keys,
2203 DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
2204 log_warn(LD_CIRC,"onion_skin_client_handshake failed.");
2205 return -END_CIRC_REASON_TORPROTOCOL;
2206 }
2207 /* Remember hash of g^xy */
2208 memcpy(hop->handshake_digest, reply+DH_KEY_LEN, DIGEST_LEN);
2209 } else if (reply_type == CELL_CREATED_FAST && !hop->dh_handshake_state) {
2210 if (fast_client_handshake(hop->fast_handshake_state, reply, keys,
2211 DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
2212 log_warn(LD_CIRC,"fast_client_handshake failed.");
2213 return -END_CIRC_REASON_TORPROTOCOL;
2214 }
2215 memcpy(hop->handshake_digest, reply+DIGEST_LEN, DIGEST_LEN);
2216 } else {
2217 log_warn(LD_PROTOCOL,"CREATED cell type did not match CREATE cell type.");
2218 return -END_CIRC_REASON_TORPROTOCOL;
2219 }
2220
2221 crypto_dh_free(hop->dh_handshake_state); /* don't need it anymore */
2222 hop->dh_handshake_state = NULL;
2223
2224 memset(hop->fast_handshake_state, 0, sizeof(hop->fast_handshake_state));
2225
2226 if (circuit_init_cpath_crypto(hop, keys, 0)<0) {
2227 return -END_CIRC_REASON_TORPROTOCOL;
2228 }
2229
2230 hop->state = CPATH_STATE_OPEN;
2231 log_info(LD_CIRC,"Finished building %scircuit hop:",
2232 (reply_type == CELL_CREATED_FAST) ? "fast " : "");
2233 circuit_log_path(LOG_INFO,LD_CIRC,circ);
2234 control_event_circuit_status(circ, CIRC_EVENT_EXTENDED, 0);
2235
2236 return 0;
2237 }
2238
2239 /** We received a relay truncated cell on circ.
2240 *
2241 * Since we don't ask for truncates currently, getting a truncated
2242 * means that a connection broke or an extend failed. For now,
2243 * just give up: for circ to close, and return 0.
2244 */
2245 int
2246 circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer)
2247 {
2248 // crypt_path_t *victim;
2249 // connection_t *stream;
2250
2251 tor_assert(circ);
2252 tor_assert(layer);
2253
2254 /* XXX Since we don't ask for truncates currently, getting a truncated
2255 * means that a connection broke or an extend failed. For now,
2256 * just give up.
2257 */
2258 circuit_mark_for_close(TO_CIRCUIT(circ),
2259 END_CIRC_REASON_FLAG_REMOTE|END_CIRC_REASON_OR_CONN_CLOSED);
2260 return 0;
2261
2262 #if 0
2263 while (layer->next != circ->cpath) {
2264 /* we need to clear out layer->next */
2265 victim = layer->next;
2266 log_debug(LD_CIRC, "Killing a layer of the cpath.");
2267
2268 for (stream = circ->p_streams; stream; stream=stream->next_stream) {
2269 if (stream->cpath_layer == victim) {
2270 log_info(LD_APP, "Marking stream %d for close because of truncate.",
2271 stream->stream_id);
2272 /* no need to send 'end' relay cells,
2273 * because the other side's already dead
2274 */
2275 connection_mark_unattached_ap(stream, END_STREAM_REASON_DESTROY);
2276 }
2277 }
2278
2279 layer->next = victim->next;
2280 circuit_free_cpath_node(victim);
2281 }
2282
2283 log_info(LD_CIRC, "finished");
2284 return 0;
2285 #endif
2286 }
2287
2288 /** Given a response payload and keys, initialize, then send a created
2289 * cell back.
2290 */
2291 int
2292 onionskin_answer(or_circuit_t *circ, uint8_t cell_type, const char *payload,
2293 const char *keys)
2294 {
2295 cell_t cell;
2296 crypt_path_t *tmp_cpath;
2297
2298 tmp_cpath = tor_malloc_zero(sizeof(crypt_path_t));
2299 tmp_cpath->magic = CRYPT_PATH_MAGIC;
2300
2301 memset(&cell, 0, sizeof(cell_t));
2302 cell.command = cell_type;
2303 cell.circ_id = circ->p_circ_id;
2304
2305 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN);
2306
2307 memcpy(cell.payload, payload,
2308 cell_type == CELL_CREATED ? ONIONSKIN_REPLY_LEN : DIGEST_LEN*2);
2309
2310 log_debug(LD_CIRC,"init digest forward 0x%.8x, backward 0x%.8x.",
2311 (unsigned int)get_uint32(keys),
2312 (unsigned int)get_uint32(keys+20));
2313 if (circuit_init_cpath_crypto(tmp_cpath, keys, 0)<0) {
2314 log_warn(LD_BUG,"Circuit initialization failed");
2315 tor_free(tmp_cpath);
2316 return -1;
2317 }
2318 circ->n_digest = tmp_cpath->f_digest;
2319 circ->n_crypto = tmp_cpath->f_crypto;
2320 circ->p_digest = tmp_cpath->b_digest;
2321 circ->p_crypto = tmp_cpath->b_crypto;
2322 tmp_cpath->magic = 0;
2323 tor_free(tmp_cpath);
2324
2325 if (cell_type == CELL_CREATED)
2326 memcpy(circ->handshake_digest, cell.payload+DH_KEY_LEN, DIGEST_LEN);
2327 else
2328 memcpy(circ->handshake_digest, cell.payload+DIGEST_LEN, DIGEST_LEN);
2329
2330 circ->is_first_hop = (cell_type == CELL_CREATED_FAST);
2331
2332 append_cell_to_circuit_queue(TO_CIRCUIT(circ),
2333 circ->p_conn, &cell, CELL_DIRECTION_IN, 0);
2334 log_debug(LD_CIRC,"Finished sending 'created' cell.");
2335
2336 if (!is_local_addr(&circ->p_conn->_base.addr) &&
2337 !connection_or_nonopen_was_started_here(circ->p_conn)) {
2338 /* record that we could process create cells from a non-local conn
2339 * that we didn't initiate; presumably this means that create cells
2340 * can reach us too. */
2341 router_orport_found_reachable();
2342 }
2343
2344 return 0;
2345 }
2346
2347 /** Choose a length for a circuit of purpose <b>purpose</b>.
2348 * Default length is 3 + the number of endpoints that would give something
2349 * away. If the routerlist <b>routers</b> doesn't have enough routers
2350 * to handle the desired path length, return as large a path length as
2351 * is feasible, except if it's less than 2, in which case return -1.
2352 */
2353 static int
2354 new_route_len(uint8_t purpose, extend_info_t *exit,
2355 smartlist_t *routers)
2356 {
2357 int num_acceptable_routers;
2358 int routelen;
2359
2360 tor_assert(routers);
2361
2362 routelen = DEFAULT_ROUTE_LEN;
2363 if (exit &&
2364 purpose != CIRCUIT_PURPOSE_TESTING &&
2365 purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)
2366 routelen++;
2367
2368 num_acceptable_routers = count_acceptable_routers(routers);
2369
2370 log_debug(LD_CIRC,"Chosen route length %d (%d/%d routers suitable).",
2371 routelen, num_acceptable_routers, smartlist_len(routers));
2372
2373 if (num_acceptable_routers < 2) {
2374 log_info(LD_CIRC,
2375 "Not enough acceptable routers (%d). Discarding this circuit.",
2376 num_acceptable_routers);
2377 return -1;
2378 }
2379
2380 if (num_acceptable_routers < routelen) {
2381 log_info(LD_CIRC,"Not enough routers: cutting routelen from %d to %d.",
2382 routelen, num_acceptable_routers);
2383 routelen = num_acceptable_routers;
2384 }
2385
2386 return routelen;
2387 }
2388
2389 /** Fetch the list of predicted ports, dup it into a smartlist of
2390 * uint16_t's, remove the ones that are already handled by an
2391 * existing circuit, and return it.
2392 */
2393 static smartlist_t *
2394 circuit_get_unhandled_ports(time_t now)
2395 {
2396 smartlist_t *source = rep_hist_get_predicted_ports(now);
2397 smartlist_t *dest = smartlist_create();
2398 uint16_t *tmp;
2399 int i;
2400
2401 for (i = 0; i < smartlist_len(source); ++i) {
2402 tmp = tor_malloc(sizeof(uint16_t));
2403 memcpy(tmp, smartlist_get(source, i), sizeof(uint16_t));
2404 smartlist_add(dest, tmp);
2405 }
2406
2407 circuit_remove_handled_ports(dest);
2408 return dest;
2409 }
2410
2411 /** Return 1 if we already have circuits present or on the way for
2412 * all anticipated ports. Return 0 if we should make more.
2413 *
2414 * If we're returning 0, set need_uptime and need_capacity to
2415 * indicate any requirements that the unhandled ports have.
2416 */
2417 int
2418 circuit_all_predicted_ports_handled(time_t now, int *need_uptime,
2419 int *need_capacity)
2420 {
2421 int i, enough;
2422 uint16_t *port;
2423 smartlist_t *sl = circuit_get_unhandled_ports(now);
2424 smartlist_t *LongLivedServices = get_options()->LongLivedPorts;
2425 tor_assert(need_uptime);
2426 tor_assert(need_capacity);
2427 // Always predict need_capacity
2428 *need_capacity = 1;
2429 enough = (smartlist_len(sl) == 0);
2430 for (i = 0; i < smartlist_len(sl); ++i) {
2431 port = smartlist_get(sl, i);
2432 if (smartlist_string_num_isin(LongLivedServices, *port))
2433 *need_uptime = 1;
2434 tor_free(port);
2435 }
2436 smartlist_free(sl);
2437 return enough;
2438 }
2439
2440 /** Return 1 if <b>router</b> can handle one or more of the ports in
2441 * <b>needed_ports</b>, else return 0.
2442 */
2443 static int
2444 router_handles_some_port(routerinfo_t *router, smartlist_t *needed_ports)
2445 {
2446 int i;
2447 uint16_t port;
2448
2449 for (i = 0; i < smartlist_len(needed_ports); ++i) {
2450 addr_policy_result_t r;
2451 /* alignment issues aren't a worry for this dereference, since
2452 needed_ports is explicitly a smartlist of uint16_t's */
2453 port = *(uint16_t *)smartlist_get(needed_ports, i);
2454 tor_assert(port);
2455 r = compare_addr_to_addr_policy(0, port, router->exit_policy);
2456 if (r != ADDR_POLICY_REJECTED && r != ADDR_POLICY_PROBABLY_REJECTED)
2457 return 1;
2458 }
2459 return 0;
2460 }
2461
2462 /** Return true iff <b>conn</b> needs another general circuit to be
2463 * built. */
2464 static int
2465 ap_stream_wants_exit_attention(connection_t *conn)
2466 {
2467 if (conn->type == CONN_TYPE_AP &&
2468 conn->state == AP_CONN_STATE_CIRCUIT_WAIT &&
2469 !conn->marked_for_close &&
2470 !(TO_EDGE_CONN(conn)->want_onehop) && /* ignore one-hop streams */
2471 !(TO_EDGE_CONN(conn)->use_begindir) && /* ignore targeted dir fetches */
2472 !(TO_EDGE_CONN(conn)->chosen_exit_name) && /* ignore defined streams */
2473 !connection_edge_is_rendezvous_stream(TO_EDGE_CONN(conn)) &&
2474 !circuit_stream_is_being_handled(TO_EDGE_CONN(conn), 0,
2475 MIN_CIRCUITS_HANDLING_STREAM))
2476 return 1;
2477 return 0;
2478 }
2479
2480 /** Return a pointer to a suitable router to be the exit node for the
2481 * general-purpose circuit we're about to build.
2482 *
2483 * Look through the connection array, and choose a router that maximizes
2484 * the number of pending streams that can exit from this router.
2485 *
2486 * Return NULL if we can't find any suitable routers.
2487 */
2488 static routerinfo_t *
2489 choose_good_exit_server_general(routerlist_t *dir, int need_uptime,
2490 int need_capacity)
2491 {
2492 int *n_supported;
2493 int i;
2494 int n_pending_connections = 0;
2495 smartlist_t *connections;
2496 int best_support = -1;
2497 int n_best_support=0;
2498 routerinfo_t *router;
2499 or_options_t *options = get_options();
2500
2501 connections = get_connection_array();
2502
2503 /* Count how many connections are waiting for a circuit to be built.
2504 * We use this for log messages now, but in the future we may depend on it.
2505 */
2506 SMARTLIST_FOREACH(connections, connection_t *, conn,
2507 {
2508 if (ap_stream_wants_exit_attention(conn))
2509 ++n_pending_connections;
2510 });
2511 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
2512 // n_pending_connections);
2513 /* Now we count, for each of the routers in the directory, how many
2514 * of the pending connections could possibly exit from that
2515 * router (n_supported[i]). (We can't be sure about cases where we
2516 * don't know the IP address of the pending connection.)
2517 *
2518 * -1 means "Don't use this router at all."
2519 */
2520 n_supported = tor_malloc(sizeof(int)*smartlist_len(dir->routers));
2521 for (i = 0; i < smartlist_len(dir->routers); ++i) {/* iterate over routers */
2522 router = smartlist_get(dir->routers, i);
2523 if (router_is_me(router)) {
2524 n_supported[i] = -1;
2525 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
2526 /* XXX there's probably a reverse predecessor attack here, but
2527 * it's slow. should we take this out? -RD
2528 */
2529 continue;
2530 }
2531 if (!router->is_running || router->is_bad_exit) {
2532 n_supported[i] = -1;
2533 continue; /* skip routers that are known to be down or bad exits */
2534 }
2535 if (router_is_unreliable(router, need_uptime, need_capacity, 0) &&
2536 (!options->ExitNodes ||
2537 !routerset_contains_router(options->ExitNodes, router))) {
2538 /* FFFF Someday, differentiate between a routerset that names
2539 * routers, and a routerset that names countries, and only do this
2540 * check if they've asked for specific exit relays. Or if the country
2541 * they ask for is rare. Or something. */
2542 n_supported[i] = -1;
2543 continue; /* skip routers that are not suitable, unless we have
2544 * ExitNodes set, in which case we asked for it */
2545 }
2546 if (!(router->is_valid || options->_AllowInvalid & ALLOW_INVALID_EXIT)) {
2547 /* if it's invalid and we don't want it */
2548 n_supported[i] = -1;
2549 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- invalid router.",
2550 // router->nickname, i);
2551 continue; /* skip invalid routers */
2552 }
2553 if (options->ExcludeSingleHopRelays && router->allow_single_hop_exits) {
2554 n_supported[i] = -1;
2555 continue;
2556 }
2557 if (router_exit_policy_rejects_all(router)) {
2558 n_supported[i] = -1;
2559 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
2560 // router->nickname, i);
2561 continue; /* skip routers that reject all */
2562 }
2563 n_supported[i] = 0;
2564 /* iterate over connections */
2565 SMARTLIST_FOREACH(connections, connection_t *, conn,
2566 {
2567 if (!ap_stream_wants_exit_attention(conn))
2568 continue; /* Skip everything but APs in CIRCUIT_WAIT */
2569 if (connection_ap_can_use_exit(TO_EDGE_CONN(conn), router, 1)) {
2570 ++n_supported[i];
2571 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
2572 // router->nickname, i, n_supported[i]);
2573 } else {
2574 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
2575 // router->nickname, i);
2576 }
2577 }); /* End looping over connections. */
2578 if (n_pending_connections > 0 && n_supported[i] == 0) {
2579 /* Leave best_support at -1 if that's where it is, so we can
2580 * distinguish it later. */
2581 continue;
2582 }
2583 if (n_supported[i] > best_support) {
2584 /* If this router is better than previous ones, remember its index
2585 * and goodness, and start counting how many routers are this good. */
2586 best_support = n_supported[i]; n_best_support=1;
2587 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
2588 // router->nickname);
2589 } else if (n_supported[i] == best_support) {
2590 /* If this router is _as good_ as the best one, just increment the
2591 * count of equally good routers.*/
2592 ++n_best_support;
2593 }
2594 }
2595 log_info(LD_CIRC,
2596 "Found %d servers that might support %d/%d pending connections.",
2597 n_best_support, best_support >= 0 ? best_support : 0,
2598 n_pending_connections);
2599
2600 /* If any routers definitely support any pending connections, choose one
2601 * at random. */
2602 if (best_support > 0) {
2603 smartlist_t *supporting = smartlist_create(), *use = smartlist_create();
2604
2605 for (i = 0; i < smartlist_len(dir->routers); i++)
2606 if (n_supported[i] == best_support)
2607 smartlist_add(supporting, smartlist_get(dir->routers, i));
2608
2609 routersets_get_disjunction(use, supporting, options->ExitNodes,
2610 options->_ExcludeExitNodesUnion, 1);
2611 if (smartlist_len(use) == 0 && options->ExitNodes &&
2612 !options->StrictNodes) { /* give up on exitnodes and try again */
2613 routersets_get_disjunction(use, supporting, NULL,
2614 options->_ExcludeExitNodesUnion, 1);
2615 }
2616 router = routerlist_sl_choose_by_bandwidth(use, WEIGHT_FOR_EXIT);
2617 smartlist_free(use);
2618 smartlist_free(supporting);
2619 } else {
2620 /* Either there are no pending connections, or no routers even seem to
2621 * possibly support any of them. Choose a router at random that satisfies
2622 * at least one predicted exit port. */
2623
2624 int attempt;
2625 smartlist_t *needed_ports, *supporting, *use;
2626
2627 if (best_support == -1) {
2628 if (need_uptime || need_capacity) {
2629 log_info(LD_CIRC,
2630 "We couldn't find any live%s%s routers; falling back "
2631 "to list of all routers.",
2632 need_capacity?", fast":"",
2633 need_uptime?", stable":"");
2634 tor_free(n_supported);
2635 return choose_good_exit_server_general(dir, 0, 0);
2636 }
2637 log_notice(LD_CIRC, "All routers are down or won't exit%s -- "
2638 "choosing a doomed exit at random.",
2639 options->_ExcludeExitNodesUnion ? " or are Excluded" : "");
2640 }
2641 supporting = smartlist_create();
2642 use = smartlist_create();
2643 needed_ports = circuit_get_unhandled_ports(time(NULL));
2644 for (attempt = 0; attempt < 2; attempt++) {
2645 /* try once to pick only from routers that satisfy a needed port,
2646 * then if there are none, pick from any that support exiting. */
2647 for (i = 0; i < smartlist_len(dir->routers); i++) {
2648 router = smartlist_get(dir->routers, i);
2649 if (n_supported[i] != -1 &&
2650 (attempt || router_handles_some_port(router, needed_ports))) {
2651 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
2652 // try, router->nickname);
2653 smartlist_add(supporting, router);
2654 }
2655 }
2656
2657 routersets_get_disjunction(use, supporting, options->ExitNodes,
2658 options->_ExcludeExitNodesUnion, 1);
2659 if (smartlist_len(use) == 0 && options->ExitNodes &&
2660 !options->StrictNodes) { /* give up on exitnodes and try again */
2661 routersets_get_disjunction(use, supporting, NULL,
2662 options->_ExcludeExitNodesUnion, 1);
2663 }
2664 /* FFF sometimes the above results in null, when the requested
2665 * exit node is considered down by the consensus. we should pick
2666 * it anyway, since the user asked for it. */
2667 router = routerlist_sl_choose_by_bandwidth(use, WEIGHT_FOR_EXIT);
2668 if (router)
2669 break;
2670 smartlist_clear(supporting);
2671 smartlist_clear(use);
2672 }
2673 SMARTLIST_FOREACH(needed_ports, uint16_t *, cp, tor_free(cp));
2674 smartlist_free(needed_ports);
2675 smartlist_free(use);
2676 smartlist_free(supporting);
2677 }
2678
2679 tor_free(n_supported);
2680 if (router) {
2681 log_info(LD_CIRC, "Chose exit server '%s'", router->nickname);
2682 return router;
2683 }
2684 if (options->ExitNodes && options->StrictNodes) {
2685 log_warn(LD_CIRC,
2686 "No specified exit routers seem to be running, and "
2687 "StrictNodes is set: can't choose an exit.");
2688 }
2689 return NULL;
2690 }
2691
2692 /** Return a pointer to a suitable router to be the exit node for the
2693 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
2694 * if no router is suitable).
2695 *
2696 * For general-purpose circuits, pass it off to
2697 * choose_good_exit_server_general()
2698 *
2699 * For client-side rendezvous circuits, choose a random node, weighted
2700 * toward the preferences in 'options'.
2701 */
2702 static routerinfo_t *
2703 choose_good_exit_server(uint8_t purpose, routerlist_t *dir,
2704 int need_uptime, int need_capacity, int is_internal)
2705 {
2706 or_options_t *options = get_options();
2707 router_crn_flags_t flags = 0;
2708 if (need_uptime)
2709 flags |= CRN_NEED_UPTIME;
2710 if (need_capacity)
2711 flags |= CRN_NEED_CAPACITY;
2712
2713 switch (purpose) {
2714 case CIRCUIT_PURPOSE_C_GENERAL:
2715 if (options->_AllowInvalid & ALLOW_INVALID_MIDDLE)
2716 flags |= CRN_ALLOW_INVALID;
2717 if (is_internal) /* pick it like a middle hop */
2718 return router_choose_random_node(NULL, options->ExcludeNodes, flags);
2719 else
2720 return choose_good_exit_server_general(dir,need_uptime,need_capacity);
2721 case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
2722 if (options->_AllowInvalid & ALLOW_INVALID_RENDEZVOUS)
2723 flags |= CRN_ALLOW_INVALID;
2724 return router_choose_random_node(NULL, options->ExcludeNodes, flags);
2725 }
2726 log_warn(LD_BUG,"Unhandled purpose %d", purpose);
2727 tor_fragile_assert();
2728 return NULL;
2729 }
2730
2731 /** Log a warning if the user specified an exit for the circuit that
2732 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
2733 static void
2734 warn_if_last_router_excluded(origin_circuit_t *circ, const extend_info_t *exit)
2735 {
2736 or_options_t *options = get_options();
2737 routerset_t *rs = options->ExcludeNodes;
2738 const char *description;
2739 int domain = LD_CIRC;
2740 uint8_t purpose = circ->_base.purpose;
2741
2742 if (circ->build_state->onehop_tunnel)
2743 return;
2744
2745 switch (purpose)
2746 {
2747 default:
2748 case CIRCUIT_PURPOSE_OR:
2749 case CIRCUIT_PURPOSE_INTRO_POINT:
2750 case CIRCUIT_PURPOSE_REND_POINT_WAITING:
2751 case CIRCUIT_PURPOSE_REND_ESTABLISHED:
2752 log_warn(LD_BUG, "Called on non-origin circuit (purpose %d)",
2753 (int)purpose);
2754 return;
2755 case CIRCUIT_PURPOSE_C_GENERAL:
2756 if (circ->build_state->is_internal)
2757 return;
2758 description = "Requested exit node";
2759 rs = options->_ExcludeExitNodesUnion;
2760 break;
2761 case CIRCUIT_PURPOSE_C_INTRODUCING:
2762 case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT:
2763 case CIRCUIT_PURPOSE_C_INTRODUCE_ACKED:
2764 case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
2765 case CIRCUIT_PURPOSE_S_CONNECT_REND:
2766 case CIRCUIT_PURPOSE_S_REND_JOINED:
2767 case CIRCUIT_PURPOSE_TESTING:
2768 return;
2769 case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
2770 case CIRCUIT_PURPOSE_C_REND_READY:
2771 case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED:
2772 case CIRCUIT_PURPOSE_C_REND_JOINED:
2773 description = "Chosen rendezvous point";
2774 domain = LD_BUG;
2775 break;
2776 case CIRCUIT_PURPOSE_CONTROLLER:
2777 rs = options->_ExcludeExitNodesUnion;
2778 description = "Controller-selected circuit target";
2779 break;
2780 }
2781
2782 if (routerset_contains_extendinfo(rs, exit)) {
2783 log_fn(LOG_WARN, domain, "%s '%s' is in ExcludeNodes%s. Using anyway "
2784 "(circuit purpose %d).",
2785 description,exit->nickname,
2786 rs==options->ExcludeNodes?"":" or ExcludeExitNodes",
2787 (int)purpose);
2788 circuit_log_path(LOG_WARN, domain, circ);
2789 }
2790
2791 return;
2792 }
2793
2794 /** Decide a suitable length for circ's cpath, and pick an exit
2795 * router (or use <b>exit</b> if provided). Store these in the
2796 * cpath. Return 0 if ok, -1 if circuit should be closed. */
2797 static int
2798 onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit)
2799 {
2800 cpath_build_state_t *state = circ->build_state;
2801 routerlist_t *rl = router_get_routerlist();
2802
2803 if (state->onehop_tunnel) {
2804 log_debug(LD_CIRC, "Launching a one-hop circuit for dir tunnel.");
2805 state->desired_path_len = 1;
2806 } else {
2807 int r = new_route_len(circ->_base.purpose, exit, rl->routers);
2808 if (r < 1) /* must be at least 1 */
2809 return -1;
2810 state->desired_path_len = r;
2811 }
2812
2813 if (exit) { /* the circuit-builder pre-requested one */
2814 warn_if_last_router_excluded(circ, exit);
2815 log_info(LD_CIRC,"Using requested exit node '%s'", exit->nickname);
2816 exit = extend_info_dup(exit);
2817 } else { /* we have to decide one */
2818 routerinfo_t *router =
2819 choose_good_exit_server(circ->_base.purpose, rl, state->need_uptime,
2820 state->need_capacity, state->is_internal);
2821 if (!router) {
2822 log_warn(LD_CIRC,"failed to choose an exit server");
2823 return -1;
2824 }
2825 exit = extend_info_from_router(router);
2826 }
2827 state->chosen_exit = exit;
2828 return 0;
2829 }
2830
2831 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
2832 * hop to the cpath reflecting this. Don't send the next extend cell --
2833 * the caller will do this if it wants to.
2834 */
2835 int
2836 circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *exit)
2837 {
2838 cpath_build_state_t *state;
2839 tor_assert(exit);
2840 tor_assert(circ);
2841
2842 state = circ->build_state;
2843 tor_assert(state);
2844 extend_info_free(state->chosen_exit);
2845 state->chosen_exit = extend_info_dup(exit);
2846
2847 ++circ->build_state->desired_path_len;
2848 onion_append_hop(&circ->cpath, exit);
2849 return 0;
2850 }
2851
2852 /** Take an open <b>circ</b>, and add a new hop at the end, based on
2853 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
2854 * send the next extend cell to begin connecting to that hop.
2855 */
2856 int
2857 circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *exit)
2858 {
2859 int err_reason = 0;
2860 warn_if_last_router_excluded(circ, exit);
2861 circuit_append_new_exit(circ, exit);
2862 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_BUILDING);
2863 if ((err_reason = circuit_send_next_onion_skin(circ))<0) {
2864 log_warn(LD_CIRC, "Couldn't extend circuit to new point '%s'.",
2865 exit->nickname);
2866 circuit_mark_for_close(TO_CIRCUIT(circ), -err_reason);
2867 return -1;
2868 }
2869 return 0;
2870 }
2871
2872 /** Return the number of routers in <b>routers</b> that are currently up
2873 * and available for building circuits through.
2874 */
2875 static int
2876 count_acceptable_routers(smartlist_t *routers)
2877 {
2878 int i, n;
2879 int num=0;
2880 routerinfo_t *r;
2881
2882 n = smartlist_len(routers);
2883 for (i=0;i<n;i++) {
2884 r = smartlist_get(routers, i);
2885 // log_debug(LD_CIRC,
2886 // "Contemplating whether router %d (%s) is a new option.",
2887 // i, r->nickname);
2888 if (r->is_running == 0) {
2889 // log_debug(LD_CIRC,"Nope, the directory says %d is not running.",i);
2890 goto next_i_loop;
2891 }
2892 if (r->is_valid == 0) {
2893 // log_debug(LD_CIRC,"Nope, the directory says %d is not valid.",i);
2894 goto next_i_loop;
2895 /* XXX This clause makes us count incorrectly: if AllowInvalidRouters
2896 * allows this node in some places, then we're getting an inaccurate
2897 * count. For now, be conservative and don't count it. But later we
2898 * should try to be smarter. */
2899 }
2900 num++;
2901 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
2902 next_i_loop:
2903 ; /* C requires an explicit statement after the label */
2904 }
2905
2906 return num;
2907 }
2908
2909 /** Add <b>new_hop</b> to the end of the doubly-linked-list <b>head_ptr</b>.
2910 * This function is used to extend cpath by another hop.
2911 */
2912 void
2913 onion_append_to_cpath(crypt_path_t **head_ptr, crypt_path_t *new_hop)
2914 {
2915 if (*head_ptr) {
2916 new_hop->next = (*head_ptr);
2917 new_hop->prev = (*head_ptr)->prev;
2918 (*head_ptr)->prev->next = new_hop;
2919 (*head_ptr)->prev = new_hop;
2920 } else {
2921 *head_ptr = new_hop;
2922 new_hop->prev = new_hop->next = new_hop;
2923 }
2924 }
2925
2926 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
2927 * and <b>state</b> and the cpath <b>head</b> (currently populated only
2928 * to length <b>cur_len</b> to decide a suitable middle hop for a
2929 * circuit. In particular, make sure we don't pick the exit node or its
2930 * family, and make sure we don't duplicate any previous nodes or their
2931 * families. */
2932 static routerinfo_t *
2933 choose_good_middle_server(uint8_t purpose,
2934 cpath_build_state_t *state,
2935 crypt_path_t *head,
2936 int cur_len)
2937 {
2938 int i;
2939 routerinfo_t *r, *choice;
2940 crypt_path_t *cpath;
2941 smartlist_t *excluded;
2942 or_options_t *options = get_options();
2943 router_crn_flags_t flags = 0;
2944 tor_assert(_CIRCUIT_PURPOSE_MIN <= purpose &&
2945 purpose <= _CIRCUIT_PURPOSE_MAX);
2946
2947 log_debug(LD_CIRC, "Contemplating intermediate hop: random choice.");
2948 excluded = smartlist_create();
2949 if ((r = build_state_get_exit_router(state))) {
2950 smartlist_add(excluded, r);
2951 routerlist_add_family(excluded, r);
2952 }
2953 for (i = 0, cpath = head; i < cur_len; ++i, cpath=cpath->next) {
2954 if ((r = router_get_by_digest(cpath->extend_info->identity_digest))) {
2955 smartlist_add(excluded, r);
2956 routerlist_add_family(excluded, r);
2957 }
2958 }
2959
2960 if (state->need_uptime)
2961 flags |= CRN_NEED_UPTIME;
2962 if (state->need_capacity)
2963 flags |= CRN_NEED_CAPACITY;
2964 if (options->_AllowInvalid & ALLOW_INVALID_MIDDLE)
2965 flags |= CRN_ALLOW_INVALID;
2966 choice = router_choose_random_node(excluded, options->ExcludeNodes, flags);
2967 smartlist_free(excluded);
2968 return choice;
2969 }
2970
2971 /** Pick a good entry server for the circuit to be built according to
2972 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
2973 * router (if we're an OR), and respect firewall settings; if we're
2974 * configured to use entry guards, return one.
2975 *
2976 * If <b>state</b> is NULL, we're choosing a router to serve as an entry
2977 * guard, not for any particular circuit.
2978 */
2979 static routerinfo_t *
2980 choose_good_entry_server(uint8_t purpose, cpath_build_state_t *state)
2981 {
2982 routerinfo_t *r, *choice;
2983 smartlist_t *excluded;
2984 or_options_t *options = get_options();
2985 router_crn_flags_t flags = CRN_NEED_GUARD;
2986
2987 if (state && options->UseEntryGuards &&
2988 (purpose != CIRCUIT_PURPOSE_TESTING || options->BridgeRelay)) {
2989 return choose_random_entry(state);
2990 }
2991
2992 excluded = smartlist_create();
2993
2994 if (state && (r = build_state_get_exit_router(state))) {
2995 smartlist_add(excluded, r);
2996 routerlist_add_family(excluded, r);
2997 }
2998 if (firewall_is_fascist_or()) {
2999 /*XXXX This could slow things down a lot; use a smarter implementation */
3000 /* exclude all ORs that listen on the wrong port, if anybody notices. */
3001 routerlist_t *rl = router_get_routerlist();
3002 int i;
3003
3004 for (i=0; i < smartlist_len(rl->routers); i++) {
3005 r = smartlist_get(rl->routers, i);
3006 if (!fascist_firewall_allows_or(r))
3007 smartlist_add(excluded, r);
3008 }
3009 }
3010 /* and exclude current entry guards, if applicable */
3011 if (options->UseEntryGuards && entry_guards) {
3012 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3013 {
3014 if ((r = router_get_by_digest(entry->identity))) {
3015 smartlist_add(excluded, r);
3016 routerlist_add_family(excluded, r);
3017 }
3018 });
3019 }
3020
3021 if (state) {
3022 if (state->need_uptime)
3023 flags |= CRN_NEED_UPTIME;
3024 if (state->need_capacity)
3025 flags |= CRN_NEED_CAPACITY;
3026 }
3027 if (options->_AllowInvalid & ALLOW_INVALID_ENTRY)
3028 flags |= CRN_ALLOW_INVALID;
3029
3030 choice = router_choose_random_node(excluded, options->ExcludeNodes, flags);
3031 smartlist_free(excluded);
3032 return choice;
3033 }
3034
3035 /** Return the first non-open hop in cpath, or return NULL if all
3036 * hops are open. */
3037 static crypt_path_t *
3038 onion_next_hop_in_cpath(crypt_path_t *cpath)
3039 {
3040 crypt_path_t *hop = cpath;
3041 do {
3042 if (hop->state != CPATH_STATE_OPEN)
3043 return hop;
3044 hop = hop->next;
3045 } while (hop != cpath);
3046 return NULL;
3047 }
3048
3049 /** Choose a suitable next hop in the cpath <b>head_ptr</b>,
3050 * based on <b>state</b>. Append the hop info to head_ptr.
3051 */
3052 static int
3053 onion_extend_cpath(origin_circuit_t *circ)
3054 {
3055 uint8_t purpose = circ->_base.purpose;
3056 cpath_build_state_t *state = circ->build_state;
3057 int cur_len = circuit_get_cpath_len(circ);
3058 extend_info_t *info = NULL;
3059
3060 if (cur_len >= state->desired_path_len) {
3061 log_debug(LD_CIRC, "Path is complete: %d steps long",
3062 state->desired_path_len);
3063 return 1;
3064 }
3065
3066 log_debug(LD_CIRC, "Path is %d long; we want %d", cur_len,
3067 state->desired_path_len);
3068
3069 if (cur_len == state->desired_path_len - 1) { /* Picking last node */
3070 info = extend_info_dup(state->chosen_exit);
3071 } else if (cur_len == 0) { /* picking first node */
3072 routerinfo_t *r = choose_good_entry_server(purpose, state);
3073 if (r)
3074 info = extend_info_from_router(r);
3075 } else {
3076 routerinfo_t *r =
3077 choose_good_middle_server(purpose, state, circ->cpath, cur_len);
3078 if (r)
3079 info = extend_info_from_router(r);
3080 }
3081
3082 if (!info) {
3083 log_warn(LD_CIRC,"Failed to find node for hop %d of our path. Discarding "
3084 "this circuit.", cur_len);
3085 return -1;
3086 }
3087
3088 log_debug(LD_CIRC,"Chose router %s for hop %d (exit is %s)",
3089 info->nickname, cur_len+1, build_state_get_exit_nickname(state));
3090
3091 onion_append_hop(&circ->cpath, info);
3092 extend_info_free(info);
3093 return 0;
3094 }
3095
3096 /** Create a new hop, annotate it with information about its
3097 * corresponding router <b>choice</b>, and append it to the
3098 * end of the cpath <b>head_ptr</b>. */
3099 static int
3100 onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice)
3101 {
3102 crypt_path_t *hop = tor_malloc_zero(sizeof(crypt_path_t));
3103
3104 /* link hop into the cpath, at the end. */
3105 onion_append_to_cpath(head_ptr, hop);
3106
3107 hop->magic = CRYPT_PATH_MAGIC;
3108 hop->state = CPATH_STATE_CLOSED;
3109
3110 hop->extend_info = extend_info_dup(choice);
3111
3112 hop->package_window = circuit_initial_package_window();
3113 hop->deliver_window = CIRCWINDOW_START;
3114
3115 return 0;
3116 }
3117
3118 /** Allocate a new extend_info object based on the various arguments. */
3119 extend_info_t *
3120 extend_info_alloc(const char *nickname, const char *digest,
3121 crypto_pk_env_t *onion_key,
3122 const tor_addr_t *addr, uint16_t port)
3123 {
3124 extend_info_t *info = tor_malloc_zero(sizeof(extend_info_t));
3125 memcpy(info->identity_digest, digest, DIGEST_LEN);
3126 if (nickname)
3127 strlcpy(info->nickname, nickname, sizeof(info->nickname));
3128 if (onion_key)
3129 info->onion_key = crypto_pk_dup_key(onion_key);
3130 tor_addr_copy(&info->addr, addr);
3131 info->port = port;
3132 return info;
3133 }
3134
3135 /** Allocate and return a new extend_info_t that can be used to build a
3136 * circuit to or through the router <b>r</b>. */
3137 extend_info_t *
3138 extend_info_from_router(routerinfo_t *r)
3139 {
3140 tor_addr_t addr;
3141 tor_assert(r);
3142 tor_addr_from_ipv4h(&addr, r->addr);
3143 return extend_info_alloc(r->nickname, r->cache_info.identity_digest,
3144 r->onion_pkey, &addr, r->or_port);
3145 }
3146
3147 /** Release storage held by an extend_info_t struct. */
3148 void
3149 extend_info_free(extend_info_t *info)
3150 {
3151 if (!info)
3152 return;
3153 crypto_free_pk_env(info->onion_key);
3154 tor_free(info);
3155 }
3156
3157 /** Allocate and return a new extend_info_t with the same contents as
3158 * <b>info</b>. */
3159 extend_info_t *
3160 extend_info_dup(extend_info_t *info)
3161 {
3162 extend_info_t *newinfo;
3163 tor_assert(info);
3164 newinfo = tor_malloc(sizeof(extend_info_t));
3165 memcpy(newinfo, info, sizeof(extend_info_t));
3166 if (info->onion_key)
3167 newinfo->onion_key = crypto_pk_dup_key(info->onion_key);
3168 else
3169 newinfo->onion_key = NULL;
3170 return newinfo;
3171 }
3172
3173 /** Return the routerinfo_t for the chosen exit router in <b>state</b>.
3174 * If there is no chosen exit, or if we don't know the routerinfo_t for
3175 * the chosen exit, return NULL.
3176 */
3177 routerinfo_t *
3178 build_state_get_exit_router(cpath_build_state_t *state)
3179 {
3180 if (!state || !state->chosen_exit)
3181 return NULL;
3182 return router_get_by_digest(state->chosen_exit->identity_digest);
3183 }
3184
3185 /** Return the nickname for the chosen exit router in <b>state</b>. If
3186 * there is no chosen exit, or if we don't know the routerinfo_t for the
3187 * chosen exit, return NULL.
3188 */
3189 const char *
3190 build_state_get_exit_nickname(cpath_build_state_t *state)
3191 {
3192 if (!state || !state->chosen_exit)
3193 return NULL;
3194 return state->chosen_exit->nickname;
3195 }
3196
3197 /** Check whether the entry guard <b>e</b> is usable, given the directory
3198 * authorities' opinion about the router (stored in <b>ri</b>) and the user's
3199 * configuration (in <b>options</b>). Set <b>e</b>-&gt;bad_since
3200 * accordingly. Return true iff the entry guard's status changes.
3201 *
3202 * If it's not usable, set *<b>reason</b> to a static string explaining why.
3203 */
3204 /*XXXX take a routerstatus, not a routerinfo. */
3205 static int
3206 entry_guard_set_status(entry_guard_t *e, routerinfo_t *ri,
3207 time_t now, or_options_t *options, const char **reason)
3208 {
3209 char buf[HEX_DIGEST_LEN+1];
3210 int changed = 0;
3211
3212 *reason = NULL;
3213
3214 /* Do we want to mark this guard as bad? */
3215 if (!ri)
3216 *reason = "unlisted";
3217 else if (!ri->is_running)
3218 *reason = "down";
3219 else if (options->UseBridges && ri->purpose != ROUTER_PURPOSE_BRIDGE)
3220 *reason = "not a bridge";
3221 else if (!options->UseBridges && !ri->is_possible_guard &&
3222 !routerset_contains_router(options->EntryNodes,ri))
3223 *reason = "not recommended as a guard";
3224 else if (routerset_contains_router(options->ExcludeNodes, ri))
3225 *reason = "excluded";
3226
3227 if (*reason && ! e->bad_since) {
3228 /* Router is newly bad. */
3229 base16_encode(buf, sizeof(buf), e->identity, DIGEST_LEN);
3230 log_info(LD_CIRC, "Entry guard %s (%s) is %s: marking as unusable.",
3231 e->nickname, buf, *reason);
3232
3233 e->bad_since = now;
3234 control_event_guard(e->nickname, e->identity, "BAD");
3235 changed = 1;
3236 } else if (!*reason && e->bad_since) {
3237 /* There's nothing wrong with the router any more. */
3238 base16_encode(buf, sizeof(buf), e->identity, DIGEST_LEN);
3239 log_info(LD_CIRC, "Entry guard %s (%s) is no longer unusable: "
3240 "marking as ok.", e->nickname, buf);
3241
3242 e->bad_since = 0;
3243 control_event_guard(e->nickname, e->identity, "GOOD");
3244 changed = 1;
3245 }
3246 return changed;
3247 }
3248
3249 /** Return true iff enough time has passed since we last tried to connect
3250 * to the unreachable guard <b>e</b> that we're willing to try again. */
3251 static int
3252 entry_is_time_to_retry(entry_guard_t *e, time_t now)
3253 {
3254 long diff;
3255 if (e->last_attempted < e->unreachable_since)
3256 return 1;
3257 diff = now - e->unreachable_since;
3258 if (diff < 6*60*60)
3259 return now > (e->last_attempted + 60*60);
3260 else if (diff < 3*24*60*60)
3261 return now > (e->last_attempted + 4*60*60);
3262 else if (diff < 7*24*60*60)
3263 return now > (e->last_attempted + 18*60*60);
3264 else
3265 return now > (e->last_attempted + 36*60*60);
3266 }
3267
3268 /** Return the router corresponding to <b>e</b>, if <b>e</b> is
3269 * working well enough that we are willing to use it as an entry
3270 * right now. (Else return NULL.) In particular, it must be
3271 * - Listed as either up or never yet contacted;
3272 * - Present in the routerlist;
3273 * - Listed as 'stable' or 'fast' by the current dirserver consensus,
3274 * if demanded by <b>need_uptime</b> or <b>need_capacity</b>
3275 * (unless it's a configured EntryNode);
3276 * - Allowed by our current ReachableORAddresses config option; and
3277 * - Currently thought to be reachable by us (unless <b>assume_reachable</b>
3278 * is true).
3279 *
3280 * If the answer is no, set *<b>msg</b> to an explanation of why.
3281 */
3282 static INLINE routerinfo_t *
3283 entry_is_live(entry_guard_t *e, int need_uptime, int need_capacity,
3284 int assume_reachable, const char **msg)
3285 {
3286 routerinfo_t *r;
3287 or_options_t *options = get_options();
3288 tor_assert(msg);
3289
3290 if (e->bad_since) {
3291 *msg = "bad";
3292 return NULL;
3293 }
3294 /* no good if it's unreachable, unless assume_unreachable or can_retry. */
3295 if (!assume_reachable && !e->can_retry &&
3296 e->unreachable_since && !entry_is_time_to_retry(e, time(NULL))) {
3297 *msg = "unreachable";
3298 return NULL;
3299 }
3300 r = router_get_by_digest(e->identity);
3301 if (!r) {
3302 *msg = "no descriptor";
3303 return NULL;
3304 }
3305 if (get_options()->UseBridges && r->purpose != ROUTER_PURPOSE_BRIDGE) {
3306 *msg = "not a bridge";
3307 return NULL;
3308 }
3309 if (!get_options()->UseBridges && r->purpose != ROUTER_PURPOSE_GENERAL) {
3310 *msg = "not general-purpose";
3311 return NULL;
3312 }
3313 if (options->EntryNodes &&
3314 routerset_contains_router(options->EntryNodes, r)) {
3315 /* they asked for it, they get it */
3316 need_uptime = need_capacity = 0;
3317 }
3318 if (router_is_unreliable(r, need_uptime, need_capacity, 0)) {
3319 *msg = "not fast/stable";
3320 return NULL;
3321 }
3322 if (!fascist_firewall_allows_or(r)) {
3323 *msg = "unreachable by config";
3324 return NULL;
3325 }
3326 return r;
3327 }
3328
3329 /** Return the number of entry guards that we think are usable. */
3330 static int
3331 num_live_entry_guards(void)
3332 {
3333 int n = 0;
3334 const char *msg;
3335 if (! entry_guards)
3336 return 0;
3337 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3338 {
3339 if (entry_is_live(entry, 0, 1, 0, &msg))
3340 ++n;
3341 });
3342 return n;
3343 }
3344
3345 /** If <b>digest</b> matches the identity of any node in the
3346 * entry_guards list, return that node. Else return NULL. */
3347 static INLINE entry_guard_t *
3348 is_an_entry_guard(const char *digest)
3349 {
3350 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3351 if (!memcmp(digest, entry->identity, DIGEST_LEN))
3352 return entry;
3353 );
3354 return NULL;
3355 }
3356
3357 /** Dump a description of our list of entry guards to the log at level
3358 * <b>severity</b>. */
3359 static void
3360 log_entry_guards(int severity)
3361 {
3362 smartlist_t *elements = smartlist_create();
3363 char *s;
3364
3365 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
3366 {
3367 const char *msg = NULL;
3368 char *cp;
3369 if (entry_is_live(e, 0, 1, 0, &msg))
3370 tor_asprintf(&cp, "%s (up %s)",
3371 e->nickname,
3372 e->made_contact ? "made-contact" : "never-contacted");
3373 else
3374 tor_asprintf(&cp, "%s (%s, %s)",
3375 e->nickname, msg,
3376 e->made_contact ? "made-contact" : "never-contacted");
3377 smartlist_add(elements, cp);
3378 });
3379
3380 s = smartlist_join_strings(elements, ",", 0, NULL);
3381 SMARTLIST_FOREACH(elements, char*, cp, tor_free(cp));
3382 smartlist_free(elements);
3383 log_fn(severity,LD_CIRC,"%s",s);
3384 tor_free(s);
3385 }
3386
3387 /** Called when one or more guards that we would previously have used for some
3388 * purpose are no longer in use because a higher-priority guard has become
3389 * usable again. */
3390 static void
3391 control_event_guard_deferred(void)
3392 {
3393 /* XXXX We don't actually have a good way to figure out _how many_ entries
3394 * are live for some purpose. We need an entry_is_even_slightly_live()
3395 * function for this to work right. NumEntryGuards isn't reliable: if we
3396 * need guards with weird properties, we can have more than that number
3397 * live.
3398 **/
3399 #if 0
3400 int n = 0;
3401 const char *msg;
3402 or_options_t *options = get_options();
3403 if (!entry_guards)
3404 return;
3405 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3406 {
3407 if (entry_is_live(entry, 0, 1, 0, &msg)) {
3408 if (n++ == options->NumEntryGuards) {
3409 control_event_guard(entry->nickname, entry->identity, "DEFERRED");
3410 return;
3411 }
3412 }
3413 });
3414 #endif
3415 }
3416
3417 /** Add a new (preferably stable and fast) router to our
3418 * entry_guards list. Return a pointer to the router if we succeed,
3419 * or NULL if we can't find any more suitable entries.
3420 *
3421 * If <b>chosen</b> is defined, use that one, and if it's not
3422 * already in our entry_guards list, put it at the *beginning*.
3423 * Else, put the one we pick at the end of the list. */
3424 static routerinfo_t *
3425 add_an_entry_guard(routerinfo_t *chosen, int reset_status)
3426 {
3427 routerinfo_t *router;
3428 entry_guard_t *entry;
3429
3430 if (chosen) {
3431 router = chosen;
3432 entry = is_an_entry_guard(router->cache_info.identity_digest);
3433 if (entry) {
3434 if (reset_status) {
3435 entry->bad_since = 0;
3436 entry->can_retry = 1;
3437 }
3438 return NULL;
3439 }
3440 } else {
3441 router = choose_good_entry_server(CIRCUIT_PURPOSE_C_GENERAL, NULL);
3442 if (!router)
3443 return NULL;
3444 }
3445 entry = tor_malloc_zero(sizeof(entry_guard_t));
3446 log_info(LD_CIRC, "Chose '%s' as new entry guard.", router->nickname);
3447 strlcpy(entry->nickname, router->nickname, sizeof(entry->nickname));
3448 memcpy(entry->identity, router->cache_info.identity_digest, DIGEST_LEN);
3449 /* Choose expiry time smudged over the past month. The goal here
3450 * is to a) spread out when Tor clients rotate their guards, so they
3451 * don't all select them on the same day, and b) avoid leaving a
3452 * precise timestamp in the state file about when we first picked
3453 * this guard. For details, see the Jan 2010 or-dev thread. */
3454 entry->chosen_on_date = time(NULL) - crypto_rand_int(3600*24*30);
3455 entry->chosen_by_version = tor_strdup(VERSION);
3456 if (chosen) /* prepend */
3457 smartlist_insert(entry_guards, 0, entry);
3458 else /* append */
3459 smartlist_add(entry_guards, entry);
3460 control_event_guard(entry->nickname, entry->identity, "NEW");
3461 control_event_guard_deferred();
3462 log_entry_guards(LOG_INFO);
3463 return router;
3464 }
3465
3466 /** If the use of entry guards is configured, choose more entry guards
3467 * until we have enough in the list. */
3468 static void
3469 pick_entry_guards(or_options_t *options)
3470 {
3471 int changed = 0;
3472
3473 tor_assert(entry_guards);
3474
3475 while (num_live_entry_guards() < options->NumEntryGuards) {
3476 if (!add_an_entry_guard(NULL, 0))
3477 break;
3478 changed = 1;
3479 }
3480 if (changed)
3481 entry_guards_changed();
3482 }
3483
3484 /** How long (in seconds) do we allow an entry guard to be nonfunctional,
3485 * unlisted, excluded, or otherwise nonusable before we give up on it? */
3486 #define ENTRY_GUARD_REMOVE_AFTER (30*24*60*60)
3487
3488 /** Release all storage held by <b>e</b>. */
3489 static void
3490 entry_guard_free(entry_guard_t *e)
3491 {
3492 if (!e)
3493 return;
3494 tor_free(e->chosen_by_version);
3495 tor_free(e);
3496 }
3497
3498 /** Remove any entry guard which was selected by an unknown version of Tor,
3499 * or which was selected by a version of Tor that's known to select
3500 * entry guards badly. */
3501 static int
3502 remove_obsolete_entry_guards(time_t now)
3503 {
3504 int changed = 0, i;
3505
3506 for (i = 0; i < smartlist_len(entry_guards); ++i) {
3507 entry_guard_t *entry = smartlist_get(entry_guards, i);
3508 const char *ver = entry->chosen_by_version;
3509 const char *msg = NULL;
3510 tor_version_t v;
3511 int version_is_bad = 0, date_is_bad = 0;
3512 if (!ver) {
3513 msg = "does not say what version of Tor it was selected by";
3514 version_is_bad = 1;
3515 } else if (tor_version_parse(ver, &v)) {
3516 msg = "does not seem to be from any recognized version of Tor";
3517 version_is_bad = 1;
3518 } else {
3519 size_t len = strlen(ver)+5;
3520 char *tor_ver = tor_malloc(len);
3521 tor_snprintf(tor_ver, len, "Tor %s", ver);
3522 if ((tor_version_as_new_as(tor_ver, "0.1.0.10-alpha") &&
3523 !tor_version_as_new_as(tor_ver, "0.1.2.16-dev")) ||
3524 (tor_version_as_new_as(tor_ver, "0.2.0.0-alpha") &&
3525 !tor_version_as_new_as(tor_ver, "0.2.0.6-alpha")) ||
3526 /* above are bug 440; below are bug 1217 */
3527 (tor_version_as_new_as(tor_ver, "0.2.1.3-alpha") &&
3528 !tor_version_as_new_as(tor_ver, "0.2.1.23")) ||
3529 (tor_version_as_new_as(tor_ver, "0.2.2.0-alpha") &&
3530 !tor_version_as_new_as(tor_ver, "0.2.2.7-alpha"))) {
3531 msg = "was selected without regard for guard bandwidth";
3532 version_is_bad = 1;
3533 }
3534 tor_free(tor_ver);
3535 }
3536 if (!version_is_bad && entry->chosen_on_date + 3600*24*60 < now) {
3537 /* It's been 2 months since the date listed in our state file. */
3538 msg = "was selected several months ago";
3539 date_is_bad = 1;
3540 }
3541
3542 if (version_is_bad || date_is_bad) { /* we need to drop it */
3543 char dbuf[HEX_DIGEST_LEN+1];
3544 tor_assert(msg);
3545 base16_encode(dbuf, sizeof(dbuf), entry->identity, DIGEST_LEN);
3546 log_fn(version_is_bad ? LOG_NOTICE : LOG_INFO, LD_CIRC,
3547 "Entry guard '%s' (%s) %s. (Version=%s.) Replacing it.",
3548 entry->nickname, dbuf, msg, ver?escaped(ver):"none");
3549 control_event_guard(entry->nickname, entry->identity, "DROPPED");
3550 entry_guard_free(entry);
3551 smartlist_del_keeporder(entry_guards, i--);
3552 log_entry_guards(LOG_INFO);
3553 changed = 1;
3554 }
3555 }
3556
3557 return changed ? 1 : 0;
3558 }
3559
3560 /** Remove all entry guards that have been down or unlisted for so
3561 * long that we don't think they'll come up again. Return 1 if we
3562 * removed any, or 0 if we did nothing. */
3563 static int
3564 remove_dead_entry_guards(time_t now)
3565 {
3566 char dbuf[HEX_DIGEST_LEN+1];
3567 char tbuf[ISO_TIME_LEN+1];
3568 int i;
3569 int changed = 0;
3570
3571 for (i = 0; i < smartlist_len(entry_guards); ) {
3572 entry_guard_t *entry = smartlist_get(entry_guards, i);
3573 if (entry->bad_since &&
3574 entry->bad_since + ENTRY_GUARD_REMOVE_AFTER < now) {
3575
3576 base16_encode(dbuf, sizeof(dbuf), entry->identity, DIGEST_LEN);
3577 format_local_iso_time(tbuf, entry->bad_since);
3578 log_info(LD_CIRC, "Entry guard '%s' (%s) has been down or unlisted "
3579 "since %s local time; removing.",
3580 entry->nickname, dbuf, tbuf);
3581 control_event_guard(entry->nickname, entry->identity, "DROPPED");
3582 entry_guard_free(entry);
3583 smartlist_del_keeporder(entry_guards, i);
3584 log_entry_guards(LOG_INFO);
3585 changed = 1;
3586 } else
3587 ++i;
3588 }
3589 return changed ? 1 : 0;
3590 }
3591
3592 /** A new directory or router-status has arrived; update the down/listed
3593 * status of the entry guards.
3594 *
3595 * An entry is 'down' if the directory lists it as nonrunning.
3596 * An entry is 'unlisted' if the directory doesn't include it.
3597 *
3598 * Don't call this on startup; only on a fresh download. Otherwise we'll
3599 * think that things are unlisted.
3600 */
3601 void
3602 entry_guards_compute_status(or_options_t *options, time_t now)
3603 {
3604 int changed = 0;
3605 int severity = LOG_DEBUG;
3606 digestmap_t *reasons;
3607
3608 if (! entry_guards)
3609 return;
3610
3611 if (options->EntryNodes) /* reshuffle the entry guard list if needed */
3612 entry_nodes_should_be_added();
3613
3614 reasons = digestmap_new();
3615 SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, entry)
3616 {
3617 routerinfo_t *r = router_get_by_digest(entry->identity);
3618 const char *reason = NULL;
3619 if (entry_guard_set_status(entry, r, now, options, &reason))
3620 changed = 1;
3621
3622 if (entry->bad_since)
3623 tor_assert(reason);
3624 if (reason)
3625 digestmap_set(reasons, entry->identity, (char*)reason);
3626 }
3627 SMARTLIST_FOREACH_END(entry);
3628
3629 if (remove_dead_entry_guards(now))
3630 changed = 1;
3631
3632 severity = changed ? LOG_DEBUG : LOG_INFO;
3633
3634 if (changed) {
3635 SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, entry) {
3636 const char *reason = digestmap_get(reasons, entry->identity);
3637 const char *live_msg = "";
3638 routerinfo_t *r = entry_is_live(entry, 0, 1, 0, &live_msg);
3639 log_info(LD_CIRC, "Summary: Entry '%s' is %s, %s%s%s, and %s%s.",
3640 entry->nickname,
3641 entry->unreachable_since ? "unreachable" : "reachable",
3642 entry->bad_since ? "unusable" : "usable",
3643 reason ? ", ": "",
3644 reason ? reason : "",
3645 r ? "live" : "not live / ",
3646 r ? "" : live_msg);
3647 } SMARTLIST_FOREACH_END(entry);
3648 log_info(LD_CIRC, " (%d/%d entry guards are usable/new)",
3649 num_live_entry_guards(), smartlist_len(entry_guards));
3650 log_entry_guards(LOG_INFO);
3651 entry_guards_changed();
3652 }
3653
3654 digestmap_free(reasons, NULL);
3655 }
3656
3657 /** Called when a connection to an OR with the identity digest <b>digest</b>
3658 * is established (<b>succeeded</b>==1) or has failed (<b>succeeded</b>==0).
3659 * If the OR is an entry, change that entry's up/down status.
3660 * Return 0 normally, or -1 if we want to tear down the new connection.
3661 *
3662 * If <b>mark_relay_status</b>, also call router_set_status() on this
3663 * relay.
3664 *
3665 * XXX022 change succeeded and mark_relay_status into 'int flags'.
3666 */
3667 int
3668 entry_guard_register_connect_status(const char *digest, int succeeded,
3669 int mark_relay_status, time_t now)
3670 {
3671 int changed = 0;
3672 int refuse_conn = 0;
3673 int first_contact = 0;
3674 entry_guard_t *entry = NULL;
3675 int idx = -1;
3676 char buf[HEX_DIGEST_LEN+1];
3677
3678 if (! entry_guards)
3679 return 0;
3680
3681 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
3682 {
3683 if (!memcmp(e->identity, digest, DIGEST_LEN)) {
3684 entry = e;
3685 idx = e_sl_idx;
3686 break;
3687 }
3688 });
3689
3690 if (!entry)
3691 return 0;
3692
3693 base16_encode(buf, sizeof(buf), entry->identity, DIGEST_LEN);
3694
3695 if (succeeded) {
3696 if (entry->unreachable_since) {
3697 log_info(LD_CIRC, "Entry guard '%s' (%s) is now reachable again. Good.",
3698 entry->nickname, buf);
3699 entry->can_retry = 0;
3700 entry->unreachable_since = 0;
3701 entry->last_attempted = now;
3702 control_event_guard(entry->nickname, entry->identity, "UP");
3703 changed = 1;
3704 }
3705 if (!entry->made_contact) {
3706 entry->made_contact = 1;
3707 first_contact = changed = 1;
3708 }
3709 } else { /* ! succeeded */
3710 if (!entry->made_contact) {
3711 /* We've never connected to this one. */
3712 log_info(LD_CIRC,
3713 "Connection to never-contacted entry guard '%s' (%s) failed. "
3714 "Removing from the list. %d/%d entry guards usable/new.",
3715 entry->nickname, buf,
3716 num_live_entry_guards()-1, smartlist_len(entry_guards)-1);
3717 control_event_guard(entry->nickname, entry->identity, "DROPPED");
3718 entry_guard_free(entry);
3719 smartlist_del_keeporder(entry_guards, idx);
3720 log_entry_guards(LOG_INFO);
3721 changed = 1;
3722 } else if (!entry->unreachable_since) {
3723 log_info(LD_CIRC, "Unable to connect to entry guard '%s' (%s). "
3724 "Marking as unreachable.", entry->nickname, buf);
3725 entry->unreachable_since = entry->last_attempted = now;
3726 control_event_guard(entry->nickname, entry->identity, "DOWN");
3727 changed = 1;
3728 entry->can_retry = 0; /* We gave it an early chance; no good. */
3729 } else {
3730 char tbuf[ISO_TIME_LEN+1];
3731 format_iso_time(tbuf, entry->unreachable_since);
3732 log_debug(LD_CIRC, "Failed to connect to unreachable entry guard "
3733 "'%s' (%s). It has been unreachable since %s.",
3734 entry->nickname, buf, tbuf);
3735 entry->last_attempted = now;
3736 entry->can_retry = 0; /* We gave it an early chance; no good. */
3737 }
3738 }
3739
3740 /* if the caller asked us to, also update the is_running flags for this
3741 * relay */
3742 if (mark_relay_status)
3743 router_set_status(digest, succeeded);
3744
3745 if (first_contact) {
3746 /* We've just added a new long-term entry guard. Perhaps the network just
3747 * came back? We should give our earlier entries another try too,
3748 * and close this connection so we don't use it before we've given
3749 * the others a shot. */
3750 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e, {
3751 if (e == entry)
3752 break;
3753 if (e->made_contact) {
3754 const char *msg;
3755 routerinfo_t *r = entry_is_live(e, 0, 1, 1, &msg);
3756 if (r && e->unreachable_since) {
3757 refuse_conn = 1;
3758 e->can_retry = 1;
3759 }
3760 }
3761 });
3762 if (refuse_conn) {
3763 log_info(LD_CIRC,
3764 "Connected to new entry guard '%s' (%s). Marking earlier "
3765 "entry guards up. %d/%d entry guards usable/new.",
3766 entry->nickname, buf,
3767 num_live_entry_guards(), smartlist_len(entry_guards));
3768 log_entry_guards(LOG_INFO);
3769 changed = 1;
3770 }
3771 }
3772
3773 if (changed)
3774 entry_guards_changed();
3775 return refuse_conn ? -1 : 0;
3776 }
3777
3778 /** When we try to choose an entry guard, should we parse and add
3779 * config's EntryNodes first? */
3780 static int should_add_entry_nodes = 0;
3781
3782 /** Called when the value of EntryNodes changes in our configuration. */
3783 void
3784 entry_nodes_should_be_added(void)
3785 {
3786 log_info(LD_CIRC, "EntryNodes config option set. Putting configured "
3787 "relays at the front of the entry guard list.");
3788 should_add_entry_nodes = 1;
3789 }
3790
3791 /** Add all nodes in EntryNodes that aren't currently guard nodes to the list
3792 * of guard nodes, at the front. */
3793 static void
3794 entry_guards_prepend_from_config(or_options_t *options)
3795 {
3796 smartlist_t *entry_routers, *entry_fps;
3797 smartlist_t *old_entry_guards_on_list, *old_entry_guards_not_on_list;
3798 tor_assert(entry_guards);
3799
3800 should_add_entry_nodes = 0;
3801
3802 if (!options->EntryNodes) {
3803 /* It's possible that a controller set EntryNodes, thus making
3804 * should_add_entry_nodes set, then cleared it again, all before the
3805 * call to choose_random_entry() that triggered us. If so, just return.
3806 */
3807 return;
3808 }
3809
3810 {
3811 char *string = routerset_to_string(options->EntryNodes);
3812 log_info(LD_CIRC,"Adding configured EntryNodes '%s'.", string);
3813 tor_free(string);
3814 }
3815
3816 entry_routers = smartlist_create();
3817 entry_fps = smartlist_create();
3818 old_entry_guards_on_list = smartlist_create();
3819 old_entry_guards_not_on_list = smartlist_create();
3820
3821 /* Split entry guards into those on the list and those not. */
3822
3823 /* XXXX022 Now that we allow countries and IP ranges in EntryNodes, this is
3824 * potentially an enormous list. For now, we disable such values for
3825 * EntryNodes in options_validate(); really, this wants a better solution.
3826 * Perhaps we should do this calculation once whenever the list of routers
3827 * changes or the entrynodes setting changes.
3828 */
3829 routerset_get_all_routers(entry_routers, options->EntryNodes, 0);
3830 SMARTLIST_FOREACH(entry_routers, routerinfo_t *, ri,
3831 smartlist_add(entry_fps,ri->cache_info.identity_digest));
3832 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e, {
3833 if (smartlist_digest_isin(entry_fps, e->identity))
3834 smartlist_add(old_entry_guards_on_list, e);
3835 else
3836 smartlist_add(old_entry_guards_not_on_list, e);
3837 });
3838
3839 /* Remove all currently configured entry guards from entry_routers. */
3840 SMARTLIST_FOREACH(entry_routers, routerinfo_t *, ri, {
3841 if (is_an_entry_guard(ri->cache_info.identity_digest)) {
3842 SMARTLIST_DEL_CURRENT(entry_routers, ri);
3843 }
3844 });
3845
3846 /* Now build the new entry_guards list. */
3847 smartlist_clear(entry_guards);
3848 /* First, the previously configured guards that are in EntryNodes. */
3849 smartlist_add_all(entry_guards, old_entry_guards_on_list);
3850 /* Next, the rest of EntryNodes */
3851 SMARTLIST_FOREACH(entry_routers, routerinfo_t *, ri, {
3852 add_an_entry_guard(ri, 0);
3853 });
3854 /* Finally, the remaining previously configured guards that are not in
3855 * EntryNodes, unless we're strict in which case we drop them */
3856 if (options->StrictNodes) {
3857 SMARTLIST_FOREACH(old_entry_guards_not_on_list, entry_guard_t *, e,
3858 entry_guard_free(e));
3859 } else {
3860 smartlist_add_all(entry_guards, old_entry_guards_not_on_list);
3861 }
3862
3863 smartlist_free(entry_routers);
3864 smartlist_free(entry_fps);
3865 smartlist_free(old_entry_guards_on_list);
3866 smartlist_free(old_entry_guards_not_on_list);
3867 entry_guards_changed();
3868 }
3869
3870 /** Return 0 if we're fine adding arbitrary routers out of the
3871 * directory to our entry guard list, or return 1 if we have a
3872 * list already and we'd prefer to stick to it.
3873 */
3874 int
3875 entry_list_is_constrained(or_options_t *options)
3876 {
3877 if (options->EntryNodes)
3878 return 1;
3879 if (options->UseBridges)
3880 return 1;
3881 return 0;
3882 }
3883
3884 /* Are we dead set against changing our entry guard list, or would we
3885 * change it if it means keeping Tor usable? */
3886 static int
3887 entry_list_is_totally_static(or_options_t *options)
3888 {
3889 if (options->EntryNodes && options->StrictNodes)
3890 return 1;
3891 if (options->UseBridges)
3892 return 1;
3893 return 0;
3894 }
3895
3896 /** Pick a live (up and listed) entry guard from entry_guards. If
3897 * <b>state</b> is non-NULL, this is for a specific circuit --
3898 * make sure not to pick this circuit's exit or any node in the
3899 * exit's family. If <b>state</b> is NULL, we're looking for a random
3900 * guard (likely a bridge). */
3901 routerinfo_t *
3902 choose_random_entry(cpath_build_state_t *state)
3903 {
3904 or_options_t *options = get_options();
3905 smartlist_t *live_entry_guards = smartlist_create();
3906 smartlist_t *exit_family = smartlist_create();
3907 routerinfo_t *chosen_exit = state?build_state_get_exit_router(state) : NULL;
3908 routerinfo_t *r = NULL;
3909 int need_uptime = state ? state->need_uptime : 0;
3910 int need_capacity = state ? state->need_capacity : 0;
3911 int preferred_min, consider_exit_family = 0;
3912
3913 if (chosen_exit) {
3914 smartlist_add(exit_family, chosen_exit);
3915 routerlist_add_family(exit_family, chosen_exit);
3916 consider_exit_family = 1;
3917 }
3918
3919 if (!entry_guards)
3920 entry_guards = smartlist_create();
3921
3922 if (should_add_entry_nodes)
3923 entry_guards_prepend_from_config(options);
3924
3925 if (!entry_list_is_constrained(options) &&
3926 smartlist_len(entry_guards) < options->NumEntryGuards)
3927 pick_entry_guards(options);
3928
3929 retry:
3930 smartlist_clear(live_entry_guards);
3931 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3932 {
3933 const char *msg;
3934 r = entry_is_live(entry, need_uptime, need_capacity, 0, &msg);
3935 if (!r)
3936 continue; /* down, no point */
3937 if (consider_exit_family && smartlist_isin(exit_family, r))
3938 continue; /* avoid relays that are family members of our exit */
3939 if (options->EntryNodes &&
3940 !routerset_contains_router(options->EntryNodes, r)) {
3941 /* We've come to the end of our preferred entry nodes. */
3942 if (smartlist_len(live_entry_guards))
3943 goto choose_and_finish; /* only choose from the ones we like */
3944 if (options->StrictNodes) {
3945 /* in theory this case should never happen, since
3946 * entry_guards_prepend_from_config() drops unwanted relays */
3947 tor_fragile_assert();
3948 } else {
3949 log_info(LD_CIRC,
3950 "No relays from EntryNodes available. Using others.");
3951 }
3952 }
3953 smartlist_add(live_entry_guards, r);
3954 if (!entry->made_contact) {
3955 /* Always start with the first not-yet-contacted entry
3956 * guard. Otherwise we might add several new ones, pick
3957 * the second new one, and now we've expanded our entry
3958 * guard list without needing to. */
3959 goto choose_and_finish;
3960 }
3961 if (smartlist_len(live_entry_guards) >= options->NumEntryGuards)
3962 break; /* we have enough */
3963 });
3964
3965 if (entry_list_is_constrained(options)) {
3966 /* If we prefer the entry nodes we've got, and we have at least
3967 * one choice, that's great. Use it. */
3968 preferred_min = 1;
3969 } else {
3970 /* Try to have at least 2 choices available. This way we don't
3971 * get stuck with a single live-but-crummy entry and just keep
3972 * using him.
3973 * (We might get 2 live-but-crummy entry guards, but so be it.) */
3974 preferred_min = 2;
3975 }
3976
3977 if (smartlist_len(live_entry_guards) < preferred_min) {
3978 if (!entry_list_is_totally_static(options)) {
3979 /* still no? try adding a new entry then */
3980 /* XXX if guard doesn't imply fast and stable, then we need
3981 * to tell add_an_entry_guard below what we want, or it might
3982 * be a long time til we get it. -RD */
3983 r = add_an_entry_guard(NULL, 0);
3984 if (r) {
3985 entry_guards_changed();
3986 /* XXX we start over here in case the new node we added shares
3987 * a family with our exit node. There's a chance that we'll just
3988 * load up on entry guards here, if the network we're using is
3989 * one big family. Perhaps we should teach add_an_entry_guard()
3990 * to understand nodes-to-avoid-if-possible? -RD */
3991 goto retry;
3992 }
3993 }
3994 if (!r && need_uptime) {
3995 need_uptime = 0; /* try without that requirement */
3996 goto retry;
3997 }
3998 if (!r && need_capacity) {
3999 /* still no? last attempt, try without requiring capacity */
4000 need_capacity = 0;
4001 goto retry;
4002 }
4003 if (!r && entry_list_is_constrained(options) && consider_exit_family) {
4004 /* still no? if we're using bridges or have strictentrynodes
4005 * set, and our chosen exit is in the same family as all our
4006 * bridges/entry guards, then be flexible about families. */
4007 consider_exit_family = 0;
4008 goto retry;
4009 }
4010 /* live_entry_guards may be empty below. Oh well, we tried. */
4011 }
4012
4013 choose_and_finish:
4014 if (entry_list_is_constrained(options)) {
4015 /* We need to weight by bandwidth, because our bridges or entryguards
4016 * were not already selected proportional to their bandwidth. */
4017 r = routerlist_sl_choose_by_bandwidth(live_entry_guards, WEIGHT_FOR_GUARD);
4018 } else {
4019 /* We choose uniformly at random here, because choose_good_entry_server()
4020 * already weights its choices by bandwidth, so we don't want to
4021 * *double*-weight our guard selection. */
4022 r = smartlist_choose(live_entry_guards);
4023 }
4024 smartlist_free(live_entry_guards);
4025 smartlist_free(exit_family);
4026 return r;
4027 }
4028
4029 /** Parse <b>state</b> and learn about the entry guards it describes.
4030 * If <b>set</b> is true, and there are no errors, replace the global
4031 * entry_list with what we find.
4032 * On success, return 0. On failure, alloc into *<b>msg</b> a string
4033 * describing the error, and return -1.
4034 */
4035 int
4036 entry_guards_parse_state(or_state_t *state, int set, char **msg)
4037 {
4038 entry_guard_t *node = NULL;
4039 smartlist_t *new_entry_guards = smartlist_create();
4040 config_line_t *line;
4041 time_t now = time(NULL);
4042 const char *state_version = state->TorVersion;
4043 digestmap_t *added_by = digestmap_new();
4044
4045 *msg = NULL;
4046 for (line = state->EntryGuards; line; line = line->next) {
4047 if (!strcasecmp(line->key, "EntryGuard")) {
4048 smartlist_t *args = smartlist_create();
4049 node = tor_malloc_zero(sizeof(entry_guard_t));
4050 /* all entry guards on disk have been contacted */
4051 node->made_contact = 1;
4052 smartlist_add(new_entry_guards, node);
4053 smartlist_split_string(args, line->value, " ",
4054 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
4055 if (smartlist_len(args)<2) {
4056 *msg = tor_strdup("Unable to parse entry nodes: "
4057 "Too few arguments to EntryGuard");
4058 } else if (!is_legal_nickname(smartlist_get(args,0))) {
4059 *msg = tor_strdup("Unable to parse entry nodes: "
4060 "Bad nickname for EntryGuard");
4061 } else {
4062 strlcpy(node->nickname, smartlist_get(args,0), MAX_NICKNAME_LEN+1);
4063 if (base16_decode(node->identity, DIGEST_LEN, smartlist_get(args,1),
4064 strlen(smartlist_get(args,1)))<0) {
4065 *msg = tor_strdup("Unable to parse entry nodes: "
4066 "Bad hex digest for EntryGuard");
4067 }
4068 }
4069 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
4070 smartlist_free(args);
4071 if (*msg)
4072 break;
4073 } else if (!strcasecmp(line->key, "EntryGuardDownSince") ||
4074 !strcasecmp(line->key, "EntryGuardUnlistedSince")) {
4075 time_t when;
4076 time_t last_try = 0;
4077 if (!node) {
4078 *msg = tor_strdup("Unable to parse entry nodes: "
4079 "EntryGuardDownSince/UnlistedSince without EntryGuard");
4080 break;
4081 }
4082 if (parse_iso_time(line->value, &when)<0) {
4083 *msg = tor_strdup("Unable to parse entry nodes: "
4084 "Bad time in EntryGuardDownSince/UnlistedSince");
4085 break;
4086 }
4087 if (when > now) {
4088 /* It's a bad idea to believe info in the future: you can wind
4089 * up with timeouts that aren't allowed to happen for years. */
4090 continue;
4091 }
4092 if (strlen(line->value) >= ISO_TIME_LEN+ISO_TIME_LEN+1) {
4093 /* ignore failure */
4094 (void) parse_iso_time(line->value+ISO_TIME_LEN+1, &last_try);
4095 }
4096 if (!strcasecmp(line->key, "EntryGuardDownSince")) {
4097 node->unreachable_since = when;
4098 node->last_attempted = last_try;
4099 } else {
4100 node->bad_since = when;
4101 }
4102 } else if (!strcasecmp(line->key, "EntryGuardAddedBy")) {
4103 char d[DIGEST_LEN];
4104 /* format is digest version date */
4105 if (strlen(line->value) < HEX_DIGEST_LEN+1+1+1+ISO_TIME_LEN) {
4106 log_warn(LD_BUG, "EntryGuardAddedBy line is not long enough.");
4107 continue;
4108 }
4109 if (base16_decode(d, sizeof(d), line->value, HEX_DIGEST_LEN)<0 ||
4110 line->value[HEX_DIGEST_LEN] != ' ') {
4111 log_warn(LD_BUG, "EntryGuardAddedBy line %s does not begin with "
4112 "hex digest", escaped(line->value));
4113 continue;
4114 }
4115 digestmap_set(added_by, d, tor_strdup(line->value+HEX_DIGEST_LEN+1));
4116 } else {
4117 log_warn(LD_BUG, "Unexpected key %s", line->key);
4118 }
4119 }
4120
4121 SMARTLIST_FOREACH(new_entry_guards, entry_guard_t *, e,
4122 {
4123 char *sp;
4124 char *val = digestmap_get(added_by, e->identity);
4125 if (val && (sp = strchr(val, ' '))) {
4126 time_t when;
4127 *sp++ = '\0';
4128 if (parse_iso_time(sp, &when)<0) {
4129 log_warn(LD_BUG, "Can't read time %s in EntryGuardAddedBy", sp);
4130 } else {
4131 e->chosen_by_version = tor_strdup(val);
4132 e->chosen_on_date = when;
4133 }
4134 } else {
4135 if (state_version) {
4136 e->chosen_by_version = tor_strdup(state_version);
4137 e->chosen_on_date = time(NULL) - crypto_rand_int(3600*24*30);
4138 }
4139 }
4140 });
4141
4142 if (*msg || !set) {
4143 SMARTLIST_FOREACH(new_entry_guards, entry_guard_t *, e,
4144 entry_guard_free(e));
4145 smartlist_free(new_entry_guards);
4146 } else { /* !err && set */
4147 if (entry_guards) {
4148 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4149 entry_guard_free(e));
4150 smartlist_free(entry_guards);
4151 }
4152 entry_guards = new_entry_guards;
4153 entry_guards_dirty = 0;
4154 /* XXX022 hand new_entry_guards to this func, and move it up a
4155 * few lines, so we don't have to re-dirty it */
4156 if (remove_obsolete_entry_guards(now))
4157 entry_guards_dirty = 1;
4158 }
4159 digestmap_free(added_by, _tor_free);
4160 return *msg ? -1 : 0;
4161 }
4162
4163 /** Our list of entry guards has changed, or some element of one
4164 * of our entry guards has changed. Write the changes to disk within
4165 * the next few minutes.
4166 */
4167 static void
4168 entry_guards_changed(void)
4169 {
4170 time_t when;
4171 entry_guards_dirty = 1;
4172
4173 /* or_state_save() will call entry_guards_update_state(). */
4174 when = get_options()->AvoidDiskWrites ? time(NULL) + 3600 : time(NULL)+600;
4175 or_state_mark_dirty(get_or_state(), when);
4176 }
4177
4178 /** If the entry guard info has not changed, do nothing and return.
4179 * Otherwise, free the EntryGuards piece of <b>state</b> and create
4180 * a new one out of the global entry_guards list, and then mark
4181 * <b>state</b> dirty so it will get saved to disk.
4182 */
4183 void
4184 entry_guards_update_state(or_state_t *state)
4185 {
4186 config_line_t **next, *line;
4187 if (! entry_guards_dirty)
4188 return;
4189
4190 config_free_lines(state->EntryGuards);
4191 next = &state->EntryGuards;
4192 *next = NULL;
4193 if (!entry_guards)
4194 entry_guards = smartlist_create();
4195 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4196 {
4197 char dbuf[HEX_DIGEST_LEN+1];
4198 if (!e->made_contact)
4199 continue; /* don't write this one to disk */
4200 *next = line = tor_malloc_zero(sizeof(config_line_t));
4201 line->key = tor_strdup("EntryGuard");
4202 line->value = tor_malloc(HEX_DIGEST_LEN+MAX_NICKNAME_LEN+2);
4203 base16_encode(dbuf, sizeof(dbuf), e->identity, DIGEST_LEN);
4204 tor_snprintf(line->value,HEX_DIGEST_LEN+MAX_NICKNAME_LEN+2,
4205 "%s %s", e->nickname, dbuf);
4206 next = &(line->next);
4207 if (e->unreachable_since) {
4208 *next = line = tor_malloc_zero(sizeof(config_line_t));
4209 line->key = tor_strdup("EntryGuardDownSince");
4210 line->value = tor_malloc(ISO_TIME_LEN+1+ISO_TIME_LEN+1);
4211 format_iso_time(line->value, e->unreachable_since);
4212 if (e->last_attempted) {
4213 line->value[ISO_TIME_LEN] = ' ';
4214 format_iso_time(line->value+ISO_TIME_LEN+1, e->last_attempted);
4215 }
4216 next = &(line->next);
4217 }
4218 if (e->bad_since) {
4219 *next = line = tor_malloc_zero(sizeof(config_line_t));
4220 line->key = tor_strdup("EntryGuardUnlistedSince");
4221 line->value = tor_malloc(ISO_TIME_LEN+1);
4222 format_iso_time(line->value, e->bad_since);
4223 next = &(line->next);
4224 }
4225 if (e->chosen_on_date && e->chosen_by_version &&
4226 !strchr(e->chosen_by_version, ' ')) {
4227 char d[HEX_DIGEST_LEN+1];
4228 char t[ISO_TIME_LEN+1];
4229 size_t val_len;
4230 *next = line = tor_malloc_zero(sizeof(config_line_t));
4231 line->key = tor_strdup("EntryGuardAddedBy");
4232 val_len = (HEX_DIGEST_LEN+1+strlen(e->chosen_by_version)
4233 +1+ISO_TIME_LEN+1);
4234 line->value = tor_malloc(val_len);
4235 base16_encode(d, sizeof(d), e->identity, DIGEST_LEN);
4236 format_iso_time(t, e->chosen_on_date);
4237 tor_snprintf(line->value, val_len, "%s %s %s",
4238 d, e->chosen_by_version, t);
4239 next = &(line->next);
4240 }
4241 });
4242 if (!get_options()->AvoidDiskWrites)
4243 or_state_mark_dirty(get_or_state(), 0);
4244 entry_guards_dirty = 0;
4245 }
4246
4247 /** If <b>question</b> is the string "entry-guards", then dump
4248 * to *<b>answer</b> a newly allocated string describing all of
4249 * the nodes in the global entry_guards list. See control-spec.txt
4250 * for details.
4251 * For backward compatibility, we also handle the string "helper-nodes".
4252 * */
4253 int
4254 getinfo_helper_entry_guards(control_connection_t *conn,
4255 const char *question, char **answer,
4256 const char **errmsg)
4257 {
4258 (void) conn;
4259 (void) errmsg;
4260
4261 if (!strcmp(question,"entry-guards") ||
4262 !strcmp(question,"helper-nodes")) {
4263 smartlist_t *sl = smartlist_create();
4264 char tbuf[ISO_TIME_LEN+1];
4265 char nbuf[MAX_VERBOSE_NICKNAME_LEN+1];
4266 if (!entry_guards)
4267 entry_guards = smartlist_create();
4268 SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, e) {
4269 size_t len = MAX_VERBOSE_NICKNAME_LEN+ISO_TIME_LEN+32;
4270 char *c = tor_malloc(len);
4271 const char *status = NULL;
4272 time_t when = 0;
4273 routerinfo_t *ri;
4274
4275 if (!e->made_contact) {
4276 status = "never-connected";
4277 } else if (e->bad_since) {
4278 when = e->bad_since;
4279 status = "unusable";
4280 } else {
4281 status = "up";
4282 }
4283
4284 ri = router_get_by_digest(e->identity);
4285 if (ri) {
4286 router_get_verbose_nickname(nbuf, ri);
4287 } else {
4288 nbuf[0] = '$';
4289 base16_encode(nbuf+1, sizeof(nbuf)-1, e->identity, DIGEST_LEN);
4290 /* e->nickname field is not very reliable if we don't know about
4291 * this router any longer; don't include it. */
4292 }
4293
4294 if (when) {
4295 format_iso_time(tbuf, when);
4296 tor_snprintf(c, len, "%s %s %s\n", nbuf, status, tbuf);
4297 } else {
4298 tor_snprintf(c, len, "%s %s\n", nbuf, status);
4299 }
4300 smartlist_add(sl, c);
4301 } SMARTLIST_FOREACH_END(e);
4302 *answer = smartlist_join_strings(sl, "", 0, NULL);
4303 SMARTLIST_FOREACH(sl, char *, c, tor_free(c));
4304 smartlist_free(sl);
4305 }
4306 return 0;
4307 }
4308
4309 /** Information about a configured bridge. Currently this just matches the
4310 * ones in the torrc file, but one day we may be able to learn about new
4311 * bridges on our own, and remember them in the state file. */
4312 typedef struct {
4313 /** Address of the bridge. */
4314 tor_addr_t addr;
4315 /** TLS port for the bridge. */
4316 uint16_t port;
4317 /** Expected identity digest, or all zero bytes if we don't know what the
4318 * digest should be. */
4319 char identity[DIGEST_LEN];
4320 /** When should we next try to fetch a descriptor for this bridge? */
4321 download_status_t fetch_status;
4322 } bridge_info_t;
4323
4324 /** A list of configured bridges. Whenever we actually get a descriptor
4325 * for one, we add it as an entry guard. */
4326 static smartlist_t *bridge_list = NULL;
4327
4328 /** Initialize the bridge list to empty, creating it if needed. */
4329 void
4330 clear_bridge_list(void)
4331 {
4332 if (!bridge_list)
4333 bridge_list = smartlist_create();
4334 SMARTLIST_FOREACH(bridge_list, bridge_info_t *, b, tor_free(b));
4335 smartlist_clear(bridge_list);
4336 }
4337
4338 /** Return a bridge pointer if <b>ri</b> is one of our known bridges
4339 * (either by comparing keys if possible, else by comparing addr/port).
4340 * Else return NULL. */
4341 static bridge_info_t *
4342 get_configured_bridge_by_addr_port_digest(tor_addr_t *addr, uint16_t port,
4343 const char *digest)
4344 {
4345 if (!bridge_list)
4346 return NULL;
4347 SMARTLIST_FOREACH_BEGIN(bridge_list, bridge_info_t *, bridge)
4348 {
4349 if (tor_digest_is_zero(bridge->identity) &&
4350 !tor_addr_compare(&bridge->addr, addr, CMP_EXACT) &&
4351 bridge->port == port)
4352 return bridge;
4353 if (!memcmp(bridge->identity, digest, DIGEST_LEN))
4354 return bridge;
4355 }
4356 SMARTLIST_FOREACH_END(bridge);
4357 return NULL;
4358 }
4359
4360 /** Wrapper around get_configured_bridge_by_addr_port_digest() to look
4361 * it up via router descriptor <b>ri</b>. */
4362 static bridge_info_t *
4363 get_configured_bridge_by_routerinfo(routerinfo_t *ri)
4364 {
4365 tor_addr_t addr;
4366 tor_addr_from_ipv4h(&addr, ri->addr);
4367 return get_configured_bridge_by_addr_port_digest(&addr,
4368 ri->or_port, ri->cache_info.identity_digest);
4369 }
4370
4371 /** Return 1 if <b>ri</b> is one of our known bridges, else 0. */
4372 int
4373 routerinfo_is_a_configured_bridge(routerinfo_t *ri)
4374 {
4375 return get_configured_bridge_by_routerinfo(ri) ? 1 : 0;
4376 }
4377
4378 /** We made a connection to a router at <b>addr</b>:<b>port</b>
4379 * without knowing its digest. Its digest turned out to be <b>digest</b>.
4380 * If it was a bridge, and we still don't know its digest, record it.
4381 */
4382 void
4383 learned_router_identity(tor_addr_t *addr, uint16_t port, const char *digest)
4384 {
4385 bridge_info_t *bridge =
4386 get_configured_bridge_by_addr_port_digest(addr, port, digest);
4387 if (bridge && tor_digest_is_zero(bridge->identity)) {
4388 memcpy(bridge->identity, digest, DIGEST_LEN);
4389 log_notice(LD_DIR, "Learned fingerprint %s for bridge %s:%d",
4390 hex_str(digest, DIGEST_LEN), fmt_addr(addr), port);
4391 }
4392 }
4393
4394 /** Remember a new bridge at <b>addr</b>:<b>port</b>. If <b>digest</b>
4395 * is set, it tells us the identity key too. */
4396 void
4397 bridge_add_from_config(const tor_addr_t *addr, uint16_t port, char *digest)
4398 {
4399 bridge_info_t *b = tor_malloc_zero(sizeof(bridge_info_t));
4400 tor_addr_copy(&b->addr, addr);
4401 b->port = port;
4402 if (digest)
4403 memcpy(b->identity, digest, DIGEST_LEN);
4404 b->fetch_status.schedule = DL_SCHED_BRIDGE;
4405 if (!bridge_list)
4406 bridge_list = smartlist_create();
4407 smartlist_add(bridge_list, b);
4408 }
4409
4410 /** If <b>digest</b> is one of our known bridges, return it. */
4411 static bridge_info_t *
4412 find_bridge_by_digest(const char *digest)
4413 {
4414 SMARTLIST_FOREACH(bridge_list, bridge_info_t *, bridge,
4415 {
4416 if (!memcmp(bridge->identity, digest, DIGEST_LEN))
4417 return bridge;
4418 });
4419 return NULL;
4420 }
4421
4422 /** We need to ask <b>bridge</b> for its server descriptor. <b>address</b>
4423 * is a helpful string describing this bridge. */
4424 static void
4425 launch_direct_bridge_descriptor_fetch(bridge_info_t *bridge)
4426 {
4427 char *address;
4428
4429 if (connection_get_by_type_addr_port_purpose(
4430 CONN_TYPE_DIR, &bridge->addr, bridge->port,
4431 DIR_PURPOSE_FETCH_SERVERDESC))
4432 return; /* it's already on the way */
4433
4434 address = tor_dup_addr(&bridge->addr);
4435 directory_initiate_command(address, &bridge->addr,
4436 bridge->port, 0,
4437 0, /* does not matter */
4438 1, bridge->identity,
4439 DIR_PURPOSE_FETCH_SERVERDESC,
4440 ROUTER_PURPOSE_BRIDGE,
4441 0, "authority.z", NULL, 0, 0);
4442 tor_free(address);
4443 }
4444
4445 /** Fetching the bridge descriptor from the bridge authority returned a
4446 * "not found". Fall back to trying a direct fetch. */
4447 void
4448 retry_bridge_descriptor_fetch_directly(const char *digest)
4449 {
4450 bridge_info_t *bridge = find_bridge_by_digest(digest);
4451 if (!bridge)
4452 return; /* not found? oh well. */
4453
4454 launch_direct_bridge_descriptor_fetch(bridge);
4455 }
4456
4457 /** For each bridge in our list for which we don't currently have a
4458 * descriptor, fetch a new copy of its descriptor -- either directly
4459 * from the bridge or via a bridge authority. */
4460 void
4461 fetch_bridge_descriptors(or_options_t *options, time_t now)
4462 {
4463 int num_bridge_auths = get_n_authorities(BRIDGE_AUTHORITY);
4464 int ask_bridge_directly;
4465 int can_use_bridge_authority;
4466
4467 if (!bridge_list)
4468 return;
4469
4470 SMARTLIST_FOREACH_BEGIN(bridge_list, bridge_info_t *, bridge)
4471 {
4472 if (!download_status_is_ready(&bridge->fetch_status, now,
4473 IMPOSSIBLE_TO_DOWNLOAD))
4474 continue; /* don't bother, no need to retry yet */
4475
4476 /* schedule another fetch as if this one will fail, in case it does */
4477 download_status_failed(&bridge->fetch_status, 0);
4478
4479 can_use_bridge_authority = !tor_digest_is_zero(bridge->identity) &&
4480 num_bridge_auths;
4481 ask_bridge_directly = !can_use_bridge_authority ||
4482 !options->UpdateBridgesFromAuthority;
4483 log_debug(LD_DIR, "ask_bridge_directly=%d (%d, %d, %d)",
4484 ask_bridge_directly, tor_digest_is_zero(bridge->identity),
4485 !options->UpdateBridgesFromAuthority, !num_bridge_auths);
4486
4487 if (ask_bridge_directly &&
4488 !fascist_firewall_allows_address_or(&bridge->addr, bridge->port)) {
4489 log_notice(LD_DIR, "Bridge at '%s:%d' isn't reachable by our "
4490 "firewall policy. %s.", fmt_addr(&bridge->addr),
4491 bridge->port,
4492 can_use_bridge_authority ?
4493 "Asking bridge authority instead" : "Skipping");
4494 if (can_use_bridge_authority)
4495 ask_bridge_directly = 0;
4496 else
4497 continue;
4498 }
4499
4500 if (ask_bridge_directly) {
4501 /* we need to ask the bridge itself for its descriptor. */
4502 launch_direct_bridge_descriptor_fetch(bridge);
4503 } else {
4504 /* We have a digest and we want to ask an authority. We could
4505 * combine all the requests into one, but that may give more
4506 * hints to the bridge authority than we want to give. */
4507 char resource[10 + HEX_DIGEST_LEN];
4508 memcpy(resource, "fp/", 3);
4509 base16_encode(resource+3, HEX_DIGEST_LEN+1,
4510 bridge->identity, DIGEST_LEN);
4511 memcpy(resource+3+HEX_DIGEST_LEN, ".z", 3);
4512 log_info(LD_DIR, "Fetching bridge info '%s' from bridge authority.",
4513 resource);
4514 directory_get_from_dirserver(DIR_PURPOSE_FETCH_SERVERDESC,
4515 ROUTER_PURPOSE_BRIDGE, resource, 0);
4516 }
4517 }
4518 SMARTLIST_FOREACH_END(bridge);
4519 }
4520
4521 /** We just learned a descriptor for a bridge. See if that
4522 * digest is in our entry guard list, and add it if not. */
4523 void
4524 learned_bridge_descriptor(routerinfo_t *ri, int from_cache)
4525 {
4526 tor_assert(ri);
4527 tor_assert(ri->purpose == ROUTER_PURPOSE_BRIDGE);
4528 if (get_options()->UseBridges) {
4529 int first = !any_bridge_descriptors_known();
4530 bridge_info_t *bridge = get_configured_bridge_by_routerinfo(ri);
4531 time_t now = time(NULL);
4532 ri->is_running = 1;
4533
4534 if (bridge) { /* if we actually want to use this one */
4535 /* it's here; schedule its re-fetch for a long time from now. */
4536 if (!from_cache)
4537 download_status_reset(&bridge->fetch_status);
4538
4539 add_an_entry_guard(ri, 1);
4540 log_notice(LD_DIR, "new bridge descriptor '%s' (%s)", ri->nickname,
4541 from_cache ? "cached" : "fresh");
4542 /* set entry->made_contact so if it goes down we don't drop it from
4543 * our entry node list */
4544 entry_guard_register_connect_status(ri->cache_info.identity_digest,
4545 1, 0, now);
4546 if (first)
4547 routerlist_retry_directory_downloads(now);
4548 }
4549 }
4550 }
4551
4552 /** Return 1 if any of our entry guards have descriptors that
4553 * are marked with purpose 'bridge' and are running. Else return 0.
4554 *
4555 * We use this function to decide if we're ready to start building
4556 * circuits through our bridges, or if we need to wait until the
4557 * directory "server/authority" requests finish. */
4558 int
4559 any_bridge_descriptors_known(void)
4560 {
4561 tor_assert(get_options()->UseBridges);
4562 return choose_random_entry(NULL)!=NULL ? 1 : 0;
4563 }
4564
4565 /** Return 1 if there are any directory conns fetching bridge descriptors
4566 * that aren't marked for close. We use this to guess if we should tell
4567 * the controller that we have a problem. */
4568 int
4569 any_pending_bridge_descriptor_fetches(void)
4570 {
4571 smartlist_t *conns = get_connection_array();
4572 SMARTLIST_FOREACH(conns, connection_t *, conn,
4573 {
4574 if (conn->type == CONN_TYPE_DIR &&
4575 conn->purpose == DIR_PURPOSE_FETCH_SERVERDESC &&
4576 TO_DIR_CONN(conn)->router_purpose == ROUTER_PURPOSE_BRIDGE &&
4577 !conn->marked_for_close &&
4578 conn->linked && !conn->linked_conn->marked_for_close) {
4579 log_debug(LD_DIR, "found one: %s", conn->address);
4580 return 1;
4581 }
4582 });
4583 return 0;
4584 }
4585
4586 /** Return 1 if we have at least one descriptor for an entry guard
4587 * (bridge or member of EntryNodes) and all descriptors we know are
4588 * down. Else return 0. If <b>act</b> is 1, then mark the down guards
4589 * up; else just observe and report. */
4590 static int
4591 entries_retry_helper(or_options_t *options, int act)
4592 {
4593 routerinfo_t *ri;
4594 int any_known = 0;
4595 int any_running = 0;
4596 int purpose = options->UseBridges ?
4597 ROUTER_PURPOSE_BRIDGE : ROUTER_PURPOSE_GENERAL;
4598 if (!entry_guards)
4599 entry_guards = smartlist_create();
4600 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4601 {
4602 ri = router_get_by_digest(e->identity);
4603 if (ri && ri->purpose == purpose) {
4604 any_known = 1;
4605 if (ri->is_running)
4606 any_running = 1; /* some entry is both known and running */
4607 else if (act) { /* mark it for retry */
4608 router_set_status(ri->cache_info.identity_digest, 1);
4609 e->can_retry = 1;
4610 e->bad_since = 0;
4611 }
4612 }
4613 });
4614 log_debug(LD_DIR, "%d: any_known %d, any_running %d",
4615 act, any_known, any_running);
4616 return any_known && !any_running;
4617 }
4618
4619 /** Do we know any descriptors for our bridges / entrynodes, and are
4620 * all the ones we have descriptors for down? */
4621 int
4622 entries_known_but_down(or_options_t *options)
4623 {
4624 tor_assert(entry_list_is_constrained(options));
4625 return entries_retry_helper(options, 0);
4626 }
4627
4628 /** Mark all down known bridges / entrynodes up. */
4629 void
4630 entries_retry_all(or_options_t *options)
4631 {
4632 tor_assert(entry_list_is_constrained(options));
4633 entries_retry_helper(options, 1);
4634 }
4635
4636 /** Release all storage held by the list of entry guards and related
4637 * memory structs. */
4638 void
4639 entry_guards_free_all(void)
4640 {
4641 if (entry_guards) {
4642 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4643 entry_guard_free(e));
4644 smartlist_free(entry_guards);
4645 entry_guards = NULL;
4646 }
4647 clear_bridge_list();
4648 smartlist_free(bridge_list);
4649 bridge_list = NULL;
4650 }
4651